Security. Heroku publicly lists its security compliance, noting mainly that it sits on Amazon Web Services infrastructure and Amazon is compliant with ISO 27001, SOC 1/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley (SOX). PCI compliance is provided by offloading credit card processing to a compliant third-party service.
Who's using it? Heroku said that it sees adoption from small startups through the largest enterprise customers in the world. It lists a good number of reference accounts, including social and Facebook apps, digital media sites, corporate marketing sites, city government sites, and more. In addition to those listed on the website, the company pointed to "exciting adoption" by Macy's, which is building Java apps on Heroku.
How did it do? Heroku was easier to work with than OpenShift but harder than CloudBees or Cloud Foundry. The documentation was fairly straightforward. In addition to uploading your WAR file, you have to log into your account and set up your database, then return to Eclipse to complete the process. This swapping between the Web GUI and Eclipse makes Heroku a less attractive option than Cloud Foundry. Heroku lacks the polish of some of the other offerings despite its maturity.
Conclusions. Heroku is a "safe" choice because it's well established, with a growing marketplace of add-on services. It isn't the easiest or hardest to work with. For a Ruby app, it might be our first choice. Our initial test was less positive, but after Heroku released improvements to the Java platform on Sept. 19, deploying Granny proved much more seamless. Heroku wouldn't be our first choice for a legacy application, but it's not bad at all.
Microsoft Windows Azure
Windows Azure is Microsoft's take on Amazon Web Services, encompassing both IaaS and PaaS offerings. In addition to .Net language support, there are SDKs for Java, Python, PHP, and Node.js.
Differentiators. First off, this is Microsoft -- your .Net apps can come here too. Further, Microsoft points out that Azure supports almost any developer language that's popular today, and more are being added. Unlike most competitors, which are AWS underneath, Azure runs on Microsoft's own cloud. Additionally, Azure is available for production today with publicly available pricing.
We don't consider Azure to be a true PaaS because the Azure tools actually deployed our entire Tomcat instance. On one hand, this is one way of answering the lock-in question. On the other hand, the whole idea behind choosing a PaaS is to be freed from having to manage your own application server.
Lock-in. According to Microsoft, making use of a PaaS solution means writing to a set of runtime libraries designed for that specific PaaS. This has excellent effects on scale, agility to write, and performance but requires custom work to move to another PaaS. The company notes that data migration is a simpler proposition because there are many ETL patterns supported by Windows Azure and other PaaS platforms.
Sign up for Computerworld eNewsletters.