IaaS Archives - Club Cloud Computing

Business Model Canvas for Cloud Providers

Cloud Computing is not so much about technology but more about the new business models that this technology enables. The question then is, how do these business models look? One of the most inspiring ways of looking at business models is through the so-called “Business Model Canvas”. This article explores the basics of cloud computing business models as drawn out on such a canvas.

Business Model Canvas

The business model canvas is a visual template for developing and discussing business models. For more information see http://en.wikipedia.org/wiki/Business_Model_Canvas and http://www.businessmodelgeneration.com/

AWS EC2 cloud canvas

The business model canvas has nine basic building blocks and specific relations between those building blocks. The rest of this article describes each of them, and gives a brief example of how they apply to a cloud provider proposition. The main cloud provider example I will use is Amazon Web Services (AWS), in particular EC2 (virtual machines on demand). This is an Infrastructure as a Service offering. The power of the business model canvas approach will become clear if we see how it can distinguish between various cloud service offerings and traditional IT.

Customer segments (CS)

In the Business Model Canvas, “Customer Segments” are the groups of customers that the company ultimately serves, i.e. the ones that consume and pay for the services.

In the AWS case, although basically anybody with a credit card can spin up a virtual machine, it looks like Amazon is primarily targeting software developers and (startup) SaaS providers as its main customers. Historically, Amazon development teams were the first customers. External customers were initially added as an afterthought.

Value Propositions (VP)

The value propositions reflect the customer’s problems and needs. This is the central element that describes why a customer would ultimately pay for the product or service.

The value proposition of cloud computing centres around its five essential characteristics. For example, in the AWS EC2 case, the core component of the value proposition is rapid self-service provisioning of virtual machines with pay per use billing. For each individual customer this translates into different business advantages. An example is reduced capital expenditure and reduced risk of over-investing or under-provisioning.

Channels (CH)

Value propositions are delivered to customers through communications, distribution and sales channels.

It is often assumed that cloud computing relies solely on self-service direct sales, but the reality is much more diverse. SaaS providers in particular are developing extensive partner programs.

AWS primarily employs a self-service direct model, where the delivery is through APIs. AWS also provides a web user interface to those APIs. Interestingly, that interface used to lag in functionality behind the main AWS services, but these days most new features are announced on the API and the Web UI simultaneously. The model is enhanced by premium support.

Customer Relationships (CR)

Customer relations are established and maintained with each specific customer segment.

One of the ways that AWS maintains relationships with its customer segments is through conferences. The 2013 re:Invent developer conference attracted 9000 visitors. Additionally, there are vibrant online communities. Finally, though details are scarce, we can assume that AWS does extensive analytics on the activities customers engage in on the platform.

Revenue Streams (RS)

Revenue streams are the result of value propositions that are successfully offered to customers.

The structure of revenue streams is where cloud computing differs from earlier IT service models, as they are usage based rather than asset based.
AWS basically charges hourly fees per virtual machine. The ‘bigger’ the virtual machine, the higher the hourly rate.

Key Resources (KR)

Key resources are the assets required to offer and deliver the previously mentioned elements (e.g. value proposition, customer relationships).

AWS owns massive amounts of hardware, estimated at 1 million servers or more. That is housed in dozens of data-centres worldwide. But there is more; the service can only be delivered through advanced and unique fulfilment software and processes. Amazon must have invested substantially in that.

Key Activities (KA)

The key resources perform key activities.

At AWS the key activity, delivery, is highly automated. But at the scale of AWS, oversight and resource planning is still a serious effort. Optimizing assets versus utilization is essential in the IaaS business model. Through economies of scale, AWS is able to spend a lot of effort on these activities.

Key Partnerships (KP)

Some activities are outsourced, and some resources are acquired outside the enterprise.

AWS buys immense amounts of hardware, and uses a lot of (open source) software. Building of data centres is also likely to be outsourced.

Cost Structure (CS)

All business model elements result in a cost structure.

In more traditional IT service models the revenue streams are tightly coupled to the cost structure. The cloud computing innovation is also about decoupling these.
At AWS the main cost elements are in assets such as servers and data centres; in services such as electrical power and telecommunications; and in people for developing and managing the systems.


The business model canvas is a good tool to map out the particularities of cloud provider business models. In this article we have only looked at the basics of a particular infrastructure provider. For software-as-a-service providers, cloud brokers, or internal/private cloud providers, the canvas can also be used to discuss their differences.

If you want to know more about the business of adopting cloud computing, have a look at my “Cloud Adoption Essentials” course.

Which Cloud service model is right for you?

Cloud Computing is no longer an option, but a reality in the IT landscape of almost all organizations. At the same time cloud computing has a lot of variants and choices. These choices are relevant for the IT strategy, and in some cases even the company strategy.

This article outlines in a step by step way the most important questions that you can ask to come to the right cloud strategy.

The first question is: what to expect of cloud computing? Which business improvements do you aim for? Cost advantage? Agility? Mobility? Innovation? If you don’t have a clear idea on this, it may be sensible to first dive into cloud characteristics, models, options and alternatives.

infographic cloud service model

The next question to ask yourself is this: which IT applications and functionality are the most important ones for your organisation? What is most needed in IT, now and in the future? Is that e-mail, ERP, CRM, a big website, or something else?

With this overview, you can ask yourself the central question, the one question that has a fundamental impact on your strategic cloud choice. And that question is: are these important applications unique for your organization? Do they make the organization into what it truly is, are they nowhere else to be found, are they of vital importance?

If the answer to this question is ‘no, these applications are not uniquely important to my organisation’, this means that the core competence of your organisation is not in IT. That is not a bad thing, you can be a very successful 5 star restaurant, or a manufacturer of advanced pumps for the process industry, without having unique software. In that case, having your own hardware is senseless, in the long run. It may take a while for the software market to realize this, but you are ultimately a SaaS ‘consumer’.

Star restaurant or not, as a ‘SaaS consumer’ the most important IT competence is selecting and implementing SaaS offers. Depending on the type of company this also requires quite a bit of IT competence, but that will be the topic of a later article.

If the answer is: ‘yes, my software is very unique, i cannot get it elsewhere’, then new opportunities arise. Your software and the associated data is a ‘strategic asset’. It would be a waste to only use it for your own company. There are probably other organisations who could also benefit from this software. If you are not directly competing with them, you could be their SaaS provider.

You should also consider giving your partners in the supply chain (customers, suppliers, etc) access to that software to enable them to do their work better, and to generate new business. This is in line with the practice of certain insurance companies: they give their agents direct access to their policy database. It is even thinkable that there are start-ups that would love to innovate with that strategic software. Procter and Gamble, for example, has opened up its research database to enable innovation by outside companies. As a result the percentage of patents that are actually used in products has risen from 10% to more than 50%. As early as the 1960s, American Airlines set up the SABRE flight information and reservation system that was used by travel agencies and other airlines.

My proposition is this: if you have strategic software assets, you also want to be a cloud provider for that software.

So, as a provider of software services (SaaS), what are your strategic options? Unless you have a substantial and constant workload it is not very sensible to purchase a lot of servers and associated hardware. The more obvious approach is then to procure your servers in an IaaS model (Infrastructure as a Service). This has the disadvantage that your system administrators, in collaboration with your software developers have to have substantial expertise in software scalability. You will have to deal with choices around multi-tenancy architectures, and detailed capacity and performance management. It may be worth your while, but there are quite a few alternatives these days.

Instead of IaaS, you can also focus on a PaaS (Platform as a Service) strategy. Scalability of the architecture is then no longer an issue for the developers. One disadvantage of this strategic choice is the potential for ‘vendor lock-in’ if the software is not easily ported to a different PaaS provider. This will then be something to address in the software architecture.

An example of this approach is the website that was built in 2011 for the British Royal Wedding. It was developed and deployed on Google App Engine. The scalability of the website was very important, and could be guaranteed easily with this design choice. For a website of this type, vendor lock-in is also not very hard to avoid. Most of the content is fairly static, functionality is limited, and the lifetime of the website is also short.

A few other strategic design choices for the cloud provider have to do with the degree to which services of other cloud providers can be used. For starters, you can ask yourself if you want to go to market all by yourself, or that you want to work with a ‘broker’ who includes your service in his portal (which is like an app store). That too has implications for your software architecture, because the portal can assume some of your functionality, like customer registration.

Finally, once again, it is a good idea to ask yourself which part of your functionality is truly unique. As an example, if you are a start-up companies it does not appear to be very distinguishing to develop your own software for helpdesk, payments and identity management.

In summary, cloud computing offers a lot of opportunity for setting up IT and positioning an organisation for a bright digital future. But doing it all by yourself is only rarely the best plan..

Interested in finding out more? Find yourself a relevant cloud training or workshop, or contact me directly.

Join our research – Cloud Assurance in practice

The Dutch CSA chapter has a plan to address the number one concern of organizations using cloud: “can we trust our provider?”.

The CSA (Cloud Security Alliance) has developed a number of tools to address that situation. Our plan is to test these tools in practice, and record the experiences for inclusion in a “best practices” paper.

The main CSA tools are combined in the so-called CSA GRC stack (which stands for Governance, Risk management, and Compliance).

The “Security guidance for critical areas of focus in cloud computing v3.0” is the underlying body of knowledge for the GRC stack. We typically refer to this document as the ‘CSA guidance’.

The first component of the GRC stack is the CSA Cloud Controls Matrix (CCM). These controls are largely based on the recommendations of the CSA guidance.

The CCM is called a matrix, because it cross references other assurance frameworks such as PCI-DSS (payment card industry) and HIPAA (Healthcare).

The CCM can be used as a framework to give assurance to cloud customers. To make this process more efficient, CSA has introduced a number of additional tools. One of them is the CAIQ (Common Assessment Initiative Questionnaire, pronounced ‘cake’) which is a standardized list of questions to use to evaluate cloud providers. Each question in the CAIQ corresponds to exactly one control in the CCM.

Cloud consumers can take the CAIQ as a basis, select questions from it, add their own questions, and submit it to a number of cloud providers.

The smart move for a cloud provider is to pre-answer the CAIQ, and publish the results. This is the ambition of STAR (Security Trust and Assurance Registry), which is also a CSA initiative. And it does not stop there, beyond this there is Cloud Audit and the Cloud Trust Protocol. These products are in development and aim to go further by automating parts of the assurance process.

STAR is planned to have multiple levels:

  • Level 1 is Self-Assesment, based on a provider report following either the CAIQ or the CCM.
  • Level 2 is Third-Party Assessment, where the idea is to use the requirements of the ISO/IEC 27001:2005 management systems standard integrated with the CSA Cloud Control Matrix (CCM) and an organization’s own internal requirements or specifications to assess how mature their systems are.
  • Level 3 is a Continuous Monitoring based certification. This is currently under development.

These three levels are collectively referred to as the Open Certification Framework (OCF).

Our ambition is to do a number of case studies in applying the CCM and CAIQ. These case studies would preferably cover at least a provider and a financial business (bank or insurance firm).  For providers, this could lead to an actual STAR entry with its associated benefits.

Some of the expectations are:

  • The CCM will be a better fit for cloud services than other assurance frameworks
  • Assurance frameworks such as the CCM will lead to lower costs for consumers and providers because audit costs will be lower.

Some of the research questions are:

  • How is the coverage of the CCM in relation to assurance requirements, what else do you need?
  • How much work is it to fill in the CAIQ?
  • How do you experience value in CCM/STAR/CAIQ?

Currently we have started to work with a number of IaaS providers who are interested in exploring better assurance. If you are interested you could still be part of this initial group. Just contact us.

5 organizations that got value from using cloud computing

Just to let you know that I created a brief note about 5 organisations that got value from using cloud computing.

It is brief, but explains the main business reason and how they did it.

Examples include profit and nonprofit businesses, public cloud and private cloud.

You can get immediate access to it by filling in your e-mail address in the box on the right.