Enterprise Adoption of Public Cloud Services Is All About Pragmatic Tradeoffs
Publication Date: 01 Feb 2012 | Product code: IT007-000616
Steve Hodgkinson
SUMMARY
Catalyst
While enterprise use of public cloud services is now widespread and growing in Australia, perceptions
of risk have become somewhat overstated due to cautionary statements made by regulators and
security authorities. This report seeks to restore some balance to the discussion by sharing the
positive public cloud adoption experiences and lessons learned by 10 corporate and government
enterprises.
Ovum view
Public cloud computing is evolving to become an increasingly viable element of the enterprise ICT
mix. Organizations around the world, from small businesses through to large corporate and
government enterprises, now rely on the public cloud to support services ranging from niche ICT
applications to mission-critical operations.
Public cloud services bring two main benefits, both attributable to the “radical externalization” of ICT
capabilities beyond enterprise boundaries: into the cloud. First, the public cloud offers a more effective
and efficient way to source selected ICT-enabled business processes, applications, and infrastructure.
Second, it offers a new way to accelerate participation in the rapidly evolving social networking and
mobile solution ecosystems of the Internet age.
This radical externalization of ICT capabilities, however, involves new tradeoffs and a willingness to
"think outside your boxes". Traditional ICT approaches are focused on owning and controlling
resources, assets, and contracts for specified services. The public cloud enables the focus to shift to
accessing iteratively evolving services and participating in dynamic Internet ecosystems.
The tradeoffs between “owning and controlling” and “accessing and participating” require new
mindsets and skills. They offer exciting opportunities, but are uncomfortable for some because they
are new, and threatening to others because they challenge the status quo of ICT departments and
traditional ICT vendors alike. Those who see more risk than opportunity in public cloud services tend
to be skeptical, or even critical, of the new model.
This skepticism has been reinforced by cautionary statements made over the past year by regulators
and security authorities about the theoretical risks of offshore data storage in the public cloud model.
While not specifically recommending against the use of public cloud services, the statements have
served to heighten awareness of regulatory concerns regarding potential security and privacy risks,
particularly in the financial and government sectors.
The reality, however, is that use of public cloud services is widespread in corporate and government
enterprises in Australia. Perceptions of the risks of public cloud services have become overstated.
Detractors, some with vested interests in the status quo, are outspoken about the potential risks, while
proponents with hands-on experience are relatively silent about how public cloud services actually
feel in practice due to perceived compliance sensitivities.
To shed some light on the reality of public cloud services adoption we interviewed executives in 10
corporate and government enterprises with hands-on experience of using public cloud services.
Discussions were intentionally “off the record” to encourage open and frank discussion. The results
convey positive experiences. The executives we interviewed stated that the public cloud has added
value to their enterprise's ICT portfolio.
© 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited.
Public cloud services were typically not chosen to save costs. In most cases the service was selected
because it was better and faster, even though some changes to information-management practices
may have been required. One of the most strongly valued benefits was iterative functional evolution.
The cloud service addressed user frustrations with the slow cycle of innovation of past ICT solutions
as well as user expectations that modern Internet applications should be constantly evolving in terms
of their functionality and support for innovations such as social networking and mobility.
Concerns about data security and regulatory compliance are taken seriously, but are not viewed as
“showstoppers” as long as careful thought is given to the categories of data that will be stored in the
cloud and to identifying specific risk factors and contractual and process mitigations. Not all public
cloud services are equal in terms of their ability to meet enterprise reliability and security
requirements, so the biggest risk mitigation is the choice of a high-quality enterprise-grade cloud
services provider.
Data sovereignty issues create an undercurrent of “worry” about offshore data storage for some
executives, although this is acknowledged as a justifiable benefit/risk tradeoff as long as the risks are
judiciously managed. In the medium term, a key emerging differentiator for public cloud service
providers serious about the enterprise market will be the ability to provide robust encryption of data at
rest.
Key messages
There is widespread adoption of public cloud services in corporate and government
enterprises in Australia.
Concerns expressed by regulatory and security authorities regarding the risks of offshore data
storage do not preclude enterprise consideration of public cloud services.
Discussions with 10 enterprises that use public cloud services reveal that carefully considered
and appropriately governed use is viewed as a positive addition to the enterprise ICT
portfolio.
CLOUD COMPUTING DOWN UNDER
Public cloud services are relied upon by organizations large and small
Public cloud services are now relied upon by organizations around the world, from small businesses
through to large corporate and government enterprises. Virtually all types of applications are now
available as software-as-a-service (SaaS) offerings. Platform-as-a-service (PaaS) models are
available for a wide range of the leading application development environments. Virtually any type of
workload can now be run under a long or short-term infrastructure-as-a-service (IaaS) arrangement.
Initial perceptions that public cloud services were more appropriate for the consumer and small
business markets, or for niche applications only, are giving way to a broader acceptance of the
opportunities for the public cloud model to provide genuine alternatives to traditional enterprise ICT
approaches. Salesforce.com, for example, pioneered the provision of niche CRM SaaS offerings over
a decade ago, but has now evolved to provide a wide range of SaaS and PaaS services. Salesforce
now provides mission-critical applications for more than 100,000 organizations worldwide, including
some of the world’s largest enterprises. As the scope and maturity of public cloud services have
developed so has awareness of the benefits of the cloud model and understanding of how it can be
applied.
In recent years the PaaS functionality of the leading public cloud services vendors has evolved
significantly, and now offers one of the most compelling elements of the cloud model. PaaS offerings
now provide enterprises with access to increasingly integrated suites of SaaS apps and accelerated
participation in the rapidly evolving social networking and mobile solutions ecosystems of the Internet
age.
The success of the public cloud model is demonstrated by the fact that leading global ICT companies
such as IBM, Microsoft, Oracle, and SAP now provide public cloud services as alternatives to their
traditional modes of product and service delivery and licensing for the enterprise market.
Ovum estimates that public cloud services generated about $18.2bn in revenue in 2011, and forecasts
that this will grow by 30% per year to in excess of $65bn by 2016. The Asia-Pacific region is expected
to comprise the fastest growing market for public cloud services, with revenues forecasted to grow by
34% per year from $2.9bn in 2011 to $12.5bn by 2016.
(Ovum reports providing detailed discussions of cloud service definitions and forecasts and
perspectives on cloud computing are listed at the end of this document).
Australian enterprises still need to go offshore for public cloud services
The Australian cloud landscape
Overall the small size of the Australian market has not supported anything like the scale of
investments in local public cloud computing services that have occurred in the US-centric global
market and in Asian hubs such as Singapore. Australian cloud vendors are focused primarily on the
small to medium business market, though private cloud offerings are starting to also mature for the
enterprise market. From an enterprise perspective, in practice, public cloud services are located
offshore.
IaaS services
While momentum is growing, and some substantial IaaS deals have been committed, the local IaaS
market is still at an early stage of maturity relative to both the global cloud services market and also to
the traditional outsourcing and managed services markets.
The largest on-shore investments, predominantly in private cloud IaaS services, have been made by
the domestic telcos Telstra, Optus, and Macquarie Telecom. Telstra, for example, is estimated to have
spent more than A$100m establishing its IaaS offerings, and announced a further commitment of
A$800m in mid-2011.
Some global ICT services companies, such as CSC, Fujitsu, HP, and Oracle, are leveraging their
global capabilities to make investments in on-shore private cloud services facilities in Australia. Fujitsu
announced a local investment of A$14m in FY2010 to develop its Australian-based IaaS offerings,
leveraging its $1bn global investment in cloud services.
Local outsourcing and managed services companies have also been retooling to deliver private and
public cloud IaaS, albeit at a more modest scale of investment. Leaders include BitCloud,
Brennan IT, CloudCentral, Emantra, Melbourne IT, Rejilia, VirtualArk, UberGlobal, and UltraServe,
though there are many other companies asserting that they are able to provide cloud services to
varying degrees. Macquarie Telecom has launched a public cloud IaaS business called Ninefold.
SaaS services
The local public cloud SaaS market is even thinner and more fragmented from an enterprise
perspective, comprising a large number of small companies that have created SaaS offerings, or
evolved their software into SaaS delivery. Melbourne IT's WebCentral Application Marketplace
(www.applicationmarketplace.com.au) currently provides access to as many as 100 SaaS applications
in 15 different categories, the majority of which are targeting the small-to-medium business (SMB)
market. Oracle is the only major SaaS provider that is so far known to have arranged for on-shore
hosting of a global SaaS offering: its CRM On Demand service.
Telstra's T-Suite SaaS portal provides exclusive access to Microsoft's Singapore-hosted Online
Services/Office 365 and a handful of other local market SaaS services, such as Worketc, Workforce
Guardian, and Xero. Telstra reported in November 2011 that growth in adoption of SaaS services
through T-Suite was "explosive" at over 200% in the year ending in June. While this may have been
off a low base it illustrates the rising momentum behind cloud adoption in the Australian SMB sector.
Enterprise adoption of public cloud services in Australia is widespread
An emerging trend
The evidence of actual adoption of public cloud services in Australia by corporate and government
enterprises is largely anecdotal, with surveys tending to focus on attitudes and intentions rather than
actual adoption. Surveys also tend to overstate usage due to the difficulty of defining cloud computing
as distinct from managed service and outsourcing arrangements. The general view, however, is that
adoption of public cloud computing services is now widespread across all sectors and growing
steadily as awareness of cloud computing increases and as public cloud services mature in terms of
their support for enterprise-grade requirements.
Much of the early growth in the adoption of public cloud services tended to be business users
acquiring SaaS applications outside of formal enterprise ICT procurement and governance processes,
but adoption is increasingly now occurring within formal ICT procurement processes.
Proof points
Proof points of widespread adoption include:
Salesforce is estimated to have many thousands of customers in Australia, comprising a mix
of large corporate and government sector enterprises and SMB organizations.
NetSuite's CEO recently stated that the company has 850 customers in Australia,
predominantly in the SMB sector, but also including subsidiaries of larger corporates that use
NetSuite as a common financial reporting platform.
Corporate and government enterprises publicly known to have adopted Google Apps include
universities such as Adelaide, Macquarie, Monash, and RMIT, as well as corporates such as
AAPT, Flight Centre, Mortgage Choice, New Zealand Post, and Ray White Real Estate. The
New South Wales Department of Education is a long-standing user of Gmail for student email
with local storage of email records by Telstra.
Microsoft's Online Services (Live@edu, BPOS/Office 365) are publicly known to be adopted
by universities such as Australian Catholic, Curtin, Edith Cowan, Flinders, Sydney,
Queensland and UTS, TAFE SA as well as corporates such as Realestate.com.au and Ted’s
Cameras.
Other SaaS applications popular in Australia include Microsoft Dynamics CRM, Oracle CRM
On Demand, RightNow, SuccessFactors, and Yammer.
Adoption of niche SaaS applications and web services is visibly commonplace now in most
enterprises. Use of apps such as Google Maps and Microsoft Bing Maps, for example, is now
almost ubiquitous.
The use of Google Apps and Microsoft Online Services by universities has been an interesting
evolution. The case for cloud email was an early and obvious use case because of the large number
of users and the immediate applicability of relatively simple consumer market style email services
such as Gmail and Live@edu. However, the evolution of universities to using one cloud collaboration
platform for both students and staff (at Monash University, for example) is a powerful demonstration of
the fact that these public cloud services have actually now fully measured up to enterprise-grade
requirements.
Adoption of Salesforce has similarly matured as the scope and functionality of the services has
expanded over the years from one SaaS app, CRM, to a wider range of apps and to PaaS offerings.
These proof points illustrate that some enterprises in Australia do see value in public cloud services. It
is also apparent, however, that public cloud services are still a relatively small though fast-growing
subset of the overall enterprise ICT market.
The remainder of this report will explore some of the issues that are slowing down the adoption of
public cloud services and will provide guidance for enterprise executives considering the public cloud.
PUBLIC CLOUD IS A TRADE-OFF OF BENEFITS AND RISKS
Public cloud service benefits
A more effective and efficient way to source selected ICT capabilities
Much has been asserted about the benefits of public cloud services, which revolve primarily around
six distinguishing characteristics of the public cloud model:
Pooling of investment and resources to create economies of scale in the development,
operation, and evolution of a standardized service that is shared by many customers and can
be scaled up and down on demand.
Configurable multi-tenant infrastructure and application architectures to enable efficient
allocation and configuration of standardized resources and software to meet diverse needs
with minimal need for software customization.
Iterative evolution to enable customers to benefit from regular releases of new functionality in
the service.
Automation and self-service to enable faster and easier ordering from a service catalogue and
provisioning and administration of the service.
Subscription and usage-based pricing models to lower the entry costs for new customers and
enable flexibility in the way the service is paid for.
Internet ecosystems to leverage the rapid innovations enabled by social networking and
mobile technologies and a diverse ecosystem of vendors.
Cloudy is as cloudy does
The benefits from a business perspective stem from the opportunity to consume shared standardized
services that already exist, and that iteratively evolve, instead of building and maintaining services
that are dedicated and “hard-coded” customized to an individual organization's needs.
We often use the phrase "cloudy is as cloudy does" to describe a mature cloud service from an
executive's perspective. Such a service is already operating at scale to deliver a defined catalogue of
functionality at a defined level of quality and cost.
This characteristic is often viewed by executives as one of the biggest benefits of cloud services when
compared to their previous experiences of more traditional ICT projects which involve the
procurement, customization, and implementation of new ICT infrastructure and applications. Projects
all too often run over time and over budget while also failing to fully deliver the promised functionality.
For many, traditional ICT has developed a reputation for unreliable delivery, which makes executives
eager to explore an alternative model based on acquiring services that can be seen to be already
operating and which iteratively evolve.
Public cloud services are now outpacing many ICT departments on innovation
Maintaining both the operational efficiency and innovative capabilities of in-house ICT departments is
a constant challenge for any enterprise. The practical reality for many is that the ICT department is
under increasing stress due to budget cuts, ageing assets, an ageing workforce, and skills
constraints, leaving limited capacity for innovation and renewal.
By contrast, public cloud services are at the leading edge of innovation in four areas that most
enterprises are now discovering are becoming critical to achievement of their mission.
High-availability, secure, global service delivery platforms - operational scale obliges cloud
providers to deliver high levels of operational reliability, resilience, and security in a
standardized and scalable platform. The leading public cloud platforms deliver higher
performance than many enterprises would be able to afford for themselves.
Agile application development - competitive pressures drive public cloud providers to employ
agile development processes in order to provide iteratively evolving services.
Integration with social networking - being born and bred in, and running in, the Internet
ecosystems that are driving social computing means that public cloud services are well
positioned to accelerate enterprise adoption of social networking innovations.
Support for mobility - web services, open APIs, and early adoption of HTML5 put public cloud
services at the forefront of enabling mobility. Public cloud services can typically already be
accessed from any device and are increasingly being optimized natively for mobile devices.
The market-leading public cloud services are now outpacing all but the largest and best-resourced
enterprise ICT departments on these four aspects of ICT innovation, and are likely to continue to do
so into the future.
The eye of the beholder
As with many things, the degree to which the benefits of public cloud services are positively valued
depends very much on the eye of the beholder. This is driven by two main factors: the existence of a
burning platform and the pressure to innovate.
From a burning platform
For some enterprises the appeal of public cloud services arises out of disillusionment with the
alternatives, perhaps reinforced by a catalyst such as the need to replace assets or renew contracts
or by an imperative of timeframes that cannot be met by a traditional ICT project. These enterprises
are looking for a better way of sourcing some elements of their ICT environment as a matter of
necessity. The status quo is no longer adequate.
To drive innovation
For others, the appeal rests on the specific functional or financial superiority of the public cloud
solution. A public cloud service may just happen to provide the best or most affordable way of meeting
a business need, independently of any particular interest the enterprise may have for cloud
computing. This is often because the service is built using the latest thinking in software and
technology innovation and can be brought to market more quickly than alternatives. The innovation
cycle in public cloud services is rapid, and innovations can be made available globally as soon as they
are released into production.
Enterprises that are at the leading edge of using ICT to interact with customers, citizens, suppliers,
and business partners using the Internet, social media, and mobile technologies are some of the first
to appreciate the value of public cloud services because they quickly grasp the benefits of interacting
on and in an Internet platform.
Public cloud risks
Public cloud services are a new, more radical, way to externalize ICT capabilities
Broadly speaking, the risks involved in public cloud services are similar to those associated with other
forms of outsourcing. Public cloud services, however, represent a greater degree of externalization of
ICT capabilities than many enterprises have previously experienced. It is now possible, for example,
for a complete business process to be externalized to a public cloud service along with its back-end
infrastructure, applications, and ICT operations.
Six “somewhat novel” public cloud risks
This radical externalization of ICT capabilities creates six “somewhat novel” risk factors:
Ungoverned adoption - the ease of adoption, relatively low entry costs, and the compelling
benefits of public cloud services can lead to a proliferation of cloud services within enterprises
through ungoverned piecemeal adoption.
Technology immaturity - the technologies that enable cloud computing (whether in a public or
private delivery model) are relatively new and rapidly evolving. It takes a large investment in
R&D, technology, process design, and skilled people to successfully implement an
enterprise-grade cloud computing service. Technology risk reinforces the need for enterprises
to select the largest and most mature public cloud providers.
Multi-tenancy - the ability of one integrated ICT environment and application to simultaneously
support the needs of a multitude of different corporate and government enterprise customers
is one of the defining innovations of public cloud services. Multi-tenancy, however, creates
potential risks. What if unauthorized users obtain accidental, mischievous, or criminal access
to my data?
Data location - data in public cloud services is located wherever the provider's data centers
are located, and can flow across national boundaries in the cloud provider's network. This
creates potential risks arising from the obligations of enterprises to ensure that they and their
vendors are at all times compliant with nationally specific regulations relating to data security,
privacy, and record keeping.
Non-negotiable contract terms - public cloud services necessarily seek to minimize the variety
of different contracts under which services are sold, with most vendors preferring all
subscribers to sign up to standardized services on standardized terms and conditions.
Enterprise ICT buyers, however, are accustomed to negotiating contract terms and conditions
in order to address specific risk issues, and may have legitimate needs to do so because of
legal and compliance requirements.
Vendor lock-in - some enterprise buyers are concerned that public cloud services may lead to
increased “lock-in” to the cloud provider because the provider holds the data and users will
become reliant on the functionality and configurations of the service. If the public cloud
provider fails technically or commercially there is little power that an individual customer can
exert to recover the situation.
We use the term “somewhat novel” for these risks because in the main they are all variations on well
understood ICT procurement and management themes. The issue is largely about awareness of the
new nuances created by the degree of radical externalization inherent in the public cloud services
model.
Public cloud services involve new benefit/risk tradeoffs
It comes down to choices
Whether the six “somewhat novel” risk factors are risks or benefits, however, tends to be a matter of
judgment about the tradeoffs inherent in the public cloud model as illustrated in Figure 1.
Figure 1: Tradeoffs between “traditional ICT” and public cloud services. Source: Ovum
The tradeoffs are about choices and judgments.
The limited ability to customize a SaaS application can be viewed as a risk (may not be able
to meet a unique new business need) or as a benefit (minimizes costs, reduces complexity,
and better supports process standardization).
The global nature of SaaS providers can be viewed as a risk (not as tuned to local
requirements) or as a benefit (the vendor is pooling requirements across a much larger
number of different customers and building new functionality iteratively into the service to the
benefit of all customers).
The relative inability to tailor specific contract conditions and performance sanctions can be
viewed as a risk (weak one-to-one legal influence over the vendor) or as a benefit (the vendor
is exposed to collective wrath of a large number of customers all using one service under the
same terms).
Tradeoff preferences reveal vested interests
The tradeoffs require new mindsets and skills. The characteristics of public cloud services offer
exciting opportunities, but are uncomfortable for some in the ICT industry because of their novelty,
and threatening to others because they challenge the status quo of enterprise ICT departments and
traditional ICT vendors alike.
Those who see their careers being disadvantaged or the competitiveness of their companies put at
risk by public cloud services tend to be skeptical, or even critical, of the new model. Those who see
career opportunities or fresh ways to solve existing problems to drive innovation and to cut costs
using public cloud services tend to be positive proponents.
The propensity to embrace the tradeoffs of public cloud services depends very much on the degree to
which decision-makers and commentators are seeking to challenge or to protect vested interests and
the status quo.
RISK PERCEPTIONS NEED TO BE KEPT IN CONTEXT
Regulatory and security authorities fuel cloud skepticism
Regulators are perceived to have placed constraints on public cloud adoption
Our conversations reveal that there is a widespread perception that regulatory constraints comprise a
substantial barrier, particularly in the financial services and public sectors, to the use of public cloud
services. This section describes some of the statements made by regulators and security agencies
and puts them in perspective.
Note from APRA: public cloud services are outsourcing
The Australian Prudential Regulation Authority (APRA) issued a statement in November 2010 voicing
concerns that "…its regulated institutions do not always recognize the significance of cloud computing
initiatives and fail to acknowledge the outsourcing and/or off-shoring elements in them. As a
consequence, the initiatives are not being subjected to the usual rigor of existing outsourcing and risk
management frameworks, and the board and senior management are not fully informed and
engaged"
(http://www.apra.gov.au/lifs/documents/letter-on-outsourcing-and-off-shoring-adi-gi-li-final.pdf).
This statement was aimed at professionalizing, not preventing, the adoption of public cloud services,
and some public cloud service providers have embraced it. Salesforce, for example, stated publicly
that it "welcomes APRA’s recent guidance on cloud computing as an important step toward
implementing robust cloud solutions for the Australian financial services industry".
APRA's statement was, in effect, a wake-up call to directors and CIOs to rein in ad hoc adoption of
public cloud services by business units and to bring public cloud services under formal ICT
governance and risk-management processes.
OAIC is considering amending data privacy legislation
The Office of the Australian Information Commissioner (OAIC) has not provided any specific advice
relating to cloud computing, but proposed amendments to the Australian Privacy Act have attracted media
comment recently due to a tightening of the extent to which organizations will be held accountable for the
actions of contracted service providers that store data outside of Australia
(http://www.oaic.gov.au/news/speeches/speech_080911-tp-calma.html).
Privacy principles at state and federal government levels propose two specific areas of theoretical
challenge for public cloud services. The first relates to the obligation to ensure that appropriate
security arrangements are in place to protect personal and sensitive data. The second is the
obligation to ensure that any vendors involved in the outsourcing of sensitive data also comply with
the obligations of Australian state and/or national privacy legislation.
These obligations are often raised as barriers to public cloud services, which they are not. Services
provided by mature enterprise-grade providers can accommodate these obligations.
OVPC focuses on data location issues
The Office of the Victorian Privacy Commissioner (OVPC), which is responsible for regulating the way
Victorian state government agencies and local councils collect and handle personal information,
issued an information sheet on cloud computing in May 2011, which states: "Where the provider is
located outside of Victoria or off-shore, taking reasonable steps to protect personal information from
misuse, loss, unauthorized access, modification or disclosure" (a legal requirement under the
Victorian Information Privacy Act) "may be difficult or even impossible. By using cloud services, the
government agency is relinquishing some – if not all – control over their data. This includes being able
to control security measures" (http://www.privacy.vic.gov.au/privacy/web2.nsf/files/cloud-computing).
The OVPC’s concerns about data location seem overly parochial in an increasingly networked
economy. We suspect, however, that the concerns are founded more on the known inadequacy of
agency information management arrangements than on any serious belief that data is only secure if
stored within Victorian state boundaries.
DSD encourages agencies to keep data on-shore
The Defence Signals Directorate (DSD), the government's lead ICT security agency, issued a paper in
April 2011 titled "Cloud Computing Security Considerations". In this paper DSD stated, "DSD
recommends against outsourcing information technology services and functions outside of Australia,
unless agencies are dealing with data that is all publicly available. DSD strongly encourages agencies
to choose either a locally owned vendor or a foreign owned vendor that is located in Australia and
stores, processes and manages sensitive data only within Australian borders"
(http://www.dsd.gov.au/infosec/cloudsecurity.htm).
This, in our view, reflects DSD's assessment that many public cloud services were not designed for
use by government agencies, and do not fully meet enterprise-grade standards of data security. DSD
also proposed a checklist of security considerations that assists agencies to decide, when all things
are considered, whether or not a public cloud service is adequately secure for the categories of
information it will handle.
AGIMO talks about cost versus security tradeoffs
More positively, the Australian Government Information Management Office (AGIMO) issued a cloud
computing strategic direction paper in April 2011, which set out a broad way forward for the use of
cloud computing in federal government agencies. The paper proposed a principle and risk-based
approach to cloud adoption under the following policy statement: "The Australian Government and its
agencies may choose cloud based services if they demonstrate value for money and adequate
security" (http://www.finance.gov.au/e-government/strategy-and-governance/cloud-computing.html).
The strategic direction paper supported a tactical approach to the adoption of public cloud services for
uses involving publicly available data, and noted that agencies may also choose to evaluate whether
the use of improved business processes, security technologies such as encryption, or other mitigation
strategies may open further opportunities for public cloud use.
AGIMO has subsequently published a series of Cloud Better Practice Guides covering the privacy,
legal, and financial issues of cloud computing for federal government agencies. These guidelines
reinforce the fact that normal standards of procurement due diligence apply to cloud services.
Agencies should only consider buying cloud services from vendors capable of meeting information
privacy and other legal requirements
(http://agimo.govspace.gov.au/2011/11/14/cloud-computing-draft-better-practice-guides).
Put regulatory authorities’ statements in context
Be careful, but not alarmed
Organizations with no direct experience of cloud computing services can be forgiven for being
alarmed by the cautionary statements by regulators and government authorities.
However, these statements are simply reminders that the apparent ease and convenience of public
cloud services does not excuse enterprises from the need to be careful about how and where they are
used. Public cloud services, while they may be a radical externalization of ICT capabilities, do not
suspend normal enterprise ICT governance and information management obligations.
Privacy compliance is primarily about due process
It is useful to consider the case of the hacking of customer data in the Sony PlayStation Network to
gain a glimpse of the reality of privacy compliance. Even though Sony is not a public cloud services
provider, this incident has been used by detractors of public cloud services to reinforce privacy
compliance concerns when data is managed offshore by global corporations exposed to the Internet.
This was an unusually serious information security incident involving actual access to financially
sensitive information affecting 77 million customers worldwide. The Australian Privacy Commissioner
recently completed an own motion investigation to determine if Sony complied with the National
Privacy Principles in the privacy legislation. The Principles require organizations to take reasonable
steps to protect personal information, and to limit the circumstances in which organizations can use
and disclose personal information, particularly when trans-border data flows are involved. The Privacy
Commissioner concluded:
"I found no evidence that Sony intentionally disclosed any personal information to a third party.
Rather, its network platform was hacked into. I also found that Sony took reasonable steps to protect
its customers' personal information, including encrypting credit card information and ensuring that
appropriate physical, network, and communication security measures were in place."
The commissioner noted the potential challenges for regulation of the flow of personal information
"where large global companies undertake different functions relating to the provision of services and
products, including the collection of personal information, while operating out of different jurisdictions",
but he made no conclusions against Sony in regard to trans-border data flows
(http://www.oaic.gov.au/publications/reports/own_motion_sony_sep_2011.html).
This case illustrates the fact that even a situation where a severe breach of the actual security and
privacy of sensitive customer information occurred is not necessarily in breach of privacy legislation.
The issue that enterprises need to address is the actual policy, process, and technology controls
surrounding the management of their information wherever, and by whoever, it is processed and
stored. Privacy compliance was, in fact, the least of Sony's worries in regard to this incident.
Risks inherent in the status quo should not be understated
There is often a temptation to understate the familiar risks of the status quo while overstating the risks
of a new and unfamiliar approach such as the use of a public cloud service.
ICT audit reports sometimes reveal that the actual quality of ICT security controls in organizations is
much lower than ICT executives would like to admit. For example, a recent Information Systems Audit
report tabled by the Western Australian Auditor General concluded: “Fourteen of the 15 agencies we
tested failed to detect, prevent or respond to our hostile scans of their Internet sites. These scans
identified numerous vulnerabilities that could be exploited to gain access to their internal networks and
information” (http://www.audit.wa.gov.au/reports/pdfreports/report2011_04.pdf).
Such a scathing audit result is also by no means unique to public sector agencies. Results like this
are illustrative of the challenges facing all ICT departments as they attempt to do the best job they can
with the financial means available.
Proverbially, "people who live in glass houses shouldn't throw stones". The reality is that many ICT
departments that question the security of public cloud services would struggle to measure up
themselves to both the actual security performance and the transparency of trust reporting of the
leading enterprise-grade public cloud service providers.
Enterprises must face the reality of securing a connected, socially networked, and mobile workforce in the Internet age
The combined effect of funding and skills constraints and the increasing complexity and sophistication
of threats means that some enterprises are struggling to adequately secure their organization's
perimeters. This is part of a general trend toward more porous organization perimeters, which is
accelerated by Internet connectedness, the increasing use of social networking and mobile devices,
and the digital blurring of our work and personal lives.
We need to acknowledge the reality that public cloud services are part of a broader Internet age trend
away from information being “locked away” inside the enterprise network and toward the emergence
of information ecosystems that transcend organizational and national boundaries.
Enterprise executives should also consider the very real possibility that an enterprise-grade public
cloud service provider may well be capable of higher standards of information security in this new
Internet age than their own ICT department.
HOW DOES PUBLIC CLOUD FEEL IN PRACTICE?
The research approach
The objective
The objective of the research was to respond to the views about the benefits and risks of public cloud
services expressed in the previous sections of this report and to explore how they play out in practice.
The aim was to reveal direct observations from the front line of enterprise adoption of public cloud
services, and more specifically to understand how enterprises have dealt with the perceived issues
and risks of public cloud services.
The sample
Ovum conducted a program of interviews with enterprise executives from 10 different organizations to
discover how public cloud adoption feels in practice. Interviews were conducted face-to-face and/or
over the telephone in order to gain qualitative insights into the rationale for choosing a public cloud
service and how the process was managed.
The interviews do not purport to comprise a fully objective survey. In the main the executives
interviewed were self-selected advocates of public cloud services.
Some executives were interviewed a number of times to fully discuss their experiences. All were
senior business or ICT executives who had been responsible for decision-making regarding their
enterprise’s adoption of a public cloud service.
The enterprises were representative of a range of sectors, including banking and finance, utilities,
government agencies, universities, and not-for-profit organizations. Public cloud services adopted by
these organizations included Google Apps, Microsoft Online Services, RightNow, and Salesforce.
Confidentiality
Discussions were under Chatham House Rules out of respect for the regulatory and compliance
sensitivities of the organizations interviewed. The executives did not consent to the enterprises being
named.
Questions
The discussions with interviewees are summarized in terms of their responses to a range of questions
regarding their experiences of the use of public cloud services, including:
Why was a public cloud service chosen?
Who made the adoption decision and with what process?
What was the deployment experience like?
Cost effectiveness?
Commercial issues?
How was Privacy Act compliance addressed?
What about data security?
What happens if things go wrong?
What about lock-in?
What has been your operational experience?
What were some of the concerns going forward?
Overall impressions from the interviews
The overall impression drawn from the interviews is that appropriately governed and judicious use of
public cloud services is not seen as creating undesirable risks or issues for the organizations. The
services are universally viewed as a positive step forward compared to traditional ICT approaches.
In most cases the public cloud service was selected because it was better and faster, not just
cheaper, than the alternatives. This is an important observation because it explains why a public cloud
service was adopted, or retained, even though doing so may have incurred new compliance costs
such as the creation of information categorization and management processes and on-site data
replication. Public cloud services are not seen primarily as a way to cut costs.
Concerns about data security and regulatory compliance are taken seriously, but are not viewed as
“showstoppers” as long as careful thought is given to the categories of data that will be stored in the
cloud and to identifying risks and implementing contractual and process mitigations.
Not all public cloud service providers are judged to be appropriate for enterprise use, so each vendor
needs to be tested as to the degree to which the service is genuinely “enterprise-grade”.
Distinguishing characteristics of the trustworthy services appeared to be the rigor of their data security
arrangements and the extent to which they are willing and able to contractually address specific
requirements regarding data security and privacy compliance.
One of the most strongly valued benefits of the public cloud services appears to be their iterative
functional evolution. This is valued because it addresses user frustrations with the slow cycle of
innovation of past solutions as well as addressing user expectations that modern Internet applications
should be constantly evolving in terms of their functionality and support for new end-user devices
such as tablets and smartphones.
While there is an undercurrent of “worry” around offshore data storage created by both operational
concerns and regulatory uncertainties, this is acknowledged as a justifiable benefit/risk tradeoff. The
key mitigation of offshore data risks is the quality and maturity of the cloud provider's operational and
technical security arrangements.
Interview outcomes
1. Why was a public cloud service chosen?
In most cases the public cloud service was selected because it offered better functionality and faster
implementation than alternatives. Several executives commented that the service was the best
solution, and was not chosen because of any particular interest in the cloud model per se.
A number commented that a cloud-based solution was preferred after repeated failure with the
implementation and/or rollout of on-premise application projects. A public cloud approach was viewed
as offering a more reliable, lower-risk way to get users from across multiple parts of the organization
onto one common platform.
In one case the need was so urgent that a public cloud solution was the only way a system could be
provisioned to meet the business requirements in time.
Several commented that regular releases of new functionality were an appealing benefit of the cloud
model. Configurability of the solution without customization was strongly valued.
In a number of organizations the service was used as a relationship management system for external
industry partners/brokers so the fact that it was cloud hosted was a positive benefit in terms of
accessibility via the Internet.
Lower total cost of ownership was not regarded as the main justification, but in some cases the
low entry cost of a subscription was material in the decision either because it kept the procurement
beneath corporate ICT procurement thresholds or because it offered a flexible way to experiment,
starting small and scaling if the application proved to create business value.
2. Who made the adoption decision and with what process?
Decisions made several years ago, particularly for SaaS apps, were typically made by a business
executive with no or little ICT department involvement, though this is now less common. In some
cases the early adoptions were made by individual executives as an expedient way to address a
business need, literally buying the service on a credit card. One organization had accumulated over
10 separate SaaS contracts by uncoordinated ad hoc adoption in different business units.
In all the organizations interviewed, however, previous ad hoc adoption had since been “normalized”
and brought within formal ICT governance and risk-management arrangements.
Most decisions made in the past year or so were made by the ICT department as part of a formal ICT
procurement process, typically comprising a selective tender, formal evaluation of a range of cloud
and on-premise application alternatives, and formal assessments of data security and privacy risks.
3. What was the deployment experience like?
All of the executives interviewed were positive about the deployment experience, particularly when
they compared them to previous ICT project experiences. The services worked largely as expected,
user adoption was reportedly good, and the ability to configure the services to meet specific business
needs was felt to be adequate.
Many commented specifically about the benefits of iterative evolution of the functionality. While in
some cases this caused some issues associated with deciding when and how to make the new
functionality available to users, the overall impact was highly positive as the users appreciated the fact
that the service was continually improving.
Several commented on the advantages of a limited degree of configuration over previous approaches
based on customization of on-premise systems. Once the users had experienced a few cycles of
iterative evolution of the standard system they became less worried about defending fixed ideas about
specific requirements and more inclined to adapt their process to the way the standard software
already worked.
4. Cost-effectiveness
Views on cost-effectiveness were generally positive, with most organizations expressing the view that
there were significant savings over alternative approaches when all things were considered.
Some, however, commented that as the number of users grew then costs certainly "spiraled" and that
this had led to the imposition of caps on the number and types of users to ensure that costs stayed
within budget.
5. Commercial issues
It was apparent that most of the organizations had had detailed negotiations with the cloud service
providers over matters of data security and privacy and that various accommodations had been
reached. Several remarked on the fact that the leading vendors had acknowledged the need to
address the requirements of Australian regulatory authorities and had been adequately flexible in
changing some standard contract terms and operational delivery arrangements.
Conversely, lack of flexibility of “one-size-fits-all” contract terms was cited as a reason for either not
selecting or terminating some public cloud services.
Subscription-based licensing approaches were felt by several organizations to be something of a
two-edged sword. A range of pricing arrangements for different categories and numbers of users
provided more granular pricing, but also brought overheads associated with managing variable costs
and ensuring that users were using the service under the most advantageous pricing arrangement.
6. How was Privacy Act compliance addressed?
Understanding and assuring Privacy Act compliance was often cited as one of the major hurdles, but it
was not in the end a showstopper for any of the organizations interviewed.
Privacy compliance concerns are often overstated
The comment was made several times that legal advisers adopted a very conservative stance on
interpretation of the information privacy principles, which tested both the cloud providers and the
executive responsible for managing the procurement and deployment. Some legal advisers initially
recommended against the adoption of public cloud services on compliance grounds, but became
more comfortable once issues were worked through and resolved one at a time, either by contractual
or operational process mitigations.
Most, but not all, organizations conducted a formal independent privacy impact assessment (PIA). In
some cases multiple PIAs were conducted over the years as the scope and depth of use of the cloud
service expanded.
Some executives commented that resolving the privacy issues was "hard work" and required a
sustained effort of will to keep battling resistance from both internal and external stakeholders and
advisers. It was observed that it can be a challenge to maintain a practical approach to balancing
various business and legal risks in the face of stakeholders and advisers who have no stake in the
benefits of the new model and who aren't necessarily aware of, or accountable for, the limitations and
risks in the current environment.
Privacy compliance is all about information management
Working through the issues, however, was later regarded as having been a positive process because
it confronted the organization's historically informal and ad hoc approach to information categorization
and the result was an overall increase in the integrity of information management - and privacy
compliance.
One organization used the fact of using a public cloud service as a catalyst for a major review of
information management and the development of new business processes for categorizing and
handling information and testing a range of scenarios and risk mitigations around the handling of
sensitive data.
Some organizations effectively avoided exposure to Privacy Act requirements by making a conscious
choice either to only use the public cloud service for use cases that did not involve personal data or
to avoid storing data categorized as “sensitive”.
Generally, there was recognition that the move to using a public cloud platform required a new
approach to thinking about information security on a more granular, transactional, basis, whereas in
the past the thinking was mainly at a higher level. Some types of information in some types of
transactions can be safely trusted to the cloud. One executive commented that he felt that this was a
necessary evolution in information management that was driven by increasing use of the Internet and
mobile platforms for customer interactions. Cloud platforms are one element of a bigger change under
way in the way information needs to be managed. His view was that use of a public cloud service was
a useful catalyst for changes that needed to happen anyway.
Specific contractual provisions may be required for privacy compliance
Most organizations required the cloud provider to agree to specific contract provisions relating to their
compliance with the provisions of the Privacy Act, particularly regarding their obligations to uphold
principles for fair handling of information that are substantially similar to the national privacy principles.
In some cases the contracts have specified particular data centers where data must, and must not, be
stored based on the privacy legislation that exists in those particular countries or regions. Japan, for
example, is viewed more favorably than Singapore, and some states in the US (California, Virginia,
and Illinois) are regarded as having stronger privacy legislation than other states.
In some cases privacy issues have required explicit director-level exemptions to be granted from
internal corporate policies, and these have been approved in the context of an overall assessment of
the risk mitigations and the benefits to the organization of continuing to use public cloud services that
had already gained support in the business. It was clear, however, that board-level exemptions were
an uncomfortable experience. One executive noted that the strong preference of directors was for
customer data to stay within its country of origin where possible.
No privacy breach incidents reported
To put all this into context, despite (and perhaps because of) the perceived risks, none of the
organizations reported any actual incidents regarding privacy compliance since adopting a public
cloud service.
7. What about data security?
Not all public cloud services have good enough security
A few organizations admitted that data security concerns had led them to block or terminate public
cloud services in the past where they had been adopted by the business but were not assessed to be
adequately robust. Several remarked that not all public cloud services were appropriate for enterprise
use from a data security perspective, which was why they had retrospectively imposed ICT
governance arrangements over adoption of all cloud services.
The leading public cloud services have adequate security
All of the organizations had rigorously assessed and tested the security of the public cloud services
currently in use. Where the initial adoption, perhaps several years ago, was via an informal
business-led process, the ICT department had typically conducted reviews and retrospectively
implemented policy-compliant data security arrangements.
Reviews by external ICT security experts or audit firms were a common practice. One government
agency had also explicitly engaged the Auditor General's office to review the overall security
arrangements around their use of a public cloud service. Smaller agencies remarked that it was useful
when they could "travel in the wake" of a larger agency's adoption of a public cloud service and
benefit from the precedent set by their resolution of contractual issues.
The comment was made many times that the market-leading public cloud services actually had strong
security credentials. The fact that all customers were served out of one shared operational
environment was perceived as a benefit from a security perspective because the service needed to be
operated to the standards required by the most demanding customers, and most organizations were
therefore confident that the security standards were higher than they could ordinarily justify funding
themselves.
Offshore data remains an “emotional leap”
Another common remark, however, was that even after deep security testing it was still a big
emotional leap to fully trust the public cloud provider. It still felt uncomfortable because of the lack of
direct control, and it took a while for confidence to grow. Some remained uncomfortable because they
felt that the organization's data-protection requirements, and the regulatory environment, were
constantly changing so there was always a residual sense of exposure with data being stored
offshore.
Encryption of data at rest so that only the enterprise customer had access to the encryption keys was
regarded by some but not all organizations as a necessary evolution of data security in the public
cloud.
Several organizations noted that they had made a policy decision not to keep some primary data in
the public cloud service. Copies of data were replicated daily to the cloud service.
Ability to audit may be necessary
Most organizations had negotiated some degree of ability to audit the cloud provider if they could
demonstrate grounds to do so. Most also required access to the cloud provider's own regular
independent external audit reports for SAS70 Type2 and ISO27001 compliance.
8. What happens if things go wrong?
Some executives commented that sourcing from a public cloud provider was a new experience in
terms of the power relationships with a large outsourced vendor. They were accustomed to the
comfort of a "thick contract and SLA" and were initially uncomfortable with the idea that they would be
likely to have little influence over the public cloud provider in the event of something going badly
wrong.
In practice, however, the sense was that most felt that there was a positive advantage in the fact that
all the cloud service provider's customers were using a shared system, so that there was a “crowd”
effect that worked to the advantage of customers. If something goes wrong then the cloud provider is
likely to be under realtime pressure from all customers, not just one.
A number of executives observed that the public cloud actually provides greater confidence than
some previous outsourcing arrangements. Some told stories of being let down in the past by both
small and large ICT providers to illustrate that the contract and SLA approach sometimes provided
little actual assurance despite the illusion that they provided leverage over the vendor.
There was an acceptance of the fact that the organizations are totally reliant on the cloud services
provider to deliver a quality, reliable, service. Several commented that this was just a reality, part of
the tradeoff of a cloud service, and that this made it even more important to choose a provider with
the scale of investment and operations to be trustworthy.
9. What about lock-in?
Most, but not all, organizations had negotiated explicit provisions for a daily or weekly on-site
replication of data from the public cloud service as a measure of protection against loss of data in the
event the service is interrupted for a sustained period or withdrawn. This was also regarded as
necessary to meet record-keeping requirements.
Several organizations had also actually implemented simple applications to report and enable
rudimentary access to the backup data in an emergency.
In practice, however, lock-in was pretty much accepted as a fact of life. Some were not that worried
about it because their use of the public cloud service was for relatively simple and generic
applications that would be straightforward enough to replicate. Others just regarded this as a tradeoff
necessary to obtain access to the functionality unique to the provider, and accepted the need to
manage it at a practical level.
One executive commented that she felt that one advantage of moving to a public cloud service was
that for the first time the entire organization was using one platform. In theory, this then made the task
of migrating to another provider easier than in the previous fragmented, multi-vendor, environment.
10. What has been your operational experience?
The operational experience of consuming a public cloud service was overwhelmingly positive. No
organization reported any significant operational issues or disappointments once they had selected a
public cloud service that they regarded as trustworthy.
Some executives commented that not having to manage the infrastructure environment with
processes such as server operating system upgrades and the application of software patches was a
welcome benefit.
Reliability experiences were universally good, and regarded as on par with or better than in-house
systems performance.
11. What were some of the concerns?
Governance of cloud adoption is essential
“Stealth” cloud adoption was regarded as one of the dangers of public cloud because of the risks of
inadvertent exposure to security and privacy compliance issues. The move to a public cloud service
therefore needs to be properly planned and implemented. Ad hoc adoption was perceived as a real
risk, and was acknowledged to be at the root of APRA's concerns over cloud computing. Some
executives noted that it had taken quite a lot of effort to regain ICT governance control over ad hoc
adoption of public cloud services by business units.
Need to refocus on business analysis and information management
The configurability of the service can lead to many different and incompatible deployments in different
business units. One executive commented that the ease of adoption and configurability provides a
faster way to go in the wrong direction. Using a public cloud service frees the organization from many
of the more operational ICT tasks, but it reinforces the need for the development of the business
analysis, process design, and training capabilities needed to ensure that effective use is made of the
new tools.
Several noted concerns about the inevitable expansion of the scope of use of the cloud services over
time as users became more comfortable with the services and extended the functionality by
configuration and use of other apps. This was, on the one hand, a good thing because it endorsed the
fact that the services were valued by the business. On the other, however, it increased the risk that
the use of the public cloud service could eventually create inadvertent compliance exposures if
personal or sensitive data was stored in the system without proper consideration of compliance
obligations.
Another remarked on the increased importance of information management and governance. In most
cases approval to use the public cloud services was based on constraints around the categories of
data that were permitted to be stored offshore in the cloud. Remaining within these constraints
required active and ongoing attention to information management, which was a new discipline in the
organization.
Strong encryption of data at rest will ultimately be an essential requirement
A number of executives acknowledged that information management disciplines, while an essential
element of the safe use of public cloud services, would be unlikely to be foolproof. In the end the
ability to fully trust a public cloud service would require efficient mechanisms for implementing strong
encryption of data at rest.
PaaS and app ecosystems introduce an element of unpredictability
The evolution of ecosystems of apps around the leading public cloud platforms was viewed as a
useful source of innovative functionality, but it was also highlighted by two executives as a significant
emerging risk factor. The app ecosystems are dynamic, with new apps emerging, being acquired by
other companies, and forming partnerships and alliances.
In this context the reliability, security arrangements, and trustworthiness of some of the app vendors are
a constantly moving target. The comment was made that enterprise-grade PaaS providers will need to
carefully manage their exposure to risks created by partners in their app ecosystems.
RECOMMENDATIONS
Recommendations for enterprises
Do not discount public cloud services on security and privacy grounds
Regulatory concerns regarding data security and privacy should be regarded as important business
requirements, but they are not necessarily showstoppers for the use of public cloud services. There
are numerous corporate and government enterprises in Australia that are currently using public cloud
services after having carried out rigorous risk assessments.
Ovum recommends that enterprises should not discount consideration of public cloud services on
data security and privacy grounds.
Approach use of public cloud services from a strategic perspective
It is important to approach consideration of cloud computing from a strategic perspective, rather than
a tactical or narrow cost-cutting perspective. Public cloud services are a radical externalization of ICT
capabilities that require some new tradeoffs and a willingness to "think outside of your box". The
tradeoffs between owning and controlling resources and accessing and participating in Internet
services require new mindsets and skills.
Managing a shift in the balance of these tradeoffs is part of a strategic transformation of the
enterprise's approach to ICT, not simply an expedient way to source a new point solution. A strategic
approach requires a “warts and all” analysis of the strengths and weaknesses of the current in-house
ICT operations and capabilities and how these are projected to evolve, and the strengths and
weaknesses of cloud services and how these are projected to evolve.
Ovum recommends that enterprises are realistic about both the weaknesses of their current ICT
capabilities and their actual ability to address these weaknesses. Our view is that public cloud
services are evolving rapidly in terms of their functionality and trustworthiness. It is likely that the pace
of evolution of the capabilities of public cloud services will be much faster than the evolution of
in-house ICT capabilities within most enterprises, particularly those that are under financial pressure.
A strategic perspective is necessary to appreciate the broader advantages of public cloud services
and to assess their benefits in the context of enterprise ICT realities.
Acknowledge that scale counts in the cloud where bigger will be better
Building reliable and trustworthy enterprise-grade cloud services is a challenging exercise for any
organization, whether an in-house ICT department, an ICT vendor, or a global public cloud services
provider. Significant investments in technology, processes, and people are required, and the
performance of any under-invested or resource-constrained cloud services is unlikely to live up to
service expectations.
Concerns about the fact that global public cloud services providers will store data offshore need to be
balanced against the advantages that these vendors offer in terms of their capacity to invest in service
innovation, application functionality, and reliable, secure, operational processes and facilities. The
primary concern should be the depth and quality of the overall service offering, not simply the location
of the data.
Don't compromise on enterprise-grade compliance requirements
One of the distinguishing characteristics of enterprise-grade public cloud services providers is the
extent to which they understand and support enterprise-grade compliance requirements. Global
one-size-fits-all services and “take it or leave it” contract terms and conditions are a characteristic of
consumer and small business market cloud services, but are unrealistic in the enterprise market.
Public cloud providers that are serious about attracting and retaining enterprise business understand
the need to provide contractual and operational solutions such as:
- Assurances about compliance with process quality and security standards.
- Assurance about compliance with information privacy principles.
- Access to routine external audit reports, and (if there are grounds) consent to some forms of ad hoc external audits.
- A range of options for data encryption.
- Local data replication.
- Assurances about how data will be made available to the subscriber on the termination of the service and/or permanently deleted from the cloud provider's databases.
In addition, they will have a clear strategy for longer-term resolution of data-sovereignty concerns,
which may include significant investments in data encryption and the creation of a network of data
centers distributed around the globe in countries with trusted legal and regulatory regimes.
See beyond the contract and SLA to harness the power of the “wrath of the crowd”
Some enterprises are concerned that they will have less power in public cloud services relationships
than in more traditional arrangements. While a contract and SLA are essential to reach an agreed basis
for the commercial relationship, in practice enterprises need to appreciate the importance of the
“wrath of the crowd” in public cloud service relationships. The bigger the crowd, the greater the wrath,
and the greater the pressure on the cloud provider to prevent service issues and to resolve them
quickly.
The fact that large numbers of customers share a common service means that there is safety in
numbers, which is a change in the logic of power relationships in ICT procurement. In the past being a
small customer among many of a large ICT provider tended to leave the customer powerless if things
went wrong. With public cloud services the opposite is true. Being a small subscriber among many of
a large cloud provider makes the subscriber part of a powerful crowd that quickly attracts media
attention if it has a service grievance. This observation further reinforces the importance of scale and
critical mass in public cloud services.
Rein in “stealth” cloud, the main driver of public cloud adoption risks and regulatory concerns
While it was fashionable for a while to admire the innovative energy of business units that acted
independently of the ICT department to acquire public cloud services “because they could”, this
behavior has already led to cautionary statements from regulators including APRA. The reality is that
ICT departments must rein in “stealth” cloud adoption and bring public cloud adoption under normal
ICT governance arrangements, particularly in the financial services and government sectors.
We can be sure that auditors and directors will pay increasing attention to this over the next year, so
CIOs are recommended to get onto the front foot in order to be able to deal with issues proactively
rather than in a crisis.
Recommendations for vendors
Making the public cloud safe and trusted for enterprise use is not optional
The rate of growth of the public cloud market in the enterprise sector will be very much determined by
the success of the major vendors in meeting the enterprise expectations outlined above. It is not
enough for the public cloud to offer superior functionality; it also has to offer superior trust.
The actual and perceived trustworthiness of individual public cloud vendors will become a significant
source of differentiation in the enterprise market.
The ability to efficiently encrypt data at rest will be strongly valued by Australian enterprise executives.
As soon as this is technically, operationally, and commercially feasible it is likely to be strongly
recommended by regulators, and will therefore be regarded as a prerequisite for the use of public
cloud services by auditors and company directors.
Find ways to develop peer-to-peer networks of customers and prospects
Public cloud providers have much to gain and little to lose by encouraging networking and
information-sharing between customers and prospects. The rate of enterprise adoption of public cloud
services will be accelerated by greater transparency around how data security and privacy concerns
are overcome in practice to counterbalance the cautionary statements made by regulators and
security agencies.
The sharing of best practices across enterprise buyers will be viewed by some vendors as a
two-edged sword because it will also make buyers on average more demanding. Ovum's view,
however, is that this is a necessary evolution in both buyer expectations and the ability of public cloud
providers to meet the specific data security and privacy requirements of doing business in Australia.
Public cloud services that can meet these requirements will be at a strong competitive advantage.
Develop proactive support for ICT governance-as-a-service
The fact that all customers use one platform means that public cloud providers have a unique
opportunity (compared to most other modes of providing ICT services) to support enterprise ICT
governance processes.
Stealth adoption of cloud services by different business units in an enterprise, for example, is easy for
cloud providers to monitor because they have visibility of all services being consumed by an
enterprise in real time.
We recommend that vendors seek to understand the governance challenges that public cloud
adoption creates for enterprises and provide functionality within the platforms to support governance
processes.
We also note the problems that some vendors are creating for ICT governance, and for enterprise
confidence in public cloud services generally, by sales strategies that proactively target stealth
adoption. Vendors that are serious about the enterprise market need also to demonstrate an
understanding of enterprise ICT management realities. Vendors, despite building a groundswell of
bottom-up user adoption, gain little if their service is ultimately blocked in the enterprise firewall by the
CIO once the ICT department becomes engaged.
Make it easy for customers to leave and ensure that they have no reason to want to
Concern about lock-in is somewhat over-hyped, but nonetheless we recommend that public cloud
services providers make a virtue of making it easy for customers to both subscribe to and terminate
the service. Paradoxically, customers will be less anxious about adopting a public cloud service if they
are confident that they can leave at any time, taking all their data and erasing any trace of their use of
the service.
The reality is that switching costs will rise for the customer over time as they become more invested in
the service, but making a public cloud service a safe and easy choice is an important differentiator
versus both in-house and other cloud alternatives. Once the customer has signed up to a subscription
then the onus is on the vendor to ensure that the service actually does what it says on the label, and if
it does then most customers are likely to become stronger advocates if they feel that they are in the
relationship because of choice rather than because they are locked in by contract.
APPENDIX
Author
Dr Steve Hodgkinson, Research Director ICT, Asia-Pacific
Methodology
This research report was based on a wide-ranging set of inputs including insights gained by Ovum
from discussions about cloud computing with more than 400 executives over the past two years and
from detailed discussions with executives from 10 corporate and government enterprises in
September and October 2011. Our research was complemented by online research and Ovum's
extensive prior research insights.
Ovum Consulting
We hope that this analysis will help you make informed and imaginative business decisions. If you
have further requirements, Ovum’s consulting team may be able to help you. For more information
about Ovum’s consulting capabilities, please contact us directly at [email protected].
Disclaimer
All Rights Reserved.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form
by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior
permission of the publisher, Ovum (an Informa business).
The facts of this report are believed to be correct at the time of publication but cannot be guaranteed.
Please note that the findings, conclusions, and recommendations that Ovum delivers will be based on
information gathered in good faith from both primary and secondary sources, whose accuracy we are
not always in a position to guarantee. As such Ovum can accept no liability whatever for actions taken
based on any information that may subsequently prove to be incorrect.
Copyright notice and disclaimer
The contents of this product are protected by international copyright laws, database rights and other
intellectual property rights. The owner of these rights is Informa Telecoms and Media Limited, our
affiliates or other third party licensors. All product and company names and logos contained within or
appearing on this product are the trademarks, service marks or trading names of their respective
owners, including Informa Telecoms and Media Limited. This product may not be copied, reproduced,
distributed or transmitted in any form or by any means without the prior permission of Informa
Telecoms and Media Limited.
Whilst reasonable efforts have been made to ensure that the information and content of this product
was correct as at the date of first publication, neither Informa Telecoms and Media Limited nor any
person engaged or employed by Informa Telecoms and Media Limited accepts any liability for any
errors, omissions or other inaccuracies. Readers should independently verify any facts and figures as
no liability can be accepted in this regard – readers assume full responsibility and risk accordingly for
their use of such information and content.
Any views and/or opinions expressed in this product by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Informa Telecoms and Media Limited.