In an SAP-sponsored post on ZDnet, SAP employee Eric Lai attempts to identify "four big problems" with multitenancy in cloud applications. As I am writing a soon-to-be published research report on cloud ERP, I was interested to hear Eric's take on the subject.
By way of definition, in a software-as-a-service application, the term multitenancy refers to an application architecture where a single instance of the system's application code and database serves multiple customers.
Please read Lai's entire post, as, in the interest of space, I will not quote from it extensively.
Lai gets off to a good start:
Anyone can see how much more efficient [multitenancy] is versus the old server hosting model, where the ratio of server:customer is 1:1. Even using today’s Red Hat-type virtualization, each server can cram fewer users/customers onto itself than a true multitenant service.Besides their efficiency, multitenant services can scale easily. Both of these mean lower costs for the hosters/software vendors, and, potentially, lower prices for customers.
No argument there. But then he quickly goes downhill. He first draws a distinction between consumers and enterprise customers, which have "much more rigorous requirements." He then presents his four objections to multitenancy.
1. "It's Inflexible."
Here, Lai doesn't really make a flexibility argument as much as a security and privacy argument. He points to privacy laws in some European regions that require data in some circumstances to be stored locally. But this is not an argument against multitenancy--it's an argument in favor of local data centers. A single-tenant system provider will need to build local data centers in the regions it serves, just as a multitenant provider will need to do so.
He then argues that multitenant systems might allow competitors on the same system to see each other's confidential information. I agree that IP theft is an increasing problem, especially with organized gangs of cyber-criminals in Eastern Europe and Asia, who in some cases may have the endorsement of their governments. (See, for example, this report.) But I do not know of a single cases where one tenant on a multitenant system was able to access the data of another customer on the same system. Tellingly, Lai provides not a single reference of such a confidentiality breach.
2. "It's Less Secure."
He now makes the security argument again, from a different angle. Here he argues that a multitenant database gives a careless database administrator, or a malicious hacker, the opportunity to compromise, with one breach, the data of multiple customers rather than just a single customer. He overlooks the fact that if a DBA is careless with one database, he or she would probably be careless with multiple databases. Likewise, if a criminal is able to gain access to a single customer's database in a secured data center, he or she will probably be able to gain access to many or all of the customer databases in the same data center.
3. "It's Less Powerful."
Here the argument is that the capabilities of the platform-as-a-service providers do not match the capabilities of traditional database tools. He points to Salesforce.com's database.com, Google App Engine, and Windows Azure as examples. Here, I find Lai's argument similar to that of Larry Ellison, head of SAP's arch-rival, Oracle.
In response I would point to the testimony of the head of development of one new enterprise SaaS provider. This individual came from a traditional enterprise software development and has now built sophisticated enterprise applications on both NetSuite's platform and on Force.com. He told me recently, "Frank, you wouldn't believe how easy it is to develop on these platforms. Things that used to take us months [at vendor X], we can now do in weeks or days."
Although I am no longer into software development, I am willing to stipulate that the newer cloud platform-as-a-service (PaaS) environments do not have all of the features and functions of traditional on-premise application development environments. (So also, in the old days we couldn't do as much with third-generation procedural languages, such as COBOL, as we could in assembler language. And, we couldn't do as much in 4GLs as we could in third generation.) But a PaaS removes an enormous amount of development work, by abstracting database, middleware, and user-interface functions, allowing the developer to focus on business logic. Furthermore, if (as I believe) PaaS is a disruptive technology, we should expect its capabilities to improve over time, and increasingly able to take on jobs that formerly could only be done by traditional tools.
4. "It May Be More Costly."
Here he doesn't mean the cost to the customer, but the cost to the ISV who wants to move from a traditional on-premises software product to a cloud offering. He is arguing, in essence, that it is cheaper for the vendor to simply host his traditional product as a single-tenant offering (i.e. changing nothing) than to rewrite it as a true multi-tenant SaaS offering.
As an advocate for enterprise IT buyers, I have to ask, will that hosted offering will be less costly for customers? Lai doesn't say. But in his introductory paragraphs (quoted earlier), he indicates that multitenancy offers "lower costs for the hosters/software vendors, and, potentially, lower prices for customers." So he has contradicted himself in his own post.
A Puzzling Position
Finally, what I find strange about this SAP-sponsored blog post is that it seems to contradict SAP's own position relative to Business ByDesign (ByD).
ByD is a full multi-tenant ERP offering for SMBs. It is a well-known fact that SAP's first attempt at ByD employed a single-tenant architecture, similar to that proposed by Lai in his blog post. That iteration was not successful in that, according to SAP spokespeople, they could not get that approach to scale cost-effectively. So, SAP took an extra two years or so and rewrote ByD as a completely multi-tenant application. The system is rolling out in multiple geographies worldwide, in local data centers where required, presumably with security and privacy measures commensurate with SAP's high standards for customers. The system is cost-competitive with other SaaS ERP offerings and has grown quickly to over 1,000 customers at the end of 2011.
SAP now has such confidence in its ByD platform that it has made it the platform for developing its line-of-business applications, such as Sales OnDemand and Travel OnDemand, for its large enterprise customers--presumably the ones with the most demanding security and privacy requirements.
Now, at the top of the post, ZDnet does make the disclaimer, "Eric's views are his alone and do not necessarily represent those of SAP." Still, as I mentioned, I find it puzzling that Lai's views appear to be closer to Larry Ellison's than those of his employer.
I am waiting for SAP's rebuttal to its own sponsored post.
Update: Eric Lai responds in the comments below.
Update, Feb.23: Please read the more detailed response on SDN by Sybase's Eric Farrar.
Related Posts
Cutting Through the Fog of Cloud Computing Definitions
SAP in Transition on Mobile, Cloud, and In-Memory Computing
