What are IT decision makers be focusing on?

Growing comfort levels in the Cloud lead to question “what’s next”; seeking modularity and external help

The priorities and concerns of CIOs and their IT departments are of much wonder to those looking to service and work in the industry.

For the past several years, the Cloud Security Alliance has surveyed its members and audience with these main 5 guiding questions in mind:

1. What cloud services are they using or planning to use?
2. What are the main concerns and threats anticipated with cloud migration or integration?
3. What compliance requirements (regulatory, jurisdiction of data, internal standards) are they subject to?
4. How are CSPs (Cloud Security Providers) evaluated and how can confidence in security be increased?
5. What controls have been implemented and what investments are most desired to manage risk? How can external certifications help?

Through analyzing our survey results, we have noted three important points in time: 2013, 2015, and 2016. 2013 is marked by security concerns and uncertainty, 2015 by the realities of implementation, and 2016 by growing comfort levels with the cloud, to the point where complexity and cost are still an issue, but not as much as what lies ahead.

Many organizations have or are looking to outsource their cloud needs (whether planning, compliance, monitoring, or implementation). According to analyst Gartner, 2017 is also likely to see an uptick in enterprises looking to manage public, private and hybrid cloud resources from a multitude of providers, as their digital transformation efforts in this area continue to mature and evolve.

Gartner¹ notes that; “While public cloud usage will continue to increase, the use of private cloud and hosted private cloud services is also expected to increase at least through 2017”

Our own survey validates this claim, noting that spending and deployment in all models is up. The Community cloud may be saturated while the Public cloud grows steadily. The survey supports that the Hybrid cloud is being adopted aggressively and could overtake private cloud quickly.

It is not difficult to find any number of articles touting hybrid cloud as the future. The 2016 survey results leave no doubt, with current deployments rising to 47% from 28%. The results support Gartner’s statistic incredibly.

Interestingly, Hybrid cloud is the most complex deployment model, and yet plans were being made to adopt it during the period signifying the implementation phase when the biggest concern of cloud adoption was with integrating it with existing IT operations. Perhaps businesses realized that cloud adoption was not as simple as the sales pitch made it seem but plowed forward anyways. Also, they may have found public cloud unsuitable, presumably for security or compliance reasons, while private cloud remained prohibitively expensive or simply against the reasons why cloud adoption was sought in the first place.

It would be worth looking into the ROI on both the customer and CSP end for hybrid investment. CSP and cloud consultant/architect marketing focused on flexibility and customized solutions. Companies are looking for CSP’s with a more integrated approach, with the providers of controls being more able to contract out verification and testing of those controls.

The survey comments that customers seem ready to move to the cloud in spite of negative experiences. Data breach or loss is always the top concern. Threat related to shared systems are more critical than against cybercrime or malice, with the exception of malicious insiders. Even fewer have experienced losses due to cloud adoption. However, it is unlikely that even a data breach stopped cloud migration in most cases due to the nature of the process of cloud adoption: significant research time and preparatory work has already been done. There is some cross-analysis of data that suggests that firms that experience a breach and/or legal issues are more concerned with the lack of ability to measure security services and a lack of transparency or ability to perform audits.

The following are four data points highlighting the attitude of the industry in 2016

1. Noted demand for procedural, iterative frameworks that use period-of-time monitoring with an emphasis on continual compliance demanded in atmosphere of rapid deployment and regulatory changes. Service offerings with continual monitoring of the baseline configurations is essential
2. Organizations more responsive to improved security controls and transparency, although approaching the point of information overload. There appears to be a high demand for managed solutions
3. Compliance more important than ever – regulatory requirements, jurisdiction of data, privacy laws. Internal standards codify unique requirements. Compliance requirements have never been the top concern related to cloud adoption, but they are critical and serve as blockers to full or even partial implementation
4. Privacy and security concerns fall both due to the industry responding to the 2013-era concerns, and because the same concerns are being expressed in much more concrete ways. As more and more organizations use the cloud, regulatory frameworks serve as a simple way of verifying the impossible up and down the chain of clients and vendors (of one sort or another). The shift towards internal standards are taking some of the guesswork out of these issues. The issues dealing with the unknown (risk management and complexity) are leveling off as technologies mature and organizations and vendors gain experience. This sort of trend may repeat itself as the “next big thing” (hybrid cloud?) comes along.

 

Three anonymous online surveys

1. Nov 2012 – Jan 2013 (Refer to as 2013)
   • 107 responses from CSA chapter members worldwide and ISSA (Information Systems Security Association) chapter members in Seattle area
2. Oct 2014 – Feb 2015 (Refer to as 2015)
   • 134 responses from above as well as Seattle Technical Forum
3. Oct 2015 – May 2016 (Refer to as 2016)
   • 272 responses from CSA, Cloud Talk, and SIM (Society for Information Management)

¹http://www.gartner.com/newsroom/id/3443517