Benefits and Challenges

Firms cited several different benefits and challenges they encountered during their cloud journey.

In particular, firms noted that in assessing the potential benefits and challenges related to the use of cloud computing it is important to assess them in comparison to the other alternatives available to firms, such on-prem environments (which carries its own relative benefits and challenges). The discussion that follows highlights some of these key benefits and challenges noted by firms related to their agility, resiliency, cost structure, cybersecurity, staffing, and operations.

• Agility: Several firms indicated that cloud-based technology infrastructure may allow them to be more innovative and nimbler in deploying new products and services. Some firms noted that time-to-market was improved in comparison to an on-prem environment because they did not have to provision for new servers and personnel to configure and maintain them. Instead, on the cloud, resources for new projects could be spun up within a day instead of within months and could be scaled up or down as needed. This enhanced ability to “fail fast” without incurring significant costs increased their capacity to develop new products and services. In addition, the cloud environment was cited by firms as being highly modular, enabling firms to select from a host of software and tools that can be customized to firms’ needs. Cloud service providers noted the parallel of building in the cloud to building with LEGOs, with a much broader menu of tools and applications to use than might be available with existing legacy infrastructure. To fully leverage the cloud, however, firms also noted the importance of modifying workflows and the challenges involved in changing these workflows particularly in large organizations.
   
• Resiliency: Firms’ views on resiliency generally focus on the ability to provide services in the face of any adverse external event or stress. The onset of the pandemic was an example of an adverse shock that tested firms’ ability to accommodate surges in market activity and a shift to remote work for employees. Firms hosting or consuming applications on the cloud generally found comfort in the rapid scalability of cloud services as well as the geographically distributed nature of cloud providers’ data centers so as to provide secure back-up storage and create more of a seamless failover solution should one data center or area suffer outages. The ease of scaling up computing usage within the cloud provided firms with high responsiveness to the surge in demand for IT resources that firms experienced during the pandemic. The ability to easily scale was noted as a benefit not only in the face of major external events but for day-to- day workloads, particularly for firms whose computational demands varied by time and had peak demands that were significantly larger than their average use. In addition to the resiliency benefits, however, firms also noted that cloud computing presented challenges with respect to resiliency as they considered issues related to lock-in risk to any cloud service provider.
   
• Cost Structure: Firms indicated that the potential cost implications of cloud migration were nuanced and dependent on factors such as activities conducted in the cloud, time horizon, resource governance and the condition of legacy system being retired. With respect to activities and time horizon, many firms considered that the financial benefit of migrating to the cloud might be felt only in the longer term, particularly with respect to activities where the computation and data storage needs of the firm did not fluctuate. In addition, firms noted challenges associated with closely monitoring, managing, and optimizing cloud usage, given that on-demand operating expenses could easily accumulate when opportunities for consumption are vast. In the short term, the costs associated with retraining staff and hiring new expertise also may present challenges for firms. Other transition costs include time and expenses needed to refashion existing workflows and rearchitect data and applications to take advantage of a cloud environment. The opportunity cost of foregoing existing infrastructure is also a consideration. Despite many of these structural and short term challenges, though, several firms noted that in the long term, they viewed a cloud-based infrastructure as being a cost benefit by better enabling them to align their costs to their needs on a real-time basis and by providing opportunities to create operational efficiencies. Firms also noted the potential opportunity to enhance revenues by more efficiently delivering competitive products and services.
   
• Cybersecurity: Firms cited cybersecurity as a potential benefit to cloud computing due to the many security features available in a cloud environment, in part, because of cloud service providers’ ability to enjoy economies of scale in managing massive data centers. However, several firms noted challenges in making sure their systems are appropriately configured for security on the cloud and indicated that the cloud environment could be less secure than an on-prem environment if appropriate measures were not taken. For example, developing appropriate encryption and key management protocols were cited by firms as important components to developing comfort to committing sensitive data to the cloud. Automating certain processes was also cited as advantageous for minimizing human error. Firms also noted the importance of correctly identifying responsibilities for maintaining cloud security (i.e., the safeguarding of data and systems associated with cloud computing) to limit the potential for security or control gaps or misconfiguration of cloud resources based on the mistaken assumption that the cloud service provider would take on cloud security tasks that the firm should be assuming. As seen below, firms perform varying number of tasks for maintaining cloud security at different levels of service.²⁶

The challenges of maintaining a strong cloud security posture exists on many levels, and that was reflected by firms. Many firms noted the importance of well-designed governance policies that clearly laid out roles, processes, standards, and accountability around security in the cloud. Other firms noted the criticality of implementing appropriate user access rights to data and applications as well as developing strong authentication techniques for end-clients using cloud-based products.²⁷ Training users to avoid common traps, such as phishing,²⁸ was seen as a constant effort to protect the firm from external breaches. To help firms manage these risks, cloud service providers are bolstering the toolsets that help simplify firms’ ability to track cloud security, by including offerings such as dashboards and scores related to security risk as well as consulting services to provide expertise related to cloud-based security. For those in the process of rolling out a pilot program or new applications on the cloud, “penetration tests”²⁹ are also regarded as a helpful exercise to identify potential vulnerabilities. Ensuring appropriate access management controls in the cloud environment is also critical.

• Staffing: The need to attract new staff with cloud expertise and train existing staff to operate in a cloud environment was cited by several firms as one of the challenges associated with cloud adoption. Many firms seeking to migrate to the cloud explored the potential of hiring new staff, re-train existing IT staff, and utilizing a third-party consultant or the cloud service provider. Firms noted that the demand for trained or certified cloud engineers has been outpacing supply, particularly considering the growth in cloud adoption in other industries. Despite these challenges, some of the fintech or larger firms that have heavily invested in building their cloud presence noted that their cloud-forward stance facilitated their ability to attract and retain staff with cloud expertise. They noted that engineering talent generally was migrating from traditional on-premise architectures to cloud-based ones. For several small firms, the primary option indicated was to outsource much, if not all, of their IT and cloud needs to a third-party cloud service vendor.
  
  Firms also noted challenges associated with developing processes to continually refresh, update and train staff on the evolving offerings associated with cloud computing. This observation was relevant not only to understanding the growing ecosystem of cloud-native applications and technologies but also potential threats, which reinforced the need for constant training in the cybersecurity sphere to maintain an appropriately vigilant cybersecurity posture.
   
• Operational: One of the main operational challenges discussed by firms was “lock-in” risk, in which a firm is excessively dependent upon a specific cloud provider. ³⁰ This is a risk that could compromise a firm’s business resilience to external adverse events if the cloud service provider becomes less reliable. Overall, while no firms were significantly concerned that their cloud service provider would abruptly terminate service, firms did see the benefits of having a flexible stance towards the cloud so that is was possible to seamlessly move across providers as warranted by business demands and risks. The actual implementation of achieving portability across clouds, however, was a challenging task. For example, building expertise in multiple clouds added to the challenge of building the necessary human resource capabilities. In addition, the technology available to allow portability of data is complex and incomplete. Many firms spoke of “containerizing” data as a way to modularly manage data and applications such that they could be more easily ported to different cloud environments. However, most firms said that this was a task more easily said than done and may potentially introduce disruptions to business availability.
  
  Some firms seeking to mitigate lock-in risk are starting to leverage multiple clouds for different types of workloads, thus gaining aptitude in multiple cloud environments. Many industry participants, including cloud providers, have openly embraced open source software as a way to build out cloud applications that could be used across cloud environments. Some cloud providers are starting to focus on providing platforms that can enable firms to develop applications and launch them in any environment, thus bridging incompatible cloud architectures and helping firms run across hybrid or multiple clouds. To the extent warranted by each firm’s risk considerations and to the extent practicable, firms are also developing “exit plans” that lay out a process for moving to another provider(s) over the course of a period of time. Firms may consider how long their service agreements allow them to remain with a service provider in the event the provider ends the agreement, and how much time would be required to switch to a different provider. In addition, the ability to potentially move data via application programming interfaces (APIs) may offer some flexibility for firms looking to limit lock-in risk. Despite these offerings, some friction is likely to still exist in moving data across cloud environments, but the trend appears to be towards greater inter-operability across cloud providers.