Cloud Computing in BusinessCloud computing providers offer their services through different models. The first model is Software as a Service (SaaS). SaaS provides the consumer with the capability to use the cloud provider's software applications running on a cloud infrastructure. The applications are accessible from various devices through a thin interface such as a web browser (for example, web-based email). The consumer does not manage or control the underlying cloud infrastructure, which includes the network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited, user-specific application configuration settings. Examples of SaaS are Salesforce.com and its customer-relationship management application; Microsoft's Business Productivity Online Suite, soon to be revised as Office 365; and Google Apps for email and document collaboration. The code that runs the application is managed by the cloud provider, and the customer simply signs up as a user. The second service model is Platform as a Service (PaaS). PaaS provides the consumer with the capability to deploy, onto the cloud infrastructure, consumer-created or -acquired software applications created using programming languages and tools supported by the cloud provider. The consumer does not manage or control the underlying cloud infrastructure, including the network, servers, operating systems, or storage, but the consumer has control over the deployed applications and, possibly, application-hosting environment configurations. Google's App Engine is an example of PaaS. The consumer writes the application in Java or Python and uploads it. The consumer's application can make use of services such as a transactional data store, task queue, user management, email, and caching, and the consumer relies on Google to provide these services. The third service model is Infrastructure as a Service (IaaS). IaaS allows the consumer to access provision processing, storage, networks, and other fundamental computing resources and to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, and deployed applications--and, possibly, limited control over select networking components (such as host firewalls). Amazon dominates the IaaS market with its Elastic Compute Cloud (EC2). SaaS, PaaS, and IaaS are deployed, in turn, through different models. One deployment model is a private cloud. A private cloud is operated solely for an organization. The organization or a third party may manage it, and it may exist on or off the organization's premises. Another deployment model is a community cloud. A community cloud is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or by a third party and may exist on premise or off premise. A third deployment model is a public cloud. A public cloud is made available to the general public or a large industry group and is owned by an organization selling cloud services. Finally, there is a hybrid cloud. A hybrid cloud comprises two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability.
Open-Source SoftwareThe Free Software Foundation (FSF) is a nonprofit organization with a mission to promote computer user freedom. The FSF identifies four essential characteristics of "free software":
There are different kinds of free software, but the distinctions among the categories are minimal. The one category of free software that most concerns software developers is "copyleft software." Copyleft software's distribution terms ensure that all copies of all versions carry the same distribution terms. For example, copyleft licenses generally do not allow others to add requirements to the software (though a limited set of safe added requirements can be allowed), and they generally require making source code available. This shields the program and its modified versions from some of the common ways of making a program proprietary. The FSF publishes the GNU General Public License (GPL), which is the most popular copyleft software license. Other important licenses published by the FSF include the GNU Lesser General Public License (LGPL), GNU Affero General Public License (AGPL), and GNU Free Document License (FDL). The Intersection Between Cloud Computing and Open-Source Software Generally, open-source software will have less of an impact on end users of SaaS and IaaS than on end users of PaaS. End users of SaaS only have access to the application; they do not receive a copy of the software in either object code or source code. Accordingly, there is no opportunity to create a derivative work. And the ability to create a derivative work is key to whether proprietary software is exposed to the distribution terms of a copyleft license. End users of IaaS, like end users of SaaS, generally control the operating system and applications. As a result, open-source software has little impact on end users of IaaS. However, end users of PaaS do not control the platform used to deploy a proprietary application. If the platform is subject to a copyleft license, how the application and platform interact with each other could put the proprietary nature of the application in jeopardy because there is the potential to create a derivative work. In most cases, an operating system is not a behemoth but consists of many small system programs governed by the core, or kernel, of the operating system. An operating system manages computer hardware resources and provides common services for the execution of various applications. The operating system provides a layer of abstraction between the application and the hardware. In other words, applications interact with the hardware through the operating system. The FSF developed the GNU operating system, which is based entirely on free software. The kernel in the GNU operating system is called the GNU Hurd. However, after more than 25 years of development, the Hurd has not achieved production quality. Steven J. Vaughan-Nichols, Opinion: The Top 10 Operating System Stinkers, Computerworld, Apr. 9, 2009. The first version of the Linux kernel ported GNU code, including the GNU C Compiler, to run on Linux. Later, when the GNU developers learned of Linux, they adapted other parts of GNU to run on the Linux kernel. This work filled in the remaining gaps to running a completely free operating system. Modern free and open-source software systems are composed of software by many different authors, including the Linux kernel developers, the GNU Project, and other developers, such as those behind the X Window System. Desktop and server-based distributions use GNU components such as the GNU C Library (glibc), GNU Core Utilities (Coreutils), and bash. In an analysis of the source code for packages comprising Red Hat Linux 7.1, a typical Linux distribution, the total size of the packages from the GNU Project was found to be much larger than the Linux kernel. David A. Wheeler, More Than a Gigabuck: Estimating GNU/Linux's Size, David A. Wheeler's Personal Home Page, July 29, 2002. Determining exactly what constitutes the "operating system" is a matter of continuing debate. GNU components are licensed under the GNU GPL. The GNU GPL permits an end user to have the free software on the condition that any derivative works the end user creates from it and distributes must be licensed to all others under the same license terms, although the actual language of the GNU GPL does not state the bargain so clearly. Nevertheless, the key elements that would subject proprietary software to the terms of the GNU GPL are the creation of a derivative work and distribution. Under copyright law, a derivative work is a work based on one or more preexisting works, whereas a mere collection of independent works is a "collective work" and not a derivative work. This distinction is important because it has a bearing on the reach of the GNU GPL and its applicability to individual, unmodified programs that merely link to each other and are collected into one program for convenience. To form an executable program, various software modules need to link together. A link may be static or dynamic. A static link occurs when some or all of the functionality from an object code module forms part of the final executable program when the source code is compiled into object code. A dynamic link occurs when some or all of the functionality from an object code module does not form part of the final executable program but is linked to the executable program when the program is actually run. In other words, in a dynamic linking scenario, code from relevant libraries is loaded into the computer memory as needed. In general, static linking creates a derivative work, whereas dynamic linking may not under the GNU GPL. The GNU GPL appears to offer a special exceptionfor software that is normally distributed with the operating system on which the application runs; namely, the licensee of a platform need not include, as part of the distribution of its application source code, any source code of the operating system. However, this does not seem to be much of an exception because the licensor of the operating system, and not the licensee, is the only one who can elect to publish the source code. Moreover, this exception assumes that it is the application that contains the open-source software and not the operating system. In the case of PaaS, the consumer needs to be concerned with the source code comprising the operating system. By itself, the creation of a derivative work that is subject to the GNU GPL does not trigger the requirement that the source code for the whole program be released to the public. Rather, distribution of the derivative work triggers the obligation to release the source code for the whole program. The original GNU GPL did not account for distribution via a computer network, and providing access to the software through the web did not qualify as a traditional "distribution" of the derivative work. This situation was commonly referred to as the web distribution loophole. The FSF fixed the web distribution loophole by releasing the GNU Affero GPL, which defined distribution to include distribution through a network. Conclusion In the PaaS context, the end user needs to investigate whether the platform it is licensing contains any open-source software and which open-source software licenses govern the platform. If a copyleft license is applicable to the platform, then the end user needs to consider how it will link its proprietary application to the operating system. Although most applications dynamically link to the operating system, some developers may want the simplicity of static linking. If so, the developer needs to understand the potential issues with creating an executable with a static link to the operating system. However, the issue for cloud-computing consumers will be the ability to get this level of detail from a cloud-computing provider, and even more challenging will be getting any representations in an agreement concerning the use of open-source software. Unless the amount of money involved is significant, most cloud-computing providers are unwilling to negotiate their contract terms with an end user. Regardless, if a cloud-computing consumer is to make an informed decision about whether to use a particular cloud-computing provider, it is important to understand the issues that may exist concerning open-source software. By Bradley J. Walz |