Lesssee, the framework supports the APIs which support storage but not authentication...

In more than 25 years of technology reporting rarely ran into such chaos as I did reporting a recent story for Computerworld on open source cloud frameworks. Just about everyone worth talking to claims to have a framework; just about everything valuable calls itself a framework; and just because you have (or are) a framework doesn’t mean you don’t need another framework to get anything done.

Let’s start simple: A framework is a collection (or, if you prefer, library) of software that helps you do something. In the case of cloud frameworks, the objective is to develop, deploy and/or manage a cloud-based application. The “library” of enabling software that makes up a framework might include development, management and test tools, middleware to link the application to other cloud components such as databases, or APIs to make it easier to move applications among clouds.

A Pain in the PaaS and the IaaS

Some frameworks are designed for use with private clouds (those within a customer’s own data center.) Others are for public clouds, such as those hosted in multitenant (multiple customer) environments such as Amazon. Others are designed for “hybrid” clouds (a mix of public and private) except, of course, if by “hybrid” we’re talking about a mix of physical and virtual servers, as some vendors do.

Then, of course, there are cloud frameworks built at various levels of the “stack” that leads from the base hardware to the applications user see. Infrastructure as a service (IaaS) clouds help customers deploy servers, storage and networks; platform as a service (PaaS) platforms have all the tools needed to deploy actual applications. Each level of framework provides a different combination of price, agility, control and security. A customer might need one framework (such as OpenStack) to provision virtual machines, and another (such as Opscode Chef) to describe how those servers will be configured.

Confused yet? Consider that not all frameworks have all the pieces customers need to not only deploy but manage very large, complex applications over time. Some, such as Eucalyptus and Deltacloud, are APIs (application programming interfaces) aimed at making it easier to move applications from one cloud to another. But customers have found that without the ability to also move underlying services, such as data storage, from cloud to cloud these APIs fall short. If your framework can provide that (or you need another to do this work) say so.

Some have even built their own frameworks after being unable to find one that handled enterprise-scale requirements. These requirements include updating hundreds of applications, providing the strict levels of authentication needed for financial applications and discovering and reusing services such as security and data warehousing. If you can provide these services, these are big draws for enterprise customers.

Open Source or Not?

Many large organizations now see open source software (where the source code is freely shared and open to improvement by customers and others) as a safer choice than proprietary code, as long as they can get enterprise-level support. But whether a framework is truly open source and not tied to one vendor can be another mystery.

Some frameworks have a true open-source feel (geeky Web pages with no major company logos.) Other frameworks are backed with financial and technical help from big-name software vendors. Cloud Foundry, for example, is backed by VMware, while Red Hat’s Open Shift is based on Red Hat Enterprise Linux.

That big-name backing is often a plus, not a minus, to customers. But it raises another question in customers’ minds about just how committed the vendor, or partnership of vendors, is to open-source versus their own in-house products. Providing details like the number of developers you’re committing to open source, what modules or code you are contributing to the effort, and how open you are to new members joining the “community” and pitching in. Those are all questions I hear customers asking when considering open source frameworks.

Guess What I Am. Go Ahead. Guess.

Kudos to those who clearly explain what type of framework they are (the level at which they operate, what functions they do and don’t provide, and exactly what role commercial vendors play vs. the volunteer “community.” But others confuse customers with cute product names and high-level benefits such as “agility,” “flexibility” and “portability” without explaining whether or how these hold up under the scalability, manageability and security requirements of the real world.

To avoid being swept away in a flood of look-alike offerings, use my tried and true “fill in the blanks” formula to make your framework pitch more understandable:

               “(Product name) is a “(noun) that (verb, verb, verb.)

                The product consists of (noun, noun, noun.)

                 It is better than competitive products (adjective, adjective, adjective) because it (specific claim, specific claim, specific claim.)”

 And be sure to describe, clearly and up-front, how you meet the life cycle application demands of complex enterprise environments if you hope to serve that market.

I hear their beta is buggy as heck...

We all have competitors dishing the dirt on us. One way to fight back: Boldly repeat their lies, only to demolish them point by point.

Maybe they’re saying your growth is unsustainable because you’re giving away product to score reference customers. Maybe they’re claiming customers are ripping out your software a year after installation because it doesn’t scale. Or that you’re in the process of ruining that great technology you acquired from a start-up last year.

Many of my clients tip-toe around the accusations, carefully crafting white papers or mission statements aimed at disproving these claims without ever describing them. By hinting that something might be, or could be wrong, and that you’re fixing it (without saying what it is and what you’re doing) you only make customers more confused and skeptical.

A bolder, clearer and more effective approach is to repeat and even amplify what you consider to be underhanded claptrap, loudly and clearly, and then refute it point by point. It’s a technique you’ve probably heard radio talk shows hosts use. I ran across it while browsing aviation Web sites (yeah, I’m an airplane nut) and seeing a promo for Emirates airlines rebutting charges it gets unfair government subsidies.

Note how Emirates, rather than tiptoeing around the subject with euphemisms like “the proper role of government in supporting the aviation industry” headlined the charges against them, repeating them (and naming those making them) in case the reader hadn’t heard them before.

Identifying the lying so and sos...

Then they refuted them, point by point and with pages and pages of statistics and even quotes from oil companies assuring they charge Emirates fair market rates for jet fuel even though the airline is in the middle of the world center of oil production.

...refuting them with unnamed sources. Oh, well.

They even defend their record on touchy subjects like the conditions of the many immigrant workers in the Gulf. Taking on risky issues like this that aren’t even central to their business fairly screams that they have nothing to hide. Its part of the sheer mass of facts, figures, numbers and angles they throw at the reader – everything from airport landing fees to whether Chapter 11 bankruptcy laws in the U.S. are, in effect, a form of government subsidy. I’m not sure I buy that argument, but it sure changes the terms of the argument.

And isn’t that what you want to fight unfounded rumors?

This in-your-face approach helps cut though today’s Web-based information overload, telling the audience “We’re so sure these claims are bogus we’ll blast them loud and clear so you can see how ridiculous they are.” This is chutzpa and it works, though I’m not sure I’d use that term resonates in the UAE.

Is this what they mean by a transformative change?

After being nice and congratulating a vendor for a clear, simple job explaining their value proposition, my dark side takes over as I blast another for a confusing – and potentially damaging — attempt at rebranding.

When business process outsourcing firm Data Dimensions  recently announced a new “Mission, Vision, and Values statement” it totally failed to explain exactly what is new and why anyone should care. As someone who follows the BPO market closely, I was hoping to learn something.

But it was clear Data Dimensions was talking to itself, not its customers, from the very start with the headline “Data Dimensions Looks to the Future with a New Vision.” Unless I’m a Data Dimension employee or customer, why should I care?

The naval-gazing went on as the release explained the company wanted to “make our (vision) statement more in line with who we are and to better clarify our commitment to the clients that we serve, and the people we employ.” If you’re having an internal identity crisis, why publicize the fact, at least without mentioning what’s in this clarification for the customer?

Now, to the “meat” of the news, although there’s not much to chew on. The company’s new mission is — wait for it – to provide “innovative business process solutions (with) an uncompromising commitment to quality, responsiveness, and integrity.” It’s “vision” is “To be the leading solutions provider for every customer we serve!” For this, they wasted valuable Web bandwidth?

Their values (which I’m sure you’ve never heard of before) include “integrity, “excellence,” “innovative” and “responsive.” To make the kitchen sink of jargon complete, they collaborate with each other while recognizing the diverse background of their employees. And since you asked, you’ll be relieved to know “the new Mission, Vision, Values statement is posted throughout our buildings and in key public areas” and that it is actually “a continuation of the principles that Data Dimensions was founded on in 1982.”

Besides failing to explain the importance of this for its customers, Data Dimensions fails to provide any context by explaining what is new, or has changed. This makes me, as a suspicious reader, look between the lines for signals of problems or failures they’re trying to fix. If their values now include “integrity” does that mean they lacked integrity in the past? If they’re now committed to “excellence” and being “innovative” have they not been in the past? If they’ve always had integrity and innovation, why emphasize it now?

It may be wonderful that Data Dimensions went through this internal values clarification, but it’s not, in and of itself, anything the market cares about. It only becomes worth sharing when the company can explain specifically how it will deliver lower-priced, higher-quality, or more innovative services for its customers. Until then, these feel-good generalities teach the customer not to bother reading the next press release they see from this company.

Let me know if you think I’m being too hard on these folks or you want help explaining your own strategic repositioning. 

As I recently reported for Computerworld, the days of dedicated “hot site” DR with banks of expensive servers and storage waiting around for a volcano to blow are long gone, except for the most mission-critical applications.

Most customers are more pragmatic. Some are using virtualization to quickly reshuffle production applications onto less-critical test or development environments in case of an outage, forcing the less-critical workloads to wait until the trouble is over. Others are providing limited uptime rather than immediate 24/7 coverage. If that means payroll has to work from 9 PM to midnight on Sunday night to process paychecks during the emergency, so be it.

Some vendors are claiming the cloud will finally bring DR to the small to medium sized businesses who until now couldn’t afford it. But I found some SMBs who are not only skeptical of security in the cloud, but turned off by the prices some vendors are charging on a per-server basis. If you’re marketing cloud-based DR. be ready to prove it delivers on ease of use, low cost and security.

Anyone claiming to provide cloud DR also must show how its lets customers monitor the health and security of their DR site. Across all sectors of IT, customers are demanding business-friendly reports and dashboards so they can constantly monitor the costs and the benefits of their internal and external service providers, and that also goes for cloud DR.

In this era of wired and cloud-centric everything, I was surprised to learn how many companies still back up data by physically shipping tapes or (increasingly) portable hard drives to remote locations. That is still more cost-effective, it seems, than spending big bucks on the replication software and huge network connections it would take to move today’s data stores over the network. As one user joked, “FedEx is still the largest-bandwidth network out there.” Obviously, lower-cost, easier or even automated options for replicating data over today’s networks are a good play.

A final note to cloud and DR marketers: The confusion around different types of cloud and DR is reaching crisis proportions. For example, sometimes the term “private cloud” means a virtualized, on-demand infrastructure within an organization’s own firewall rather than that of an external provider. Other times, it also means a customer’s dedicated hardware running at an external site. Sometimes “hybrid” means a mixed public/private cloud, and other times a mix of virtual and physical servers.

I’ve seen some reports that such confusion is spooking customers so much they’re throwing up their hands and delaying a purchase decision. That’s a disservice not only to you, but the entire market. Whenever you’re unsure if “everyone knows” what your definition of “cloud” means, the safest bet is to explain it anyway – as clearly and simply as you can.

But security isn’t the bugaboo it used to be. In fact, “security as a service” that matches the agility and ease of use of the cloud is a huge potential market current security vendors aren’t reaching. And therein lies potential opportunity for security vendors.

That was the message from customers, analysts and cloud providers at a dinner discussion hosted by security software and services provider StillSecure the other night in Boston. Customer surveys show security dropping as a barrier to cloud adoption by customers, said Carl Brooks, an analyst at Tier1 Research. Compliance, however, is holding steady as a major concern.

Security vs. Compliance

That rang a bell with many around my table, who lamented that security is a “nice to have” that companies are reluctant to spend on until they’ve been breached, while compliance is forced on them by outsiders such as regulators. They also pointed out that the security provided by cloud players such as Amazon is at least as strong as that most organizations can provide themselves, at least at the infrastructure level of servers and networks.

Application-level security is another story, though, and where cloud security (while achievable) is often too expensive and cumbersome. While businesses do want more “visibility” into security through dashboards and reports, the last thing they need are endless reams of log file data that don’t mean anything to them, said Brooks. Nor, said StillSecure Chairman and CEO Rajat Bhargava, do they want to manage security themselves.

Wanted: “Click and Go” Security

What they do want was described to me by David Greenstein, co-founder and CTO of startup Kibits, a mobile micro social-networking and information sharing platform. He wants “click and go” cloud security that allows him to instantly apply security policies to new servers as he spins them up in the cloud, without the need for manual configuration. As for reports, he only wants to receive alerts for an attack or vulnerability he needs to do something about. Trying to grow a company on a limited budget, he doesn’t want to spend any more time, money or effort than absolutely necessary for functions such as security that aren’t his core competence.

While there are “frameworks” for cloud development and deployment (a topic of an upcoming story I’m doing for Computerworld) no one around my table knew of a comparable framework for security. Larger security and systems management vendors, it seems, are either too busy solving security problems in current customer environments or not sufficiently clued in to the needs of the new, cloud-based corporate infrastructures.

Hurdles and Opportunities 

Some of the hurdles to this “security as a service” include educating customers (especially small to mid-size businesses) about basics such as firewalls and the dangers of giving users root (or administrator) access to systems. Assuring compliance is even trickier given the vague requirements of regulations such as HIPAA (governing patient care) and Sarbanes-Oxley (protecting corporate financial information.) But given customers’ desire to cut costs, services that could boost both compliance and security could be a huge win.

But there does seem to be a market out there for automatic, policy-based, server and application layer security services that can be applied and monitored as easily as spinning up a server in the public cloud. What companies out there are offering such services we at the dinner haven’t heard about?