"You've made a choice to be involved in a certain ecosystem," notes Michael Crandell, CEO of RightScale, a cloud infrastructure provider. "There are APIs and platforms in the cloud world that create a walled garden. You get the benefits of that garden, but you're also restricted."
Then, there's fear itself
Technicalities aside, lock-in is also an emotional issue, says Rene Bonvanie, senior vice president at Serena Software, which provides a cloud-based application life-cycle management system and runs most of its own business on the cloud. He argues that data housed in traditional systems such as those of SAP, Oracle, or Microsoft is just as locked in as any cloud system, but people are more concerned because the systems are not on their own premises.
"The common misperception is that because data is within reach, it's somehow more accessible than when it's remote," he says. "But the reality is that it's like money: If it's in a vault, it doesn't matter whether the vault is. It's locked up, regardless."
Exacerbating this fear is the immaturity of the cloud market, Staten says, adding that IT leaders can't help but ask, "When the shake out comes, is this vendor going to make it?"
That's the case for Christopher Barron, CIO at CPS Energy. "We are very concerned about being locked into a specific vendor for a multiyear time period without knowing if they have the capability to serve us properly," he says.
For that reason, Barron is moving into cloud computing slowly, choosing certain business processes that fit into this architecture without having to commit the entire enterprise to the cloud.
"By taking it in pieces, we can experiment, tune and adjust while mitigating a large financial commitment risk," he says.
"Vendor viability is less of a concern if you're using it for a short-term project like a promotional service or an application you want to test," Staten says.
Staying out of the vault
Another way to approach the lock-in conundrum is to use Willis' rule of thumb: The higher you go in the cloud taxonomy, the higher the risk of lock-in.
With cloud storage, for instance, data is easily transportable because it's stored in Linux servers, he says, but with cloud software and platforms come nonstandard APIs, system calls and other proprietary technologies. (Lamia Youseff of the University of California at Santa Barbara offers an interesting look at the cloud computing landscape -- download PDF.)
A case in point is Microsoft's Azure Services Platform, which provides an operating system and a set of developer services to build cloud-based applications.
As Staten points out, with Azure, users write to a set of cloud services in a way that's different from writing to the same services deployed in their own environment. The calls to the SQL database, he explains, are different from the calls in Azure. To move to a different provider, users would have to understand how to translate those API calls into SQL Server calls, he says.