Software infrastructure service provider Loudcloud has been navigating economic and industry waters since its launch in 1999. Besides hosting or managed services, the company's Opsware technology automates the operations environment, and Loudcloud offers services ranging from code deployment to network monit

oring.

As a strategic Oracle customer serving on the company's Customer Advisory Board, Loudcloud offers Internet start-ups the Database Cloud™ Service, which provides customers with back-end data systems for powering high-traffic, dynamic sites. In this exclusive ZDNet Tech Update interview at Oracle OpenWorld, Marc Andreessen talks with Senior Editor Eileen Bermingham about transitioning from dot-com mania to a more security-aware, enterprise market.

Tech Update: Loudcloud launched during the boom times. How have you changed your strategy in the past two or three years to adjust to the current economic times?

Andreessen: We started right in the middle of the boom. We launched in September '99; the boom in our market really started in 1997. September '99 was right around that time period that had the fever pitch, and all the dot-coms. The only way a company thought about a strategy at that point was what would it take to be number one in the market. If you were willing to design your business so that you'd become the market share leader--regardless of cost or profitability--you'd receive a huge amount of funding. The other rule of thumb was, go sell to dot-coms. What Sun, Oracle, Cisco and everyone else were doing was sell to dot-coms, because dot-coms had a lot of money, would buy things really fast, they're not nearly as complex to deal with as large organizations.

In March 2000, the first crack in the Nasdaq appeared. At that point, we were about six months old and we'd launched our services, but we weren't yet running at scale. That had a couple consequences: One was that we had only signed about a dozen dot-coms…It was likely in the next year that the companies we'd signed in the past year wouldn't get more funding. So we said, "Let's not build out a huge dot com sales force, let's build out an enterprise one."

The other was that if we'd started our company two years earlier, we would've been able to raise probably a billion dollars of debt. The problem with raising huge debt, as we've seen with Exodus, is you end up going bankrupt.

Tech Update: How did you adjust your strategy to sell to enterprises?

Andreessen: There are some companies you'll go into and they're just not going to do anything outside. There are other companies--General Motors, for example--that are all outsourcing. Then there are a lot of companies that are open minded about it. These things tend to go in waves. So what you'll see in a lot of companies is that you'll have one CIO who'll come in and want to do everything in house. He'll last for about two years, and a new one will be hired. And he'll say the previous guy was a bozo and the people he hired to do everything in house aren't any good, so I'm going to outsource it all. So you have go into these organizations and navigate that.

We do run into customers who say they like what Loudcloud is. They say: "I want that, but I want it running inside my own data center." So we have a customer with which the master contract is done through Boeing, but the end customer is an agency of the government. We can't identify the agency by name, but it gives you an idea of what type of agency it is. They are running a major data center overhaul. They have to cut costs, but they know in the next five years they have to launch a lot of new applications, so they have to do more with less. We're taking our software and approach and transplanting it into their facility.

Tech Update: What about internal security with a project like that?

Andreessen: A bunch of our employees are cleared now, and others are getting cleared now, including me. You can't have anyone who's not a U.S. citizen working on the project; the clearance process is very involved--background checks and fingerprints and polygraph tests. There are particular regulations around the environments in which the development of the deployment is happening--who's allowed in this room and that type of physical security. And then they just spend a lot of time watching it.

Tech Update: You've recently announced new managed security services. What are some of the services you're offering with respect to disaster recovery?

Andreessen: We have a bunch of stuff we're doing on disaster recovery. We were originally giving customers a staging and a deployment environment. The staging one was a skinnied-down environment where they could stress test new code pushes, for example. It could be a three-tier architecture and a big database and storage system and it could run the application, but it wasn't scaled. It was one system at each tier, whereas the production environment would be multiple application and Web servers, multiple databases. In the past, we'd had the staging and deployment environments in the same data center.

What we've done now, for an incremental fee, is we'll separate the staging and deployment environments and put them in separate data centers in separate locations. So you could have your staging environment on the west coast, and your deployment environment on the east coast. So if there's an outage on the east coast, you could bring your application back up in production mode in your staging environment on the west coast. Now it wouldn't be able to handle the same level of capacity as your deployment environment, but it would be up and running.

Another thing we can do in the Loudcloud environment is recover your site in the event of disaster. It'll take days, because we'll have to go get new hardware and set up somewhere else. The good news is we'll have a copy of your entire environment in our database so we can transfer it over and install that. What we said was that if you want more disaster recovery than that, you have to be willing to pay an extra 60 or 70 percent on top of the base cost of the service because we have to set up a duplicate set of the hardware. So most people would say, "I want disaster recovery, but is it worth 60 or 70 percent? No." Since September 11, they're coming back to us and saying, "Well, I'm much more interested in that, but I wish there was something you could do that only cost 30 percent more."

Tech Update: Have you had a lot of interest in your security services so far?

Andreessen: Since September 11, there's been a lot of interest from the customers and the prospects. A lot of people are taking a step back and saying, "What am I really set up for?" Security in these environments has gotten much more complex to insure than it was two, three, four years ago. Four or five years ago, most security attacks were boot viruses still, DOS viruses. These days, they're all Internet-based attacks being generated by tens of thousands of high school kids all over the world, with automated scripts and tools. The denial of service attacks are a lot more sophisticated. The new generation of worms like Code Red are very sophisticated and contagious. And in general, the number of hacker attacks that people have seen are expanding over time.

Tech Update: Loudcloud guarantees 100 percent uptime. How do you guarantee something like that? What goes up usually comes down.

Andreessen: The reason we call it 100 percent uptime is the same reason FedEx ran their advertising campaign: "Absolutely, positively overnight." Of course, with FedEx there are thousands of packages every night that don't actually make it. But what it does is it forces the issue. So it sets the bar. The expectation we're going to set, and what we're going to try to live up to, is we're going to do everything possible to make it 100 percent. What we're going to do is give cash back to customers any time we fall short of that. So we budget for a margin of cash givebacks to our customers, because you can't hit 100 percent…It's basically a philosophy of continuous improvement.

We spend a lot of time building quality environments; we run a lab where we'll test new releases of Oracle, Solaris, Cisco switches, and BEA application servers all running in combination. Once we get into the customer environment, we spend a lot of time building it out so they're redundant. We build an environment that has no single point of failure anywhere on the system.

Security's been a core part of the offering for a while, but security and disaster recovery have been similar in the sense that people are always hypothetically interested in them; the question is whether they want to spend the money on them. What's different since September 11 is the answer is, yes, they would actually like to spend the money.