TheInfoPro, a service of 451 Research, has released its semi-annual report on cloud computing, which surveyed 100 IT professionals from February through May of 2013. While the results predict the explosive growth of enterprise cloud projects, non-IT roadblocks are on the rise.
Peter ffoulkes, TheInfoPro's Research Director for Cloud Computing, hosted a webinar about the survey on September 17. TechRepublic had the chance to speak with him by telephone about the survey, and the people and process issues that enterprises are facing in their cloud deployments.
- 68 percent of respondents said they had non-IT roadblocks: 37 percent said “organization and budget,” 16 percent said “buy-in, resistance to change,” and 15 percent said “trust: reliability and visibility.”
- Additional roadblocks, each at 10 percent, were: “security policies,” “regulation and compliance,” and “people and time.”
- Roadblocks are increasing because we are still in the early stages of cloud deployment
- At the end of 2012, only a third of respondents were “sufficiently virtualized.” Virtualization process will last into 2015
- Companies are finding the cloud deployment process is harder than expected
- Staff members need to be aligned and educated during cloud deployments
- Financial services industry leads others in cloud adoption
- Enterprises need cloud expertise; IT pros need to learn new skills and adapt
- Concerns about visibility and reliability are slowing down cloud adoption
- Security is a “speed bump,” compliance is a “wall”
- Cloud security depends on adapting practices to a new model and effective implementation
- Companies have realized that the physical location of their data in the cloud can become a regulatory issue
TechRepublic: What are the major non-IT roadblocks in your survey and why are they increasing?
Peter ffoulkes: Let me take it at first at the top level, why they are increasing, and then we’ll go down and look at what the issues are. The reason they are increasing, I believe, is that we are still very much in the early stages of cloud computing deployment.
Cloud computing deployment process
Although it has been hyped for some time, there’s actually quite a lot of preparatory work that people need to do before they can really use cloud architectures in a fully-functioning production environment. This is a multi-year journey, and the first stages really have to do with just getting your data centers and IT systems consolidated and standardized, and in most cases virtualized. And as of the end of 2012 we still had 61 percent of our respondents who were at the stage of working on that consolidation, standardization and virtualization.
Most people are looking to get, in their x86 environments, between about 80 to 90 percent of their workloads virtualized. Most respondents are not at that level yet. About a third of the people that we spoke with at the end of 2012 were at the stage of “sufficiently virtualized.”
That means another quarter will come on in 2013, and that only takes you up to 50 percent. And so in 2014 and 2015, there will still be people working on just qualifying their workloads in a large enterprise environment.
And most people will have to get that done before they can move to cloud, even internally. And we’re talking largely private cloud at this point, more so than public cloud services for large enterprise customers.
Once they’ve done that, there’s a sort of automation level that they need to work through and an orchestration level where you have to make policy-based decisions about what can be done. That once again is a stage of development that most people have to get through before they can really go to fully cloud-based environment.
One the reasons that the non-IT roadblocks are increasing, is that as people get into this, they’re finding out that it’s harder than they thought. Not only do they have to find the right technologies, but they also have to get their people educated and thinking in the same way.
Organization and budget
So, if we start looking at the non-IT roadblocks, then 37 percent of people said it was “organization and budget.”
Part of it is the alignment of people, and part of it is that if you’re going to move to a cloud-based architecture, you’ve got to have the people agreeing to do it, you’ve go to get people to say, yes, this is the right thing to do. Not everybody will do that.
Then you’ve got to have the resources, you’ve got to have the funding. You often have to upgrade your computing systems, which is usually part of the virtualization journey. But typically the x86 systems are not as good in a cloud-based environment as the more modern ones, so there’s often a refresh of systems that takes time, people and money.
It depends also on where people are. If one looks at the financial services market, these guys are banks. They have lots of money. They know how to make money, and those guys are often on the leading edge of things. And they’ve realized that, by moving to a cloud-based model, they can save money. So they’re willing to invest so they can save money and be more competitive at the same time.
On the other extreme, if we look at something like the defense industry, which is usually based around government contracts, these guys are like, we want to get there—we don’t even know if there’s going to be money to spend. We depend on the government and Congress to fund certain initiatives and make other things happened so that we can get money, and we can’t spend money on ourselves until we’ve got a revenue stream coming in.
So there are a number of political conditions, global, macro-economic considerations that are slowing down the process for a number of companies.
Buying in and resistance to change
That’s one roadblock. The next one that came in was sort of “buying in” and “resistance to change.” This happens in a lot of different ways. We’ve had a look at some organizations, where people will say—but we’re the IT department, if you put everything in the cloud, our jobs will go away! Now, in a lot of cases that isn’t actually true. Usually what happens, especially in the better organizations, is that people realize they need IT expertise.
But, instead of just running around, swapping out all its provisioning servers, etc., they can be better used to do things above the mundane processes that can be automated. So they’ll actually focus on supporting users, developing new applications, getting new things up online faster so that business becomes more productive.
But very often it’s not so much that you’re going to get rid of people because you’re going to move to a cloud-based architecture, but you’re going to have people doing more important business. Those people often need to learn new skills, and that sometimes takes time. Sometimes people resist learning new things, and sometimes there’s a change in control when this happens. And that can also cause people to do political infighting. So that’s one of the issues, although it’s not the major one, but it is there in some IT departments.
But much more often, you’ve got people, if you like, users saying the old systems work just fine. We paid for these servers, we want to keep our stuff. We don’t want to move to a new model if we don’t have to. So there’s a lot of education that needs to happen, that’s causing people to resist change, really those that have convinced themselves that the current system works for them, and they don’t really understand or value that things might be even better.
So there’s an educational element, getting people to accept new things. And this is part of the people, process thing, also with the technology, it’s just—technology moves pretty fast but people don’t. I have been doing this the same way for the last five years, why would I change?
Trust: Visibility and reliability
Then the next one, which we’ve called trust, described as “visibility” and “reliability,” that was about 15 percent of the people. That comes down in the areas of, if I am going to put my stuff into a new system, how do I know what’s happening? If I know that my application is sitting on a particular server over in a particular building, I know what’s happening, I can get reports on it.
But if I just say, I am going to sign up for a service, and you’re going to supply it, and I don’t know which servers I am getting, I don’t know whether I am getting the best quality, I don’t know if it will work to my requirements. How do I know that?
Now, that basically requires quite a lot of tooling, so that people can actually measure service levels, so they can tell they’re getting the quality of service that they want, that they’re getting it at the right level of reliability, that they’re getting what they paid for, or what they’ve signed up for. And a lot of those tools either are fairly immature, or they’re only slowly being implemented, because there are so many other things going on.
But essentially what it comes down to is there’s got to be a change. Is my life going to be same, is it going to get better, or is it going to get worse? And there needs to be a feedback mechanism to prove that, and once again there’s an education and there’s access to technology to do that.
And it doesn’t help, that you keep getting reports in the news of, oh well, Netflix service went down because Amazon had a glitch. Or some other cloud service provider had a glitch and something went offline for many, many hours. And so people look at those things and because it’s new and unfamiliar, there’s a lack of trust. And so those things are sort of inhibiting the whole industry.
Another thing that has happened, and once again this is sort of a typical thing in technology. There’s a whole bunch of stuff going on in news recently about a storage cloud provider called Nirvanix going belly-up. And they’ve basically said, we’ve lost our funding, so we’re going to have to shutter the doors in two weeks. So if you’ve got your data in our service, that’s too bad. That’s a little alarming for people.
It’s perfectly typical. We’ve had technology companies going belly-up ever since technology was invented. And it’s a typical thing with start-ups, they get moving and they do fail.
But these kinds of things, in any new area, cause people to switch from, wow this is a great opportunity to, hmm, should I be risk-averse here? And once again, it’s not just visibility of technology, it’s the reliability of the service, the company underpinning it, and—it this the safe thing to do?
And that will cause line of business people who are responsible for moving their IT department to say, if you’re taking us to a new cloud offering, how do we know it’s going to work, are we going to be exposed? Am I going to get a lot of heat from upper management, because of something you do? And that slows down the process of getting approvals.
TechRepublic: Could you summarize the different categories of non-IT roadblocks and the percent of respondents who identified them?
Peter ffoulkes: Yes, out of the people who said they had non-IT roadblocks, it was 68 percent of the total number of respondents, which was effectively two-thirds. From that, 37 percent, just over a third, indicated “organization and budget” issues as their primary roadblock. Sixteen percent were in the “buy-in, resistance to change” category. Fifteen percent were in the “trust: reliability and visibility” group.
Now, beyond that, there were three others, all at ten percent. They were: “security policies,” “regulation and compliance,” and then “people and time.” So, even if we cut the budget, we’ve got to have the people, we’ve got to have the time, and that’s slowing us down.
But if we go back to security, and regulation and compliance, those are very important areas. A colleague of mine very accurately said, security is a “speed bump,” compliance is a “wall.”
TechRepublic: A wall? (laughs)
Peter ffoulkes: A wall, yes. That’s also very current and pertinent. So the security thing, we keep getting news items about people getting hacked, etc. Now, this is just as much a problem for people inside their own companies, as it is for public cloud companies. So it isn’t necessarily saying that people think public cloud companies are insecure. In fact, many of them have better security than many people doing their own IT.
So, the issue is not really about, or you secure or are you not. That’s a problem for everybody. But it’s really that companies have their own security policies, and they’ve got their own internal mechanisms by which they manage security and of course they’re going to have all sorts of liability risk issues, if they don’t manage security properly, whether it is because their customers lose confidence or whether the can be sued. So they’ve got to look at security very properly and manage that.
And basically there are a couple of things happening. The first thing is that as people are moving into this virtualized arena, a lot of security used to be done by managing how people got access to individual computers, all the identity management and access.
That changes when you go into a virtualized world, or a cloud-based world, where your virtual machine, or your virtual application stack can move from hardware system to hardware system. So there’s a much more complex and difficult way of having to implement security, even if you are doing this internally inside your own organization.
So that is, although it is technology related, you then have to look at your security policies and ask, well, how do I implement them in this new world?
When you then start looking at going outside to a public cloud provider, the first question is what sort of policies does that external provider have? How do I make sure they are compatible and meet the minimum standards that I need in my own organization? And do they have the tools in place to keep an eye on that and audit it and make sure that it meets the standards that I personally have?
So it’s not necessarily about whether it’s secure or not secure, but how is that security managed, how do I implement my own security policies in this cloud environment? Especially when I have to go outside of my own organization. So that’s clearly a headache for people, it’s difficult.
Regulation and compliance
Regulation and compliance, however, is still going to require good security and other things, but if you’re in the financial services industry, you’ve got certain regulatory requirements that must be met. And if a cloud provider cannot meet those requirements, then it cannot even be considered as an option.
Healthcare has similar kinds of things that need to be met. So whatever system you’re doing, whether it’s private or public, needs to meet those things.
Some things that come up are not industry-specific, but they’re related to in which state the data reside. Certain industries will say, you data must reside in our state. That also can be a problem, especially for going into the public cloud, because that means there has to be a data center available in that specific state. And the data must not move outside of that state.
That isn’t necessarily the case if you’ve got a public cloud provider that works on region, and says we’re going to give you disaster recovery and protection availability zones. But to do that we’re going to replicate things in different places. You then have to get that cloud provider to save for certain things, and that certain sets of data will no go outside of that state. Some cloud providers will be able to offer that, some won’t.
It gets much worse when you get into the international scenario, because you’ve got many more different international laws. If you’re a German company governed by German laws, you want to be pretty careful if your data is going to Ireland, or France or the UK, because the laws aren’t the same, and the systems aren’t the same, and you could still be held accountable.
And that’s definitely causing people to rethink, what does regulation and compliance really mean, and how much control do I have? Once again, it’s a non-IT roadblock and it’s quite a powerful one and we’re seeing this coming up more as people get further into deployments. They’re beginning to understand that there are issues they need to address that they haven’t thought of previously.
TechRepublic readers: stay tuned for Part 2 of the Peter ffoulkes interview, in which he discusses the cloud and change management, a successful example of managing change in the retail industry, several of the big players in the cloud marketplace, and how they along with OpenStack are capturing mindshare among the survey respondents.
Brian will do client work for AtTask.
Brian Taylor is a contributing writer for TechRepublic. He covers the tech trends, solutions, risks, and research that IT leaders need to know about, from startups to the enterprise. Technology is creating a new world, and he loves to report on it.