Continuous risk research for secure cloud environments

The need for a customer-centered cloud migration approach

Since the digital transition of conventional enterprises has become a global trend, many clients are hoping to migrate their legacy systems to the cloud. In the cloud market, there are the rules of games that were formed by key players, such as AWS, Azure, Google Cloud, Naver, and so on. When clients introduce new management information systems (MIS), a supply-centered approach has been used in general, and leading CSPs have been focusing on the mass production of goods (increase the number of products) and the advancement of functions (improve the specification).

At a time when technology gaps are widening over time, the cloud industry's successors are at a crossroads. They are forced to decide whether they follow the rules of the existing game in pursuit of volume increase based on resource investment and imitation or take the demand-oriented approach, moving away from the supply-oriented framework. As the complexity of technology increases, technological complementarities and the strategic product release are needed in the world of cloud competition. Under such circumstance, successors cannot grow much simply by imitating others. We can ask ourselves in this context, "What is a key factor that allows successors to achieve strategic growth in the cloud market?”

To explore this, we would like to take the demand-driven perspective, taking into account clients’ stance. In particular, when clients are adopting a new management information system (MIS), they would like to get insight into the cloud migration process based on a technology acceptance model, which can analyze what drives or hinders the utilization of a solution. We want to explore the direction of the cloud business based on the technical and organizational factors that influence how our clients introduce the cloud into the process.

The technology acceptance model and clients’ purpose of cloud migration

Two reasons why it is difficult to adopt new technologies: Internal factors and environmental factors

We intend to utilize the technology acceptance model – technology organization environment (TAM-TOE) to measure the company's acceptance of a new management information system (MIS). This model explains why it is difficult to introduce new technologies from two perspectives.
1) The internal factors of the service has to do with usefulness and usability of the solution, and 2) the external factors include technical, organizational, and environmental factors.

Client’s key factors for cloud migration: Environmental factors

By incorporating this framework into cloud technology, we can see that environmental factors are key to promoting the cloud to our clients. In addition to the trend of general digital transitions and the normalization of cloud services, the competitors and partners of the clients have begun to adopt a cloud-based MIS, and a sense of crisis that they may fall behind in the market unless they jump on the bandwagon has highly affected their decision to seek out cloud solutions. (from the interview with the Consulting Team of Samsung SDS)

[Figure 1. TAM-TOE model implemented in the cloud]

With these powerful external drivers at play, let's take a look at the impact of the rest on cloud adoption for our clients.

Key Risks in the Cloud

There are six key risks in which technical and organizational factors hinder the usability and usefulness of the cloud. (from the interview with Ideation TF of Cloud Product Planning Team):

Three technical factors that hinder cloud migration

1. Information security risk: Despite the availability of various security products for cloud services, concerns about potential information leaks due to the use of joint infrastructure by clients are an inevitable characteristic of public clouds. There are clients who find the data protection mechanism rigid because the security design pursued by each company is not customizable.

2. Operational risk: In the event of a failure, the client has an operational black box that does not have access to the area the service provider is responsible for. Other operating systems trusted by the client cannot be applied to ensure the quality of service for failures.

3. Dependency risk: The inability to migrate across other infrastructures or platforms with different architectures results in clients becoming overly dependent on one vendor. In addition, SaaS, which relies on legacy systems, is subject to dependency risks that cannot escape from the conventional environment during cloud migration. (from the interview with MIS Transition TF at Samsung SDS).

Three organizational factors that hinder cloud migration

1. Cultural risks: Clients often don't know how to implement DevOps concepts or develop cloud services. For clients who are unfamiliar with agile culture, they cannot avoid the cultural entry barrier to the cloud migration process (from the interview with SDS Consulting Team). For clients who are not sure what kinds of people they need and how to train them, cultural risks are a critical risk factor.

2. Financial risk: The perception that cloud transformation can reduce costs for physical equipment is widely recognized. However, clients who have introduced the cloud believe that the initial cost of migration and ongoing operational costs are higher than expected, and the financial burden is forcing them to be cautious about making decisions.

3. Human risk: Continuous change in technology requires professionals to respond to demands, such as computing resources, product upgrades, architectural redesign, and additional certification. During this process, clients have been facing concerns over human errors and limitations in instance management occurring due to the supply of various solutions.

[Figure 2. Technical and organization risks of the cloud, from the interview with Ideation TF of Cloud Product Planning Team at Samsung SDS]

Risk mitigation measures to promote client's cloud migration

We identified the technical and organizational factors that hinder the usefulness and usability of a cloud-based MIS and the six risks involved. Most of the technical risks highlighted above has to do with characteristics of cloud technology itself, regardless of which CSP they are, and it seems necessary to explore solutions through continuous research. Therefore, strategies to mitigate organizational risks in a way that can increase the usefulness and usability of the cloud play a key role at this point.

[Figure 3. How to address organizational risks to the clients’ cloud migration]

Cultural risk mitigation actions

To invigorate the cloud culture, other CSPs are driving technology-driven training on cloud mechanisms and emphasizing the “what” rather than the “why.” For clients who are not sure about how to leverage a cloud-based MIS, there is a need to emphasize management factors, instead of functional descriptions. In particular, it is necessary to introduce case studies in business areas that have improved work efficiency by introducing the cloud to the CEO of the client company and to emphasize the MIS model, which enables benchmarking. By persuading the CEO, we expect to pave the way for creating a top-down culture.

Financial risk mitigation actions

Major CSPs offer a number of products and features, and clients are paying high operating and usage costs. Many of the products contain key features that clients actually do not use (from the interview with MIS Transition TF at Samsung SDS), and it is necessary to explore ways to provide packages for key products for each business area of the clients. It is also a good idea to suggest that you can ease the financial burden by providing a LITE version capable of managing small-scale operations for clients who are particularly concerned about the higher initial cost of the cloud than expected. There seems to be a need for business-critical services based on easy deployment through simple migrations, simple operations of selective products, and quick response to light failures.

Human risk mitigation actions

To improve understanding of the constantly changing cloud technology, various CSPs provide online education curricula and certificate programs. However, many of our clients who lack cloud expertise have limitations when it comes to embracing the latest technologies that are changing and reflecting them in their operations. Therefore, rather than running training programs for an unspecified number of people, an alternative of holding regular workshops for practitioners of the contracted clients seems more important. If a minority group is designated as a target for training, more resources will be allocated, and it will be possible to promote practice-based training to increase the client's acceptance of new technologies.

Closing: Continuous risk research allows clients to achieve secure cloud migration.

We have looked into factors that drive and hinder cloud migration when clients introduce a new MIS based on a technology acceptance model. As digital transition and cloud migration have become commonplace, safe cloud migration will be available only when you thoroughly look into the risks of introduction from the customer's point of view and consider measures to remove or mitigate risks for the introduction of a cloud-based MIS.