End user preferences for cloud suppliers Claranet research programme For more information: claranet.co.uk - twitter.com/claranet To book an appointment or to discuss our cloud services: Call us: 0845 355 2000 - Email: business@claranet.co.uk
Executive summary Based on the findings of Claranet s research into cloud adoption in the UK (see page 3, Marketing and Sampling), this white paper reports on the preferences that IT decision-makers have when looking for a cloud provider. It also poses reasons as to why these preferences exist. The findings of the research show that the evolution of a cloud approach to IT has reached a tipping point in the UK. A majority of UK-based organisations are now using IT-as-a-service in some form and even more plan to over the next 12 months. The strongest preferences expressed by IT decision-makers are for cloud providers that offer secure, private networks that commit to store data in either the UK or the EU. These services also need to be easily integrated within existing IT infrastructure and allow for data to be easily transferred between existing onsite systems and cloud-based infrastructure with minimal effort. These preferences are driven by a risk-averse approach from IT decision-makers who do not yet trust the cloud. Fears still exist around data security, privacy and sovereignty with the result that cloud is not being used to its full potential. Research shows that cloud adoption is dominated by functions and applications that are either less critical to the operations of organisations or that do not use highly sensitive data. Some of the largest benefits in cloud adoption can be found from using it for data storage and IT infrastructure, yet only a distinct minority feel confident in using the cloud for these services. As stated, enterprise grade organisations are looking for providers that can guarantee integration with all of their other IT. However, alongside an integrated service, IT decision-makers are seeking integrated accountability. As more and more IT services move to a pay-per-use model, working out who is responsible for what can become more challenging. Cloud suppliers that provide a full breadth of service, including network provision, stand to gain from this focus on integration and accountability of service. This white paper reports on the preferences that IT decisionmakers have when looking for a cloud provider. It also poses reasons as to why these preferences exist The importance of the network goes beyond integration when committing to any cloud service. Providing a resilient network that has the appropriate level of data protection is an essential element of any cloud solution. The third big driver from end users can be summed up in the word flexibility. Procuring IT on a pay-per-use service model is new for many people and procurement decisions being made today may not be appropriate in even a short period of time. Keeping technology in step with end user demands has always been a top issue for IT decision-makers and the cloud approach has evolved in part to better accommodate change. With the advent of a more flexible way to deliver IT, there are ever increasing demands for more flexible contracts, Service Level Agreements and termination clauses. The current economic circumstances of many organisations also adds pressure for more flexible agreements. Demands for flexibility also extend into the level of technical integration required by IT decisionmakers. A hybrid approach is now dominant for example, using a form of cloud computing like Infrastructure-as-a-Service (IaaS) for some areas but then keeping a traditional on-premise solution for data use in more operationally critical areas. A cloud service needs to easily integrate with onpremise servers, with data migration between the two being seamless. Agnostic hypervisors have also been noted to be an important element of the offer of a successful cloud supplier. This research provides a clear indication as to what IT decision-makers look for in a cloud provider. As the market for cloud-based solutions accelerates, the success of providers will be determined by how closely they follow the priorities articulated by respondents to this latest research.
Methodology and sampling In October 2011, Vanson Bourne conducted research on behalf of Claranet to determine cloud adoption and understanding amongst end users in the UK. The research polled 300 senior IT and business decision-makers in small to medium businesses (SMBs) and enterprise organisations. Of the 300 respondents, 18 per cent came from the IT and technology sector; 15 per cent from financial services, business and professional services and the manufacturing sectors respectively; and 12 per cent from the retail sector. The remaining 25 per cent comprises a mixture of professionals from the construction and property, wholesale distribution, entertainment, media and leisure, and utilities and telecoms sectors. Two thirds of those surveyed work in a company that is identified as a medium-sized business, categorised by the number of people employed there (between 100 and 1,000 employees). At the lower-end of this scale are small businesses, employing less than 100 people, and at the larger end, enterprise-sized businesses employing over 1,000 people. Both small and enterprise businesses account for 17 per cent of respondents respectively. How many employees work in your organisation? 17% 16% 67% Fewer than 100 employees 100-1,000 employees More than 1,000 employees Page 3
1. Reducing security risks Key findings: The research indicated that end users prefer cloud service providers that: Offer a secure private cloud service. Offer an integrated network and hosting service. Tailor their Service Level Agreements to meet specific data security concerns. It has been well documented that IT decision-makers have ongoing concerns regarding data security, privacy and sovereignty when it comes to procuring the cloud. However, what came through in this research is that it is one of the most significant drivers for preferences in choosing a service and supplier. Over half of the respondents to the survey (54 per cent) believe that cloud computing poses a greater security risk than traditional in-house infrastructure. More strikingly, 79 per cent would prefer to only use a private cloud solution (i.e. one that does not use the public internet to transfer data) if the costs were the same. Which of these statements best describes the way you feel about cloud computing? 12% 54% 33% Cloud computing poses a greater security risk than in-house infrastructure Cloud computing poses the same security risk as in-house infrastructure Cloud computing poses a lesser security risk than in-house infrastructure
To what extent do you agree or disagree with the following statement: If the cost was the same, I would prefer to only use a private cloud and not a public cloud to store my data 2% 3% 17% Completely agree 48% Agree 31% Not sure Disagree Completely disagree This cautionary approach is reinforced by the functions/applications that IT decision-makers are comfortable placing in the cloud. A majority (see page 6 for graph) were confident about the cloud only for functions that are not, by-and-large, considered essential for business operations, or do not involve handling the more sensitive types of data used by their organisations. Finally, respondents who use the cloud to some extent were asked whether they used a public, private or hybrid solution 58 per cent stated they used a private solution. It is clear that perceived risks to data are driving the type of cloud being adopted and the functions it is being tasked to undertake. More than any other factor, it is risk, or more accurately, avoiding risk, that is guiding adoption in the UK today. What type of cloud services do you use to meet your organisation s needs? 2% 4% 15% Private 21% 58% Hybrid Public Community Don t know The important issue to understand is that a cloud approach does not pose greater risks, just different risks Page 5
The fact that risk-aversion is a primary driver indicates a failure on the part of IT suppliers. Are there risks to data by adopting a cloud approach? Yes there are, but these are no more significant than storing and using data in traditional ways. Data loss and breakdowns in security or privacy were happening before people started using cloud. The important issue to understand is that a cloud approach does not pose greater risks, just different risks. The research suggests that the failure of IT suppliers to explain this is leading to organisations not using the cloud to best effect. Only 21 per cent of respondents felt confident in placing their IT infrastructure in the cloud and 37 per cent for storing their data. However, it is in using cloud in these two areas that enterprise organisations stand to make some of the best efficiencies in cost reduction, as well as increase flexibility and service quality. A lack of industry standards in explaining cloud services and in basic Service Level Agreements could be playing a significant part in the lack of trust prevalent amongst end users. Which of the following functions/applications do/would you feel confident in placing in the cloud? 100% 90% 80% 70% 60% 58% 55% 54% 52% 50% 47% 44% 43% 41% 40% 30% 37% 37% 32% 29% 25% 21% 20% 13% 10% 0% Email Web portal Web applications Advertising & online marketing services Data back-up/disaster recovery E-commerce web applications Collaboration applications IT asset management services Service management/help desk services Data storage IT operations management Office automation Workflow systems IT infrastructure Accounting & finance applications 1% 2% Niche vertical applications Other
A further issue is the use of what is regarded as cloud-wash in the market. Many providers apply cloud terminology to their products and services, when in reality the service offered does not differ significantly from more traditional forms of IT delivery. When confronted by a confusing array of providers, all claiming to be cloud but with different types of service offering, caution is a natural response. The UK seems, therefore, to be missing out on the increased efficiencies that cloud offers because over-emphasis on fears about data have deterred IT decision-makers. Preferred cloud service providers are likely to be meeting customer needs in two key ways when it comes to security. Firstly, and this will be discussed in more detail in section three of this paper, offering a private network is key for many IT decision-makers seeking a secure solution. Secondly, cloud providers need to have data security hardwired into all of their processes and need to demonstrate this in the Service Level Agreements made with their customers. Contracts should stipulate how data will be managed and protected and potential customers should be able to negotiate the details of service they need when it comes to data security. Enterprise grade organisations need tailored services from their suppliers. Many cloud providers veer away from tailored solutions and toward a mass commoditised style of service. Our research shows that for the enterprise at least, such an approach will only have a limited value. Cloud providers need to have data security hardwired into all of their processes and need to demonstrate this in the Service Level Agreements made with their customers Page 7
2. Secure sovereignty of data Key findings: The research indicated that end users prefer cloud service providers that: Are transparent about where customers data resides. Store data in the same country in which the customer operates. Have their data sovereignty commitments clearly detailed in their Service Level Agreement. An end user preference that is linked to the issue of data security is where the data is actually stored. In the survey, 67 per cent of respondents stated that the location of data was important when deciding on a cloud provider. Delving further, 87 per cent said they would be reassured if the data was stored in the United Kingdom, 44 per cent reassured if it was stored in the wider European Union and 33 per cent reassured if the data was stored in the United States of America. This seems to indicate that cloud providers that can commit to storing data within a specified country (and in the case of British customers, within the UK) stand to have a clear competitive advantage over other providers that cannot do this. Concerns over data sovereignty and security are underlined by respondents, with 71 per cent stating that there needed to be greater EU regulation concerning data protection. How important is the location of your data when deciding which cloud service provider to use? 27% 40% 4% 7% 22% Extremely important Important Not sure Unimportant Extremely unimportant Concerns over data sovereignty and security are underlined by respondents, with 71 per cent stating that there needed to be greater EU regulation concerning data protection Would you be reassured, concerned or indifferent if your data was stored in: UK? 6% 7% 87% Reassured Concerned Indifferent
Would you be reassured, concerned or indifferent if your data was stored in: EU (excluding UK)? 30% 44% Reassured Concerned 26% Indifferent Would you be reassured, concerned or indifferent if your data was stored in: United States of America? 25% 33% Reassured Concerned 42% Indifferent The reasons for this preference are probably threefold. Firstly, IT decision-makers often wish to be able to conduct their own audits and spot-checks, so they can ensure their data is being stored and managed in line with contracts and Service Level Agreements. If data is not stored in the same country as the customer, these kind of checks become much harder to carry out. Secondly, data being stored in the same country as the customer is also a sign that support services will also be close at hand. The research found that nearly 60 per cent of respondents felt that it was important that the account management and service team should be UK based. While outsourcing to different countries can have major cost benefits, it can also create on-going issues due to separate time zones and language issues through having to work with non-native speakers of the end users language. The third reason is a legal one. Different legal jurisdictions create different levels of data privacy and also impact on the liability for any loss or damage to the service. So selecting the country where the service will be provided is a crucial part of the Service Level Agreement. The research seems to indicate that successful cloud service providers in the market will be the ones that can cater to these data sovereignty demands. Being clear about where data will be stored, including in the event of failover, being flexible on which legal jurisdiction the contract will be held under so as to meet customer concerns over privacy and liability; and making sure all of these commitments are detailed in a transparent way in the Service Level Agreement are obvious preferences that have been indicated through this research. The research found that nearly 60 per cent of respondents felt that it was important that the account management and service team should be UK based Page 9
3. Importance of the network Key findings: The research indicated that end users prefer cloud service providers that: Have a clear single line of accountability with their customer. Provide an integrated, secure private network alongside their cloud offering. Paying for IT-as-a-service removes the need for hardware asset ownership and allows for the use of infrastructure located externally to the organisation. This places a renewed emphasis on the network and its reliability. One of the key risk factors that respondents look to overcome is ensuring their internet connection (45 per cent stated this as a risk when taking a cloud approach), and 67 per cent of IT decision-makers had considered the role of the network in any cloud-based solution. An overwhelming 81 per cent felt it was crucial for IT managers to ensure the robustness of the network infrastructure to guarantee availability. Which of the following risk factors are most important when considering cloud services? 100% 90% 85% 80% 70% 72% 60% 50% 45% 44% 40% 36% 34% 33% 30% 29% 28% 27% 20% 17% 13% 10% 0% Data security Data privacy Dependency Internet access Confidence/reliability of vendor Cost of migration Enforcing contractual liability Complexity of migration Confidence in vendors business capability Vendor lock-in Confidence in the clarity of charges Knowing who to choose to supply service Lack of business case Lack of any advice from within the company 4% 3% 2% Lack of any awareness by IT suppliers Other
The network is clearly seen as integral to any cloud offer and is a major part of any transition to a cloud-based solution. This has opened up a market preference for providers that offer an integrated network and hosting service. The downside of not using an integrated provider is that there will be separate avenues of accountability in the event of a problem. When there are separate providers, getting to the bottom of a problem and finding a solution to a technical issue can be painful and more drawn out than it needs to be. The development of IT-as-a-service, especially if using a managed service provider where there is less day-to-day control of the technology by the customer, can make this situation even more complex. A big fear of many IT decision-makers expressed in this research has been a lack of control of the cloud service (46 per cent citing lack of control as an issue). Most IT decision-makers also felt that end-to-end accountability was the most important benefit of an integrated provider. Purchasing decisions are therefore driven to some degree by a desire to maximise the accountability of their providers, and that the network and infrastructure are fully integrated and optimised for cloud-based approaches. The demand for an integrated networking and hosting service is likely only to increase. As the research in this white paper shows, there is a strong preference for private cloud and that means using a network that does not involve the public internet. Cloud providers with their own existing private network will be at a distinct advantage as the cloud market matures. Most importantly, they will be able to demonstrate their integration experience, as well as provide a single line of accountability to their customers. Most IT decision-makers also felt that end-to-end accountability was the most important benefit of an integrated provider Page 11
4. Company credentials Key findings: The research indicated that end users prefer cloud service providers that: Prioritise industry accreditations when describing their service offering. Are selective over which cloud bodies to join to demonstrate industry standards. Enshrine service quality in their Service Level Agreements, which they are happy to negotiate with customers. It is not just the technology and the service on offer that are important to IT decision-makers. Respondents to the research were clear that they also look at the credentials of the cloud service provider when making procurement decisions. When asked what the most important traits in a provider are, respondents picked financial security (58 per cent), reputation (57 per cent), and experience (50 per cent). Which of the following are the most important traits that you look for when choosing a provider of cloud services? 100% Some quality assurance groups are little more than a marketing tool for their members 90% 80% 70% 60% 50% 58% 57% 50% 49% 40% 31% 30% 27% 21% 20% 10% 4% 0% Financially secure Reputation Experience UK-based Flexibility Solution set Breadth of services (cloud, network, consulting, etc.) Other Having financially secure suppliers is always important. However, the technology industry, and cloud providers in particular, are often recent start-ups with only a limited track record for potential customers to investigate to understand delivery experience. This poses a greater challenge for IT decision-makers, to make the right choice of provider in this new approach to IT delivery.
To help procurers, a plethora of industry bodies offering accreditations have come into being the value of which can be variable and in some cases creates more confusion than support. Some quality assurance groups are little more than a marketing tool for their members. However, the reputations of different bodies are becoming more established, and certification groups such as the Cloud Industry Forum (of which Claranet is a member) are standing out as the ones that can provide genuine industry advice and best practice to IT procurers. However, while industry bodies no doubt play a role, of greater importance will be the types and number of international accreditations that the cloud provider has secured. Most industry bodies base their certification on these standards anyway. Particular standards to look out for include: ISO 27001:2005: This is the only auditable international standard for information security management systems. The standard provides assurance to the levels of security provided by the cloud provider for a customer s data assets. This is particularly important when considering the heightened concerns regarding data in the market place. ISO 9001:2008: An internationally recognised standard, awarded to organisations that show understanding of their customer needs and are capable of developing products and services that meet those needs. Outside the IT industry, it is regarded as a stamp of quality in terms of internal processes followed by the organisation in question. Information Technology Infrastructure Library (ITIL): ITIL is a standard for IT service management, providing a best practice framework for IT providers to measure themselves against. Achieving this standard is particularly important for managed service providers, who take on more responsibility for delivery than providers of more basic level cloud services. Further to these industry credentials, respondents to this research felt there needed to be high standards in the Service Level Agreement to ensure quality of service. When questioned, IT decision-makers felt the most important elements of an effective agreement were service availability and resiliency (63 per cent), liability over data loss (49 per cent) and data ownership (43 per cent). Despite such a clear focus on these issues amongst end users, it is interesting to see that there is still a long way to go before Service Level Agreements are robust enough. Research produced earlier in 2012 by academics* found that there were many common clauses in a wide range of both off-the-shelf and negotiated cloud contracts that raise cause for concern. These include attempts by suppliers not to take liability for failure in service, Service Level Agreements that do not match the needs of the business, incompatibility with EU data protection rules, and the right of suppliers to change service features without notice. Research produced earlier in 2012 by academics* found that there were many common clauses in a wide range of both offthe-shelf and negotiated cloud contracts that raise cause for concern * W Kuan Hon, C Millard, I Walden, Negotiating cloud contracts - Looking at Clouds from Both Sides Now, Queen Mary University of London, School of Law, 2012. Page 13
What would be the most important elements in a cloud service provider contract to ensure flexibility to meet the changing demands of your organisation? 100% 90% 80% 70% 63% 60% 50% 49% 45% 43% 42% 40% 39% 30% 29% 22% 21% 19% 20% 13% 10% 0% Service availability/resilience Liability over data loss Data ownership Data location Data control Service resilience & termination Liabilities & indemnities Ability to break annual contracts Acceptable use policies Insurance Service transfer Other 1% A strong conclusion that can be drawn is that cloud providers are not doing enough to instill confidence in IT decision-makers. Ensuring a greater level of balance in the cost of failure to meet Service Level Agreements is a key area for improvement.
7. Conclusion The research findings highlight that risk mitigation is the major driver for enterprise grade organisations when selecting a cloud provider. This means that end users are not benefitting as much from cloud adoption as they might because cloud tends to be used in non-critical functions/ applications within the organisation. IT decision-makers prefer cloud service providers that respond to their cautious approach to data security and control. This is being achieved in a number of ways. Firstly, and most importantly, that private cloud is the preferred service within the cloud industry. Secondly, detailed and clear Service Level Agreements that address data ownership, controls and data transfer provide legal clarification and peace of mind for end users. Thirdly, clearly stipulating service availability and providing stronger resiliency through private networks means that end users trust that they will be able to access their data when they need to. Lastly, underpinning all of these areas is a willingness from the cloud provider to negotiate the Service Level Agreements to meet specific requirements. A commoditised cloud offer does not reassure end users that the service they have will meet their circumstances. A final critical consideration amongst end users when choosing a provider is the integration of accountability. This issue is set to increase as IT-as-a-service proliferates and outsourcing agreements become more complex as a result. Cloud providers that provide integrated network hosting and other cloud-based services stand to be well-positioned in the market place of the future. Page 15
About Claranet Claranet is a managed services provider with experience in providing managed IT infrastructure services since 1996. We provide network and hosting services for our customers, enabling them to focus on their core business, not IT management. The Claranet Group comprises 11 offices, 16 data centres and over 500 staff. Our international MPLS core network enables high service levels across 6 European countries and the US. We operate 24-hour network operating centres covering all countries. Claranet is carrier-neutral with a proven track record in delivering services. Our customers include Airbus, Channel 5, Amnesty International, De Vere Group, and WPA. Claranet strives for excellence and is committed to delivering the highest quality products and services. For more information: claranet.co.uk - twitter.com/claranet To book an appointment or to discuss our cloud services: Call us: 0845 355 2000 - Email: business@claranet.co.uk