Vendor Lock-In: The Bogeyman in the Cloud

At every tech conference, in every piece of marketing collateral from a network-technology vendor, and all over the IT blogosphere are reprobations against vendor lock-in.

"I call it Kim Kardashian-esque," quipped Doug Nassaur, general manager and lead principal technical architect of technology design and architecture at AT&T Inc. (NYSE: T), when asked about vendor lock-in. "We hear about it every day but we don't know why."

Is vendor lock-in really so terrible? After all, the arguments against vendor lock-in are often self-serving --for example, coming from vendors that you haven't (yet) engaged.

In a recent Upskill University lecture, Heavy Reading Analyst Sterling Perrin stated that the largest telcos and network operators have been multivendor for more than 20 years primarily because it is too expensive and unappealing to upgrade decades' worth of legacy patchworks of complex multivendor systems.

"If you look at any of the US operators, they're a hodgepodge of different acquisitions over the decades; those are all different carriers that have come together with different systems," said Perrin. "So, yeah, if you could start from scratch and say I'm going to use these two vendors and build out my whole network with these two vendors only, sure, you could go with just having to interwork between the two, but the reality for any operator is they're a combination of many different parts."

The entanglement Perrin describes reflects, perversely, multivendor lock-in -- justified largely by logically fallacious appeals to tradition. It thus becomes difficult to cost-justify further entrenchment in such a complex "hodgepodge."

"I think complexity is really the number one factor here; that is the most dominant element. Security and simplification go hand in hand, and risk and complexity go hand in hand," said Chris Richter, senior vice president of global security services at Level 3 Communications Inc. (NYSE: LVLT), when asked about the competing interests of consolidated versus diversified vendor environments. "The more complex an environment is, the less secure it is, and the less streamlined and profitable the companies tend to be. If you add a lot of different products and a lot of different controls, it increases the noise level, the complexity and a lot of things suffer because of that."

Richter quickly noted, however, that single-vendor standardization presents an InfoSec tradeoff--because the vendor's vulnerabilities become the organization's vulnerabilities. The answer, therefore, could be to engage a few vendors, but a very few indeed.

"In any telco, they never have just one vendor of network equipment; they always choose two or three," said Darrell Jordan-Smith, vice president of worldwide information and Communications Technology at Red Hat Inc. (NYSE: RHT). "One, they don't want vendor lock-in. Two, they want vendor choice. Three, they do it for backup or resiliency; if there's a problem with one, they can move to the other."

Nonetheless, the extensive testing, resources and expertise necessary to properly maintain broadly multivendor environments can easily surpass the risks and liabilities of the alternative.

"I firmly believe that simplification is the most important factor," said Richter, "which may mean fewer vendors."

Indeed, simplification is but one reason that demand for vendor consolidation is growing.

"In the carrier world, the trend is to consolidate vendor relationships," said Arpit Joshipura, the Linux Foundation's general manager of networking and orchestration. "Globally, I think what they want to do is, from a procurement and a relationship perspective, make sure that the relationships they have are with people that are more strategic partners versus a whole set of industry-ecosystem types."

Still, there remain good reasons to expand vendor relationships, notably, when it comes to best-of-breed applications.

"Customers are looking for best-of-breed; that's one of the reasons why we've taken an approach of being cloud-agnostic," explained Adam Saenger, Level 3's vice president of global product developments and management, of his own company. "We provide connectivity to our facilities and to third-party datacenters because we know that our customers want choice in not only where they're going but also who they're accessing."

To this extent, Jeff Kaplan, managing director of cloud and digital-transformation consultancy THINKstrategies, calls out vendor lock-in for the red herring that it is.

"There is a growing view that multi-cloud strategies make more sense not only to prevent lock-in but to take advantage of best-of-breed cloud services to satisfy specific workload requirements, and, given today's APIs and other integration tools, utilizing cloud services from multiple providers is not as difficult as in the past," Kaplan said. "Either way, lock-in isn't the issue, technically. It is the time, effort, and cost of moving from one [vendor] to another that concerns organizations."

Accordingly, Richter advocates that enterprises institute and apply a risk-governance framework to assess these issues, and only then determine what works best for them.

"Those fundamentals have to be in place regardless of what technology is used," said Richter.

— Joe Stanganelli, Contributing Writer, Telco Transformation