Cloud computing: Don't get caught without an exit strategy

Before you trust your business to the cloud, be sure you know how to get out.

1 2 3 Page 3
Page 3 of 3

The risk/benefit dance

Avoiding the proprietary aspects of a vendor's system really comes down to a risk/benefit tradeoff, Staten says. You need to weigh the advantages of using provider-specific technology against the vendor's vulnerability.

Take Inc., which uses a proprietary programming language and APIs, he says. "Years ago, no one was writing custom applications in Salesforce or leveraging their APIs, because they didn't know if they'd be around," he says. "Now that they've been around 10 years and are well capitalized, those things are in high use."

To determine a vendor's viability, Staten proposes doing in-depth research, asking the vendor to provide under a nondisclosure agreement information such as its cash position. He also talks to the venture capitalists backing the company about their commitment to it. In addition, Staten recommends asking references whether they're just dipping their toes in the water with a vendor or making a bigger commitment.

Serena Software's Bonvanie also advises companies to specify an exit strategy in their contracts. "The imperative is that you agree with your vendor on what the procedures are for abandoning their application, if needed," he says. For instance, how does data come out, and what is the vendor's involvement in making that happen? How much time do you have to get the data out after service nonrenewal?

In many of its contracts, Serena inserts escrows to regulate what happens to its cloud software vendors' source code if the vendors cease operations. Bonvanie says he has found that cloud vendors are more forthcoming about doing this than most traditional vendors.

It's also essential to set policies early on as to how your company is going to use the cloud and under what circumstances, Staten says. This is especially important when it comes to securing data in the cloud, which often requires customization by the user. "You have to do things above and beyond what the cloud vendor provides to be secure or compliant," he says.

So if you want to use five different cloud vendors, for instance, you need to be sure beforehand that you can apply those customizations to all five platforms.

Creating these types of policies is not something many companies are doing yet, "because use of the cloud right now is a bit like the Wild West," Staten says.

However, Staten points out that security customization is yet another way to get locked into a particular vendor, because if you wanted to move to a different provider, you would need to unwind and then redo all that work.

Maturity takes time

Over time, standards will develop, Staten says, most likely driven by customer demand. This won't happen without tension, he says, because customer demand will be offset by the advantages that vendors see in lock-in. For that reason, users need to be adamant about which standards they desire and where they're most important. One crucial area is in using open Web services in application-to-application communication, Staten says.

Gartner Inc. analyst Richard Ni contends that IT leaders can encourage standards development by ensuring that their teams consider a wide range of vendors and technologies beyond the obvious leaders. "We will encourage lock-in if we close our eyes to other vendors in the industry," he says. "The CIO has a role to play in ensuring several vendors are involved in the assessment, selection and due diligence process."

As the hype about cloud computing begins to settle down, the hope is that lock-in concerns will grow more rational and less emotional. That will be a welcome development to Bonvanie, who sees just as much risk with traditional computing systems. In fact, his use of NetSuite Inc.'s Web-based business software and IntAcct Corp.'s Web-based ERP software has convinced him that they have easier interfaces and procedures to retrieve and unload data than SAP AG does.

"What gets me nuts is that the same people who are concerned about lock-in in the cloud are not concerned about it behind the firewall or on-premise systems, where people normally run mixtures of three or four different breeds of Unix," Willis agrees. "It's much harder to move from AIX to Sun than to move from Amazon to FlexiScale," he says.

Willis looks forward to the day when people stop asking whether the cloud causes lock-in. "It's the wrong question," he says. "The cloud is just the furniture." Instead, Willis says, remove the word cloud altogether and ask, "Is there lock-in in the choices I'm considering?"

Don't miss: Cloud computing not fully enterprise-ready, IT execs say.

Mary Brandel is a Computerworld contributing writer in Newton, Mass. Contact her at

Copyright © 2009 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon