Beware the perils of dealing with a 'nested cloud' solution

Mary Shacklett explores the risks of using a cloud provider that relies on a third-party cloud service. 

 

Cloud will continue its expansion as an IT solution, propagating an ecosystem that could turn into a "cloud upon cloud" architecture. I call this "nested cloud," because every time you peel away one layer of cloud, you're likely to find another cloud layer nested under it.

The best way to illustrate this is with an example of a Software as a Service (SaaS) provider that delivers a specific business solution for a targeted industry vertical.

Let's say a SaaS provider sells an up-to-date customs system that knows the latest trading regulations for more than 100 countries. The niche expertise of a SaaS solution in customs can save a global trading company thousands of hours each year that their internal staff would normally have to spend researching and applying all of these constantly changing customs rules. If the monthly subscription to the cloud is attractive, and it's easy to onboard with the solution, there's almost nothing more to think about—unless you're in IT or risk management and must ask yourself: How many clouds really are there behind this solution?

Cloud has been a fertile area for many new IT startups, and in some cases, even for spinoffs of established businesses. Why? Because you can start a cloud business at a fraction of the cost that you would incur if you had to build or lease a data center and then stock it with all of the IT equipment you would need to run your operation.

Unsurprisingly, 52 percent of all cloud startups said they would not have been able to afford on-premises IT resources at the time they wanted to launch, according to a Rackspace survey."First and foremost, startups that offer software or online services have to prove their business model works in the cloud before they are likely to get any venture capital funding these days," said James Staten, vice president and principal analyst at Forrester Research. "That means their business starts in the cloud." 

But many of these cloud infrastructure providers don't offer service level agreements (SLAs) with any teeth in them, and their SaaS customers, which pale in size to them, have little leverage.

Moz is an example of a SaaS company that decided to move off a third-party cloud for its cloud services and to instead offer the services through its own internal data center. "We create a lot of our own data at Moz, and it takes a lot of computing power," wrote Moz CEO Sarah Bird on the company blog. "Over the years, we've spent many small fortunes at Amazon Web Services. It was killing our margins and adding to product instability. Adding insult to injury, we've found the service… lacking….For our longer stateful processing or apps that need to be available 24/7 with no variability in load we have purchased our own hardware ….We must have staff to manage 1000s of servers at AWS or at our own data centers. The biggest factor was paying for compute on boxes that crashed and yielded nothing we could use to move our business forward."

Enterprises contracting with Moz and other SaaS vendors that run their own cloud data centers have the peace of mind that, when they enter into a contract and agree to SLAs with these vendors, they're really getting "all in one" accountability for reliable services from a single cloud vendor.

In a "nested cloud" solution where you have your SaaS vendor offering one level of cloud and then piggy-backing it onto an outsourced cloud data center that it contracts for with a third-party cloud infrastructure provider, cloud accountability gets nebulous. Who is accountable, for example, when the infrastructure cloud goes down, since it is with the SaaS provider and not with the infrastructure cloud provider that the enterprise has a contract? And if it is the SaaS provider's operation that generates the outage, how do you really know?

These are the perils of dealing with a "nested cloud" solution, which may motivate some SaaS providers that are now relying on third-party cloud service infrastructure for their cloud services to think again—before their clients do.