Nearly all modern companies rely upon the services of other companies in order to stay competitive and agile, and to focus on growing their core business. Imagine starting a business today without the services of another. Payroll, taxes, web hosting, email hosting, telephony, invoicing, payment processing, record-keeping, government filings, and a litany of other functions would need to be solved for before you could begin actually running and growing your business.
You simply must sacrifice some degree of self-reliance in order to function. That is why stories such as that of Nicolas Beauvais and his company Raisup can cause a shiver to run down the spine of business owners. Raisup, a French startup focused on using artificial intelligence to assist in corporate strategy decisions, is a heavy user of the cloud provider Digital Ocean. On May 31st, Digital Ocean unceremoniously locked Raisup out of all of the resources they use to run their core business, effectively shuttering the young company (at least temporarily).
Fortunately for Raisup, Beauvais had previously amassed a considerable following on Twitter and other venues (Hacker News) and was able to leverage his clout to have the account restored. As a result, Digital Ocean’s customer service response transformed from the stonewalling to which we all have become accustomed…
Support already answered that our account will not be reactivated without any explanation, I answered with another (5th) explanation of our use case and got no answers. This is not acceptable, we were trusting you. All we got was automated messages. My holidays are ruined
— Nicolas Beauvais Ⓥ (@w3Nicolas) May 31, 2019
…to a much more thoughtful set of responses, and a considerable amount of backpedaling…
Hi Nicolas, we are very sorry for this incident. We are reviewing the processes that resulted in your account being locked twice. Access has been fully restored, and your resources were not destroyed. Your account will not be locked again, and we will be following up with you.
— DigitalOcean (@digitalocean) May 31, 2019
The trust of our users and the community is our top priority. We have fully restored the account and are doing a full investigation of this incident. We will post a public postmortem to provide full transparency for our customers and the community.
— DigitalOcean (@digitalocean) May 31, 2019
We hear and understand your concerns and apologize for how this was handled. We have restored the account and are doing a thorough investigation of this incident. We will post a public postmortem to provide full transparency for our customers and the community.
— DigitalOcean (@digitalocean) May 31, 2019
Digital Ocean announced that they would be conducting a “thorough investigation of this incident” and providing a “public postmortem to provide full transparency for our customers and the community.” For many, the damage control was too little, too late. Users of Digital Ocean and other cloud services expressed their loss of trust and fears of vendor lock-in on Twitter and other forums (Hacker News).
As promised, Digital Ocean published An Update on Last Week’s Customer Shutdown Incident, which gave an overview of the incident, a timeline of events from their understanding, and their key findings. In their timeline of events, Digital Ocean does not shy away from acknowledging the role that social media played in resolving the incident, noting that “social escalation” had led to “the account being unlocked/powered back on”. This still left many other Digital Ocean customers fearful of what would happen to their accounts if they couldn’t use social media to draw as much attention to their situation as Nicolas successfully did.
While this may cause you to question how many eggs you should place into one vendor basket, Bernard Golden, CEO of Navica, tells readers “Don’t avoid cloud vendor lock-in. Embrace it.” As companies are looking to automate or simplify everyday business functions, he states that “Succeeding in this world requires stepping away from standard IT offerings and crafting bespoke solutions. You must reimagine the way your company delivers products and services, how those products and services operate, and even how customers interact with your company’s offerings. In short, IT groups must move beyond standard software packages, create sophisticated aggregations of software components, and customize those to deliver exactly what the company needs to provide a differentiated product to its customers.”
In order for software to operate at the level that businesses require, we have to make the switch from existing software to cloud-based services. Golden continues: “The right choice is to find a provider that can implement these products as a service. Providers can hire the talent, provide enough infrastructure, and ensure redundancy and scalability. Of course, that raises the specter of lock-in. And then you must focus on implementing the right functionality on top of the services the provider offers… The only way to really deliver next-gen applications is to take advantage of a provider’s higher-level services—a.k.a., embrace lock-in.”
According to Craig McLuckie in his article Four Ways to Avoid Vendor Lock-in When Moving to the Public Cloud, “there are steps that organizations can take to lower the risk of lock-in (that provide some added business benefits as well).”
The first step he recommends is to embrace open source technologies where possible. “All of the cloud providers, to varying degrees, support the integration of open source technologies for containerized applications, services and orchestration. Open source-based cloud services (like Amazon RDS that is based on MySQL or Google Kubernetes Engine that is based on the open source Kubernetes project, of which I was a co-founder) have analogs in other environments, or you could always run your own version if you needed to.”
Second, “find your ‘Goldilocks’ abstraction layer… When properly applied, this infrastructure abstraction offers a degree of flexibility to run applications in a wide array of environments without limiting their capabilities.”
Third, “be judicious about adopting bespoke services.” Companies should be deliberate and intentional in choosing when to adopt services that might create a lock-in situation, but should not necessarily shy away from truly differentiated services that offer deep value. Those should, however, be used with care.
Finally, “be deliberate… The cloud offers a great deal more promise than simply outsourcing the running of basic infrastructure and adopting the practices of the “cloud native” world can have significant benefits in other environments. And the earlier they start, the less likely they are to find themselves having stumbled into a lock-in situation, and the more they will get out of the transformative change that is moving through the industry.”
At Oscillas we tend to agree with these suggestions, especially to “find your ‘Goldilocks’ abstraction layer”. Understanding where abstraction creates value and where it creates liabilities is critical to reducing vendor-related risks. There is a tremendous amount of value in standing on the shoulders of these giant cloud providers and their multi-billion-dollar R&D teams. That said, risk reduction is important, and it’s a service that we provide to our clients every day. Whether through on-prem backups, provider-agnostic architectures, or detailed contingency plans, we are able to leverage our experience with these issues to make the most out of cloud-based services while minimizing the risk of third-party reliance.