The adoption of cloud-based services

8/13/2019 The adoption of cloud-based services

http://slidepdf.com/reader/full/the-adoption-of-cloud-based-services 1/11

Copyright Quocirca © 2013

Bob Tarzey

Quocirca Ltd

Tel : +44 7900 275517

Email: [email protected]

Bernt Østergaard

Quocirca Ltd

Tel: +45 22 112 55 91

Email: [email protected]

The adoption of cloud-based services

Increasing confidence through effective security

July 2013

There is much research to show that the adoption of cloud-based services

is now widespread. It is also widely reported that the foremost concern

about such services is the security of data. The new research presented in

this report shows that those that are enthusiastic about cloud have the

same level of concern about security as the sceptics who avoid cloud

services.

One of the main differences between these two groups is that the

enthusiasts have put in place the security measures to allay their concerns

whilst the avoiders have not. Furthermore, enthusiasts are often using

cloud sourced security services to do so – cloud feeds on cloud .

This report examines the issues around the adoption of cloud-based

services and looks at the security technology that is being deployed by

enthusiasts and why the avoiders are holding back. It should be of interest

to any IT or business manager who knows there are plenty of benefits for

their organisation to gain from such services, but realise that they have to

explain to their colleagues how perceptions around the vulnerability of

sensitive data can be overcome.

mailto:[email protected]



mailto:%[email protected]








© Quocirca 2013 - 2 -

The adoption of cloud-based services Increasing confidence through effective securityWe all worry about security in both our business and personal lives so it should come as little surprise that it is the

top concern when it comes to the adoption of cloud-based services; this is as true for cloud enthusiasts as it is forcloud avoiders. The former stand out due to the measures they take to overcome their security concerns and the

benefits they gain from doing so.

There is wide

acceptance of cloud

services as a way to

deliver formal IT

requirements

Attitudes regarding cloud-based services range from the belief they should be used whenever

possible (22%), through those that evaluate them as alternatives to in-house deployments in

most cases (35%), those who evaluate them on a case-by-case basis (17%) to those that avoid

them as much as possible (23%). A small number pro-actively block such services (3%). An

analysis of the enthusiasts versus avoiders shows that the latter lack confidence in their ability

to use cloud services securely rather than dismissing them outright as a way to deliver

enterprise IT requirements.

Drivers for adoption

of cloud services

extend well beyond

cost savings

Whilst lower cost of ownership topped a list of drivers for the adoption of cloud-based services,

this was closely followed by better working practices for employees, improved efficiency and

easier external interaction. Access to applications that could not otherwise be afforded was atthe bottom of the list, but still significant for many. Needless to say, all of these drivers were of

far greater importance to enthusiasts than avoiders.

Blockers to adoption

of cloud services

varied significantly

by industry

Government organisations fear data protection laws, whilst financial services organisations

worry about the regulations that affect all the personal data they hold. Commercial

organisations, including retailers, worry most about the personally identifiable data they

collect. Manufacturers and telcos see intellectual property as a key competitive asset and

worry most about that.

Security is a concern

for all

All of the top blockers have a security component to them and it is a widely reported fact that

data security is the top concern when it comes to the use of cloud-based services. However,

the level of concern shown about security is similar for both enthusiasts and avoiders. What the

latter worry about is a lack of resources and skills to ensure secure use of cloud services. If

these concerns can be addressed then it will eliminate important stumbling blocks to faster

cloud adoption by all.

Enthusiasts invest in

security technology

to ensure they can

safely use cloud

services

Enthusiasts are far more likely to recognise the importance of a range of security technologies

and to have invested in them. This includes the ability to manage identities, provide safe access

and filter incoming/outgoing content. 97% of enthusiasts have an IAM system compared to just

26% of avoiders. Enthusiasts spend a greater percentage of their IT budget on IT security (7% as

opposed to 5%), reflecting the fact that they see the need for better security but also that their

ability to leverage cloud services reduces their top line IT costs.

The key security

requirements can be

delivered from the

cloud too

Whilst the safe use of cloud services requires an investment in IT security, enthusiasts also see

the cloud as a source of a wide range of security services. Even avoiders show some acceptance

that the cloud can be the best way to deliver single sign on (SSO), federated identity

management and identity governance; 30% of them accepted that there were advantages to

using identity and access management as a service (IAMaaS), however, the figure forenthusiasts was 92%.

Conclusions

The cloud genie is out of the bottle and there will be no putting it back because the benefits nearly always outweigh

the problems that need to be overcome when using such services for the delivery of mainstream IT requirements. This

research report shows the measures that organisations in the vanguard are taking to embrace the use of cloud

services. It also shows that, with some help and encouragement, today’s avoiders of cloud could become tomorrow’s

enthusiasts.




© Quocirca 2013 - 3 -

Introduction – enthusiasts and avoiders

There is plenty of research, including that presented in

this report, to show that cloud-based services are now

a mainstream way of delivering certain aspects of the

IT requirements of many organisations. Of course, the

range of cloud services is very broad and mostly it

helps to be specific about what is involved. A line

should at least be drawn between informal and formal

use.

From the perspective of an IT department, informal

use is anything that may not have been sanctioned

although in many cases is accepted. This includes end-

users making valid business use of social media and

other online applications, such as LinkedIn, YouTube

and Dropbox, and lines of business subscribing directly

to online services paid for out of their own budgets.

Formal use is where the IT department has decided to use a service rather than deploying something in-house. Just

under 75% of the European organisations Quocirca interviewed for the latest research confirmed they are already

doing so (Figure 1) although levels of adoption varied somewhat by industry. As providers, as well as consumers of

cloud services, telcos are the biggest users, followed by commercial organisations, which includes retailers, who

often interact directly with their customers online. Government organisations are the most likely to hold back, but

there are initiatives to encourage them in many countries with the prospect of cost savings for tax payers during

hard economic times.

Across the board, a very small number (3%) said they proactively blocked cloud services (blockers), and this should

be taken to include informal and formal use. However, the remainder fell in to one of four categories with asignificant number in each:

Those that use cloud services whenever they can (22%) – ENTHUSIASTS

Those that evaluate them as an alternative in most IT procurements (35%)

Those that evaluate them in some cases (17%)

Those that tend to avoid them (23%) – AVOIDERS

This report will focus on the two extremes that we have called enthusiast s and avoiders and tease out the

differences between them (the other two groups fall neatly between the two in most of their actions and views).

The avoiders (and even blockers) must at least face up to informal use. Even if they manage to put in place effective

controls to limit the use of cloud services on their own networks, users will still be able to access them across public

networks and from mobile devices.

The good news, for advocates of cloud at least, is that the avoiders are not a hugely negative bunch but simply

nervous about cloud and need some handholding to reap the benefits that are readily recognised by the

enthusiasts.




© Quocirca 2013 - 4 -

Drivers and blockers

A good place to start is to look at the drivers and blockers that

determine the uptake of cloud services. As with almost any

procurement, cost saving is a major driver for most, with lower

cost of ownership at the top of a list of drivers (Figure 2).

However, there is much recognition of the added value to be

had from cloud services; scoring almost the same was the

enablement of better working practices for employees (for

example, ease of access to cloud-provisioned applications

makes flexible and home working easier to support), improved

efficiency and easier external interaction. Access to

applications that could not otherwise be afforded was at the

bottom of the list. Needless to say, all of these drivers were of

far greater importance to enthusiasts than avoiders.

An analysis of blockers proves more interesting (Figure 3). The

top five issues all relate to security and privacy – no surprises there, this is in line with most other research. Each

industry has its own bug-bears (Figure 4):

For Government organisations it is privacy; a fear of data protection laws, having been damaged the most

by reports of careless handling of data

For financial services it is compliance; worries about the regulations that affect all the sensitive data they

hold

For commercial organisations it is crime; they worry most about personally identifiable data, which is not

surprising, as this group includes retailers who gather such data through their online sales channels

For manufacturers and telcos it is industrial espionage; they deal less with personal data and see

intellectual property as a key competitive asset




© Quocirca 2013 - 5 -

“There is not much to

separate enthusiasts from

avoiders; for both groups

data security issues top

the list”

Most interestingly, when looking at the top three blockers listed, there is not much to separate enthusiasts from

avoiders (Figure 5); for both groups data security issues top the list. Only when they are forced to select one issue

do the differences really start to stand out (Figure 6). Whilst the single top concern of avoiders remains in the area

of data security and privacy, for enthusiasts it is all about complexity of access. The lesson here for providers of

cloud services is, sure, they must be able to demonstrate their product is secure, but if there is not also solid

support from the provider to make sure provisioning, implementationand on-going access is as straight-forward as possible, they will lose out

to more agile competitors.

Looking more closely at security issues tells more. Overall the variation

between issues is not huge (Figure 7). However, focusing on the

enthusiasts and avoiders shows there is an equal level of concern about

the secure transmission and storage of data, but the avoiders stand out in

feeling they lack the skills and resources to ensure their use of cloud

services is secure (Figure 8). In other words, if they were provided help

with implementation of cloud services and the necessary security many

may overcome their reticence.




© Quocirca 2013 - 6 -

Securing the use of cloud

Perhaps we should not be surprised that securing the cloud is a big

issue for all. Apart from countless previous research reports telling us

this is the case, security concerns are inherent in everyone about all

sorts of issues in our personal and business lives. However, the focus

on security is misleading; what is more important is how security

concerns are addressed. Cloud enthusiasts feel more able to overcome

them than avoiders. So, what security measures are the former taking

to provide them with the greater level of confidence?

It would seem just about everything. Six key security areas were

looked into; for the enthusiasts all were seen as important (Figure 9).

Avoiders focussed mainly on their compliance responsibilities and the

need to keep audit trails, reflecting the fact that no one can avoid

cloud services altogether and all must face up to governance, risk and

compliance (GRC) demands. The truth is that unless they make

investments in every area of security to ensure that cloud services can

be used in a way that is compliant, protects against crime and

preserves privacy, the doubters will continue to hold back.

Enthusiasts recognise the need to put in place sufficient identity

controls as part of this; identity and access management (IAM), single

sign on (SSO) and the linking of identity and policy are all high on their

list but largely overlooked by avoiders. Indeed, 97% of enthusiasts

have an IAM system in place compared to just 26% of avoiders (Figure

10) and this is, in itself, likely to be a cloud service (IAM as a

service/IAMaaS) or at least have an on-demand component (hybrid

deployment, for example linking back to in-house directories). Havingsuch an IAM system is seen as a key enabler for the use of software-as-

a-service (SaaS) and other cloud services (Figure 11).

Of course, security comes at a cost. Enthusiasts spend a greater

percentage of their IT budgets on security than do avoiders (Figure 12).

This reflects two things:

1. Enabling the adoption of cloud-based services does indeed

involve increased security investment

2. Many cloud services have a lower cost than deploying the

same technology on-premise, so will reduce the overall cost of

IT delivery. This means security will rise as a proportion of

overall IT spending, even if security spending itself was notincreased

One way enthusiasts keep the cost of securing the use of cloud-based

services under control is to use cloud-based security services.




© Quocirca 2013 - 7 -

Security from the cloud

It may be a step too far to persuade avoiders that the best

way to make the use of cloud services secure is to use cloud-

based security services; however, enthusiasts have few

doubts. They do so for many of the same reasons that they

adopt cloud in the first place; ease of deployment, lower cost

of ownership etc.

Overall there is an acceptance that security services, ranging

from identity governance to privileged user management,

could be delivered either as pure cloud services or at least

hybrid ones, i.e. mixed with an on-premise capability (Figure

13). Enthusiasts were many times more likely to agree with

this proposition compared to avoiders. The avoiders close the

gap a little when it comes to SSO, federated identity

management and identity governance (ensuring the

compliant use of identities); this is most likely because these

services help facilitate external interaction, which even they

cannot avoid.

Focussing in on one particular security requirement shows

how stark the difference is (Figure 14). There was some

variation in the recognition of benefits of IAMaaS across

industries, but a huge gap between the enthusiasts and

avoiders. As with adoption of cloud services in general the

benefits of cloud security services, such as IAMaaS, include a

range of issues that cover both cost savings and increasedbusiness value. The relative benefits are shown in Figure 15.

The reasons for and benefits of delivering on-premise, hybrid

and cloud-based IAM are detailed in another Quocirca report

entitled “Digital identities and the open business”1. The

report is based on the same data sets that have been used to

prepare this report and can be freely downloaded (see

references).

Overall there is an acceptance that

security services ranging, from

identity governance to privileged

user management, could be

delivered either as pure cloudservices or at least hybrid ones




© Quocirca 2013 - 8 -

Conclusions

This report has shown that the adoption of cloud-based services is widespread; the move to cloud seems unlikely to

go into retreat at any time soon, if ever. The move is fundamentally changing the relationship between IT

departments and the businesses they serve. The IT teams in organisations that are furthest down the road with

cloud are generally more focussed on application delivery and business outcomes than those who maintain most IT

platforms in-house; they spend much more of their time dealing with the underlying technology.

Ensuring good security is a fundamental requirement of making the use of cloud-based services safe and giving

organisations the confidence to adopt such services more and more. The rising adoption of cloud services and

increasing security investment go hand-in-hand. However, the investment in additional security is outweighed by

the benefits of cloud adoption and the cloud-based security services can help keep down the cost of delivering the

required security – cloud feeds on cloud .

The cloud genie is out of the bottle and there will be no putting it back because the benefits nearly always outweigh

the problems that need to be overcome when using such services for the delivery of mainstream IT requirements.

This research report has shown the measures that organisations in the vanguard are taking to embrace the use of

cloud services. It has also shown that, with some help and encouragement, today’s avoiders of cloud could become

tomorrow’s enthusiasts.

Appendix 1 – references

“Digital identities and the open business”, Quocirca Feb 2013

https://www.ca.com/gb/register/forms/collateral/Quocirca-European-Research-Digital-Identities-and-the-Open-

Business.aspx

Appendix 2 – analysis methodology

For the data presented on Figures 3, 4, 5 and 6, the respondents were asked to select 5 issues from a list of 11 and

place them in order of importance.

In the analysis used for Figures 3 and 4 each issue selected was given a weighting; 5 for the most important, 4 for

the second down to 1 for the fifth. The cumulative scores were then recast as a percentage of the highest possible

score. If all had selected the same issue as the most important, it would have scored 100%.

In the analysis used for Figure 5 the percentage shown is the number that placed a given issue in 1

st

, 2

nd

or 3

rd

place.

In the analysis used for Figure 6 the percentage shown is only the number that placed a given issue in 1st

place.

https://www.ca.com/gb/register/forms/collateral/Quocirca-European-Research-Digital-Identities-and-the-Open-Business.aspx








© Quocirca 2013 - 9 -

Appendix 3 – demographics

The data presented in this report was gathered during the final months of 2012. The following figures show the

distribution of the research respondents by country, organisation size, industry sector and job role.



About CA Technologies

CA Technologies (NASDAQ: CA) provides IT management solutions that help customers manage and secure complex

IT environments to support agile business services. Organisations leverage CA Technologies software and SaaS

solutions to accelerate innovation, transform infrastructure and secure data and identities, from the data center to

the cloud.

IT Security solutions from CA Technologies can help you enable and protect your business, while leveraging key

technologies such as cloud, mobile, and virtualisation – securely – to provide the agility that you need to respond

quickly to market and competitive events. Our identity and access management (IAM) solutions can help you

enhance the security of your information systems so that you can improve customer loyalty and growth, while

protecting your critical applications and data, whether located on-premise or in the cloud. With more than 3,000

security customers and over 30 years’ experience in security management, CA offers pragmatic solutions that help

reduce security risks, enable greater efficiencies and cost savings, and support delivering quick business value.

CA CloudMinderTM

provides enterprise-grade identity and access management capabilities as a hosted cloud service

supporting both on-premise and cloud-based applications. Deployed as a service, CA CloudMinder drives

operational efficiencies and cost efficiencies through speed of deployment, predictability of expense and reduced

infrastructure and management needs.

www.ca.com/mindyourcloud

<vendor logo>

http://www.ca.com/mindyourcloud






About Quocirca

Quocirca is a primary research and analysis company specialising in the

business impact of information technology and communications (ITC).

With world-wide, native language reach, Quocirca provides in-depth

insights into the views of buyers and influencers in large, mid-sized and

small organisations. Its analyst team is made up of real-world

practitioners with first-hand experience of ITC delivery who continuously

research and track the industry and its real usage in the markets.

Through researching perceptions, Quocirca uncovers the real hurdles to

technology adoption – the personal and political aspects of an

organisation’s environment and the pressures of the need for

demonstrable business value in any implementation. This capability to

uncover and report back on the end-user perceptions in the market

enables Quocirca to provide advice on the realities of technology

adoption, not the promises.

Quocirca research is always pragmatic, business orientated and conducted in the context of the bigger picture. ITC

has the ability to transform businesses and the processes that drive them, but of ten fails to do so. Quocirca’s

mission is to help organisations improve their success rate in process enablement through better levels of

understanding and the adoption of the correct technologies at the correct time.

Quocirca has a pro-active primary research programme, regularly surveying users, purchasers and resellers of ITC

products and services on emerging, evolving and maturing technologies. Over time, Quocirca has built a picture of

long term investment trends, providing invaluable information for the whole of the ITC community.

Quocirca works with global and local providers of ITC products and services to help them deliver on the promise thatITC holds for business. Quocirca’s clients include Oracle, IBM, CA, O2, T -Mobile, HP, Xerox, Ricoh and Symantec,

along with other large and medium sized vendors, service providers and more specialist firms.

Details of Quocirca’s work and the services it offers can be found at http://www.quocirca.com

Disclaimer:

This report has been written independently by Quocirca Ltd. During the preparation of this report, Quocirca may

have used a number of sources for the information and views provided. Although Quocirca has attempted

wherever possible to validate the information received from each vendor, Quocirca cannot be held responsible for

any errors in information received in this manner.

Although Quocirca has taken what steps it can to ensure that the information provided in this report is true andreflects real market conditions, Quocirca cannot take any responsibility for the ultimate reliability of the details

presented. Therefore, Quocirca expressly disclaims all warranties and claims as to the validity of the data presented

here, including any and all consequential losses incurred by any organisation or individual taking any action based

on such data and advice.

All brand and product names are recognised and acknowledged as trademarks or service marks of their respective

holders.

REPORT NOTE:This report has been writtenindependently by Quocirca Ltd

to provide an overview of theissues facing organisationsseeking to maximise theeffectiveness of today’sdynamic workforce.

The report draws on Quocirca’sextensive knowledge of thetechnology and businessarenas, and provides advice onthe approach that organisationsshould take to create a moreeffective and efficient

environment for future growth.

http://www.quocirca.com/




Documents

The adoption of cloud-based services