Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage Articles PaaS Is The Word

PaaS Is The Word

As cloud computing continues to pervade all aspects of information technology, from the data center through application offerings, the function and capabilities of various cloud offerings are beginning to blur. Anecdotally, it seems that most enterprises are still strongly focused on delivering Infrastructure-as-a-Service (IaaS) to their constituency in some form. This may be as a broker leveraging existing public cloud provider offerings or internally building IaaS as a private cloud offering. Eventually, all these clouds will house applications or data, which means that IaaS is merely a stepping stone to the ultimate goal of simplifying the operations and management of the application platform or Platform-as-a-Service (PaaS).

Before PaaS, IT Must Nail IaaS

The widespread focus on IaaS demonstrates the level of overall maturity for cloud computing in the IT industry. IaaS is heavily reliant upon an understanding for how to manage a set of shared resources effectively among a disparate set of requirements. This understanding is not well-practiced within our industry as, until recently, we have not had the facilities and capabilities to deliver this using commercially available software and hardware. With the advent of commercial offerings for simplifying the pooling and sharing of compute, storage and networking, and a solid business case for doing so, a high percentage of IT shops have ventured into the cloud computing arena.

The first step in moving to shared resources is commonly virtualization. It is common to hear IT executives talk about the percentage of their environment that is “virtualized”. The value of having a high percentage of the environment virtualized is questionable if continued evolution does not occur. That is, if all IT does is move from physical to virtual, gains will most likely only be seen in the reduction of the number of physical servers, and hence, data center utility utilization, such as power, cooling and space.

A good analogy might be organizing a messy storage room. By grouping similar items into stackable containers, it would be very easy to optimize the use of the space. However, it doesn’t make it very easy to find items when they are needed. Moreover, if there’s no system for shuffling the containers to simplify access to the containers, then the static nature can make it very arduous to get a single item out of a container that is at the bottom of the stack. For example, this time of year, you might want to move your holiday decorations and ornaments containers to the top of the stack, giving them a higher priority for setup and tear down.

Likewise, if the virtual machines are statically grouped to a specific set of servers, then it will make it very difficult to prioritize processes that require more resources at different times. For example, many businesses tend to see spikes in certain applications around year end as users tend to run more reports and analytics for purposes of budgeting and business performance. To benefit from the first step of virtualization to support these needs, IT needs to move to the next step and facilitate a practice around resource pooling and management.

The transition from step one to step two most likely will require a change to existing IT processes, which is why it can be complex and often present significant challenges to the business. While step one also incurs some process change, these are typically around provisioning of data center resources. However, most organizations can still apply their existing provisioning and procurement processes to the virtual environment. The transition from step one to step two will require changes in governance, capacity and configuration management, and require new techniques in monitoring to ensure that the resource pool is meeting demand. In turn, this requires training and expertise that is not yet widely available in the market, and thus, constraining businesses from taking this next step.

From IaaS to PaaS

The challenges facing many IT organizations in transitioning to cloud computing will eventually be overcome. As IT matures with regard to managing and operating a cloud computing environment, the real focus for this effort begins to become apparent—providing an efficient platform for applications and data that is secure, available and meets performance service levels.

Like the transition from virtualization to IaaS, the transition from IaaS to PaaS can be equally challenging. One of the more difficult aspects of choosing PaaS is the approach and architecture. In some cases, the platform can be represented as simply the collection and organization of a set of virtual machines. A common example of this is a Web application where all the components required to support the application are represented by server operating systems (see Figure 1).

(Click on the image to enlarge it)

Figure 1: VM-based PaaS

This type of PaaS closely mimics its physical counterpart, so it’s more familiar from a management and operation standpoint. However, due to the introduction of the hypervisor and cloud management software, it can be more difficult to troubleshoot issues due to inadequate resource management.

Another popular approach to PaaS is the application container. These containers support multiple programming languages and provide a set of services to the application, such as a database and messaging. Whereas scaling and high-availability are the responsibility of the operations team in the aforementioned architecture, cloud-based containers manage these attributes on behalf of the application. Examples of these containers include: Microsoft Azure, VMware Cloud Foundry, Cloudbees and EngineYard.

Given the complexity associated with scaling and high-availability, it can be desirable to leverage the capabilities of these containers. However, while configuration, deployment and operations may be simplified, these containers still leave much to be desired. Most of these containers are still in their early revisions and offer little in the way of security or governance controls. Hence, if your application has specific requirements for where a process may run or the locale for the set of servers that data may be accessed from, these platforms may be too immature to support your needs.

Additionally, applications tend to operate better in these containers when they are specifically developed with cloud computing in mind. Here are some attributes that should be adhered to when building applications for the cloud:

  • Applications should be able to scale in and out, not just up and down. That is, the application should be able to operate across multiple resource pools, not just within a single resource pool.
  • The application should take necessary precautions for security with regard to multi-tenancy. For example, it should secure log information and configurations as well as implement appropriate access controls to separate configuration and administration.
  • The application should not rely on the infrastructure to indicate failure. Hence, the application should implement necessary logic to ensure consistency of data and not rely on the underlying services or hardware to manage all consistency.
  • The application should not be aware that it is being migrated to best available resources. This means that the application should not make assumptions about the infrastructure its running on or define configuration statically.
  • Due to the nature of the cloud, the application should leverage a common identity management platform for access and management. This will ensure the application continues to operate unabated in a high-availability scenario.
  • The application should be able to delegate to platform services where available versus directly implementing with a specific service. While this does introduce additional overhead it also allows the application to more easily scale and meet service levels.

As is appropriate practice with all facets of cloud computing, it is the responsibility of the consumer to ensure that the appropriate security policies and levels are implemented and maintained. This means that your PaaS architecture must account for securing the data in motion and at rest as well as ensure that access to the application requires the appropriate authorization. All too often IT has placed minimal attention on this area with regard to applications deployed in their own stack within the enterprise data center. Given the lower risk levels, this was perhaps suitable, but with the move to shared resources, a greater emphasis must be placed on security across the entire environment.


Cloud computing is more than just a popular buzzword with regard to IT organizations. It is an architectural direction and mandate that requires operational and process changes. Approaching these changes from a bottom-up perspective has proven to be a successful approach by many organizations by allowing them to become proficient at building and managing shared resource compute environments. This foundation is critical to being able to transition to building and operating a PaaS by fostering the appropriate practices around configuration and capacity management, governance and monitoring.

Platform-as-a-Service is fast becoming a major focus for IT organizations that have successfully transitioned along the cloud computing maturity continuum. Platform selection will be highly dependent upon your organization’s ability to manage and operate the applications within the PaaS environment. Each of the platform architectures described has benefits and pitfalls that ranges from greater responsibility for the security and high-availability to less responsibility for these requirements. Moreover, the emerging PaaS containers may also require your IT organization to re-think how they have been developing applications and perhaps even re-engineer certain applications to operate in a cloud computing environment.

About the Author

JP Morgenthal is one of the world's foremost experts in IT strategy and cloud computing. He has over twenty-five years of expertise applying technology solutions to complex business problems. JP has strong business acumen complemented by technical depth and breadth. He is a respected author on topics of integration, software development and cloud computing and is a contributor on the forthcoming "Cloud Computing:Assessing the Risks" as well as is the Lead Cloud Computing editor for InfoQ.

Rate this Article