Cloud computing has been around for decades, better known as IT services in its earlier avatar, but it has never seen the growth it is experiencing today. Backed by key advances in technology, this area of computing is the key to improving business agility and increasing everyone’s access to computing. It has been widely hailed as one of the most important computing trends of all time, called the “foundation for the technology industry’s next 20 years of growth” by research firm IDC. According to the 2011 Global Information Security Survey (GISS) conducted by Ernst & Young, 61 per cent of respondents are currently using, evaluating or planning to use cloud computing-based services within the next year, indicating an increasing focus on adoption of cloud. What has really propelled this sudden interest is the widespread availability of high-speed internet and a significant reduction in storage cost, which in turn have ensured that service providers can finally build infrastructure and applications to meet buyers’ need for simplicity, cost and flexibility.
The rapid advent of cloud in almost all spheres of computing is benefitting both business and individual consumers. For business organisations, it means significant cost savings coupled with greater flexibility, as they can pay per use and scale up or down with ease when they need to. Organisations no longer need to build and maintain IT infrastructure; they can simply focus on value-creating differentiation that rides atop that infrastructure. For individual consumers, almost all aspects of their daily lives are being touched by the easy access afforded by the recent proliferation of smart handheld wireless computers, whose application functionality is provided by the cloud. Cloud computing has the potential to instantly deliver simple, easy-to-use, sophisticated and high-powered computer applications and information that consumers could not otherwise access. With the adoption of cloud becoming more widespread, the enhanced business agility is likely to lead to an increasing pace of change for all industries worldwide.
Cloud computing services are available across the entire computing spectrum; the three primary service models defined by the US National Institute of Standards and Technology are infrastructure as a service, platform as a service and software as a service. Hybrid models are also gradually emerging; for instance, some components of the above three can be combined to offer an entire business process as a service.
According to the 2011 GISS survey conducted by EY, more than half of the respondents have done almost nothing to mitigate new or increased challenges related to the use of cloud computing. As mainstream adoption of cloud services begins in earnest, there is a multitude of factors that cloud service providers (CSPs) and cloud users must carefully consider; some of which are mentioned below.
Pricing and business models: The most compelling reason for most businesses to consider changing to a new approach and adopting cloud services is the cost advantage they stand to gain: not just spending less than they do today, but saving enough to justify taking the “cloud” plunge. But the business models in cloud computing are often not simple. The much-advertised “pay only for what you use”, whether as a flat-rate subscription fee per user or a pay-as-you-go usage fee for precisely defined service levels, turns out to be far more complex as you dig deeper. For the CSP to determine the right price points, a thorough analysis encompassing the full range of costs necessary to sustain the services over the long term is required (including aspects like upgrades, maintenance, capacity planning and incorporating innovative new technology). They then need to articulate to potential customers how they create tangible economic value compared with the customer’s existing models. As it is a relatively new market, not many service providers have experience with pricing cloud computing business models yet, and hence more changes are likely to happen in pricing models for cloud services in times to come.
Vendor management and strategic sourcing: Moving to cloud services comes coupled with challenges of vendor management, as organisations lose some control and are not able to have a transparent view of the infrastructure at the CSP’s end. Deciding what to put on the cloud is also based on concerns around data security, privacy and compliance, as well as on what application functionality can be easily extracted from the rest of the enterprise architecture. Strategic sourcing decisions need to be constantly revisited as maturity levels evolve, and organisations will need to shift their focus from having technical experts to having people more skilled at managing vendor relationships.
Availability and interoperability: Diligently matching the availability and interoperability attributes of a CSP to the requirements of an organisation’s business is imperative to achieving the promised benefits of switching over to the cloud. While availability challenges are easier to manage, addressing interoperability (enabling processes from different IT systems to work collaboratively or to share data) will pose formidable challenges, as seen in the past, and will remain the make-or-break factor in many cloud migration decisions.
Security: It is extremely difficult for organisations to forgo control of the security of their IT infrastructure, a fact corroborated by various surveys. A research survey of North American and European businesses found 50 per cent of respondents citing security concerns as their chief reason for avoiding cloud computing. Organisations looking at adopting the cloud should undertake thorough due diligence, matching their risk posture and security requirements to the risk posture, service level agreements and demonstrated capabilities of the provider. Research projects that within five years cloud security will become one of the prime drivers for adopting cloud. The reason for the shift of security from concern to driver is that CSPs are expected to invest far more in the development of their security infrastructure and expertise than any typical enterprise.
Standards and risk management: Relinquishing control means adding a degree of risk to the current situation; hence, for organisations looking at cashing in on the opportunity by adopting cloud, the associated risks need to be carefully managed. Data security and privacy breaches, as well as regulatory and legal compliance, are the areas which undergo the most changes from a risk management perspective while moving to cloud services. Cloud computing being a relatively recent phenomenon, development of standards for the cloud is underway, and risk management will become easier for CSPs as well as their users once such standards are in place. Currently, efforts to address risk management are disjointed and inconsistent, as there are no definitive standards and no agreed-upon baseline. Users are presently turning to standards originally created for different purposes; most CSPs have developed their technologies adhering to such prior standards in areas such as security, networking and protocol standards.
Government: Cloud computing is also being adopted widely by governments worldwide for their own use, for much the same advantages as are sought by private organisations: lower cost, increased agility, reduced energy consumption and increased access to services. However, for governments, concerns about security, privacy and data location are of paramount importance, and hence CSPs need to be extra cautious about handling these concerns while doing business with the government. Another key aspect that CSPs need to consider carefully is the organisations’ capability to adapt to the changes that frequently happen in the cloud ecosystem, it being an evolving field, whereas governments are not known to be early adopters of change. Another important priority for governments is to be able to switch vendors if required, which makes the establishment of interoperability standards in cloud an imperative.
Accounting: The cloud services delivery model, which allows a fast and easy way to integrate applications, platforms and infrastructure, gives rise to practical complexities in accounting for cloud services transactions, which often create accounting challenges for CSPs, particularly around revenue recognition and the treatment of certain costs. Revenue recognition needs to be carefully contemplated by CSPs, aiming to make it more predictable (as is the case with longer service contracts), in turn making forecasting and revenue expectations easier.
Cross-border taxation of CSP arrangements: As multinationals respond to their customers’ requests for global service delivery, cloud computing models will play a critical role in how these companies build their service delivery models. Such models are ensuring global service delivery by CSPs, but the world’s taxing authorities have not evolved a definitive model for its taxation. Most jurisdictions, to date, view CSPs as the responsible party for tax purposes regardless of any arrangements struck between CSPs and their users. A complete range of tax implications for CSPs will continue to evolve and more clarity around this will emerge in times to come.
Regulatory and privacy compliance: As cloud computing services often strive to be borderless, potentially material compliance issues with respect to national regulatory frameworks, especially regarding privacy and data location, can arise for users of cloud services. A research survey of North American and European businesses found that 77 per cent of respondents believe cloud computing makes privacy protection more difficult. Beyond data protection, the core privacy problem for enterprise businesses adopting cloud computing stems from the diversity of privacy regulations from country to country.
Industry-specific compliance requirements such as the Health Insurance Portability and Accountability Act, the Payment Card Industry Data Security Standard, etc. may also require special arrangements between cloud users and their CSPs. CSPs should approach compliance as a potential competitive advantage, whereas cloud users should do their due diligence to determine what contractual commitments, regulatory requirements, technical capabilities and support a CSP offers, and how they can be monitored. Some predict the creation of specialised “compliant clouds” that will offer certified compliance with specific regulations for different industries and countries, including a guarantee to store and manage data within the borders of a given nation, as appropriate. As the cloud computing model becomes mainstream, higher-level services, that is, business process as a service, will evolve.
The potential of cloud to transform the business enterprise is increasing as cloud computing gains traction with a variety of organisations and user groups across the globe. Treading the next few years cautiously, and taking definitive steps after careful consideration of the factors outlined above, will truly determine how much impact the “cloud” will have on businesses and users worldwide.
Co-authored by Mini Gupta. Parulekar is partner, advisory services, and Gupta is senior manager, advisory services, Ernst & Young. Views expressed are personal.