The CEO of Red Hat, Whitehurst, was quoted by Computerworld today regarding proprietary architecture:

Cloud architecture has to be defined in a way that allows applications to move around, or clouds can become the mother of all lock-ins, warned Red Hat’s CEO James Whitehurst.

This begs the question of incentives. At first glance it seems vendors have every reason to make exit cost high for customers. It helps them ensure loyalty to a platform that has recurring revenue.

However, when security is factored, the exit cost has an additional risk that vendors and service managers must take into account.

Take for example the issue Microsoft has convincing users of version six of their web browser (IE6) to upgrade, as I posted recently. Jeremiah Grossman, CTO of White Hat Security sent me a nice summary in response:

MS is suffering the long term effects of successful proprietary technology.

A web browser is free, which alters the model slightly compared with cloud services, but it sill illustrates a situation where vendors have a big incentive for an easy exit path. I will skirt the issue of whether open systems are more secure than closed. Suffice it to say that given the rate of discovery for software flaws every cloud vendor should be a huge advocate for the benefits of an easy upgrade/migration path.

The Network Solutions breach is another example. At the time of compromise the company revealed a vast number of accounts ran applications on a service still supported but “old and no longer in development”. While both the old and new platforms were compromised a single re-architecture and security fix surely could have been less costly. Did the cost of the fix exceed the cost of a migration path?

Thus, the requirement for a well-managed security life-cycle can help foresee and dissipate risks related to lock-in. Computerworld unfortunately does not mention security in the article. Instead they focus on the usual cloud topics such as performance and resource allocation/sharing.

To be able to move a workload from a data center to a cloud or between two clouds, a connecting API (application programming interface) is needed, and there are a plethora of different ones being developed. Fewer would be better, according to Whitehurst. However, the real challenge isn’t the API, but ensuring that the application will run with the same performance when it has been moved. That is what Red Hat is focusing on. Getting an API in place that allows a workload to be moved is only 10% of the work, Whitehurst said.

Performance. Access to resources that scale is an obvious benefit. Performance gains definitely drive cloud projects as well as marketing. A less obvious benefit, apparently, is the ease of migration from insecure to secure platform (including physical to virtual). How many customers today feel locked-in to old and obsolete hardware that keeps them exposed to known security risks?

Migration tools that break hard-ware lock-ins like Microsoft’s disk2vhd, which I profiled earlier, are not only good for the customer but good for the vendors. Microsoft really, really wants you to stop running NT4 — there is a point at which the proprietary/lock-in model actually hurts the vendor. That is why I would say good migration strategy benefits the vendors as well as customers; helps avoid obsolescence and significantly reduces the cost of managing security. This makes Whitehurt’s point about avoiding lock-ins even more poignant.