Is regulation slowing down public cloud adoption?
Locations
This article is based on a speech given by Simon Briskman at the Westminster Forum, September 2011
The cloud is the start of a path towards true utility computing and can yield benefits for customers including low up-front costs, utility-based pricing and increased scalability. In theory, these benefits should make cloud services an attractive option for CIOs and according to the European Commission, cloud services are expected to generate revenues of almost €35 billion in Europe by 2014. But there are still hurdles to be overcome. The destination might be clear, but what is less certain is how quickly we will get there. One principle problem is the disconnect between what vendors are currently willing to offer and what customers need in order to meet and, equally importantly, demonstrate that they meet relevant compliance and regulatory requirements.
We often talk about the cloud, as if it is a standard offering. The reality is there is no standardisation of provision and no regulation of cloud offerings. Cloud services vary enormously, with each vendor offering its own solution. Providers range from niche players offering infrastructure, software-as-a-service and other products to meet specific needs, to vast corporations (Google, Amazon, Microsoft, HP and Dell) with wide-ranging offerings. M&A activity in the technology sector is being driven by major players looking to strengthen their cloud offerings.
When customers come to the market to seek cloud solutions, many are still not fully aware of the variety of service standards available and the differences in availability, security, robustness and other measures of technology performance. This is a genuine business issue in cloud procurements, but it also presents regulatory problems.
It is well known that there is a data protection issue in running cloud services. Data processed via cloud services may be moved to any part of the world. At the same time, EU data protection rules require sufficient protection if data is to be exported outside of Europe. Perhaps less well understood is that those controlling personal data, whether of customers, personnel or others, must keep that data secure, ensure it is used for the purposes it is gathered and comply with a range of other requirements. Organisations failing to do so are open to regulatory action and fines from enforcement bodies. It is therefore a compliance issue for the customer not just to check its cloud vendor has security measures in place but also to ensure those measures meet data protection requirements.
The problem gets worse when considering that Sarbanes-Oxley regulated companies such as those quoted on the NYSE, financial services firms regulated by the FSA, companies in the healthcare, aviation and other highly regulated sectors all have specific concerns to ensure data security and integrity and that they have robust access to their own data.
Some niche cloud providers cater specifically for these sector needs, but many mainstream cloud providers fervently believe that since they are selling utility computing, their customers must accept utility-style public declarations of reliability and utility-style no-recourse contracts. This jars with legitimate compliance concerns that many customers have.
Yet customers have to be realistic that the cloud infrastructure they buy into will not be perfect and outages and security breaches occur - if perhaps more publically when you outsource the job.
How long will it take for customers and suppliers in the cloud to meet half way? This is an incredibly important question on the path to mainstream cloud adoption.
Right now, many customers are opting for internal virtualisation projects (where they build their own personal mini-clouds); with some encouraged to have private clouds run by third party providers. Others run a mix of public and private clouds (so-called hybrid cloud solutions) depending on the sensitivity of data. Yet it is only as customers progress towards public cloud adoption that the full benefits of the cloud model will really be seen and utility computing become a mainstream reality.
This depends on cloud customers being convinced that public cloud solutions satisfy robust but achievable regulatory requirements which lead to only the most critical data being kept back at HQ. Cloud vendors and their customers have begun down this path but we anticipate continuing developments in the model in the immediate future.
Simon Briskman, Partner at Fieldfisher