Federal IT Executive's FAQ: Platform as a Service (PaaS) vs. Open Source Stack

The Federal Government is adopting new approaches to IT at a historic pace. The long-standing trust in the large software and services vendors is vanishing rapidly under the realization that the Government was oversold licenses it didn’t need or use, and is now burdened by massive operations and maintenance costs for armies of resources running stacks of hardware and software. This leaves almost no funds for true modernization and has driven an upsurge in interest and guidance on new approaches to IT. Two areas that are gaining significant traction are PaaS and Open Source Software. Which is the right answer for solving these longstanding problems? In this FAQ I tackle the biggest issues: Cost and Security.

Should we be comparing PaaS and Open Source at all?

Let me be frank and say that comparing these two things is really like comparing apples and oranges. For example, many PaaS vendors may be using Open Source Software in their solutions, and some allow provisioning of Open Source software stacks. We have, however, heard many executives who are struggling with their inefficient IT situations bring up both approaches when looking to modernize – both are being encouraged through federal guidance. Here is a quick review of the two:

Open Source is an approach to the development and licensing of software. The main tenet is that the source code is freely available and may be modified by others as long as they keep the free Open Source licensing. Many brilliant contributors have helped develop much of the code running the internet today as Open Source efforts. Linux, Apache, MySQL, Java OpenJDK, and JavaScript platforms and frameworks such as Node.js and Angular are all examples of extremely useful and popular Open Source software efforts used in millions of web applications. The touted benefits of Open Source are free licenses, and software that is considered more secure because many individuals can help identify bugs and security vulnerabilities.

PaaS is a hosted, pre-integrated, and secured stack of software that allows you to rapidly build applications by focusing on the business logic of the application rather than building and maintaining hardware and stacks of software such as the operating system, web server, application container, presentation layer frameworks, and specialized software such as CRM, case management, collaboration, and analytics. PaaS brings all those capabilities to you as a service in the cloud without the need to integrate and maintain all the hardware and pieces of software.

Which ends up being more cost effective – PaaS or Open Source Stack?

The quick answer is that a well-implemented PaaS, despite paying for the service, will be cheaper and more secure in the short and long run. This is primarily due to these facts:

  • Open Source elements have no license cost, but they require time and money to configure and integrate to support a complete application, even before you start developing your real business logic.
  • Open Source software layers still need to be operated and maintained, just like in a legacy model. You still need your administrators and specialists to keep things going. This means, for example, that Oracle may not be getting their license fees anymore, but the large integrators will be happy to charge you to keep your Open Source software stacks and applications running. We know of an example of an architect who designed an Open Source stack for application development that used over 50 different Open Source software products. The more significant and enterprise-grade the application is, the more this is the case.

The following is an illustrative example, mirrored from a real-world situation, of what the costs look like for three different scenarios for modernizing a legacy mission system that originally cost $10,000,000 to develop: 1) Keep the legacy system running, 2) Rebuild the system in a PaaS environment (we call this re-platforming), and 3) Rebuild the system using an Open Source stack.

In this example, re-platforming the system using PaaS costs 30% of the original system implementation cost (Sources: IDC, Forbes), and that cost is recouped in the second year. There are significant savings thereafter. The 10-year cost of continuing the legacy system is estimated at $25M versus roughly $11M for the PaaS solution. This is primarily due to the reduced O&M costs (PaaS solutions average a 65% saving in O&M – Source: IDC) and no hosting costs. Rebuilding the system using Open Source layers was estimated conservatively at 60% of the legacy implementation costs and 85% of the legacy O&M costs. As you can see in the graph, the Open Source re-implementation costs are recouped in year 8. The cumulative 10-year cost of the Open Source system is roughly $22M, a $3M savings over keeping the legacy system running, but $10M more than having re-platformed the system using PaaS.

[Figure: CostsSheet.png – cumulative 10-year cost comparison of the legacy, PaaS, and Open Source scenarios]

This analysis illustrates the often-ignored fact that even though individual Open Source software products can be of high quality and secure, by the time you build your Open Source software stack out of multiple products and build your application, you have a system that can be almost as complex and expensive to maintain as the legacy system you are replacing. The whole purpose of PaaS is to outsource that complexity at a far lower cost and allow you to focus on your mission-specific business processes when building an application.

Which is more secure – PaaS or Open Source Stack?

Tony Scott, the Federal CTO, has been sounding the alarm about the O&M costs of legacy systems and the difficulty of securing these systems. He is correctly using the concept of “Secure by Design”: the idea that all the pieces of a system are designed with the whole in mind when it comes to security. Scott said most agencies are just "bubble wrapping and air bagging existing environments." What Mr. Scott is talking about is not an easy task. You can replace an aging mainframe, or a system made up of many legacy components, with lots of new, individually secure Open Source components, for example, but end up with an overall system that is almost as insecure as what you are replacing. Paul Tatum, Vice President of Solution Engineering for Public Sector at Salesforce.com, graciously allowed me to adapt a telling graphic he put together describing the number of different combinations a common hardware and software stack can create when it comes to just versions and patches. I have adapted this to incorporate Open Source elements. The reality is that the astronomical complexity does not diminish. In fact, given the branching of code bases that can happen in the Open Source world, it can make the problem worse. This is an example stack before adding more advanced layers such as case management, or even writing a single line of code.

Every agency or system owner is now tasked with securing such a complex beast. Are there enough security experts available to “bubble wrap” all of these, and how much do the best of them cost? This is where PaaS differs drastically from the do-it-yourself Open Source approach. With a well-built PaaS, security is designed into the vendor's software stack, and the more control they have over that stack, the more they can limit the combinations, and thus the complexity. It is also in their financial interest to provide an incredibly secure environment, as breaches are a fundamental risk to their entire cloud-based business models. For example, Salesforce.com spends hundreds of millions on security, and even employs security experts who make seven-figure salaries, an option generally not available to the federal workforce or even IT contractors at government billing rates.

It turns out that not every PaaS solution is created equal. I will cover this topic specifically in a future FAQ. Gartner also has its own analysis of the topic. However, the “complexity influences security” issue is important enough to merit a brief summary here. Different PaaS vendors provide different levels of configurability of their software stack makeup. Microsoft’s Azure, for example, allows you to provision a broad set of products, allowing you to re-create the complexity you can create in your own datacenter. Their main business applications are the Dynamics suite hosted in the cloud. IBM’s Bluemix and Amazon Web Services follow a similar model of allowing you to provision all kinds of software. Salesforce.com’s platform is an example where all the pieces are integrated by design. Your only concern is identifying which pre-integrated features you want to pay for and building your business applications. Salesforce was also the first PaaS vendor to build a FedRAMP-authorized cloud specifically for the federal government on US soil, with American citizens running the operations. For Enterprise Application Platform as a Service, Salesforce is the market leader, and Gartner came to this conclusion as well. My point is that due to its high level of integration and emphasis on "Secure by Design", it is also a far more secure solution than other PaaS offerings and definitely more secure than a do-it-yourself Open Source approach, no matter how much "bubble wrap" you use.