Security, management and advantage in multicloud
Cloud computing can be complicated. Ensuring applications and workloads have the right supports, access and protections, as well as the ability to scale without bill shock, can be difficult.
When this is extended across multiple cloud providers, but with dependent interlinks too, things can get very messy indeed.
TechBeat, in association with Logicalis Ireland, sought to understand the challenges and opportunities facing Irish organisations in their cloud journeys, with a particular look at efforts to simplify and secure the multicloud environment, as it increasingly becomes the default approach for enterprises globally. The survey was carried out between November 2019 and early January 2020, with 103 IT professionals taking part.
Firstly, the survey sought to establish the levels of usage of the various deployments. More than a third (34%) said they use hybrid cloud primarily to manage business workloads and applications, this was followed closely by on premises infrastructure (33%), well ahead of private cloud (15%) and public cloud (12%). Just 7% of respondents said they are using multicloud as their primary approach.
This means a combined proportion of almost half (46%) of Irish organisations are already using public or hybrid cloud as their primary architecture for enterprise applications and workloads. That figure distinctly lags the global public and hybrid cloud adoption rates, which are well over half, and up to three quarters in some geographies.
“A third of respondents indicated they still utilise on-premises as their primary workload deployment architecture, which is much higher than what we’ve seen in other markets,” said Loman McCaffrey, sales manager, Logicalis Ireland. “While Irish adoption of cloud may be seen as lagging behind other countries, it’s not necessarily a negative thing. In Ireland we tend not to be leading edge in adopting technology, instead letting trends settle down and learning from the mistakes of the early adopters. As a result, when we do it, we do it right. Furthermore, Ireland typically runs leaner operations in terms of IT resources. With smaller teams, decisions can be delayed, but this leads to smarter decisions as more time is taken to consider what the next steps of cloud will be and if it’s right for the business.”
“So, the delay in Ireland in embracing cloud is partly intentional, partly strategic and partly economical,” said McCaffrey, “some businesses may have only invested or reinvested in the virtualisation of hardware in the last number of years so are, understandably, unwilling to throw out that investment just yet.”
With the extent of public and hybrid cloud usage, the survey asked if there was a preferred public cloud vendor. While 40% said they had no preferred vendor, Microsoft Azure was the leader by some margin at more than a quarter (27%), ahead of AWS (17%), Google (7%) and IBM (4%). Other came in at 5%, and mainly listed smaller cloud platform providers.
The lack of a preferred vendor may reflect a certain maturity in the market, insofar as where a requirement arises, an evaluation process would establish the best fit, rather than going to a default provider. This correlates with McCaffrey’s wider experience in the market.
“We do find that a proper cloud strategy isn’t typically linked to a single hyperscaler, and as customers mature in their understanding and acceptance of what is right for their organisation, it shouldn’t matter where their workloads sit,” said McCaffrey. “If you take the right approach – considering security, deployment and automation – your structure could span multiple cloud providers. It doesn’t need to make it more complex, but it can make the deployment and development more effective. The last thing businesses should focus on is where the workload sits; instead you need to consider and define what you and your data needs. It’s also important to remember that no two workloads are the same, even within a single organisation, and it is no longer relevant to say ‘30% of our workloads are with this hyperscaler so let’s move everything there’. By using multiple providers, you get what you need for each workload, you remove limitations and you increase your chances of cloud success.”
The survey asked about what percentage of workloads or applications are held in the cloud, with respondents asked for their best estimate. Just 4% said none, with nearly a third (29%) indicating that between 1 and 20% of workloads or applications were held in the cloud. Nearly a quarter (24%) said 21-40%, with 13% indicating 41-60%, 15% indicating 61-80%, while 13% said 81-100%.
A little surprisingly, 3% indicated they did not know how much of their organisation’s workloads or applications were held in the cloud. Just 12% of respondents do not expect their organisations to move more workloads or applications to the cloud in the next 12 months, leaving nearly nine out of 10 (88%) who do. Of that strong majority, more than a quarter (28%) expect to increase by up to 20%, just less than a quarter (23%) expect an increase in the range of 21-40%, 17% expect a rise of 41-60%, 9% expect a rise in the range of 61-80%, while a significant 12% expect a rise in the range of 81-100%, or a more or less complete migration to cloud platforms.
McCaffrey acknowledges that not everything belongs in the cloud, and admits that some workloads have also been repatriated, but affirms the general trend reflected.
“While there are some that have moved workloads back out of the cloud, no customer is saying ‘we’re not putting more into the cloud’. The cloud journey is a continuous process that needs to be reviewed and improved to make it cheaper, faster, more agile. If an organisation decides to move into the cloud and does nothing further to develop, they are missing the opportunity it presents,” said McCaffrey.
With such momentum behind the move towards public, hybrid and multicloud, respondents were asked about their cloud strategies. Just 9% said they had none. Some 42% said their cloud strategy was adequate, or a work in progress, with nearly a quarter (24%) saying it was well defined, and enabling business success. Somewhat less (18%) said it was focused on reducing costs and outsourcing infrastructure management. One in 10 said their strategy was focused on driving CapEx to OpEx and focusing on as-a-service consumption. Almost a fifth (19%) said that a digital strategy was driving cloud adoption to accelerate innovation.
On the negative side, 14% thought of their cloud strategy as outdated or limiting to their business, but 13% said their strategy was fragmented, with each department or project determining its own needs.
“Clearly, a lot of organisations continue to work on their cloud strategy,” said McCaffrey. “Cloud, as a deployment architecture, is rarely fully understood, well-resourced or effectively managed. People, by in large, tend to adopt a ‘cloud-first’ approach, but we encourage a ‘cloud-right’ mentality. We all know that the right cloud brings many benefits for the right workloads, so the first stage should be deciding which workload are suited to the cloud with consideration given to compliance, security, accessibility, data recovery capabilities and so on. So, the reasons for moving workloads need to be right. It’s not a one-size-fits-all approach.”
“I think there is another element to this in that those who see cloud strategy as just adequate may not be fully understanding the benefits that can be achieved with cloud,” he added. “A common challenge for a lot of organisations is to measure and report on the benefits that cloud may or may not be bringing. Some of the measures, such as security or availability, can be quite binary and easy to measure. Others, such as agility and flexibility, may not be as easy to measure.”
“Where cloud is used as part of a solution to address a business challenge,” said McCaffrey, “the rate of success may not be captured outside that business unit. So, part of the problem here in terms of strategy is fully understanding what cloud can do and measuring its success. It has to be more elaborate than ‘it’s going well’ -there needs to be proper scoring and benchmarking processes in place and these need to be established from the outset.”
One issue that is recurrent in any discussion of cloud platforms is compliance. Perhaps surprisingly, 16% said that maintaining compliance with regulatory requirements across cloud environments was not a focus for them currently. Almost half (47%) said it was vital in their industry and a key consideration in cloud migration, while almost a quarter (24%) said it was important, and they could probably build a report of such if required. Some 14% said they employed specific staff and tools for such purposes.
While a combined 71% specify regulatory compliance across their cloud estate as important or vital, it is still surprising how many do not regard it as a focus area. It begs the question if ignorance is a factor.
McCaffery says there is no reason that cloud cannot be used as a vehicle to increase compliance, but that understanding requirements is necessary first, and then designing solutions that meet them.
“Compliance needs to be a cornerstone and incorporated from the beginning in a ‘Secure by Design’ led approach, as opposed to a bolt-on or a blocker to cloud adoption,” he said.
With the strong intent to increase cloud usage comes a cost. Respondents were asked for their best estimate as to how much their organisations were planning to spend on cloud services, investments and technologies in 2020. Just 3% said nothing, and 23% said they didn’t know. The largest proportion to indicate a figure (23%) said in the range of €100,001 to €500,000, followed by 17% who said in the €50,001 to€100,000 range, 16% in the €10,001 to €50,000 range and 6% in the €1 million to €3 million range. Interestingly, 2% said they would spend €5 million plus in 2020.
The average amount that Irish enterprises will spend on cloud services, investments and related technologies on 2020 is €487,405, McCaffrey observes.
“Spending on cloud services, investment and technologies needs to be viewed as a long-term investment and one that will serve the entire organisation,” he said. “It also needs to be viewed within the context of your organisation — while it would be impossible for a two-person team to spend this, for others it’s a drop in the ocean. The vital thing is that organisations are spending money, whatever the amount, on the right solutions for their individual requirements.”
Technology partners are important agents in the cloud plans of most organisations. Some 43% of respondents said they engage with a technology partner to help manage cloud or multi-cloud services, as it simplifies cloud management. In a multi-choice option, 39% also said they did so as there was a lack of in-house knowledge and skills. For 13% of respondents, a technology partner was responsible for leading their cloud and technology strategy. However, a just over a fifth (21%) said they did not engage a technology partner for such functions. For the 4% who said other, some indicated that such support came directly from the cloud platform providers.
“As the march to cloud continues,” McCaffrey observed, “the management of a company’s IT estate continues to rapidly expand beyond its internal capability and classic IT departmental structures. This has made the engagement of external providers to manage day-to-day IT the norm as companies looking to harness the true power of cloud are increasingly leaning on the expertise and know-how of the service provider community. There is a recognition that the move to cloud can be complex and a wrong decision when not identified quickly and can become costly, so experience of having done it before is imperative.”
“Another challenge with which organisations struggle is translating business challenges into technology solutions and specialists can help with this. More and more, line of business people are being asked to drive innovation and can benefit from assistance into finding technical solutions to address these business challenges.”
There are still some concerns about how spend and utilisation of cloud assets are managed. More than one in 10 (12%) report they don not know enough about cloud to manage spend and utilisation for cloud assets, with a further 13% saying there is no inter-departmental communication in relation to cloud spend and utilisation.
With that said, 42% said they actively manage the environments to optimise utilisation and spend, while 23% cross-charge internally and track budget utilisation at the department/project level. Almost a third (31%) say they negotiate hard on agreements then pay the bills arising, while 17% say they have teams tracking spend on each cloud environment individually.
“From talking regularly to Irish businesses,” McCaffrey reports, “cost management is a huge area of concern and a major challenge to cloud adoption. Internationally we have seen a huge uptake in interest in cloud cost governance processes and tools which help companies control and optimise their cloud spend. And while this is clearly a huge concern for organisations deploying cloud, we were surprised only 42% of the respondents indicated that they actively manage cloud environments to optimise utilisation and spend. Of course, when organisations get the approach right and can prove the return, this tends to free up more investment.”
There is an air of familiarity to the main barriers and challenges to increased cloud adoption expressed by respondents. In a multichoice question, more than half (56%) still express security concerns, some way ahead of a lack of in-house knowledge and skills (38%). Budget constrains did follow closely (37%), as did data compliance concerns (35%) and lack of visibility of all workloads or applications (32%). A lack of cloud understanding and perceived lack of control both were expressed by 25%. Though still a significant proportion, only 20% said a lack of buy-in from senior executives or board members was a cloud barrier. Among the 12% who specified other, some indicated that there were no barriers to cloud adoption, while other appearances were legacy systems, lack of cloud strategy and concerns of exit strategies, particularly for data.
Security is still a major concern for enterprises across the Irish market, McCaffrey acknowledges.
“While there are other barriers to increased cloud adoption, security concerns clearly dwarf all the others as a challenge for CIOs, CTOs and CISOs. There is a perception that cloud applications are not as secure as on-premises. With skills in this area being in short supply, those who want to find a barrier to cloud adoption will default back to security,” he said.
“Ironically, we find the opposite to be true. We work with clients to develop a secure-by-design cloud architecture, and often we find their security controls and posture is more effective in their newer cloud architecture than in their original on-premises infrastructure. Unfortunately, it is often the case that when customers come to accept this, they also realise that their move to cloud could have been accelerated and they may have potentially lost momentum.”
This perception around security feeds into the perceived benefits of increased cloud usage.
In a multi-choice response, almost two thirds (61%) highlighted enhanced flexibility and remote working capabilities, with half (50%) specifying improved end user experience, and enhanced back-up and disaster recovery (48%). Application performance optimisation was a benefit seen by 42%, with greater control over compliance achieved by 33%, and the ability to prioritise workloads by 32%. Enabling artificial intelligence was specified by 12%, with just 4% saying there were no specific benefits achieved.
Within this, 39% said they had enhanced security. Perceived benefits have shifted in recent years, McCaffrey reports.
Normally the key benefits would have been around reducing costs and increasing profits, he says, but now businesses are looking beyond that and realise that there are other benefits that support their performance and results.
“Of course, employers are increasingly prioritising accessibility to allow staff to work remotely. This also helps with attracting and retaining staff, not to mention widening the pool of potential recruits with relevant skills on a global scale. In a way, organisations see two sets of customers: those consuming their products or services and those providing them. The flexibility that cloud offers goes beyond internal employees and also includes external customers. Moreover, it is a long-term flexibility that enables them to scale resources as needed, such as during the festive period for retailers.”
Respondents were asked what their organisations’ main concerns were when it came to cloud security. Asked to select all that applied, the clear leader was cloud associated data breach (70%), followed by human error (60%). Permanent data loss came in at 44%, followed closely (43%) by denial of service. Relatively closely behind was compliance violation (38%), with drop back to account hijacking (30%). Insecure interfaces (28%), loss of data to the dark web (24%) and insider attacks (20%) were grouped closely. Under other (5%), adulteration of data and cloud provider going out of business were highlighted as security concerns.
Cloud security as the primary concern is consistent with McCaffrey’s experience, where the prospect of reputational damage is perhaps the key organisational and governance risk tracked by the board.
“While it’s not surprising that human error is one of the top concerns,” said McCaffrey, “we are surprised that this seems to be an area that is neglected in terms of addressing the issue. I think companies act faster when it’s a technical problem, as opposed to a human one. This is despite the fact that companies can easily provide training and awareness to reduce this risk.”
McCaffrey notes the concern over dark web data exfiltration.
“This is a hot topic at the moment, and as many people are providing solutions, there are as many working on the dark side and hacking customer data that has huge value. It’s a massive industry.”
“But while there is an awareness of threats like phishing, sometimes people forget to relate it to their day-to-day lives – that’s where the danger lies and that’s why it’s so important that all organisations, from the smallest to the largest, should have a clearly defined IT security strategy that protects the availability, integrity and confidentiality of the company’s information and that includes people, processes and IT systems.”
When asked about the IT environment which poses the greatest risk, unsurprisingly, public cloud led (38%), followed fairly closely (31%) by on-premises infrastructure. Some way behind was multicloud (16%), trailed by hybrid cloud (9%) and private cloud (6%).
Again, McCaffrey emphasises the right measures for the right needs. “By applying an approach whereby solutions are identified based on specific requirements, the right solutions will have the level of security,” he said.
In terms of security incident response, more than a quarter (27%) said very experienced individuals in the security team were well informed to respond. Just less (26%) said response was reactive, as incidents arose. A fifth (20%) said there was a standardised and automated incident response to a high degree. Some way behind this (13%) said documented workflows allowed a consistent incident response, while the same proportion said there was no incident response plan in place. Don’t knows were at a reassuring 1%.
McCaffrey warns of response plans that may too narrowly focused and advocates a risk-based approach.
“It’s vital to fully understand the commercial impact of exposure; it’s not just loss of production and reputation, you could end up unable to process payments for a month, for example, and this could cause significant damage to your business,” he said.
A final multi-point question found the following:
• Integrated cloud security plan in place: yes 45%, no 55%
• Greater worry over cloud security threats in coming 12 months: yes 74%, no 26%
• In-house IT team have the requisite skills/knowledge to effectively manage cloud workloads: yes 41%, no 59%
• Have tools and processes to manage a multi-cloud environment: yes 28%, no 72%
• Currently deploying workloads/apps across multiple cloud environments: yes 57%, no 43%
• Visibility over all organisation workloads in the cloud: yes 50%, no 50%
• Plan to use automation in 2020: yes 61%, no 39%
• Plan to use AI technologies in 2020: yes 40%, no 60%
In conclusion, what emerges is that Irish organisations are rapidly adopting cloud technologies, and hybrid and multicloud are a significant and growing proportion of this. However, there is also an underlying pragmatism that tempers this wave, learning from more advanced markets, and benefiting from provider knowledge and experience.
While security remains a concern, overall, the risks appear to be well known, and to a certain extent, understood. Management of these environments is understood to be challenging, and the willingness to engage and partner with technology partners and platform providers, again, reflects a pragmatism about how to leverage such capabilities without necessarily having the entire capability to manage in-house.
The results overall, are encouraging of an industry that is aware of the benefits, and the risks of the various cloud environments, but is working hard to ensure that requisite needs are met, while exploring the possibilities of emerging capabilities and technologies to gain competitive advantage.