During the last months I had a number of conversations with vendors about the licensing and business models for their cloud offerings. And frequently the conclusion was that the models aren’t really adequate for the cloud. Some might work today and for some period of time, but they are not likely to be successful on the longer term.

One ob the obvious shortcomings are accounting periods which are too long and thus don’t provide the required flexibility which is a key advantage of cloud services. Contracts which run at least 12 months or accounting periods which look at the peak use within a calendar month are not what we need for the cloud. Over time, customers will expect the ability to switch their provider quickly and to pay-per-use. For sure there are services where customers aren’t that likely to move ever or on short-term (salesforce.com, SAP BusinessByDesign). But I’ve seen that model as well at the platform and infrastructure level.

But pay-per-use models can be critical as well. If there are either too many elements in or elements which can’t be predicted, these models don’t provide the advantage of reliable cost models which are as well a key advantage that cloud services can and should provide. That is the same like with ISPs in the past – there will be a logical move to flatrate models. Noone likes to become bankrupt because he is too successful.

The reason for these sometimes inadequate business models are obvious:

• Many vendors in the cloud are experienced with classical, license-based business models and have no experience and sometimes little understanding of new cloud business models. They are insecure and have to learn.
• Customers currently frequently accept these business models – but that will change.

However it is very interesting to observe the change in these business models over time. In the cloud, business models are always under stress test. The impact of actions of other vendors is strong. For example, Microsoft in fact has defined an maximum price tag for hosted Exchange services with their own offering. Providers which want to earn more will have to very clearly show the added value to their customers.

That will not automatically lead to a situation in which the cheapest provider wins. But for sure cloud service providers will have to react on what others are doing. Thus, flexible business models and an efficient production of cloud services are mandatory. Vendors who are not able to pick up the pace of these changes in business models are likely to disappear from the market.

Open-Xchange, a provider of open source messaging and groupware, has announced its concept of Social OX, OX standing for Open Xchange and the concept of a “personal information hub”. The idea is to provide an approach where someone can maintain its “contacts” centrally and exchange that information with social networks like LinkedIn, Plaxo, Xing, FaceBook, MySpace, and others. The idea is to consolidate, manage, and re-use personal and social network data.

The concept supports publishing data to others and consuming shared data. In effect, that information will become exchangeable, in contrast to today’s lock-in approach in most social networks. Data can be tagged and so on, allowing to use different data for different contexts. That even will allow companies to integrate (respecting the data protection/privacy laws) available contact aggregated from individual contacts of employees, as one of many use cases.

Currently, HTTP and XML are the underlying concepts, allowing an easy adoption. But Open-Xchange considers approaches like information cards as well for the future. The focus is on a common semantics and standardized interfaces to exchange that information. And Open-Xchange claims that several large social network providers are starting to support that concept.

Social OX is an interesting threat for providers of social networks, given that it opens them up. But will it also affect their business models? Currently, the lock-in is a part of the concepts. With approaches like Social OX (and the approach for exchanging social network information might be used by other vendors as well) that lock-in disappears, allowing to use platforms like Open-Xchange to read the data out and publish it to another social network. That will allow a faster and more easy switch between social networks.

However, it is unlikely that leading social networks will disappear. They benefit from the number of users and they especially benefit from their other services around the personal information which could be exchanged using Social OX. However, it will become easier for new social networks (and other system relying on that information) to enter the market. Today, the value of new social network approaches is frequently low because there are too few users. That will become easier, even with the need of others to subscribe and import their data as well.

Social OX has the potential to influence the way we work with social network data and personal information, with Open-Xchange (and maybe other vendors) acting as personal information hub. It might as well allow new business models (think about personalization). And it might lead to a world with more successful social networks than today, due to a lower market entry for newcomers. But as long as the market leaders focus on the added values for the network members and have a valid business model (which isn’t necessarily true for all of them today), Social OX will not lead to their replacement. However, they will have to learn to exist without the lock-in of social network information of their customers.

These days, there were several articles in different media stating that eBay might discard its Skype service. The reason is that they haven’t acquired the underlying P2P core technology. This is still owned by Joltid. And Joltid plans to terminate that license agreement. One doesn’t need to be a prophet to guess that the real reason behind that situation is about money…

However, eBay definitely is in a difficult situation. They might find a deal with Joltid. They might discard the Skype service with its 16 million users – which probably won’t be that lucky about. They might develop an own P2P technology. Or they might replace the P2P technology. Given the limited time eBay has to solve the problem they the most likely options are that eBay either will find a new agreement with Joltid or will have to acquire another P2P technology. There are several P2P providers out there, some supporting phone capabilities, like Collanos Phone. There are Open Source projects like Gizmo. Thus there are some options. It will require some intense technical due diligence for eBay to choose the technology which allows to continue the Skype service with somewhat equal features and not too much of disruption for existing users. But there are solutions out there.

It will be interesting to observe which option eBay chooses. Given that I’m a Skype user, I’m really interested in. I’m as well interested from a perspective of an analyst for the Cloud Computing market, because the situation eBay is in shows the inherent complexity of Cloud Computing with many different relying parties. Think about a situation where, just as an example, a database isn’t provided any more by the cloud computing platform it has been run on before, because the company providing the platform has terminated the agreement with the database vendor. That would be somewhat the same story. Thus, think about these dependencies and look at the potential problems…

Recently, the DMTF (Desktop Management Task Force) announced an initiative to develop cloud standards for resource management, packaging formats, and security mechanism to facilitate the interoperability of private and public clouds (and amongst public clouds from different providers). Given my recent critics on the term of “private cloud” that means just standards to be able to use different types of service providers, regardless where they are. The announcement can be found here.

The DMTF starts an Incubator to develop such standards, including existing work and standards like WS-Policy and others. From my perspective, DMTF is an interesting player in that field given that they have succeeded with some other standards around desktop management and systems management. And they have a lot of vendors on board, mainly from the virtualization and systems management market segments. Thus it is likely that they are able to drive things forward. Anyhow, they shouldn’t miss to include existing de-facto standards like the APS (Application Packaging Standard) promoted by Parallels.

There is no doubt that we need a lot of standardization for the cloud. The DMTF initiative addresses current needs of managing the “infrastructure cloud” but will as well influence the level of the “platform cloud”, as long as you understand management for systems, identities, and so on as part of that level. Anyhow it will probably take us some years until we can use cloud-ready systems management tools which rely on the potentially upcoming standards in that area.

And we also have to be aware of the fact that even that initiative will cover only a few of the missing standards for the cloud computing of the future. Authorization management, business-level policy management, SLA standards and many other elements are missing today. Anyhow, any initiative for further standardization is welcome from my perspective, as long as it focuses on integration with other initiatives and existing standards and as long as it delivers – the sooner, the better.

And, by the way: Don’t miss the Cloud 09 Conference in Munich, December 2nd to 4th.

Even while I don’t share his understanding of the term “private cloud” (I don’t believe in that term) , I like what Chuck Hollis of EMC has blogged about “Monetizing the cloud“. There are so many open questions around the valid business models for as well cloud providers as consumers for cloud services. And everyone will have to learn a lot – and learning from others might help to avoid mistakes.

By the way I also wouldn’t limit the cloud discussion to “providing infrastructure” – it goes well beyond that and covers virtually any type of IT service.

There will room to discuss thinks like the correct terminology around the cloud as well as valid business models at Cloud 09, to be held 2nd to 4th of December in Munich – the cloud counterpart to our European Identity Conference.

The biggest problem around cloud computing is the lack of a valid and well accepted definition. Definitions like “scalable services delivered via the internet” fail for example when thinking about “private clouds” which aren’t used via the internet (but at least based on using the same standards). And, by the way, not every cloud service will have to be highly scalable – there will be more and more very specialized services where functionality is key, not a massive scalability.

But the more you dive into the topic of cloud computing it becomes obvious that this cloudy thing of “cloud” (usually associated with the Internet and things which are provided there) isn’t the key thing. The key to success is that companies understand the value of Cloud IT.

What does this mean? Cloud IT stands for consequently using cloud principles in IT – and in every part of IT, not only for consuming some external services. That includes

• well defined services (SLAs!!!)
• a consistent service management across all services, regardless of where they are running (and, based on that, consistent approaches to cloud governance)
• applications which are agnostic of where they are run or which hardware resources are available – there have to be parameters which might limit the ability to run applications everywhere and the application has to accept the currently available hardware resources but as well should understand that these resources can change dynamically

Defining everything in IT as services in a consistent manner is a fundamental change and the foundation for a flexible use of cloud services. Once you have made that move you can decide (based on parameters of a service) which service provider (internal or external) you will use. Thus, the first step is making your IT “cloud-ready”, e.g. moving towards a Cloud IT. Without that, using cloud services will always be sort of tactical and not strategic.

There are plenty of definitions of the “cloud”. Most of them include aspects like services which are provided via the internet and which are highly scalable. But the discussion about terms like a “private cloud” proves that this is a somewhat insufficient definition. Depending on the definition of a “private cloud”, these services might be delivered via a private network.

The insufficiency becomes obvious as well with respect to some of the aspects of the cloud. There are so many different types of cloud services that there are for sure some which, for example, are so specific that they don’t need to be highly scalable – for example cloud applications which are devoted to a specific target audience with only few members like for example airlines or rail operators. There the scalability is automatically limited and not somewhat infinite, like often is assumed as a requirement for cloud services. And there will be many services devoted to much smaller groups (with respect to the size and number of members).

From my perspective, the essence of cloud computing are the services. Services are defined on various levels, from pure computing power up to very specific applications. These services are provided by someone. They have to be well-defined so that they can be provided by different providers and the switch to another provider is supported. This definition goes well beyond today’s definitions in IT Service Management. It has, for example, to be defined, where (geographically) a service can be hosted – due to legal reasons.

Given that a well-defined service which can be run virtually anywhere is the core of cloud computing, it becomse obvious that terms like “private cloud” are just marketing fuzz. In fact there will be only one cloud with different operators, from internal data centers to external cloud providers. And by the way: Where should be the borderline between “private” and “public”? The (diminishing) perimeter of an organization? The fact that a partition of a data center in the cloud is used? A physical machine or a virtual machine? Actually it isn’t possible to define that in a valid way.

The real value of cloud computing is that services can be consumed from different providers and that providers can be changed – sometimes pretty easy, sometimes with a little more efforts. That might be an internal or external provider, but you shouldn’t care about in case that the requirements are fulfilled (which could as well mean that it is mandatory to provide a service internally).

There are many open points around cloud services and the related standards today. In case that we have defined that a specific service consumed in the EU has to be hosted in the EU – how do we avoid that the data is sent from Paris to Berlin via New York which might happen in practice? Obviously, a lot of work has to be done around standards, around service descriptions, around management tools at any level. But despite the shortcomings we observe today, the cloud will become reality and IT will be run and managed differently from today. There are far too many advantages in cloud computing.

We will discuss many of the topics around Cloud Computing, the opportunities, business drivers, standards, service management and so on at Cloud 09 in Munich in November 2009. Take part in these discussions!

Last week Microsoft has announced that they will offer own cloud computing services in nineteen different countries. The approach is “hosted by Microsoft, offered by partners”. That is an interesting approach and it is obviously the result of Microsoft’s thoughts about how to manage the balance act between the existing business model and the upcoming cloud computing business.

On one hand, Microsoft relies on their partners which sell software licenses today. On the other hand, Microsoft has to provide offerings as cloud services. Until now, there have been some limited offerings for example with value-adding services for Exchange infrastructures or, in a specific market segment, the Office LiveMeeting product. With last week’s announcement, Microsoft provides core services like Exchange Online and SharePoint Online by themselves. The services aren’t sold directly by Microsoft but via 2.500+ specialized partners.

Microsoft has as well announced that this is just the beginning of their “Software and Services” strategy, thus other solutions will be added. Given that the pretty prominent URL www.microsoft.com/online (or www.microsoft.de/online or similar URLs) is used it becomes clear that this type of business shall provide a significant part of the future revenue stream of Microsoft.

Even with this business model which focuses on sharing revenues between Microsoft and the partners, there is still some potential conflict with partners. The price tag defined by Microsoft is sort of the upper border for Hosted Exchange and Hosted SharePoint Services. Thus, some of the existing hosting partners of Microsoft will have to change their price tags. Microsoft now is the one who controls the price tag. Partners might add services, for sure.

But many partners will have to rethink their business model. On one hand, participating in a constant revenue stream is interesting. On the other hand, the more parts of the environment are delivered from the cloud, the less project revenues will occur. That is a risk for partners.

From a Microsoft perspective, the model looks more interesting. Microsoft has the biggest network of resellers for cloud services in the market, Microsoft can compete with other cloud vendors and Microsoft adds a service-based revenue model to its existing license-based models.

It will be interesting to observe how that model affects the existing partnerships as well as the entire cloud market. Despite some scepticism I think that the chosen model is the best solution for the balance act Microsoft has to do. And I’m as well convinced that it will allow Microsoft to take a significant share of that particular area of the cloud market. It might again prove that Microsoft is pretty well able to adopt to changes – like they have done multiple times before.

By the way: Don’t miss Cloud ’09 and EIC 2009!

Cloud Computing will be the next big paradigm shift in IT. I have no doubt about that. But like with in many other cases, there is first of all a vision, then a buzzword, then some basic technology – and then people start to think about things like reliability and security. The same is true with Cloud Computing. There are many services out there, but IAM and GRC for the cloud are heavily underestimated.

That is somewhat funny given that some of these services appeared in the big New Economy bubble some ten years ago. Salesforce.com is just one example, some of the online conferencing providers are as well in the market for years now. But only few of them support at least basic standards like SAML (Security Assertion Markup Language) for Identity Federation. And many still lack the support for such standards, not to talk about more advanced approaches like Information Cards or XACML.

Beyond the fact of missing support for existing standards, there is the issue of missing standards. There are virtually no standards for GRC, for example for auditing and alerting (and SNMP isn’t the solution for the cloud). Even XACML is more sort of a technical standard, which needs a lot of additional work to really support the authorization management issues in the cloud.

There are some additional offerings for example for Single Sign-On to the cloud, there are some identity providers for the very lightweight OpenID and even less for Information Cards, and there are few offerings for Identity Provisioning from the cloud, e.g. managed services for Identity Management. Some of the more interesting vendors in the market are, amongst others, companies like Fischer (Provisioning), Ping Identity (Federation), TriCipher (Authentication), Arcot Systems (Authentication), Multifactor Authentication (again Authentication), and Fun Communications (Information Cards). But the number of offerings is still relatively small.

On the other hand it is obvious that IAM and GRC will become a very fast growing segment of the IT market, for ISVs as well as for Identity Providers. And it will be as well an interesting opportunity for consultants supporting all the other providers in the cloud in enabling their applications for the IAM and GRC requirements of their customers.

To become successful as a provider in the cloud, the “externalization” of the management of authentication and authorization as well as externalized auditing will become mandatory. Customers can’t afford to manage authorizations per cloud service but will have to apply pre-defined policies. Thus, we need new standards and we need new semantics for existing standards like XACML on a much higher level than today.

The entire industry, e.g. cloud providers as well as customers and IAM/GRC vendors have to work together on this. Feel free to send me your ideas and proposals on this – we’re currently preparing a launch of a standards initiative on some IAM/GRC issues and that might be the next one.

More on IAM and GRC for the Cloud at the European Identity Conference 2009 (Munich, May 5th to 8th).

At March 30th, several vendors, including IBM, Sun, and Cisco, announced an “open cloud manifesto” which pleads for open standards in the cloud. The “open cloud” shall allow choice and flexibility of cloud platforms and cloud providers. A main target is the easy portability of applications. But, if you read that manifesto, you’ll find the typical sentences about “openness”, “avoiding vendor lock-in”, “the need for standards”, and so on.

One of the most interesting things with the short and pretty lightweight (to avoid the harsh term of  “meaningless”) “manifesto” is which vendors are missing in the list of supporters:

Microsoft, Salesforce.com, Amazon, Google

With other words: Several big ones don’t participate in that initiative yet. And most of them have established cloud platforms.

That doesn’t mean that the noble intention of the initiators of the Open Cloud Manifesto (which isn’t that noble given that all of them hope to earn money from the cloud) doesn’t make sense. Yes, we need standards. Yes, we need portability of applications between cloud platforms. But some nice words doesn’t solve anything.

What we really need are standardizations. For the application packaging, for cloud governance, for cloud management and monitoring, and so on… In some areas we might reuse existing standards like SAML for identity federation, in other areas standards are still missing. Thus, instead of talking about a “cloudy” target of an open cloud world, there should be precise actions. And these should take place in the existing standard bodies like OASIS, W3C, and so on.

Standards are important – not only to the cloud. At the European Identity Conference, May 5th to 8th in Munich, there will be a OASIS pre-conference workshop – and there will be a lot of discussion around the Identity and Governance standards which are required for IAM and GRC, as well for internal services as the cloud. Cloud Governance won’t work without such standards.