This guest blog was written by Robert Mahowald, a Group Vice President at IDC who leads IDC's Worldwide Applications research practice, in addition to co-leading IDC's Cloud Services: Global Overview program.
A surprising set of facts emerged from the most recent quarterly installment of IDC's CloudView 2017 survey (February 2017, n = 6,212 tech buyer respondents in 31 countries): Year-over-year, the percentage of organizations sourcing their tech capability from cloud providers grew 137%.
But that's not all that's new:
- In large companies, respondents choosing net new and replacement technology for their companies stated that they will go "cloud-first" for these services, rather than "cloud-also" or "cloud-last"
- The percentage of organizations that are "multi-cloud" is on track to grow from 70.6% today to 91.7% within 24 months
- For the first time, respondents pointed to "security" as the #1 driver for their company's use of cloud technology
What's not new is that security retained the pole position among cloud inhibitors. We believe this apparent contradiction stems from an understanding among corporate security managers that for cloud infrastructure, security, and applications providers, somebody will be on the hook for the end-to-end security of enterprise data and other resources in the looming multi-cloud world. Who that somebody is, however, is not always clear.
But this "inside-out" transformation of where key enterprise IT assets live today and tomorrow is also turning the conventional enterprise security model on its head. The old ways of securing corporate assets involved putting a firewall around the datacenter, creating a trust model centered on a single physical location, and having bespoke "tunnels" (VPNs, proxies, remote desktops) into the trust zone. This model made sense when 100% of the technology most employees needed was in the datacenter or a web app, and employees sat in the office Monday through Friday. Today, a datacenter-centric trust model means that to onboard third-party contractors, IT typically has to ship laptops with full VPN access, and come up with other workarounds. Extending the CPE-centric trust model to mobile and remote access has meant more complexity with limited performance gains. Kludgy network access control software, or enterprise mobile device management overlays, are hard for both users and admins, and the fix is often to move stuff to the DMZ, and compromise the firewall even more.
Today we have distributed businesses, highly mobile sales forces and contract workers, and a more forgiving policy around employee hoteling and home offices. And the technology we rely on is no longer confined to the network datacenter: 80%+ of U.S. businesses use at least one SaaS application, and many use 10 or more. Building and testing code, storage, and analytics are among the top uses of cloud infrastructure, and 67% of U.S. businesses use Cloud IaaS services. Like the apps on our phones, the enterprise applications that provide the most value are composed of physically heterogeneous services for update, content delivery, orchestration, and synchronization across the public internet.
Cloud use is growing rapidly. Our research indicates that the cloud software market is over $70 billion in revenue and growing at a 24% rate. SaaS delivery growth will outpace traditional software products delivery, growing nearly five times faster than the traditional software market. IDC forecasts that by 2019, the cloud software model will account for $1 of every $3.65 spent on software, including maintenance. This new reality, that IT organizations are serving a highly mobile set of constituents and are increasingly managing "multi-cloud" topologies, is causing IT architects to think about the network perimeter in new ways.
In an IDC/Akamai SaaS User Needs Survey (August 2016, n = 704 respondents in 9 countries), tech buyers perceived clear agility, flexibility, and overall cost advantages with cloud but reported that it is harder to obtain end-to-end visibility over composite applications and networks. The cloud (and SaaS) model usually means that while the burden of delivery is on providers, these same providers lock down network components and servers so they can't be independently and granularly managed as they would be in a company datacenter. The time of security focused on packets, ports and protocols is over. Another survey finding is that in addition to greater cloud use by IT admins and employees, the predominant traffic pattern is no longer a simple north-south connection between the enterprise private cloud and a single provider cloud, or even hub and spoke. Instead, as devices, employees, and ecosystems diversify, and the cloud providers we depend upon multiply, traffic has become a complex set of east-west hops that are vastly more difficult to see, control, and secure. Tech managers are realizing that cloud is not one static environment but many dynamic individual environments.
The customer expectation for security in the cloud is also quickly changing. IDC believes that by 2020, public/provider-based cloud will be the "secure" choice, using cloud-based encryption, threat analytics, "distributed ledger" data and storage tiers, and network protection. Enterprise applications architects will have to defend their choices for introducing new risk and not deploying in the cloud. The same is true for commercial firms currently running in their own datacenters or in colocation sites. IDC expects that customers will become more discriminating about how quickly individual providers with smaller security teams can react to fast-moving malware threats, and they will begin to look to a set of providers built and run on hyperscale cloud platforms that inherit the performance, security, and redundancy attributes of these much larger operations.
IDC believes that success comes from "taking the fight where it belongs." A cloud-based perimeter is now a key part of the IT transformation effort of most network architects, and for good reason. It moves toward what it must protect (applications, data, and users), wherever they are. In a cloud-based perimeter, nobody is "trusted." Everyone and everything trying to gain access to the corporate namespace, no matter where it sits, requires sophisticated authentication and authorization. Securing only the datacenter, or even the WAN, is no longer feasible or effective. Security managers need to secure their users and applications accessed over the internet, including any physical and virtual location where their namespace and their assets reside.
Robert Mahowald is a Group Vice President at IDC and leads IDC's Worldwide Applications research practice, in addition to co-leading IDC's Cloud Services: Global Overview program. He leads a team of analysts responsible for IDC's coverage of the CRM portfolio; the ERP portfolio; SaaS, PaaS, and Cloud software research; Commerce; Software Licensing and Delivery Models; Mobile Applications; Collaboration; and Customer Experience. In his role Robert advises clients on key trends and opportunities in the changing world of applications, platforms, and software creation and delivery in the age of cloud. An experienced speaker, Mr. Mahowald is well-known as a subject matter expert in the areas of applications, software platforms, SaaS, and software application delivery, and he has been a featured lecturer at various executive events, industry seminars and conferences, and on such television programs as CNBC, Bloomberg, and CNET TV. Mahowald's research and commentary have appeared in trade journals and publications including The Wall Street Journal, USA Today, The New York Times, and Investor's Business Daily.
A 20+ year industry veteran, Mr. Mahowald previously led research for IDC's Collaborative Computing practice, and SaaS and Cloud Software research. Before joining IDC, Mr. Mahowald served in a variety of technology systems design and procurement roles for the US Department of Defense and the US Defense Intelligence Agency, and as an officer in a 26-year career in the US Army. Mr. Mahowald earned his B.A. from the University of Iowa, in Iowa City, IA, and his M.A. from Wesleyan University, in Middletown, CT.