"Government regulations keeping pace with the market," "exit strategies," and "international data privacy" were found to be the top three areas where organizations have the lowest confidence in cloud computing.

The findings were based on the first global survey jointly conducted by non-profit organizations ISACA and Cloud Security Alliance (CSA) on 252 participants in 48 countries, representing cloud users, providers, consultants and integrators from 15 industry segments.

In the "Cloud Market Maturity study," those who identified themselves as cloud users (85%) were asked to rank on a scale of zero to five a number of considerations in cloud computing, with zero being the least confident. The following shows the top 10 issues that cloud users have (ranked from least confident to most confident):

  • Government regulations keeping pace with the market (1.80)
  • Exit strategies (1.88)
  • International data privacy (1.90)
  • Legal issues (2.15)
  • Contract lock-in (2.18)
  • Data ownership and custodian responsibilities (2.18)
  • Longevity of suppliers (2.20)
  • Integration of cloud with internal systems (2.23)
  • Credibility of suppliers (2.30)
  • Testing and assurance (2.30)

"One of the most interesting findings is that governance issues recur repeatedly on the list of the top 10 concerns. Cloud users recognize the value of this [cloud computing] model, but are wrestling with such questions as data ownership, legal issues, contract lock-in, international data privacy and government regulations," said Michael Yung, past president of ISACA Hong Kong Chapter.

"I am aware that in one of the worst cases, a cloud service user has lost its data completely as a result of vendor lock-in."

-- Antony Ma, chairman, CSA Hong Kong & Macau Chapter

"Government regulations keeping pace with the market" refers to data jurisdiction requirements, Yung said. Some of the common issues include whether a company's data can be stored outside of Hong Kong, and whether their data will be viewed or obtained by other governments. Some enterprise cloud users are also concerned about the performance of utilities like power availability, in certain countries where their cloud service providers operate their facilities in.

Concerning exit strategies, the survey respondents were keen to know whether it is easy for them to exit a cloud service and migrate their data from one cloud service provider to another, should they become unsatisfied with the existing cloud service.

As for contract lock-in, survey respondents in Asia did not see this as significant a problem in terms of being addressed as do their counterparts in Europe or North America. However, Asian participants have less confidence that exit strategies are being addressed when compared with European or North American participants.

"Vendor lock-in does not necessarily mean that a cloud user will be stuck with a cloud service provider," said Yung. "Rather, it often requires the cloud service user to go through complicated procedures to retrieve the data [from a proprietary cloud-based service.] For example, one needs to spend the cost of writing a software, exporting the data, and importing the data to a new system."

"I am aware that in one of the worst cases, a cloud service user has lost its data completely as a result of vendor lock-in," said Antony Ma (pictured, right), chairman of Cloud Security Alliance (CSA) Hong Kong and Macau Chapter. "Therefore, when companies use cloud services that are new in the market, which offers a free video encoding platform, for example, the user has the responsibility of looking after the its data."

Developing and adopting industry standards

"When it comes to testing and assurance, cloud users would want to know how it can test the cloud services. This includes stress test, disaster recovery and business continuity planning," Yung said.

The IT industry often discusses the need to develop and adopt cloud standards. Standardization of the cloud will involve the areas of governance, audit and product and data interoperability, and some commonly adopted standards include COBIT, OCF (Open Certification Framework developed by Cloud Security Alliance) and ISO27001 on information security.

"As cloud services continue to evolve, it is critical that we work together as an industry to provide insights and recommendations on these issues so that service and solution providers can look to innovate and deliver what the cloud services market needs to advance and what enterprises need to succeed," Yung said.

In Hong Kong, the Office of Government Chief Information Officer (OGCIO) has in April formed the Working Group on Cloud Computing Interoperability Standards (WGCCIS), under the Expert Group on Cloud Computing Services and Standards announced in March. WGCCIS carries the aim of developing the best practices on interoperability and portability in cloud computing, and contributing to the development of cloud standards by governmental and standardization organizations in China, among many others.

There have also been industry efforts to drive standardization of cloud computing. In April, six local ICT bodies and quasi-government ICT bodies in Hong Kong found the Hong Kong Cloud Standards Alliance. The Alliance aims to develop "the best and the most appropriate practices scheme, and promotes cloud computing connectivity standards across the different industry sectors and regions."

Further business buy-in needed

While there are many positive indicators that support the planned adoption and perceived use and value of cloud services in the years ahead, there remains much progress to be made to engage and gain the buy-in among business leaders.

"As a first step, we as an industry must still work to provide a clearer definition of what cloud is and how the many innovative and secure services can help positively impact today's businesses," said Antony Ma, chairman of Cloud Security Alliance (CSA) Hong Kong and Macau Chapter. "But, we need to start at the top and engage senior management. Cloud needs can no longer be thought of as a technical issue to address, but rather a business asset to embrace."

Aren't there numerous cloud definitions in the market already? Are all these definitions unclear?

The problem is, "cloud" has been interpreted too broadly. "A lot of definitions of 'cloud computing' broadly cover internet-based data transmission, so 'cloud' was being equated with the internet," said Ma. "Such a broad interpretation mix up services, applications and data all together, does not help anyone, not the buyers or the sellers."

Business enablement factors

The survey also asked the respondents to rank on a scale of zero to five a number of considerations in cloud computing including:

  • Use of cloud services and level of satisfaction
  • Factors in making cloud decisions
  • Level of cloud maturity
  • Innovation in the cloud
  • Expectations about the cloud
  • Cloud support for business goals
  • Forces that influence adoption and innovation
  • Confidence and optimism in the cloud market

Results of the study provide much insight on the progression of cloud adoption. For example, business enablers (score 4.08) rather than financial considerations (score 3.5) are the primary factors in making cloud decisions, with the least important factor being the ability to reduce the environmental footprint of the organization (score 2.67). The business enablement factors that most influence cloud computing decision making are related to the reliability and availability of services (mean score 4.59) and quality of service (score 4.29).

Overall, respondents feel there is room for improvement when it comes to innovation in the cloud. Nearly one in four (24%) survey takers indicate that there is no or limited levels of innovation in the market. Forty-three% of respondents believe there is a moderate level of innovation, while 33% report that the level of innovation in terms of products, services and business use is significant.

"Survey results show that CIOs and IT management understand cloud best and are most involved in driving cloud innovation in their organizations. This limits cloud maturity and innovation since cloud continues to be viewed as a technical solution and not as a business enabler," said Yung. "Cloud can provide business-building innovation, but to get to that point, there needs to be more buy-in and a better understanding among business leaders and C-level executives of the cloud's value and risk."

Nearly all respondents feel that cloud computing is far from reaching maturity, with only software-as-a-service (SaaS) cautiously placed at the earliest state of growth level, with infrastructure and platform services still considered in the infancy stages.

Still, the respondents remain moderately confident that cloud services are meeting service and strategy expectations and that problems are being addressed. Many rated cloud services as providing confidence in strategy and problem resolution (means score 3.47), indicating cautious optimism that cloud will advance in maturity and problems limiting its adoption will be addressed.

The full survey report is available at www.isaca.org/cloud-market-maturity and https://cloudsecurityalliance.org/research/collaborate/#_isaca.