TheInfoPro, a service of 451 Research, has released its semi-annual report on cloud
computing, which surveyed 100 IT professionals from February through May of
2013. While the results predict the explosive growth of enterprise cloud
projects, non-IT roadblocks are on the rise.
Peter ffoulkes, TheInfoPro’s Research Director for Cloud
Computing, hosted a webinar about the survey on September 17. TechRepublic had
the chance to speak with him by telephone about the survey, and the people and
process issues that enterprises are facing in their cloud deployments.
Key takeaways:
- 68 percent of respondents said they had non-IT roadblocks: 37 percent said “organization and budget,” 16 percent said “buy-in, resistance to change,” and 15 percent said “trust: reliability and visibility.”
- Additional roadblocks, each at 10 percent, were: “security policies,” “regulation and compliance,” and “people and time.”
- Roadblocks are increasing because we are still in the early stages of cloud deployment
- At the end of 2012, only a third of respondents were “sufficiently virtualized.” Virtualization process will last into 2015
- Companies are finding the cloud deployment process is harder than expected
- Staff members need to be aligned and educated during cloud deployments
- Financial services industry leads others in cloud adoption
- Enterprises need cloud expertise; IT pros need to learn new skills and adapt
- Concerns about visibility and reliability are slowing down cloud adoption
- Security is a “speed bump,” compliance is a “wall”
- Cloud security depends on adapting practices to a new model and effective implementation
- Companies have realized that the physical location of their data in the cloud can become a regulatory issue
TechRepublic:
What are the major non-IT roadblocks in your survey and why are they
increasing?
Peter ffoulkes:
Let me take it at first at the top level, why they are increasing, and then
we’ll go down and look at what the issues are. The reason they are increasing,
I believe, is that we are still very much in the early stages of cloud
computing deployment.
Cloud computing deployment process
Although it has been hyped for some time, there’s actually
quite a lot of preparatory work that people need to do before they can really
use cloud architectures in a fully-functioning production environment. This is
a multi-year journey, and the first stages really have to do with just getting
your data centers and IT systems consolidated and standardized, and in most
cases virtualized. And as of the end of 2012 we still had 61 percent of our
respondents who were at the stage of working on that consolidation,
standardization and virtualization.
Most people are looking to get, in their x86 environments,
between about 80 to 90 percent of their workloads virtualized. Most respondents
are not at that level yet. About a third of the people that we spoke with at
the end of 2012 were at the stage of “sufficiently virtualized.”
That means another quarter will come on in 2013, and that
only takes you up to 50 percent. And so in 2014 and 2015, there will still be
people working on just qualifying their workloads in a large enterprise
environment.
And most people will have to get that done before they can
move to cloud, even internally. And we’re talking largely private cloud at this
point, more so than public cloud services for large enterprise customers.
Once they’ve done that, there’s a sort of automation level
that they need to work through and an orchestration level where you have to
make policy-based decisions about what can be done. That once again is a stage
of development that most people have to get through before they can really go
to a fully cloud-based environment.
One of the reasons that the non-IT roadblocks are increasing,
is that as people get into this, they’re finding out that it’s harder than they
thought. Not only do they have to find the right technologies, but they also
have to get their people educated and thinking in the same way.
Organization and budget
So, if we start looking at the non-IT roadblocks, then 37
percent of people said it was “organization and budget.”
Part of it is the alignment of people, and part of it is
that if you’re going to move to a cloud-based architecture, you’ve got to have
the people agreeing to do it, you’ve got to get people to say, yes, this is the
right thing to do. Not everybody will do that.
Then you’ve got to have the resources, you’ve got to have
the funding. You often have to upgrade your computing systems, which is usually
part of the virtualization journey. But typically the x86 systems are not as
good in a cloud-based environment as the more modern ones, so there’s often a
refresh of systems that takes time, people and money.
It depends also on where people are. If one looks at the
financial services market, these guys are banks. They have lots of money. They
know how to make money, and those guys are often on the leading edge of things.
And they’ve realized that, by moving to a cloud-based model, they can save
money. So they’re willing to invest so they can save money and be more
competitive at the same time.
On the other extreme, if we look at something like the
defense industry, which is usually based around government contracts, these
guys are like, we want to get there—we don’t even know if there’s going to be
money to spend. We depend on the government and Congress to fund certain
initiatives and make other things happen so that we can get money, and we
can’t spend money on ourselves until we’ve got a revenue stream coming in.
So there are a number of political conditions, global,
macro-economic considerations that are slowing down the process for a number of
companies.
Buying in and resistance to change
That’s one roadblock. The next one that came in was sort of
“buying in” and “resistance to change.” This happens in a lot of different
ways. We’ve had a look at some organizations, where people will say—but we’re
the IT department, if you put everything in the cloud, our jobs will go away!
Now, in a lot of cases that isn’t actually true. Usually what happens,
especially in the better organizations, is that people realize they need IT
expertise.
But, instead of just running around, swapping out all its
provisioning servers, etc., they can be better used to do things above the
mundane processes that can be automated. So they’ll actually focus on
supporting users, developing new applications, getting new things up online
faster so that business becomes more productive.
But very often it’s not so much that you’re going to get rid
of people because you’re going to move to a cloud-based architecture, but
you’re going to have people doing more important business. Those people often
need to learn new skills, and that sometimes takes time. Sometimes people resist
learning new things, and sometimes there’s a change in control when this
happens. And that can also cause people to do political infighting. So that’s
one of the issues, although it’s not the major one, but it is there in some IT
departments.
But much more often, you’ve got people, if you like, users
saying the old systems work just fine. We paid for these servers, we want to
keep our stuff. We don’t want to move to a new model if we don’t have to. So
there’s a lot of education that needs to happen, that’s causing people to
resist change, really those that have convinced themselves that the current
system works for them, and they don’t really understand or value that things
might be even better.
So there’s an educational element, getting people to accept
new things. And this is part of the people, process thing, also with the
technology, it’s just—technology moves pretty fast but people don’t. I have
been doing this the same way for the last five years, why would I change?
Trust: Visibility and reliability
Then the next one, which we’ve called trust, described as
“visibility” and “reliability,” that was about 15 percent of the people. That
comes down in the areas of, if I am going to put my stuff into a new system,
how do I know what’s happening? If I know that my application is sitting on a
particular server over in a particular building, I know what’s happening, I can
get reports on it.
But if I just say, I am going to sign up for a service, and
you’re going to supply it, and I don’t know which servers I am getting, I don’t
know whether I am getting the best quality, I don’t know if it will work to my
requirements. How do I know that?
Now, that basically requires quite a lot of tooling, so that
people can actually measure service levels, so they can tell they’re getting
the quality of service that they want, that they’re getting it at the right
level of reliability, that they’re getting what they paid for, or what they’ve
signed up for. And a lot of those tools either are fairly immature, or they’re only
slowly being implemented, because there are so many other things going on.
But essentially what it comes down to is there’s got to be a
change. Is my life going to be the same, is it going to get better, or is it going
to get worse? And there needs to be a feedback mechanism to prove that, and
once again there’s an education and there’s access to technology to do that.
And it doesn’t help, that you keep getting reports in the
news of, oh well, Netflix service went down because Amazon had a glitch. Or
some other cloud service provider had a glitch and something went offline for
many, many hours. And so people look at those things and because it’s new and
unfamiliar, there’s a lack of trust. And so those things are sort of inhibiting
the whole industry.
Another thing that has happened, and once again this is sort
of a typical thing in technology. There’s a whole bunch of stuff going on in
news recently about a storage cloud provider called Nirvanix going belly-up.
And they’ve basically said, we’ve lost our funding, so we’re going to have to
shutter the doors in two weeks. So if you’ve got your data in our service,
that’s too bad. That’s a little alarming for people.
It’s perfectly typical. We’ve had technology companies going
belly-up ever since technology was invented. And it’s a typical thing with
start-ups, they get moving and they do fail.
But these kinds of things, in any new area, cause people to
switch from, wow this is a great opportunity to, hmm, should I be risk-averse
here? And once again, it’s not just visibility of technology, it’s the
reliability of the service, the company underpinning it, and—is this the safe
thing to do?
And that will cause line of business people who are
responsible for moving their IT department to say, if you’re taking us to a new
cloud offering, how do we know it’s going to work, are we going to be exposed?
Am I going to get a lot of heat from upper management, because of something you
do? And that slows down the process of getting approvals.
TechRepublic:
Could you summarize the different categories of non-IT roadblocks and the
percent of respondents who identified them?
Peter ffoulkes:
Yes, out of the people who said they had non-IT roadblocks, it was 68 percent of the
total number of respondents, which was effectively two-thirds. From that, 37
percent, just over a third, indicated “organization and budget” issues as their
primary roadblock. Sixteen percent were in the “buy-in, resistance to change”
category. Fifteen percent were in the “trust: reliability and visibility”
group.
Now, beyond that, there were three others, all at ten
percent. They were: “security policies,” “regulation and compliance,” and then
“people and time.” So, even if we cut the budget, we’ve got to have the people,
we’ve got to have the time, and that’s slowing us down.
But if we go back to security, and regulation and
compliance, those are very important areas. A colleague of mine very accurately
said, security is a “speed bump,” compliance is a “wall.”
TechRepublic:
A wall? (laughs)
Peter ffoulkes:
A wall, yes. That’s also very current and pertinent. So the security thing, we
keep getting news items about people getting hacked, etc. Now, this is just as
much a problem for people inside their own companies, as it is for public cloud
companies. So it isn’t necessarily saying that people think public cloud
companies are insecure. In fact, many of them have better security than many
people doing their own IT.
So, the issue is not really about, are you secure or are you
not. That’s a problem for everybody. But it’s really that companies have their
own security policies, and they’ve got their own internal mechanisms by which
they manage security and of course they’re going to have all sorts of liability
risk issues, if they don’t manage security properly, whether it is because
their customers lose confidence or whether they can be sued. So they’ve got to
look at security very properly and manage that.
And basically there are a couple of things happening. The
first thing is that as people are moving into this virtualized arena, a lot of
security used to be done by managing how people got access to individual
computers, all the identity management and access.
That changes when you go into a virtualized world, or a
cloud-based world, where your virtual machine, or your virtual application
stack can move from hardware system to hardware system. So there’s a much more
complex and difficult way of having to implement security, even if you are
doing this internally inside your own organization.
So that is, although it is technology related, you then have
to look at your security policies and ask, well, how do I implement them in
this new world?
When you then start looking at going outside to a public
cloud provider, the first question is what sort of policies does that external
provider have? How do I make sure they are compatible and meet the minimum
standards that I need in my own organization? And do they have the tools in
place to keep an eye on that and audit it and make sure that it meets the
standards that I personally have?
So it’s not necessarily about whether it’s secure or not
secure, but how is that security managed, how do I implement my own security
policies in this cloud environment? Especially when I have to go outside of my
own organization. So that’s clearly a headache for people, it’s difficult.
Regulation and compliance
Regulation and compliance, however, is still going to
require good security and other things, but if you’re in the financial services
industry, you’ve got certain regulatory requirements that must be met. And if a
cloud provider cannot meet those requirements, then it cannot even be
considered as an option.
Healthcare has similar kinds of things that need to be met.
So whatever system you’re doing, whether it’s private or public, needs to meet
those things.
Some things that come up are not industry-specific, but
they’re related to in which state the data reside. Certain industries will say,
your data must reside in our state. That also can be a problem, especially for
going into the public cloud, because that means there has to be a data center
available in that specific state. And the data must not move outside of that
state.
That isn’t necessarily the case if you’ve got a public cloud
provider that works on region, and says we’re going to give you disaster
recovery and protection availability zones. But to do that we’re going to
replicate things in different places. You then have to get that cloud provider
to save for certain things, and that certain sets of data will not go outside of
that state. Some cloud providers will be able to offer that, some won’t.
It gets much worse when you get into the international
scenario, because you’ve got many more different international laws. If you’re
a German company governed by German laws, you want to be pretty careful if your
data is going to Ireland, or France or the UK, because the laws aren’t the
same, and the systems aren’t the same, and you could still be held accountable.
And that’s definitely causing people to rethink, what does
regulation and compliance really mean, and how much control do I have? Once
again, it’s a non-IT roadblock and it’s quite a powerful one and we’re seeing
this coming up more as people get further into deployments. They’re beginning
to understand that there are issues they need to address that they haven’t
thought of previously.
TechRepublic readers: stay tuned for Part 2 of the Peter
ffoulkes interview, in which he discusses the cloud and change management, a
successful example of managing change in the retail industry, several of the
big players in the cloud marketplace, and how they along with OpenStack are
capturing mindshare among the survey respondents.