|Summary: The Cloud market is on the verge of the next wave of market penetration, yet it’s likely that only one in five Cloud Service Providers (CSPs) in today’s marketplace will still be around by 2018, as providers fail or are swallowed up by aggressive competitors. So what do CSPs need to do to survive and prosper? (October 2013, Foundation 2.0, Executive Briefing Service, Cloud & Enterprise ICT Stream.)|
Introduction: one in five Cloud providers will survive
The Cloud market is on the verge of the next wave of market penetration, yet it’s likely that only one in five Cloud Service Providers (CSPs) in today’s marketplace will still be around by 2018, as providers fail or are swallowed up by aggressive competitors. So what do CSPs need to do to survive and prosper?
This research was sponsored by Trend Micro but the analysis and recommendations represent STL Partners’ independent view. STL Partners carried out an independent study based on in-depth interviews with 27 senior decision makers representing Cloud Service Providers and enterprises across Europe. These discussions explored from both perspectives cloud maturity, the barriers to adoption and how these might be overcome. The findings and observations are detailed in this three-part report, together with practical recommendations on how CSPs can address enterprise security concerns and ensure the sustainability of the cloud model itself.
Part 1: Cloud – coming of age or troubled adolescent?
While the concept of organising computing as a utility dates back to the 1960s, the cloud computing model as we know it today is built on the sub-classifications of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS).
We’ve covered telcos’ role in Cloud Services in depth in our Cloud research stream, and found that hype, hope and uncertainty have been notable features of the early stages of development of the market, with many optimistic forecasts of adoption being somewhat premature.
In terms of the adoption cycle adoption today, our analysis is that Cloud Services are on the brink of ‘the chasm’: well established among early adopters but less well known, trusted and used by the mass market segment of the enterprise market.
Building trust among new customer segments is the key to bridging this gap. For the industry it is a make or break point in terms of achieving scale. For CSPs, trust will be a key to survival and prosperity in the next phase of the market, enabling them to open up new opportunities and expand the amenable market, as well as to compete to retain and grow their individual market shares.
Many of the obstacles to and inhibitors of cloud adoption stem from customers’ perceptions of product immaturity – “will it be safe and work how we want without too much hassle and commitment?” In this report we examine findings on the general inhibitors and drivers of adoption, and then those related to the main inhibitor, data security, and how they might be addressed.
Overcoming the obstacles
Enterprise decision-makers in the study admitted to being deterred from the cloud by the prospect of migration, with the “enterprise/cloud barrier” perceived as a significant technical hurdle. While CSPs with enterprise-grade propositions have in place the business model, margins and consultative resources to offer customers an assisted journey to the cloud, standard public offerings are provided on a Do-It-Yourself basis.
However, data privacy and security remain the biggest inhibitors to cloud adoption among enterprises, due in no small part to a perceived loss of visibility and control. Recent headline-grabbing events relating to mass surveillance programmes such as PRISM have only served to feed these fears. As will be seen in this report, a lack of consistent industry standards, governance and even terminology heightens the confusion. Internal compliance procedures, often rooted in an out-dated “physical” mind-set, fail to reflect today’s technological realty and the nature of potential threats.
According to the UK Department for Business Innovation & Skills, the direct cost of a security breach (any unauthorised access of data, applications, services, networks or devices) is around £65,000 for SMEs and £850,000 for larger enterprises. However, add to this financial penalties for failure to protect customer data, reputational damage, diminished goodwill and lost business, and the consequential losses can be enough to put a company out of business. It’s little wonder some enterprises still regard cloud as a risk too far.
In reality, CSPs with a heritage in managed services and favourable economies of scale can typically match or better the security provisions of on-premise data centres. However, as “super enterprises” they present a larger and therefore more attractive target for malicious activity than a single business. There is simply no room for complacency.
CSPs must shift their view of security from a business inhibitor to a business enabler: crucial to maintaining and expanding the overall cloud market and confidence in the model by winning customer trust. This requires a fundamental rethink of compliance – both on the part of CSPs and enterprises – from a tick-box exercise to achieve lowest-cost perimeter protection to cost effectively meeting the rigorous demands of today’s information-reliant enterprises.
Cloud services cannot be considered mature until enterprises en masse are prepared to entrust anything more than low-sensitivity data to third party CSPs. The more customer security breaches that occur, the more trust will be undermined, and the greater the risk of the cloud model imploding altogether.
State of the nation
The journey to the cloud is often presented in the media as a matter of “when” rather than “if”. However, while several CSPs in our study believed that the cloud model was starting to approach maturity, enterprise participants were more likely to contend that cloud was still at an experimental or “early adopter” stage.
The requirements of certain vertical markets were perceived by some respondents to make cloud a non-starter, for example, broadcasters that need to upload and download multi-terabyte sized media files, or low-latency trading environments in the financial sector. Similarly, the value of intellectual property was cited by pharmaceutical companies as justifying the retention of data in a private cloud or internal data centre at any cost.
CSPs universally acknowledged that their toughest competitor continues to be enterprises’ own in-house data centres. IT departments are accustomed to having control over their applications, services, servers, storage, network and security. While notionally, they accept they will have to be less “hands on” in the cloud, a lack of trust persists among many. This reticence was typically seen by CSPs as unwarranted fear and parochialism, yet many are still finding it a challenge to educate prospective customers and correct misconceptions. CSPs suggested that IT professionals may be as likely to voice support for the cloud as turkeys voting for Christmas. However, more enlightened IT functions have embraced the opportunity to evolve their remit to working with their CSP to monitor services against SLAs, enforce compliance requirements and investigate new technologies rather than maintaining the old.
For tentative enterprises, security is still seen as a barrier to, rather than an accelerant of, cloud adoption, and one of the most technically challenging issues for both IT and compliance owners. Enterprises that had advanced their cloud strategy testified that successful adoption relies on effective risk management when evaluating and engaging a cloud partner. Proponents of cloud solutions will need compelling proof points to win over their CISO, security team or compliance officer. However, due diligence is a lengthy and often convoluted process that should be taken into account by those drawn to the cloud model for the agility it promises.
The majority of CSPs interviewed were relatively dismissive of customer security concerns, making the valid argument that their security provisions were at least equal to, if not better than, that of most enterprise data centres. However, as multiple companies concentrate their data into the hands of a few CSPs, the larger and more attractive those providers become to hackers as an attack target. Nonetheless, CSPs rarely offer any indemnification against hacking (aside from financial compensation for a breach of SLA) and SaaS providers tend to be more obscure than IaaS/PaaS providers in terms of the security of their operations. Further commercial concerns explored in this report relate to migration and punitive contractual lock-in. Enterprises need to feel that they can easily relocate services and data across the cloud boundary, whether back in house or to another provider. This creates the added challenge of being able to provide end-to-end audit continuity as well as in transit.
There are currently around 800 cloud service providers (CSPs) in Europe. Something of a land grab is taking place as organisations whose heritage lies in software, telecoms and managed hosting are launching cloud-enabled services, primarily IaaS and SaaS.
However, “cloudwashing” – a combination of vendor obfuscation and hyperbole – is already slowing down the sales cycles at a time when greater transparency would be likely to lead to more proofs of concept, accelerated uptake and expansion of the overall market.
Turbulence in the macro economy is exacerbating the problem: business creation and destruction are among the most telling indicators of economic vitality. A landmark report from RSM shows that the net rate of business creation (business births minus deaths) for the G7 countries was just 0.8% on a compound annual basis over the five-year period of the study. The BRICs, by contrast, show a net rate of business creation of 6.2% per annum – approximately eight times the G7 rate.
In parallel, the pace of technology success is accelerating. Technologies are considered to have become “mainstream” once they have achieved 25% penetration. As cloud follows this same trajectory, with a rash of telcos, cable operators, data centre specialists and colocation providers entering the market, significant consolidation will be inevitable, since cloud economics are inextricably linked to scale.
Figure 1 – Technology adoption rates
Source: STL Partners
Lastly, customers are adapting and evolving faster than ever, due in no small part to the advent of social media and digital marketing practices, creating a hyper-competitive environment. As a by-product, the rate of business failure is rising. In the 1950s, two-thirds of the Fortune 500 companies failed. Throughout the 1980s, almost nine out of ten of the so-called “Excellent” companies went to the wall, and 98% of firms borne out of the “Dot Com” revolution in the late 1990s are not expected to survive.
As a result, STL Partners anticipates that by 2018, a combination of consolidation and natural wastage will leave only 160 CSPs in the marketplace – a survival rate of one in five.
Drivers of cloud adoption
The business benefits of the cloud are well documented, so the main value drivers cited by participants in the study can be briefly summarised as follows:
Figure 2 – Business and IT Drivers of cloud adoption
- Introduction: one in five Cloud providers will survive
- Part 1: Cloud – coming of age or troubled adolescent?
- Overcoming the obstacles
- State of the nation
- Drivers of cloud adoption
- Inhibitors to cloud adoption
- Cloud migration and integration with internal systems
- Vendor lock-in and exit strategies
- Governance and compliance issues
- Supplier credibility and longevity
- Testing and assurance
- Part 2: Cloud security and data privacy challenges
- Physical security
- Data residency and jurisdiction
- Compliance and audit
- Identity and Access Management
- Shared resources and data segregation
- Security incident management
- Continuity services
- Data disposal
- Cloud provider assessment
- Industry standards and codes of practice
- Migration strategy
- Customer visibility
- Part 3: Improving your ‘security posture’
- The ethos, tools and know-how needed to win customers’ trust
- The Four Levels of Cloud Security
- Key take-aways for Cloud Services Providers
- About STL Partners
- About Trend Micro
Table of Figures
- Figure 1 – Technology adoption rates
- Figure 2 – Business and IT Drivers of cloud adoption
- Figure 3 – Information security breaches 2013
- Figure 4 – The four levels of Cloud security
- Figure 5 – A 360 Degree Framework for Cloud Security