Cloud First. Two simple words, but the approach is now well and truly ensconced into the architecture of many organizations across the world. The desire to migrate quickly towards cloud computing appears to be on the agenda for most organizations. This year the average time before respondents thought their IT budgets would be 80% cloud-based was 15 months. We can still see some dark clouds on the horizon. It is evident that the lack of cybersecurity skills is having an impact on cloud adoption for organizations of all sizes. Previous concerns about the lack of trust in public clouds seem to be dissipating compared to the responses in 2015.
Perhaps one of the reasons that a Cloud First approach is moving ahead is that incidents are decreasing. More practical issues dominate, such as interoperability, transparency of data movement, public cloud operations.
In September 2016 Intel Security surveyed over 2,000 professionals for its annual cloud security research study. This includes approximately 100+ cloud end user executives from Saudi Arabia and UAE.
Usage of hybrid cloud jumps dramatically from 19% to 57%
The past year saw a dramatic shift in cloud architecture, from private-only or public-only to predominantly hybrid. Utilisation of private-only was significantly reduced, from 51% last year to just 24% this year. Public-only architectures also recorded a big drop, from 30% to just 19%. The majority 57% are running a hybrid public-private architecture, up dramatically from last year’s 19%. This shift to hybrid architecture was accompanied by a significant decrease in the average number of cloud services in use, which dropped from 43 in 2015, to just 29 in 2016, as organisations appear to be consolidating their cloud applications and services. Overall, 93% of those surveyed are operating some type of cloud services in their organisation.
According to the survey data, cloud usage was lowest in Japan, with 23% stating they were not using any cloud services. This does not appear to be a trust issue, as the Japanese respondents were not any less trustful of public cloud than the average. It appears to most likely be due to security workforce issues, as the most common concern about using cloud services in Japan was the skills required by IT security staff.
By industry, utilisation of cloud services was lowest in government 27% and education 19%. This appears to be related to trust and control issues in both industries. Governments were least likely to consider their data safe within the public cloud. Educational institutions were least likely to think that the public cloud is secure from hackers. Both industries were concerned about their ability to maintain identity and access control.
By industry, use of private-only cloud was highest in engineering 30%, primarily due to compliance concerns, and government 29% organisations, due to trust and control issues, as mentioned above. Purely private cloud infrastructures were lowest in services companies 16%, due to concerns over IT security skills, and media organisations 17%, who had issues with insufficient visibility of their security posture.
Public-only usage was highest in services companies 28%. Pure public cloud usage was lowest in insurance 9% and retail 12%. Retailers, not surprisingly in their price-competitive industry, were primarily concerned about costs. The top concern of insurance companies was compliance, specifically the location of cloud service providers’ datacentres and data stores outside of the country of operations.
Private-only cloud usage remained highest in the GCC including Saudi Arabia and United Arab Emirates 30% and Mexico 28%. GCC organisations were much more concerned about public cloud costs and the ability of cloud service providers to meet service level agreements than average. Mexican organisations were also concerned about meeting service level agreements, but their top concern was protecting sensitive data as it moves to and from the cloud, well above the rest of the group 54% vs 34%.
Japan had the lowest usage of private clouds, at just 7%, once again due to higher than average concerns about staff security skills.
Public-only usage remained highest in Australia 33% and Canada 32%. Australians were primarily concerned about the challenges of having consistent security controls integrated across both traditional and virtualised infrastructures. Canadians were primarily concerned about maintaining compliance across hybrid services. Pure public cloud usage was lowest in Brazil 4%, Mexico 8%, and the UK 10%. Brazilians have the highest usage of hybrid architectures, at 74%. Mexican organisations are high private cloud users, as mentioned above. In the UK, low public cloud usage appears to be predominantly a trust issue, as they reported the lowest opinions of the public cloud’s abilities to maintain identity and access control, and to keep their organisation’s data safe and secure from hackers.
80% organisations now following a cloud-first strategy
More than 80% of the organisations surveyed stated that they are now following a Cloud First strategy, where priority is given to applications that can be purchased as a service or deployed in the cloud over requiring hardware and physical servers and systems to be deployed in the datacentre. Those with a Cloud First strategy believe that their IT budgets will be 80% cloud services in less than 12 months, while those without such a strategy think it will be closer to 20 months.
The rate of cloud investment and adoption continues to be significant, but overall organisations do not seem to be getting much closer to the point where 80% of their IT budget will be comprised of cloud services. Comparing last year’s responses, the average number of months until they think this will happen dropped from 16 months to 15 months, indicating last year’s respondents were overly- optimistic. The cloud skeptics in the UK reported the most significant year-over-year change, from 28 months to 21 months, showing that their comfort with cloud is improving, but leaving them still the laggards in this study.
The Germans, ranking among last year’s skeptics at 18 months, are much closer to this year’s average, reporting that they think this shift to predominantly cloud will take 16 months. The Australians now think their cloud migration will take a little longer, from 11 to 13 months. Perhaps most notable, the percentage of IT professionals who stated that they do not think their IT budget will ever be 80% cloud was cut by half, from 12% in 2015 to just 6% in 2016.
Data in public clouds as secure as in private cloud
There appears to be an improving perception of public clouds. Overall, respondents see public cloud as more likely to deliver the key benefits stated below over private cloud. The majority believe that a public cloud is more likely to deliver lower total costs 59%, provide better visibility of their data 54%, and keep their data safe 51%. Respondents indicated they believe data in public clouds is as secure from hackers as it is in their private cloud.
Only 15% respondents say they do not have a skills shortage
The ongoing shortage of security skills is continuing to affect cloud deployments. Almost half of the organisations report that the lack of cybersecurity skills has slowed adoption or usage of cloud services, possibly contributing to the increase in Shadow IT activities. Another 36% report that they are experiencing a scarcity but are continuing with their cloud activities regardless. Only 15% state that they do not have a skills shortage.
By country, the skills shortage is worst in Japan, Mexico, and the GCC, and also in engineering and telecommunications firms. Engineering firms are most likely to have slowed their cloud adoption plans due to the lack of security skills, with more than 60% reporting this. The largest organisations are least likely to have a shortage, and as a result are also least likely to have slowed their cloud adoption plans.
Respondents who distrust public clouds drops from 50% to 29%
A strong indicator for the improving perception of public clouds is an organisation’s willingness to store sensitive or confidential data there. Almost 85% of professionals surveyed report they store some or all of their sensitive data in the public cloud. Almost a quarter 23% completely trust it to keep their data secure, a strong increase from 13% in 2015. In addition, the total of those who distrust public clouds dropped from 50% to 29%.
The most common type of data stored in the cloud is personal customer information. This appears to be influenced by online business models. Industries with a high proportion of online transactions are the most likely to store their customer data in the public cloud, such as utilities 79%, services 73%, insurance 65%, and finance 64%.
Government organisations were more likely to keep staff information 66% than customer information 59% in the cloud. Media and entertainment companies, not surprisingly, were most likely to keep proprietary and internal company information in the public cloud, which encompasses their product and service offerings such as music, videos, and other content.
PaaS now in use by 40% respondents up from 21% last year
Cloud services are available in three primary options: SaaS, IaaS, PaaS, and organisations can use any combination of these, in both private and public variants. The shift to a hybrid public-private architecture has been accompanied by a strong increase in organisations adding PaaS to their mix of cloud services. Overall, PaaS is now in use by 40% of organisations surveyed, up from 21% last year. PaaS usage and hybrid architecture are strongly related, with more than half of those running a hybrid architecture also using PaaS as part of their cloud services. This year’s investment plans are 66% SaaS, 64% IaaS, and 59% PaaS, which is consistent with their relative usage rankings.
Make public clouds more secure
Addressing concerns and increasing public cloud adoption requires some additional work, from both cloud service providers and security vendors. Reducing the cost is the number one action that providers can take to increase adoption. However, the next four are related to protecting data in the cloud and in transit and controlling user access.
Cloud providers and security vendors must work together to address these critical issues:
- Enhancing the ability to protect data in motion and within cloud applications
- Providing greater assurance that data remains under the owner’s control
- Enabling stricter access and identity management
- Delivering greater transparency
Organisations are consolidating cloud usage with top tier providers
Organisations continue to experience issues related to data loss with their cloud service providers. While the incidence of actual breaches declined a small amount, unauthorised access to data or services was cut in half, to just 10%, and credential theft also dropped, from 13% to 10%. This could be related to the reduction in the overall number of cloud applications and services in use. Organisations are consolidating their usage, especially with the top tier service providers, which are gaining market share at the expense of smaller service providers. The top tier providers, such as Amazon, Microsoft, Google, and Salesforce, have been improving their security posture and expanding their security resources, increasing the differences between them and smaller cloud service providers.
High costs-poor value is now the number one operational issue that IT professionals have experienced with their cloud providers in the past year, and poor customer service is number two. Compare this to last year, when difficulty migrating services or data, which is now in fourth place, was the top issue. Lack of visibility into cloud provider operations is now the top technical issue, although it has not changed much over the past year. Poor availability and uptime has moved up into the top five, increasing from 17% last year to 22% this year.
The pressures of speed, efficiency, and cost will push more applications and data outside the trusted network and into a service provider’s clouds, where those benefits can be realised. The growth of cloud services and movement of sensitive data between private and public clouds means that those services will become increasingly valuable as targets of attack. As enterprises cloud-enable their operations, gaps in control, visibility, identity, and security are the most likely paths to data breaches. Integrated or unified security solutions are a strong defense against these threats, giving security operations visibility across the cloud services in use and which data sets are permitted to traverse them.
Data in transit top concern for SaaS
SaaS users were most concerned about protecting sensitive data moving to and from the cloud, understandable given that half have experienced a malware infection from SaaS applications and a quarter have suffered a data breach. The second most common concern of SaaS users was cost, reinforcing how mature these services are becoming. Security operations concerns were similar to those using other types of clouds, including data compliance, advanced threats, and identity management. Ability to meet service level agreements and departmental Shadow IT cloud use rounded out the list.
SLAs and datacentre location concerns for IaaS
IaaS users’ top concern this year was integrated and consistent security controls, followed closely by concern about staff security skills. As organizations adopt Amazon, Google, or Microsoft infrastructure services, their security teams are having to adapt to the new shared responsibility model. Working with multiple services makes it more difficult to ensure that policies are configured and enforced consistently across multiple environments.
Security concerns do not appear until fifth on the list, which may imply responders were slightly more comfortable with IaaS provider’s security operations than general operational issues. Operational concerns about the provider included inability to meet service level agreements and location of datacentres. Top security operations concerns were: maintaining compliance, identity and access management, and dealing with advanced threats.
Key takeaways
- Government more likely to keep staff information 66% than customer information 59% in cloud
- Industries with high proportion of online transactions most likely to store customer data in public cloud
- Majority 57% are running a hybrid public-private architecture, up dramatically from last year’s 19%
- Media and entertainment companies most likely to keep proprietary and internal information in public cloud
- Only 15% respondents state that they do not have a skills shortage
- Organisations are consolidating cloud usage especially with top tier service providers
- PaaS now in use by 40% respondents up from 21% last year
- Private-only cloud usage remained highest in the GCC 30% and Mexico 28%
- Public-only architectures recorded a big drop, from 30% to just 19%
- Public-only usage remained highest in Australia 33% and Canada 32%
- Pure public cloud usage was lowest in Brazil 4%, Mexico 8%, and UK 10%
- Pure public cloud usage was lowest in insurance 9% and retail 12%
- Purely private cloud infrastructures were lowest in services companies 16%, and media organisations 17%
- Reducing cost is the number one action that providers can take to increase public cloud adoption
- Respondents believe data in public clouds is as secure from hackers as it is in their private cloud
- Respondents who distrust public clouds drops from 50% to 29%
- Shift to hybrid public-private architecture accompanied by strong increase in PaaS
- This year’s investment plans are 66% SaaS, 64% IaaS, and 59% PaaS
- Those with a Cloud First strategy believe their IT budgets will be 80% cloud services in less than 12 months
- Top tier providers Amazon, Microsoft, Google, Salesforce, gaining market share at expense of smaller providers
- Use of private-only cloud was highest in engineering 30%, and government 29% organisations
- Utilisation of cloud services was lowest in government 27% and education 19%.
- Utilisation of private-only was significantly reduced, from 51% last year to just 24% this year
Excerpted from Building Trust in a Cloudy Sky, The state of cloud adoption and security by Intel Security.