Held to ransom

Are your vendors partners, or are they locking you in?

The internet of other people's things

Take a look at any of the low-cost hardware platforms that are often cited as driving growth in Internet of Things (IoT) technologies and they have 'open' written all over them. Quite literally, in the case of open hardware like Arduino or Raspberry Pi. You'd think, then, that vendor lock-in wouldn't be an issue in IoT development, but, sadly, that's not yet the case.
"It's not too open today," says Michael Westberg of the German company Connode, which specialises in wireless mesh networks for IoT devices like smart meters. "But it is changing. The billion-dollar question here is when true convergence on a small number of open standards will happen. Today, the market is fragmented, with different solutions in different industry verticals."
Utilities, which are often among the earliest adopters of IoT technologies, aren't used to buying the kind of 'horizontal solutions' that ensure interoperability and future portability, Westberg says.

In the bad old days, when proprietary formats dominated, it was impossible even to change your accounting software without spending a fortune on data migration and clean-up, after which the chances of everything working smoothly were still pretty slim. We've had decades of customer activism, industry pressure, legal battles, mammoth fines for anti-competitive practices, antitrust suits and more, all of which have pushed vendors to adopt more standards-defined approaches.

When Microsoft adopts a policy of openness and includes one of the easiest ways to deploy a Linux server as part of its standard Azure toolkits, not even the most skeptical could argue things haven't changed. But as business computing becomes more complex and yet more abstract in the era of the cloud, managed services and the Internet of Things, so the likelihood of being tied to one supplier is a question businesses have to face.

"An open web is an interoperable web based on open standards," says Gianugo Rabellino, a senior director at Microsoft Open Technologies and member of the Apache Foundation. "Usable by the community and often open source."

It's not something you'd have heard from the Microsoft of yore, but with the influence of people like Rabellino and its CEO Satya Nadella - who worked for open source champions Sun Microsystems prior to joining the Redmond firm - the company has finally made an effort to make Internet Explorer standards-compliant and gone as far as open-sourcing significant parts of its software base, including .NET and Chakra, the JavaScript processing engine at the heart of its new Windows 10 browser, Edge.

It's a far cry from just a few years ago, when in 2011, the European Commission faced heavy criticism for pursuing a Windows 7 upgrade program without opening the process up to tender, which could have included alternatives. The Commission argued that changing supplier for its desktop operating systems to - say - an open source alternative would be too technically challenging to implement and therefore exempted the process from its usually strict rules around competition in the procurement process.

While desktop software and the web are certainly a lot more open than they used to be, standards in the cloud world are few and far between - and while spooling up an Apache server is simple on either Amazon Web Services (AWS) or Microsoft Azure, the deeper companies delve into the cloud services, the greater the chance of vendor lock-in becomes. As with desktop computing, it's not just technical lock-ins and incompatible APIs for advanced services; many companies find that if cloud costs begin to mount up beyond their expectations, just the costs of migrating large amounts of data from one provider to another can be prohibitive enough to act as a lock-in.

Business benefits

Amazon, for example, recently released a suite of tools that makes migrating databases from almost every major format to its SQL-compatible Aurora database hosted in AWS fast and simple, with, the company boasts, almost no downtime. Getting data back out is fairly straightforward, given that it's SQL-compatible, but there are charges for exporting data from AWS even before the technical process starts.

Lise Hagen, a research manager at analysts IDC South Africa, says that vendor lock-in is frequently cited as a reason for enterprises not to adopt cloud services. But as vendors move away from proprietary formats and towards more standards-based approaches, she says there are still strategic decisions that will see companies effectively tie themselves down to providers.

"From a technical point of view, lock-in is less of an issue," Hagen says, but adds that more large firms are choosing to develop very close relationships with cloud service providers that look like the shackles of lock-in because the platforms they offer allow for the flexibility they need, and the pace at which large cloud providers are developing those platforms increasingly outstrips anything that could be done in-house. Working closely with a cloud provider can have distinct business benefits.

"Ultimately, vendors with targeted resources can innovate faster than other companies do," Hagen says. "So partnering becomes a softer relationship than before - it's more about long-term strategy.

"Partnering is a two-way thing," she adds. "Companies that want the best services from a vendor will have to understand that the vendor wants something back in loyalty."

That doesn't mean standards aren't important, of course. Timo Goosen is a co-organiser of the Cape Town branch of the Open Web Application Security Project (OWASP). He says that as with anything, when purchasing cloud services, companies should value vendors that are as open as possible because the chances are they'll be the ones that can keep your data secure.

"When it comes to vendor lock-in, companies should choose products that can easily integrate with other products from other vendors and that run bug bounty programs," Goosen says. "Many of these big companies are very stingy when it comes to paying researchers for finding security issues in their products. These very same companies that are stingy are the ones that get hacked over and over again."

Goosen agrees that lock-in is more complicated than simply being open, though. Today's soft lock-ins are just as binding.

"Vendor lock-in is usually associated with proprietary software, but it also happens with open source software...for example, if you buy from the only company that sells support for that software in your area, then you can also feel locked in, because there won't be anybody else that you can make use of should you wish to change at a later date."

Certainly, many CIOs are still cautious. In the US, research firm the Enterprise Software Group (ESG) says vendor lock-in is still the second highest concern for people migrating to the cloud and 'hyperconverged' systems after price (security, oddly, comes much further down the list).

Of course, they still migrate anyway.

This article was first published in the [March 2016] edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.
