Enterprise Adoption of Public Cloud Services Is All About Pragmatic Tradeoffs

Publication Date: 01 Feb 2012 | Product code: IT007-000616

Steve Hodgkinson


SUMMARY

Catalyst

While enterprise use of public cloud services is now widespread and growing in Australia, perceptions

of risk have become somewhat overstated due to cautionary statements made by regulators and

security authorities. This report seeks to restore some balance to the discussion by sharing the

positive public cloud adoption experiences and lessons learned by 10 corporate and government

enterprises.

Ovum view

Public cloud computing is evolving to become an increasingly viable element of the enterprise ICT

mix. Organizations around the world, from small businesses through to large corporate and

government enterprises, now rely on the public cloud to support services ranging from niche ICT

applications to mission-critical operations.

Public cloud services bring two main benefits, both attributable to the “radical externalization” of ICT

capabilities beyond enterprise boundaries: into the cloud. First, the public cloud offers a more effective

and efficient way to source selected ICT-enabled business processes, applications, and infrastructure.

Second, it offers a new way to accelerate participation in the rapidly evolving social networking and

mobile solution ecosystems of the Internet age.

This radical externalization of ICT capabilities, however, involves new tradeoffs and a willingness to

"think outside your boxes". Traditional ICT approaches are focused on owning and controlling

resources, assets, and contracts for specified services. The public cloud enables the focus to shift to

accessing iteratively evolving services and participating in dynamic Internet ecosystems.

The tradeoffs between “owning and controlling” and “accessing and participating” require new

mindsets and skills. They offer exciting opportunities, but are uncomfortable for some because they

are new, and threatening to others because they challenge the status quo of ICT departments and

traditional ICT vendors alike. Those who see more risk than opportunity in public cloud services tend

to be skeptical, or even critical, of the new model.

This skepticism has been reinforced by cautionary statements made over the past year by regulators

and security authorities about the theoretical risks of offshore data storage in the public cloud model.

While not specifically recommending against the use of public cloud services, the statements have

served to heighten awareness of regulatory concerns regarding potential security and privacy risks,

particularly in the financial and government sectors.

The reality, however, is that use of public cloud services is widespread in corporate and government

enterprises in Australia. Perceptions of the risks of public cloud services have become overstated.

Detractors, some with vested interests in the status quo, are outspoken about the potential risks, while

proponents with hands-on experience are relatively silent about how public cloud services actually

feel in practice due to perceived compliance sensitivities.

To shed some light on the reality of public cloud services adoption we interviewed executives in 10

corporate and government enterprises with hands-on experience of using public cloud services.

Discussions were intentionally “off the record” to encourage open and frank discussion. The results convey positive experiences. The executives we interviewed stated that the public cloud has added value to their enterprise's ICT portfolio.

© 2014 Ovum. All rights reserved. Unauthorized reproduction prohibited.

Public cloud services were typically not chosen to save costs. In most cases the service was selected

because it was better and faster, even though some changes to information-management practices

may have been required. One of the most strongly valued benefits was iterative functional evolution.

The cloud service addressed user frustrations with the slow cycle of innovation of past ICT solutions

as well as user expectations that modern Internet applications should be constantly evolving in terms

of their functionality and support for innovations such as social networking and mobility.

Concerns about data security and regulatory compliance are taken seriously, but are not viewed as

“showstoppers” as long as careful thought is given to the categories of data that will be stored in the

cloud and to identifying specific risk factors and contractual and process mitigations. Not all public

cloud services are equal in terms of their ability to meet enterprise reliability and security

requirements, so the biggest risk mitigation is the choice of a high-quality enterprise-grade cloud

services provider.

Data sovereignty issues create an undercurrent of “worry” about offshore data storage for some

executives, although this is acknowledged as a justifiable benefit/risk tradeoff as long as the risks are

judiciously managed. In the medium term, a key emerging differentiator for public cloud service

providers serious about the enterprise market will be the ability to provide robust encryption of data at

rest.

Key messages

- There is widespread adoption of public cloud services in corporate and government enterprises in Australia.
- Concerns expressed by regulatory and security authorities regarding the risks of offshore data storage do not preclude enterprise consideration of public cloud services.
- Discussions with 10 enterprises that use public cloud services reveal that carefully considered and appropriately governed use is viewed as a positive addition to the enterprise ICT portfolio.

CLOUD COMPUTING DOWN UNDER

Public cloud services are relied upon by organizations large and small

Public cloud services are now relied upon by organizations around the world, from small businesses

through to large corporate and government enterprises. Virtually all types of applications are now

available as software-as-a-service (SaaS) offerings. Platform-as-a-service (PaaS) models are

available for a wide range of the leading application development environments. Virtually any type of

workload can now be run under a long or short-term infrastructure-as-a-service (IaaS) arrangement.

Initial perceptions that public cloud services were more appropriate for the consumer and small

business markets, or for niche applications only, are giving way to a broader acceptance of the

opportunities for the public cloud model to provide genuine alternatives to traditional enterprise ICT

approaches. Salesforce.com, for example, pioneered the provision of niche CRM SaaS offerings over

a decade ago, but has now evolved to provide a wide range of SaaS and PaaS services. Salesforce

now provides mission-critical applications for more than 100,000 organizations worldwide, including

some of the world’s largest enterprises. As the scope and maturity of public cloud services have

developed so has awareness of the benefits of the cloud model and understanding of how it can be

applied.

In recent years the PaaS functionality of the leading public cloud services vendors has evolved

significantly, and now offers one of the most compelling elements of the cloud model. PaaS offerings

now provide enterprises with access to increasingly integrated suites of SaaS apps and accelerated

participation in the rapidly evolving social networking and mobile solutions ecosystems of the Internet

age.

The success of the public cloud model is demonstrated by the fact that leading global ICT companies

such as IBM, Microsoft, Oracle, and SAP now provide public cloud services as alternatives to their

traditional modes of product and service delivery and licensing for the enterprise market.

Ovum estimates that public cloud services generated about $18.2bn in revenue in 2011, and forecasts

that this will grow by 30% per year to in excess of $65bn by 2016. The Asia-Pacific region is expected

to comprise the fastest growing market for public cloud services, with revenues forecasted to grow by

34% per year from $2.9bn in 2011 to $12.5bn by 2016.

(Ovum reports providing detailed discussions of cloud service definitions and forecasts and

perspectives on cloud computing are listed at the end of this document).

Australian enterprises still need to go offshore for public cloud services

The Australian cloud landscape

Overall the small size of the Australian market has not supported anything like the scale of

investments in local public cloud computing services that have occurred in the US-centric global

market and in Asian hubs such as Singapore. Australian cloud vendors are focused primarily on the

small to medium business market, though private cloud offerings are starting to also mature for the

enterprise market. From an enterprise perspective, in practice, public cloud services are located

offshore.

IaaS services

While momentum is growing, and some substantial IaaS deals have been committed, the local IaaS

market is still at an early stage of maturity relative to both the global cloud services market and also to

the traditional outsourcing and managed services markets.

The largest on-shore investments, predominantly in private cloud IaaS services, have been made by

the domestic telcos Telstra, Optus, and Macquarie Telecom. Telstra, for example, is estimated to have

spent more than A$100m establishing its IaaS offerings, and announced a further commitment of

A$800m in mid-2011.

Some global ICT services companies, such as CSC, Fujitsu, HP, and Oracle, are leveraging their

global capabilities to make investments in on-shore private cloud services facilities in Australia. Fujitsu

announced a local investment of A$14m in FY2010 to develop its Australian-based IaaS offerings,

leveraging its $1bn global investment in cloud services.

Local outsourcing and managed services companies have also been retooling to deliver private and

public cloud IaaS, albeit at a more modest scale of investment. Leaders include BitCloud,

BrennanICT, CloudCentral, Emantra, MelbourneICT, Rejilia, VirtualArk, UberGlobal, and UltraServe,

though there are many other companies asserting that they are able to provide cloud services to

varying degrees. Macquarie Telecom has launched a public cloud IaaS business called Ninefold.

SaaS services

The local public cloud SaaS market is even thinner and more fragmented from an enterprise

perspective, comprising a large number of small companies that have created SaaS offerings, or

evolved their software into SaaS delivery. Melbourne ICT's WebCentral Application Marketplace

(www.applicationmarketplace.com.au) currently provides access to as many as 100 SaaS applications

in 15 different categories, the majority of which are targeting the small-to-medium business (SMB)

market. Oracle is the only major SaaS provider that is so far known to have arranged for on-shore

hosting of a global SaaS offering: its CRM On Demand service.

Telstra's T-Suite SaaS portal provides exclusive access to Microsoft's Singapore-hosted Online

Services/Office 365 and a handful of other local market SaaS services, such as Worketc, Workforce

Guardian, and Xero. Telstra reported in November 2011 that growth in adoption of SaaS services

through T-Suite was "explosive" at over 200% in the year ending in June. While this may have been

off a low base it illustrates the rising momentum behind cloud adoption in the Australian SMB sector.

Enterprise adoption of public cloud services in Australia is widespread

An emerging trend

The evidence of actual adoption of public cloud services in Australia by corporate and government

enterprises is largely anecdotal, with surveys tending to focus on attitudes and intentions rather than

actual adoption. Surveys also tend to overstate usage due to the difficulty of defining cloud computing

as distinct from managed service and outsourcing arrangements. The general view, however, is that

adoption of public cloud computing services is now widespread across all sectors and growing

steadily as awareness of cloud computing increases and as public cloud services mature in terms of

their support for enterprise-grade requirements.

Much of the early growth in the adoption of public cloud services tended to be business users

acquiring SaaS applications outside of formal enterprise ICT procurement and governance processes,

but adoption is increasingly now occurring within formal ICT procurement processes.

Proof points

Proof points of widespread adoption include:

- Salesforce is estimated to have many thousands of customers in Australia, comprising a mix of large corporate and government sector enterprises and SMB organizations.
- NetSuite's CEO recently stated that the company has 850 customers in Australia, predominantly in the SMB sector, but also including subsidiaries of larger corporates that use NetSuite as a common financial reporting platform.
- Corporate and government enterprises publicly known to have adopted Google Apps include universities such as Adelaide, Macquarie, Monash, and RMIT, as well as corporates such as AAPT, Flight Centre, Mortgage Choice, New Zealand Post, and Ray White Real Estate. The New South Wales Department of Education is a long-standing user of Gmail for student email with local storage of email records by Telstra.
- Microsoft's Online Services (Live@edu, BPOS/Office 365) are publicly known to be adopted by universities such as Australian Catholic, Curtin, Edith Cowan, Flinders, Sydney, Queensland and UTS, TAFE SA as well as corporates such as Realestate.com.au and Ted’s Cameras.
- Other SaaS applications popular in Australia include Microsoft Dynamics CRM, Oracle CRM On Demand, RightNow, SuccessFactors, and Yammer.
- Adoption of niche SaaS applications and web services is visibly commonplace now in most enterprises. Use of apps such as Google Maps and Microsoft Bing Maps, for example, is now almost ubiquitous.

The use of Google Apps and Microsoft Online Services by universities has been an interesting

evolution. The case for cloud email was an early and obvious use case because of the large number

of users and the immediate applicability of relatively simple consumer market style email services

such as Gmail and Live@edu. However, the evolution of universities to using one cloud collaboration

platform for both students and staff (at Monash University, for example) is a powerful demonstration of

the fact that these public cloud services have actually now fully measured up to enterprise-grade

requirements.

Adoption of Salesforce has similarly matured as the scope and functionality of the services has

expanded over the years from one SaaS app, CRM, to a wider range of apps and to PaaS offerings.

These proof points illustrate that some enterprises in Australia do see value in public cloud services. It

is also apparent, however, that public cloud services are still a relatively small though fast-growing

subset of the overall enterprise ICT market.

The remainder of this report will explore some of the issues that are slowing down the adoption of

public cloud services and will provide guidance for enterprise executives considering the public cloud.

PUBLIC CLOUD IS A TRADE-OFF OF BENEFITS AND RISKS

Public cloud service benefits

A more effective and efficient way to source selected ICT capabilities

Much has been asserted about the benefits of public cloud services, which revolve primarily around

six distinguishing characteristics of the public cloud model:

- Pooling of investment and resources to create economies of scale in the development, operation, and evolution of a standardized service that is shared by many customers and can be scaled up and down on demand.
- Configurable multi-tenant infrastructure and application architectures to enable efficient allocation and configuration of standardized resources and software to meet diverse needs with minimal need for software customization.
- Iterative evolution to enable customers to benefit from regular releases of new functionality in the service.
- Automation and self-service to enable faster and easier ordering from a service catalogue and provisioning and administration of the service.
- Subscription and usage-based pricing models to lower the entry costs for new customers and enable flexibility in the way the service is paid for.
- Internet ecosystems to leverage the rapid innovations enabled by social networking and mobile technologies and a diverse ecosystem of vendors.

Cloudy is as cloudy does

The benefits from a business perspective stem from the opportunity to consume shared standardized

services that already exist, and that iteratively evolve, instead of building and maintaining services

that are dedicated and “hard-coded” customized to an individual organization's needs.

We often use the phrase "cloudy is as cloudy does" to describe a mature cloud service from an

executive's perspective. Such a service is already operating at scale to deliver a defined catalogue of

functionality at a defined level of quality and cost.

This characteristic is often viewed by executives as one of the biggest benefits of cloud services when

compared to their previous experiences of more traditional ICT projects which involve the

procurement, customization, and implementation of new ICT infrastructure and applications. Projects

all too often run over time and over budget while also failing to fully deliver the promised functionality.

For many, traditional ICT has developed a reputation for unreliable delivery, which makes executives

eager to explore an alternative model based on acquiring services that can be seen to be already

operating and which iteratively evolve.

Public cloud services are now outpacing many ICT departments on innovation

Maintaining both the operational efficiency and innovative capabilities of in-house ICT departments is

a constant challenge for any enterprise. The practical reality for many is that the ICT department is

under increasing stress due to budget cuts, ageing assets, an ageing workforce, and skills

constraints, leaving limited capacity for innovation and renewal.

By contrast, public cloud services are at the leading edge of innovation in four areas that most

enterprises are now discovering are becoming critical to achievement of their mission.

- High-availability, secure, global service delivery platforms - operational scale obliges cloud providers to deliver high levels of operational reliability, resilience, and security in a standardized and scalable platform. The leading public cloud platforms deliver higher performance than many enterprises would be able to afford for themselves.
- Agile application development - competitive pressures drive public cloud providers to employ agile development processes in order to provide iteratively evolving services.
- Integration with social networking - being born and bred in, and running in, the Internet ecosystems that are driving social computing means that public cloud services are well positioned to accelerate enterprise adoption of social networking innovations.
- Support for mobility - web services, open APIs, and early adoption of HTML5 put public cloud services at the forefront of enabling mobility. Public cloud services can typically already be accessed from any device and are increasingly being optimized natively for mobile devices.

The market-leading public cloud services are now outpacing all but the largest and best-resourced

enterprise ICT departments on these four aspects of ICT innovation, and are likely to continue to do

so into the future.

The eye of the beholder

As with many things, the degree to which the benefits of public cloud services are positively valued

depends very much on the eye of the beholder. This is driven by two main factors: the existence of a

burning platform and the pressure to innovate.

From a burning platform

For some enterprises the appeal of public cloud services arises out of disillusionment with the

alternatives, perhaps reinforced by a catalyst such as the need to replace assets or renew contracts

or by an imperative of timeframes that cannot be met by a traditional ICT project. These enterprises

are looking for a better way of sourcing some elements of their ICT environment as a matter of

necessity. The status quo is no longer adequate.

To drive innovation

For others, the appeal rests on the specific functional or financial superiority of the public cloud

solution. A public cloud service may just happen to provide the best or most affordable way of meeting

a business need, independently of any particular interest the enterprise may have for cloud

computing. This is often because the service is built using the latest thinking in software and

technology innovation and can be brought to market more quickly than alternatives. The innovation

cycle in public cloud services is rapid, and innovations can be made available globally as soon as they

are released into production.

Enterprises that are at the leading edge of using ICT to interact with customers, citizens, suppliers,

and business partners using the Internet, social media, and mobile technologies are some of the first

to appreciate the value of public cloud services because they quickly grasp the benefits of interacting

on and in an Internet platform.

Public cloud risks

Public cloud services are a new, more radical, way to externalize ICT capabilities

Broadly speaking, the risks involved in public cloud services are similar to those associated with other

forms of outsourcing. Public cloud services, however, represent a greater degree of externalization of

ICT capabilities than many enterprises have previously experienced. It is now possible, for example,

for a complete business process to be externalized to a public cloud service along with its back-end

infrastructure, applications, and ICT operations.

Six “somewhat novel” public cloud risks

This radical externalization of ICT capabilities creates six “somewhat novel” risk factors:

- Ungoverned adoption - the ease of adoption, relatively low entry costs, and the compelling benefits of public cloud services can lead to a proliferation of cloud services within enterprises through ungoverned piecemeal adoption.
- Technology immaturity - the technologies that enable cloud computing (whether in a public or private delivery model) are relatively new and rapidly evolving. It takes a large investment in R&D, technology, process design, and skilled people to successfully implement an enterprise-grade cloud computing service. Technology risk reinforces the need for enterprises to select the largest and most mature public cloud providers.
- Multi-tenancy - the ability of one integrated ICT environment and application to simultaneously support the needs of a multitude of different corporate and government enterprise customers is one of the defining innovations of public cloud services. Multi-tenancy, however, creates potential risks. What if unauthorized users obtain accidental, mischievous, or criminal access to my data?
- Data location - data in public cloud services is located wherever the provider's data centers are located, and can flow across national boundaries in the cloud provider's network. This creates potential risks arising from the obligations of enterprises to ensure that they and their vendors are at all times compliant with nationally specific regulations relating to data security, privacy, and record keeping.
- Non-negotiable contract terms - public cloud services necessarily seek to minimize the variety of different contracts under which services are sold, with most vendors preferring all subscribers to sign up to standardized services on standardized terms and conditions. Enterprise ICT buyers, however, are accustomed to negotiating contract terms and conditions in order to address specific risk issues, and may have legitimate needs to do so because of legal and compliance requirements.
- Vendor lock-in - some enterprise buyers are concerned that public cloud services may lead to increased “lock-in” to the cloud provider because the provider holds the data and users will become reliant on the functionality and configurations of the service. If the public cloud provider fails technically or commercially there is little power that an individual customer can exert to recover the situation.

We use the term “somewhat novel” for these risks because in the main they are all variations on well

understood ICT procurement and management themes. The issue is largely about awareness of the

new nuances created by the degree of radical externalization inherent in the public cloud services

model.

Public cloud services involve new benefit/risk tradeoffs

It comes down to choices

Whether the six “somewhat novel” risk factors are risks or benefits, however, tends to be a matter of

judgment about the tradeoffs inherent in the public cloud model as illustrated in Figure 1.

Figure 1: Tradeoffs between “traditional ICT” and public cloud services

Source: Ovum

The tradeoffs are about choices and judgments.

- The limited ability to customize a SaaS application can be viewed as a risk (may not be able to meet a unique new business need) or as a benefit (minimizes costs, reduces complexity, and better supports process standardization).
- The global nature of SaaS providers can be viewed as a risk (not as tuned to local requirements) or as a benefit (the vendor is pooling requirements across a much larger number of different customers and building new functionality iteratively into the service to the benefit of all customers).
- The relative inability to tailor specific contract conditions and performance sanctions can be viewed as a risk (weak one-to-one legal influence over the vendor) or as a benefit (the vendor is exposed to collective wrath of a large number of customers all using one service under the same terms).

Tradeoff preferences reveal vested interests

The tradeoffs require new mindsets and skills. The characteristics of public cloud services offer

exciting opportunities, but are uncomfortable for some in the ICT industry because of their novelty,

and threatening to others because they challenge the status quo of enterprise ICT departments and

traditional ICT vendors alike.

Those who see their careers being disadvantaged or the competitiveness of their companies put at

risk by public cloud services tend to be skeptical, or even critical, of the new model. Those who see

career opportunities or fresh ways to solve existing problems to drive innovation and to cut costs

using public cloud services tend to be positive proponents.

The propensity to embrace the tradeoffs of public cloud services depends very much on the degree to

which decision-makers and commentators are seeking to challenge or to protect vested interests and

the status quo.

RISK PERCEPTIONS NEED TO BE KEPT IN CONTEXT

Regulatory and security authorities fuel cloud skepticism

Regulators are perceived to have placed constraints on public cloud adoption

Our conversations reveal that there is a widespread perception that regulatory constraints comprise a

substantial barrier, particularly in the financial services and public sectors, to the use of public cloud

services. This section describes some of the statements made by regulators and security agencies

and puts them in perspective.

Note from APRA: public cloud services are outsourcing

The Australian Prudential Regulation Authority (APRA) issued a statement in November 2010 voicing

concerns that "…its regulated institutions do not always recognize the significance of cloud computing

initiatives and fail to acknowledge the outsourcing and/or off-shoring elements in them. As a

consequence, the initiatives are not being subjected to the usual rigor of existing outsourcing and risk

management frameworks, and the board and senior management are not fully informed and

engaged"

(http://www.apra.gov.au/lifs/documents/letter-on-outsourcing-and-off-shoring-adi-gi-li-final.pdf).

This statement was aimed at professionalizing, not preventing, the adoption of public cloud services,

and some public cloud service providers have embraced it. Salesforce, for example, stated publicly

that it "welcomes APRA’s recent guidance on cloud computing as an important step toward

implementing robust cloud solutions for the Australian financial services industry".

APRA's statement was, in effect, a wake-up call to directors and CIOs to rein in ad hoc adoption of

public cloud services by business units and to bring public cloud services under formal ICT

governance and risk-management processes.

OAIC is considering amending data privacy legislation

The Office of the Australian Information Commissioner (OAIC) has not provided any specific advice

relating to cloud computing, but proposed amendments to the Australian Privacy Act have attracted media

comment recently due to a tightening of the extent to which organizations will be held accountable for the

actions of contracted service providers that store data outside of Australia

(http://www.oaic.gov.au/news/speeches/speech_080911-tp-calma.html).

Privacy principles at state and federal government levels pose two specific areas of theoretical

challenge for public cloud services. The first relates to the obligation to ensure that appropriate

security arrangements are in place to protect personal and sensitive data. The second is the

obligation to ensure that any vendors involved in the outsourcing of sensitive data also comply with

the obligations of Australian state and/or national privacy legislation.

These obligations are often raised as barriers to public cloud services, which they are not. Services

provided by mature enterprise-grade providers can accommodate these obligations.

OVPC focuses on data location issues

The Office of the Victorian Privacy Commissioner (OVPC), which is responsible for regulating the way

Victorian state government agencies and local councils collect and handle personal information,

issued an information sheet on cloud computing in May 2011, which states: "Where the provider is

located outside of Victoria or off-shore, taking reasonable steps to protect personal information from

misuse, loss, unauthorized access, modification or disclosure" (a legal requirement under the

Victorian Information Privacy Act) "may be difficult or even impossible. By using cloud services, the

government agency is relinquishing some – if not all – control over their data. This includes being able

to control security measures" (http://www.privacy.vic.gov.au/privacy/web2.nsf/files/cloud-computing).

The OVPC’s concerns about data location seem overly parochial in an increasingly networked

economy. We suspect, however, that the concerns are founded more on the known inadequacy of

agency information management arrangements than on any serious belief that data is only secure if

stored within Victorian state boundaries.

DSD encourages agencies to keep data on-shore

The Defence Signals Directorate (DSD), the government's lead ICT security agency, issued a paper in

April 2011 titled "Cloud Computing Security Considerations". In this paper DSD stated, "DSD

recommends against outsourcing information technology services and functions outside of Australia,

unless agencies are dealing with data that is all publicly available. DSD strongly encourages agencies

to choose either a locally owned vendor or a foreign owned vendor that is located in Australia and

stores, processes and manages sensitive data only within Australian borders"

(http://www.dsd.gov.au/infosec/cloudsecurity.htm).

This, in our view, reflects DSD's assessment that many public cloud services were not designed for

use by government agencies, and do not fully meet enterprise-grade standards of data security. DSD

also proposed a checklist of security considerations that assists agencies to decide, when all things

are considered, whether or not a public cloud service is adequately secure for the categories of

information it will handle.

AGIMO talks about cost versus security tradeoffs

More positively, the Australian Government Information Management Office (AGIMO) issued a cloud

computing strategic direction paper in April 2011, which set out a broad way forward for the use of

cloud computing in federal government agencies. The paper proposed a principle and risk-based

approach to cloud adoption under the following policy statement: "The Australian Government and its

agencies may choose cloud based services if they demonstrate value for money and adequate

security" (http://www.finance.gov.au/e-government/strategy-and-governance/cloud-computing.html).

The strategic direction paper supported a tactical approach to the adoption of public cloud services for

uses involving publicly available data, and noted that agencies may also choose to evaluate whether

the use of improved business processes, security technologies such as encryption, or other mitigation

strategies may open further opportunities for public cloud use.

AGIMO has subsequently published a series of Cloud Better Practice Guides covering the privacy,

legal, and financial issues of cloud computing for federal government agencies. These guidelines

reinforce the fact that normal standards of procurement due diligence apply to cloud services.

Agencies should only consider buying cloud services from vendors capable of meeting information

privacy and other legal requirements

(http://agimo.govspace.gov.au/2011/11/14/cloud-computing-draft-better-practice-guides).

Put regulatory authorities’ statements in context

Be careful, but not alarmed

Organizations with no direct experience of cloud computing services can be forgiven for being

alarmed by the cautionary statements by regulators and government authorities.

However, these statements are simply reminders that the apparent ease and convenience of public

cloud services does not excuse enterprises from the need to be careful about how and where they are

used. Public cloud services, while they may be a radical externalization of ICT capabilities, do not

suspend normal enterprise ICT governance and information management obligations.

Privacy compliance is primarily about due process

It is useful to consider the case of the hacking of customer data in the Sony PlayStation Network to

gain a glimpse of the reality of privacy compliance. Even though Sony is not a public cloud services

provider, this incident has been used by detractors of public cloud services to reinforce privacy

compliance concerns when data is managed offshore by global corporations exposed to the Internet.

This was an unusually serious information security incident involving actual access to financially

sensitive information affecting 77 million customers worldwide. The Australian Privacy Commissioner

recently completed an own motion investigation to determine if Sony complied with the National

Privacy Principles in the privacy legislation. The Principles require organizations to take reasonable

steps to protect personal information, and to limit the circumstances in which organizations can use

and disclose personal information, particularly when trans-border data flows are involved. The Privacy

Commissioner concluded:

"I found no evidence that Sony intentionally disclosed any personal information to a third party.

Rather, its network platform was hacked into. I also found that Sony took reasonable steps to protect

its customers' personal information, including encrypting credit card information and ensuring that

appropriate physical, network, and communication security measures were in place."

The commissioner noted the potential challenges for regulation of the flow of personal information

"where large global companies undertake different functions relating to the provision of services and

products, including the collection of personal information, while operating out of different jurisdictions",

but he made no conclusions against Sony in regard to trans-border data flows

(http://www.oaic.gov.au/publications/reports/own_motion_sony_sep_2011.html).

This case illustrates the fact that even a situation where a severe breach of the actual security and

privacy of sensitive customer information occurred is not necessarily in breach of privacy legislation.

The issue that enterprises need to address is the actual policy, process, and technology controls

surrounding the management of their information wherever, and by whoever, it is processed and

stored. Privacy compliance was, in fact, the least of Sony's worries in regard to this incident.

Risks inherent in the status quo should not be understated

There is often a temptation to understate the familiar risks of the status quo while overstating the risks

of a new and unfamiliar approach such as the use of a public cloud service.

ICT audit reports sometimes reveal that the actual quality of ICT security controls in organizations is

much lower than ICT executives would like to admit. For example, a recent Information Systems Audit

report tabled by the Western Australian Auditor General concluded: “Fourteen of the 15 agencies we

tested failed to detect, prevent or respond to our hostile scans of their Internet sites. These scans

identified numerous vulnerabilities that could be exploited to gain access to their internal networks and

information” (http://www.audit.wa.gov.au/reports/pdfreports/report2011_04.pdf).

Such a scathing audit result is also by no means unique to public sector agencies. Results like this

are illustrative of the challenges facing all ICT departments as they attempt to do the best job they can

with the financial means available.

Proverbially, "people who live in glass houses shouldn't throw stones". The reality is that many ICT

departments that question the security of public cloud services would struggle to measure up

themselves to both the actual security performance and the transparency of trust reporting of the

leading enterprise-grade public cloud service providers.

Enterprises must face the reality of securing a connected, socially networked, and mobile workforce in the Internet age

The combined effect of funding and skills constraints and the increasing complexity and sophistication

of threats means that some enterprises are struggling to adequately secure their organization's

perimeters. This is part of a general trend toward more porous organization perimeters, which is

accelerated by Internet connectedness, the increasing use of social networking and mobile devices,

and the digital blurring of our work and personal lives.

We need to acknowledge the reality that public cloud services are part of a broader Internet age trend

away from information being “locked away” inside the enterprise network and toward the emergence

of information ecosystems that transcend organizational and national boundaries.

Enterprise executives should also consider the very real possibility that an enterprise-grade public

cloud service provider may well be capable of higher standards of information security in this new

Internet age than their own ICT department.

HOW DOES PUBLIC CLOUD FEEL IN PRACTICE?

The research approach

The objective

The objective of the research was to respond to the views about the benefits and risks of public cloud

services expressed in the previous sections of this report and to explore how they play out in practice.

The aim was to reveal direct observations from the front line of enterprise adoption of public cloud

services, and more specifically to understand how enterprises have dealt with the perceived issues

and risks of public cloud services.

The sample

Ovum conducted a program of interviews with enterprise executives from 10 different organizations to

discover how public cloud adoption feels in practice. Interviews were conducted face-to-face and/or

over the telephone in order to gain qualitative insights into the rationale for choosing a public cloud

service and how the process was managed.

The interviews do not purport to comprise a fully objective survey. In the main the executives

interviewed were self-selected advocates of public cloud services.

Some executives were interviewed a number of times to fully discuss their experiences. All were

senior business or ICT executives who had been responsible for decision-making regarding their

enterprise’s adoption of a public cloud service.

The enterprises were representative of a range of sectors, including banking and finance, utilities,

government agencies, universities, and not-for-profit organizations. Public cloud services adopted by

these organizations included Google Apps, Microsoft Online Services, RightNow, and Salesforce.

Confidentiality

Discussions were under Chatham House Rules out of respect for the regulatory and compliance

sensitivities of the organizations interviewed. The executives did not consent to the enterprises being

named.

Questions

The discussions with interviewees are summarized in terms of their responses to a range of questions

regarding their experiences of the use of public cloud services, including:

Why was a public cloud service chosen?

Who made the adoption decision and with what process?

What was the deployment experience like?

Cost effectiveness?

Commercial issues?

How was Privacy Act compliance addressed?

What about data security?

What happens if things go wrong?

What about lock-in?

What has been your operational experience?

What were some of the concerns going forward?

Overall impressions from the interviews

The overall impression drawn from the interviews is that appropriately governed and judicious use of

public cloud services is not seen as creating undesirable risks or issues for the organizations. The

services are universally viewed as a positive step forward compared to traditional ICT approaches.

In most cases the public cloud service was selected because it was better and faster, not just

cheaper, than the alternatives. This is an important observation because it explains why a public cloud

service was adopted, or retained, even though doing so may have incurred new compliance costs

such as the creation of information categorization and management processes and on-site data

replication. Public cloud services are not seen primarily as a way to cut costs.

Concerns about data security and regulatory compliance are taken seriously, but are not viewed as

“showstoppers” as long as careful thought is given to the categories of data that will be stored in the

cloud and to identifying risks and implementing contractual and process mitigations.

Not all public cloud service providers are judged to be appropriate for enterprise use, so each vendor

needs to be tested as to the degree to which the service is genuinely “enterprise-grade”.

Distinguishing characteristics of the trustworthy services appeared to be the rigor of their data security

arrangements and the extent to which they are willing and able to contractually address specific

requirements regarding data security and privacy compliance.

One of the most strongly valued benefits of the public cloud services appears to be their iterative

functional evolution. This is valued because it addresses user frustrations with the slow cycle of

innovation of past solutions as well as addressing user expectations that modern Internet applications

should be constantly evolving in terms of their functionality and support for new end-user devices

such as tablets and smartphones.

While there is an undercurrent of “worry” around offshore data storage created by both operational

concerns and regulatory uncertainties, this is acknowledged as a justifiable benefit/risk tradeoff. The

key mitigation of offshore data risks is the quality and maturity of the cloud provider's operational and

technical security arrangements.

Interview outcomes

1. Why was a public cloud service chosen?

In most cases the public cloud service was selected because it offered better functionality and faster

implementation than alternatives. Several executives commented that the service was the best

solution, and was not chosen because of any particular interest in the cloud model per se.

A number commented that a cloud-based solution was preferred after repeated failure with the

implementation and/or rollout of on-premise application projects. A public cloud approach was viewed

as offering a more reliable, lower-risk way to get users from across multiple parts of the organization

onto one common platform.

In one case the need was so urgent that a public cloud solution was the only way a system could be

provisioned to meet the business requirements in time.

Several commented that regular releases of new functionality were an appealing benefit of the cloud

model. Configurability of the solution without customization was strongly valued.

In a number of organizations the service was used as a relationship management system for external

industry partners/brokers so the fact that it was cloud hosted was a positive benefit in terms of

accessibility via the Internet.

Lower total cost of ownership was not regarded as the main justification, but in some cases the

low entry cost of a subscription was material in the decision either because it kept the procurement

beneath corporate ICT procurement thresholds or because it offered a flexible way to experiment,

starting small and scaling if the application proved to create business value.

2. Who made the adoption decision and with what process?

Decisions made several years ago, particularly for SaaS apps, were typically made by a business

executive with no or little ICT department involvement, though this is now less common. In some

cases the early adoptions were made by individual executives as an expedient way to address a

business need, literally buying the service on a credit card. One organization had accumulated over

10 separate SaaS contracts by uncoordinated ad hoc adoption in different business units.

In all the organizations interviewed, however, previous ad hoc adoption had since been “normalized”

and brought within formal ICT governance and risk-management arrangements.

Most decisions made in the past year or so were made by the ICT department as part of a formal ICT

procurement process, typically comprising a selective tender, formal evaluation of a range of cloud

and on-premise application alternatives, and formal assessments of data security and privacy risks.

3. What was the deployment experience like?

All of the executives interviewed were positive about the deployment experience, particularly when

they compared it to previous ICT project experiences. The services worked largely as expected,

user adoption was reportedly good, and the ability to configure the services to meet specific business

needs was felt to be adequate.

Many commented specifically about the benefits of iterative evolution of the functionality. While in

some cases this caused some issues associated with deciding when and how to make the new

functionality available to users, the overall impact was highly positive as the users appreciated the fact

that the service was continually improving.

Several commented on the advantages of a limited degree of configuration over previous approaches

based on customization of on-premise systems. Once the users had experienced a few cycles of

iterative evolution of the standard system they became less worried about defending fixed ideas about

specific requirements and more inclined to adapt their process to the way the standard software

already worked.

4. Cost-effectiveness

Views on cost-effectiveness were generally positive, with most organizations expressing the view that

there were significant savings over alternative approaches when all things were considered.

Some, however, commented that as the number of users grew then costs certainly "spiraled" and that

this had led to the imposition of caps on the number and types of users to ensure that costs stayed

within budget.

5. Commercial issues

It was apparent that most of the organizations had had detailed negotiations with the cloud service

providers over matters of data security and privacy and that various accommodations had been

reached. Several remarked on the fact that the leading vendors had acknowledged the need to

address the requirements of Australian regulatory authorities and had been adequately flexible in

changing some standard contract terms and operational delivery arrangements.

Conversely, lack of flexibility of “one-size-fits-all” contract terms was cited as a reason for either not

selecting or terminating some public cloud services.

Subscription-based licensing approaches were felt by several organizations to be something of a

two-edged sword. A range of pricing arrangements for different categories and numbers of users

provided more granular pricing, but also brought overheads associated with managing variable costs

and ensuring that users were using the service under the most advantageous pricing arrangement.

6. How was Privacy Act compliance addressed?

Understanding and assuring Privacy Act compliance was often cited as one of the major hurdles, but it

was not in the end a showstopper for any of the organizations interviewed.

Privacy compliance concerns are often overstated

The comment was made several times that legal advisers adopted a very conservative stance on

interpretation of the information privacy principles, which tested both the cloud providers and the

executive responsible for managing the procurement and deployment. Some legal advisers initially

recommended against the adoption of public cloud services on compliance grounds, but became

more comfortable once issues were worked through and resolved one at a time, either by contractual

or operational process mitigations.

Most, but not all, organizations conducted a formal independent privacy impact assessment (PIA). In

some cases multiple PIAs were conducted over the years as the scope and depth of use of the cloud

service expanded.

Some executives commented that resolving the privacy issues was "hard work" and required a

sustained effort of will to keep battling resistance from both internal and external stakeholders and

advisers. It was observed that it can be a challenge to maintain a practical approach to balancing

various business and legal risks in the face of stakeholders and advisers who have no stake in the

benefits of the new model and who aren't necessarily aware of, or accountable for, the limitations and

risks in the current environment.

Privacy compliance is all about information management

Working through the issues, however, was later regarded as having been a positive process because

it confronted the organization's historically informal and ad hoc approach to information categorization

and the result was an overall increase in the integrity of information management - and privacy

compliance.

One organization used the fact of using a public cloud service as a catalyst for a major review of

information management and the development of new business processes for categorizing and

handling information and testing a range of scenarios and risk mitigations around the handling of

sensitive data.

Some organizations effectively avoided exposure to Privacy Act requirements by making a conscious

choice either to only use the public cloud service for use cases that did not involve personal data or

to avoid storing data categorized as “sensitive”.

Generally, there was recognition that the move to using a public cloud platform required a new

approach to thinking about information security on a more granular, transactional, basis, whereas in

the past the thinking was mainly at a higher level. Some types of information in some types of

transactions can be safely trusted to the cloud. One executive commented that he felt that this was a

necessary evolution in information management that was driven by increasing use of the Internet and

mobile platforms for customer interactions. Cloud platforms are one element of a bigger change under

way in the way information needs to be managed. His view was that use of a public cloud service was

a useful catalyst for changes that needed to happen anyway.

Specific contractual provisions may be required for privacy compliance

Most organizations required the cloud provider to agree to specific contract provisions relating to their

compliance with the provisions of the Privacy Act, particularly regarding their obligations to uphold

principles for fair handling of information that are substantially similar to the national privacy principles.

In some cases the contracts have specified particular data centers where data must, and must not, be

stored based on the privacy legislation that exists in those particular countries or regions. Japan, for

example, is viewed more favorably than Singapore, and some states in the US (California, Virginia,

and Illinois) are regarded as having stronger privacy legislation than other states.

In some cases privacy issues have required explicit director-level exemptions to be granted from

internal corporate policies, and these have been approved in the context of an overall assessment of

the risk mitigations and the benefits to the organization of continuing to use public cloud services that

had already gained support in the business. It was clear, however, that board-level exemptions were

an uncomfortable experience. One executive noted that the strong preference of directors was for

customer data to stay within its country of origin where possible.

No privacy breach incidents reported

To put all this into context, despite (and perhaps because of) the perceived risks, none of the

organizations reported any actual incidents regarding privacy compliance since adopting a public

cloud service.

7. What about data security?

Not all public cloud services have good enough security

A few organizations admitted that data security concerns had led them to block or terminate public

cloud services in the past where they had been adopted by the business but were not assessed to be

adequately robust. Several remarked that not all public cloud services were appropriate for enterprise

use from a data security perspective, which was why they had retrospectively imposed ICT

governance arrangements over adoption of all cloud services.

The leading public cloud services have adequate security

All of the organizations had rigorously assessed and tested the security of the public cloud services

currently in use. Where the initial adoption, perhaps several years ago, was via an informal

business-led process, the ICT department had typically conducted reviews and retrospectively

implemented policy-compliant data security arrangements.

Reviews by external ICT security experts or audit firms were a common practice. One government

agency had also explicitly engaged the Auditor General's office to review the overall security

arrangements around their use of a public cloud service. Smaller agencies remarked that it was useful

when they could "travel in the wake" of a larger agency's adoption of a public cloud service and

benefit from the precedent set by their resolution of contractual issues.

The comment was made many times that the market-leading public cloud services actually had strong

security credentials. The fact that all customers were served out of one shared operational

environment was perceived as a benefit from a security perspective because the service needed to be

operated to the standards required by the most demanding customers, and most organizations were

therefore confident that the security standards were higher than they could ordinarily justify funding

themselves.

Offshore data remains an “emotional leap”

Another common remark, however, was that even after deep security testing it was still a big

emotional leap to fully trust the public cloud provider. It still felt uncomfortable because of the lack of

direct control, and it took a while for confidence to grow. Some remained uncomfortable because they

felt that the organization's data-protection requirements, and the regulatory environment, were

constantly changing so there was always a residual sense of exposure with data being stored

offshore.

Encryption of data at rest so that only the enterprise customer had access to the encryption keys was

regarded by some but not all organizations as a necessary evolution of data security in the public

cloud.

Several organizations noted that they had made a policy decision not to keep some primary data in

the public cloud service. Copies of data were replicated daily to the cloud service.

Ability to audit may be necessary

Most organizations had negotiated some degree of ability to audit the cloud provider if they could

demonstrate grounds to do so. Most also required access to the cloud provider's own regular

independent external audit reports for SAS70 Type2 and ISO27001 compliance.

8. What happens if things go wrong?

Some executives commented that sourcing from a public cloud provider was a new experience in

terms of the power relationships with a large outsourced vendor. They were accustomed to the

comfort of a "thick contract and SLA" and were initially uncomfortable with the idea that they would be

likely to have little influence over the public cloud provider in the event of something going badly

wrong.

In practice, however, the sense was that most felt that there was a positive advantage in the fact that

all the cloud service provider's customers were using a shared system, so that there was a “crowd”

effect that worked to the advantage of customers. If something goes wrong then the cloud provider is

likely to be under realtime pressure from all customers, not just one.

A number of executives observed that the public cloud actually provides greater confidence than

some previous outsourcing arrangements. Some told stories of being let down in the past by both

small and large ICT providers to illustrate that the contract and SLA approach sometimes provided

little actual assurance despite the illusion that they provided leverage over the vendor.

There was an acceptance of the fact that the organizations are totally reliant on the cloud services

provider to deliver a quality, reliable, service. Several commented that this was just a reality, part of

the tradeoff of a cloud service, and that this made it even more important to choose a provider with

the scale of investment and operations to be trustworthy.

9. What about lock-in?

Most, but not all, organizations had negotiated explicit provisions for a daily or weekly on-site

replication of data from the public cloud service as a measure of protection against loss of data in the

event the service is interrupted for a sustained period or withdrawn. This was also regarded as

necessary to meet record-keeping requirements.

Several organizations had also actually implemented simple applications to report and enable

rudimentary access to the backup data in an emergency.

In practice, however, lock-in was pretty much accepted as a fact of life. Some were not that worried

about it because their use of the public cloud service was for relatively simple and generic

applications that would be straightforward enough to replicate. Others just regarded this as a tradeoff

necessary to obtain access to the functionality unique to the provider, and accepted the need to

manage it at a practical level.

One executive commented that she felt that one advantage of moving to a public cloud service was

that for the first time the entire organization was using one platform. In theory, this then made the task

of migrating to another provider easier than in the previous fragmented, multi-vendor, environment.

10. What has been your operational experience?

The operational experience of consuming a public cloud service was overwhelmingly positive. No

organization reported any significant operational issues or disappointments once they had selected a

public cloud service that they regarded as trustworthy.

Some executives commented that not having to manage the infrastructure environment with

processes such as server operating system upgrades and the application of software patches was a

welcome benefit.

Reliability experiences were universally good, and regarded as on par with or better than in-house

systems performance.

11. What were some of the concerns?

Governance of cloud adoption is essential

“Stealth” cloud adoption was regarded as one of the dangers of public cloud because of the risks of

inadvertent exposure to security and privacy compliance issues. The move to a public cloud service

therefore needs to be properly planned and implemented. Ad hoc adoption was perceived as a real

risk, and was acknowledged to be at the root of APRA's concerns over cloud computing. Some

executives noted that it had taken quite a lot of effort to regain ICT governance control over ad hoc

adoption of public cloud services by business units.

Need to refocus on business analysis and information management

The configurability of the service can lead to many different and incompatible deployments in different

business units. One executive commented that the ease of adoption and configurability provides a

faster way to go in the wrong direction. Using a public cloud service frees the organization from many

of the more operational ICT tasks, but it reinforces the need for the development of the business

analysis, process design, and training capabilities needed to ensure that effective use is made of the

new tools.

Several noted concerns about the inevitable expansion of the scope of use of the cloud services over

time as users became more comfortable with the services and extended the functionality by

configuration and use of other apps. This was, on the one hand, a good thing because it endorsed the

fact that the services were valued by the business. On the other, however, it increased the risk that

the use of the public cloud service could eventually create inadvertent compliance exposures if

personal or sensitive data was stored in the system without proper consideration of compliance

obligations.

Another remarked on the increased importance of information management and governance. In most

cases approval to use the public cloud services was based on constraints around the categories of

data that were permitted to be stored offshore in the cloud. Remaining within these constraints

required active and ongoing attention to information management, which was a new discipline in the

organization.

Strong encryption of data at rest will ultimately be an essential requirement

A number of executives acknowledged that information management disciplines, while an essential

element of the safe use of public cloud services, would be unlikely to be foolproof. In the end the

ability to fully trust a public cloud service would require efficient mechanisms for implementing strong

encryption of data at rest.

PaaS and app ecosystems introduce an element of unpredictability

The evolution of ecosystems of apps around the leading public cloud platforms was viewed as a

useful source of innovative functionality, but it was also highlighted by two executives as a significant

emerging risk factor. The app ecosystems are dynamic, with new apps emerging, being acquired by

other companies, and forming partnerships and alliances.

In this context the reliability, security arrangements, and trustworthiness of some of the app vendors are

a constantly moving target. The comment was made that enterprise-grade PaaS providers will need to

carefully manage their exposure to risks created by partners in their app ecosystems.

RECOMMENDATIONS

Recommendations for enterprises

Do not discount public cloud services on security and privacy grounds

Regulatory concerns regarding data security and privacy should be regarded as important business

requirements, but they are not necessarily showstoppers for the use of public cloud services. There

are numerous corporate and government enterprises in Australia that are currently using public cloud

services after having carried out rigorous risk assessments.

Ovum recommends that enterprises should not discount consideration of public cloud services on

data security and privacy grounds.

Approach use of public cloud services from a strategic perspective

It is important to approach consideration of cloud computing from a strategic perspective, rather than

a tactical or narrow cost-cutting perspective. Public cloud services are a radical externalization of ICT

capabilities that require some new tradeoffs and a willingness to "think outside of your box". The

tradeoffs between owning and controlling resources and accessing and participating in Internet

services require new mindsets and skills.

Managing a shift in the balance of these tradeoffs is part of a strategic transformation of the

enterprise's approach to ICT, not simply an expedient way to source a new point solution. A strategic

approach requires a “warts and all” analysis of the strengths and weaknesses of the current in-house

ICT operations and capabilities and how these are projected to evolve, and the strengths and

weaknesses of cloud services and how these are projected to evolve.

Ovum recommends that enterprises be realistic about both the weaknesses of their current ICT

capabilities and their actual ability to address these weaknesses. Our view is that public cloud

services are evolving rapidly in terms of their functionality and trustworthiness. It is likely that the pace

of evolution of the capabilities of public cloud services will be much faster than the evolution of

in-house ICT capabilities within most enterprises, particularly those that are under financial pressure.

A strategic perspective is necessary to appreciate the broader advantages of public cloud services

and to assess their benefits in the context of enterprise ICT realities.

Acknowledge that scale counts in the cloud where bigger will be better

Building reliable and trustworthy enterprise-grade cloud services is a challenging exercise for any

organization, whether an in-house ICT department, an ICT vendor, or a global public cloud services

provider. Significant investments in technology, processes, and people are required, and the

performance of any under-invested or resource-constrained cloud services is unlikely to live up to

service expectations.

Concerns about the fact that global public cloud services providers will store data offshore need to be

balanced against the advantages that these vendors offer in terms of their capacity to invest in service

innovation, application functionality, and reliable, secure, operational processes and facilities. The

primary concern should be the depth and quality of the overall service offering, not simply the location

of the data.

Don't compromise on enterprise-grade compliance requirements

One of the distinguishing characteristics of enterprise-grade public cloud services providers is the

extent to which they understand and support enterprise-grade compliance requirements. Global

one-size-fits-all services and “take it or leave it” contract terms and conditions are a characteristic of

consumer and small business market cloud services, but are unrealistic in the enterprise market.

Public cloud providers that are serious about attracting and retaining enterprise business understand

the need to provide contractual and operational solutions such as:

Assurances about compliance with process quality and security standards.

Assurance about compliance with information privacy principles.

Access to routine external audit reports, and (if there are grounds) consent to some forms of ad hoc external audits.

A range of options for data encryption.

Local data replication.

Assurances about how data will be made available to the subscriber on the termination of the service and/or permanently deleted from the cloud provider's databases.

In addition, they will have a clear strategy for longer-term resolution of data-sovereignty concerns,

which may include significant investments in data encryption and the creation of a network of data

centers distributed around the globe in countries with trusted legal and regulatory regimes.

See beyond the contract and SLA to harness the power of the “wrath of the crowd”

Some enterprises are concerned that they will have less power in public cloud services relationships

than in more traditional arrangements. While a contract and SLA are essential to reach an agreed basis

for the commercial relationship, in practice enterprises need to appreciate the importance of the

“wrath of the crowd” in public cloud service relationships. The bigger the crowd, the greater the wrath,

and the greater the pressure on the cloud provider to prevent service issues and to resolve them

quickly.

The fact that large numbers of customers share a common service means that there is safety in

numbers, which is a change in the logic of power relationships in ICT procurement. In the past being a

small customer among many of a large ICT provider tended to leave the customer powerless if things

went wrong. With public cloud services the opposite is true. Being a small subscriber among many of

a large cloud provider makes the subscriber part of a powerful crowd that quickly attracts media

attention if it has a service grievance. This observation further reinforces the importance of scale and

critical mass in public cloud services.

Rein in “stealth” cloud, the main driver of public cloud adoption risks and regulatory concerns

While it was fashionable for a while to admire the innovative energy of business units that acted

independently of the ICT department to acquire public cloud services “because they could”, this

behavior has already led to cautionary statements from regulators including APRA. The reality is that

ICT departments must rein in “stealth” cloud adoption and bring public cloud adoption under normal

ICT governance arrangements, particularly in the financial services and government sectors.

We can be sure that auditors and directors will pay increasing attention to this over the next year, so

CIOs are recommended to get onto the front foot in order to be able to deal with issues proactively

rather than in a crisis.

Recommendations for vendors

Making the public cloud safe and trusted for enterprise use is not optional

The rate of growth of the public cloud market in the enterprise sector will be very much determined by

the success of the major vendors in meeting the enterprise expectations outlined above. It is not

enough for the public cloud to offer superior functionality; it also has to offer superior trust.

The actual and perceived trustworthiness of individual public cloud vendors will become a significant

source of differentiation in the enterprise market.

The ability to efficiently encrypt data at rest will be strongly valued by Australian enterprise executives.

As soon as this is technically, operationally, and commercially feasible it is likely to be strongly

recommended by regulators, and will therefore be regarded as a prerequisite for the use of public

cloud services by auditors and company directors.

Find ways to develop peer-to-peer networks of customers and prospects

Public cloud providers have much to gain and little to lose by encouraging networking and

information-sharing between customers and prospects. The rate of enterprise adoption of public cloud

services will be accelerated by greater transparency around how data security and privacy concerns

are overcome in practice to counterbalance the cautionary statements made by regulators and

security agencies.

The sharing of best practices across enterprise buyers will be viewed by some vendors as a

two-edged sword because it will also make buyers on average more demanding. Ovum's view,

however, is that this is a necessary evolution in both buyer expectations and the ability of public cloud

providers to meet the specific data security and privacy requirements of doing business in Australia.

Public cloud services that can meet these requirements will be at a strong competitive advantage.

Develop proactive support for ICT governance-as-a-service

The fact that all customers use one platform means that public cloud providers have a unique

opportunity (compared to most other modes of providing ICT services) to support enterprise ICT

governance processes.

Stealth adoption of cloud services by different business units in an enterprise, for example, is easy for

cloud providers to monitor because they have visibility of all services being consumed by an

enterprise in real time.

We recommend that vendors seek to understand the governance challenges that public cloud

adoption creates for enterprises and provide functionality within the platforms to support governance

processes.

We also note the problems that some vendors are creating for ICT governance, and for enterprise

confidence in public cloud services generally, by sales strategies that proactively target stealth

adoption. Vendors that are serious about the enterprise market need also to demonstrate an

understanding of enterprise ICT management realities. Vendors, despite building a groundswell of

bottom-up user adoption, gain little if their service is ultimately blocked in the enterprise firewall by the

CIO once the ICT department becomes engaged.

Make it easy for customers to leave and ensure that they have no reason to want to

Concern about lock-in is somewhat over-hyped, but nonetheless we recommend that public cloud

services providers make a virtue of making it easy for customers to both subscribe to and terminate

the service. Paradoxically, customers will be less anxious about adopting a public cloud service if they

are confident that they can leave at any time, taking all their data and erasing any trace of their use of

the service.

The reality is that switching costs will rise for the customer over time as they become more invested in

the service, but making a public cloud service a safe and easy choice is an important differentiator

versus both in-house and other cloud alternatives. Once the customer has signed up to a subscription

then the onus is on the vendor to ensure that the service actually does what it says on the label, and if

it does then most customers are likely to become stronger advocates if they feel that they are in the

relationship because of choice rather than because they are locked in by contract.

APPENDIX

Author

Dr Steve Hodgkinson, Research Director ICT, Asia-Pacific

[email protected]

Methodology

This research report was based on a wide-ranging set of inputs including insights gained by Ovum

from discussions about cloud computing with more than 400 executives over the past two years and

from detailed discussions with executives from 10 corporate and government enterprises in

September and October 2011. Our research was complemented by online research and Ovum's

extensive prior research insights.

Ovum Consulting

We hope that this analysis will help you make informed and imaginative business decisions. If you

have further requirements, Ovum’s consulting team may be able to help you. For more information

about Ovum’s consulting capabilities, please contact us directly at [email protected].

Disclaimer

All Rights Reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form

by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior

permission of the publisher, Ovum (an Informa business).

The facts of this report are believed to be correct at the time of publication but cannot be guaranteed.

Please note that the findings, conclusions, and recommendations that Ovum delivers will be based on

information gathered in good faith from both primary and secondary sources, whose accuracy we are

not always in a position to guarantee. As such Ovum can accept no liability whatever for actions taken

based on any information that may subsequently prove to be incorrect.

Copyright notice and disclaimer

The contents of this product are protected by international copyright laws, database rights and other

intellectual property rights. The owner of these rights is Informa Telecoms and Media Limited, our

affiliates or other third party licensors. All product and company names and logos contained within or

appearing on this product are the trademarks, service marks or trading names of their respective

owners, including Informa Telecoms and Media Limited. This product may not be copied, reproduced,

distributed or transmitted in any form or by any means without the prior permission of Informa

Telecoms and Media Limited.

Whilst reasonable efforts have been made to ensure that the information and content of this product

was correct as at the date of first publication, neither Informa Telecoms and Media Limited nor any

person engaged or employed by Informa Telecoms and Media Limited accepts any liability for any

errors, omissions or other inaccuracies. Readers should independently verify any facts and figures as

no liability can be accepted in this regard – readers assume full responsibility and risk accordingly for

their use of such information and content.

Any views and/or opinions expressed in this product by individual authors or contributors are their personal views and/or opinions and do not necessarily reflect the views and/or opinions of Informa Telecoms and Media Limited.
