A Forrester Consulting Thought Leadership Paper Commissioned By Microsoft

Enabling The Secure And Rapid Adoption Of Cloud Services

October 2013


Table Of Contents

Executive Summary ................................................................................................................................................................................. 2

IT Pros Turn To Cloud Services To Help Reduce Costs While Increasing Value ...................................................................... 3

Cloud Adoption Requires Architectural And Process Changes ..................................................................................................... 6

IT Pros Take A Multilayered Approach To Data Protection ........................................................................................................ 11

Key Recommendations ......................................................................................................................................................................... 14

Appendix A: Methodology................................................................................................................................................................... 15

Appendix B: Demographics/Data ....................................................................................................................................................... 15

Appendix C: Endnotes .......................................................................................................................................................................... 16

© 2013, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester®, Technographics®, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com. [1-M572U3]

About Forrester Consulting

Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester’s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit www.forrester.com/consulting.


Executive Summary

On behalf of Microsoft, Forrester Consulting conducted research to explore the current and future state of security in cloud environments among North American and European enterprises. In this study, we found that cloud adoption is accelerating at a rapid clip because the benefits (flexible cost models, rapid implementation, high availability, and performance) outweigh many security concerns regarding the cloud provider’s ability to respond to significant service disruptions, protect sensitive data, and support regulatory compliance. Given the rapid adoption, IT pros, particularly those in security, must focus not on inhibiting or preventing adoption (because it’s futile) but on how they can support this adoption by ensuring the right controls are in place and mitigating risks to a level that is acceptable to the business. To do this, IT pros must assess the security and risk posture of potential cloud providers for the ability not only to provide network and data protections such as encryption but also to demonstrate process maturity in disaster recovery preparedness and response, identity and access management, and incident management and forensics.

Key Findings

More specifically, in this custom study, we found that:

• Flexible models, scalability, and lower overall costs continue to drive cloud adoption. When asked to rank the top three cloud drivers, 44% of IT pros selected flexible cost models, 40% selected scalability (specifically the ability to scale up and scale down services as needed), and 36% selected lower overall costs.

• Forty percent have moved email to the cloud, and more workloads will follow. Another 22% of IT pros plan to move email to the cloud during the next 12 months, at which point a majority of organizations will use a cloud provider for email. But it’s not just email. In healthy numbers, IT pros also plan to move storage, document management, portals, and office productivity tools to the cloud.

• When evaluating cloud providers, IT pros focus on network security, data protection, and continuity. IT pros consider network security controls such as firewalls and intrusion detection systems to be of high or critical importance (85% and 77%, respectively). They also consider data security and protection technology such as data leak prevention and encryption of data in transit to be of high or critical importance (85% and 80%, respectively). Disaster recovery or IT continuity was also important: 79% said it was a high or critical consideration. When asked about process considerations, business continuity and disaster recovery (BCDR) and data protection once again topped the list, but identity and access management appeared in the top three.

• IT pros expect some architectural and process changes in security as the result of cloud adoption. More than one-third of IT pros expect to see many differences in how they approach security management and implementation. This is because when workloads move to the cloud, IT pros lose responsibility for the direct implementation and management of security controls, but the organization still holds them ultimately responsible for the security of the organization’s assets. This requires more focus on integrating on-premises and cloud-based security, more monitoring of service-level agreements (SLAs), and continuous assessment of the cloud provider’s security and risk posture.

• For granular data protection, IT pros expect to see secure databases and storage. More than 76% of IT pros indicated that secure databases and storage were of critical or high importance, followed by data leak prevention (DLP) technology at 72%.


• When it comes to compliance, IT pros look to a mix of security and industry-specific certifications. When evaluating cloud providers for compliance, IT pros identified compliance with ISO 27001, HIPAA, and SAS 70 (now SOC) as high or critical in importance. IT pros identified ISO 27001 as the top standard or regulation when evaluating cloud providers. While not industry-specific or even cloud-specific, ISO 27001 is a globally recognized security standard, and certification for it indicates a better-than-average maturity in security management.

IT Pros Turn To Cloud Services To Help Reduce Costs While Increasing Value

Core IT infrastructure and services are undergoing a massive transformation. Today, new server deployments are virtualized by default, and consolidation, standardization, and automation are helping IT pros optimize costs and deliver services that are more dependable. Even so, most IT organizations find themselves under continuous pressure to reduce costs even further and transform themselves to meet new business demands. For many, public cloud services are becoming smart alternatives to the on-premises deployment of IT services that can help achieve these goals. In fact, according to Forrester’s Forrsights Software Survey, Q4 2012, Forrester Research, Inc., 38% of enterprises have already adopted software-as-a-service (SaaS), 17% have adopted platform-as-a-service (PaaS), and 28% have adopted infrastructure-as-a-service (IaaS).1 How? It’s because cloud services:

• Provide more flexible cost models and reduced implementation time. Since most cloud service subscriptions can be treated as operational expenses and not capital expenditures, companies are able to move away from the old-style acquisition of boxed software media and licenses — allowing them to acquire solutions and applications when and where they need them and not when they can budget capital expenditures for them. This ensures ease of purchasing and provisioning of new software services.

• Allow IT pros to scale services up or down as business demands change. While buying more licenses has been relatively easy (except for version availability and incompatibility issues), legacy software licensing models did not allow for easy scaling down and reducing seats as needs change. The cloud resolved this: You can acquire as much computing and software power as you need. You can also use pay-as-you-go subscription models with cloud offerings.

• Have lower hardware, power, and licensing costs. Because you don’t need to have hardware on-premises to run cloud services, hardware acquisition, system administration, and power costs are significantly lower with cloud-based services.

• Require fewer IT resources for maintenance. Since much of the computing power is not on-premises and you don’t need to do version upgrades, patching, or maintenance of either the hardware, operating system, or business software, IT personnel costs will be significantly lower (our interviewees said that in some cases 80% or more).

• Improve availability and performance. Many organizations fail to realize that they actually cannot provide the same level of availability, business continuity, disaster recovery, and performance at the same price level as a cloud provider, which can leverage its scale and expertise to deliver higher availability with lower costs.

• Speed up deployment of new services and applications. With minutes instead of days/weeks to procure and provision servers, the pace of innovation has dramatically increased. Reduced time-to-develop and time-to-market means your IT can be much more agile in servicing the needs of the business units or developers. Cloud services also help organizations embrace and enable innovation and move faster than their competition. In fact, it is the speed and agility that IT hasn’t been able to provide that has resulted in what many call “shadow IT,” where business units are resorting to using credit cards to procure computing resources outside of the purview of IT.

Figure 1

Lower Cost And Higher Performance And Scalability Drive Cloud Adoption

Base: 200 US and European IT decision-makers from firms with 1,000 or more employees

(multiple responses accepted)

Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013

More And More Workloads Will Move To The Cloud

Which specific workloads are IT pros moving to the cloud? It turns out that IT pros have already moved email (40%) and essential office productivity tools (30%) workloads to the cloud. But more workloads are headed to the cloud; data storage (56%), customer portals (56%), and document management (56%) have the highest levels of planned implementation/expansion (see Figure 2). In Forrester’s own client interviews, we found that IT pros are moving these workloads to the cloud because:

• IT can’t keep up with data storage growth. As organizations have digitized most business processes, data storage requirements for both structured (databases) and unstructured (file shares storing high-resolution images, video, files, etc.) content have skyrocketed.2 This is further exacerbated by the need to back up and replicate data multiple times for operational and disaster recovery and to archive data, sometimes for years at a time, for regulatory compliance and legal discovery. In many cases, IT organizations have found that cloud storage, particularly for bulk storage requirements related to files, backups, and archives, is less expensive than on-premises storage deployments.

• Email requires high availability and performance. Many organizations classify email as a mission-critical application. When it’s down or performance is degraded, internal and external communication between employees, partners, and customers comes to a halt. Email requires significant storage as well as high levels of availability and performance, and outside of very large enterprises, this can often be difficult to achieve in-house. Security is also of the utmost importance. IT must not only stop spam and phishing campaigns but also ensure that employees do not send or accidentally leak sensitive data from the organization. Protecting data in emails using on-premises DLP solutions is costly and labor-intensive to configure (you have to be able to define sensitive and risky data using search patterns) — moving email DLP into the cloud also acts as a catalyst for moving email into the cloud.

• Customer/employee portals require state-of-the-art high-performance identity and access management. Creating and maintaining a single sign-on (SSO) and identity and access management (IAM) environment is not an easy task — even with good on-premises IAM solutions. Using a cloud-based solution for IAM services provides these services out of the box, along with better network security and distributed denial of service (DDoS) protection.

• Cloud-based document management allows for structured risk-aware management. Most organizations Forrester interviewed struggle with unstructured data protection and a mushrooming array of on-premises collaboration and enterprise content management systems, resulting in lax compliance and controls. Cloud-based document management systems 1) mandate that all documents are stored in the same place (at the cloud provider); 2) force better risk-tagging of data elements; and 3) reduce the use of unstructured data in general.

• Cloud-based office applications foster collaboration. Organizations tell us they are seeing the benefits of cloud-based productivity (word processing, spreadsheets, presentations, etc.) applications already because they enable secure document sharing and promote collaboration faster than on-premises solutions. Beyond collaboration, organizations also said that their desktop maintenance costs for business users have decreased 30% to 50% because of not having to administer and maintain desktop versions.

Figure 2

Data Storage, Email, Portals, And Document Management Are Moving Rapidly Into The Cloud

Base: 200 US and European IT decision-makers from firms with 1,000 or more employees

Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013

Note: Don’t know responses are not included


Cloud Adoption Requires Architectural And Process Changes

It’s one thing to decide that your organization is going to leverage cloud services; determining whether you can do so successfully and in a stable and secure fashion is a very different matter. This is measured by your organization’s familiarity with cloud computing technologies and services, your level of experience with them, as well as your degree of understanding about what makes them different and the implications that has for your organization. Given the rapid adoption of cloud services, it’s clear that IT pros, particularly those in the security organization, must focus on how they address security concerns and reduce overall risk — attempting to block or inhibit adoption is out of the question. When evaluating the security posture of service providers, IT pros were most concerned with the cloud provider’s ability to provide:

• Adequate network security and data protection controls. Similar to their own internal environments, IT pros want to know the cloud providers have basic network security controls in place such as firewalls and intrusion detection systems. And because the provider will store sensitive data, IT pros also must ensure that they or their provider can protect data in flight (typically through encryption). Once the data is there, the provider must have the means to protect it from IT failure, human errors, and other events (typically through backups, snapshots, and replication) and to prevent possible extrusions (from cybercriminals, malicious insiders, or unwitting insiders) with DLP technology (see Figure 3).

• Adequate processes for IT continuity, data protection, and internal identity and access management. Evaluating a provider’s technical controls is only half the battle. To ascertain their risk posture accurately, IT pros must also understand the maturity of the provider’s security operations and processes. IT pros seem most concerned about providers’ readiness for a major disruption that requires an invocation of their disaster recovery (DR) plan. Readiness is more than technology. It requires having documented plans that the provider tests on a regular basis. The same is true for data protection; it’s more than just applying encryption and deploying DLP. Providers need to understand the patchwork of global data privacy regulations and their implications on where they can store and transmit data. Moreover, since so-called “trusted insiders” are responsible for a large percentage of breaches, understanding how the provider restricts and strictly enforces access control for its own employees is one of the most important considerations in data protection (see Figure 4). Finally, when breaches and other incidents occur, it’s important that the provider has robust incident response plans in place to properly stop, investigate, and communicate the breach. You can transfer responsibility for data protection to a third party, but you can’t transfer liability.


Figure 3

IT Pros Seek Robust Data Protection, Network Security, BCDR, And IAM Tools And Technologies

Base: 200 US and European IT decision-makers from firms with 1,000 or more employees

Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013

Note: Don’t know responses are not included


Figure 4

Cloud Providers Must Have BCDR, Data Protection, PIM, And Physical Security Processes Firmed Up

Base: 200 US and European IT decision-makers from firms with 1,000 or more employees

Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013

IT Pros Must Focus Security Technology On Integration, Visibility, And Access Control

With on-premises IT services and apps, IT pros have almost total control of security: They can set firewall rules, set up access policies for their apps, manage encryption keys, and set up patterns in DLP solutions. When workloads move to the cloud, you lose responsibility for the direct implementation and management of security controls, but you still have responsibility to protect your organization’s most sensitive assets — regardless of location or hosting model. Cloud security is all about 1) ensuring adequate security controls at your cloud provider, and 2) integrating your on-premises security tools and processes with those of the cloud provider — because not all workloads will move to the cloud. What are the biggest differences in the security of on-premises versus cloud apps? According to our custom study and interactions with Forrester clients, it’s the fact that IT pros must:

• Rely on the DR technology and approaches of the cloud provider. According to our study, 39% of IT pros see many or complete differences in BCDR between on-premises and cloud apps and services. By deploying applications in the cloud, IT pros become reliant on the high availability and disaster recovery (DR) capabilities of their cloud providers. In some cases, the cloud providers can offer much higher levels of availability than IT pros could achieve on-premises. However, IT pros don’t take the provider’s capabilities for granted; they require visibility into the way the cloud provider designs, implements, and manages these capabilities. They want to know, for example, that the provider has the ability to continue processing in the event of localized failures (e.g., hardware or software failure, human error, data corruption) as well as data-center-wide failures (e.g., extreme weather, power failures). In addition to providing these foundational services, IT pros want backup and recovery mechanisms that support their own DR processes and expose services that support the development of their own highly available applications.

• Integrate IAM for cloud services with on-premises identity systems. Increasingly, IT pros leverage cloud services to expose data and applications not only to employees but also to members of their extended enterprise (e.g., business partners, contractors, and customers). Managing identities and access controls across this diverse set of user groups requires the same robust identity management systems IT pros currently have on-premises, along with the necessary security capabilities, such as role-based access control (RBAC) and multifactor authentication. In addition to rich IAM capabilities in the cloud, integration with existing on-premises identity systems was critical for most of the IT pros we interviewed — organizations want to extend their existing identity systems to the cloud rather than bolting together disparate identity frameworks. While federation can help bridge that gap, systems that offer a more integrated hybrid approach are often preferable.

• Demand transparency in physical security. Cloud providers often implement advanced physical security features (like video surveillance), which are too expensive for the average enterprise but can provide a much higher level of security. However, not all cloud providers provision their own data centers; many lease floor space from colocation providers that support other customers in their data centers. It’s therefore critical to understand the physical security measures of the data center in which providers will store your sensitive data.

• Insist on storage and workload isolation. For a cloud provider serving multitudes of customers, storage and workload isolation is a must. Organizations we interviewed said that while they are comfortable sharing lower-level hardware and software environments at the cloud provider (e.g., development and integration environments) with other clients, they definitely demand robust access control and isolation in higher-level environments (e.g., staging, QA) and definitely in the production environment. The tools that enable logical isolation are encryption, virtualized operating systems, firewalls, and network compartmentalization.

• Require network visibility into, analysis of, and logs from cloud intrusion detection and prevention (IDS/IPS) and security incident and event monitoring (SIEM) systems. Forrester’s interviews reveal that clients expect IDS/IPS to be bundled into the cloud provider’s environment. Most said that they are satisfied with the commoditized IDS/IPS solutions of the cloud provider as long as the provider can demonstrate reporting and auditing capabilities and meets applicable compliance standards (e.g., FedRAMP). IT pros have gone to great lengths to deploy, integrate, and fine-tune SIEM platforms. Many clients feel that they lose this situational awareness in the cloud, but they expect that cloud providers will readily provide integration with their clients’ on-premises SIEM solutions to regain it.

• Stipulate the use of robust privileged identity management tools and processes. Privileged identity management (PIM) in the cloud is something that concerns IT pros. When it comes to your own environment, you obviously know your system administrators well, but in the cloud, you know nothing about the administrators managing the environment. IT pros increasingly demand to understand the provider’s process for background checks, and they want greater insight into the process of granting and using administrative rights to the provider’s hardware and virtualization infrastructure. Many Forrester clients tell us that they want their cloud provider to use a PIM tool (password-safe privileged session management and recording tool, privilege delegation tool, etc.) for the cloud environment and also have strong process controls for privileged access to systems.


Figure 5

More Than One-Third Expect A Substantial, If Not A Complete, Overhaul Of Security In The Cloud

Base: 200 US and European IT decision-makers from firms with 1,000 or more employees

Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013

Note: Don’t know responses are not included

IT Pros Must Focus Processes On Mitigating Risk

In ongoing discussions with Forrester clients, it’s clear that the security technology of the cloud provider is not everything. IT pros not only want to see documented procedural safeguards in the cloud environment but also demand measurable SLAs for availability. When asked about the expected differences in nontechnical processes, IT pros expected to see differences in all essential processes from BCDR to risk assessments and change management. Once again, DR tops the list. Collaboration of the client teams with the cloud provider teams in BCDR processes that pertain to the IaaS infrastructure and the client’s assets, physical security, risk assessment, data protection processes, and change management are the most important (see Figure 6).


Figure 6

Security Processes Are Significantly Different In The Cloud

Base: 200 US and European IT decision-makers from firms with 1,000 or more employees

Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013

Note: Don’t know responses are not included

IT Pros Take A Multilayered Approach To Data Protection

Many of the workloads that IT pros have or plan to move to the cloud contain massive amounts of sensitive data (intellectual property, nonpublic financial information, etc.) and personally identifiable information (PII) such as employee or customer addresses that IT pros need to protect regardless of location or hosting model. In addition to protecting sensitive data from cybercriminals, fraudsters, and state-sponsored agents, IT pros must ensure that the organization does not violate compliance or privacy laws (e.g., HIPAA in the US or the EU Data Protection Directive) that dictate how the organization can collect, store, use, and transfer PII. In this custom study, we found that IT pros require a multifaceted approach to protecting their data, including the:

• Security of databases and storage. One can consider the database the most important layer in the IT stack — it’s often where you store your organization’s most sensitive data and certainly most of the PII. According to our custom study, 76% of IT pros indicated that secure databases/storage were of critical or high importance. Protecting databases requires multiple technologies, some provided by the database vendors themselves and some provided by security vendors, but they generally include database monitoring, encryption (the ability to encrypt at a granular level such as a cell, row, or table), data masking (obscuring sensitive data), and database-specific DLP tools.

• Demonstration of DLP. Seventy-two percent of IT pros cited DLP as a high or critical priority. Forrester clients often tell us that they look at DLP from two different angles: 1) protection of PII data types (which luckily are often easy to identify, such as social security or credit card numbers), and 2) protection of organization-specific sensitive data (e.g., intellectual property, classified information).

• Segregation and isolation of data. Keeping (sensitive) data apart from other companies’ data is critical: Companies definitely would not like to find their potential competitors looking at their cloud-stored data. Proper network segregation and compartmentalization and applying least-privilege principles to all IaaS personnel will ensure data segregation and isolation. Ninety-four percent of respondents thought that data segregation was at least of medium importance.

• Destruction or deletion of data. If you opt to discontinue services with your cloud provider or if you are using a public cloud service for the storage of archival data that has an expired retention period, it’s very important to have assurances that the provider can certify the destruction of the data. Otherwise, the data is still possibly vulnerable to cybercriminals, legal discovery, or compliance audit. In this custom study, 66% of IT pros said that data destruction was of high or critical importance.

• Support for encryption. According to the custom study, about 66% of IT pros said that encryption (applied at various levels) was of high or critical importance. Many organizations also mentioned that they want to have data encryption to protect data ingestion and transfer. Most organizations use SSL on the web layer but find that the application layer is trickier, as many applications do not easily support SSL or deal well with encrypted data. Organizations working with less-sensitive data find that cloud providers can run key management processes. For more-sensitive data protection, clients said that they use managed PKI services. Emerging technologies in this space include homomorphic encryption and efficient and fast searching of encrypted data without decryption.
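Two points raised in the bullets above, encryption at the granularity of a cell and the question of who runs key management, meet in the envelope-encryption pattern: each table gets its own data key, cells are encrypted under it with authenticated encryption, and the data key is persisted only in wrapped form under a master key the tenant holds. The Go program below is an added example, not code from the paper or from any cloud provider's key management service; the `NewDataKey`, `EncryptCell` and related names and the sample table, column and row identifiers are constructed for illustration. The table/column/row location is bound to each ciphertext as associated data, so a ciphertext copied into another cell fails to decrypt rather than silently yielding someone else's value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// WrappedKey is what the provider stores beside the table: the table's data
// key sealed under the tenant's master key. Without the master key it is opaque.
type WrappedKey struct {
	Nonce, Ciphertext []byte
}

// EncryptedCell is the stored form of one sensitive cell.
type EncryptedCell struct {
	Nonce, Ciphertext []byte
}

// keyWrapAAD labels wrapped keys so a wrapped key can never be passed off as a cell.
const keyWrapAAD = "table-data-key"

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := rand.Read(b)
	return b, err
}

// sealWith encrypts under AES-256-GCM with a fresh nonce, binding aad to the ciphertext.
func sealWith(key, plaintext, aad []byte) ([]byte, []byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce, err := randomBytes(aead.NonceSize())
	if err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// openSealed decrypts and verifies; any change to ciphertext or aad is an error.
func openSealed(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// NewDataKey makes a fresh 256-bit data key for a table and returns it with its
// wrapped form. Only the wrapped form is persisted; the plaintext key stays in memory.
func NewDataKey(masterKey []byte) ([]byte, WrappedKey, error) {
	dek, err := randomBytes(32)
	if err != nil {
		return nil, WrappedKey{}, err
	}
	nonce, ct, err := sealWith(masterKey, dek, []byte(keyWrapAAD))
	if err != nil {
		return nil, WrappedKey{}, err
	}
	return dek, WrappedKey{nonce, ct}, nil
}

// UnwrapDataKey is the one step that needs the tenant's master key, so whoever
// holds that key decides whether the provider can read the table at all.
func UnwrapDataKey(masterKey []byte, w WrappedKey) ([]byte, error) {
	return openSealed(masterKey, w.Nonce, w.Ciphertext, []byte(keyWrapAAD))
}

// cellAAD binds a ciphertext to its table, column and row.
func cellAAD(table, column, rowID string) []byte {
	return []byte(table + "/" + column + "/" + rowID)
}

func EncryptCell(dek []byte, table, column, rowID string, plaintext []byte) (EncryptedCell, error) {
	nonce, ct, err := sealWith(dek, plaintext, cellAAD(table, column, rowID))
	return EncryptedCell{nonce, ct}, err
}

func DecryptCell(dek []byte, table, column, rowID string, c EncryptedCell) ([]byte, error) {
	return openSealed(dek, c.Nonce, c.Ciphertext, cellAAD(table, column, rowID))
}

func main() {
	master, _ := randomBytes(32) // tenant-held master key, generated here only for the demo
	dek, wrapped, err := NewDataKey(master)
	if err != nil {
		panic(err)
	}
	// Constructed sample: one SSN cell in a hypothetical "customers" table.
	cell, _ := EncryptCell(dek, "customers", "ssn", "row-42", []byte("123-45-6789"))
	dek2, _ := UnwrapDataKey(master, wrapped)
	pt, _ := DecryptCell(dek2, "customers", "ssn", "row-42", cell)
	fmt.Printf("ciphertext %x\nrecovered  %s\n", cell.Ciphertext, pt)
	_, err = DecryptCell(dek2, "customers", "ssn", "row-43", cell)
	fmt.Println("same ciphertext presented as row-43:", err)
}
```

Keeping the master key on-premises or in a managed PKI/HSM service while the provider stores only wrapped keys is how the "control our own keys" preference expressed in the survey is realised: the provider can run storage, replication and backup over the ciphertext and wrapped keys without ever being able to unwrap them, and rotating or destroying the master key renders every wrapped data key, and therefore every cell, unrecoverable.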

Figure 7

Cloud Providers Must Protect Clients’ Data Using Secure Database, DLP, Data Segregation, Secure Key Management, And Encryption

Base: 200 US and European IT decision-makers from firms with 1,000 or more employees

Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013

Note: Don’t know responses are not included


IT Pros Want Cloud Providers To Certify With Security And Industry Standards

Even those organizations that are not subject to strict regulatory controls often use widely recognized regulations and industry standards as a guideline for expected best practices. While Forrester has witnessed standards such as the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) and Service Organization Controls (SOC) 1 and SOC 2 become the international standard for assessing the security of cloud providers, ISO 27001 is still incredibly important. In fact, 40% of IT pros say it’s of high or critical importance in their evaluation (see Figure 8). For many, ISO 27001 is an essential barometer of core security management maturity. Cloud providers are required to comply with SOC 1, SOC 2, SOX, and PCI primarily for financial services, HIPAA for healthcare, and FISMA/FedRAMP for US government agencies and affiliates (contractors and organizations that are part of the defense industrial base).

Figure 8

Cloud Providers Need To Comply With ISO 27001, SAS 70, HIPAA, SOX, And PCI Regulations

Base: 200 US and European IT decision-makers from firms with 1,000 or more employees

Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013


KEY RECOMMENDATIONS

Supporting the inevitable transition to the cloud requires an understanding of the differences in managing security and risk. Forrester recommends that firms look for cloud providers that can reliably and repeatedly demonstrate scalable, documented, and followed-through processes and use of leading-edge tools in:

1. Multilayered data protection at rest and in transit. Mature data protection requires encryption of data at the storage layer, using DLP tools on servers and in email, as well as non-repudiable key management processes. While many companies value control and management of their own encryption keys, others require that the cloud provider be able to optionally provide key management and information rights capabilities that work well with the organization’s workloads and also allow a third-party data protection company to plug into the cloud environment (to “watch the watchers”).

2. BCDR. Our survey respondents and interviewees unanimously said that they look to ensure that their cloud provider can at least guarantee 99.9% SLAs as well as allow them to participate in BCDR exercises. Organizations also need documentation, repeatability, visibility, and transparency of IaaS provider BCDR processes as well as integration of the cloud provider’s relevant BCDR process with their on-premises BCDR processes.

3. Robust business and privileged IAM capabilities. Leading firms mandate that their cloud provider use PIM tools for administrative password checkout and session monitoring and recording. Business user security repositories should ideally be stored at the clients’ site and resources should act as a federated (SAML 2.0 or OAuth) relying party. The cloud provider should also provide turn-key solutions for SSO and multifactor authentication for sensitive applications and sensitive or PII data access.

4. Network security and intrusion detection and prevention integration. Interviewees mentioned that at the tools and process levels, they need to ensure that their cloud provider is able to match and exceed their own security requirements. Identity- and resource-aware firewalls are recommended. Identity-aware firewall and virtual networking capabilities are a must, and cloud providers also need to provide robust IDS/IPS functionality to help with prevention and forensic support of any suspicious activity.

5. Portable transparency and trust. When evaluating cloud providers, make sure that their compliance promises are real, and ask to see evidence when it comes to ISO 27001, SOC 1, and SOC 2, plus industry-specific compliance. Be sure to ask for compliance with FedRAMP, as that standard is the most cloud-savvy today when it comes to security. Build a framework that will allow your organization to pass on your cloud providers’ certifications to both your upstream and downstream partners and suppliers so that you can avoid being the weakest link in the security compliance chain.


Appendix A: Methodology

In this study, Forrester conducted an online survey of 200 North American and European IT security decision-makers from firms with 1,000 or more employees to understand the current and future state of security in cloud environments. Survey participants included IT security professionals and leaders with decision-making responsibilities for their organization’s cloud security. This study was conducted in July 2013.

Appendix B: Demographics/Data

Figure 9

Regional and Industry Breakdown of Respondents

Base: 200 US and European IT decision-makers from firms with 1,000 or more employees

(percentages do not total 100 because of rounding)

Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013


Figure 10

Responsibility For Their Organization’s Cloud Strategy, Management, And Implementation

Base: 200 US and European IT decision-makers from firms with 1,000 or more employees

(percentages do not total 100 because of rounding)

Source: A commissioned study conducted by Forrester Consulting on behalf of Microsoft, July 2013
