Image via Wikipedia
If you want to know why these issues of ratings and insuring continuity are important, I direct the reader to this article about on-line file hosting site Carbonite.
I am going to write about a project that got stranded on my research pile when a well funded client decided that they did not wish to complete the contractual research allocation. The research directives encompassed finding a preliminary business model for underwriting business continuity risk within the rubric of cloud applications and hosting services. A concomitant directive was to research new and existing technological models that would offset the risk of such underwriting programs.
So there was an insurance underwriting and actuarial side, and a real systems side. I was to uncover the insurance industry's perspective on underwriting SAAS /PAAS / Cloud, etc. I was to bring to the partner underwriters technical proposals that would offset the risk. The project was on a roll and then still birthed. I think it still has merit. I think that the failure of several VC funded net storage start ups points to this, and that even recent hours-long outages in the 'clouds of the mighty', should indicate that this analysis was not a complete waste of time. I certainly uncovered gaping holes in the standard insurance industry lines when underwriting business interruptions and continuity for advanced hosting and SAAS.
I am under NDA as to the identity and specific plans of the client, but what I learned, and the contacts I made, cannot encumber my portfolio of analysis and career endeavors. I have that in writing, and the former client, admitting to the invocation of an early termination clause, is cool with that - bigger crises on the home front and all.
We analysts wouldn't be worth much if we couldn't (at least sometimes) feel things coming 'round the bend. Before the words "economic crisis" became a meme for all subsequent business failures, many esteemed colleagues felt there was excess capital flowing into redundant business models (YASN and YAVSS, for the initiated). This was an evil wind with bad portents. Too much VC cake was handed over to the 'Valley Undertakers", i.e., entrepreneurs who had fostered serial failures, break-evens, and maybe one or two small M&A's, but who in the big picture had no business getting that much access to capital. So that's the tableaux we have set at around 3/07.
I was working for an R&D lab in South San Francisco when my self-billed services (product strategy under contract) started softening. I was counting on an implied renewal to extend a six month term to 18-24 months. Well, they said they loved me.I was not alone in the exodus from Gateway Blvd.
I also had several quotes out around the Valley, and performed several live pitches for real make-money product strategies based on bedrock research. But something was in the air, a whiff of fear in the faces of those I was pitching, even at the most august institutions. I've always been a realist, and this was well prior to the words 'economic meltdown' becoming CNBC's daily mantra. Many of my analyst-contractor colleagues in the Northern CA high technology sector also started to feel the chill.
So it happened to me a little before it happened to many of you. Despite accolades for the stellar work I performed, my contract was not renewed, and all my pitches and proposals in and near the city of San Francisco were not closing at the usual pace I was accustomed to. Until 2006ish, I could close in a month or two. Now in '07 I was being braced by the clients to be ready to sit on contracts for up to 90+ days. One of them closed and was aborted after 120 days. That project, hosted solutions business continuity underwriting and preemptive outage prevention, was a real money machine, with potential users, a realistic existing market model, and had reality baked-in. You get the idea. Sound business models are sometimes not enough when fear is in the air.
I researched market strategies for services offerings to rate, certify, and offer business continuity solution services for....."The Cloud". I want you all now to recall that in late '06 mid '07 "cloud" meant many things and had not yet gained that buzz cachet that it has now.
Cloud, ASP, SAAS, Hosted solution - all it means to the small and medium business owner is, "no in-house infrastructure or software', or put more simply, "no stuff here". Oh, throw in the poorly defined term, "Grid". The subtle and not so subtle distinctions of transparent scalability, fault tolerance, and configure-ability are lost on most bread and butter businesses. I try where possible to avoid these distinctions with my clients, except to point out that a dedicated or multi-tenant web host or erstwhile server used for whatever purpose is not cloud like - in that we expect a certain amount of inherent scalability or flexible options for configuration with Cloud or Hosted grid offerings.
In other words: If you can point to the machine and its downtime or a request for upgrades in capacity generates a ticket, that's not "Cloud-like". If you can expect a certain level of independence from single point failures and have the ability to remotely configure additional capacity, well then, there you go.
SAAS and PAAS solutions; well, since we usually don't get to choose the hardware for these applications, we usually almost never know if the provider of say, project management or accounting web services is Cloud like or not. These services may be running on infrastructure that is decidedly vulnerable to single point failures and scalability deficits. I'm fairly certian that many of the early entrants to the SAAS space were quite pedestrian in their hardware systems. But we never will know these things about a 37 Signals, or a Salesforce - what they run is what they run. But, their services are, "out there", as opposed to "here", and we pay by the month...so there you go again.
Shoot, that was a long preamble to an article on third party certification and business continuity services for hosted applications, cloud services, and customers of SAAS / PAAS, etc.
My work uncovered much ugliness in the arena of newly minted SAAS start ups offering webs apps covering accounting, project management, document management, etc. These sincere folks, many of them, did not have the legs to weather any storm. Being cockeyed optimists, they never conveyed their worst case scenarios to clients that considered the service mission critical. Who's fault is that? - the customers for lack of due diligence, or the SAAS vendor? My early investigations pointed to a real thorny issue: Are any of these New Age SAAS providers, save for the select few, worthy of being underwritten against disruptions to client continuity?
In order to mitigate against a panoply of risk factors (such as under capitalization, under provisioning, etc.) I had to come up with some benchmark program requirements. I did this in concert with some other analysts who work in the more narrow field of recovery and fault tolerance. I had to find a way to get insurers involved in the actuarial portion of the solution so we could price the risk, and I had to get offsetting technological solutions to solve 90% or so of the most common technical / strategic disruptions to operations. There was, as well, a component of financial analysis that addressed transient issues of reinsurance that would stave off the kind of unnecessary business failures that in turn morph into technical failures. All of these issues are thorny and interconnected.
One of the most interesting areas of provisioning services for ensuring continuity of Cloud Hosting services was the use of competitive services for backstopping outages. This entailed proposals for mutual anonymity, competitive protections, etc., all while making sure that services would continue and that data would be protected without endangering a provider's relationship with a client. Fascinating stuff.
The study of mutually reinforcing the interlocking forces of business viability on the part of the services providers, and the needs of the clients who are buying into this pool of insurance products, was a wild research docket that should have lasted well into 2009, but got stalled at day 120; it was just enough to whet my appetite. Ratings, certifications, standards, reinsurance, double blind technical services coverage by and for competitors (cost effectively and confidentially provisioned!) - This was a juicy assignment and an analyst's dream.
I wonder if the concept still has legs? In my next post, I will list some of the actual programs and concerns that the research entailed. Or, maybe I will extend the current post.