PA Consulting Group study into
the adoption of Cloud technologies
Study results
General
Business benefits
Security
Legal
Risk
Technical
Background to study and respondents
The online study was conducted over a 6 week period (closing May 2012)
Roles within organisations:
Management
Procurement
IT
Legal
Risk / Compliance
37%
14%
16%
30%
3%
Annual turnover of organisation:
£150m+
£50-150m
<£10m
Chose not to answer
40%
3%
40%
17%
Geographical spread of organisation’s responsibility:
Africa
Americas
Asia
Europe – Central and Eastern Europe
Middle East
Oceania (incl. Australia and New Zealand)
14%
24%
44%
8%
7%
3%
Location of current / likely Cloud provider:
Europe – Western Europe – UK
Europe – Western Europe – non UK
Americas – North America
Europe – Central and Eastern Europe
Americas – South America
Asia – East Asia
Asia – South East Asia
Oceania (incl. Australia and New Zealand)
Don’t know
45%
18%
12%
10%
3%
3%
3%
3%
3%
Foreword
In the space of just a few years, Cloud computing has gone from
a strange and unfamiliar technology to an innovative force that is
changing the way suppliers and customers are using IT.
To further understand how organisations have successfully realised the benefits of Cloud
computing and explore the current perceived legal and technical risks to adopting Cloud
services, Eversheds LLP and PA Consulting Group joined forces to undertake a study of a
collection of senior business leaders including CFOs, General Counsel and other in-house
counsel and IT heads – the headline results of which are set out in this report.
We hope you find the contents of the report useful and thought-provoking and we would
welcome any comments on the findings.
For further information, please contact:
Charlotte Walker-Osborn
Partner and Head of TMT Sector
Eversheds LLP
Direct: +44 845 497 1220
Mob: +44 7799 075 756
www.eversheds.com
Conrad Thompson
Partner
PA Consulting Group
Direct: +44 207 881 3742
Mob: +44 7887 540 082
www.paconsulting.com
Insights from the study
1. Legal issues are still perceived as a significant barrier to adoption of the cloud.
2. The standard and/or negotiated contractual documentation which is entered into does not always match the Cloud offering being purchased.
3. The technical challenges of adopting Cloud have largely been solved, yet organisations’ commercial and business models are not always optimised to achieve the full benefits.
4. The management style of Cloud contracts hasn’t evolved from the management of traditional IT services, resulting in the loss of benefits and innovation potential of the Cloud.
5. The language between service providers and business customers can be misunderstood, with some providers focusing on the technical capabilities and perceived benefits without always recognising the commercial and business challenges.
Defining the Cloud
Cloud is a flexible way of consuming managed computing services. There are various
models and service definitions but, in this study, we focus only on “Enterprise Cloud”
services.
“Enterprise Cloud” has the following attributes from a user perspective:
• Shared resources (hosting, storage, email, collaboration services, helpdesk);
• Delivered and managed by someone else (i.e. not the user’s organisation);
• Easy to access from a modern user interface such as a browser or applet;
• Meets the functional and capacity needs of the individual or business;
• Always “on” (with apparent 100% availability) and is accessible anywhere from any device;
• Implicitly secure;
• Delivers consistent and dependable performance; and
• Contracted on a “Pay-As-You-Go” (PAYG) basis.
Do you agree with our definition?
Why do you say that?
“...the definition is what we’d like Enterprise Cloud to be but I’m not convinced
it’s there yet.”
“Not all Cloud providers will give pure PAYG, private Cloud may require start up
investment.”
“It gives true flexibility of service provision.”
“Not sure about the security aspect...”
“I agree with most statements, but not that it is implicitly secure or always on.”
“...there are very few providers that have actually made the transition to
pay-as-you-go - most are still licensing by seat.”
Yes
No
Don’t know
60%
30%
10%
Study results
General
G1. Does your organisation already use Cloud services?
Yes, widespread use
Yes, occasional use
No
17%
40%
43%
G2. How likely is it that you will procure Cloud services in the next 12 months?
Very unlikely
Unlikely
Neither likely or unlikely
Likely
Very likely
8%
54%
15%
15%
8%
G3. What are the key barriers to the adoption of Cloud for your organisation?
*respondents were able to choose multiple options
A sample of respondents choosing political restrictions as a barrier gave the following examples:
• Lack of exposure, experience and trust in Cloud services
• NHS organisations are governed by an IT toolkit by which all NHS organisations must conform
• Loss of control
A sample of respondents choosing legal restrictions as a barrier gave the following examples:
• Data protection and remote hosting
• Regulatory issues in certain EMEA jurisdictions regarding how some business records must be kept (in territory and in hard copy)
• Dealing with a lot of personal and commercial information
A sample of respondents choosing regulatory restrictions as a barrier gave the following examples:
• Some countries require that all business data is hosted within that country - typically no Infrastructure as a Service (IaaS) services are available locally
• Health records are geographically restricted to where they can be stored
Obtaining necessary customer consent
Reliability / availability
Increased dependency on supplier
Loss of control of IT management processes
Degree of internal organisational change to realise benefits
Negative publicity / bad PR when things go wrong
Political restrictions
Promised savings can’t actually be realised
Lack of portability on exit
Legal restrictions
Existing application performance, if hosted remotely
Regulatory restrictions
Cloud services maturity and market adoption
Security of the data
9%
18%
18%
18%
18%
18%
27%
27%
36%
36%
36%
45%
45%
64%
Business benefits
B1. What business benefits have you realised from implementing the Cloud?
*respondents were able to choose multiple options
Lower headcount
Internal IT department focus on business challenges / strategic projects
Improved service levels
Reduced reliance on internal technical expertise
Reduction in un-supported technology
New capabilities
Increased delivery agility
Lower cost
Scalability
71%
64%
50%
50%
36%
36%
29%
21%
14%
B2. How do you measure and ensure your Cloud solutions deliver on your objectives?
*respondents were able to choose multiple options
Service level report
User satisfaction survey
Cost savings
Management meetings
Audit
Payment of service credits for non-achievement of SLAs
Not measured
56%
50%
44%
38%
25%
19%
6%
B3. To what extent have you achieved the expected benefits and how have you measured these?
Still defining measures / KPIs
Not measured / tracked
Cloud adoption has not been as beneficial as expected
Evidence of tangible benefits equal to or greater than expected
Benefits realised but most of benefits are non-tangible
Benefits delivered close to expected, but lack of evidence to support the benefits
30%
20%
20%
10%
10%
10%
B4. What does your Cloud contract pricing model include?
*respondents rated on a scale of 1-3 (where 1 is low/not included and 3 is high/included) or answered ‘Don’t know’
Capped Burst Capacity
Minimum monthly service payment
Prices reduce with usage volume
Transparent pricing
Pure PAYG on demand
Costs to stop / exit Cloud services
Costs to start up Cloud services
Definitely not included
Sometimes included
Definitely included
Don’t know
B5. How do you evaluate and assess the services offered by your Cloud service provider?
Benchmark vendor services against the services offered by its closest competitors
Conduct a gap analysis between vendor services and services offered by in-house IT / outsourced on-site service provider
Benchmark vendor services against industry best practices
Don’t know
Accept the standard package offered by the vendor
6%
10%
22%
22%
40%
Security
S1. What are the top 3 concerns, in order of importance, for your security teams?
Patching
Regulatory / legal concerns
Data segregation policies
Server Security
Back-up / Replication policies
Network Security
Encryption
Physical Security
3rd priority
2nd priority
Top priority
S2. To what extent would you require Cloud vendors to tailor their security processes and controls?
To my requirements in key cases only
Completely or mainly customised to meet my organisation’s internal security requirements
Not particularly concerned, as long as the supplier can demonstrate industry best practice
Not particularly concerned, as long as we can audit processes and controls
Proportionately
Don’t know
44%
32%
12%
4%
4%
4%
A sample of respondents choosing ‘to my requirements in key cases only’ gave the following examples:
• New physical servers
• SSO
• Federated ID Management
• Central Claims via SAML assertions
• Industry regulation
• IL3
• Secure encryption
• Geographical ring-fencing
• Storage of data on and off shore
• Customer data
• PCI DSS compliance
• FSA obligations
• Safe harbour data management for US / overseas servers
• “Golden” server images
• Evaluation v commercial
• Privacy legislation
Legal
L1. Would EU (or other) data protection compliance concerns stop you from using a Cloud service?
*respondents were able to choose multiple options
If data location non-EU / EEA based or not in a location deemed “safe” under data protection laws
If personal data
Possibly
For high risk data
Always
50%
38%
28%
25%
Of respondents confirming EU data protection is a concern, risks are regarded as:
• Data compromise or security breaches (85% of respondents)
• Damage to reputation (69% of respondents)
• Fines, enforcement action, claims for non-compliance (58% of respondents)
• Business disruption (38% of respondents)
• Patriot Act, foreign Authority, litigation discovery access or seizure (38% of respondents)
*respondents were able to choose multiple options
L2. Which types of data would you be uncomfortable with being hosted by a Cloud provider?
Others
Procurement information
Protectively marked materials
Corporate file shares / general storage of documentation
Corporate email
Company financial projections
Company core financial data
Information on business customers
Customer information / data where customers are consumers
HR / payroll information regarding staff
E-discovery data for litigation
Roll out plans / business plans
Patents and other product development data
Don’t know
With the data being hosted outside of the EU / EEA*
With the data being hosted externally by any cloud provider
*or in any country that was not deemed ‘safe’ under relevant data protection laws
L3. What types of Cloud services would you be prepared to unconditionally agree to in the supplier’s standard terms and conditions?
*respondents were able to choose multiple options
18%
18%
18%
24%
24%
24%
29%
35%
76%
Email
External payment services
Development and test infrastructure environments
Internal-facing websites / portals
Customer-facing websites / portals
Production infrastructure environments
SaaS for regulated applications
Established SaaS applications
L4. What level of contractual liability protection against loss best describes what you would expect from a Cloud supplier before signing up?
*respondents were able to choose multiple options
Liability to cover likely losses and their likely value
Unlimited liability
Upfront service level agreement with pre-agreed sum
Limited liability to a maximum of charges in last 12 months
Limited liability to cost of services across the life of a deal
Monetary cap for breaches expected to be much lower than likely monetary loss
Other
32%
27%
14%
5%
5%
5%
12%
L5. Your Cloud service(s) experiences an outage (so that the Cloud service could not be accessed or used for a period of time) – what contractual comfort would you expect to be written in to your contract (without which you would not sign up)?
40%
21%
18%
15%
6%
You would accept paying a termination fee to exit the Agreement, regardless of the reason
Right to terminate the contract quickly and without charge, if there is one significant outage
Service credit payable, which fully or significantly recompenses your business for its losses
Service credit payable, accepting this will not fully recompense your business for its losses
Right to terminate the contract quickly and without charge, if there are a number of outages in any month exceeding a set period
A sample of respondents choosing the ‘right to terminate the contract quickly and without charge in the event of one significant outage’ gave the following examples as ‘significant’:
• “Any loss of capability resulting in any patient safety issues, negative financial issues or damaging to our reputation.”
• “24 hours is maximum.”
A sample of respondents choosing the ‘right to terminate the contract quickly and without charge in the event of a number of outages in any month exceeding a set period’ gave the following examples:
• “3 periods in a row or any 4 periods in a 6 month period.”
• “Depends on severity.”
• “Once is too much....”
A sample of respondents choosing to ‘expect a decent service credit payable that fully or significantly recompenses your business for its loss’ gave the following percentages of the monthly or annual service charge they would expect to claim:
• “Should be on a pro-rata basis i.e. 7 days outage = 25% of monthly charge.”
• “Full credit for period of non use.”
A sample of respondents choosing to ‘expect a decent service credit payable accepting that this will not fully recompense your business for its loss’ gave the following percentages of the monthly or annual service charge they would expect to claim:
• “100% of cost from downtime plus financial loss (if applicable).”
• “Sliding scale on severity and down time.”
For respondents choosing to ‘accept paying a termination fee’, 25% is the expected level of termination fee.
L6. Your Cloud service(s) experiences an outage (so that the Cloud service could not be accessed or used for a period of time) – what are your expectations in relation to service restoration?
All critical data restored within 4 business hours (with the rest of the data restored within a number of business days)
All data restored within 4 business hours
All critical data restored within 1 business day (with the rest of the data restored within a number of business days)
All data restored within 1 business day
Lower expectations than any of the above but expect a reasonable endeavours commitment from supplier to restore as soon as reasonably possible
65%
17%
6%
6%
6%
L7. How do you measure that the key legal protections and business benefits of Cloud solutions are being met?
Annual audit
Monthly service level reports
Other
33%
33%
34%
L8. Do you have insurance to cover data losses under your Cloud contract?
No
Don’t know
Yes, capped
Yes, unlimited
50%
32%
14%
4%
L9. Are you comfortable signing up to a Cloud contract that is not subject to the law in the jurisdiction in which your organisation is registered?
Uncomfortable
Comfortable
80%
20%
L10. What dispute resolution clause provisions would you insist on being included in your Cloud contract?
*respondents were able to choose multiple options
80%
60%
60%
20%
Escalation provisions
Court located in the jurisdiction that matches the law of the contract
Court located in
Risk
R1. Which risk factors are most important when adopting a specific new Cloud service?
*respondents rated on a scale of 1-6 (where 1 is most important and 6 is least important)
Mature and transparent currency market
Stable political and legislative environment
Number of other Cloud services operating in that jurisdiction
Restrictions / limitations on the ability of third parties to access data
Strength of local applicable Data Protection / privacy laws
Performance and reliability of communications
Most important
2nd
3rd
4th
5th
Least important
A sample of respondents also commented:
• “Performance and reliability is critical, but only relevant if the supplier is operating from a base of robust data protection laws and political stability free from endemic corruption/espionage.”
• “...the service has to work in the first place so performance is critical, as is knowing the risk of changes that may affect access to the data.”
• “Security and the political environment are key...”
R2. What risks would you seek to mitigate in your Cloud computing contract?
*respondents rated on a scale of 1-6 (where 1 is most important and 6 is least important)
Lack of recompense
Data loss
Lack of full functionality
Clarity of service
Downtime / lack of availability
Most important
2nd
3rd
4th
A sample of respondents also commented:
• “Lack of functionality will prevent us achieving our main objectives and bring a halt to all activity within our organisation. Recompense can always be addressed post-incident.”
• “Industry regulations - if data is lost, all or most of our investment is gone.”
• “Loss of data will impact more materially than downtime business reputation and thus performance.”
Technical
T1. Do any of your Cloud services involve data moving across regional boundaries for back-up or disaster recovery purposes?
No
Don’t know
Yes (including personal data, and will involve leaving EEA*)
Yes (including personal data and not involving exiting EEA*)
Yes (non-personal data only)
55%
20%
10%
10%
5%
*or in any country that was not deemed ‘safe’ under relevant data protection laws
T2. Compared with your non-Cloud Disaster Recovery environment, what does your contract provide you with?
Better
Same
Worse
Don’t know
35%
15%
15%
35%
T3. How is your team best equipped to respond to the challenges raised by the Cloud?
*respondents were able to choose multiple options
Service desk
Service integration
Demand management
Business relationship management
Sourcing and vendor management
Monitoring
Risk and security
Strategy and architecture
Performance management
18%
27%
36%
36%
45%
45%
45%
45%
45%
T4. In the event of a total disaster (e.g. Data Centre destruction) what does your supplier offer?
I don’t know
Full functionality restored
No restore
Tiered priority restores for critical services only
50%
30%
10%
10%
T5. What features are included in your Cloud contract?
*respondents rated on a scale of 1-3 (where 1 is low/not included and 3 is high/included) or answered ‘Don’t know’
Parts of the service are sub-contracted, e.g. burst capacity
Technology refresh performed automatically with no service interruption
Instant access to world-class innovations
Included
2nd
Not included