Image: 27% voted for cloud computing in Phil Wainewright’s recent PaaS survey. This sounds like the easy option, but is everyone really clear on what they are letting themselves in for? SaaS is not going to be pretty for many ISVs.

In part one of this article I introduced Phil Wainewright’s five layer PaaS model. Phil asked readers to say which layer they would prefer to use for building a SaaS application. Readers had cast 173 votes by May 15th.

In part two I looked at layer one: do-it-yourself and layer two: managed-hosting. Neither is suitable for SaaS ISVs. In part three I move up to PaaS layer three: cloud computing. Might this be more suitable for ISVs building SaaS solutions?

Cloud computing was the most popular choice of Phil’s readers. 27% said they would prefer it to develop a SaaS application. I wonder how many of them realise that cloud computing, just like banking, relies on a simple confidence trick…

Hardware is a now an API

Cloud computing presents physical servers and storage as abstract services. You can now create a secure and reliable virtual data centre with a few simple API calls.

The market leaders have not yet revealed the size of their clouds. For the moment they just say their clouds are plenty large enough to meet whatever your needs might be.

This cannot be true, of course, because virtual resources must eventually map to finite physical hardware. We know that Google, Amazon, Microsoft, Sun, CA AppLogix (formerly 3Tera), Mosso, Joyent, Nirvanix and other providers have a lot of hardware, but it is not infinite.

The (unstated) limits are probably huge. However, there is always a risk the cloud cannot provide you with server or storage when you need them. Is the all-you-can-use confidence trick something you need to worry about, or is this more a theoretical than real problem?

Confidence tricks are not always bad

Banking could not exist without a confidence trick: that you can always get your money back when you want it. We know that this cannot be true. If too many savers want their money then no bank can honour every withdrawal.

We know what happens during a run on a bank. Even knowing this, we still accept the risk because banking is so useful to us.

The same risk and reward trade-off applies to cloud computing. We know resources are not infinite; but that they are infinite enough most of the time. As long, of course, as most users use reasonable levels of resources most of the time.

The benefits of cloud computing for SaaS ISVs more than outweigh the risk of a full cloud. You can safely ignore the cloud computing confidence trick, just as you ignore the confidence trick banking needs to survive.

Cloud computing beats managed-hosting hands-down

Cloud computing is a great hardware solution; far better that managed-hosting or do-it-yourself for SaaS ISVs. You only pay for what you need and you can easily scale as your SaaS business grows.

Your data is more secure that it would be on your own server, as the never-ending press coverage of lost and stolen data reminds us. The cloud computing provider takes care of the underlying hardware (which you never get to see or touch).

Even with these benefits, you need to cover the full application lifecycle, not just the deployment hardware. You have no time to set up test clouds, rolling-updates, active support, change control and so on.

Automation tools including RightScale and Scalr can help. But even so, this is not your core competence and you should stay well away.

The cloud is not as opaque as you might think

Providers prefer opaque clouds to better balance their workloads. Ideally it should not matter where your servers or storage are. Unfortunately, this utopia will not happen: national laws and jurisdictions from the real world have already intervened.

Data protection laws in Europe restrict how you can store and process customer’s data. As a result, the cloud is not as opaque as it might first seem. The cloud computing providers recognise this and have announced support for different jurisdictions.

Salesforce.com is adding data centres in Asia soon, with Europe to follow so customers can keep data and processing out of the US.

Amazon’s availability zones allow you to store your data in Europe today; server instances running in Europe will follow.

Coming up…

Cloud computing is too low-level for you to worry about. Focus on your domain; do not waste your time on (virtual) hardware (no matter how interesting this might be).

The next level up in the PaaS market model is level four: cloud IDEs. These build on the cloud computing platform, adding development and deployment tools. The idea is you can focus on your SaaS solution and not worry about anything else.

Next time on PaaS Talk I will take a first look at cloud IDEs. This is where PaaS starts to get really interesting; I look forward to seeing you in part four of this article.

What’s your view of cloud computing? Have you run into any problems separating test from production? How much time are you spending on operations? Are you using automation tools?

Image: On-premise ISVs don’t really need to be concerned with what their users are doing. This is not the case for SaaS, where the service provider needs to meet “know your customer” and other legal requirements.

ISVs must consider their jurisdiction, as well as that of their customers, suppliers, processing utilities and data storage providers. Not knowing enough about your customers can be expensive, and could even land you in jail. PaaS providers can add value to European ISVs by abstracting these jurisdiction issues and keeping track of future legal changes.

In Is jetting to Cuba this summer a bad idea for European SaaS ISVs? I reported on how the US Treasury’s Office of Foreign Asset Control (OFAC) can impact non-US companies. A European travel agent appeared on the OFAC blacklist for selling Cuban holidays.

The travel agent’s only US assets were the DNS database registrations for their .com domain names. The domain register froze the .co domains following a call from OFAC; the travel agent’s websites disappeared from the Internet.

New US rules intended to prevent identify theft came into force on January 1st 2008. These new rules are part of the US Fair and Accurate Credit Transactions Act (FACT). The FACT rules cover all companies that keep consumer accounts with personally identifiable information. Companies covered by the new rules must comply by November 1st 2008.

Companies will have to check customers against the FACT list of suspected identity-theft criminals. They must also watch customer’s transactions and report anything suspicious (so-called “red flags”). There are threats of fines and even jail for breaking the reporting rules.

FACT does not just apply to banks and financial institutions. As online service providers, SaaS ISVs will also have to worry about these rules. It will take time, and you face complex questions about jurisdictions.

Welcome to law enforcement

As a SaaS ISV you provide services and have customer accounts involving money and online identity. It is likely you will also have to meet Know Your Customer rules. What’s more, you must identify all suspicious transactions and report these to the proper authorities.

The US is not the only country moving towards privatising law enforcement in this way. The UK also has strict Know Your Customer laws intended to prevent identity theft fraud, money laundering and terrorist financing. Even China now has similar rules.

Many of these laws overlap and could even be in direct conflict. It will be many years before consistent rules apply between the US and EU. Meanwhile you must stay up-to-date with the latest rules in each jurisdiction.

It is not just where you are, but where your customers and suppliers are as well. You have to get it right as the penalties are severe, and ignorance of the law is no defence. Hobby developers might not care about these rules, but business ISVs must.

Jurisdiction-abstraction as a service?

Mapping these new rules to your utility computing and PaaS providers will be a complex, and lasting, problem. However, it is a problem common to all ISVs; it is not different for each vertical niche.

It must be possible to find a common solution. PaaS providers are therefore in an ideal position to provide jurisdiction abstraction features on their platform.

I look forward to seeing how PaaS providers will solve this problem. It is not so much a technical issue, but is critical for SaaS in general and PaaS in particular. Those that can abstract away US, EU and other jurisdiction problems will have a real benefit to talk about.