It should come as no surprise at this point that organizations of all sizes are flocking to the cloud with high hopes of reducing CapEx, making OpEx more predictable, enhancing scalability, making management easier and improving disaster preparedness. In fact, here in the opening weeks of 2013, a new study by Symantec finds that 94 percent of enterprises are at least discussing cloud or cloud services, up from 75 percent a year ago. But Symantec also reports that companies that rush into cloud deployments inevitably encounter a host of hidden costs.
ReRez conducted Symantec's Avoiding the Hidden Costs of Cloud 2013 Survey from September to October 2012, gathering responses from 3,236 organizations in 29 countries—1,358 of the responses came from smaller and midsize businesses, while 1,878 came from larger enterprises.
"This is a broad, robust survey," says Dave Elliott, senior product marketing manager for Global Cloud Marketing at Symantec. "It was in planning for nine months and took two months to implement. What we found is that organizations have, in fact, actually embraced the cloud. Organizations have said, 'Yes, the cloud is a real thing. We're there.'"
But ReRez and Symantec also found that the path to the cloud is often a rocky one.
"There were a bunch of hidden costs or second-order issues that organizations are facing when they move to the cloud," Elliott says. "In their rush to the cloud, they perhaps haven't thought through all the implications of it. These second-order issues are significant, they're real, but frankly they're easy to overcome with just a little bit of planning."
The most common hidden costs are tied to rogue cloud use, complex backup and recovery, inefficient storage, compliance and eDiscovery issues and data in transit issues, according to the study.
Rogue Cloud Implementations
The survey found that 77 percent of businesses saw rogue cloud deployments last year (implementations of public cloud applications by business groups that are not managed by IT or integrated into the company's IT infrastructure). Rogue deployments are more common among enterprises, 83 percent of which saw them within the last year. Among the SMB respondents, 70 percent said they experienced rogue cloud deployments within the last year.
"It's not getting any better," Elliott says. "In fact, it may be getting worse. Seventy-nine percent think it's going to stay as bad as it is or get worse."
And those rogue cloud deployments often lead to issues. The survey found that 40 percent of organizations who reported rogue cloud issues experienced the exposure of confidential information as a result. More than 25 percent said they faced account takeover issues, defacement of Web properties or stolen goods or services as a result.
"By taking control of cloud deployments, companies can seize advantage of the flexibility and cost savings associated with the cloud, while minimizing the data control and security risks linked with rogue cloud use," says Francis deSouza, group president of Enterprise Products and Services at Symantec.
Cloud Backup and Recovery Issues
The survey also found that cloud complicates backup and recovery.
"Organizations are rushing to move to the cloud, but they don't think through how important backup and recovery is," Elliott says. "Sixty-one percent of respondents use three or more solutions to back up physical, virtual and cloud data. That's just really inefficient."
It leads to increased risk and training costs, he says. In addition, 43 percent of organizations say they have "lost" cloud data (47 percent of enterprises and 36 percent of SMBs) and had to recover from backups. Elliott clarifies that "lost" could mean actually lost, but it could also mean deleted or even lost or damaged by the cloud service provider. To make matters worse, 68 percent of organizations reported recovery failures when attempting recovery of data in the cloud.
That includes data that may have been recovered eventually, but not in time to meet a particular need. Twenty-two percent of organizations report that it can take three or more days to recover from a catastrophic loss of data in the cloud.
Inefficient Cloud Storage
The simplicity of provisioning storage in the cloud leads to another hidden cost, according to Elliott. One of the reasons organizations love cloud storage is that they pay only for what they use, in theory anyway. But that's true only if you work to maintain efficiency. While most organizations strive to maintain a storage utilization rate above 50 percent, cloud storage utilization is much lower: a mere 17 percent on average. Enterprises do a little better here with an average utilization rate of 26 percent, while SMBs only manage a "shockingly" low 7 percent average utilization. The problem is compounded by the fact that about half of organizations admit that little if any of their cloud data is deduplicated.
Compliance and eDiscovery Concerns
"Organizations are concerned about meeting their compliance obligations when it comes to data in the cloud," Elliott says. "Even more so, they're concerned about proving compliance as they move to the cloud. Twenty-three percent of respondents have been fined for privacy violations in the cloud. That tells me that this is a bigger problem than most people have recognized. As more and more data moves to the cloud globally, there's more and more regulation about how that data needs to be managed. As you move to the cloud, you really need to think about compliance in the context of the overall organization."
The survey found that 49 percent of organizations were concerned about meeting compliance requirements and 53 percent were concerned about being able to prove they have met cloud compliance requirements.
Organizations are also struggling with eDiscovery when it comes to the cloud. The survey found that more than one-third of organizations have had an eDiscovery request for cloud data and two-thirds of that group missed their deadline, leading to fines and legal risks.
"Forty-one percent weren't ever able to find the data," Elliott says. "Taken together, those create significant liability."
Data in Transit Issues
Managing the exploding number of SSL certificates held by organizations is already a struggle today, and the cloud is compounding the problem, according to the study. Assets in the cloud require SSL certificates to protect the data—personal information, financial information, business transactions and other online interactions—in transit.
"The cornerstone of cloud transactions is SSL encryption," Elliott says. "You have to be able to manage your SSL certificates in an efficient way. Only about 27 percent of organizations say managing SSL certificates related to the cloud is easy. Many think it's highly complex. And 40 percent say they're not sure their cloud partner's certificates meet or comply with their own internal corporate standards."
4 Steps to Avoid Hidden Cloud Costs
While the hidden costs of cloud deployments may be plentiful, Elliott says the good news is those hidden costs are easy to overcome with a bit of planning. He recommends four simple steps IT can take to avoid the hidden costs of the cloud:
- Focus policies on information and people, not technologies or platforms. Cloud technologies and platforms are evolving at a rapid pace, Elliott says, and too much policy focus on technologies and platforms can lead to getting left behind. By focusing policies on information and people, you'll stay nimble regardless of the technology or platform you use.
- Educate, monitor and enforce policies. "There is an education process here," Elliott says. "Like anything else, it takes time to mature. You need to monitor their performance and have mechanisms in place to enforce your policies."
- Embrace tools that are platform agnostic. Platform-specific tools increase the cost of migrating to a new platform when necessary.
- Deduplicate data in the cloud. "You're paying for the storage you use," Elliott says. "Deduplicate and you use less storage, reducing your overall cost."
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com.