Management software and solutions firm CA Technologies recently published its May 2013 TechInsights Report: Cloud Succeeds. Now What?. I spoke with Patrick Ancipink, VP of Solutions Marketing at CA Technologies, about the cloud computing security issues and success factors that the report highlights.

Luth Research and Vanson Bourne conducted the survey for CA Technologies, interviewing 542 IT leaders in the U.S., U.K., France, Germany, Italy and Benelux from December 2012 to January 2013, to learn how “cloud computing is being used, problems or successes encountered, and how its use changed as IT teams gained more experience.”

According to the report, security remains a “contradiction.” While 98 percent of respondents stated that cloud results met or exceeded their expectations for security, 46 percent indicated that “security” was the main reason an application was not moved to the cloud.

Also, experienced cloud customers said “enterprise control” was essential for success in the cloud, and named these four IT management areas as the most important: end to end service automation, service level management, the ability to switch providers, and identity management

Key takeaways: Cloud migration compels firms to review and update their security practices; businesses are more reluctant to move sensitive applications to the cloud; the more experience firms have with the cloud, the more likely they see IT management as a key success factor; IT needs to shift from being a ‘gatekeeper’ to being a ‘broker’; cloud is not a ‘panacea’ for a CIO, new responsibilities come with it.
The report states that security remains a contradiction-actual cloud results compared to reservations about migrating to the cloud. Why does security remain the number one reason against moving a sensitive application to the cloud when security results are meeting or exceeding expectations?
Patrick Ancipink: There are a few factors. In terms of the security with cloud deployments being better than expected, one possible explanation could be a lack of preparation on the internal side. Maybe you had a federated internal model, with different departments, and applications pulled from different components within IT or across lines of business, and maybe security practices were immature or incomplete.

A cloud supplier that is actually dialed-in on security is going to have a more holistic view. Things like single sign-on suddenly become part of what you rent from a SaaS provider, or what you contract for from PaaS. And it actually simplifies what a lot of companies haven’t covered fully internally.

The second thought is the type of applications you are moving to the cloud. Most likely, the initial applications migrated, are not the ones that have the regulatory and privacy issues. Now IT is confronted by the business expectation to move to the next wave. And IT is saying, wait a minute, that’s a different class of application. So that’s why security probably remains a top concern – and therefore, a top priority and focus.

Enterprises are also getting better at classifying applications-figuring out what makes the most sense in their specific environment to move to the cloud. Providers are getting savvier about improving security for mission-critical applications that require more scrutiny and regulatory attention.

How and why does IT management’s understanding of the need for “enterprise control” change over the length of cloud deployments?
Patrick Ancipink: There are a lot of unplanned, ‘Rogue IT‘ cloud projects, where frankly, some enterprise IT teams moved too slowly or tried to exert too much control, and business users went around IT, securing cloud services as easily as typing in the numbers on their corporate credit card. The tradition of IT has been to have a high level of control, but never have there been so many choices for IT and the business. One of the concepts we talk to our customers about is becoming the “department of good choices.” And that means being more of a broker than a gate keeper.

The data tells us that the more experience companies have with cloud computing, the more they see IT management as central to their success. Specific needs that cropped up include end-to-end service automation and service level management across cloud and non-cloud. We often ask our customers if they have full awareness, authority, and visibility across all of the cloud and on-premise assets that are being used.

For IT, their traditional universe of control is shrinking and they are adapting to the hybrid computing environment reality to meet the business requirements for speed and flexibility. They can essentially achieve some of those same aspects of control with the right degree of visibility, automation and management – meeting both their own needs and the needs of the business to move faster and be more responsive.

Regarding the ability to switch between service providers-I think that’s perhaps the most interesting item on the list. In the sense of the changing role of IT-moving from gatekeeper to broker–you want to bring the best possible solution to a line of business that might be, from a historical perspective, nearly instantaneous to deploy. The expectation is moving from application and service releases just a few times a year to a “continuous delivery” mode where agility is critical.

So while network and server up-time remain important, they’re so far below the waterline of what the business is looking at to measure success.

Rather than focusing on traditional metrics like up-time, IT needs to be talking to its suppliers with different tradeoffs: for example, can you take a four millisecond delay on this type of application to get it cheaper and still have acceptable performance for the end customer? There’s not a normalized index across providers with that type of measurement so that’s part of the role of IT to figure out now.

For companies with cloud deployments longer than four years, do you think the four top “enterprise control” areas that respondents named (end to end service automation, service level management, the ability to switch providers, and identity management) are “solid” from an IT best practices standpoint?
Patrick Ancipink: I think it’s pretty solid. I’ve been working in IT management and security for quite some time now, and the definition of end to end automation is changing. And now ‘end to end’ means including your suppliers and not having a ‘telco’-like contract with a cloud provider that’s hosting critical applications. It’s not just dial tone, it’s more than that.
I think the point is that management and security have to be in the forefront of the discussion. Going into the cloud adoption research, we traditionally heard that cost was the biggest driver. And now it’s number four on the list (see page three of report). It’s like asking, why do people leave work now? Salary is number four or five on the list of reasons. It’s more about quality and flexibility, right? And for IT what’s really important is to understand that end to end view.

And IT has to change its view, and not say, well, that transaction went out to Amazon Web Services, or to (Windows) Azure, and it’s not my responsibility anymore. To remain relevant, IT must think differently – it is their job to figure out how to write the contract, to figure out the risk, the penalties, cost, and performance needs. To orchestrate those complex and composite services and come up with the best advice for the business, rather than say, we’ll see what happens. The point is that management is at the forefront.

Cloud is not a panacea for a CIO, because everything is going to be easier and it’s someone else’s fault if something goes wrong. That’s a negative view, right? The truth is that we’re moving in the direction of hybrid cloud, hybrid services, a mix of environments and providers, crossing internal and third-parties, cloud and non-cloud.

Today’s applications, like taking a picture of your check and depositing it in your bank, have about 500 moving pieces underneath them. Some of them are inside the institution, and some of them are SaaS-based with a cloud provider. And so it’s IT’s job to know all of that, and understand-it is secure? And, am I doing better than my competition?

The TechInsights Report: Cloud Succeeds. Now What? Can be downloaded at: