AN ISACA CLOUD VISION SERIES WHITE PAPER Due to its exponential growth, cloud computing can no longer be considered an emerging technology, but neither is it (yet) a mature and stable technology. This white paper reports the results of a recent study conducted by ISACA and the Cloud Security Alliance (CSA) to examine cloud market maturity through four lenses: cloud use and satisfaction level, expected growth, cloud-adoption drivers, and limitations to cloud adoption. The study determined that the increased rate of cloud adoption is the result of perceived market maturity and the number of available services to implement, integrate and manage cloud services. Business drivers influencing cloud adoption include user satisfaction and cloud- driven innovation, and technology drivers focus on scalability, agility and cost reduction. While small/medium enterprises and large organizations have differing priorities, overall the mean scores are high for expected and realized benefits from cloud usage. ISACA/CSA CLOUD COMPUTING MARKET MATURITY Cloud Computing Market Maturity © 2015 ISACA. All rights reserved. 2 INTRODUCTION Cloud computing continues to evolve from a concept to revolutionize the way computing resources are managed and distributed to a proven solution that delivers many benefits to enterprises of all sizes. A recent ISACA assessment of the top 10 technology trends found that cloud computing continues as a leading business trend driving business strategy.1 Cloud computing is no longer considered an emerging technology, due to its exponential growth in recent years. However, cloud computing cannot yet be considered a mature and stable technology. Cloud computing offers both the benefits and the drawbacks that come with innovation. The main technology drivers for cloud adoption remain consistent: enterprises’ expectations for scalability, agility and cost reduction. A recent cloud market maturity study by ISACA and the Cloud Security Alliance (CSA) determined that the increased rate of cloud adoption is the result of perceived market maturity and the number of available services to implement, integrate and manage cloud services.2 The study looked at four specific areas: cloud use and satisfaction level, expected growth, cloud-adoption drivers and limitations to cloud adoption. Other major contributors to cloud market growth that the study identified are the standardization of cloud services, protocols and platforms for application development and deployment and the establishment and proliferation of cloud service brokers/integrators. The purpose of this white paper is to report on the maturity of the cloud computing market to provide better insight for users and providers into the business drivers (e.g., strategic purposes, user satisfaction, assurance that cloud-specific issues are being addressed and cloud-driven innovation) and technology drivers (scalability, agility and cost reduction) that influence cloud adoption. Cloud Computing Maturity Stage According to the market maturity model in figure 1, cloud computing is in the growth stage: Adoption and innovation are on the rise and enterprises are experiencing the promised benefits. However, roles and responsibilities are still unclear, especially in the areas of data ownership and security and compliance requirements. Cloud market trend studies by North Bridge3 and RightScale4 report findings that are similar to the ISACA/CSA cloud market maturity study and corroborate its conclusions, which are based on the following factors: • Cloud adoption and growth • Cloud use for business as usual (BAU) or strategic purposes • Level of user satisfaction • Extent of innovation in the cloud and who is driving it • Objectives and value expectations delivered • Common understandings, definitions, and assignment of roles and responsibilities • Issues that need to be addressed • Optimism that issues are being addressed and can be solved 1. ISACA, “Why Cloud Computing Should Be Part of Business Strategy,” USA, 2015, www.isaca.org/innovation-insights 2. The ISACA/CSA cloud computing market maturity study surveyed ISACA and CSA members during the third quarter of 2013. Completed surveys were received from 315 members, representing North America (35.6 percent), Europe (26.2 percent), Asia (18.7 percent) and Latin America (8.9 percent). 3. North Bridge, “The Future of Cloud Computing 4th Annual Survey 2014,” 2014, www.northbridge.com/2014-future-cloud-computing-survey 4. RightScale, “State of the Cloud Report,” 2014, http://assets.rightscale.com/uploads/pdfs/RightScale-2014-State-of-the-Cloud-Report.pdf Figure 1–Cloud Market Maturity Model STAGE DISTINGUISHING ELEMENTS OF THE CLOUD MARKET Infancy The market is small with a potential for growth and innovation that has not been realized. The definition of cloud and related roles and responsibilities is not clear. Return on investment (ROI) is uncertain. Users and providers can be considered early adopters. Growth The market demonstrates significant adoption, rapid growth, and notable innovation in terms of product offerings and use. Definitions of cloud computing and how it can be leveraged are clear. Roles and responsibilities for cloud within the enterprise have evolved to address cloud’s unique aspects. Cloud computing is being integrated into core business activities. ROI is clear and examples of successful use are well known. Innovation leads to new product offerings not possible in earlier stages. Maturity Market growth has reached its peak. The level of innovation is slowing. New entrants have a difficult time distinguishing themselves from established service providers. Organizational roles and responsibilities are stable, as are relations between users and providers. Cloud computing is business as usual. Decline The cloud market is saturated with suppliers. Cloud computing is a commodity. Market leaders are clearly defined. There is little room for new entrants or new product offerings. Users and providers are looking for the next big opportunity. Source: ISACA/CSA, “2012 Cloud Computing Market Maturity Study Results,” 2012, table 1 Cloud Computing Market Maturity © 2015 ISACA. All rights reserved. 3 KEY INSIGHTS Security and privacy continue to be the main inhibitors of cloud adoption because of insufficient transparency into cloud-provider security. Cloud providers do not make available to cloud users information about the security that is implemented to protect cloud-user assets. Transparency into the adequacy of the system of internal controls provides “trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.”5 Audits and certifications are the traditional security assurance tools that are used to determine whether a service provider is in compliance with a set of security controls, but these tools may not be adequate for users in a cloud ecosystem who need to demonstrate a greater level of assurance for compliance purposes. Enterprise size influences cloud use. The ISACA/CSA cloud market maturity study found that: • Platform as a Service (PaaS) is preferred by large enterprises that need resources to develop and test new applications. • Softwar e as a Service (SaaS) is preferred by small and medi- um-sized enterprises (SMEs) that see value in the use-per-pay model for applications that otherwise would be major invest- ments to develop, test and release using in-house resources. • Private and hybrid are the preferred deployment models for large enterprises that need to integrate existing technology with cloud products, or that may have legal and compliance requirements that limit their adoption of public clouds. Note: For the ISACA/CSA cloud market maturity study, enterprises with one to 999 employees are considered to be small and medium-sized enterprises (SMEs); enterprises with 1,000 or more employees are considered to be large enterprises. Economic factors, political stability, regulatory requirements and cultural differences influence cloud market development. While historically companies in the United States have adopted technology earlier than their European counterparts, a recent Cloud Security Alliance survey found that is not the case with cloud technology. Just 69 percent of companies in the Americas are moving forward with cloud services, compared to 84 percent in other regions surveyed.6 Market share is expected to change dramatically as emerging regions experience even faster growth over the next five years. Enterprises are experimenting with cloud computing and trying to determine how cloud fits into their business strategy. For some, it has become clear that cloud can be an enabler for new process models that can transform the business and add to their competitive advantage. By adopting cloud-based applications to support the business (e.g., accounting, email services, printing, customer relations management, supplier relations management and disaster recovery), SaaS adoption is enabling enterprises to channel capital into the development of their core competencies. IaaS and PaaS adoptions enable enterprises to experiment with new technologies and new services that require resources that would be prohibitively expensive if they were procured via in-house implementation. IaaS and PaaS also allow enterprises to adapt to the rapid changes in market demand, because they have the option of creating a completely new offering faster and cheaper. CLOUD ADOPTION AND GROWTH Use of cloud services has increased significantly since 2012— with both supply and demand growing. A study by KPMG found that a majority of organizations had already begun adopting some form of cloud (or `as-a-service’) technology, with respondents expecting to move even more business processes to the cloud in the future.7 Figure 2 shows the cloud computing adoption growth between 2013 and 2015. 75% 94% 93% 2013 2014 2015 Cloud Adoption Figure 2—Cloud Adoption Growth 8,9,10 (930 Respondents)(1068 Respondents)(625 Respondents) 5. ISACA, COBIT® 5 for Information Security, USA, 2012, www.isaca.org/COBIT/Pages/Product-Family.aspx 6. Cloud Security Alliance, “Cloud Adoption Practices & Priorities Survey Report,” January 2015, https://cloudsecurityalliance.org/download/cloud-adoption-practices-priorities-survey-report 7. KPMG, “The cloud takes shape,” February 2013, http://www.kpmg.com/global/en/issuesandinsights/articlespublications/cloud-service-providers-survey/pages/default.aspx 8. Weins, Kim; “RightScale State of the Cloud 2013: A New Industry Survey,” RightScale, Inc., 25 April 2013, www.rightscale.com/blog/cloud-industry-insights/rightscale-state-cloud-2013-new-industry-survey 9. Op. cit. RightScale 2014 10. RightScale, “State of the Cloud Report,” 2015, http://assets.rightscale.com/uploads/pdfs/RightScale-2015-State-of-the-Cloud-Report.pdf Cloud Computing Market Maturity © 2015 ISACA. All rights reserved. 4 A great number of enterprises have adopted some degree of cloud technology; however, the depth of adoption remains limited and a great deal of potential value remains to be exploited (figure 3).11 Several factors affect the consistent increase in use of cloud services—especially uncertainty in the economic environment, which has fueled more pay-per-use than pay- at-once models. Another influential factor is the ability to shift capital expenditures to operating expenses by using cloud services that maximize information technology (IT) budgets. The most common and compelling influence for cloud adoption growth is cost reduction. The expectation of enterprises adopting cloud services is that they will have lower-cost and more-agile IT resources to support the growth of their core business. Other factors that influence the rapid cloud market growth include:12 • Standar dization of services, protocols and platforms for application development and deployment. Standardization allows for the efficient integration and maintenance of cloud services. • Establishment and proliferation of cloud service brokers/ integrators. Because of the increasing complexity of applications and enterprises that are procuring multiple cloud- based applications, cloud service brokers/integrators partner with enterprises to help integrate applications and data to reduce conflicts in accessing shared data repositories. Cloud Service and Deployment Model Use The ISACA/CSA study concluded that SaaS remains the most adopted type of cloud service, and PaaS had the most growth between 2012 and 2013 (54.8 percent). (See figure 4.) SaaS dominates the public cloud market, accounting for 58 percent of the US $44.2 billion in annual global spending, according to Capgemini TME Strategy Lab. SaaS is an attractive option due to the ability to subscribe to key applications and business processes and pay only for the resources actually used. Many enterprises cannot host their own diverse array of systems required to conduct their business, such as customer relationship management (CRM), enterprise resource planning (ERP), human resources, inventory systems or payroll systems.13 82.9% Level of Adoption 2012 2013 Figure 4—ISACA/CSA Cloud Use and Growth SaaSPaaSIaaS Cloud Service Model 62% 23% 50% 64.9% 36% Note: Some respondents reported more than one type of cloud service in use at their enterprise. 11. Op. cit. ISACA 2015 12. PRWeb, “Cloud Services Brokerage Market to Grow at 45.90% CAGR by 2018 Says New Research Report at ReportsnReports.com,” www.prweb.com/pdfdownload/11670468.pdf 13. Linthicum, David; “SaaS is cloud computing’s quiet killer app,” InfoWorld, 26 November 2013, www.infoworld.com/article/2609464/cloud-computing/saas-is-cloud-computing-s-quiet-killer-app.html Early Majority Early Adopters Innovators Late Majority Laggards 2.5% 13.5% 34% 34% 16% Figure 3—Cloud Computing Adoption Maturity Source: ISACA, “Why Cloud Computing Should Be Part of Business Strategy,” USA, 2015, figure 2 Cloud Computing Market Maturity © 2015 ISACA. All rights reserved. 5 PaaS growth is the result of enterprises embracing new ways to meet market demands. PaaS helps to reduce the time to deploy custom applications, because projects can be launched without requiring the provisioning of internal resources (e.g., network, servers, backup devices and security infrastructure) for development and testing.14 Private cloud is still predominant and is the preferred deployment model across all industry sectors. However, hybrid cloud is expected to grow because it offers greater flexibility. Private clouds will be reserved for specific end uses. Community clouds are generally used by a cluster of enterprises within a particular industry and enable enterprises to exploit the full benefits of the cloud and collaboration. Most community clouds are expected to be replaced with a model that still allows enterprises to collaborate and benefit from using cloud services, but moves away from the community model. Expected Growth ISACA/CSA study respondents expect their enterprises to expand the use of all categories of cloud services and deployment models, except community clouds. The rate of cloud adoption is closely related to the perceived level of market maturity, according to the ISACA/CSA study results. As vendors become more proficient in selling, implementing and sustaining cloud services, the rate of adoption should continue to grow. Enterprises that use cloud services are evolving from early adopters to early maturity users that are integrating cloud computing into core business activities successfully. However, the roles and responsibilities for cloud operations are still being defined. Continuous maturity growth will be driven by improvements to cloud services delivery, the availability of more information to help enterprises decide whether cloud computing is a viable option for them and how best to use the benefits, and the emergence of new cloud brokers and integration vendors. Cloud computing is not marketing hype anymore; for many enterprises, cloud has become a critical part of the IT landscape. “As cloud begins to become more mainstream within the business environment, we are seeing organizations move from the ‘when and why’ of the cloud adoption process to instead focus on the ‘how’.”15 Expected Growth by Enterprise Size SMEs favor SaaS because ready-to-use applications that are procured under pay-per-use terms fit their strategic goals. Large enterprises may have goals or obligations that require applications to be hosted in-house, eliminating SaaS as a viable option. However, large enterprises recognize that using cloud services in the early stages of the application life cycle has value. Using IaaS, PaaS or both can help increase developer productivity, reduce time to market and save money in the process. BUSINESS AS USUAL OR STRATEGIC PURPOSES The ISACA/CSA study results show that cloud services are commonly used to meet BAU and strategic goals. Figure 5 shows the mean response of cloud users regarding the use of cloud services and models to accomplish both types of goals. Responses were recorded on a range of 1 to 5, where 1 indicates that the user strongly disagrees that the service or model is an essential part of BAU or strategy, and 5 indicates that the user strongly agrees that the service or model is an essential part. However, the long-term expectation is that cloud services will be more important for BAU than strategic plans. The proliferation of ready-to-use SaaS applications is already an essential part of BAU, and most cloud market analysts predict that SaaS will continue to grow and become more intrinsic to day-to-day and some mission-critical business processes. 14. OutSystems, “Application Development and Delivery: When and Where to Leverage the Cloud,” www.outsystems.com/res/OutSystems_Tech-Target-Paper.pdf/ 15. Op. cit. KPMG 2013 CLOUD SERVICE/ MODEL ESSENTIAL TO BAU ESSENTIAL TO STRATEGY IaaS 4.29 4.33 PaaS 4.23 4.38 SaaS 4.27 4.32 Private 4.08 4.26 Hybrid 4.14 4.30 Community 4.08 4.18 Figure 5—Cloud Use for BAU and Strategy Cloud Computing Market Maturity © 2015 ISACA. All rights reserved. 6 USER SATISFACTION The level of satisfaction with cloud services is on the rise, according to the ISACA/CSA respondents. The most significant level of satisfaction was reported for PaaS. PaaS is highly favored by IT professionals, especially developers, who prefer to spend their time writing and testing code rather than managing servers, administering databases and managing user access. PaaS offers developers “a highly automated environment in which elements like patches, service packs, and upgrades are abstracted away, and libraries of application services are available for easy plug in to a newly developed application.”16 Ease of use and increased productivity result in greater user satisfaction and tangible economic benefits for the enterprise. SMEs are highly satisfied with IaaS, PaaS and SaaS, but large enterprises are only moderately satisfied with the three cloud service models. Satisfaction levels are closely related to the ability to use cloud services throughout a system’s life cycle. The responses to the survey question inquiring into the level of user satisfaction with deployment models show a pattern similar to the responses regarding the level of satisfaction with service models. The level of satisfaction with cloud services and deployment models is expected to increase as the market matures and vendors define standards to minimize the complexity around cloud adoption and management. Furthermore, the proliferation of cloud service brokers and integrators is helping enterprises to integrate applications, data and shared storage in a more efficient way, thus making ongoing maintenance easier. INNOVATION Cloud innovation is driven by service and product developers who are trying to meet public demands for ubiquitous access to data. Examples of enterprises that are benefiting from cloud innovation are multiplying as the market matures and grows. According to Pat Romzek, vice president of global market development and collaboration solutions for Cisco, “Cloud- based tools and platforms are enabling an unprecedented wave of collaboration within and between enterprises.”17 Enterprises of all sizes need to have a consistent set of experiences and capabilities among all their locations and multiple vendors. Some enterprises face the challenge of being trapped in a set of legacy capabilities that are disparate, while other enterprises face the challenge of needing to implement new capabilities to establish collaboration. The cloud provides a broad array of capabilities to everyone, anywhere in the world, in real time and at a lower cost (when compared to system upgrades or new in-house implementations).18 Figure 6 shows the most common cloud applications. FIGURE 6—Most Popular Cloud Apps19 Mobile apps connect enterprises and consumers and became more effective and valuable with readily available cloud data and processes, rather than proprietary data stores. Networking applications, such as LinkedIn, use the cloud to connect professionals worldwide. Gartner’s “Nexus of Forces is the convergence and mutual reinforcement of social, mobility, cloud and information patterns that drive new business scenarios.”20 One particular example of cloud-driven innovation is the User-Managed Access (UMA) protocol that was awarded the 2014 Best Innovation in Information Security Award from the European Identity & Cloud Conference. The protocol was initially designed to help individuals control Internet data sharing, but UMA’s capability to provide authorization as a service is now Business Applications Deployed IT operations Productivity Web apps Sales & marketing appls Collaboration & communication apps 43% 39% 30% 29% 26% 16. Pariseau, Beth; “PaaS adoption upswing predicted for 2014; will it last?,” TechTarget, 6 December 2013, http://searchcloudcomputing.techtarget.com/news/2240210631/PaaS-adoption-upswing -predicted-for-2014-will-it-last 17. McKendrick, Joe; “How Cloud Adds A New Dimension To Innovation,” Forbes, 28 October 2013, www.forbes.com/sites/joemckendrick/2013/10/28/how-cloud-adds-a-new-dimension-to-innovation/ 18. Ibid. 19. Adapted from: Schulze, Holger; “Cloud Security Spotlight Report,” Information Security Community on LinkedIn, 2015, http://media.scmagazine.com/documents/114/cloud-security-spotlight-repor_28381.pdf 20. Gartner IT Glossary Nexus of Forces, www.gartner.com/it-glossary/nexus-of-forces Cloud Computing Market Maturity © 2015 ISACA. All rights reserved. 7 enabling enterprises to control access to sensitive resources in cloud and mobile environments. “UMA’s flexibility toward users and enterprise authorization makes it a key business enabler innovation for the evolution of business driving, and privacy respective, identity and access management.”21 Demand for Innovation The ISACA/CSA study results show that the demand for innovation is much greater for large enterprises than it is for SMEs. This demand difference may be related to the fact that large enterprises need to innovate existing processes to stay relevant, but SMEs use innovation to create new products to enter the market. Changing existing technology and processes requires coming up with inventive ways to meet business goals without extensive investments. OBJECTIVES AND VALUE EXPECTATIONS Reliability, agility and elasticity appear to be the most important cloud-use technology benefits to users, and financial benefits are slightly less important. Enterprises that are focused on performance prefer large cloud service providers that have invested in an extensive infrastructure and the ability to manage these infrastructures. For many enterprises, IT is not a core competency, and outsourcing to achieve increased reliability, agility and elasticity (plus reduction in cost) is the key technology driver for adopting cloud solutions. The highest adoption of cloud is occurring with SMEs and is due largely to a lack of capability in IT. In the North Bridge survey referenced previously, agility, cost and scalability are the top three drivers behind the decisions to adopt cloud services. Innovation or competitive advantage is a driver for 35 percent of the respondents. For companies with over 5,000 employees, moving capital expenses to operating expenses is becoming more important as a driver.22 As the cloud market matures, SMEs and large enterprises may favor the innovative solutions of small cloud providers over the stability of large cloud service providers. Enterprises that use small cloud providers will also gain stability, because the small, innovative cloud providers host their solutions at large, stable, infrastructure cloud providers. Costs may go down because large cloud service providers will enjoy economies of scale. The ISACA/CSA study found that the difference in importance between performance and financial benefits is more evident when comparing responses of SMEs and large enterprises. It may be that the cost of technology and the percentage of total cost that it represents in large enterprises influence a slight preference for reducing the costs that are associated with IT resources. SMEs are primarily influenced to adopt cloud for IT services to improve capabilities, rather than to reduce costs. SMEs prefer leveraging the cloud to obtain technical capabilities, rather than building their own infrastructure and hiring the necessary resources to run it. Preference for performance-improvement benefits seems to correlate to the rate of SaaS adoption by SMEs, and the preference for financial benefits correlates with the rate of IaaS and PaaS adoption by large enterprises. According to the Microsoft Trustworthy Computing SME cloud trust study, 94 percent of SMEs have experienced performance benefits from using cloud services. The performance benefits have led to financial benefits and the ability to invest in areas such as product development and innovation and expanding to new markets.23 Following are the Microsoft Trustworthy Computing study findings:24 • 94 percent of SMEs have experienced security benefits, such as up-to-date system patching, up-to-date antivirus protection and spam email management. • 91 percent of SMEs have seen improvement in the security of the enterprise. • 75 percent of SMEs have experienced improvements in service availability. • 96 percent of SMEs are confident their cloud provider can quickly and effectively restore services during an outage. • 91 percent of SMEs said their cloud provider makes it easier for them to meet compliance obligations. 21. Marketwired, “User-Managed Access Awarded 2014 Best Innovation in Information Security Award From European Identity & Cloud Conference,” @CloudExpo Blog , 22 May 2014, http://cloudcomputing.sys- con.com/node/3092656 22. Op. cit. North Bridge 23. Microsoft, “Small and midsize businesses cloud trust study: U.S. study results,“ June 2013, www.microsoft.com/en-us/news/download/presskits/security/docs/twcjune13us.pdf 24. Ibid Cloud Computing Market Maturity © 2015 ISACA. All rights reserved. 8 The ISACA/CSA study showed high mean scores for expected and realized benefits. InformationWeek has been collecting information about the state of the cloud since 2010; that material shows that enterprises that use cloud services are not planning to revert to on-premise infrastructure. The decision to keep current cloud services is based on the fact that cloud does deliver the promised benefits.25 Expected benefits of cloud adoption are high, but it is important to remember that the cloud market is still maturing and the results reported are based on the experiences of early adopters who are trying to figure out the best way to exploit cloud benefits. The cloud market is transitioning from the infancy stage of the market maturity model into the next stage in the market maturity model—growth. In the growth phase, enterprises that are already using cloud and those adopting cloud for the first time should see a better balance between expected benefits and realized benefits. COMMON UNDERSTANDING/ ROLES AND RESPONSIBILITIES In 2008, there was no agreement on a definition of cloud computing; since then, cloud computing adoption and understanding have grown consistently and continue to gain followers.26 Cloud providers and users are improving their understanding of how to implement and sustain cloud services. During the cloud market’s infancy, most implementations were the result of enterprises responding to new business requirements. As the market matures, the definition of cloud and how to use it are becoming clearer; roles and responsibilities for providers, integrators and users are evolving to address specific needs; and innovation and investment are improving cloud infrastructures. The cloud computing market does not have common criteria by which to measure cloud-provider security. CSA, European Network and Information Security Agency (ENISA), US National Institute of Standards and Technology (NIST) and other international organizations have published studies, surveys and recommendations on measuring cloud-provider security, but no formal standards exist. This lack of standards is mainly because of the multiple regulations in various regions of the world. An example of a mature cloud-security assessment program is the US Federal Risk and Authorization Management Program (FedRAMP), which is a “government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”27 ISACA, CSA, NIST, ENISA, the Open Web Application Security Project (OWASP) and the British Standards Institution (BSI) are some of the organizations that have published materials to help enterprises to decide whether the cloud is a viable option for them and how best to leverage the benefits. However, even if the market outlook is optimistic, enterprises should avoid rushing to adopt cloud services until they have a solid strategy that includes roles and responsibilities for IT, the business and cloud service providers. CHALLENGES The ISACA/CSA study found that the most significant cloud concerns involve security and international data privacy requirements, data custodianship, legal and contractual issues, provider control over information, and regulatory compliance. Figure 7 shows the cloud computing concerns of the ISACA/CSA cloud market maturity study respondents. FIGURE 7—Fear Factor of Cloud Adoption—Cloud Computing Concerns 54.0% 46.7% 39.8% 38.7% 37.5% 30.3% 21.4% 20.1% 16.8% 16.2% 15.5% 14.4% 14.0% Security/Privacy Data Ownership Legal & Contract Issues Regulatory Compliance Control Information Assurance Contract Lock-in Disaster Recovery/Business Continuity Performance Monitoring Performance Standards Longevity of Supplier Technical Stability Capability of Supplier 25. Masters Emison, Joe; “Research: 2013 State Of Cloud Computing,” InformationWeek, 2 April 2013, www.reports.informationweek.com/abstract/5/10475/Cloud-Computing/Research:- 2013-State-Of-Cloud-Computing.html 26. Healey, Mike; “Research: 2012 State of Cloud Computing,” InformationWeek, 31 January 2012, http://reports.informationweek.com/abstract/5/8658/cloud-computing/research-2012-state-of-cloud-computing.html 27. FedRAMP, Program Overview, www.fedramp.gov/about-us/about/ Cloud Computing Market Maturity © 2015 ISACA. All rights reserved. 9 Studies by other organizations report similar concerns about cloud computing and the main obstacles for cloud adoption. For example, the 2014 North Bridge study reports that security, privacy and compliance are the top inhibitors:28 • Although security declined as an inhibitor in 2013, to 46 percent, it rose again in 2014, to 49 percent. • The privacy inhibitor increased from 25 percent in 2011 to 31 percent in 2014. • Regulatory/compliance concern makes it an inhibitor for over 33 percent of the North Bridge survey respondents. • Inter operability dropped 49 percent as an inhibitor. • Concer n about lock-in is an inhibitor for 29 percent of the respondents. • Network bandwidth is an inhibitor for 25 percent of the respondents. • Concer n about reliability decreased from 30 to 16 percent, between 2011 and 2014.29 Cloud adoption in the European Union public sector is being delayed because of fears about how sensitive data can be secured, according to a 2015 report by ENISA.30 Growing complexity in the management of cloud services and providers is becoming as prevalent a fear as security.31 ENISA reports that European Union member states encounter the following challenges to cloud adoption for governmental services: • Data pr otection and compliance • Inter operability and data portability • Identity and access management • Auditing • Adaptability • Availability • Risk management • Detailed security service-level agreement formalization32 Overcoming Cloud Concerns Both cloud providers and users have a role to play in addressing cloud concerns. Cloud providers need to demonstrate their capabilities to deliver services in a secure and reliable manner. Enterprises must understand their own accountability for security and compliance and their responsibility for implementing the necessary controls to protect their assets. The following can also help to overcome concerns with cloud computing: • Cloud pr oviders understand that their survival depends on meeting user expectations. Robust security and reliability are part of the competitive advantage that can make a provider the preferred partner. • Cloud security processes are maturing to address security, privacy, data custodianship, and legal and contractual issues. • Over time, customer needs drive improvements in all areas, including security. • Enterprises may not want to wait until all cloud risk is addressed before adopting cloud computing for its benefits. • As cloud providers improve the features that make cloud attractive—on-demand, easy-to-scale and pay-per-use capabilities—cloud adoption will increase. • Major cloud providers should consider regional strategies for satisfying regional requirements for data security and privacy. Currently, the EU is leading the charge on privacy laws, while Asia is just beginning to consider privacy and cyberthreats as real concerns. • Contract lock-in may not be resolved completely until the cloud market reaches maturity and cloud services are more interoperable. > If cloud providers have heavy integration with business operations (i.e., managed services and SaaS), lock-in will remain pervasive, because changing providers can be costly and time-consuming and can potentially contain high risk and commensurate high impact. > IaaS is maturing to a level where enterprises are more confident to simply power these services on and off, based on demand. • Assurance over provider processes and procurement processes depends on the ability of the industry to provide suitable transparency mechanisms for a variety of requirements from various customers. 28. Op. cit. North Bridge 29. Ibid. 30. Burton, Graeme; “Cloud computing security and privacy fears stopping EU from moving to ‘government cloud’—report,” 3 March 2015, Computing, www.computing.co.uk/ctg/news/2397802/cloud-computing- security-and-privacy-fears-stopping-eu-from-moving-to-government-cloud-report. 31. North Bridge, “The Future of Cloud Computing 3rd Annual Survey 2013,” 2013, www.northbridge.com/2013-cloud-computing-survey 32. Op. cit. Burton Cloud Computing Market Maturity © 2015 ISACA. All rights reserved. 10 OUTLOOK Full cloud integration will be a key priority for enterprises over the next five years as cloud computing market maturity reshapes the landscape and awareness of cloud benefits increases. The ecosystem should become seamless among public, private and hybrid clouds. Public cloud popularity stems from the level of maturity that it has achieved in the last few years and the demonstrated robust infrastructure supporting this delivery option. The “public” connotation does not infer inadequacy; many public clouds are more robust and secure than private clouds. The hybrid cloud model will allow enterprises to use private and public clouds, depending on individual business goals. PaaS will continue to grow, but eventually it will merge with IaaS to create a new, more robust cloud service. Some of the drivers behind this convergence are the collaboration of PaaS and IaaS providers, the purchase of PaaS providers by IaaS providers and the fact that IaaS needs a platform to develop applications and PaaS is a natural option. Furthermore, PaaS users are finding this service to be complicated and incomplete for development efforts. By combining the strengths of PaaS and IaaS, cloud providers can offer what Forrester Research calls “IaaS-plus.”33, 34 Security and privacy concerns will continue to be a primary inhibitor to the adoption of cloud computing, but these fears will wane as enterprises continue to put more weight on reliability and scalability as the key factors in deciding whether to adopt cloud or maintain the status quo. An improved understanding of roles and responsibilities of clients and providers will further the development of security and privacy plans. The RightScale 2015 cloud study reveals that concerns about cloud security declined in 2014 to 41 percent; as enterprises gain more experience with cloud security options and best practices, cloud security concerns decrease.35 Cloud adoption rates in Africa, Asia and Latin America will start showing improvement in the next five years as more cloud providers invest capital to either start or expand services in these areas. High demand in developing countries will continue to grow, as enterprises better understand the positive impact that cloud can have on their business operations, including modifying existing processes and services and developing new capabilities that transform operations to create new value chains.36 The decision to invest in cloud products and services should be a strategic decision. Boards of directors and top management need to be involved throughout a cloud product’s life cycle. Any cloud-specific risk should be treated as a business risk, thereby requiring management to understand cloud benefits and challenges to be able to address cloud-specific risk. The assumption that cloud adoption is driven by IT is incorrect. Businesses want to be enabled and have already shown an appetite to adopt cloud even if the IT department has not sanctioned it. For example, Dropbox, which is a consumer- oriented, file-sharing application for sending large files to third parties or internal recipients, has been used to bypass antiquated email attachment policies that were established by IT departments. Regardless of who is driving the decision to adopt cloud services, the need remains for better explanations of the benefits that cloud can bring to an enterprise and how cloud computing can fit into an overall enterprise strategy. 33. Linthicum, David; “PaaS isn’t dying—it’s becoming part of IaaS,” InfoWorld, 21 January 2014, www.infoworld.com/article/2610224/paas/paas-isn-t-dying----it-s-becoming-part-of-iaas.html 34. Op. cit. Pariseau 35. Op. cit. RightScale 2015 36. Babcock, Charles; “Cloud Computing Can Drive Business Innovation,” InformationWeek, 10 February 2012, www.informationweek.com/cloud/cloud-computing-can-drive-business-innovation/d/d-id/1102781 Cloud Computing Market Maturity © 2015 ISACA. All rights reserved. 11 ISACA® ISACA helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus™ (CSX), a holistic cybersecurity resource, and COBIT®, a business framework to govern enterprise technology. Disclaimer ISACA has designed and created Cloud Computing Market Maturity white paper primarily as an educational resource for security professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, governance, risk and security professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment. Additional Resources ISACA: Cloud Computing: Business Benefits With Security, Governance and Assurance Perspectives Guiding Principles for Cloud Computing Adoption and Use Controls and Assurance in the Cloud: Using COBIT 5 Why Cloud Computing Should Be Part of Business Strategy ISACA Top 10 Technology Trends Cloud Security Alliance (CSA): Security Guidance for Critical Areas of Focus in Cloud Computing v3.0 Cloud Controls Matrix v3.0 Info Sheet Cloud Controls Matrix v3.0.1 GRC Stack Top Threats to Cloud Computing 3701 Algonquin Road, Suite 1010 Rolling Meadows, IL 60008 USA Phone: +1.847.253.1545 Fax: +1.847.253.1443 Email: info@isaca.org Web site: www.isaca.org Provide feedback: http://www.isaca.org/cloud- computing-market-maturity Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center Follow ISACA on Twitter: https://twitter.com/ISACANews Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial Like ISACA on Facebook: www.facebook.com/ISACAHQ Cloud Computing Market Maturity © 2015 ISACA. All rights reserved. 12 ACKNOWLEDGMENTS ISACA wishes to recognize: Theresa Grafenstine CISA, CGEIT, CRISC, CPA, CIA, CGAP, CGMA, US House of Representatives, USA, Vice President Leonard Ong CISA, CISM, CGEIT, CRISC, CPP, CFE, PMP, CIPM, CIPT, CISSP ISSMP-ISSAP, CSSLP, CITBCM, GCIA, GCIH, GSNA, GCFA, ATD Solution, Singapore, Vice President Andre Pitkowski CGEIT, CRISC, OCTAVE, CRMA, ISO27kLA, ISO31kLA, APIT Consultoria de Informatica Ltd., Brazil, Vice President Eddie Schwartz CISA, CISM, CISSP-ISSEP, PMP, WhiteOps, USA, Vice President Gregory T. Grocholski CISA, SABIC, Saudi Arabia, Past International President Tony Hayes CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Past International President Robert E Stroud CGEIT, CRISC, CA, USA, Past International President Zubin Chagpar CISA, CISM, PMP, Amazon Web Services, UK, Director Matt Loeb CAE, ISACA, USA, Director Rajaramiyer Venketaramani Raghu CISA, CRISC, Versatilist Consulting India, Pvt., Ltd., India, Director Jo Stewart-Rattray CISA, CISM, CGEIT, CRISC, FACS CP, BRM Holdich, Australia, Director Development Team Frank Guanco Cloud Security Alliance, USA JR Santos Cloud Security Alliance, USA John Yeoh Cloud Security Alliance, USA Ron Hale Ph.D., CISM ISACA, USA Cheryl Ritts ISACA, USA Eva Sweet CISA, CISM ISACA, USA Contributors Ali Adam Embassy of The UAE Kuala Lumpur, Malaysia Tabitha Alterman USA Andres Alvarez Spain Alexander Anoufriev ThousandEyes, USA Mariano J. Benito Gomez CISA, CISM, CGEIT, CRISC, GMV Solutions, Spain Roberth D. Chavez Jara CISA, Deloitte, Ecuador Chintan Chawla CGEIT, India Ramon Codina Munoz CISM, Villanova I La Geltru, Spain Adnan B. A. Dakhwe CISA, CRISC, CRMA, Protiviti Inc., USA Anthony Figueroa CISA, CSOE, PMP, PMOC, Microsoft, USA Vicki L. Gatewood CGEIT, CRISC, USA Nigel J. Hedges CISA, CISM, CGEIT, CISSP, Prospect Service and Growth Pty Ltd., Australia Masatoshi Kajimoto CISA, CRISC, Japan Valdez Ladd CISA, CISSP, Siemens Medical Solutions, Inc., USA Yves LeRoux CISM, CISSP, CA Technologies, France Sean McLeod CISM, CGEIT, CRISC, Long View Systems, The Netherlands Sylvester Muoki Joseph CISA, ITILv3F, Kenya Antonio Ramos Garcia CISA, CISM, CRISC, CDPP, exQSA, ITIL, Leet Security, SL, Spain Michael H. Piers CISA, CISM, CRISC, BS25999, CISSP, ITIL, Luxembourg Evan Scoboria USA Kendall Scoboria USA Sandeep Sharma CISA, India JD Sherry Cavirin Systems, Inc., USA John Simiyu Masika CISA, CISM, MCSE, Kenya Airways, Kenya Bob Sipes HP Enterpise Services, USA Joao Souza Neto CGEIT, CRISC, UCB - Catholic University, Brazil Jaroslaw Stawiany CISA, CISM, CRISC, Orange Poland, Poland Vishwanath Thanalapatti CISA, CISM, Infosys Ltd., India Tiamiyu Opeyemi Sunmonu CISA, Planned Parenthood Federation of Nigeria, Nigeria Ian L. Webster CGEIT, CRISC, Microsoft Corporation, Brazil Michael Yung CISA, CISM, Asia Miles Limited, Hong Kong Tichaona Zororo CISA, CISM, CGEIT, CRISC, CIA, CRMA, EGIT I Enterprise Governance of IT (Pty) Ltd., South Africa ISACA Board of Directors Christos K. Dimitriadis Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, International President Rosemary M. Amato CISA, CMA, CPA, Deloitte, Amsterdam, The Netherlands, Vice President Garry J. Barnes CISA, CISM, CGEIT, CRISC, MAICD, Vital Interacts, Australia, Vice President Robert A. Clyde CISM, Clyde Consulting LLC, USA, Vice President