Vendor Lock-in in the transistion to a Cloud Computing platform

(1)

DEGREE PROJECT, IN , SECOND LEVEL STOCKHOLM, SWEDEN 2015

Vendor Lock-in in the transistion to a Cloud Computing platform

MENATALLA ASHRAF FAWZY KAMEL

KTH ROYAL INSTITUTE OF TECHNOLOGY

(2)

I DEGREE PROJECT, IN COMMUNICATION SYSTEMS (IK223X), SECOND LEVEL STOCKHOLM, SWEDEN 2015

Vendor Lock-in in the transition to a Cloud Computing platform

Student:

Menatalla Ashraf Fawzy Kamel mafk@kth.se

Examiner:

Jan Markendahl janmar@kth.se

Supervisor:

Amirhossein Ghanbari amigha@kth.se

Industrial Manager:

Fredrik Husander

fredrik.husander@scania.com

Industrial Supervisor:

Jan Mäehans

jan.maehans@scania.com

(3)

Abstract

The thesis introduces a study about the vulnerabilities that a company as Scania IT faces towards vendor lock-in in the transition to a cloud computing platform. Cloud computing is a term that refers to a network of remote servers hosted on the internet to store, manage and process data, rather than on a local server or a personal computer. Vendor lock-in is an outcome that causes companies to pay a significant cost to move between cloud providers. The effects that cause vendor lock-in that will be described are portability, interoperability and federation are called the lock-in effects. The goal of the research is to help Scania IT understand the vendor lock-in and the vulnerabilities they can face in the transition to the cloud as well as to clarify the concern that they may have against falling in vendor lock-in. The main purpose of the research is to present the various lock-in effects that are related to the transition from one cloud provider to another and the vulnerabilities that cause companies to fall in vendor lock-in. The thesis presents the reasons that motivates why Scania IT would consider using the cloud and the concerns that they may have against usage of a cloud computing platform. The results will be based on a case study of a similar company that has moved to a cloud provider and specifically Microsoft Azure and an interview of Microsoft Azure point of view with the risk of vendor lock-in. Finally, a process of interviews with different people from Scania IT to extract the current bottleneck in the development process that caused the company to think of a cloud computing platform. The results show that companies should consider many risks and factors while moving to the cloud, as vendor lock-in, cloud maturity index and their IT strategies. As a result, the thesis gives recommendations of the steps needed to minimize the risks of the cloud while maintaining the positivity of the cloud.

Keywords: Cloud computing, vendor lock-in, lock-in effects, portability, interoperability, federation, Software as a Service, Platform as a Service, Infrastructure as a Service.

(4)

III

Sammanfattning

Uppsatsen presenterar en studie om de sårbarheter som ett företag som Scania IT har mot inlåsning i övergången till molntjänster. Molntjänster är en term som hänvisar till ett nätverk av servrar som finns på internet för att lagra, hantera och processa data, istället för på en lokal server eller en persondator. Inlåsning är ett resultat i vilket orsakar att företagen behöver betala en betydande kostnad för att flytta mellan molnleverantörer. De effekter som orsakar inlåsning vilket kommer att beskrivas är portabilitet, interoperabilitet och federation, dessa kallas inlåsningseffekter. Målet med forskningen är att hjälpa Scania IT att förstå inlåsning och sårbarheter som de kan möta i övergången till molnet. Dessutom är målet att klarlägga riskerna som de kan ha mot att falla i inlåsning. Det huvudsakliga syftet med forskningen är att presentera de olika inlåsningseffekter som är relaterade till övergången från en molnleverantör till en annan samt de sårbarheter som orsakar företagen att falla i inlåsning. Uppsatsen presenterar skäl som motiverar varför Scania IT ska överväga att använda molnet samt den oro som de kan ha mot användning av en molnleverantör. Resultaten kommer att baseras på en fallstudie av ett liknande företag som har flyttat till en molnleverantör och specifikt Microsoft Azure samt en intervju av Microsoft Azure synvinkel med risken för inlåsning. Slutligen, en rad av intervjuer med olika personer från Scania IT för att extrahera den nuvarande flaskhalsen i utvecklingsprocessen som orsakade företaget att tänka på molntjänster. Resultaten visar att företagen bör överväga många risker och faktorer när de flyttar till molnet, som exempelvis inlåsning, cloud maturity index och deras IT-strategier. Som ett resultat ger examensarbetet nödvändiga rekommendationer för att minimera riskerna för molnet samtidigt som positivitet av molnet.

Nykelord: Cloud computing, vendor lock-in, lock-in effects, portability, interoperability, federation, Software as a Service, Platform as a Service, Infrastructure as a Service.

(5)

Acknowledgements

This Master thesis is the last part of my degree program in Information and Communication Technology at the Royal Institute of Technology in Stockholm. First and foremost, I want to thank my dear family for their continuous support and encouragement throughout my whole education.

The study was performed at Scania CV AB in Södertälje in the department INWR .Net development. I want to begin by thanking my manager Fredrik Husander and supervisor Jan Mäehans in Scania CV AB for giving me the opportunity to do my thesis with them and the continuous support they gave me under the thesis process. I want to thank the staff in Scania CV AB that gave me their time to answer my questions and gave me valuable information through the interviewing process.

I also want to express my gratitude to Amirhossein Ghanbari, not only for being my supervisor from whom I have learned a lot but for his assistance and continuous feedback on guidance for my work and report. Last but not least, I would like to thank my examiner Jan I Markendahl for his advice and words of encouragement throughout the thesis period.

Menatalla Ashraf Fawzy Kamel Stockholm, Sweden, 2015

(6)

V

List of Figures

Figure 1-1 Cloud computing pros and cons and some of the issues directed in the thesis 2

Figure 2-1 The framework that was used in the thesis work 9

Figure 3-1 Different models and what is managed by the company versus what is managed by the cloud provider 12

Figure 3-2 Different delivery models and illustrates the Hybrid cloud and Hybrid IT 14

Figure 4-1 Development process of Scania IT 17

Figure 4-2 Barriers that DevOps are trying to eliminate 18

Figure 5-1 The risk level of different cloud service models 22

Figure 6-1 The method that can be used to minimize the risk of vendor lock-in 25

Figure 6-2 Cloud Maturity Index and the current situation of Scania CV AB 26

Figure 6-3 Hybrid IT strategy steps needed to adopt a cloud computing platform 28

Figure 6-4 Complexity integrations in relation to whether the producer and consumer exist internally or externally 30

Figure 6-5 Classifications of information types followed by their risk level 31

Appendix- Figure 1-Magic Quadrant for Cloud Infrastructure as a Service (IaaS) 41

Appendix-Figure 2-Magic Quadrant for Enterprise Application Platform as a Service (PaaS) 42

(8)

VII

List of Acronyms and Abbreviation

API Application Programming Interface

CM Change Management

CMI Cloud Maturity Index

CR Change Request

DSL Domain Specific Languages

MM Maintenance Manager

IaaS Infrastructure as a Service

ISEC Information Security

ITDM IT Development Meeting

PaaS Platform as a Service

RFC Request For Change

SaaS Software as a Service

SAC Strategic Architecture Council

TOSCA Topology and Orchestration Specification

for Cloud Applications

TR Trouble Request

(9)

1. Introduction

Scania CV AB has a history over more than 100 years, they were founded in 1891 [1]. Since that time, Scania has built and delivered more than 1,400,000 trucks and buses for heavy transport work [1]. Scania IT is a part of Scania CV AB, which is responsible for the development of the applications and handling infrastructure of Scania CV AB. Scania IT are currently having all their work and infrastructure on-premises. So currently Scania IT is looking for a better economical and flexible solution, with the aim to decrease time to market. Therefore Scania IT is considering implementing a cloud computing platform, since they assume it will lead to reaching globally faster and will contribute to continuous delivery, which is an important goal to Scania IT that they are always striving to achieve with optimization. Many concerns are listed within Scania IT in the transition to the cloud such as security issues, lack of control and reliability. However the main concern that they want to analyze is vendor lock-in and the vulnerabilities that cause the companies to fall in vendor lock-in. Vendor lock-in is the outcome that makes a customer dependent on a specific vendor for products and services unable to use another vendor without substantial switching costs. Therefore the thesis will present a study about this main concern to Scania IT in moving to a cloud computing platform.

1.1 Problem statement

Scania IT is seeking for improvement for the rate of delivering services and applications with providing a faster delivery rate, which contributes to continuous delivery that tries to deliver improvements to an application as often as possible while maintaining quality. Moreover, Scania IT wants to investigate deeply the many unresolved and open problems related to the mature technologies of cloud computing. One of these technologies is vendor lock-in, which is caused by the lock-in effects that will be described in this thesis such as portability, which is the ability to move applications, data, and tools from one cloud vendor to another in a company that wants to use a cloud provider such as Scania IT. Another effect is the interoperability, which is the ability for different clouds to communicate with each other. Portability and interoperability effects play a big role in causing vendor lock-in, which causes companies to pay a significant cost to move between cloud providers.

Moreover, Scania CV AB is a large international company where several countries are involved to many applications that are found in Södertalje (The main office); therefore a goal they are always

(10)

1.2 Related work and contribution

To accomplish the transition to the cloud, there are many factors that need to be taken into account as shown in figure 1-1 below [2].

Figure 1-1 Cloud computing pros and cons and some of the issues directed in the thesis [2]

General studies in the field of deployment of cloud computing bring up some ongoing discussions.

Figure 1-1 above shows that there are four main cons to cloud computing which are security, lock- in, lack of control and reliability [2].

Since cloud computing is a big technological aim to provide flexibility and economic improvement to companies and customers. For companies to use cloud computing, they need to discuss and research these benefits versus the risks of cloud computing. Therefore a literature study has been conducted to provide an empirical investigation of cloud computing using multiple sources of evidence and in-depth analysis of several previous studies.

Greenwood et al [3] showed that cloud computing can be significantly cheaper alternative to purchasing and maintaining system infrastructure in-house. Despite these advantages, he showed that there are some important socio-technical issues that need to be considered before organizations would move their IT systems to the cloud [3]. Petcu et al [4] have proposed a layered set of APIs that are offering a supplementary degree of freedom, from programming languages and style.

Kostoska et al [5] has proposed a new cloud portability service platform and gave an overview of the current trends in the area of cloud service portability. Kostoska discussed that there are no

(11)

standard solutions for cloud service portability, mainly due to a huge number of various cloud providers on the market. However, he named two approaches that are known in technology area to cope with emerging markets and offer. The first approach is using the most successful provider, which will “kill” the other in the concurrent market environment, and the other to establish a highly recognized standard accepted by all market players [5]. The second approach is using Topology and Orchestration Specification for Cloud Applications (TOSCA), which represents a first step towards building a standard for portable deployment and the migration of existing applications onto a cloud [5]. Guillen et al [6] proposed a framework which aims to favour cloud agnostic software development, which helps companies continue building their applications without having to modify their technology, and also without having to choose a single immovable cloud provider. Moreover, Ranabahu et al [7] indicated that using Domain Specific Languages (DSL) shows a promise in developing portable applications for the cloud and related platforms. They have done some tests and the results shown were very promising for a portable cloud platform.

It can be concluded so far, almost all researches for cloud computing are pointed towards solutions of portability and ways to overcome vendor lock-in. However not much has been discussed about the vulnerabilities that make companies like Scania IT fall into vendor lock-in. Also, the reason why it is a concern to companies considering the usage of cloud computing. Therefore, the contribution that thesis aims to address is the existing gaps in the deployment of a cloud computing and specifically Microsoft Azure in an International huge company like Scania IT and fills the research gap, which is the lack of studies for the reasons and vulnerabilities that companies face in the deployment of a cloud provider.

Furthermore, the thesis represents some ideas on how to resolve some problems faced when deploying a cloud computing platform. It is believed that the thesis research questions will be filled by the conclusions made on this project. Therefore, some research questions will be presented in order to show what would be the direction of study during different steps of this project and eventually by answering these questions the final conclusion will be made.

The main problem area is related to the title of the thesis:

Despite the fact that Cloud Computing is a popular evolved computing terminology based on the consumption of computing resource and proven to be cost efficient and more flexible with a reduce in the amount of physical infrastructure that a company have to keep and maintain. However some downsides are security and vendor lock-in. So why such a technology has not been applied or discussed in huge companies like Scania CV AB?

Since the previous statement is not easy to resolve, it should be cleaved:

(12)

(1) Why is the cloud a raised issue in Scania IT?

(2) Why is Scania IT vulnerable to vendor lock-in in the transition to a cloud computing platform?

(3) Why is vendor lock-in a concern to Scania IT when using a cloud computing platform?

The above order was based on a sequence that would be easy to follow. The work would start by answering the research question (1) that would lead companies to think of the positive side of the cloud. However the drawbacks of the cloud such as vendor lock-in raised questions (2) and (3) to be interesting to examine as most companies do not take into consideration the movement out of the cloud. After identifying the missing gap and the research questions, it could be derived the goal and purpose of the study in the following sub-sections.

1.3 Goals

The goal of the study is to emphasize the reason why Scania IT needs to consider the deployment of a cloud computing platform and to help Scania IT understand the vendor lock-in and the associated vulnerabilities they can face in the transition to the cloud as well as to clarify the concern they may have against falling into vendor lock-in and show what can be done to decrease the risks of cloud computing.

1.3.1 Benefits and Sustainability

The audience of this document are companies that want to use a cloud computing platform and want to understand more the risks rather than the benefits of cloud computing. They could use the solution proposed in the thesis to minimize the risks of vendor lock-in and benefit from the steps and ways to minimize the risks of cloud computing.

Sustainability aspects were also taken into account, which is reusing the work that had already been analyzed in Scania and build on it what was missing to achieve a useful thesis that can help the companies that are thinking of using a cloud computing platform. Moreover, the work submitted and analyzed can be reused by other companies to minimize the risks of cloud computing and improve companies maturity rate within cloud computing, which contributes to sustainability.

1.4 Delimitations

The name of the company in the case study that has been done by interviewing the person who was involved in this transition will be stayed anonymous, due to ethical reasons and request of the owner of the information in the case study.

(13)

1.5 Outline of the thesis

Chapter 2 presents the methodology used in performing the work. Also, gives the reader a more insight of which methods are used in this research and why they are preferable methods. The chapter gives more details of how data is collected and how the analysis of Vendor lock-in vulnerabilities is performed.

Chapter 3 is the start of the author contribution and presents for the reader a history and a wide introduction to cloud computing. Also, gives an introduction on the different service and deployment models. Finally, it gives an idea about two main cloud providers.

Chapter 4 presents the investigations that are performed in the company to understand the development process and bottlenecks that Scania IT is currently facing and give reasons why Scania IT should consider the cloud.

Chapter 5 presents the lock-in effects that cause vendor lock-in and the different types of vendor lock-in.

Chapter 6 presents the evaluations of investigations that were carried out to figure out if Scania IT is vulnerable to vendor lock-in.

Chapter 7 presents the conclusion with the answer to the research questions and the future work that can be done by other researchers and Scania IT.

(14)

2. Method

This chapter represents the methodology and the framework of the research, data collection, selection, application and evaluation of the data collection method. The work with this thesis was divided into several stages that contributed to the final conclusion.

2.1 Methodology

To perform this thesis work, given the explorative nature of the research objectives, a qualitative research method was chosen instead of quantitative method. The quantitative research method uses experiments and large data sets to reach a conclusion, while the qualitative research method uses investigations in an interpretative manner to create theories [8]. The thesis applies the qualitative method because it helps to understand the vulnerabilities that companies such as Scania IT can fall into and the lock-in effects that cause the difficulty of moving between different cloud providers. Qualitative research method answers to questions, such as why, how and what [8].

Research approaches are needed to draw conclusion and to be clear whether these conclusions are true or false. There are several methods that can be used, such as inductive, deductive or abductive approach, which includes both the latter named methods. Inductive approach is when the research resonate theories based on experiences and opinions. While, deductive approach resonate theories to verify or falsify hypotheses. Inductive approach is often used when data is collected with qualitative methods [8].

The thesis will apply inductive approach since there is no clear theory to verify or falsify hypotheses, which applies in a deductive approach. However, a deep analysis is needed to gain an understanding of the different cloud computing techniques and their effect on the company specially the lock-in effects. Also, since the outcome is based on interviews of different employees in the development process and getting an idea of how they work today when compared to working with a cloud computing platform as Microsoft Azure.

The work contribution involved several stages:

1. Literature Study

2. Interviews internal and external 3. Analysis of Scania intranet system 4. Case Study

(15)

Starting with a literature study, this is needed to analyze the present situation of the company and the current work done in this area. This analysis was performed by studying secondary data such as reports, conference presentations, online information, user guides, press releases, white papers and articles.

The second step was data collection for carrying out the study, which was by interviews. The interviews of people in the current development process of Scania IT was performed to understand the bottleneck in the process and motivate for reasons for the need of the cloud. The interviews were done by carrying out unstructured or semi-structured data collection techniques i.e. individual depth interviews and group discussions in this case. This field research consisted of interviewing developers, testers and software oriented architecture experts. The exact interviewees for this project were mainly addressed to three teams in one section of Scania IT. The process started by interviewing maintenance managers of each department in one section of the company. Then the process proceeded by interviewing a system developer and tester in that specific section. Finally, the process of interview was directed to a higher rank, which is Change Management department.

Interviewing different people was done to understand the current process, then an analysis of Scania’s intranet system was needed to provide a wider picture of the inner work of Scania and the structure of how they work. Then an external interview was performed with the solution lead principle for Microsoft Azure to understand their offerings for companies and their perspective on vendor lock-in.

Furthermore, a case study of a company that has had the experience about transition to the cloud provider and specifically Microsoft Azure. Case studies involved reading previous experience of the adoption of the cloud and gathering information that will help make the analysis to Scania IT and solve the worries that can be found. This case study has been deducted through a semi-structured interview to one of the employees that was in charge of this transition and the questions were directed to how this company dealt with vendor lock-in. Finally, the idea of the cloud maturity index, showing how mature Scania IT is towards cloud computing led to the proposal of an IT strategy to define applications in Scania IT moving to a cloud hence lead to a higher rank of cloud maturity.

(16)

2.2 Framework of the study

In order to make the work structured in a way that would be comprehensive and easy to follow. A framework was created by the author with the steps need to answer the research questions. This particular order of steps found in figure 2-1 was the order that was used to answer the research questions, which are described below in details.

Problem: This is the first step in the thesis, where the problem was concluded from the current situation of Scania IT and the reasons gathered behind the study of cloud computing.

Related Work: Following the problem, the work started by reading other researchers work and extracting the related work and figuring out the thesis gap. From that literature study, the research questions were introduced.

Cloud Computing Theory: Then following that a deep detailed analysis of the cloud computing theory was needed to give the reader a broad understanding of cloud computing, which will be needed to understand the rest of the work.

Interviews: After representing the data about cloud theory, 14 interviews from within Scania IT have been performed to understand their current development process and discuss the work and tools that are needed in each process. From these interviews, it was concluded as well the bottlenecks that Scania IT are currently facing. Ethics was taken into account in this interview research. That being said, in all interviews that were conducted it was asked to the interviewees whether it was allowed to use and reference the data given in the interview and if it was allowed to use their name and position in the thesis if needed.

Microsoft Azure Interview: That included an interview for a Principal Solutions Lead – Azure in Microsoft. That was to better understand their services and their view on vendor lock-in as leading cloud providers in both IaaS and PaaS service models.

Case Study Company X: That was an important step to gather the company’s opinion on vendor lock-in, where the author interviewed the person responsible about the movement to the cloud in company X. This was used to evaluate if Scania IT can follow the same pattern and avoid vendor lock-in.

Cloud Maturity Index: This analysis step was to evaluate what was Scania IT current situation with cloud maturity and how to move to a higher stage. Therefore a Hybrid IT strategy was created as a flowchart guideline for companies to follow in order to achieve a high maturity stage.

(17)

Figure 2-1 The framework that was used in the thesis work

The green arrows illustrate that all the work performed results to the answer the research questions.

The red arrows illustrate the order of the steps taken to answer the research question starting with problem, all the way to the cloud maturity index analysis.

(18)

3. Cloud Computing Theory

This chapter presents a background theory on cloud computing, cloud service models, cloud deployment models and top three cloud providers. Moreover, there will be a clarification about the difference between vendor lock-in and lock-in effects.

3.1 What is Cloud Computing?

Cloud computing is a new terminology that was added to the IT industry in early 2007 [9]. Cloud Computing is the practice of using a network of remote servers hosted on the Internet to store, manage, and process data, rather than a local server or a personal computer [12].

The national Institute of Standards & Technology has defined Cloud Computing as follows [10]:

“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”

These cloud service and deployment models will be discussed in the next section. However the five essential characteristics will be listed below and described [10].

1. On-demand self-service: A consumer can use computing capabilities, such as server time and network storage without requiring human interaction with each service provider.

2. Broad network access: Computing capabilities are available over the network and can be accessed by any device (e.g., mobile phones, tablets, laptops, and workstations).

3. Resource pooling: Computing resources that are owned by the cloud provider are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. Examples of resources include storage, processing, memory, and network bandwidth.

4. Rapid elasticity: Capabilities can be elastically provisioned and released, in some cases automatically, to scale rapidly outward and inward commensurate with demand. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be appropriated in any quantity at any time.

(19)

5. Measured service: Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported so providing transparency for both the provider and consumer of the utilized service.

3.2 Cloud Service Models

There are three common service models that are represented in relation to cloud computing, which are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). These models will be represented in details below.

Infrastructure as a Service (IaaS)

Infrastructure as a Service is a service offering a focus towards those who have knowledge of how to configure the software portion of the technology stack, but do not want to manage the hardware [14]. Infrastructure is the base of the stack and provides all the raw computing resources.

Platform as a Service (PaaS)

Platform as a Service is a service aimed to developers that help them develop and test applications without having to worry about the underlying infrastructure. Developers do not want to have to worry about provisioning the servers, storage and backup associated with developing and launching an application [15]. The platform services provide users with software, virtual machines (VMs) and usually handle all aspects of system administration for the user. On the other hand, the customers would need only to handle the applications and data as illustrated in figure 3-1.

Software as a Service (SaaS)

Another type of cloud computing model is Software as a Service, which is a service that means that the cloud computing provider is in charge of applications, data, operating system, storage, service and the rest as shown in the figure 3-1 [2]. The consumer buys the services without worrying about the customization or maintenance of the hardware. They need to just stay connected to the cloud provider.

(20)

Figure 3-1 Different models and what is managed by the company versus what is managed by the cloud provider

Figure 3-1 illustrates the separation of responsibilities for on-premises versus three service models, IaaS, PaaS and SaaS, where it presents what is manageable by the cloud provider versus what is managed by the customer. So, Other manages illustrates the cloud providers as Microsoft Azure or Amazon. While You Manage, illustrates the customer as Scania IT.

3.3 Cloud Deployment Models

There are five common deployment models that are represented in relation to cloud computing, which are public cloud, private cloud, private virtual cloud, community cloud and hybrid cloud.

Public Cloud

A public cloud is available to the public or a large industry group and is owned by the organization selling cloud services [16]. Public cloud resources are normally provisioned on demand or on dynamic basis over the internet [16]. In the public cloud, the servers are the same for all companies in the cloud but with different structures, where different companies can share the servers. This can be shown in figure 3-2. The limitation of the public cloud is the security concerns that the cloud servers are shared by many companies. This can be motivated since many cloud servers are in the

(21)

same cloud infrastructure and therefore there is a lot of resources that are shared among the different companies that can be found in the cloud.

Private Cloud

A private cloud provides an easy, flexible and effective way to request, use and deploy IT resources, applications and virtual machines (VMs) on hardware that is dedicated to a single organization [11]. It can exist on premises or off premises [16]. The private cloud is an emulation of the public cloud, typically on a private network, and exists to support the goals of the organization, rather than to generically support resources for multiple organizations [16]. Private cloud customers have their own servers and ports. This is illustrated in figure 3-2. The limitation of the private cloud is that it can be more expensive than a public cloud. Since each cloud infrastructure is particularly to one cloud consumer and therefore nothing is shared with other consumers making it more expensive when compared to the public cloud.

Virtual private cloud

An alternative solution to addressing the limitations of both public and private clouds is called Virtual Private Cloud (VPC). VPC is where the cloud is present in a cloud provider data center such as Amazon, Azure data center, where each server has its own network of companies’ information. It uses a multi-tenant shared services model as the public cloud but the partitions a single instance of resources are for an individual customer. VPC customers “share” the core cloud platform but the virtual machines they use are dedicated for their own private use, which makes it more isolated than the public cloud and the user has complete control over their virtual networking environment, including selection of their own IP address range, creation of subnets. This also allows customers to design their own security firewalls when compared to the public cloud limitation. However the limitation in VPC is the use multi-tenant, while many customers prefer the use of single-tenant.

Since there is a fear of sharing other customers the core cloud platform.

Community Cloud

A Community cloud is shared by several organizations to support a specific community, which is only accessible for these organizations [10]. The infrastructure can be operated and owned by the cloud provider or the organization. These communities would most probably share privacy and

(22)

performance requirements. The limitation that can be found is the sharing of the cloud platform as the public and virtual private cloud. If there is no trust between the organizations using the cloud, there can be a risk of information leakage. Also, to provide resources and a cloud computing infrastructure to the community requires a huge amount of investment, which can limit the resources to the organization making them less wanting to share the cloud and use the community cloud.

Hybrid Cloud

A Hybrid cloud is the combination of two different methods of resource pooling; it could be two cloud deployment models like public with community [10]. This combination of two or more cloud providers is remained as a unique entity that is bound together by standardized technology that allows data and applications portability [16]. Hybrid cloud is one of the best solutions, where it includes many deployment models with the benefits and limitations of each.

While a Hybrid IT is the result of combining internal and external services, usually from a combination of internal and public clouds, in support of a business outcome [33]. The comparison can be better illustrated in figure 3-2. Hybrid IT includes traditional IT with all the cloud deployment models (Hybrid cloud) shown below.

Figure 3-2 Different delivery models and illustrates the Hybrid cloud and Hybrid IT [31]

(23)

3.4 Cloud Providers

Cloud providers are a company that provides cloud computing services and solutions to customers, which can be individuals or businesses. The cloud provider delivers solutions that are pay-as-you - go, meaning that the customers need only to pay while using such services. These solutions are the ones named in the previous chapter, which are IaaS, PaaS, and SaaS. The two providers that are discussed are Microsoft Azure and Amazon Web Services (AWS) are top leading providers in different cloud models. Amazon is leading in IaaS services and Microsoft Azure has become a leader since 2014 in both IaaS and PaaS services [25; 26]. This information was published by Gartner [25; 26] and the charts can be found in appendix A.

Microsoft Azure

Microsoft Azure is the cloud provider that Scania IT wants to adopt. Microsoft Azure is Microsoft's cloud platform [34], which is a growing collection of integrated service such as compute, storage, data, networking, and applications that help the customer move faster, do more, and save money [34]. Azure is an industry leader for both IaaS and PaaS services as ranked by Gartner [25; 26; 34].

IaaS and PaaS combined together give services that let customers build, deploy, and manage applications any way you like for unmatched productivity [34].

Amazon Web services (AWS)

Amazon web services were founded by Bezo in 1994 as an online book store [27] and in year 2002, it was officially one of the top 500 companies in US [27]. Amazon is the leading provider in IaaS services as ranked by Gartner [25; 26]. They have several PaaS services that have been introduced in 2011 such as “elastic beanstalk” [28], which allow users to create application and push them into a defined set of AWS services.

(24)

4. Current development process and bottleneck in Scania IT

This chapter is done by investigating the current development process that Scania IT is currently going through all the way to production. Then, concludes with the bottlenecks that have made Scania IT think about the adoption of the cloud platform. The aim of this chapter was to understand the development process and the vulnerabilities that Scania IT is currently facing and whether it can be solved by using the cloud.

4.1 Current development process

A study of the current development process of Scania IT was needed to evaluate the process that Scania IT is currently using and the tools they use for their applications. The current development process was gathered by interviewing a group of people working in Scania IT and in the process of change management process which is name of the process that Scania IT is working with to deliver products.

The development process goes through several procedures. The development process starts by having a Change Request (CR), meaning that a request to change for an application served to a customer, which is Scania. The CR can be a change in an application or an upgrade of Scania’s database. Then after figuring out the start of the process, the work started by interviewing three different maintenance managers (MM), which are responsible for handling the CR. MM are also in charge of the control of installation, repair and upkeep of employers' property, including machines and mechanical systems. They may also take on more administrative tasks, depending on the specifics of their job. Then moving to a higher rank that is change management department. MM currently uses a system called “Jira”, which is an issue tracking product on Scania that is used for Trouble Reports (TRs) and Change Requests (CRs) made during software development, maintenances and projects alike. MM handles CRs within the team, which means that the MM has discussed with the developers and testers who will be responsible about that specific change.

A Request for Change (RFC) is issued by the MM on a system called “Remedy”, which is handled by the Change management (CM), responsible. Therefore an interview to the person responsible was conducted to understand more about their system and their process. CM is in charge of minimizing the number, and impact, of incidents caused by planned changes to the Scania IT service production environment. Also, to ensure that all IT services are carefully prepared for a safe and secure operation. When the CM has agreed on the change, the application needed to be changed

(25)

is done and moves to the stage of production. This is shown in details in figure 4-1 below. The steps can be summarized with respect to the figure:

1. Scania CV AB, the customer issues a change request (CR) to Maintenance Managers (MM).

2. After MM register in”Jira” system, they issue a Request for Change (RFC) through a system called “Remedy” to the Change Management team (CM).

3. The CM looks at the editing and does the necessary things as written in the figure 4-1. After approval about the quality, risk analysis and other things, they send the CR to production to take care of it.

Figure 4-1 Development process of Scania IT

In between the MM and the CM, DevOps can be found as shown in the figure 4-2. Two DevOps in the Scania IT were interviewed to understand their role in the process. DevOps comes from the combinations of the initials of Developers and Operations. They are in charge of decreasing the gap between developers and operations by synchronizing the methods and tools used between both. As seen in figure No. There was a further interview conducted to the creator of this process and the one responsible about continuous updates to the process. He talked about his continuous effort along

(26)

with his team to optimize the change management process and ease the process to help Scania IT workers to delivery faster with the aim of continuous delivery.

To better illustrate the DevOps aim and their work effort, the following figure can be created.

Figure 4-2 Barriers that DevOps are trying to eliminate

Figure 4-2 shows the sequence that developers use to develop a product, they always strive to achieve continuous integration, which is a software development practice where developers integrate their work frequently, leading to multiple integrations per day [30]. This has shown a progress in code management within teams and a more rapid development of software. Moreover Scania IT strives to achieve continuous delivery, which is to continuously deliver improvements to an application as often as possible while maintaining quality. Lastly, is continuous deployment, which is the next step of continuous delivery. Every change that passes the automated tests is deployed to production automatically. It leads to minimizing the overall lead time. However there are several bottlenecks that will be presented below that cannot be helped with DevOps but needs the intervention of a cloud computing platform.

(27)

4.2 Bottleneck in Scania IT

After interviewing different employees in the company and understanding their current development process, it could be concluded the bottlenecks they have in the current process that they believe will be solved by adopting the cloud.

1. No standardized tool between Maintenance Managers (MM) and Change Managers (CM).

Since MM are using “Jira”, while CM are using “Remedy”.

2. Time needed to deliver/setup a server/database is 3 weeks, since the hosting servers team must provide the servers and deliver the infrastructure which takes times.

3. Access Management, they are responsible for granting access to server, servers’ accounts, and active directory groups. Every order typically takes 3 days to complete. This adds to lead time.

4. The CM process often takes a lot of time before the RFC’s get approved

5. Involved Dependencies. Often in the development of an application, there are other teams involved in the development e.g. Integrations. They follow different time plans for development & tests and which does not necessarily match with the owner of the application time plans. This adds to lead time.

6. In the change management process, the MM has a duty to send an RFC request to the Change management (CM). However there are several types of RFC that are available in the system “Remedy”. One of the bottlenecks is the wrong usage of the RFC type that can make conflicts in the process and prolong the process.

These bottlenecks have made the teams such as the .net development team, which is responsible for several applications that use the .net development tool to think about the cloud computing solution.

Since all these lead times have affected the continuous delivery that the teams are trying to achieve, the cloud seems to be a perfect solution. The cloud can decrease the lead time with both hosting server team that takes up to 3 weeks to deliver/setup a sever or database and time for the access management that takes 3days/request to grant access for the employees to their servers. Since if a company buys IaaS, then they have the servers delivered by the cloud provider instantly and the access is also done automatically. So it could be concluded that the cloud would decrease the lead time with the fast delivery of the servers and granting access automatically.

However in the next chapter, there will be a discussion about the risks of the cloud with a focus on vendor lock-in and the lock-in effects.

(28)

5. Three types of lock-in effects that cause vendor lock- in

Most companies look at the positive side of the cloud and the ways to move into the cloud, but never take into consideration the ways out of the cloud. In order to evaluate the way out of the cloud, the vendor lock-in and lock-in effects need to be described.

Vendor lock-in is the situation that makes customers who are adopting a cloud platform from a cloud vendor to be locked-in to that specific vendor. This situation can cause complications for the customer to move to another vendor in terms of cost, effort and time. On the other hand, the lock-in effects are the effects that cause vendor lock-in. These effects are portability, interoperability and federation.

5.1 Lock-in effects

There are several cloud providers that offer different services, storage, infrastructure, API and etcetera. Therefore, there must be a way to identify the most suitable cloud provider to a specific company such as Scania IT. A cloud provider can be chosen according to many factors such as security related to that cloud provider; another main issue is the cloud portability and interoperability. Most companies think about the advantages and the ease to the adoption of the cloud but never take into consideration their way out of the cloud and the difficulty it could cause for the companies in terms of time, effort and money. Therefore cloud portability and interoperability are the important issues discussed in this chapter since many cloud customers forget taking this into account when adopting cloud providers. Therefore, it is needed for cloud customers to consider the lock-in effects that cause vendor lock-in to try to avoid them, where the risk is being tied to a particular cloud service provider due to the difficulty and costs of switching to another cloud provider to use the equivalent cloud services [18].

Cloud computing often relates to data, application, platform, and infrastructure components. Data is the machine-processable representation of information, which is found in the computer storage [17].

Applications are software programs that perform functions that are related to business problems [17]. Platforms are programs that support the applications and perform generic functions that are not business-related. Infrastructure is a collection of physical computation, storage, and communication resources [17].

(29)

Portability

Portability is the ability to move applications, data, and tools from one cloud provider to another so that it is usable in the target provider. This is found in a company that wants to adopt a cloud provider such as like Scania IT. There are several types of portability such as data, application and platform portability.

Interoperability

IEEE [20] and ISO [21] define interoperability as the ability for public clouds, private clouds or other more systems within a company to exchange information and mutually use the information that has been exchanged.

In cloud computing, the most important thing with interoperability is the ability of cloud customers’

service to interact with cloud provider services and be able to communicate with the components on both sides [18]. They usually interact and communicate using a specific interface or an API. The problem is that cloud providers have different interfaces for each cloud service, which deal with different functions for example administration interfaces, billing interfaces, and many more interfaces. There are many types of interoperability such as application interoperability, platform interoperability and management interoperability.

Cloud Federation

Federation is when several cloud providers are brought together to create a solution for a company.

Federation is referred to the unionization of software, infrastructure and platform services from different networks that are accessed by the customer though the internet [35]. Federation of the cloud resources are facilitated through network gateways that connect public or external clouds, private or internal clouds to create a hybrid cloud computing environment.

(30)

5.2 Vendor lock-in types in relation to different cloud models

Vendor lock-in is a risk that companies need to take into consideration when adopting a cloud provider. The risk can be found in different cloud service models, in IaaS, PaaS and SaaS. The risk varies greatly depending on the cloud service model as shown in the figure 5-1. This depends greatly on the number of hardware and software the vendor provides to the customer.

Figure 5-1 The risk level of different cloud service models

IaaS depends on the specific infrastructure services that are used. For example, if the customer uses cloud storage, they will not be impacted by the non-compatible virtual machine formats [36]. IaaS vendor lock-in has the lowest risk involved because most vendors use the same virtualization environments, which makes it easier for customers to move between cloud providers [29].

The risk increases with PaaS, since the vendor providers both hardware and software applications [29]. PaaS lock-in occurs at both the API layer and at the component level. For example, PaaS providers offers highly efficient back-end data store, that makes forces customer to develop code using the custom APIs offered by the provider and code data access routines in a way that is compatible with the back-end data store [36]. Accordingly, even if the APIs that are offered are compatible, the access model may be different, making the code unportable across PaaS providers.

Moreover, PaaS lock-in at the API layer happens as different providers offer different APIs. Finally, the highest risk is with SaaS, since the vendor controls all the key components of the customers system [29].

0 15 30 45 60 75

IaaS PaaS SaaS

High risk Low risk

(31)

6. Is Scania IT vulnerable to vendor lock-in?

This chapter is concluding whether Scania IT is vulnerable to vendor lock-in and gathering information that can be used to evaluate why Scania IT might be vulnerable. This is done by analyzing the cloud provider they want to adopt, which is Microsoft Azure and having an interview to a similar company, in such of the same motivation to use cloud computing, and the current components that are being used. This analysis has been done to learn what the greatest challenge to make this move was and how they handled the vendor lock-in situation.

6.1 Microsoft Azure view on vendor lock-in

It was mainly focused on the lock-in effects and how a company falls in vendor lock-in. The issues that can be concluded from the meeting was that vendor lock-in should be included in a risk analysis of any company and vendor lock-in is valid regardless of whether the system is running on a physical data room of an organization or in a public cloud service such as Azure.

Azure is a platform with very many different services where it varies how easy it is to move in a solution. In Azure, they are always working to minimize the lock-in effects. Azure’s Cloud OS strategy is built to be able to manage their platforms in the same way as if it is on-premises, a partner cloud provider or in Azure. In Azure IaaS deals mostly with virtual machines and these are simple to be copied to other environments, i.e. no more vendor lock-in than the equivalent in its own or partner’s hall. Maybe even less as Azure have well-defined public APIs. When it comes to various PaaS services, so it varies how easy it is to migrate. Everything is going to migrate but the thing to consider is how big or small the stakes are. For example Azure websites are very easy to move to a regular web server on premises.

6.2 Relation between Company X and vendor lock-in

Company X ¹ begin their thoughts of the transition of cloud computing and the most convenient provider was Microsoft Azure, since the company only used Microsoft components. Company X decided not to put everything in the cloud. But accordingly to the information classifications and how important the information is and whether it is dependent on another application or not, they would decide whether it is applicable to be put in the cloud. After choosing the most convenient

1 Company X is an international company that wanted to stay anonymous due to their privacy concerns

(32)

cloud provider, they had a testing period through which a practical test of cloud services was made and evaluation of what would the shift mean for the organization?

They found that the usage of the cloud gave them:

1) Better user experience.

2) They could store information that is accessible to the other branches in the company in other countries.

3) Web acceleration is more effective with continues loading of new process and information.

4) The same process is shared to everyone in the company.

However, some of the concerns that made the people responsible on the transition make more efforts in examining is both security issues with a public cloud and the risk of falling into vendor lock-in. In order to decrease this risk of vendor lock-in, the company thought of the idea of mirroring. This following described method was conducted to be independent on a specific cloud provider and decrease the vulnerability to fall in vendor lock-in by making an own copy of the cloud internally offering the same services with the public cloud they have bought services that are non-vendor proprietary components such as SQL Server, Oracle, Tomcat, JBoss, IIS, Apache, etcetera that can either run:

1. In IaaS cloud, where the company take care of them but run them on an instance in the cloud or spin up a complete "image" of the IaaS provider's application list.

2. At PaaS provider, where the components are handled by the provider and is running on one of their servers, such as Oracle, IBM and others have this kind of PaaS based on standard products that can also be run at home in a company’s own data center or in the company’s own data centers (in private IaaS, PaaS or traditional IT).

However Proprietary PaaS components such as Azure Blobs, Tables Azure, Azure Machine Learning, Azure Message Bus, etcetera, or AWS corresponding components can only be used in the provider's data center and you cannot move the applications that use them either to another cloud or home to the companies own data center. With this solution, the company can save data on-premises but in case of crashing there will be no way to run the data without creating an application that can take out data. Therefore company X choose to buy non-vendor proprietary cloud that is handled by the provider and based on standard components. The PaaS services are mapped in both internal and external IaaS to achieve mirroring and redundancy. Also, in case of a crash or that the operator agreement is no longer suitable. There is always a copy of data available on-premises. This is

(33)

illustrated in figure 6-1. Each application (App) has a runtime environment to make the customer have the possibility to stop and restart the environment as seen in the figure 6-1.

Figure 6-1 The method that can be used to minimize the risk of vendor lock-in Some characteristic that need to be applied in both the internal and external cloud are:

• Resource management: for IaaS in cloud computing offers benefits such as scalability, quality of service, optimal utility, reduced overheads, improved throughput, reduced latency, specialized environment, cost effectiveness and simplified interface [22]. Also customer demands services and features and gets an environment in public or private cloud depending on current available resources.

• Automated provisioning: it is the ability to deploy information technology by using predefined procedures that are carried out electronically without human intervention [23].

• Adapters for different providers: it is the ability that makes different software’s to transfer information from a local office to different cloud providers.

(34)

6.3 Is Scania IT Vulnerable in the transition to the cloud?

The most important question was whether Scania IT is vulnerable in the transition to the cloud was analyzed through the previous case study mentioned and the view of the cloud provider. It can be seen from the case study of the similar company previous situation before adopting the cloud, it can be seen the similarities in both companies. Scania IT is also an international company that has the same motivation to use the cloud, which is global accessibility, that the same process can be shared to everyone in the company. Moreover continuous delivery importance can be thought to be helped by the cloud through web acceleration in loading of new process and information. The decrease of time to market was an important factor to both companies, company X and Scania IT. All these factors made it interesting to learn from company X the ways they tried to solve issues with the cloud. Their main issues were security and the fear of vendor lock-in. However our main focus was on vendor lock-in and their perspective on solving it. The study has shown the way to minimize the risk of vendor lock-in by providing two Infrastructure services both internally in Scania IT and externally in the cloud provider. However, another factor that needs to be considered is the Cloud Maturity Index (CMI), how mature Scania IT is in cloud computing services. Therefore figure 6-2 below shows the different factors that have been considered to set Scania IT in Stage 1 in CMI.

Figure 6-2 Cloud Maturity Index and the current situation of Scania CV AB

(35)

In stage 1 (Immature): The cloud services are not used at all or very little. There is no strategy for the cloud services and the level of knowledge and ability is low. Finally there is no application consolidation, which means there is no strategy about the amount applications should move to the cloud. It is an important factor, since it decreases the number of vendors you deal with, and the number of licenses or home-built apps you manage, which can reduce complexity.

In stage 2 (Basic): There is a basic knowledge of cloud services. The use of services is purchased when the need arises and very little integration to other IT environment without a strategy.

In stage 3 (Mature): There is a strategy for cloud services and purchases are partially in accordance with it. There is probably more than one type of cloud service and perhaps more than one distribution model used. Cloud services are a natural part of the IT portfolio.

In stage 4 (Leading): The differences between cloud services and other forms of delivery are clearly defined. It includes whether an analysis of the existing IT portfolio has been implemented. Purchase of cloud services is in accordance with a defined strategy. Several types of cloud services and distribution models are used, depending on what is best for each area. The drivers of cloud services is particularly change, innovation and development. After the detailed view of the stages, the author of the report views Scania IT as in stage 1, since there is no use of cloud services yet. Moreover there is no defined strategy of the applications needed to move to the cloud. However it can be concluded that stage 3 can be reached fast and easily if there is a cloud defined strategy and purchases are done according to that strategy.

To clarify the current strategies in Scania IT, a flowchart has been made in figure 6-3 to ease what is needed from organizations. To be able to create a strategy, an IT strategy must be clarified. Once that is done, companies need to set their applications to be cloud defined. Cloud defined means that the applications requirements are specified and clarified with which service model suits these applications. Another requirement is the application consolidation, which is to bring several applications together to benefit of the decrease of number of vendors the company would deal with, and the number of licenses or home-built apps the company manage, can reduce complexity.

Finally the last point was to clarify which requirements are needed when moving application from on-premises to the cloud, whether there are any guidelines set in a company or not.

It has been concluded that within Scania IT there are few guidelines that state which applications are most suitable to be put on the cloud in terms of simplicity, flexibility and information classification. However there are some points missing such as the need for the applications, whether they will need IaaS, PaaS or SaaS. The number of application needed to move to the cloud. It can be seen in the flowchart in figure 6-3, with the “No” in cloud defined, that if Scania IT does not

(36)

have a fully defined cloud strategy, they should do it to decrease the risk of cloud immaturity, have power of negotiation when they have several cloud moving to the cloud and could request an own shell in the cloud from any cloud provider.

Figure 6-3 Hybrid IT strategy steps needed to adopt a cloud computing platform

These guidelines that are listed below would minimize the risk of the usage of the cloud. It is advisable for companies to work with improving their strategies before using the cloud services.

Some of the guidelines currently being looked at are listed in the next subsection.

(37)

Guidelines

Scania IT has a Hybrid IT strategy focus that is managed by Strategic Architecture Council (SAC).

SAC is a part of Scania’s Enterprise Architecture Governance structure. This council is responsible for Principles and strategies, Enterprise Architecture Roadmap Strategic. Some guidelines and thought by Magnus Eriksson, who is a senior Enterprise and IT-Architect at the Enterprise Architecture Office in Scania IT AB. He has performed proactive strategy and technology investigations.

The guidelines that will be discussed below are still not accepted by the IT Development Meeting (ITDM), which is part of the Scania IT Technology Architecture decision structure. The meeting is facilitated by Scania Enterprise Architecture Office. They are responsible to accept and decide on new strategic plans.

Simplicity Guidelines

One of the important features that should be considered when choosing a deployment model and IT architecture is Simplicity. Two factors are most important when considering deployment models, which are the number and complexity of integration, and location of data producer and consumer [31]. In case of the existence of both the producer and consumer of data for a particular system are internal itself adds unnecessary complexity to deploy the system externally and vice versa for a system with external producers and consumers [31]. As seen in figure 6-4, the high risk is noticed to be when many/complex integration are in a system and the producer and consumer are not externally , then it is not a good idea to put the system externally. Also there is high risk when the producer and consumer are internal, and the systems with some/normal integrations are put externally. In most other cases there is no risk or medium risk to put the system internal or external depending on the integration complexity. So to conclude, if both the producer and consumer of data for a particular system are internal it adds unnecessary complexity to deploy the system externally and vice versa for a system with external producers and consumers [31].

Vendor Lock-in in the transistion to a Cloud Computing platform