Across all UK industry sectors, the major IT initiatives of 2011 were aimed at reducing costs and improving
operational efficiencies – server virtualisation and desktop virtualisation were near the top of most enterprise CIOs’
priority lists, as budgets and head-count were frozen or reduced. Now, however, as we move into 2012 and
firms plan for the future, CEOs look to IT to support business initiatives: they want to use IT to improve sales and
customer service performance, for example by using web-based applications internally and e-commerce to boost
external sales. The problem? All these initiatives rely on IT infrastructure and operations, which in many enterprises
have been starved of investment. To solve this problem they will need to use cloud computing technology,
which has the potential to lower IT costs and at the same time improve agility and flexibility. How can it do this?
Cloud technology makes it possible for IT to deliver new servers in minutes rather than months, and to purchase
computing and storage only when they are needed and to pay for only what is used. However, cloud services are
not without risk: they must be planned and implemented with due care.
2. TECH:TOUCHSTONE | Cloud Computing 2012: Security is the key to unlocking business benefits
Executive Summary
Across all UK industry sectors, the major IT initiatives of 2011 were aimed at reducing costs and improving
operational efficiencies – server virtualisation and desktop virtualization were near the top of most enterprise CIOs’
priority lists, as budgets and head-count were frozen or reduced. Now, however, as we move into 2012 and
firms plan for the future, CEOs look to IT to support business initiatives: they want to use IT to improve sales and
customer service performance, for example by using web-based applications internally and e-commerce to boost
external sales. The problem? All these initiatives rely on IT infrastructure and operations, which in many enterprises
have been starved of investment. To solve this problem they will need to use cloud computing technology,
which has the potential to lower IT costs and at the same time improve agility and flexibility. How can it do this?
Cloud technology makes it possible for IT to deliver new servers in minutes rather than months, and to purchase
computing and storage only when they are needed and to pay for only what is used. However, cloud services are
not without risk: they must be planned and implemented with due care.
Cloud Computing: the one and only future of IT, or just another tool
in the box?
It is generally agreed that cloud computing technology is the future of IT: a research study carried out in July 2010
by Portio Research for Colt, entitled “European CIOs and Cloud Services”, reported that 86% of the 353 European
CIOs surveyed believe that cloud services will be the operating method of the future. Some pundits think that
cloud computing will entirely replace IT as know it. Nicholas Carr, in his book the “Big Switch”, uses the analogy of
the public electricity grid to predict that:
“The entire computing industry is going to be turned on its ear. Instead of buying new computers,
companies will just subscribe to various software services served up online for a low monthly fee”.
Cisco Systems quotes the CTO of one of the largest states in the US as saying that:
“Five to ten years from now, I don’t foresee that our DCs will exist in their present form…We just don’t
have the scale to be cost effective.”
However, most users disagree, and regard cloud as just another tool in the box. According to Portio, the majority
of CIOs say cloud will have no impact of the number of internal servers. Forrester Research’s Q3 2010 Hardware
survey found that over half of decision makers expected expenditure on both long term hosting and on-demand
IaaS to stay about the same over the coming twelve months. Why is this? Two major issues dominate:
• Firms are not ready to adopt cloud technology. To benefit from cloud, IT departments need
standardised operating procedures, fully automated deployment and management, self-service
access for developers and deployers, and business units sharing the same infrastructure. In 2010
Forrester Research Inc reported that only 5% of enterprises were in that position.
• Immaturity of cloud services. Many of the cloud services marketed in 2010 and early 2011 were
the same old hosting services rebranded as cloud – a phenomenon known as “cloud-washing”.
The newer services that were genuinely cloud lacked maturity – they were offered without SLAs,
and generally did not adequately address key performance and security issues such as reliability,
availability, data protection, regulatory compliance, and data recovery on contract termination.
02
3. TECH:TOUCHSTONE | Cloud Computing 2012: Security is the key to unlocking business benefits
Cloud Computing is poised for rapid growth
2012 looks to be the year cloud computing will take off in UK enterprises. In November 2011 Tech:Touchstone
surveyed the delegates attending its UK Virtualisation/Cloud Computing Executive Summit. The survey revealed
that cloud computing already has a significant share of UK large organization IT budgets: the firms surveyed are
now spending 10% of their IT budgets on cloud computing services, and plan to increase that number to 28% in
the next 2 years. However, behind this average 10% figure there are two types or organizations: those that have
embraced cloud as an important part of their future strategy and those that are still on the starting blocks. 43% of
delegates surveyed were spending less than 1% of their IT budgets on cloud; the remaining 57% were spending
on average 18%. The survey also confirmed that making the business case for cloud is becoming easier: earlier
this year 60% of delegates at the June 2011 Tech:Touchstone Virtualisation/Cloud Computing Executive Summit
with a zero spend on cloud were unsure of the financial benefits of cloud computing; now that figure is down
to 27%.
Figure 1
Top Reasons for zero budgets on cloud computing
“If none of your IT budget is spent on cloud
computing services today and no firm plans for
next 2 years, why not?”
Base: Sample taken from Tech:Touchstone delegates – UK CIOs/senior IT Managers
Source: Survey of delegates attending the Tech:Touchstone 2011 Virtualisation/Cloud Computing Executive Summit,
November 2011
Security issues dominate firms’ thinking on Cloud
Many organizations are finding that security is the initial obstacle they must overcome to unlock the benefits of
cloud computing. To find out what was holding back the reluctant 43% who had no firm plans for using cloud
computing services, we asked them what they were worried about; 67% responded that they had technical or
security concerns (See Figure 1).
We conclude that security concerns are a major barrier that hinders and delays firms from entering the cloud
world; the survey also confirmed that cloud security is an issue for those already spending IT budget no cloud
services. In fact security is the top topic about which both existing adopters and firms new to cloud computing
firms seek information and help (See Figure 2).
03
4. TECH:TOUCHSTONE | Cloud Computing 2012: Security is the key to unlocking business benefits
Figure 2
Top Virtualisation/Cloud Product/Service Interests
“Please indicate which of the following type(s) of
Virtualisation/Cloud products/services you currently
have a specific interest in.”
Base: 40 UK CIOs/senior IT Managers
Source: Survey of delegates attending the Tech:Touchstone 2011 Virtualisation/Cloud Computing Executive Summit,
November 2011
The survey confirmed that security concerns underlie all firms’ strategies for adopting cloud services. Of the
organizations surveyed:
• 69% reported that they had a specific interest in cloud security products and services. Firms are
looking to outside expert vendors to help them find the right security solutions to meet their needs.
• 67% of delegates were interested in private cloud services. Private cloud is a solution which has
the benefits of cloud technology without the security risks inherent in public cloud, so this confirms the
degree to which security is a top concern.
• 46% were interested in hybrid cloud/public cloud services. Private cloud is not seen as the only
way forward; almost half of firms would like to use hybrid or public cloud, once they can be convinced
that these clouds can be made secure enough for each appropriate application.
• 39% are interested in cloud based communications services. Public cloud-based email, instant
messaging, and unified communications (such as Microsoft lync on-line) are all growing in popularity;
adequate security is the key to the future take-off of these services.
04
5. TECH:TOUCHSTONE | Cloud Computing 2012: Security is the key to unlocking business benefits
Security is the top challenge holding back
Cloud adoption
What is holding back cloud adoption? IDC carried out a survey which asked end user firms to rate cloud
computing implementation challenges described as “significant”. Of the end users surveyed:
• 89% listed Security. According to IDC, “Security is top of mind for the vast majority of IT
organizations looking into public cloud delivery models”.
• 88% cited Performance. According to Easynet, almost 60% of Europe’s CIOs believe that can
migrate to cloud services without any updates to their corporate networks.
• 85% mentioned Availability. The furore over the April 2011 Amazon EC2 outage suggests that some
major firms are buying cloud services without adequate consideration of availability.
All the delegates attending the Tech:Touchstone November 2011 Virtualisation/Cloud Computing Executive
Summit emphasized the need for a solid business case – cloud projects will be compared for financial return
with every other potential investment that a firm could make – but most considered that this was no longer a top
challenge for them.
Security issues dominate firms’ thinking on Cloud
IDC research carried out for VMware in 2011 found that EMEA end-users are subject to stricter compliance and
governance regulation than their U.S. counterparts, with additional complications due to the fragmented territory
and strict data protection directives. Even when solutions are identified to security issues, IDC concluded that
there is still a clear psychological barrier in knowing that data and applications reside physically somewhere else.
Gartner summarises the issues as follows:
• Risk of data loss. Sensitive data processed outside the enterprise brings with it an inherent level
of risk.
• Regulatory compliance issues. Customers are ultimately responsible for the security and integrity of
their own data.
• Data location. When you use the cloud, you probably won’t know exactly where your data is hosted.
• Data segregation. Data in the cloud is typically in a shared environment alongside data from other
customers.
• Recovery. Ask your provider if it has “the ability to do a complete restoration, and how long it will take”.
• Investigative support. Investigating inappropriate or illegal activity may be impossible in cloud
computing.
• Long-term viability. Ideally, your cloud computing provider will never go broke...
Performance is overlooked in planning Cloud strategies
In a report on telecomseurope.net in May 2011, Easynet CTO Justin Fielder was quoted as saying that:
“CIOs must realize that the ability to deliver to end-users is a vital element of any cloud strategy.”
The performance of an application running on a server in the cloud depends on several factors:
• The server capacity allocated to the application. Cloud solutions are often used where the number
of end-users is either highly variable or unknown; adequate server capacity is key to providing
acceptable response time.
05
6. TECH:TOUCHSTONE | Cloud Computing 2012: Security is the key to unlocking business benefits
• Server location and application design. The speed of light may seen impossibly fast, but ‘chatty’
applications written with no regard for server location can involved hundreds of messages for every
response, and will perform badly if the server is hundreds or thousands of miles away from the
end-user.
• Network bandwidth. Inadequate network bandwidth acts as a throttle, requiring packets to queue
for delivery. In the case of private clouds, this issue can be solved by providing sufficient network
capacity; in public clouds it is more difficult. Public internet performance is highly variable and rarely
covered by SLA; however the biggest bottlenecks are at international gateways and users can
generally minimise performance issues by using a cloud service provider with a data center in their
own country.
Availability requires diligent purchasing of Cloud services
In April 2011 Amazon had a significant service outage of its Elastic Cloud Compute service (EC2), which affected
more than 70 firms’ public-facing web services including parts of the New York Times. However, the outage only
impacted one of Amazon’s data centres; Amazon offers a service called “Availability Zones” where users can
specify that their service is provided by a back-up data centre if the primary fails, so the fault lies with the end user
not with Amazon, for failing to think about back-up services in their enthusiasm to use to cheaper external provider
of web services. End-users generally have back-up plans for critical applications provided in their own data
centres; when moving these applications into the Cloud they need to purchase resilient services with the same
diligence that they would apply to outsourcing their own internal IT.
Plan your Cloud Strategy to suit your
business needs
The time to act is now: all firms should put in place a cloud strategy. According to the Verdantix/Carbon Disclosure
Project published in July 2011 report entitled “Cloud Computing, the IT solution for the 21st Century”, by 2020
69% of US $1billion-plus enterprises’ IT budgets for infrastructure, platform and software will be spent on cloud
services, compared with 10% today. The top benefits cited by Tech:Touchstone summit delegates in our survey
were cost-efficiency, agility and flexibility; however there are many others; you should start by asking what your
business needs from IT. We suggest using the following three imperatives to help you plan your cloud strategy:
Imperative 1: Adopt a strategy based on business need
First you need to assess your business priorities: these will vary from firm to firm. For example, Citigroup’s Paul
Stemmler says:
“Carbon reduction is one driver, but not the primary driver. Our primary driver is time to market.
Developers used to take 45 days to get new servers, but in our virtualized private cloud environment, it
takes just a couple of minutes.”
For Dhritiman Dasgupta at Juniper Networks, the drivers for cloud computing can be summarized as cost,
resiliency and efficiency. Other end users have different priorities; for example Matthew Dines, Head of Group IT
Strategy & Architecture for Aviva, says:
“We see the cloud as reducing the administration and headache side of IT, allowing our leadership to
focus on things that are critical to the business”
(Quotes from the Verdantix/Carbon Disclosure Project July 2011 report entitled “Cloud Computing, the IT solution
for the 21st Century”.)
06
7. TECH:TOUCHSTONE | Cloud Computing 2012: Security is the key to unlocking business benefits
In summary, start with a business case assessment of applications where you want to use cloud, then:
• Plan to replace obsolete systems so you can virtualise all your servers
• Complete standardisation, virtualisation and automation projects to take full advantage of cloud
services.
• Add automated systems management to start to build an internal cloud
Imperative 2: Start simple and build from there
According to 451 Group, the most popular places to start are web applications, test and development, and
collaboration:
• Use public cloud services for your public web apps. Delivery is via the Internet anyway, so security
is already addressed. You can scale up to meet demand, deal with peaks cost-effectively, and only
pay for what you need.
• Test & Development is often a good place to start using public cloud services. You are not dealing
with live data, and need speed of deployment and flexibility. You can use role-based access control
(RBAC) deployment tools, and build to practices that automate promotion to QA, then production.
• Collaboration uses the cloud for delivery. Email is where most firms start in moving collaboration to
the cloud, when they wonder whether they really want to operate their own Exchange server, or to
use a vendor with greater scale and expertise. Instant Messaging often follows, and then SharePoint
and many firms are looking at Communications-as-a-Service tools such as Lync on line.
Imperative 3: Work with a partner that you trust
Find a provider that can add value to IT’s approach by using professional and managed services to plug your
organization’s skill gaps. According to Forrester Research, the top attributes that firms look for in selecting a cloud
service provider are that they:
• Offer competitive pricing
• Offer performance level assurances/ SLAs
• Understand my business and industry
• Can move cloud offerings back on-premise
Tech:Touchstone summit delegates in our survey indicated that their top choice for a provider of cloud services
was a global Systems Integrator such as IBM or HP; second choice was a global telco such as Orange or Verizon.
Both these types of vendor certainly have the in-depth skills and services, including security services, to meet end-
user needs; however they may not always be the most cost-effective or most flexible. In summary firms should
purchase cloud services with exactly the same diligence and skills that they would apply to negotiating an IT
outsource contract.
Appendix A: Methodology
For this study, Tech:Touchstone conducted an online survey of a sample of 40 participants at its November 2011
Virtualisation/Cloud Computing Executive Summit, held at the Richmond Hill Hotel. Delegates included UK-based
CIOs and other IT decision-makers directly involved in their organization’s architecture, management, and/or
operations strategy decisions, in UK and global organizations in both the private and public sectors. The online
survey provided to participants included questions about their strategy, priorities, adoption, budgets, and preferred
suppliers for virtualization and cloud computing products and services.
07
8. TECH:TOUCHSTONE | Cloud Computing 2012: Security is the key to unlocking business benefits
If you are involved in Information Security initiatives for your organisation
why not have a look at our Information Security Executive Summit
being held in Richmond, Surrey on 28th-29th February 2012.
RICHMOND HILL HOTEL. SURREY. 28-29 FEBRUARY 2012
Or our other Executive summits:
Join the Techtouchstone Group
to keep updated on the latest industry news, white papers and events.
Follow us on
08