cloud adoption in the eu - and analyst's perspective (revised)

1

Cloud adoption in Europe- an analyst's perspective

Mike Davis Principal AnalystJune 2013

© All images acknowledged © msmd advisors Ltd 2013

responsive, credible, flexible

2 © msmd advisors Ltd 2013

Running order The issues around Cloud are not new

The thirst for cloud solutions (to problems)

9 questions and myths that need to be burst

The things businesses haven't thought of

How does legislation impact Cloud adoption?

EU examples and initiatives

Which legislation?


The thirst for and benefits from cloud adoption

• Rapid adoption – learnt the lessons from web apps

• Rapid updates – without the pain of downtime

• Flex and scale – without “Yee cannot break the laws of physics Captain”

• Addressed more needs than originally envisaged

• Scales exponentially (within contract and budget)

• Allowed IT to focus on solutions rather than 'plumbing'

• Better uptime than in house

5

These are all Cloud companies by design

© msmd advisors Ltd 2013


9 questions/myths about Cloud for EU CIOs1. “I won't have control of my data”

2. “What if my provider get hacked?”

3. “How can I trust people I don't know to look after my data?”

4. “How can I be sure of my provider's privacy controls?”

5. “Can you guarantee it will be cheaper?”

6. “We can't use a generic platform, our business is unique, we need significant customisation of our software to address our business needs.”

7. “Why shouldn't I keep doing all our processing internally?” (It boosts my staff numbers, my salary and my profile)

8. “My regulator says I can't have personal data stored outside the country”

9. “All the Cloud service providers are American, thus they are subject to the Patriot Act and the US Government can size the data.”


Control


1. “I won't have control of my data”

– Yes you will, and as a corporate entity you still have responsibility for your data too, no matter where it is and who is processing/storing on your behalf. If you are concerned about the controls, look closer at the contracts and do better due diligence. Banks and retailers do not have qualms about security companies transporting their cash.


How secure is cloud?


2. “What if my provider gets hacked?”

– There was a recent exercise on social engineering hacking undertaken by so-called 'ethical hackers'. Of the 25 well known corporations they targeted, the majority were ‘captured’ within 15 minutes. The only successful defendant was Google. Unless you are the US government, you can't afford to invest in as much training and infrastructure as a provider. The real questions to ask are: 'How big is my security team?' 'How quickly can they respond to a threat?' More relevantly from a business perspective, 'How sensitive is the vast majority of information in my businesses systems?' I refer again to the canteen menu.


3. “How can I trust people I don't know to look after my data?”

– The question is 'Do you put the database management and backup responsibility in the hands of people who work for an organisation, whose only purpose is to deliver a trusted service? Or to your intern, who is at best paid the minimum wage (probably nothing at all), and when his/her partner says “can you come to the cinema now?” will choose the popcorn over the mandated procedure'.


4. “How can I be sure of my provider's privacy controls?”

– Because unless you are the intelligence service, they are better at it than you are. It's their focus and credibility. Like you they are subject to privacy laws, and should have the ISO 27001 and equivalent certification(s) (as should you).


What do you NEED to keep private?

Menus for the canteen

Contracts?

Payroll?

Operating manuals?

Sales figures?

Research findings?

Canteen menus?


Cloud is cheap!


5. “Can you guarantee it will be cheaper?”

– NO. It should be - because the providers have economies of scale in terms of hardware, networks, and expertise. The real business question is 'Can it give me a better service within my current budget envelope?'. It should do - because in most instances it is likely to be more efficient, robust, accessible, and secure than an on-premise service. However, just as with the IT Facilities Management contracts of the 1980/90s beware of the costs of changes to service/processes/volumes that the provider will charge. In addition moving to cloud services is not a 'fire and forget' issue. You need to have robust and regular monitoring of all areas of the service provided.


6. “We can't use a generic platform, our business is unique”

– If you move to a cloud service you can take all your idiosyncrasies with you, but don't expect the service to be cheaper, because your provider will have to incorporate and train their staff on all those 'tweaks'. 60% + of the western world uses Google as their internet search engine, less than 1% of those customise the interface because the 'vanilla' product gives them the majority of what they need. The pareto principle (80-20) applies in information management/IT just as much as it does in the rest of life.


7. “Why shouldn't I keep doing all our processing internally?”

– Look at the previous 6 answers. Your job security and progression really depends on addressing the business needs of your organisation. If you cannot provide the service the organisation requires, it will find someone who can.


The EU perspective – personal data


Data Protection Act 1998 - 8th principle

“Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data” .”


'No go' zones for cloud adoption?

X

X

X


8. “My regulator says I can’t have personal data stored outside the country”

– So? That becomes an explicit contractual requirement, a focus of due diligence and then on-going monitoring. No different technically than stating the cleaning contractor should wash the toilet floors twice a day. Chose a provider that can address that requirement, and remember the geographic restriction only applies to personal data or that specified by national security. You can store your canteen menus anywhere in the world.


EU examples and initiatives


Whose legislation is going to hold back cloud adoption?


9. “All the cloud service providers are subject the Patriot Act and the US government can seize the data”

– There are a lot of scare stories around the Act. Yes if your data is on US soil there is a risk it could be seized, if it poses a threat to US national security. But how many businesses will that apply to? More importantly there are many other providers of managed services or cloud provision in different geographies who are not subject to the Act. Look at the real issues of service delivery and expected outcomes, and as with all business decisions make pragmatic trade-offs of the risks and benefits.


Issues around cloud adoption

We use procurement models for kit. not services (talk to the facilities manager)

Bring your own (BYOx) can cause issues (though it shouldn't)

Solution vendors don't like cloud (unless its their own – vertical integration = margins)

Organisations need to keep/develop in house support (cloud is VANILLA)

3rd party add-ons not always available for cloud

Granular Security can present challenges

- apps designed for companies have a specific security mode

Federated security for hybrid not yet addressed

cloud adoption in the eu - and analyst's perspective (revised)

Technology

design msmd advisors

cloud service providers

cloud solutions

cloud companies

better service

cloud adoption rapid

onpremise service

trusted service