Coupa, a 2006 startup that helps more than 200 customer companies manage purchasing and procurement, doesn't own any IT infrastructure -- it is run completely from the Amazon Web Service cloud.
Business applications don't get much more mission-critical than a company's entire operations, and Sanket Naik, who leads Coupa's cloud strategy, isn't worried about being all-in with AWS, with backup capacity in other clouds, such as Rackspace. "I know there are a lot of issues and questions around the cloud, especially about security, but I think some people are just resistant to change" if they haven't yet embraced cloud, he says. Naik is completely comfortable keeping his entire business in the cloud -- that's the way the company has always been.
But not everyone is as willing at Coupa and Naik to move completely to the cloud. Large enterprise customers are not yet widely using public, multi-tenant clouds for mission-critical applications, according to consultants and industry experts.
"Large enterprises continue to embrace private clouds," says Andi Mann, vice president of Strategic Solutions at CA Technologies, who recently wrote a blog post titled "Why the public cloud is a big fat enterprise fail." "IT organizations increasingly understand the risks, opportunities, roles and potential benefits of public and private cloud computing. And they're largely putting their chips on the private cloud card." Public cloud vendors, he argues, aren't catering to the needs of enterprises around security, interoperability and reliability. The result is reluctance on the part of enterprises to embrace the public cloud for larger, more sensitive programs.
MORE CLOUD SECURITY: Gartner: Don't trust cloud provider to protect your corporate assets
According to Gartner cloud analyst Thomas Bittman, about half of enterprise customers he works with use the public cloud for development and testing functions with the other half using it for miscellaneous applications. Few are relying on public cloud infrastructure for mission-critical applications, though.
Various studies back up the point: According to research and consultancy firm Wisegate, more than half of executive-level respondents to a recent survey indicated they would not move protected data to the public cloud because it is "too risky." Another quarter reported they have plans to investigate using a public cloud for critical application needs, but they have not yet made the change. When asked what's holding them back, 73% of respondents indicated security as the top reason for not moving to cloud-based applications for the company's critical programs.
Some cloud services providers believe their technology is getting a bad rep.
Michael Crandell, CEO and co-founder of RightScale, which is a cloud management platform that sits between the cloud users and providers, has a simple response to the question of whether the cloud is ready for mission critical apps: "Absolutely, resoundingly, yes."
"Virtually all of our customers are running production businesses in the cloud," he says, noting Coupa as one example. Security remains the top concern related to the cloud, he admits. "But public clouds have shown themselves to be as secure, if not more secure than private clouds," Crandell says.
In fact, some cloud providers are embracing the concerns around security and using that as a point of differentiation in their offering. FireHost is a Payment Card Industry (PCI) 2.0 compliant multi-tenant public cloud infrastructure offering that has more than 1,000 customers. "Security is our bread and butter," says CEO Chris Drake.
"The key to cloud security is to assume that nothing is secure," he adds. FireHost automatically encrypts customer data and gives customers the keys, meaning that no one but the customer can access the information. FireHost, he says, gleans insights from the threats it stops for each of its customers and uses those to protect the entire infrastructure. FireHost recently claimed that it blocked 19 million cyberattacks for customers during the second quarter of this year.
Still, other cloud providers say security is a "shared responsibility" between the service provider and the customer, as Rackspace CTO John Engates notes. Providers can install top-of-the-line security features, becoming government- and industry-compliant for their infrastructures. But customers have a responsibility to make sure the data they send up into the cloud and the access points to that data are secured on their end.
Engates believes there is an education process that's needed to validate the security features of providers by compliance bodies, which will ease some customers' concerns.
Some enterprise customers just may never be comfortable putting their most mission-critical applications in the cloud though, which creates a necessity for hybrid clouds, says Allwyn Sequeira, CTO and VP of cloud networking and security at VMware. Enterprises will be willing to use the public cloud for various applications, and they will want a private cloud for their programs they're not comfortable putting in a public cloud. Having the ability to connect those two to create a hybrid environment is what he believes the future of cloud will be. "CIOs want the cloud, but they want to maintain control," Sequeira says.
But perhaps it's not the security that's holding enterprises back; maybe it's the infrastructure. "If you peel the onion back on a number of these providers, they have pretty good security measures in place," says David Goodman, director of the cloud solutions group at Unisys Corp., which advises enterprise clients on cloud strategies. The problem is, despite advancements the cloud can bring around agility and potential cost savings, there's just not a compelling enough reason for enterprises to move existing applications into a public cloud.
"These enterprises have made huge investments in their legacy infrastructure getting that in place," he says. "They accept cloud and are interested, but they'll be going at it at a different pace compared to small and medium sized businesses."
Startups that are building their IT infrastructure from scratch, he says, are putting everything in the cloud, without hesitation. Many enterprises he works with, though, already have infrastructure that can handle the company's IT needs. When companies have new or expanded IT needs, they are willing to go to the public cloud, he says.
As the IT needs of the business continue to outpace the resources, Goodman expects enterprises to move toward the cloud, and even be willing to put sensitive programs in the public cloud. But that, he says, will take time and continued market maturity.