Recent comments by David Mundell, the Under Secretary of State for Scotland, claimed that cloud computing is vital for Scotland’s economic growth.
11 In fact, his comments are not isolated, as many others in public office across the globe see the potential benefits that cloud computing can have on the macroenvironment such as the economic conditions for an entire nation. This not only refers to the potential cost savings that the technology can have on prospective customers, such as those highlighted in the M-Cloud implementation, but also includes the wealth generation (including new jobs) by such services. It is intended to focus on the macro benefits that cloud can bring, and then
analyze some real-world implementations of cloud deployments to focus on the micro benefits felt by customers.
Macro Benefits of Cloud Computing
To really understand the level of expectation placed upon cloud computing, one only has to read the recent report published by the European Commission entitled “Unleashing the Potential of Cloud Computing in Europe.”
12 Within this report, it anticipates the potential impact of cloud computing could result in “EUR 45
billion of direct spend on Cloud Computing in the EU in 2020 as well as an overall cumulative impact on GDP of EUR 957
billion, and 3.8
million jobs, by 2020.” Of course, to achieve such forecasts there are a number of key actions that the European Commission have identified need to be addressed. This includes not only resolving some of the market challenges associated with cloud computing, but also implementing policies that are regarded as “cloud friendly.” This includes the need to establish a digital single market. It is forecasted that the implementation of cloud-friendly policies would generate an estimated EUR250bn in gross domestic product (GDP) by 2020, whereas failure to implement such policies would yield a return of EUR88bn. Further, the cumulative impact of implementing such policies equates to EUR940 between 2015 and 2020; this is in contrast to EUR357bn with a no-intervention strategy. Such estimates are based on research conducted by the International Data Corporation (IDC) on behalf of the European Union in the report entitled “Quantitative Estimates of the Demand for Cloud Computing in Europe and the Likely Barriers to Take-up.”
13In terms of the specific policy actions required to realize such enormous economic benefits within Europe, the following have been identified as enabling a “cloud proactive environment”:
▪ Harmonizing data protection and privacy protection regulation across the European Union, so that CSPs and users are sure that the same regulations are respected, no matter where the data are
▪ Clarifying data jurisdiction regulation and providing European Union-wide guidelines about which laws apply to data stored in the EU MS
▪ Promoting common standards and interoperability of cloud systems, so that portability of data and processes between cloud vendors is possible and lock-in in proprietary systems is prevented
▪ Establishing clear and harmonized principles around CSPs’ accountability and liability for security breaches, no matter which country they are from
▪ Developing European Union-wide certification of cloud service vendors on their security and data protection arrangements and compliance with main regulations, to build trust in the offerings; this is specifically requested by the public sector, where ensuring compliance is a priority.
Subsequent chapters will focus on many of these requirements in greater detail; however, these concepts are introduced here to highlight the potentially enormous macro benefits the cloud can yield. Indeed, outside of these staggering sums of money, the potential benefit in terms of jobs can be as much as the creation of 2.5 million extra jobs.
Such a positive economic forecast shows exactly why in Europe so much attention has been placed on the creation of a cloud-friendly environment.
The macro economic opportunities that cloud computing represents is of course one potentially benefitting many geographies, and not only Europe, and its importance on the future economic prosperity has led to the development of policies enabling it a cloud proactive environment. Other government bodies that have focused their efforts on maximizing the benefits of cloud computing include the Australian Government. In their May 2013 “National Cloud Computing Strategy,”
14 three core goals were identified in order to realize the “promise of cloud computing.” These three goals are
1. Maximizing the value of cloud computing in the government
2. Promoting cloud computing to small businesses, not-for-profits, and consumers
3. Supporting a vibrant cloud services sector
Modeling cited within the strategy expect that the “increased adoption of cloud services across the Australian economy would grow annual GDP by $3.3 billion by 2020.”
What this and other cloud computing strategies published by government bodies demonstrate is that the cloud will generate economic opportunities for nations. Although the number of cloud-related jobs is expected to increase, it is worth noting that fulfilling such roles may prove somewhat problematic. The reason for this was demonstrated by a recent study undertaken by the IDC and sponsored by Microsoft that showed over 1.7
million jobs related to cloud computing were unfulfilled at the end of 2012.
15 Indeed, further detail
16 into the research confirms the expectation that the number of jobs within cloud computing will increase significantly in the years ahead. Demand for information technology (IT) professionals who are “cloud ready” is expected to grow by 26% annually to 2015. Such growth will be experienced in specific geographic regions, in particular the emerging markets (Latin America, Central and Eastern Europe, the Middle East, and Asia Pacific), which are expected to account for 40% of all cloud-related jobs, and are predicted to grow at 34% annually to 2015. In Europe, Middle-East, Africa (EMEA), the growth is also impressive, with jobs expected to grow by 24% annually to 2015. Although it is predicted to account for a total of 1.4
million jobs, it is somewhat off the target set by the European Union (this of course can be attributed to the fact the European Union cited their potential growth to 2020, and as a best case scenario with the development
of a cloud friendly environment). In North America, growth for cloud-related jobs is expected to reach 22% per annum from 2012, to 2.7
million jobs by 2015.
The potential lack of skills represents a significant risk with regards to the realization of such global employment gains. In terms of the types of skills/competencies sought, respondents within the study were asked to rate the most important. The findings are rated in terms of importance:
▪ Risks and consequences of cloud computing
▪ Clouds impact on IT service management
▪ Steps to successful adoption of cloud computing
▪ Business and IT perspectives of cloud computing
▪ Business value of cloud computing
▪ Technical alternatives in cloud implementation
What this clearly shows is that the skills related to risk management, and ultimately securing cloud, are cited as the most important competencies for prospective cloud customers. This bodes well for the reader, because the intention of the book is to put forward the controls required to secure cloud computing. Consider the number of new roles, and the fact that determining the risk associated with cloud implementation is the most sought after competency, and the decision to buy, and read this book can be seen as an excellent investment.
While the previous studies have largely focused on the expected number of open jobs related to cloud computing, and indeed within certain geographies, we should provide evidence on the global demand for cloud computing. There are of course a multitude of reports forecasting varying degrees of growth; therefore, we were somewhat spoilt for choice in the proceeding paragraphs.
In 2011, Morgan Stanley published their Blue Paper examining the growth within cloud computing.
17 Forecasts from within the research identified the following.
Public cloud adoption: It is predicted that the workload within the public cloud could increase at a compound annual growth rate (CAGR) of 50% within the next 3 years. This prediction is based upon a series of interviews undertaken by the research team of 300 decision makers, whereby 51% expect to use public cloud within 3 years. This is up from the current 28%.
Server growth shifts to the cloud: More servers are expected to be shipped into public cloud infrastructures, an earlier forecast for example predicted at an annual compound growth rate of 60% (to 2013). This of course will be based on the transition of workloads from on-premise to public cloud environments. To give an example of the scale, in 2013, then Microsoft Chief Executive Officer (CEO) Steve Ballmer provided a rare insight into the operations of the largest cloud providers: “We have something over a million servers in our datacenter” he went on to say “Google is bigger and Amazon is a little bit smaller.”
18 Now of course this top-level figure fails to provide a breakdown over the specific functions of the servers. This does, however, put the scale of operations behind the likes of popular cloud services such as Hotmail, Azure, and Office 365 into context. Another way of looking at the scale is presented by Sebastian Anthony: “At roughly 200
watts per server, plus perhaps another 50
watts of overhead (cooling, distribution losses, routers), that’s a total power consumption of 250
megawatts—or around two terawatt-hours (TWh) per year. That’s about the same amount of power used by 177,000 average US homes (at 11,280
kWh per year). Assuming each server costs on average $1000 (some will be beefy, some will be wimpy), that’s $1
billion of capital expenditure—and that’s before you build the data centers. Data centers are usually priced by the megawatt, with modern data centers coming in at around $10
million per megawatt. 250
megawatts, then, equates to $2.5
billion.”
On-premise server growth on decline: Respondents anticipate spending on servers for on-premise installations to reduce by 8.6% over the next 3 years.
Beyond these forecasts, which of course by the time the book is published are likely to have been proven right or wrong, is also predicted continued growth for cloud computing. Analyst firm Gartner
19 anticipates a CAGR of 17.7% through to 2016, which would mean the market is expected to grow from $76.9
billion in 2010 to $210
billion in 2016. Examining the growth of public cloud even further, it is anticipated that growth will be mainly experienced within the infrastructure-related services, which will include IaaS. Indeed, IaaS will be the fastest category of growth experiencing a CAGR of 41.3% to 2016. In comparison, PaaS is forecasted a CAGR of 27.7%, and SaaS 19.5%. In terms of geographic regions most likely to adopt such services, North America leads the way accounting for 59% of all spending, followed by Western Europe (24%).
These forecasts are not likely to surprise many. During the research for this book, we found many varying examples forecasting the growth of the cloud across many, many sources. However, there are a number of potential barriers that threaten to derail the considerable growth of cloud computing. One of the major barriers according to a number of studies is security. A study by IDG Enterprise, for example, found that “two-thirds of IT decision makers see security as the primary barrier to cloud adoption.”
20 This is a recurring theme, with countless other studies all commenting on security as the major barrier to cloud adoption. The only difference between the various studies is often the total number surveyed, or the percentage that sees security as the main barrier, the one constant is that security is usually at the top of the list.
Cloud Computing—the Concerns
Developing a business case for cloud computing or any project will invariably call for practical information to measure the likely success of migration. This
includes the return on investment and the total cost of ownership; more on these shortly.
Failure to accurately incorporate such information and indeed ensure that the implementation of the solution meets the expectations set out in the business case is likely to result in some very uncomfortable conversations. There does appear to be an entire industry overselling the benefits of the cloud, and failure to undertake appropriate diligence and relying solely on the marketed benefits is not the best approach.
Such a business case should not only address the business metrics, but also consider that many businesses have identified a number of barriers toward cloud adoption. Many of these barriers are documented in the KPMG report entitled “Breaking through the cloud adoption barriers”
21 and are based on a survey of 179
CSPs to understand the perceived barriers to cloud adoption. As mentioned previously, the presentation of supporting figures underlining the financial benefits of cloud computing is imperative in the development of a business case, and indeed the findings from the survey would support this theory. Providers certainly believe that cost reduction is the single most important factor in any decision toward cloud adoption, with 60% of providers believing this being the main goal. Perhaps more insightful than this statistic is that only 39% of providers believed that customer expectations on cost reduction is realistic, which again reinforces points raised earlier.
While much of this chapter has focused on the benefits of cloud computing, there is no doubt that many concerns do exist. The survey identifies that many of the barriers toward cloud adoption surround security and privacy. This reinforces many earlier studies in which security is perceived as the greatest barrier toward cloud adoption, and explains why cloud security skills are perceived as so important. The top 10 perceived barriers are detailed in
Table 1.1.
Table 1.1
Perceived Barriers toward Cloud Adoption
Loss of control | 48% |
Integration with existing architecture | 41% |
Data loss and privacy risks | 39% |
Not sure the promise of a cloud environment can be realized | 28% |
Implementation/transition/integration costs to high | 28% |
Risk of intellectual property theft | 27% |
Lack of standards between cloud providers (interoperability) | 25% |
Legal and regulatory compliance | 22% |
Transparency of operational controls and data | 22% |
Lack of visibility into future demand, associated costs | 21% |
While the perceived barriers are likely to include some of the well-known concerns, the order may surprise many. Indeed, if we compare the perceived barriers with those that are reported by end customers, not only are there certain barriers not included within the top 10 above, but also their order in terms of importance does vary.
Security plays a recurring concern within multiple end-customer surveys regarding concerns/barriers toward cloud adoption, as do concerns about data privacy. Based on a survey of 489 “business leaders,” the PwC report entitled “The Future of IT Outsourcing and Cloud Computing”
22 asked a series of questions to respondents across multiple geographies, industry verticals, and company sizes relating to cloud adoption.
When asked about concerns regarding data security, respondents believed it represented the biggest risk to infrastructure in the public cloud. Indeed, 62% of respondents believed data security as either a serious or an extremely serious risk. In comparison, other concerns were not rated nearly as highly, with the next risk only garnering 40% of the overall response, which interestingly was data and systems interoperability. These findings align rather closely with the view of CSPs; however, the subsequent risks did not correlate as well. In particular, the next risks were data portability (41%), viability of third parties (40%), IT governance (39%), and service level agreements (35%). The third risk relating to data and systems portability is well documented within cloud computing, whereby the concern that migrating to one provider will lead to the customer being locked into that provider for the long term, which of course is very much related to the viability of the provider. What this means is that once a customer has moved to one particular cloud provider, and spent time and money transitioning their services to this provider, they will find it very difficult to move those services elsewhere. The motivation to migrate from a cloud provider may be due to a number of reasons: whether the provider is not meeting the expectations of the customer, has gone out of business, or for any other reason. History is littered with multiple examples where either these or other scenarios have resulted (we present a large number of these throughout this book) in the customer having to find an alternate provider. This concern may be the last thing potential cloud customers think of when considering which provider to engage with, because the Web site of the provider seemed so convincing, or the customer service team at the provider was so responsive and helpful, but it is important to consider the what if scenario.
Viability of Provider
This exact same scenario was played out for customers of Pano Logic, a provider of virtual desktop infrastructures and other cloud-related services. It was reported in late 2012
23 that customers had no indication or prior warning that any problem existed, that was until they could no longer access the services that they had
paid for. According to journalist David Marshall who reported on the story,
24 there was no formal announcement, and customers took to social media asking whether a problem did indeed exist. The concern was raised shortly after October 22, 2012, when the company sent their final tweet regarding a customer who was using their technology. Thereafter, there was complete silence. This led to rumors and conjecture with many voicing questions about the company, where customers took to social media with tweets such as “is panologic dead??” and “hello are you still with us?” Both Twitter and Facebook were used to ask questions about the company “because e-mail and phone calls were evidently going unanswered.” In fact, comments from the community seemed to suggest that there was indeed a problem, with one individual stating they had driven to the company’s headquarters only to discover it was “all closed up.” What we do now know is that the company failed in October of 2012, and in early 2013, another organization confirmed they had secured the rights to support Pano Logic customers, and will “help transition the customer base to a new platform.”
25This example demonstrates why the viability of the third-party provider can be considered such a major barrier toward cloud adoption, and does indeed go some way to explain the number one perceived barrier toward cloud adoption (as indicated by providers), which is the loss of control. If you are hosting services on-premise, then at the very least you will (or should) know that there are potentially some difficulties that may impact service. When migrating any service to a third party, whether that is a cloud provider or a traditional outsourcing company, there is always the risk that you have zero visibility as to the state of the provider as Pano Logic customers can attest to. However, financial considerations are not the only reason that the viability of a CSP can be impacted, as customers of MegaUpload can attest to.
Established in 2005 in Hong Kong, as an online file storage (and viewing) service, MegaUpload garnered an enormous user base. At the time of its service being shutdown, it was able to boast 180,000,000 registered users and at its peak was the 13th most visited site on the Internet. However, the service ceased amidst accusations the service facilitated large volumes of illegal downloads of copyrighted material, costing the owners of such copyrights at least $500 million in lost revenue. While we could dedicate this chapter, and indeed many of the proceeding chapters on the case, the impact on the end customer when its cloud provider is no longer viable is the focus of this particular section.
When the service was shut down by the US Department of Justice on January 19, 2012, authorities reportedly seized 25
petabytes of data. For customers, however, the issue was compounded when it was reported that a Dutch hosting company deleted data stored on 630 servers rented by MegaUpload, which led to founder Kim Dotcom calling it a “huge disaster.”
26 For those cloud customers breathing a sigh of relief in the belief that their data was not
among the purge, attempts by MegaUpload to acquire 1103 servers owned by Carpathia Hosting have at the time of writing not proven successful. In April 2013, MegaUpload reached an agreement with Carpathia to buy the servers and ultimately preserve the data stored. However, this was reported to have been blocked by authorities, forcing founder Dotcom to issue the following statement:
“The destruction of the LeaseWeb servers demonstrates the urgent need to reach a workable solution for data preservation as soon as possible, lest the 1103 servers currently in Carpathia Hosting’s possession meet the same fate,” it concludes. “We therefore respectfully urge the Court to reconvene the interested stakeholders and renew negotiations as quickly as the Court’s schedule permits.”23
What this and the earlier example clearly demonstrate is that when utilizing any third-party services, there is undoubtedly a loss of control, and should such providers experience financial issues, or indeed face the ire of regulators, the customer may indeed be the last to know. While, of course, there are many CSPs that remain entirely financially viable, and are nowhere near facing the actions undertaken by authorities as in the case of MegaUpload, there is no doubt that the attention these examples received has resulted in serious concerns. After all, as a cloud customer, the implications of not being able to access data could be the death knell for a business, and something Kyle Goodwin can attest to. Goodwin used MegaUpload as a backup service for his business as an Ohio videographer. However, the combined actions of US authorities and a hard drive failure have meant that Goodwin has lost “valuable commercial footage” and is forced to undergo a number of court hearings to recover these data. Despite the fact that his case is supported by the Electronic Frontier Foundation (EFF), it does demonstrate as a spokesperson for the EFF cited as “the virtually insurmountable burden on innocent users seeking to get their files back by asking the court to do a slow-walking, multi-step process that takes place in a faraway court. Most third parties are not in a position to attend even one court appearance, much less the multiple ones the government envisions.”
27