Placing Your Trust in the Cloud

Arguably the single biggest challenge for Cloud vendors is helping customers understand and justify the implications of handing over not only data but business processes to a Cloud Vendor, especially when the Cloud space has lacked maturity and standards.

And it’s becoming an increasingly important decision: as Cloud becomes the “default” choice for many businesses, they need to understand where their data is and how safe it is.

Yes, Cloud Computing is still in its relative infancy, but it’s growing up fast. To hear a highly respected and influential Gartner analyst saying that he rarely recommends anything but SaaS solutions to companies looking to change their email security service shows that the die is well and truly cast. It’s a similar picture in the archiving space. SaaS vendors are growing far faster than their on-premise counterparts, although SaaS still accounts for a small share of the overall market. And of course, with Microsoft’s strategic priority to transfer the on-premise dominance of Exchange into the cloud (with Office 365), it’s fairly clear that at some point in the future, all these technologies will be delivered to customers from the cloud.

It’s a matter of when, not if.

What’s surprising, however, is that there seems to be a two-stream approach to Cloud adoption, the haves and the have-nots: those who have Cloud and those who don’t. Yet.

On the one hand, especially in the SMB and midmarket, cloud vendors are now dealing with a far more enlightened customer base.  Many CIOs are now on their second or third cycle of purchasing cloud services.  They have wised up to vendors who over-promise, or hide behind bogus SLAs, and they will have rejected out of hand any service that doesn’t do what it says on the tin.  Their next decision could potentially be based on a specific business or technical need, but more likely, it will be based not simply on the service but on the vendor’s approach to delivering that service.  In other words, it will be based largely on the vendor itself.

The second stream is persuading the have-nots, often larger enterprises, to adopt by convincing them that their data is safe in the cloud. This is a slower burning challenge, because these businesses often have massive legacy investments in on-premise IT resources, both in terms of tin and human capital. That makes a move to cloud technology not only a technological change in mindset but a cultural shift as well. But it doesn’t matter how big the organization is, the pressure on IT departments to reduce costs while delivering more value is the same. And most if not all roads lead to the cloud.

But IT departments needn’t fear: Jevons Paradox predicts that more IT will be required in the future, not less. It’s just going to be different from what they’re doing today. But that’s technology for you. When was the last time IT staff used their Windows 3.1 skills?

The danger here is that CIOs of large enterprises tend to ‘trust’ the biggest, most established technology brands with the deepest marketing pockets, best placed to “Cloudwash” their dated technologies. I use the term ‘danger’ because, when it comes to cloud, money can’t buy you trust.  The big brands have whole shoals of fish to fry and are usually more interested in wooing consumers than they are safeguarding the interests of customers and their data.  For smaller, pure play cloud vendors like Mimecast, this is ALL we do.  And that means we can’t slip up.  So we have to earn trust the hard way, and the only way.  And that’s by building a history of excellence in delivering Cloud Services.

For those CIOs who’ve already made the leap of faith and are committed to a cloud strategy, we’re now hearing – anecdotally at least – that customer service and support has jumped up the purchasing priority list alongside cost. That is largely because customer support has been the single biggest pain point for consumers of cloud services over the last two years. Why? Because it is, arguably, the most underinvested business function in the cloud industry.

But of course, the economics of SaaS and cloud only work if you retain those customers for long periods.  At Mimecast we retain over 98% of our customers. It goes without saying that the product has to work.  But perhaps the key variable is our ability to look after our customers.  To put it politely, the cloud industry has a patchy record in providing customer service.

To some extent, then, in the SMB and mid-market space, there will be a period of ‘natural selection’, where the new breed of cloud savvy IT purchasers weed out the suppliers whose service doesn’t match the promise, for whatever reason -- unreliable product, unrealistic SLA, non-existent support, dodgy security protocols, or fudged solutions built on OEM arrangements or poorly integrated acquisitions.  The cloud vendors who are playing the long game and investing properly where it matters will rise to the top through this process, and others will fall by the wayside.  (In fact we’re already seeing this happening in the early part of 2012.)

For first-time purchasers and larger enterprises, though, we still have to help them with their trust issues, and we won’t achieve that by focusing on customer service excellence. Instead, we have to put our weight behind meaningful industry initiatives that can turn ‘trust’ from an intangible to a tangible purchasing criterion. One example of this is the Cloud Security Alliance’s Security Trust and Assurance Registry, or STAR, which is addressing the need for Enterprises moving applications and data to the cloud, or consuming a provider’s services, to understand cloud provider security. Another is an organisation’s willingness to adhere to security standards such as ISO 27001. But providers remain hesitant to give up proprietary information, or expose themselves to exploitation. In fact, to date, only Mimecast, Microsoft and Solutionary have agreed to publish their STAR controls.

Transparency is clearly going to be a major factor in the success of cloud technology, particularly as a means of building confidence amongst enterprise CIOs that their data is safe and secure in the cloud. But while we will continue to embrace standards initiatives such as STAR and ISO 27001 that make trust a tangible factor, our growth in the mid-market will most likely come from good old-fashioned values, such as delivering strong after-sales support, and from sharing stellar recommendations from existing customers.

STAR launched in the fourth quarter of last year and its aim is to be a public repository of providers’ security controls. Providers who are STAR members can fill out either the CSA’s Consensus Assessments Initiative Questionnaire or the Cloud Controls Matrix framework questionnaire, both built according to the ISO 27001 standard, and ultimately agree to have that data published online and publicly accessible. 

Image CC Flickr- Lyncis