European CIO Cloud Survey

(1)

European CIO Cloud Survey

Addressing security, risk and transition

April 2011

(2)

Executive Summary

Cloud computing is one of the fastest growing, and potentially most exciting IT innovations in a generation. Cloud computing is a major step-change in the evolution of IT, providing the means through which services ranging from computing power, storage and networks to software, applications and business processes can be delivered as and when needed. Cloud computing, however, is not without controversy with vague definitions of what’s “in the cloud” and heated debate regarding the best deployment model.

Following on from previous surveys in 2009 and 2010, Colt, a leading provider of integrated managed IT and networking solutions, again has commissioned industry research amongst CIOs to explore current attitudes and adoption levels of cloud computing. The aim being to provide an evidence-based view of cloud sentiment and deployment in European enterprises in 2011. The results of the Colt European CIO Cloud Survey are based on more than 500 interviews with IT decision makers in a cross-section of organisations with some level of familiarity with cloud computing. At least 100 interviews were conducted in each of the UK, France, Germany, Spain and Benelux.

The research finds that although still in early adopter territory, with relatively few company-wide cloud implementations, the cloud agenda has shifted beyond concerns about security to a wider view of risk. It also highlights various challenges associated with supplier lock-in and transition. Despite such concerns, cloud services look set to dominate the IT landscape in next couple of years and those enterprises taking a more holistic view of the benefits, drawbacks and various models of cloud seem best placed to make informed choices to deliver a more agile operating model and sustainable ROI.

Fig. A: Sample breakdown – Industry sector

Online retail / wholesale 5% Consumer products manufacturing 4% Media Services 3% Professional services 22% Financial services 9%

Public sector & education

21%

High tech products manufacturing 16% Industrial products manufacturing 7% Chemicals & petroleum manufacturing 2% Other 14%

(3)

Page 3V18.0 CIO Cloud Survey March 2011

Some highlights of the research include:

Cloud watching

• 60% of enterprises think cloud will be their most significant IT operating method by 2014 • Few companies have company-wide cloud implementations showing we are still in early

adopter territory but adoption levels in parts of the organisation are encouraging

• The key challenges for cloud adoption are ease of transition (58%), quality assurance (55%), cost justification (55%) and regulation on security and control of customer data (54%) • The top five cloud applications deployed company-wide are website hosting (24%), email

hosting (23%), database hosting (22%), servers (22%) and storage (20%)

Security sticking points

• Security still remains the biggest identified barrier to adoption (63%), followed by integration issues (57%) and performance / reliability concerns (55%) although these are all far less pressing concerns than last year

• Security is deemed an ongoing issue that goes beyond cloud (74%) but is certainly a priority in evaluating and managing IT delivered via cloud (80%)

• 43% say it will not prevent them adopting more cloud services

Cloud and risk

• 63% see business risks in the transition to the cloud but 42% think they are not in a position to fully assess the risks associated with cloud services

• The key risks are considered to be compromises in security (45%) and worry that a major cloud performance or security incident could damage the brand (42%)

• Perhaps reflecting this inability to quantify risk, the preferred cloud deployment in 2011 is via private cloud (53%), up significantly since 2010 (27%).

Fig. B: Sample breakdown – Cloud adoption

Not thought about it 5%

Not evaluated at all 10%

Evaluated but decided not to go ahead 5% Evaluating options 24% Planning to adopt in next 12 months 16% Currently implementing 24% Already adopted 16%

(4)

Cloud supply

• As in 2010 the key requirement of a cloud supplier is that they provide data security and privacy (73%) – having strong business continuity and disaster recovery processes has grown in importance (70%), whilst providing performance SLAs (67%) remains the third biggest consideration

• Most prefer to use a mix of cloud suppliers (71%) rather than relying on a single service provider (25%)

2011 is a year that will define cloud adoption across Europe. Whilst awareness and definitions of cloud models preoccupied end-user businesses (and the IT industry) in 2009 / 2010, there is a tangible change in 2011. Real world cloud usage today is characterised by email hosting and data storage services – extensions of hosted services and the high volume / low risk components of IT infrastructure. Web services, such as e-commerce, are firmly placed in the next phase of cloud adoption, benefitting from domain expertise and a raft of wrap-around services that deliver convincing ROI for margin-hungry retailers. Whilst these deployments contribute to the established use of cloud services, the key enterprise applications deployment marches on at a slower pace.

Methodology overview

The Colt CIO Cloud Survey was conducted by Loudhouse, an independent marketing research consultancy based in the UK. The survey comprised more than 500 online interviews IT decision makers in companies with a turnover of at least €100K and some level of familiarity with cloud computing. The research was conducted in January 2011. At least 100 interviews were conducted in each of the UK, France, Germany, Spain and Benelux.

(5)

What does this all mean?

Whilst the absolute deployment of cloud services is very difficult to establish, the trend is clear: Companies are evaluating and deploying cloud services at a higher rate year-on-year, fuelled by the need to be more agile and responsive in today’s business climate and the market is transitioning to a more ‘mature’ phase. The key developments in this trend, as defined by the Colt European CIO Cloud Survey, are:

Security factors prevail Risk evaluation of cloud

Data privacy and contract issues

Quality assurance and transition management Infrastructure and service provider business

Security factors prevail as cloud adoption grows

Security is not a simple case of considering ‘if’ cloud computing is secure. Moreover, adoption-levels show that a healthy regard for security is an integral part of cloud usage, not a barrier. However, businesses are now asking ‘how’ the services are secured and ‘what’ the weak points are in the end-to-end service.

Risk evaluation of cloud deployment is hard to find

Whilst risk evaluation of any IT issue remains a complex matter, the absence of risk assessment in moving to cloud models is alarming. Some of this concern can be mitigated by the nature of cloud usage to date – smaller companies, low-level applications, deployments at departmental levels. However, in order to

(6)

Data privacy and contract issues are increasingly important

for adoption

Businesses are beginning to ask the seemingly mundane but critically important questions about cloud deployment. Even in a cloudy world, the demands from enterprises to know the location of data, to elicit meaningful service level obligations and the need for an integrated end-to-end service are indicators of cloud services moving out of the “playground”.

Quality assurance and transition management are key enablers

As shown by detailed adoption figures, businesses are taking a phased approach to cloud adoption. The nature of the delivery model makes this a relatively comfortable deployment path. However, there is always the concern that a phased approach will not embrace the new services model inherent in cloud computing and lead to internal politics and conservatism compromising momentum.

Infrastructure and service provider business will drive enterprise

cloud adoption

With the metaphor of “electricity utility’ still at large, it is not surprising that enterprises initially viewed cloud services as simply a question of largest scale and lowest cost, driven by service providers who owned internet-scale data centres or were traditional enterprise software and systems houses. The issue of service market understanding and the ability to understand and meet specific European customer needs in order to accommodate cloud transitions will define the success in the nascent ‘enterprise’ phase of cloud adoption that 2011 promises in Europe.

(7)

Page 7V18.0 CIO Cloud Survey March 2011 Fig.1: Key enablers of cloud adoption

Charts and commentary

Cloud watching

There is much discussion about the drivers and benefits of cloud computing. In the current economic climate, a key starting point of cloud adoption is substantially reduced or no capital spending for a given application in favour of a flexible, on-demand model helping enterprises to better adapt to market needs. The key enablers of this process, as highlighted in Figure 1 are ease of transition (58%), quality assurance (55%), addressing cost saving pressures (55%) and regulations on the security and control of customer data (54%).

Making the transition from legacy operating environments to the cloud or integrating cloud alongside legacy infrastructure is a daunting prospect for many companies. It is encouraging to see that many cloud providers are now focusing on easing this transition process. The fact that ease of transition has now emerged as the most significant enabler of cloud adoption, up from third place in 2010, reveals a more mature marketplace where the realities of implementation are now coming to the fore. As in 2010, companies continue to think that quality assurance is vital to the wider adoption of cloud computing – assurances of uptime helping to allay any reliability and performance concerns. Security regulations and control of data are another sought after feature for CIOs (54%); their importance continually reinforced through high profile press horror stories of corporate and public sector data leaks. The high profile of cloud computing is also putting such outages under the microscope.

(8)

Ease of transition and quality assurance are rated consistently high by all countries in the survey. Costs saving pressures are particularly noted as a cloud enabler in the UK (63%) whilst Germany is more likely to cite the need for in-country government endorsement (45%) than other countries. Regulations on security and control of customer data both resonate more strongly as cloud enablers in Germany (66%) and the UK (65%).

Figure 2 shows that the cloud operating model is most likely to become mainstream within the next two to three years, 60% of CIOs considering that it will become the most significant method of IT delivery by 2014. Spain and Italy appear more optimistic - where 52% and 51% of companies respectively believe cloud adoption will reach this level of penetration by 2013. Only time will tell exactly how much reliance the market will place on cloud services. Whilst predictions may vary, the emphasis on cloud being widely accepted sooner rather than later is a view that IT decision makers consistently hold. Only 6% remain sceptical.

(9)

Cloud choices

The cloud computing marketplace is for convenience divided into three strata – Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Figures 3, 4 and 5 show the relative levels of company-wide and partial adoption of cloud amongst specific applications / services. It becomes apparent that company-wide usage of cloud only occurs in a minority of cases, even in applications that are used extensively across the business, such as email, backup and desktop applications. Most cloud adopters are taking a measured approach with implementations only in part of the business. Looking across the three different strata, it is interesting that there appears to be similar levels of adoption of cloud amongst service users in each area – even though SaaS service revenues currently dominate the market figures. Typically, around 30% to 40% of other companies are using cloud in more of a piecemeal fashion.

SaaS may be considered the oldest and most mature element of cloud computing, but it should be noted that there is a blurring of SaaS, PaaS and IaaS with the distinctions between these three prevailing service models unclear. PaaS, for example, speaks to a more generalised services platform concept and in many cases these models are seen as a continuum. Looking at the top five cloud applications across the entire business – with examples such as website hosting (24%), email hosting (23%), database hosting (22%), servers (22%), storage (20%) - it becomes clear that SaaS, PaaS and IaaS implementations can be comparative in adoption terms. The use of platform as a service as a “development cloud” really is in its infancy across Europe.

Fig.3: SaaS adoption amongst application users

Compromises in security Major cloud performance/ security

incident could damage brand More complexity in managing mixed environments Service delivery compromised customer

service/ business operations More staff pressure on internet IT teams Service delivery compromises end user / staff experience Predicted return on investment is not achieved There would be no business risk

45 42 30 25 22 22 21 5 0 10 20 30 40 50 60 70 80 0 10 20 30 40 50 60 70 80

(10)

Fig.4: PaaS adoption amongst application users

Fig.5: IaaS adoption amongst application users

One would expect that company-wide implementations will become more widespread as organisations experience the benefits that cloud brings and manage and mitigate any associated risks. Gartner, for example, is already reporting growth in both the number of businesses signing cloud deals and the size of those deals (Source: IT Pro, October 2010) – although one always has to be aware of “cloud washing” – companies claiming cloud implementations when they aren’t really. Many internal virtualisation projects can be magically renamed private cloud.

(11)

Fig.6: Biggest barriers to adoption of cloud services

Security sticking points

As more information on individuals and companies is placed external to the organisation, concerns about security dominate discussions about cloud computing. Figure 6 shows that it remains the single biggest hurdle impacting cloud take up (63%) despite being less significant than in last year’s survey (71%). Security is a particular issue for companies in the UK (74%) and Germany (70%). However it is worth noting that other issues associated with a more mature marketplace are starting to emerge such as supplier lock-in (46%) and geographic location (31%). The key issue is that security concerns are not new. The changing nature of this “perennial” priority, however, is important. Organisations still clearly lack the certainty that they or their cloud provider can secure their data beyond their own four walls. It is worth noting, however, that most of what typically gets ascribed to security in the cloud boils down to data management and compliance issues. However, security must be recognised as a continual concern.

(12)

As shown in Figure 7, three quarters (74%) of CIOs think IT security is a concern whether IT systems and applications are delivered via the cloud or not. Against this backdrop, the fact that 80% see security issues as a priority when evaluating and managing IT via cloud services may in part be simply due diligence in coming to terms with a new approach. Concerns over cloud security are grounded in common sense. However, further detail on security shows it is not a wholesale obstacle to adoption, 35% saying they will become less concerned the more reliant their company become on cloud. Yet, for 43% these will not prevent their organisation from adopting more cloud services.

The security agenda is likely to shift further still in the coming year as cloud stakeholders increase their understanding of cloud security issues, companies deploy more advanced security options and issues regarding security architecture, location, transition and contracts prevail.

(13)

Cloud and risk

It seems that although cloud is associated with risk, the nature of this risk is unclear. Almost two-thirds (63%) of CIOs think that there are business risks associated with the transition from in-house IT management to a cloud service. This is particularly the case in the UK where this figure stands at 81%. It seems, however, that companies are not applying the same risk-management and governance disciplines to the cloud environment as they do with their other IT initiatives. 42% claim they are not in a position to fully assess the risks associated with cloud services whilst one in four (25%) believe that their business has made errors in adopting cloud services without full consideration of the impact on the company.

Risk can be defined as the potential that a chosen action or activity will lead to a loss or an undesirable outcome. For many companies, risk is synonymous with security, as shown in Figure 8 where compromises in security (45%) and brand damage as a result of performance issues or security incidents (42%) are pinpointed as specific business risks associated with adopting cloud services. Other risks relate to more internal concerns such as increased IT complexity (30%) and more pressure on IT staff (22%).

(14)

Community Cloud 13% Privacy Cloud 27% Public Cloud 8% Enterprise Cloud 53%

2010

Public Cloud 13% Community Cloud 9% Private Cloud 53% Enterprise Cloud 21% None of the above

4%

2011

Fig.9: Preferred deployment of cloud

Figure 9 shows the preferred deployment of cloud. Private clouds are particularly popular as an option in Spain (58%), Germany (57%) and the UK (56%). Private clouds are somewhat contradictory as a notion of cloud “philosophy”. As a sentiment, private clouds overcome security concerns whilst compromising on scalability and cost savings. Enterprise clouds, defined as “a concoction of two or more cloud types (internal, community, or public) bound together to enable data and application portability” are the preferred choice of one in five companies (21%) and their popularity is likely to grow further with increased awareness of the benefits that a hybrid approach can bring. As customers begin to untangle the options available to them in the market for deployment, preferences are certain to fluctuate.

(15)

Cloud supply

Alongside the explosion of choice of cloud models and suppliers, buying organisations now seem more open to considering cloud services from a range of different supplier types, with network infrastructure and services providers (48%) and managed hosting companies (42%) most trusted to deliver cloud computing services. Figure 10 shows those factors that CIOs look for in cloud suppliers. Not surprisingly, given the consistent focus on security issues, providing data security and privacy (73%) emerges as the most important factor, followed by business continuity and disaster recovery processes (70%) and the provision of performance assurances / SLAs (67%). Data security and privacy was the key concern in 2010 although this year strong business continuity and disaster recovery has moved up from 5th place to 2nd place whilst taking end-to end responsibility for services has dropped from 2nd place to 4th place.

Given organisations’ focus on risk reduction and security, it is not really surprising that CIOs are choosing not to put all of their cloud “eggs in one basket”. Figure 11 shows that only one in four companies would opt for a single supplier, most instead opting to spread the risk by using more than one supplier. Part of this will be due to the levels of supplier expertise in certain cloud models and application areas, but given the relative immaturity of the sector, this is likely to also be a risk-reduction strategy by companies.

Fig.10: Key requirements of cloud suppliers

Fig.11: Future business use of cloud service providers

Don't know 3%

One service provider will deliver a range of application and network

services for the business 25%

A small number of service providers will provide the majority of cloud

services for an organisation 38%

A mix of services providers will deliver services for specific

aspects of IT use 33% None of the

above 4%

(16)

Conclusion

The themes that define the 2011 Colt European CIO research, Security, Risk and Transition are likely to endure as they reflect corporate IT concerns. However, the priorities surrounding these issues, the way that organisations overcome their associated challenges and realise tangible business benefits is evolving as the market matures. Companies are now looking for service providers to mirror their need for agility and responsiveness through their cloud offerings whilst also providing the necessary geographical reach, integration expertise and security reassurances that the market demands. With such a range of cloud service providers now emerging, it is those that can stay ahead of these evolving customer needs who are best placed to succeed.

Across Europe attitudes to cloud computing vary from the increased focus on security and control of customer data in the UK and Germany to the optimistic projections of cloud usage in Spain and Italy. As the hype around cloud computing gives way to a more solid market understanding, so a more mature service provider approach is emerging, offering tailored cloud services to meet diverse customer needs rather than expecting enterprises to re-design themselves to better align to the cloud model. The trend towards increased cloud use is apparent but, whilst the cloud model promises flexibility, it is clear that enterprise deployment remains multi-faceted. The technology-driven view of cloud computing is what has been flawed. Perhaps it is better for companies across Europe to look at cloud computing as a single philosophy comprising many different solutions.

(17)

Appendix:

(18)

European CIO Cloud Survey