The adoption of cloud -based services

Increasing confidence through effective security July 2013 There is much research to show that the adoption of cloud-based services is now widespread. It is also widely reported that the foremost concern about such services is the security of data. The new research presented in this report shows that those that are enthusiastic about cloud have the same level of concern about security as the sceptics who avoid cloud services. One of the main differences between these two groups is that the enthusiasts have put in place the security measures to allay their concerns whilst the avoiders have not. Furthermore, enthusiasts are often using cloud sourced security services to do so – cloud feeds on cloud. This report examines the issues around the adoption of cloud-based services and looks at the security technology that is being deployed by enthusiasts and why the avoiders are holding back. It should be of interest to any IT or business manager who knows there are plenty of benefits for their organisation to gain from such services, but realise that they have to explain to their colleagues how perceptions around the vulnerability of sensitive data can be overcome.
Bob Tarzey Quocirca Ltd Tel : +44 7900 275517 Email: bob.tarzey@quocirca.com Bernt Østergaard Quocirca Ltd Tel: +45 22 112 55 91 Email: bernt.ostergaard@quocirca.com

Copyright Quocirca © 2013

The adoption of cloud-based services

The adoption of cloud-based services
Increasing confidence through effective security
We all worry about security in both our business and personal lives so it should come as little surprise that it is the top concern when it comes to the adoption of cloud-based services; this is as true for cloud enthusiasts as it is for cloud avoiders. The former stand out due to the measures they take to overcome their security concerns and the benefits they gain from doing so.

There is wide acceptance of cloud services as a way to deliver formal IT requirements Drivers for adoption of cloud services extend well beyond cost savings Blockers to adoption of cloud services varied significantly by industry Security is a concern for all

Attitudes regarding cloud-based services range from the belief they should be used whenever possible (22%), through those that evaluate them as alternatives to in-house deployments in most cases (35%), those who evaluate them on a case-by-case basis (17%) to those that avoid them as much as possible (23%). A small number pro-actively block such services (3%). An analysis of the enthusiasts versus avoiders shows that the latter lack confidence in their ability to use cloud services securely rather than dismissing them outright as a way to deliver enterprise IT requirements. Whilst lower cost of ownership topped a list of drivers for the adoption of cloud-based services, this was closely followed by better working practices for employees, improved efficiency and easier external interaction. Access to applications that could not otherwise be afforded was at the bottom of the list, but still significant for many. Needless to say, all of these drivers were of far greater importance to enthusiasts than avoiders. Government organisations fear data protection laws, whilst financial services organisations worry about the regulations that affect all the personal data they hold. Commercial organisations, including retailers, worry most about the personally identifiable data they collect. Manufacturers and telcos see intellectual property as a key competitive asset and worry most about that. All of the top blockers have a security component to them and it is a widely reported fact that data security is the top concern when it comes to the use of cloud-based services. However, the level of concern shown about security is similar for both enthusiasts and avoiders. What the latter worry about is a lack of resources and skills to ensure secure use of cloud services. If these concerns can be addressed then it will eliminate important stumbling blocks to faster cloud adoption by all. Enthusiasts are far more likely to recognise the importance of a range of security technologies and to have invested in them. This includes the ability to manage identities, provide safe access and filter incoming/outgoing content. 97% of enthusiasts have an IAM system compared to just 26% of avoiders. Enthusiasts spend a greater percentage of their IT budget on IT security (7% as opposed to 5%), reflecting the fact that they see the need for better security but also that their ability to leverage cloud services reduces their top line IT costs. Whilst the safe use of cloud services requires an investment in IT security, enthusiasts also see the cloud as a source of a wide range of security services. Even avoiders show some acceptance that the cloud can be the best way to deliver single sign on (SSO), federated identity management and identity governance; 30% of them accepted that there were advantages to using identity and access management as a service (IAMaaS), however, the figure for enthusiasts was 92%.

Enthusiasts invest in security technology to ensure they can safely use cloud services The key security requirements can be delivered from the cloud too

Conclusions
The cloud genie is out of the bottle and there will be no putting it back because the benefits nearly always outweigh the problems that need to be overcome when using such services for the delivery of mainstream IT requirements. This research report shows the measures that organisations in the vanguard are taking to embrace the use of cloud services. It also shows that, with some help and encouragement, today’s avoiders of cloud could become tomorrow’s enthusiasts.

© Quocirca 2013

-2-

The adoption of cloud-based services

Introduction – enthusiasts and avoiders
There is plenty of research, including that presented in this report, to show that cloud-based services are now a mainstream way of delivering certain aspects of the IT requirements of many organisations. Of course, the range of cloud services is very broad and mostly it helps to be specific about what is involved. A line should at least be drawn between informal and formal use. From the perspective of an IT department, informal use is anything that may not have been sanctioned although in many cases is accepted. This includes endusers making valid business use of social media and other online applications, such as LinkedIn, YouTube and Dropbox, and lines of business subscribing directly to online services paid for out of their own budgets. Formal use is where the IT department has decided to use a service rather than deploying something in-house. Just under 75% of the European organisations Quocirca interviewed for the latest research confirmed they are already doing so (Figure 1) although levels of adoption varied somewhat by industry. As providers, as well as consumers of cloud services, telcos are the biggest users, followed by commercial organisations, which includes retailers, who often interact directly with their customers online. Government organisations are the most likely to hold back, but there are initiatives to encourage them in many countries with the prospect of cost savings for tax payers during hard economic times. Across the board, a very small number (3%) said they proactively blocked cloud services (blockers), and this should be taken to include informal and formal use. However, the remainder fell in to one of four categories with a significant number in each:  Those that use cloud services whenever they can (22%) – ENTHUSIASTS  Those that evaluate them as an alternative in most IT procurements (35%)  Those that evaluate them in some cases (17%)  Those that tend to avoid them (23%) – AVOIDERS This report will focus on the two extremes that we have called enthusiasts and avoiders and tease out the differences between them (the other two groups fall neatly between the two in most of their actions and views). The avoiders (and even blockers) must at least face up to informal use. Even if they manage to put in place effective controls to limit the use of cloud services on their own networks, users will still be able to access them across public networks and from mobile devices. The good news, for advocates of cloud at least, is that the avoiders are not a hugely negative bunch but simply nervous about cloud and need some handholding to reap the benefits that are readily recognised by the enthusiasts.

© Quocirca 2013

-3-

The adoption of cloud-based services

Drivers and blockers
A good place to start is to look at the drivers and blockers that determine the uptake of cloud services. As with almost any procurement, cost saving is a major driver for most, with lower cost of ownership at the top of a list of drivers (Figure 2). However, there is much recognition of the added value to be had from cloud services; scoring almost the same was the enablement of better working practices for employees (for example, ease of access to cloud-provisioned applications makes flexible and home working easier to support), improved efficiency and easier external interaction. Access to applications that could not otherwise be afforded was at the bottom of the list. Needless to say, all of these drivers were of far greater importance to enthusiasts than avoiders. An analysis of blockers proves more interesting (Figure 3). The top five issues all relate to security and privacy – no surprises there, this is in line with most other research. Each industry has its own bug-bears (Figure 4):  For Government organisations it is privacy; a fear of data protection laws, having been damaged the most by reports of careless handling of data  For financial services it is compliance; worries about the regulations that affect all the sensitive data they hold  For commercial organisations it is crime; they worry most about personally identifiable data, which is not surprising, as this group includes retailers who gather such data through their online sales channels  For manufacturers and telcos it is industrial espionage; they deal less with personal data and see intellectual property as a key competitive asset

© Quocirca 2013

-4-

The adoption of cloud-based services
Most interestingly, when looking at the top three blockers listed, there is not much to separate enthusiasts from avoiders (Figure 5); for both groups data security issues top the list. Only when they are forced to select one issue do the differences really start to stand out (Figure 6). Whilst the single top concern of avoiders remains in the area of data security and privacy, for enthusiasts it is all about complexity of access. The lesson here for providers of cloud services is, sure, they must be able to demonstrate their product is secure, but if there is not also solid support from the provider to make sure provisioning, implementation and on-going access is as straight-forward as possible, they will lose out to more agile competitors. Looking more closely at security issues tells more. Overall the variation between issues is not huge (Figure 7). However, focusing on the enthusiasts and avoiders shows there is an equal level of concern about the secure transmission and storage of data, but the avoiders stand out in feeling they lack the skills and resources to ensure their use of cloud services is secure (Figure 8). In other words, if they were provided help with implementation of cloud services and the necessary security many may overcome their reticence.

“There is not much to separate enthusiasts from avoiders; for both groups data security issues top the list”

© Quocirca 2013

-5-

The adoption of cloud-based services

Securing the use of cloud
Perhaps we should not be surprised that securing the cloud is a big issue for all. Apart from countless previous research reports telling us this is the case, security concerns are inherent in everyone about all sorts of issues in our personal and business lives. However, the focus on security is misleading; what is more important is how security concerns are addressed. Cloud enthusiasts feel more able to overcome them than avoiders. So, what security measures are the former taking to provide them with the greater level of confidence? It would seem just about everything. Six key security areas were looked into; for the enthusiasts all were seen as important (Figure 9). Avoiders focussed mainly on their compliance responsibilities and the need to keep audit trails, reflecting the fact that no one can avoid cloud services altogether and all must face up to governance, risk and compliance (GRC) demands. The truth is that unless they make investments in every area of security to ensure that cloud services can be used in a way that is compliant, protects against crime and preserves privacy, the doubters will continue to hold back. Enthusiasts recognise the need to put in place sufficient identity controls as part of this; identity and access management (IAM), single sign on (SSO) and the linking of identity and policy are all high on their list but largely overlooked by avoiders. Indeed, 97% of enthusiasts have an IAM system in place compared to just 26% of avoiders (Figure 10) and this is, in itself, likely to be a cloud service (IAM as a service/IAMaaS) or at least have an on-demand component (hybrid deployment, for example linking back to in-house directories). Having such an IAM system is seen as a key enabler for the use of software-asa-service (SaaS) and other cloud services (Figure 11). Of course, security comes at a cost. Enthusiasts spend a greater percentage of their IT budgets on security than do avoiders (Figure 12). This reflects two things: 1. Enabling the adoption of cloud-based services does indeed involve increased security investment 2. Many cloud services have a lower cost than deploying the same technology on-premise, so will reduce the overall cost of IT delivery. This means security will rise as a proportion of overall IT spending, even if security spending itself was not increased One way enthusiasts keep the cost of securing the use of cloud-based services under control is to use cloud-based security services.

© Quocirca 2013

-6-

The adoption of cloud-based services

Security from the cloud
It may be a step too far to persuade avoiders that the best way to make the use of cloud services secure is to use cloudbased security services; however, enthusiasts have few doubts. They do so for many of the same reasons that they adopt cloud in the first place; ease of deployment, lower cost of ownership etc. Overall there is an acceptance that security services, ranging from identity governance to privileged user management, could be delivered either as pure cloud services or at least hybrid ones, i.e. mixed with an on-premise capability (Figure 13). Enthusiasts were many times more likely to agree with this proposition compared to avoiders. The avoiders close the gap a little when it comes to SSO, federated identity management and identity governance (ensuring the compliant use of identities); this is most likely because these services help facilitate external interaction, which even they cannot avoid.

Overall there is an acceptance that security services ranging, from identity governance to privileged user management, could be delivered either as pure cloud services or at least hybrid ones

Focussing in on one particular security requirement shows how stark the difference is (Figure 14). There was some variation in the recognition of benefits of IAMaaS across industries, but a huge gap between the enthusiasts and avoiders. As with adoption of cloud services in general the benefits of cloud security services, such as IAMaaS, include a range of issues that cover both cost savings and increased business value. The relative benefits are shown in Figure 15. The reasons for and benefits of delivering on-premise, hybrid and cloud-based IAM are detailed in another Quocirca report 1 entitled “Digital identities and the open business” . The report is based on the same data sets that have been used to prepare this report and can be freely downloaded (see references).

© Quocirca 2013

-7-

The adoption of cloud-based services

Conclusions
This report has shown that the adoption of cloud-based services is widespread; the move to cloud seems unlikely to go into retreat at any time soon, if ever. The move is fundamentally changing the relationship between IT departments and the businesses they serve. The IT teams in organisations that are furthest down the road with cloud are generally more focussed on application delivery and business outcomes than those who maintain most IT platforms in-house; they spend much more of their time dealing with the underlying technology. Ensuring good security is a fundamental requirement of making the use of cloud-based services safe and giving organisations the confidence to adopt such services more and more. The rising adoption of cloud services and increasing security investment go hand-in-hand. However, the investment in additional security is outweighed by the benefits of cloud adoption and the cloud-based security services can help keep down the cost of delivering the required security – cloud feeds on cloud. The cloud genie is out of the bottle and there will be no putting it back because the benefits nearly always outweigh the problems that need to be overcome when using such services for the delivery of mainstream IT requirements. This research report has shown the measures that organisations in the vanguard are taking to embrace the use of cloud services. It has also shown that, with some help and encouragement, today’s avoiders of cloud could become tomorrow’s enthusiasts.

Appendix 1 – references
“Digital identities and the open business”, Quocirca Feb 2013 https://www.ca.com/gb/register/forms/collateral/Quocirca-European-Research-Digital-Identities-and-the-OpenBusiness.aspx

Appendix 2 – analysis methodology
For the data presented on Figures 3, 4, 5 and 6, the respondents were asked to select 5 issues from a list of 11 and place them in order of importance. In the analysis used for Figures 3 and 4 each issue selected was given a weighting; 5 for the most important, 4 for the second down to 1 for the fifth. The cumulative scores were then recast as a percentage of the highest possible score. If all had selected the same issue as the most important, it would have scored 100%. In the analysis used for Figure 5 the percentage shown is the number that placed a given issue in 1 , 2 or 3 place. In the analysis used for Figure 6 the percentage shown is only the number that placed a given issue in 1 place.
st st nd rd

© Quocirca 2013

-8-

The adoption of cloud-based services

Appendix 3 – demographics
The data presented in this report was gathered during the final months of 2012. The following figures show the distribution of the research respondents by country, organisation size, industry sector and job role.

© Quocirca 2013

-9-

About CA Technologies
CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex IT environments to support agile business services. Organisations leverage CA Technologies software and SaaS solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to the cloud. IT Security solutions from CA Technologies can help you enable and protect your business, while leveraging key technologies such as cloud, mobile, and virtualisation – securely – to provide the agility that you need to respond quickly to market and competitive events. Our identity and access management (IAM) solutions can help you enhance the security of your information systems so that you can improve customer loyalty and growth, while protecting your critical applications and data, whether located on-premise or in the cloud. With more than 3,000 security customers and over 30 years’ experience in security management, CA offers pragmatic solutions that help reduce security risks, enable greater efficiencies and cost savings, and support delivering quick business value. CA CloudMinder provides enterprise-grade identity and access management capabilities as a hosted cloud service supporting both on-premise and cloud-based applications. Deployed as a service, CA CloudMinder drives operational efficiencies and cost efficiencies through speed of deployment, predictability of expense and reduced infrastructure and management needs.
TM

www.ca.com/mindyourcloud

<vendor logo>

The adoption of cloud-based services

REPORT NOTE: This report has been written independently by Quocirca Ltd to provide an overview of the issues facing organisations seeking to maximise the effectiveness of today’s dynamic workforce. The report draws on Quocirca’s extensive knowledge of the technology and business arenas, and provides advice on the approach that organisations should take to create a more effective and efficient environment for future growth.

About Quocirca
Quocirca is a primary research and analysis company specialising in the business impact of information technology and communications (ITC). With world-wide, native language reach, Quocirca provides in-depth insights into the views of buyers and influencers in large, mid-sized and small organisations. Its analyst team is made up of real-world practitioners with first-hand experience of ITC delivery who continuously research and track the industry and its real usage in the markets. Through researching perceptions, Quocirca uncovers the real hurdles to technology adoption – the personal and political aspects of an organisation’s environment and the pressures of the need for demonstrable business value in any implementation. This capability to uncover and report back on the end-user perceptions in the market enables Quocirca to provide advice on the realities of technology adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC has the ability to transform businesses and the processes that drive them, but of ten fails to do so. Quocirca’s mission is to help organisations improve their success rate in process enablement through better levels of understanding and the adoption of the correct technologies at the correct time. Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of long term investment trends, providing invaluable information for the whole of the ITC community. Quocirca works with global and local providers of ITC products and services to help them deliver on the promise that ITC holds for business. Quocirca’s clients include Oracle, IBM, CA, O2, T -Mobile, HP, Xerox, Ricoh and Symantec, along with other large and medium sized vendors, service providers and more specialist firms. Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com Disclaimer: This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca may have used a number of sources for the information and views provided. Although Quocirca has attempted wherever possible to validate the information received from each vendor, Quocirca cannot be held responsible for any errors in information received in this manner. Although Quocirca has taken what steps it can to ensure that the information provided in this report is true and reflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented here, including any and all consequential losses incurred by any organisation or individual taking any action based on such data and advice. All brand and product names are recognised and acknowledged as trademarks or service marks of their respective holders.

Sign up to vote on this title
UsefulNot useful