ETSI SR 003 381 V2.0.0 (2015-11)

Cloud Computing Users Needs

Analysis, conclusions and recommendations from a public survey by

Cloud Standards Coordination Phase 2

CAUTION: This document is provided for information and is for approval within the ETSI Technical Committee NTECH only.

ETSI and its Members accept no liability for any further use/implementation of this Special Report.

Approved and published specifications and reports shall be obtained exclusively via the ETSI Documentation Service at

http://pda.etsi.org/pda/queryform.asp

<

SPECIAL REPORT

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 2

0

1

ReferenceDSR/NTECH-00030

Keywordscertification, cloud, Cloud Computing, standards,

users

ETSI

650 Route des Lucioles F-06921 Sophia Antipolis Cedex – FRANCE

Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 – NAF 742 C

Association à but non lucratif enregistrée à la Sous-préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any

existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at

http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.

The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2015.

All rights reserved.

DECTTM, PLUGTESTSTM, UMTSTM and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and

of the 3GPP Organizational Partners. GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 3

2

Contents 3

4

Intel lectual Property Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 5

Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 6

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 7

- Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 8

2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 92.1 Normativereferences..............................................................................................................................6102.2 Informativereferences............................................................................................................................611

3 Definit ions, symbols and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 123.1 Abbreviations...........................................................................................................................................713

4 The rationale for the survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 144.1 Surveygoalsandobjectives.....................................................................................................................8154.2 Contentofthereport..............................................................................................................................816

5 Survey presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 175.1 Surveygoalandstructure........................................................................................................................9185.2 Surveymethodology&maintargetareas...............................................................................................9195.3 Surveydistribution..................................................................................................................................9205.4 Surveyachievementsandlimitations....................................................................................................10215.5 Otherlessonslearned............................................................................................................................1022

6 Survey analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 236.1 Significantfindings.................................................................................................................................10246.2 Trendsandpatterns..............................................................................................................................12256.3 Detailedfindings....................................................................................................................................12266.3.1 AdoptionofCloudComputing.........................................................................................................12276.3.2 Interoperability................................................................................................................................14286.3.3 Security–PrivacyandIntegrity.......................................................................................................14296.3.4 Standards........................................................................................................................................16306.3.5 Certification.....................................................................................................................................1731

6.4 ImpactonotherCloudStandardsCoordinationPhase2reports...........................................................19326.5 Relationshiptootheractivities..............................................................................................................2033

7 Conclusions and recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 34

8 Areas for further study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 35

Annex A: Survey Responses and Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 36A.1 Presentationofresults..........................................................................................................................2437A.2 Backgroundinformation.......................................................................................................................2438A.3 Generalpurposeinformation...............................................................................................................2539A.4 MovingtoCloudComputing:expectedbenefitsandchallengestoface.............................................2740A.5 AdoptionofCloudComputinginyourorganization.............................................................................3041A.6 CloudComputingadoption:preparingyourorganization....................................................................3242A.7 CloudComputing:DeploymentmodelsandServicecategories...........................................................3743

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 4

A.8 EmergingCloudServiceCategories......................................................................................................3944A.9 CloudComputingandStandards..........................................................................................................4145A.10 CloudComputingStandards:adetailedview....................................................................................4346A.11 CloudComputingCertificationStandards..........................................................................................4847A.12 Informationonthepersonreplyingtothesurvey.............................................................................5348

Annex B: List of the survey distribution channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 49

Annex C: Full text of the survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 50

Annex D: Change History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 51

History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 5253

Figures 54

55FIGURE1-EXPECTATIONSONPOTENTIALCLOUDCOMPUTINGBENEFITS(QUESTION7)......................................................................1356FIGURE2-MATURITYOFCLOUDCOMPUTING:CRITICALISSUES(QUESTION11)...............................................................................1457FIGURE3-MATURITYOFYOURORGANIZATION:CRITICALCHALLENGES(QUESTION9)........................................................................1558FIGURE4-CLOUDCOMPUTINGSTANDARDSIMPACTONORGANIZATIONCONCERNS(QUESTION34).....................................................1659FIGURE5-TOWHICHDEGREEARECLOUDCOMPUTINGSTANDARDSCONSIDEREDORUSED(QUESTION35)...........................................1760FIGURE6-ADOPTIONANDUSEOFCCSTANDARDS:DATAPROTECTION(QUESTION40).....................................................................1761FIGURE7–ISCLOUDCERTIFICATIONAPOSSIBILITYTOIMPROVECONFIDENCEINCLOUD(QUESTION47)...............................................1862FIGURE8-RANKINGCLOUDCERTIFICATIONAREASACCORDINGTOTHEIRIMPORTANCE(QUESTION48)................................................1863FIGURE9-AWARENESSOFCCSL,THECLOUDCERTIFICATIONSCHEMESLIST(QUESTION51)..............................................................1964FIGURE10–AWARENESSOFSOMECLOUDCERTIFICATIONSCHEMESLISTEDINCCSL(QUESTION52)..................................................1965FIGURE11–ASUMMARYOFCLOUDUSERSCONCERNS................................................................................................................2166FIGURE12-USEOFCLOUDCOMPUTINGINENTERPRISESINEUROPE(SOURCE:EUROSTAT).................................................................226768

69

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 5

Intellectual Property Rights 70

IPRsessentialorpotentiallyessentialtothepresentdocumentmayhavebeendeclaredtoETSI.Theinformation71pertainingtotheseessentialIPRs,ifany,ispubliclyavailableforETSImembersandnon-members,andcanbefound72inETSISR000314:"IntellectualPropertyRights(IPRs);Essential,orpotentiallyEssential,IPRsnotifiedtoETSIin73respectofETSIstandards",whichisavailablefromtheETSISecretariat.LatestupdatesareavailableontheETSIWeb74server(http://ipr.etsi.org).7576PursuanttotheETSIIPRPolicy,noinvestigation,includingIPRsearches,hasbeencarriedoutbyETSI.Noguarantee77canbegivenastotheexistenceofotherIPRsnotreferencedinETSISR000314(ortheupdatesontheETSIWeb78server)whichare,ormaybe,ormaybecome,essentialtothepresentdocument.79

Foreword 80

ThisSpecialReport(SR)hasbeenproducedbyETSISpecialistTaskForce486"CloudStandardsCoordinationPhase2"81astheresultofWorkItemNTECH(15)000006"STF486WIonIdentificationofCloudComputinguserneeds".82InthispresentRelease,itisproposedtotheNTECHTechnicalCommitteeforinternalreviewandtotheCloud83StandardsCoordinationwebsite(http://csc.etsi.org)forpubliccomments.8485ThepresentreportisoneoffourspecialreportsthatformtheoutputofSTF486:86

WP1: ETSISR003381:"CloudComputingUsersNeeds";87WP2: ETSISR003382:"CloudComputingStandardsandOpenSource";88WP3: ETSISR003391:"InteroperabilityandSecurityinCloudComputing";89WP4 ETSISR003392:"CloudComputingStandardsMaturityAssessment".9091

ThepresentreportwasthefirstoneproducedbySTF486andwasusedasbaseforthedevelopmentoftheother92threereports.9394InthispresentRelease,itisproposedtotheNTECHTechnicalCommitteeforapprovalandforpublicationoftheCloud95StandardsCoordinationwebsite(http://csc.etsi.org).9697

Introduction 98

CloudComputingisincreasinglyusedastheplatformforICTinfrastructureprovisioning,application/systems99developmentandendusersupportofawiderangeofcoreservicesandapplicationsforbusinessesandorganizations.100101CloudComputingisdrasticallychangingthewayICTisdeliveredandused.However,manychallengesremaintobe102tackled.Concernssuchassecurity,vendorlock-in,interoperabilityandaccessibility,servicelevelagreementsmore103orientedtowardsusersareexamplesofissuesthatneedtobeaddressed.Thesurveydiscussedinthepresentreport104aimsatcollectinginformationontherespondents'awarenessofthoseconcerns.105106StandardsandcertificationprogramsplayanimportantroleintermsofincreasingthemarketconfidenceinCloud107Computing.ThepromotionofCloudComputingstandardsandcertificationschemesthataddresscurrentconcernsis108necessaryinordertoensurethatbothcustomers/usersaswellasproviderswillregardCloudComputingwiththe109samelevelofreliability,trustandmaturityastraditionalICT.110111InFebruary2015,theCloudStandardsCoordinationPhase2(CSC-2)waslaunchedbyETSItoaddressissuesleftopen112aftertheinitialCloudStandardsCoordinationworkwascompletedattheendof2013.CloudStandardsCoordination113Phase2isinvestigatingsomespecificaspectsoftheCloudComputingstandardizationlandscape,inparticularfrom114thepointofviewoftheCloudComputingusers(e.g.,SMEs,Administrations).Itwillalsogenerateanewsnapshot115regardingthestateofstandardsandinvestigatetheinteractionandrelationbetweenstandardizationandopen116sourcebasedsoftwareandsolutions.117118ThepresentreportpresentstheresultsofthewebsurveyconductedinApril–September2015.119120 121

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 6

122

- Scope 123

InFebruary2015,theCloudStandardsCoordinationPhase2(CSC-2)waslaunchedbyETSItoaddressissuesleftopen124aftertheinitialCloudStandardsCoordinationworkwascompletedattheendof2013.CloudStandardsCoordination125Phase2isinvestigatingsomespecificaspectsoftheCloudComputingstandardizationlandscape,inparticularfrom126thepointofviewoftheCloudComputingusers(e.g.,SMEs,Administrations).Itwillalsogenerateanewsnapshot127regardingthestateofstandardsandinvestigatetheinteractionandrelationbetweenstandardizationandopen128sourcebasedsoftwareandsolutions.129130ThepresentreportpresentstheresultsofthewebsurveyconductedinApril–September2015.131132

2 References 133

2.1 Normative references 134

Thefollowingreferenceddocumentsarenecessaryfortheapplicationofthepresentdocument.135Notapplicable.136

2.2 Informative references 137

Referencesareeitherspecific(identifiedbydateofpublicationand/oreditionnumberorversionnumber)or138non-specific.Forspecificreferences,onlythecitedversionapplies.Fornon-specificreferences,thelatestversionof139thereferenceddocument(includinganyamendments)applies.140

NOTE: Whileanyhyperlinksincludedinthisclausewerevalidatthetimeofpublication,ETSIcannotguarantee141theirlongtermvalidity.142

143Thefollowingreferenceddocumentsarenotnecessaryfortheapplicationofthepresentdocumentbuttheyassistthe144userwithregardtoaparticularsubjectarea.145

[i.1] ITU-TY.3500,"Informationtechnology–Cloudcomputing–Overviewandvocabulary".146Sameas[i.5]147

[i.2] Gartner,G00271282“BudgetingfortheSaaSSecurityGap”,January28,2015.148[i.3] Skyhigh,“CloudAdoption&RiskReport",Q12015.149[i.4] StatisticalClassificationofEconomicActivitiesintheEuropeanCommunity,Rev.2(2008),see:150

http://ec.europa.eu/eurostat/ramon/nomenclatures/index.cfm?TargetUrl=LST_NOM_DTL&StrNom=NA151CE_REV2152

[i.5] ISO/IEC17788:"Informationtechnology—Cloudcomputing—Overviewandvocabulary".153[i.6] ISO/IEC17789:"Informationtechnology—Cloudcomputing—Referencearchitecture".154[i.7] ITU-TY.3502:"Informationtechnology—Cloudcomputing—Referencearchitecture".155

Sameas[i.6]156[i.8] ISO/IEC27001:"Informationtechnology—Securitytechniques—Informationsecuritymanagement157

systems—Requirements".158[i.9] ISO/IEC19086:"Informationtechnology–Cloudcomputing–Servicelevelagreement(SLA)framework159

andtechnologyPart1:Overviewandconcepts"160[i.10] ISO/IEC19941:"CloudComputingInteroperability&Portability"161[i.11] ISO/IEC27018"Informationtechnology–Securitytechniques–Codeofpracticeforprotectionof162

personallyidentifiableinformation(PII)inpubliccloudsactingasPIIprocessors"163[i.12] ETSISR003382:"CloudComputingStandardsandOpenSource"164[i.13] ETSISR003391:"InteroperabilityandSecurityinCloudComputing"165[i.14] ETSISR003392:"CloudComputingStandardsMaturityAssessment"166167

168

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 7

3 Definitions, symbols and abbreviations 169

3.1 Abbreviations 170

Forthepurposesofthepresentdocument,the[following]abbreviations[givenin...andthefollowing]apply:171AICPA AmericanInstituteofCertifiedPublicAccountants172CaaS CommunicationsasaService173CAPEX CAPitalExpenditures174CC CloudComputing175CCSL CloudCertificationSchemesList176CEF ConnectingEuropeFacility177CompaaS ComputeasaService 178CRM CustomerRelationshipManagement 179CSA CloudSecurityAlliance 180CSC CloudServiceCustomer181CSC-1 CloudStandardsCoordinationPhase1182CSC-2 CloudStandardsCoordinationPhase2183DsaaS DataStorageasaService 184ENISA EuropeanUnionAgencyforNetworkandInformationSecurity 185ERP EnterpriseResourcePlanning 186HR HumanResources 187IaaS InfrastructureasaService 188ICT InformationandCommunicationsTechnology189IEC InternationalElectrotechnicalCommission 190ISO InternationalOrganizationforStandardization 191ITU InternationalTelecommunicationUnion 192ITU-T ITUTelecommunicationStandardizationSector 193NaaS NetworkasaService194NIST NationalInstituteofScienceandTechnology 195OCF OpenCertificationFramework 196PaaS PlatformasaService 197SaaS SoftwareasaService 198SDO StandardsDevelopmentOrganization199SLA ServiceLevelAgreement200SME SmallorMediumEnterprise201SOA ServiceOrientedArchitecture 202SSO StandardsSettingOrganization203STF SpecialistTaskForce(anETSIstructureforinternalprojects)204205

206

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 8

4 The rationale for the survey 207

4.1 Survey goals and objectives 208

TheCloudStandardsCoordinationproject(CSC)209210Cloud Standards Coordination Phase1 (CSC-1) took place in 2013 as a community effort supported by ETSI and211primarilyaddressedtheCloudComputingstandardsroadmap.InDecember2013theresultswerepubliclypresented212inaworkshoporganizedbytheEuropeanCommission(EC),theCSC-1FinalReportbeingavailableat:213

http://ec.europa.eu/digital-agenda/en/news/cloud-standards-coordination-final-report214215Thereportprovidedamaturityassessment"snapshot"ontheCloudComputingstandardizationlandscapeattheend216of 2013. Important gaps in the Cloud Computing standards landscape were identified such as in the domains of217interoperability,security,privacy,servicelevelagreementandregulation,legalandgovernanceaspects.218219CloudStandardsCoordinationPhase2220221GiventhedynamicsoftheCloudComputingmarketandstandardization,CloudStandardsCoordinationPhase2(CSC-2222)waslaunchedinFebruary2015withtheobjectiveofproducinganupdatedversionofthe"snapshot"oftheCloud223Computingstandardizationlandscape.224225ThemaininvolvedstakeholdersforthepreparationoftheCSC-1snapshotwerefromtheCloudComputingindustry,in226particularCloudComputingproviders.Ontheotherhand,CSC-2aimstobettertakeintoaccounttheneedsofCloud227ComputingcustomersontheirCloudrelatedrequirementsandpriorities.ThishashelpedCSC-2tofurtherassessthe228maturity of Cloud Computing standards and evaluate how standards can support the Cloud Computing customers’229priorities.230231CloudStandardsCoordinationPhase2survey232233Tosupporttheseobjectives,CSC-2hascreatedasurveyforcollectingfeedbackfromtheCloudComputingcommunity234in terms of needs, benefits, challenges and areas of concerns regarding the adoption of Cloud Computing. The235outcome of the survey will be the primary material for evaluating the perceived maturity of Cloud Computing236standards.The resultswill alsohelp tounderstand the interestand requirementsofCloudComputingstakeholders237regardingcertification.238239ThesurveyisthereforetargetingcurrentandfutureCloudCustomersintheprivateandpublicsectors,SMEsaswellas240largeorganizationsinallverticalsectors.OtherstakeholdersfromtheentireCloudComputingeco-system(e.g.Cloud241Computingproviders)werealsoinvitedtoanswer.242

4.2 Content of the report 243

Section5ofthisreportpresentsthecontentofthesurvey,themethodologyusedforitspreparationanddistribution,244informationaboutthecollectedfeedbackaswellaslessonslearntthroughtheexecutionofthesurvey.245246Section 6 provides details resulting from the analysis of the collected survey feedback allowing to understand the247needs of the Cloud Computing community on amore granular scale and to derivemain trends and patterns as a248result.249250Section7highlightsconclusionsandrecommendationsfromthesurvey.Thisincludesanidentificationofthecloud251stakeholders'highestprioritiesleadingtopossiblerefinementsoftheCSCPhase1reportconclusions.252253Section8suggestssomeareasforfurtherwork.254255AnnexAcontainsadetailedpresentationofthesurveyresults,includingchartsandtables.256257AnnexBliststhechannelsthroughwhichthesurveyhasbeendistributed.258259

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 9

AnnexCshowsthesurveyasithasbeenproposedontheCSCwebsite(athttp://csc.etsi.org).260261

5 Survey presentation 262

5.1 Survey goal and structure 263

Tocreatethebasisfortheanalysis,asurveyhasbeendesignedandconductedfromApriltoSeptember2015.Even264thoughthesurveyistargetingaspecificsetofusers(SMEs,etc.),itisalsousingtheinputfromlargeractors.The265surveyhasalsobeendistributedtoasmanyindustrysectorsaspossible,inordertoidentifyanyindustryspecific266aspectsandconcernsthatmightexist.267268Thesurveycomprises59questionsgroupedin14pagesstretchingfromgeneralquestionsregardingtherespondent’s269companyandCloudComputingexperience,throughincreasinglyspecializedquestionsregardingCloudComputing270standards,toafinalblockofquestionsregardingcertification.Takingtheentiresurveywouldapproximatelyrequire27120-30minutes.Apartfromanumberofcorequestionsformostquestionsanswerswerenotmandatory.The272individualanswersaretreatedconfidentiallyandonlyaggregatedresultswillbepublished.273274PerSeptember25th2015,attheclosureofthewebsurvey,376respondentshavecompletedit.275276

5.2 Survey methodology & main target areas 277

Thesurveycollectsresponsestoquestionssuchas:278• Whatarethetypicalusecasesthatuserswanttoimplementintheshorttomediumterm;279• WhataretheirexpectationsandperceivedconcernsthatlimitstheadoptionofCloudComputing;280• WhataretheassetsandpossibleinvestmentsmadeinCloudComputing;281• Howaretheygoingtodealwithexistinginvestments(legacy);282• WhichrolearetheyexpectingtoplayintheCloudComputingvaluechain;283• TowhichextentindividualCloudComputingstandardsareknownandhavealreadybeenused;284• Whatsupportfromstandardsaretheyexpecting;285• Whatisthesignificanceofcertificationschemesandwhatistheintendeduse.286

287

5.3 Survey distribution 288

ThemaintargetgroupforthesurveyisendusersinSMEsintheprivatesector,butanypotentialandexistingcloud289customeriswelcometocompletethesurvey.290291ThesurveywaslaunchedonMarch30th,2015.Adistributionletterhasbeenmadeavailabletoallorganizationsthat292werewillingandabletouseitforpromotingthesurvey.Over120differentchannelshavebeencontactedtorelaythe293surveyandhavedistributedthesurveyURL.294295Awiderangeofdifferentdistributionchannelshavebeenusedlike:296

• EuropeanCommissionDGswebsitesanddistributionlist(emails,Twitter,etc.)297• StandardsSettingOrganizations,global,regionalornational298• ETSImembership(750organizationsfromvariousindustrysectors).299• IndustryAssociations(e.g.Eurocloud)300• PublicAdministrations(acrossEurope,butpredominantlyincountrieswheretheexpertsoftheCSCreside)301• LinkedIngroups302• OpenSourceprojects303• Europeanprojects(e.g.,CloudWatch,Cloud4Europe,CloudingSME)304• Cloudscape305• EuropeanGridInfrastructure(EGI)306

307

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 10

Toensurethelargestpossiblenumberofanswers,thesurveyhasbeenleftopenaslongaspossible,i.e.upto308September25th,thelastdayofthepubliccommentingphaseforthefourCSC-2reports.309310AlistofcontactedindividualsandorganizationsispresentedinAnnexB.311312

5.4 Survey achievements and limitations 313

Aspointedoutearlierinthisreport,thenumberofresponses(376per25/09/2015)isdeemedsufficientenoughin314ordertoidentifyhigh-leveltrendsandpatterns.Theresultsarealsoassessedassufficientinordertodohigh-level315comparisonsbetweenCSC-1andCSC-2.Inthisrespect,itcanbearguedthattheoutputresultingfromtheWork316Package1ofSTF486(thewebsurveyandrelatedactivities)isconsideredsuccessful.Aspresentedinthebelow317sections,responsesinmanypartsofthesurveyareencouragingintermsofawarenessoftheimportanceofstandards318andcertificationschemesamongmanyofthesurveyrespondents.319320However,thepresentsurveyisbasedonthevoluntarycontributionofasampleofrespondentsonwhichthe321promotersofthesurveyhadlittlecapacitytoanticipateandnocontrol.Onlybesteffortattemptshavebeenmadeto322collectthelargestnumberofanswerspossible,withthelargestpossiblespanoforganizationsizes,countries,sectors,323etc.Therefore,thenumberofresponsesmaynotbesignificantenoughtoallowin-depthandconclusiveanalysisata324detailedlevelforallofthequestionsofthesurvey.Anyreaderofthisreportshouldthereforebecautiousabout325makinganydecisiveconclusionbasedonthematerialsofthisreport.326327Anotheraspectwhenassessingtheresultsofthesurveythatneedstobeacknowledgedisthatthebenefits,concerns328andchallengeschosenbytherespondentsmightvarybasedontheorganization(intermsofsize),onthesector329(privateorpublic)inwhichitoperates,etc.Itisimportanttokeepinmindthatsomeoftheissuespresentedasmajor330inacertainusercategorymightverywellbeseenasinsignificantorevennon-existentinanother:thismaybe331addressedinsomesignificantcases(seesection8).332333

5.5 Other lessons learned 334

Designingasurveyisacomplextask.Themainobjectivehasbeentocoveranumberofdifferenttopicsinorderto335encompassthetargetareasidentifiedasrelevantforthequery,whileattemptingtokeepthesurvey’slengthand336complexityataminimum.Keepingthequestionsrelevantandunambiguoushasbeenanotherimportanttask.337DependingontheroleoftherespondentintheCloudComputingeco-system,thequestionsmightinsome338circumstancebeinterpreteddifferently.Toovercometheidentifiedchallenges,twoimportantelementshavebeen339helpful.Themostimportantelementtomitigatetheissuesidentifiedwasthefeedbackfromreviewersofthedraft340surveytext.AnotherpositiveelementwastheexistenceanduseofcleardefinitionsoftherolesinCloudComputing:a341significantmaturationfromtheCSC-1toCSC-2wasrecognizedinthisrespect.Whereapplicableinthesurvey,the342vocabularyprovidedinthestandard"ISO/IEC17788andITU-TY.3500–Informationtechnology—Cloudcomputing343—Overviewandvocabulary"[i.1]hasbeenused.344345

6 Survey analysis 346

6.1 Significant findings 347

General-purposeinformationregardingrespondents’organizations:Respondentsarenearlyequallyrepresenting348SMEorganizations(upto249employees)andlargeorganizations(morethan249employees).TheICTsectoris349dominating(43%)followedbyAcademiaandPublicAdministrations.Someindustrysectorsarenotrepresentedatall.350351Benefitsandchallenges:“ReductionofCAPEX”,“improvedbusinessagility”and“fastertimetomarket”areseenas352themajorpositivefactorsforadoptingCloudComputingwhilecompatibilitywithin-housesystems,security,353privacy/integrity,areviewedasthemostcriticalchallengeswithSLA,performanceandefficiency,resiliency,vendoror354datalock-inandinteroperabilityacrossvendorsolutionsrankedamongthehighestconcerns.Itcanbenotedthatthe355lackofOpenSourcesolutionsisnotseenasamajorCloudComputingchallenge(seeETSISR003382[i.12]forfurther356informationonCloudComputingstandardsandOpenSourcesolutions).357

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 11

358Adoptionandscope:Amajorityoftherespondents(58%-2015-06-04))havealreadystartedtoadoptCloud359ComputingprobablyreflectingthefactthattherespondentsaremainlyfromtheICTsector.Itshouldalsobenoted360thatnone(0%)oftherespondentsstatedthattheyareNOTplanningtoadoptCloudComputing.Themainusagearea361forCloudComputingisIaaSasthemostprominentstartingpoint.40%oftherespondentsareplayingtheroleofthe362CloudServiceCustomerintheirrespectiveorganizations.RegardingthelevelofresourcesandsupporttoCloud363Computing,nearlyhalfofrespondentsclaimthattheyarereceivinganadequatesupportfromtheirICTteamanda364thirdofthemhaveadedicatedcloudsupportteam.365366CloudComputingadoption:preparingyourorganization367TomakethetransitiontotheCloudinasecureandreliablewaysomeaspectsneedtobeconsideredandsome368conditionsmustbemet;theorganizationmakingtheleaptotheCloudmustbeprepared.Nearlyhalfofrespondents369claimthateffortsrelatedtodatacategorization(43%)anddataclassification(35%)areon-goingintheirorganizations.370Datasecurityawarenessandlevelcontrolisseenasahighlyimportantaspectthatneedstobetackledbyamajority371oftherespondents.Regardingsoftwarelicenses,37%oftherespondentsindicatethatnegotiationsareon-goingwith372thesoftwarevendorsprovidingCloudComputingsoftware&serviceswhile21%ofthemmentionthatnoactionis373deemednecessary1.374375CloudDeploymentModelsandCloudServiceCategories:PrivateClouddeploymentmodelsclearlydominate376followedbyHybridCloudandPublicClouddeployments.ConcerningCloudServiceCategories,high-availabilityisseen377asthetopusageareaforIaaSwhilesoftwaredevelopmentisalsoseenasthetopcapabilityforPaaS.ConcerningSaaS,378thegeneraldatastoragetypeofapplicationisrankedhighwhilespecializedapplicationssupportingforexample379supplychainservices,HR,ERPorCRMarelessfrequentlymentioned.Notably,54%oftherespondentsindicatean380interestinemergingCloudServiceCategoriessuchasCaaS,NaaS,DsaaSandCompaaS.381382Cloudcomputingandstandards:Security,privacyandintegrity,performanceandportabilityacrossvendorsolutions383arerankedhighregardingtheimpactthatstandardshaveontheconcernsoforganizations.Intermsofhowstandards384areconsideredintheorganizationsoftherespondents,38%indicatethatstandardsareusedwhile27%thattheyare385considered.Thisshowsapromisinginsightintothevalueandimportanceofstandards.386387Inlinewiththeresponsesregardingimpactofstandards,interoperability,security,servicelevelagreements,388portabilityandAPIsarementionedastoppriorities.Thefeedbackalsoindicatesthatrecentlypublishedstandardsare389nowbecomingknownbyasmallnumberofrespondents.ExamplesofstandardsusedorconsideredareISO/IEC39017788–ITU-TY.3500"Cloudcomputing–Overviewandvocabulary"[i.5],[i.1]andISO/IEC17789–ITU-TY.3502391"Cloudcomputing–Referencearchitecture"[i.6],[i.7].However,thenumberofanswersistooinsignificanttoclaim392thattheCloudComputingspecificstandardsarenowpartoftheCloudstrategyformostorganizations.393394Cloudcomputingcertifications:Almost75%oftherespondentsseecertificationschemesasapositivewayof395increasingconfidenceinCloudServiceProviders.Amongstthecross-cuttingaspects,thetwo(security,privacyand396integrity)seenasbothmostcriticalforthematurityofcloudcomputing[Q11]andasaspectswherestandardsare397expectedtohavehighestimpact[Q34],certificationsfortheseaspectsareactuallyrankedasclosetotheleast398important[Q48].Themostimportantissuesforcertificationare:datastoragelocation(oneaspectofprivacy),cloud399datacentreinfrastructure,cloudprovisioningprocessandinteroperability/reversibility.Amoredetailedanalysisis400foundinsectionA.11ofthepresentreport.AmajorityoftherespondentsareunawareoftheCloudCertification401SchemesList(CCSL)definedbyENISAwhileinthislist,thewell-knownISO/IEC27001[i.8]comesfirstasaschemefor402Cloudcertification.AmajorityoftheCloudServiceCustomersindicatesthattheyplantoincludeoneofthese403certificationschemesintheirCloudComputingprocuringprocesses.AmajorityofCloudServiceProvidersalsoplans404tocertifytheirCloudServiceofferings.405

1Furtheranalysisisneededonthispoint;itisnotentirelyclearifanswersinthiscategoryindicatethatactionsarenotneededorifnecessarymeasureshavealreadybeentaken.

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 12

406

6.2 Trends and patterns 407

Basedontheresponsesreceived,itispossibletomakesometentativeandhigh-levelanalysis.Fromthisanalysis,408somepatternsemergethatwillhavetobeclarifiedandconfirmedbyafinalanalysismadeattheconclusionofthe409survey.410411Thetrendsthatareassessedasthemostsignificantarepresentedbelow.412413Security,IntegrityandDataPrivacy:thesetopicsareseenasmajorconcerns forcloudmaturityandforstandards414impact,althoughnotforcertification.Thisisnotanewfinding,butthefactthatitisstillverymuchpresentisaclear415indicationontheperceivedchallengeaheadforsecuritystandardsandCloudcertificationinparticular.416417InteroperabilityandPortability:theseareasarerankedhigh.Concerninthisareaismostlikelylinkedtotheissueof418vendorlock-in,theunclearcapabilitiesofindividualcloudserviceofferingsabilitytomovedatafromoneserviceto419anotherandthelackofportabilitystandardsforcross-Cloudscenariosingeneral.420421MovingtotheCloud:thereisahighperceptionfromtherespondentsthatthetransitiontoCloudComputingshould422becarefullyplannedandorganized,inparticularinareaspertinenttodata(classification,storage,etc.),processesand423security.424425Standards:ingeneral,theroleofstandardsisseenasimportantandthereisagrowinglevelofawareness,evenin426termsofknowledgeoftheexistingsetofstandards.Itistobenotedthat,inthisperspective,thebenefitfrom427standardsrelatedtoCloudComputingisseenasmorecriticalthanOpenSource:thisfindingishoweversubjectto428furtheranalysis.ThistopicisfurtherexploredinETSISR003382[i.12]429430Certification:averylargemajority(over80%)oftherespondentsconfirmtheroleofcertificationasaveryusefulway431toimproveconfidenceinCloudComputing.HowevertheselectionofCloudCertificationschemesiscomplex:the432CloudCertificationSchemeList(CCSL)isanattempttomakeaselectionofsuchschemesbutthesurveyshowsthat433only31%ofrespondentsareawareofthislist.ThisisclearlyshowinganeedforincreasingtheawarenessoftheCloud434ComputingcommunityonCCSLandallthemeanstohaveaccesstoapre-analyzedandrecommendedlistof435certificationschemes.436437

6.3 Detailed findings 438

6.3.1 Adoption of Cloud Computing 439

ThewebsurveyclearlyindicateswhichCloudComputingServiceCategories(SaaS,PaaS,IaaSetc.)andCloud440ComputingDeploymentModels(Public,Community,PrivateorHybrid)aremostcommonintermsofusage;IaaSand441provisioninginfrastructureaswellasgeneraldatastorageconstitutethemostpopularServiceCategoriesandusage442areaswherethePrivateCloudDeploymentModelscomeoutfirstastheDeploymentModel.TheadoptionofCloud443ComputingandCloudComputingbasedservicescontinuestogrowacrossEurope.444445StudiesalsoshowthattheuseofCloudComputingservicesissteadilygrowingworldwide.Inarecentstudypublished446bySkyhigh“CloudAdoption&RiskReport”[i.3],theuseofCloudservicescontinuestoincreasequitesignificantly.447However,ouranalysiswillpointoutlaterthatthisadoptionisnotuniform.448449BasedonhowtheresultofquestionsrelatedtotheadoptionanduseofCloudComputingisinterpreted,theanswers450receivedmightshowsomediscrepancies.Considerthischart:451452

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 13

453Figure1–ExpectationsonpotentialCloudComputingbenefits(Question7)454

TheabovechartshowsasignificantinterestinusingCloudComputingtoimprovebusinessagilityandtoobtaina455fastertime-to-marketforproduct&servicesprovided.However,whenlookingattheactual,currentusageofCloud456Computing,thefullpotentialofCloudComputingisstilllargelyunexplored,basedontheanswerscollectedthrough457thewebsurvey.458459Someparticularobservationsaremadebelow.460461Supportingtheorganization462463Asmentionedabove,usingthecloudtoaddICTresourcesisthecurrentmainusageareas.Somewhatsurprisingisthe464relativelyhighnumberofresponsesthatshowCloudComputingastheplatformforsupportingBusinessProcesses.465466Cloudtransformation467468Amongmanyrespondents,thereisasignificantinsightintotheneedofunderstandinghowdatacontrol,classification469andtaxonomyimpactandpotentiallyrestrictthemovetotheCloud.Securityisseenasamajorblockerinthe470migrationtotheCloudwheredatasecurity,integrityandprivacyareparticularissueareas.Businessprocess471alignmentandidentificationisanothercloudtransformationareathatreceivesattention.Inordertomakethe472transitiontotheCloudbasedonthebestpossiblebusinesscase,theorganization’scoreandsupportingbusiness473processesmustbeunderstoodbeforetherationaleforCloudComputingsimplywill“makesense”.Well-controlled474andfullyalignedprocessesmakethecloudtransitioneasierandwillallowtheorganizationtomovetotheCloudon475thebasisofprioritizedtransitionplans.Inordertoprovisionand/oruseCloudComputingbasedservices,the476preferredarchitectureisbasedonSOA(orsimilarserviceorientedarchitectureprinciples)as74%oftherespondents477havestarted,areintheprogressorhavefinishedtheprocedurebasedonthatprinciple.SOAisseenasanimportant478cornerstoneinmanyorganizations’enterprisearchitecturestrategyandpotentiallyalsoanelementoftheCloud479transitionprogramformanyorganizations.480481SoftwareLicenses482483Manyorganizationsarenegotiatingthetermswithindependentsoftwarevendorsregardingusing/runningsoftware484intheCloud.Theresponsesreceivedsuggestthatmanyorganizationsareeitherinvolvedinorhavecompleted485negotiationspertinenttothenewtermsrelatedtoCloudusageofsoftware/applications/services.Many486organizationsarealsoworkingon“EnsuringSoftwareSuitability”,whichentailstheactivitiesmentionedabovebut487alsotomakingnecessaryadjustmentsto–forexample–theenterprisearchitecture,existingvendorcontractsand488SLAs,and–again–addressingtheconcernsandanyoutstandingworkrelatedtodata,security,integrityand489interoperabilitybetweeninternal,external,on-siteandcloudbasedsystemsandapplications.490491“Goingallin”withCloudComputing,tappingintothefullbenefitsofthePublicCloud,e.g.lowercostandaflexible492useofCloudservicesforinstance,willrequirethattheoutstandingconcernsarefullyaddressed.493

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 14

TherepliesreceivedontheadoptionanduseofCloudComputingclearlyindicatethatCloudComputingingeneral494remainsan“untappedresource”.However,theassessmentisthattheearlyadoptersandthosealreadyusingCloud495Computingareworkingtowardsexpandingtheuseonceinitialworkandnecessaryremainingeffortsarecompleted.496497

6.3.2 Interoperability 498

Oneoftherecurringconcernsraisedbythewebsurveyrespondentsconcerns“interoperability”,or–rather–thelack499thereof.Forfurtherdetailsoninteroperability,seeETSISR003391[i.13].500501AnswerstothefollowingquestionsindicateorsupporttheclaimthatInteroperabilityisoneofthetopconcerns502amongtherespondents.503504Somehighlightedaspectsofinteroperabilityinclude:505

• Interoperabilityisakeysuccessfactortoensure“Increasedbusinessagility”.Unlessahighlevelof506interoperabilityinsolutionsinternaltotheorganizationaswellasinteroperabilitywithexternalstakeholders507(collaborators,customers,suppliers,subsidiariesetc.)issecured,itwillbedifficulttoobtainahighlevelof508businessagility.509

• Interoperabilityisalsoseenasmainconcernamongmanyoftherespondents,bothintermsofageneralissue510fortheorganizationoftherespondentandintermsoflackofsupportforinteroperabilitystandards.511

512

513Figure2–MaturityofCloudComputing:criticalissues(Question11)514

Interoperability(andPortability)acrossvendorsolutionsisalsoseenasamajorconcernformanyorganizations,515illustratedbytheabovechart.516517ThewebsurveystronglysuggeststhatSDOsprovidinginteroperabilitystandardsforCloudComputingmustaccelerate518theirefforts.TheongoingworkinISO/IEConprovidingguidanceforthisdomain(ISO/IEC19041:"CloudComputing519Interoperability&Portabilityconcepts"[i.10])isanexampleofanactivitythatislikelytoprovidevaluableinformation520inthisrespect.521522

6.3.3 Security – Privacy and Integrity 523

“Security”and“Privacyandintegrity”arerecurringconcernsinthewebsurvey.Theseareasrankhighbothintermsof524aspectsseenasimportantfortherespondentanditsorganizationandalsowhenitcomestorelatedstandardsthat525areseenasmostcriticalforCloudComputing.Inseveralquestions,securityoraparticulartypeofsecurity(“data526security”)andPrivacyandintegritycomeoutattop(pleaserefertoAnnexA).527

528

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 15

529Figure3–Maturityofyourorganization:criticalchallenges(Question9)530

531Theabovefigureillustrateshow“security”,“privacyandintegrity”areconsistentlyrankedasthehighestconcerns532throughoutthewebsurvey formattersotherthancertification.533534Someobservationsthatcanbemade:535

• TheuseofSaaSforprocessingsensitivedata(incl.personaldata)rankslowintermsofusageareas.This536observationisconsistentwithhowSecurityranksasaconcern;theconclusionmightbethatthereissimply537notyetsufficientconfidenceinCloudComputingfortheuserstoprovisionandprocesssensitivedatainthe538cloudcomputingspace.Itisrecommendedtofurtherinvestigatethereasons(suchassecurityconcerns,539regulatory,etc.)fortheslowadoptionofSaaSforsensitivedataneeds.540

• TherearedifferentlegalbarriersacrossEuropeandnoup-to-dateEuropeanDataProtectionRegulationyet.541• Amongthelownumberofrespondents,ISO/IEC27001[i.8]isthestandardmostknownandused.542• “Security”isacomplex,slightlyambiguousandimpreciseconcept.Itcanbeandprobablyisinterpretedin543

manydifferentways.Securitycanforinstancemaptoandconcernoneormoreofthefollowingareas:544○ Dataprotection(andinformationclassification,dataencryptionetc.)545○ Dataaccess546○ Identitymanagement547○ Authorization548○ Authentication549○ Dataprivacy550○ Dataintegrity551○ Accessibility552○ Operations553

andprobablysomeadditionaldomains/areas.Itislikelythat“Security”and“Privacyandintegrity”arein554factgroupedtogetherandseenasasingleconcernbytherespondents.555

556“Security”ingeneraliswithoutdoubtamajorconcernformostusers,customersandprovidersalike,inparticularina557Cloudsetting,astheresourcestypicallyaresharedandthedataintegrityasaconsequenceneedsadditionalattention558toensurearetainedconfidenceintheownershipofdataaspects.Manyusersareconcernedabout“losingthecontrol559ofdata”,inmanycasesprobablyjustifiablyso.UnlessSecurity–allrelevantaspectsofSecurityrelatedtoCloud560Computing–isfullyaddressedandtheusersaremadeawareofavailableoptionsandexistingprotocolsand561standardsthatcanbeusedtobuildreliableCloudComputingofferings,theadoptionofCloudComputingislikelyto562continuetogrowslowly.563564ItcaninthiscontextbenotedthatarecentstudymadebytheGartnerGroup“BudgetingfortheSaaSSecurityGap”565[i.2]indicatesthattheorganizationsinvestinginSaaSarenotmakingthenecessaryinvestmentstoaddressCloud566ComputingSecurity.SomeofkeychallengeslistedbyGartnerarethelackofspendingonSaaSsecurityandthelackof567

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 16

fullknowledgeaboutthenewsecuritychallengescreatedwhenmovingtoSaaSastheICTplatform.Therefore568educationandawarenessofresponsibilitiesarekeyfactorshere.569570TheconclusionsmadebyGartnersupportthecaseforstandardsintheSecurityspace.Theirreportechoesthe571findingsmadeinthewebsurveyintermsofaddressingtheSecurityconcernsraisedbymanyrespondentsoftheweb572survey,anditalsoconfirmstheremarkabovethatmanyusersneedtoobtainabetterunderstandingonSecurityand573itsvariouselements,andhowtheseelementsarerelatedandcometogethertoformthenecessaryleveloftrustand574confidenceinCloudComputing.575576Thecurrentdevelopmentofa“DigitalServiceInfrastructure”andconstituentBuildingBlocksaspartoftheEC577program“ConnectingEuropeFacility”(CEF)shouldalsobereferencedandconsideredinordertounderstandthe578implicationsonCloudComputingresultingfromthepan-Europeane-IDandcertificationsolutionsnowbeing579provisioned.2580581

6.3.4 Standards 582

Standardswereoneofthemainaspectsofusers'needsforwhichthesurveywasdesigned.ThefirstphaseofCSChas583addressedinparticulartheevaluationofthematurityofCloudComputingstandards.Oneofthegoalsofthesurvey584wastoaddresstheneedsofusers,theirexpectationsvis-à-visstandardsandtheirperceptionregardingtheactual585possibilityforstandardstosupporttheirneeds.586587Anumberofquestionswereaskedmostlyintwoways:588

• Asetofquestionsrelatedtostandardsingeneral(Questions34to36);589• Adetailed(andoptional)sectionwithquestionsspecifictosomespecificStandardsdocuments(Questions37590

to46).591

Regardingthegeneralquestionsonstandards,animportantonewastheevaluationoftheimpactofCloudComputing592standardsontherespondents'organization,whoseresultsaresummarizedbelow:593

594

595Figure4–CloudComputingStandardsimpactonorganizationconcerns(Question34)596

597

2TheCEFbuildingblocksareprovidedinordertoensureareliableandinteroperablemechanismforserviceandinformationexchangecross-borderintheEC.TheongoingworkintheLargeScalePilots(LSPs)STORKande-SENSisalsoofinterestinthisrespectandcreatesinputtotheDSIande-IDandcertificationBuildingBlocks.Formoreinformation,seehttps://joinup.ec.europa.eu/community/cef/og_page/catalogue-building-blocks.

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 17

Formostofthedomains,thesumof"Medium"and"High"answersisinmostcaseabove75%withdomainswhere598theexpectationsareparticularlyhigh:Security,Interoperability,PrivacyandIntegrity.Theusers'concernsregarding599thesedomainsarenotnew,butthelevelofexpectedsupportfromstandardsisveryencouraging.600601Inadditiontothis,whenaskedabouttheactualplaceofstandardsintheirorganization,therespondentsarealso602givingthesignalthat,inmorethan75%ofthecases,standardsare"considered"or"used".603

604

605Figure5–TowhichdegreeareCloudComputingStandardsconsideredorused(Question35)606

607Regardingthedetailedstandardsproposedforevaluation,thelevelofknowledgeoftherespondentscanvary608significantly,withsomeexamplesofstandardswhosevisibilityisbelowwhatwecouldhaveexpected.Anexampleis609givenbelowwithISO/IEC27018[i.11](relatedtoCodeofPracticeforPII):610

611

612Figure6–AdoptionanduseofCCstandards:Dataprotection(Question40)613

614OneoftherecommendationsthatmaystemfromthisanalysisisthatStandardsSettingOrganizationsneedto615intensifytheirpromotionandeducationeffortstowardstheCloudComputingcommunity.616617MoredetailswillbefoundinsectionsA.9andA.10.618

6.3.5 Certification 619

ThequestionoftrustiscentraltotheadoptionofCloudComputing.Buildingtrustisacomplexissueandseveralways620havebeenaddressedinthesurvey:preparationoftheorganizationfortheadoptionofcloud(seesectionA.6),useof621standardsandalsocertification.Theyallneedtobeaddressedtogether.622623Thefirstfeedbackfromtherespondentsontheroleofcertificationisclear:itisaveryusefulwaytoimprove624confidenceinCloudComputingforaverylargemajority(over80%).625

626

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 18

627

Figure7–IsCloudCertificationapossibilitytoimproveconfidenceinCloud(Question47)628

629Oncethisagreed,thentwoquestionshavetobeaddressedbytheorganizations:1/thescopeofcertificationand2/630thecertificationscheme(s)tobeused.631632Regardingthescopeofcertification,alistof12domainshasbeenproposedwiththefollowingresults:633

634

635Figure8–RankingCloudCertificationareasaccordingtotheirimportance(Question48)636

637ThenumberonecandidateforcertificationisDatastoragelocation.Thisisreflectingtheconcernalreadyidentifiedin638theprevioussectionsofthesurvey(e.g.adoptionofCloud)onlegalandtechnicalsupporttotheprotectionofthe639organization'sdata.Certificationisseenasapotentialenabler.640641Thenextthreedomainsintherespondents'rankingareregardingtechnicalconcerns:CloudDatacenterinfrastructure,642CloudProvisioningprocessesandInteroperability/Reversibility.Hereagainthequestionofdata(integrity,643reversibility)canbeseenasamajorconcern.644645WhenfacingtheselectionofCloudCertificationschemes,anorganizationisofferedalargesetofsuchschemes.The646CloudCertificationSchemeList(CCSL)isanattempttomakeaselectionofsuchschemes.Thesurveyshowsthatonly64737%ofrespondentsareawareofthislist.648

649

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 19

650

Figure9–AwarenessofCCSL,theCloudCertificationSchemesList(Question51)651

652ThisisclearlyshowinganeedforincreasingtheawarenessoftheCloudComputingcommunityonCCSLandallthe653meanstohaveaccesstoapre-analyzedandrecommendedlistofcertificationschemes.However,itisrecommendto654furtherstudycertificationschemes,especiallytoexplorewhethertheISO27000familyofcertificationisdeemed655sufficient.656657ThisisalsoconfirmedbytheanalysisiftheawarenessofsomeoftheschemesofCCSLasshownbelow:658

659

660Figure10–AwarenessofsomeCloudCertificationSchemeslistedinCCSL(Question52)661

662Thefirstschemeinthislist(morethantwotimesnotoriousthanthenextone)isISO/IEC27001.ThisisnotaCloud663Computingspecificschemebutitisalsoaglobalworldwideone.664665MorecanbefoundinsectionA.11.666

6.4 Impact on other Cloud Standards Coordination Phase2 667

reports 668

ThewholescopeandworkprogramofCloudStandardsCoordinationPhase2hasbeendefinedwiththeintentionto669understandatbesttheexpectationsoftheusersregardingCloudComputing.Fromthisstandpoint,somefindingsof670thesurveyaredirectlyimpactingtheotherWorkPackagesofCSC-2andhavebeentakenintoaccountinthewritingof671thecorrespondingreports.672673WP2 OpenSourceandstandards674675ThemainfindingofthisreportregardingOpenSourceisthatOpenSourceisnotseenasamajorCloudComputing676challenge.Thiscanbeseenintwoquestions:677

• Q11.MaturityofCloudComputing:howcriticalarethefollowingissuesforyourorganization?The"Lackof678OpenSourcesolutions"isseenascriticalorverycriticalonlyby31%orrespondentwhereasthesamefigure679for"LackofstandardsandstandardsAPIs"is49%.FurtherconsiderationsonOpenSourcesolutionsare680discussedinETSISR003382[i.12].681

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 20

• Q34.WhichimpactcanCloudComputingStandardshaveonyourorganization'sconcerns?Itappearsthat682standardshaveamediumorhighimpactforabout75%ofrespondents.683

684TheWP2report(ETSISR003382[i.12])addressestherelationshipbetweenStandardsandOpenSource.Fromthis685standpoint,thoughtheusualwaytoapproachthisistoanalyzethewayOpenSourcemaymakeuseofstandards686(existingorindevelopment),itisalsousefultoaddresstheotherwayround,inparticularhowstandardscan687contributetothetrustthatusersorganizationsmayputinOpenSourcesolutions.688689

WP3 Security,StandardsandCertification690691Alotofemphasisisputbythesurveyrespondentsontheissuesofsecurity,andontheroleofstandardsor692certificationregardingtheresolutionofsecurityissues.TheworkofWP3revolvesaroundstrategiestoaddressallthis693aspectsinacoherentmanner,andontherecommendationsthatcanbedrawn.694695Inparticular,thequestionofcertificationiskey.Somefindingsofthesurveypointtotherelativelackofknowledgeof696therespondingorganizationsonthecertificationschemesthemselvesaswellasonthebestwaytousethem.A697clarificationofthisquestionandassociatedrecommendationsareamajorobjectiveoftheWP3report.698699WP4 StandardsMaturityLandscape700701Oneoftheobjectivesofthe"snapshot2"istoassessthematurityoftheCloudComputingstandardizationandto702evaluatetheprocessbetweenthe"snapshot1"ofCloudStandardsCoordinationPhase1(availableinNovember7032013)andthe"snapshot2"availableinSeptember2015,almosttwoyearsafter.704705Whenthe2013StandardsMaturityAssessment("snapshot1")resultshavebeenpublishedbyCSC-1,somegapshad706beenidentified(e.g.security,ServiceLevelAgreement).Thepersistenceofthesegaps–atleastfromthepointofview707ofusers'perception–issomehowconfirmedbythesurvey.708709Anumberofstandardshavebeendevelopedinbetweenthetwo"snapshots".Fromthisstandpoint,thelistof710relevantstandardsislargerthantheoneofNovember2013.Theanalysisofthestandardsfromthislisthastakeninto711accountsomeofthefindingsofthesurveyandpaidspecialattentionatleastto:712

• SecurityStandardsandCertificationschemes713• InteroperabilityandDataPortabilitystandards714• Service-Level-Agreementstandards715

716

6.5 Relationship to other activities 717

CloudSIGonSLA718TheCloudSpecialIndustryGrouponSLAwasinitiatedbytheECtoaddressCloudStandardisationforServiceLevel719Agreement.SeveralmembersofthisgroupalreadycontributedtoCSC-1.ThegroupwasinformedabouttheCSC-2720activitiesandinvitedtoparticipateinthesurveythroughtheirDGCNECTcontact.721722ItshouldbenotedthatthegroupisnotcurrentlyactiveafterhavingdeliveredtheirCloudServiceLevelAgreement723StandardizationGuidelinestotheECin2014andtotheISOSC38/WG3tobeconsideredinISO/IEC19086-1:"724Informationtechnology–Cloudcomputing–Servicelevelagreement(SLA)frameworkandtechnologyPart1:725Overviewandconcepts"[i.9].726727EuroCIO728CSC-2hasbeeninpermanentcontactwithEuroCIOsinceitsbeginningandhasparticipatedandcontributedtothe729twoWorkshopsorganizedbyEuroCIOonCloudComputing.In2015,EuroCIOhasbeentaskedbytheECtoreviewthe7304ECstrategicactionsinsupportofitsCloudComputingstrategyofwhichCSC-2ispart.731732ItshouldbenotedthatafewquestionsoftheCSC-2surveyquestionshavebeenincludedintheEuroCIOsurveyin733supportoftheirabove-mentionedaction.Theanswerscollectedhavegivenmorevaluetotheconcernedquestions734(e.g.oncertification).735736

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 21

NIST737Toalargedegree,NISTandCSC-2shareacommonapproachtoCloudComputingstandardization:theybothhavea738contributiontothestandardizationframework(thoughNISTalsocontributestostandardswhereasCSC-2doesnot).739Fromthisstandpoint,itappearedimportanttoinvestigatethepossiblecommonactionsthatwouldresultfromthis740situation.741742Tothisextent,afteracommonmeeting,wehaveunderstoodthatthecurrentsurveymatcheswellwiththe10743recommendationsforCloudComputingthatNISThaspublishedin2011.AcontributionofCloudStandards744CoordinationPhase2ontheanalysisofthe2011and2015situationshasbeenpresentedattheNISTCloud745ComputingWorkshopVIIIinJuly2015.ThispresentationisavailableontheCSCwebsiteinthe"Sharing"sectionat746http://csc.etsi.org/phase2/dissemination.html.747748

7 Conclusions and recommendations 749

ThepresentreportindicatesthatrunningawebsurveyonCloudstandardsmayyieldrelevantfindingseventhough750thenumberofrespondentsislimitedandthecompositionoftherespondentsresultingfromtheinvitationtoselected751stakeholdersisrepresentativeoftheoverallpopulationonlytoanunknownextent.752753Thefindingsmadeduringtheanalysisofthesurveysupportthecontinuedstrivetowardsclosingtheidentifiedgapsin754termsofsupportforCloudComputingstandards.Italsoshowsagrowingawarenessoftheimportanceofstandards,755ingeneralandforCloudComputinginparticular.756757

758Figure11–AsummaryofCloudUsersconcerns759

Source:CSCphase2760761Basedontheprincipalareasofconcern,illustratedintheabovefigure,theCloudStandardsCoordinationPhase2762expertshavelistedsomerecommendationsfollowingthefindingsinthewebsurvey.Theserecommendationsare763listedbelow:764765CollaborationacrosskeyCloudComputingstakeholders766EncourageandincreasecollaborationsacrossthevariousrelevantinitiativesinEuropeaswellacrossstandards767developmentorganizations(formal,dejureanddefacto)toavoidandminimizefragmentationandoverlapinthe768CloudComputingrelatedstandardizationefforts.DuringtheCSC-2,contactshavebeenmadewiththeUS769standardizationagency,NISTaswellasforexampletheEuroCIOorganization.Bothcontactshaveresultedinfollow-770upactivitiesthatwilladdfurthervaluetotheCSC-2resultsaswellassecuringawarenessoftheCSCwork.771772Disseminationandmarketing773

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 22

MakesurethatCloudComputingstakeholders(users,customersandproviders)aremadeawareofexistingstandards774andcertificationprograms.Therelativelylowresponseandawarenessfoundamongtherespondentsoftheweb775surveystronglysuggeststhattheimportanceandpotentialbenefitsofstandardsandcertificationschemesneedtobe776furtheradvocatedandmarketedbyusingintherelevantchannelsthroughtheappropriateEUagenciesandalsoby777theSDOs.778779ConducttheCloudWebSurveyregularly780KeepingtrackoftheendusersperceptionofCloudComputingbenefitsandchallengesprovidesanexcellentbackdrop781forongoingaswellasfutureeffortstoclosetheidentifiedgapsandaddressthechallengesdisclosedbytheweb782survey.TheSTF486expertsseethewebsurveyasagoodtooltogaugetheprogressandstate-of-affairsintheCloud783Computingspaceandrecommendthatthewebsurveyisreopenedandrunonaregularbasis,tentativelyonan784annuallybasis.785786Securityaspects–akeyconcern787“Security”,asaconcept,iswithoutdoubtamajorconcernformostusers,customersandprovidersalike,inparticular788inaCloudsetting,astheresourcestypicallyaresharedanddataintegrity confidentialityandavailability,asa789consequenceneedadditionalattentiontoensurearetainedconfidenceintheownershipofdata.Manyusersare790concernedabout“losingthecontrolofdata”,inmanycasesprobablyjustifiablyso.UnlessSecurity–allrelevant791aspectsofSecurityrelatedtoCloudComputing–isfullyaddressedandtheusersmadeawareofavailableoptionsand792existingprotocolsandstandardsthatcanbeusedtobuildreliableCloudComputingofferings,theadoptionofCloud793Computingislikelytocontinuetogrowslowly.Forfurtherdetails,seeETSISR003391[i.13].794795Certificationaddsconfidence796Theanalysissupportstheprovisioningofcertificationschemes,wherecertificationofvendorsandthecrosscutting797aspectsdatastoragelocation(oneaspectofprivacy),clouddatacentreinfrastructure,cloudprovisioningprocessand798interoperability/reversibilityaretoppriorities.Theseaspectsaregeneralconcernsthatneedtobeaddressedto799acceleratetheadoptionofCloudComputing.TheCSC-2willusetheresultsofthewebsurveyasinputtotheother800tasksandworkitemsoftheCSC(asdescribedin6.4and6.5).801802Insummary,theCloudStandardsCoordinationPhase2expertsseethestandardscoordinationeffortaswellfunded803andhighlyrelevant.Itisrecommendedthatthestandardscoordinationresultsbethoroughlydisseminatedandthat804theindustryandStandardsDevelopmentOrganizationcontactsandcollaborationsmadeaspartoftheCloud805StandardsCoordinationinitiativecontinue.806807808

8 Areas for further study 809

Someareasforfurtherstudyareforinstance:810• Specializationofresults.Inthisversionofthereport,theresultsforaquestionaretakenglobally,onthe811

totalityoftherespondents.Onsomequestions,amorein-depthanalysismaybeuseful,providedthatthe812numberofresponsesishighenoughtokeepsomerelevance.Anexampleofsuchanalysiscouldbeto813differentiatetheanswersbycountryoftherespondent:largedifferencesintherateofadoptioninEU814countries(asshowninthefigurebelow)mayalsobevisibleinthesurveyresults.Thelimitedtimeand815resourcesdevotedtoCSC-2madethisanalysisdifficulttoundertake.816

817Figure12–UseofCloudComputinginenterprisesinEurope(source:Eurostat).818

819

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 23

• AviewthattargetsSMEsspecifically.SlightlymorethanhalfoftherespondentsarefromSMEs.Considering820thatSMEsareamajortargetoftheworkofCloudStandardsCoordinationPhase2,ananalysisfocusedon821thispartoftherespondentswillbeuseful,providedthesizeofthesampleissufficientfordrawing822conclusions,whichwillbethecaseforsomebutmaybenotallofthequestions.823

• Validationoftrends.Someofthetrendsidentifiedinsection6.2maybefurthervalidatedbyadditional824analysis(possiblybyrunningthesurveyagainaftersometime).Inparticular,itmightbepossibletoidentify825newtrendsanddrawmorefirmconclusions.Anexamplemayberegardingsomeofthespecificstandards826addressedinquestions38to45.827

• IssueanewversionoftheUserSurveywithamodifiedstructureandpresentationofcoreconceptsbasedon828findingsmadeduringthecreationoftheotherCSC-2reportsandonthecommentsreceivedduringthe829reviewperiod.830

831832 833

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 24

834

Annex A: Survey Responses and Charts 835

A.1 Presentation of results 836

Theresultsofthesurveyarepresentedbelowintheformofchartsandcomments.Theyaregroupedbysub-section837thatcorrespondtothedivisionbypagesintheon-linesurveyitself.838839TheresultspresentedcorrespondtothesituationatSeptember25th,2015with376responsescollected.Thesurvey840willcontinuetobeavailableon-lineforacertainperiodoftime.Moreresultswillbeavailableforthefinalversionof841thereport.842843Thecompletesetofquestionsastheyappearon-linecanbefoundinAnnexC.844845Eachquestionisintroducedbyaheaderthathasthefollowingform:846847

Qn Textofthequestion848<#answers>answers-<indicator>849

example:125answers-ýý☐850where:851

• Qn representsQuestionnumbern852• <#answers> isthenumberofanswersreceivedforquestionQn853• <indicator> representstheviewoftheexpertsontheanswers.Itisasubjectiveindicationofhowfarthe854

resultscanbeinterpreted.Itcantakeoneofthefollowingforms:855856

ýýý theanswerstothisquestionaresubjecttoareliableinterpretation857ýý☐ theanswerstothisquestioncanbeusedforidentifyingtrends858ý☐☐ theanswerstothisquestioncanbeusedforinformation859☐☐☐ theanswerstothisquestionarenotmeantforanyinterpretation860

861Note: The<#answers>and<indicator>arenotcorrelated:theindicatorisbasedonmuchmoreinformation(and862

experts'discussion)thanjustthenumberofanswers.863864Thetypicalpresentationoftheresultsis:865

• Thepurposeofthequestion;866• Asummarychartwiththeanswerspresentedbypercentageofrespondents;867• Aninterpretationbytheexpertsofsomespecificpoints.868

A.2 Background information 869

Thisfirstsectionofthesurveywasusedforthepresentationofthesurveytogetherwithexplanationsonthewaythe870resultswillbestored,distributedandused.871872Q1 AreyoufamiliarwithCloudStandardsCoordination?873

366answers-ýýý874875SomeknowledgeoftheCloudStandardsCoordinationactivities(i.e.whatisnowcalledCloudStandardsCoordination876Phase1)isconsideredhelpfultobetterunderstandthecontextofthefollowingquestions.877878

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 25

879TheanswersindicatethatroughlytwothirdoftherespondentshavesomeknowledgeofCSC.880881Q2 AreyoufamiliarwithETSI?882

363answers-ýýý883884AcertainfamiliarityoftherespondentswithETSIisthesignthatonecouldexpectthattheyhaveacertainaffinity885withstandardizationprocessesandthusmaybetterunderstandthefollowingquestions.886887

888Almost80%oftherespondentsshowthisfamiliarityaboutETSI.889890

A.3 General purpose information 891

892Q3 Nameofyourorganization(notmandatory)893

115answers-☐☐☐894895ThoughthesurveywasanonymousanswerstothisquestionwouldallowtheCSCexpertstogetanimpressionofthe896compositionofthesetofrespondents.About28%providedthenamesoftheircompanies.Thisinformationisused897forinternalanalysisandisnot(assaidintheintroductionoftheon-linesurvey)meanttobemadepublic.898899Q4 Sizeofyourorganization900

307answers-ýýý901902ThemotivationforthisquestionissimilartotheoneforQ3.903904

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 26

905906

Alittlemorethanhalfoftherespondentscomefromdifferent-sizedSMEs,therestcomingfromorganizationswith907morethan249employees(e.g.companies,administrations,etc.).908909Q5 Sectorinwhichyourorganizationoperates910

307answers-ýýý911912ThisquestionisintendedtoshowtowhichextentCloudcomputingisusedindifferenteconomicalandsocietal913sectors.914915Theclassificationusedisbasedon“StatisticalClassificationofEconomicActivitiesintheEuropeanCommunity"[i.4]. 916917

918919TheICTsectorleadswith43%ofresponsesfollowedbyProfessional,ScientificandTechnicalActivitieswith14%and920Educationwith13%.Theothersectorsremainbelow3%.921922Q6 Region/Countryinwhichyourorganizationmainlyoperates 923

307answers-ýýý924925Thelocalizationoftherespondentsisanindicationofthegeographicaldistributionoftherespondents'organizations.926927

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 27

Itistobenotedthatthetotalofanswersisabove100%,whichshowsthatsomeoftheanswerscomefrom928organizationsthatoperateacrossseveralofthegeographicalzones.929930

931932

933Asanticipated,avastmajorityoftheanswersiscomingfromEurope,beittheEuropeanUnionortheotherEuropean934countries.ThisisinlinewithourexpectationssincethestudywasfirsttargetingtheEuropeansituation.935

A.4 Moving to Cloud Computing: expected benefits and 936

challenges to face 937

938Q7 HowhighareyourexpectationsonpotentialCloudComputingbenefits? 939

193answers-ýýý940941Thisquestionintendstoevaluatetheperceptionoftherespondentsonthebenefitsthattheirorganizationis942expectingfromtheadoptionofCloudComputing.943944

945946Mostcriteriareceived“Medium”,“High”and“VeryHigh”ratingsoftogether70%ormoreshowingthatthe947expectationsincloudcomputingbenefitsaresignificant.Inotherterms,theexpectationsarehigh.948949

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 28

Ifthehighestexpectationison"Improvedbusinessagility",theimportanceof"ReductionofCAPEX"isalsosignificant:950evenifitmaynotbeasessentialforlargeorganizations,thisimportanceofthisfactormaybehigherfortheSMEs951thatconstitutemorethanhalfoftherespondents.952953Q8 Ifthereareotherbenefitshighlyexpectedbyyourorganization,pleasespecify 954

38answers-ý☐☐955956Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:957

• Newbusinessmodels958• Serviceopportunities959• ScalabilityandCostcontrol960• Jointprocurementofresources961• SimplificationofICTprocesses962• Improvedresilience963• …964

965Insummary,Flexibility,Resourcesharing,Businessflexibility&innovation,Improvedsecurity,Peakdemand966managementarethemostsignificantbenefitsaddedbytherepliesreceived.967968Q9 Maturityofyourorganization:howcriticalarethefollowingchallenges? 969

197answers-ýýý970971Thisquestionintendstogetaself-assessmentbytherespondentsonthematurityoftheirorganizationregardingthe972challengesitmustfaceifitoptsfortheadoptionofCloudComputing.973974

975976Thetwomajorconcerns,notsurprisingly,are"Security"and"Privacyandintegrity".Onthesetwoaspects,theprofiles977ofanswersarealmostidentical,thusgivingthesignalthattherespondentsdonotdissociatebothaspects.These978issuesarestillextremelysensitive,despitesomeprogressintherecentyears.ItisnoticeablethatLegalissues,laws979andregulations(thirdinthelistwith20%)arealsoseenasmoreimportantthanothertechnicalchallenges.980981982Q10 Ifthereareothercriticalchallengestoyourorganization,pleasespecify 983

17answers-ý☐☐984985Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:986

• InternalgovernanceofCloudComputingdeployment987• Dataportabilitystandards;SLAstandards;integrationstandards988

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 29

• Culturalnorms989• Contractualobligations990• Lackoftransparencyofcloudproviders991• “ShadowICT”isseenasariskfollowingtheproliferationofCloudComputing–“SaaSsprawl”isincreasingly992

beingusedasthetermfortheincreaseduseofCloudComputingwithouttheretainedcontroloftheICT993department.Severalrespondentsraisethisasaconcernwherelackofgovernanceandlegalcompliance994mightcreatedifficultiesinorganizations.Lackoftherightknowledgeisalsobroughtupasanadditional995concern.996

• …997998999Q11 MaturityofCloudComputing:howcriticalarethefollowingissuesforyourorganization? 1000

194answers-ýýý10011002Thisquestionintendstogetaself-assessmentbytherespondentsonthematurityofCloudComputingitselfandhow1003thesechallengesmayimpacttheadoptionofCloudComputingbytheirorganization.10041005

10061007Notsosurprisingly,themajorityofrespondentsidentifySecurity(44%),PrivacyandIntegrity(43%)asmostcritical1008challengeswellbeforetheotherones.AsitwasforQ9,thisisanindicationthattheseissuesarestillextremely1009sensitive,despitesomeprogressintherecentyears.ItisnoticeablethatVendoranddatalock-in(thirdinthelistwith101028%)arealsoseenasamajorissuewiththeCloudComputingofferings.10111012Q12 IfthereareothercriticalissueswithCloudComputing,pleasespecify 1013

15answers-ý☐☐10141015Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:1016

• Businessprocesscontinuity1017• Identityandaccessmanagement[CSCexpertscomment:maybeseenasapartofsecurity]1018• Greendatacenters1019• …1020

1021RespondentsbringupIAMandPrivacyasCloudComputingconcernsbutalsoaccesstothe“topography”ofCloud1022Serviceoffersbasedonastandardizedprofiling(alsorelatedtohowtheSLAisdefined).1023

1024Q13 HasyourorganizationstartedtoadoptCloudComputing? 1025

211answers-ýýý1026

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 30

1027ThepurposeofthequestionistoevaluatethestateofCloudComputingadoptionintherespondents’organizations.10281029

10301031Notsurprisingly,aclearmajorityoftheorganizationsalreadystartedadoptingCloudComputing.Thefactthatnoneof1032therespondentsindicatedthattherearenoplansforadoptionmaysimplyindicatethatthosewhohavenosuchplans1033areprobablynoteagertofillthiskindofsurvey.10341035

A.5 Adoption of Cloud Computing in your organization 1036

Thissectionaddressestherespondent'sorganizationadoptionstrategyandintendedroleforCloudComputing.10371038Q14 ScopeofyourCloudComputingusageinthenearterm 1039

167answers-ýýý10401041ThepurposeofthequestionistocollecttheintentionsregardingthescopeofCloudComputingfortherespondent's1042organization.Itshouldbenotedthatthetotalofanswersisgreaterthan100%,severalchoicesbeingpossible.10431044

10451046ThoughthehighestfigureisregardingCloudComputingastheICTplatformofchoice,thehighvalueofthemigration1047ofsupportingbusinessprocessesisanencouragingsign.Thisiscorroboratedbytheresultsofthenextsectiononthe1048preparationoftheorganizationforCloudComputing.10491050Q15 StageofCloudComputingAdoption 1051

169answers-ýýý1052

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 31

1053ThisquestionaddressesthematurityofCloudComputingadoptionfortherespondent'sorganization.10541055

10561057Theproportionofrespondents'thathavenotyetservicesontheCloudisbelowonethird.Itisthesignofagood1058penetrationofCloudComputingamongsttherespondents'organizations.Consideringthat43%ofthemcomefrom1059theICTindustry,thisdoesnotcomeasenentiresurprise.Itmaybeusefultoanalyzetheanswersinmoredetails1060(whataboutthenon-ICTsectors,whatabouttheSMEs,…).10611062Q16 RoleofyourorganizationinCloudComputing 1063

169answers-ýýý10641065Thisquestionintendtogathertherolesoftherespondents''organizationinCloudComputing.Itisinparticulartrying1066tomeasuretherespectiveimportanceofCloudServiceCustomers(whicharetoalargeextentthetargetofthestudy)1067andCloudServiceProviders(whohadbeenthemajorforceinCSCphase1).10681069

10701071ThoughtthepercentageofCloudServiceProviderislow,thetotalamountofanswersrelatedtoroleinvolvedinthe1072CloudServicesdevelopmentanddeployment(Auditor,Develop,Provider)isonlyslightlybelowtotheoneofthe1073CloudServiceCustomers.10741075TherelativeimportanceofCloudBrokerisalsotobenoted.Sincethisisarelativelynewrole,notalreadyvery1076developedintheCloudComputingindustry,thereisprobablyaneedtoanalyzetheresultsinmoredepthto1077understandtheprofileofthecorrespondingrespondents.1078

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 32

1079Q17 LevelofyourresourcesandsupporttoCloudComputing 1080

169answers-ýýý10811082ThepurposeofthequestionistoevaluatetheamountandadequacyofICTresourcesdevotedtoCloudComputingin1083therespondents'organization.10841085

1086

10871088Inthevastmajority(almost80%)oforganizations,supportofCloudComputingcomesfromeitheradedicatedoran1089all-purposeICTsupportteam.Inthisgroup,theresourcesdedicatedtoCloudComputingaredeemedenoughto1090satisfytheneeds.Onlyathirdofthem(32%)haveresourcesspecificallydedicatedtoCloud.10911092

A.6 Cloud Computing adoption: preparing your organization 1093

Sometypicalaspectsneedtobeconsideredandsomeconditionsmustbemetinordertomakethetransitiontothe1094Cloudinasecureandreliableway.Thisisthepurposeofthissection. 10951096Q18 DataCategorizationinyourorganization 1097

171answers-ýýý10981099Thisquestionaddressestheway"DataCategorization"ishandledintherespondents'organizationsinpreparationfor1100theadoptionofCloudComputing.11011102Thequestionissupportedbythefollowingtextinthesurvey:1103

DataCategorizationdescribesdataonthebasisofhowitistransferred,processedandused.ExamplesofData1104Categoriesarecustomerdata/content,deriveddata,cloudserviceproviderdataandaccountdata.Pleaseindicate1105abovewhereyoucurrentlyareinthisprocess. 1106

1107

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 33

11081109About80%oftherespondentsareawareofdatacategorizationandhaveatleaststartedtheprocessrelatedtoit.1110SincethisisamajorenablertoCloudComputing(andoneofthefirstactivitiestoundertake),thisisaverypositive1111signalofprogress.11121113Q19 DataClassificationinyourorganization1114

170answers-ýýý11151116Thisquestionaddressestheway"DataClassification"ishandledintherespondents'organizationsinpreparationfor1117theadoptionofCloudComputing.11181119Thequestionissupportedbythefollowingtextinthesurvey:1120

DataClassificationtypicallyreferstoawaytospecifyhowtheinformationcanbeshared,from“openly”to“non-1121disclosed”(secret).ExamplesofDataClassificationtaxonomiesare:“Public,InternalUse,Confidentialand1122RegulatoryHandling”.DataProtectionlevelsareassociatedwithexamplessuchas"Rangingfrom0(unrestricted1123use)to3(extremeconfidentiality)".Theyrequiremeasuresinordertoenforcethelevels,suchasencryption,1124limiteddistribution,etc.Pleaseindicateabovewhereyoucurrentlyareinthisprocess. 1125

1126

11271128Aforthepreviousquestion,about80%oftherespondentsareawareofdataclassificationandhaveatleaststarted1129theprocessrelatedtoit.Hereagain,thisisaverypositivesignalofprogress.11301131

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 34

Q20 DataSecurityinyourorganization1132171answers-ýýý1133

1134Thisquestionaddressestheway"DataSecurity"ishandledintherespondents'organizationsinpreparationforthe1135adoptionofCloudComputing.11361137Thequestionissupportedbythefollowingtextinthesurvey:1138

InordertomovesecurelytotheCloud,manydifferentaspectsofDataSecuritysuchasinformationsecurity,1139informationintegrity,accessandidentitymanagement,contingency,andPersonallyIdentifiableInformation(PII)1140havetobeaddressedandshouldbewelldefinedandunderstood.Pleasestateaboveyourorganization’slevelof1141controlandawarenessinthedatasecuritydomain. 1142

11431144

11451146Theresultisencouragingashalftherespondentsclaima"high"andanotherthirda"medium"datasecuritylevel1147withintheirorganizations.11481149Q21 BusinessProcessesidentification,descriptionandalignmentinyourorganization 1150

169answers-ýýý11511152Thisquestionaddressestheway"BusinessProcessesidentification,descriptionandalignment"ishandledinthe1153respondents'organizationsinpreparationfortheadoptionofCloudComputing.11541155Thequestionissupportedbythefollowingtextinthesurvey:1156

InordertoensureatransitiontotheCloudbasedontheneedsoftheorganization,itisconsideredasbestpractice1157thatthecoreandsupportingprocessesoftheorganizationbeclearlydefinedandsupported,whererelevant,by1158ICTsolutions.Well-controlledprocessesmakethetransitioneasierandallowtheorganizationtomovetothe1159Cloudonthebasisofprioritizedtransitionplans.Pleasestateaboveyourorganization’slevelofbusinessprocess1160situationintermsofidentification,descriptionandalignment. 1161

1162

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 35

11631164Roughly¾oftherespondentsindicatethattheirorganizationhasa(relatively)well-controlledprocessunderway.1165However,theproportionof"high"controlandawarenessislowerthanforthepreviousquestionsrelatedtohandling1166ofdata.Thismaybethesignthetaskathandismorecomplexandoveralllessadvanced.Thisisinlinewiththe1167previousfindingsabout"security"asthemajorconcernoforganizations.11681169Q22 ServiceOrientedArchitectureinyourorganization 1170

169answers-ýýý11711172Thisquestionaddressestheway"ServiceOrientedArchitecture"ishandledintherespondents'organizationsin1173preparationfortheadoptionofCloudComputing.11741175Thequestionissupportedbythefollowingtextinthesurvey:1176

Architecturesbasedonlooselycoupledservices,ServiceOrientedArchitectures(SOA),facilitatethemigrationto1177theCloud.SystemsbasedonSOAmaybeprogressivelytransitionedtotheCloud,basedonprioritiesandany1178policiesintermsofdatadistributionorsecurityinplace.Pleasestateaboveyourorganization’slevelofservice1179orientation. 1180

1181

1182

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 36

1183Aboutthreequartersoftherespondentsclaimthattheirorganizationhasatleaststartedserviceorientedprocedures.1184Buttheproportionofthosewhoconsiderthework"done"isstilllow.Thereasonmayberelatedtotheperceived1185challengeofBusinessProcessesadaptationtoCloudComputing:SOAisoneelementoftheglobalproblem.11861187Q23 SoftwareLicensesinyourorganization 1188

171answers-ýýý11891190Thisquestionaddressestheway"SoftwareLicenses"arehandledintherespondents'organizationsinpreparationfor1191theadoptionofCloudComputing.11921193Thequestionissupportedbythefollowingtextinthesurvey:1194

Ifyourcompanyisworkingwithcommercialsoftware,ithastypicallyacquiredsoftwarelicensesthatallowusing1195thissoftwareon-site.WhenthereisaplantousethissoftwareintheCloud,yourcompanyusuallyhasto1196negotiatewiththeindependentsoftwarevendoraboutusinglicensesforrunningthesoftwareintheCloud.Please1197indicateabovewhereyoucurrentlyareinthisprocess. 1198

1199

12001201Onlyslightlymorethanhalf(58%)oftheorganizationsthatusecommercialsoftwarehavestartednegotiationswith1202theirprovidersonthemigrationofsoftwarelicensesintotheCloud.Andonlyonethirdofthem(36%)havefinalized1203thesenegotiations.Somesignificanteffortsstillneedtobedone.12041205Q24 EnsuringSoftwareSuitabilityinyourorganization 1206

170answers-ýýý12071208Thisquestionaddressestheway"SoftwareSuitability"ishandledintherespondents'organizationsinpreparationfor1209theadoptionofCloudComputing.12101211Thequestionissupportedbythefollowingtextinthesurvey:1212

IfyouplantousesoftwareintheCloudthatyouusedon-siteuntilnow,additionalefforts(besidesresolving1213softwarelicensingissues)mightbeneeded.Examplesofrequiredeffortsare:checkingwhetherthesoftware1214canberunintheVMsoftheCloud;adaptingthesoftwareifneededtomakeuseoftheselectedCloud1215platform’sfeatures;investigatinghowtodistributethesoftwareacrossseveralVMstomaintainorincrease1216performance;evaluatingwhetherallprerequisitesfortheoperationareinplace,etc.Pleaseindicateabove1217whereyoucurrentlyareinthisprocess. 1218

1219

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 37

12201221Roughly60%oftherespondentshaveatleaststartedthesoftwaremigrationwithonlyaround25%ofthisgroupthat1222hasalreadyfinished.Thisisanothersignofthecomplexityofthetaskathand.12231224Another26%ofrespondentsindicatetheyhavenoneedtogothroughthisprocess,whichiscoherentwiththeresults1225ofthepreviousquestion.12261227

A.7 Cloud Computing: Deployment models and Service 1228

categories 1229

1230ThepurposeofthissurveysectionistounderstandwhichDeploymentmodelsandwhichServicecategoriesareof1231majorinteresttotherespondent'sorganization. 12321233Q25 WhichClouddeploymentmodelseemsbestfittoyourneeds? 1234

163answers-ýýý12351236ThepurposeofthisquestionwastoinvestigatetheintentionsoftherespondentregardingdifferentoptionsofCloud1237deploymentmodel.Privatecloudwassplitintwodifferentquestionitems.12381239

12401241PrivateCloud(underitstwoforms:on-premisesandoff-premises)isthepreferredmodel.Hybridandpublicarenot1242far.ThescoreofCommunityCloudcanbeaslowbutaswellasrelativelyencouragingforthismodel.12431244

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 38

Q26 CloudServiceCategory:IaaS(InfrastructureasaService) 1245158answers-ýýý1246

1247FourinstantiationsofIaaSapplicationsareproposedforevaluation.12481249

12501251TheHigh-Availabilityusecaseisbyfarthemostattractiveone.12521253Q27 CloudServiceCategory:PaaS(PlatformasaService) 1254

151answers-ýýý12551256TwoinstantiationsofPaaSapplicationsareproposedforevaluation.12571258

12591260Q28 CloudServiceCategory:SaaS(SoftwareasaService) 1261

158answers-ýýý12621263AlargenumberofinstantiationsofSaaSapplicationsareproposedforevaluation.12641265

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 39

12661267Thenumbercandidateis"Generaldatastorage"withtheotheratadistance.Ontheothersideofthescale,thevery1268lowscoreof"Processingsensitivedata,includingPII"reflectstheoverwhelmingconcernabout"Security"and"Privacy1269andIntegrity".12701271Q29 Doyouhaveinterestintheemergingcategories:CaaS,CompaaS,NaaS,DsaaS? 1272

177answers-ýý☐12731274Thisquestionhasadoubleintention:1275

• TomeasurethedegreeofinterestoftherespondentsforsomenewServicecategoriescurrentlyemerging(in1276particularinstandardization).1277

• Toskipthefollowingsectionincasetheansweris"No".127812791280

12811282

A.8 Emerging Cloud Service Categories 1283

Thepurposeofthissurveysectionistounderstandtherespondents'viewsonnewServicecategoriesthatarestarting1284tobeconsidered(inparticularinstandardization).Foreachofthesecategories,thequestiontargetssometypical1285instantiationsofapplications.12861287

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 40

Q30 CloudServiceCategory:CaaS(CommunicationasaService) 128883answers-ýý☐1289

1290TwospecificapplicationshavebeenevaluatedforthisnewServicecategory.12911292

12931294Q31 CloudServiceCategory:CompaaS(ComputingasaService) 1295

79answers-ýý☐12961297ThreespecificapplicationshavebeenevaluatedforthisnewServicecategory.12981299

13001301Q32 CloudServiceCategory:NaaS(NetworkasaService) 1302

81answers-ýý☐13031304OnlyoneapplicationhasbeenevaluatedforthisnewServicecategory.13051306

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 41

13071308InternetofThingsmaybeseenasaverypromisingapplication,andmaybeareasonfortheinterestinthisnew1309Servicecategory.13101311Q33 CloudServiceCategory:DsaaS(StorageasaService) 1312

86answers-ýý☐13131314TwospecificapplicationshavebeenevaluatedforthisnewServicecategory.13151316

13171318Bothapplicationshavebeenreceivingsignificantagreement.BigDatamaybeseenasthemostpromisingapplication,1319andmaybeareasonfortheinterestinthisnewServicecategory.13201321

A.9 Cloud Computing and Standards 1322

Thepurposeofthissectionistocaptureahigh-levelviewonCloudComputingstandards,beitgoodand/orbad. 13231324

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 42

Q34 WhichimpactcanCloudComputingStandardshaveonyourorganization'sconcerns? 1325153answers-ýýý1326

1327Thepurposeofthisquestionistomeasurethesupportfromstandardizationexpectedbytherespondents'1328organizationwhentheyfacesomemajor(businessortechnical)challenges.13291330

13311332Formostofthedomains,thesumof"Medium"and"High"answersisinmostcaseabove75%.Thetopthreedomains1333are"Security","Privacyandintegrity"and"Interoperability".Thisiscoherentwiththefindingintheprevious1334questionsrelatedtochallenges.Thefollowingquestionsaddresstheseexpectationstowardsstandardsinmore1335details.13361337Q35 TowhichdegreeareCloudComputingStandardsconsideredorusedinyourorganization? 1338

151answers-ýýý13391340Thisquestionintendstomeasurethedegreeofinvestmentonstandards(fromsimpleknowledgetoactualusage).13411342

13431344

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 43

Whenaskedabouttheactualplaceofstandardsintheirorganization,therespondentsarealsogivingthesignalthat,1345inmorethan75%ofthecases,standardsare"considered"or"used".Thisshowsaconcreteinvestmentonstandards,1346togetherwetheexpressedneedtohaveabetterknowledge.13471348Q36 Areyouwilling/abletogivefeedbackindetailonCloudComputingStandards? 1349

165answers-ýý☐13501351Thisquestionhasadoubleintention1352

• TomeasurethedegreeofinterestoftherespondentsforsomeparticularCloudComputingstandards.1353• Toskipthefollowingsectionincasetheansweris"No".1354

13551356

13571358Notfarfromhalfoftherespondentseemedinterestedbydetailedfeedbackonspecificstandards,whichcameasa1359relativesurprise.However,itshouldbenotedthattherateofactualanswersinthefollowingsectioniswellbelowthe1360numberofrespondentsthathavechosentovisitthatsectionofthesurvey.13611362

A.10 Cloud Computing Standards: a detailed view 1363

Thepurposeofthissectionistoevaluatetherespondents'perceptionofstandardsgapsandtomeasurethevisibility1364ofsomemajorCloudComputingstandardsclassifiedacrossseveraltechnicaldomains. 13651366Q37 InwhichdomainhaveyoubeenconfrontedwiththelackofCloudComputingstandards? 1367

62answers-ýý☐13681369ThepurposeofthisquestionistogettheviewontherespondentsontechnicaldomainsofCloudComputingwere1370theyperceivealackofapplicablestandards.Thisquestionisaskedtotherespondentsthathavechosentoprovide1371detailedfeedbackonspecificstandards.13721373

1374

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 44

1375Mostofthedifferentdomainsreceiveasignificantscore,withthesameusualtopones.Thehighscoreof"Service1376LevelAgreement"mustbenoted:thisquestionreceivesmoreattentionfromatechnicalstandpointthaninthe1377previousquestionsregardingchallengesoradoptionofCloudComputing.13781379Itshouldalsobesaidthat,unfortunately,thisquestionshouldhavebeenpositionedintheprevioussection,together1380withtheotherglobalquestionsonstandards.However,thiswasdiscoveredonlyoncethesurveyhadstartedandno1381waytochangethiswaspossiblewithoutdisruptingthecollectofinformation.13821383Q38 Yourorganization'sadoptionanduseofCCstandards:Generalpurpose 1384

60answers-ýý☐13851386Alistof"generalpurpose"standards(e.g.applicabletoalargepartoftheCloudComputingtechnicalspace)is1387proposedforevaluationoftherespondents'knowledgeaboutand,inthebestcase,usageofthesestandards.13881389

13901391Inallcases,thelevelofknowledgeand/orusageonthesestandardsislow.WiththeexceptionofthetwoISO/IEC1392standardsrelatedtobasicelementssuchasvocabularyandreferencearchitecture,theotheronesarelargelystillin1393anevaluationphase.13941395Q39 Yourorganization'sadoptionanduseofCCstandards:Security 1396

59answers-ýý☐13971398Alistof"security"standardsisproposedforevaluationoftherespondents'knowledgeaboutand,inthebestcase,1399usageofthesestandards.14001401

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 45

14021403Theremarksmadeforthepreviousquestionapplyalsohere.14041405Q40 Yourorganization'sadoptionanduseofCCstandards:Dataprotection 1406

59answers-ýý☐14071408Alistof"dataprotection"standards(actuallylimitedtoone)isproposedforevaluationoftherespondents'1409knowledgeaboutand,inthebestcase,usageofthesestandards.14101411

14121413ThevisibilityofISO/IEC27018[i.11](relatedtoCodeofPracticeforPII)isbelowwhatwecouldhaveexpectedthough1414itaddressesasubjectofconcernandisverymuchcurrentlyatthecenterofattention.Awarenessanduptakeof1415ISO/IEC27018[i.11]needstobemonitored.14161417Q41 Yourorganization'sadoptionanduseofCCstandards:Management 1418

58answers-ýý☐14191420Alistof"management"standardsisproposedforevaluationoftherespondents'knowledgeaboutand,inthebest1421case,usageofthesestandards.14221423

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 46

14241425Similarobservationscanbemadethanforquestions38or39.14261427Q42 Yourorganization'sadoptionanduseofCCstandards:ServiceLevelAgreement 1428

57answers-ýý☐14291430Alistof"servicelevelagreement"(SLA)standardsisproposedforevaluationoftherespondents'knowledgeabout1431and,inthebestcase,usageofthesestandards.14321433

14341435Allthesestandardsarenotknowbythemajorityofrespondents.Thishasalsotobeputinperspectivewiththe1436relativelyhighfigure(65%asthetotalof"Critical"and"VeryCritical"answers)regardingSLAasachallengeinQ11.It1437maybeseenasthesignalthatthesestandardsarenotperceivedasprovidingasignificantanswertotheSLAcomplex1438question.14391440Q43 Yourorganization'sadoptionanduseofCCstandards:Portability 1441

58answers-ýý☐1442

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 47

1443Alistof"Portability"standardsisproposedforevaluationoftherespondents'knowledgeaboutand,inthebestcase,1444usageofthesestandards.14451446

14471448Thesamepatternofstandardsvisibilityappliesalsoforthisdomain.14491450Q44 Yourorganization'sadoptionanduseofCCstandards:Multi-cloud,Cloudfederation 1451

57answers-ýý☐14521453

1454

14551456TheremarksmadeinQuestion40aboutISO/IEC27018[i.11]arealsolargelyvalidforthisstandard.14571458

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 48

Q45 Yourorganization'sadoptionanduseofCCstandards:Application 145958answers-ýý☐1460

1461

14621463Thepatternofstandardsawarenessidentifiedinthepreviousquestionsappliesalsoforthisdomain.14641465Q46 Anyotherstandardnotlistedherethatyourorganizationknowsaboutandisconsidering1466(oneormore)? 1467

9answers-ý☐☐14681469Thiswasanopenquestion.Someoftheanswersreceivedinclude:1470

• DeFactoStandardse.g.,ApacheDeltaAPIs1471• LEETSECURITYratingguide1472• Thislistisfartoonumerousandtoocomplex.Wejustneedtwostandards:1)sufficientsecurity;2)Compliant1473

withtheEuropeanlaws(Directive1995).1474• ISO/IEC19086(drafts)1475

1476SAML2,CDMI,OCCIanddefactostandardssuchasApacheDeltaAPIsarementionedasadditionalstandardsthatcan1477beapplicableintheCloudComputingspace.14781479

A.11 Cloud Computing Certification Standards 1480

1481Thepurposeofthissectionistochecktherespondents'intentionsregardingcertificationandhowstandardscan1482supportthem.14831484Itissupportedbythefollowingtextinthesurvey: 1485

Certificationisawaytoindicatetocustomersthatacompanyfollowscertainrulesandprocesses(definedinthe1486contextofcertification)andconsequentlytodisburdenthemfromregularlycheckingthecertifiedcompany. 1487 1488CloudCustomersareencouraged–orevenobligedbynationallawinsomeEuropeancountries–toverifythe1489reliabilityofa(Cloud)providerbeforesigningacontract.CloudComputingCertificationStandardsmayappear1490helpfulasdecisionsupport,specificallyasfarastheCertificationscopecoversthemainareasofinterestsandis1491fullytransparent. 1492

1493Q47 WouldyouconsiderCloudCertificationasapossibilitytoimproveconfidenceinCloud? 1494

143answers-ýýý14951496

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 49

14971498Thefeedbackfromtherespondentsontheroleofcertificationisclear:itisaveryusefulwaytoimproveconfidencein1499CloudComputingforaverylargemajority(over80%).15001501Q48 PleaserankthefollowingCloudCertificationareasaccordingtheirimportance 1502

243answers-ýýý15031504Regardingthescopeofcertification,alistof12domainshasbeenproposedinthisquestion.15051506

15071508ThenumberonecandidateforcertificationisDatastoragelocation.Thisisreflectingtheconcernalreadyidentifiedin1509theprevioussectionsofthesurvey(e.g.adoptionofCloud)onlegalandtechnicalsupporttotheprotectionofthe1510organization'sdata.Certificationisseenasapotentialenabler.15111512Thenextthreedomainsintherespondents'rankingareregardingtechnicalconcerns:CloudDatacenterinfrastructure,1513CloudProvisioningprocessesandInteroperability/Reversibility.Hereagainthequestionofdata(integrity,1514reversibility)canbeseenasamajorconcern.15151516Q49 WhichfurtherareaswouldyouconsiderasrelevantforaCloudCertification?1517

19answers-ý☐☐15181519Thiswasanopenquestion.Amongsttheanswersreceived:1520

• Cloudserviceinsurance1521

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 50

• Greendatacenterinfrastructure1522• ITILProcessesAPIinteractionsFinancialControl1523• Wejustneedtwocertifications:1)sufficientsecurity;2)CompliantwiththeEuropeanlaws(Directive1995)1524

andeventualnationaladditions.ButthesecertificationsshouldbevalidatedbytheWP29as“Enoughtobe1525fullycompliantwiththeEuropeanandnationallaws”.1526

• Accountability1527• Governance1528

1529Additionalcertificationareasmentionedinclude“jurisdictionandlegalsystemgoverningtheprovider”,“capacity1530management”,“greendatacenterinfrastructure”,“securityrating”,“Cloudserviceinsurance”and“multi-vendors1531scheme”.15321533Q50 Canyouratetheimportanceofthefollowingtypesofcertificationforyourorganization?1534

134answers-ýýý15351536Severaltypesofcertificationareproposedforevaluation.15371538Thequestionissupportedbythefollowingtext:1539

CloudProviderCertification:Certificationofindividualenterprises,whoareproviding–oneorseveralcloud1540services–tothemarket. 1541CloudServiceCertification:Certificationofindividualcloudservicesandacrossallpartnersinvolvedintheservice1542provisioningprocess. 1543SelfCertification:CertificationProcessconductedbythecloudserviceproviderhimself. 1544Certificationbyaccreditedauditors: 1545CertificationProcessconductedbyindependentandaccreditedauditors. 1546CertificationStandardsreflectingEuropeanrequirements: 1547TheCertificationScopecoversCloudSecurity&Privacy,operationalandcontractualaspectsinreferencetolegal1548Europeanrequirements.CertificationStandardsreflectingGlobalrequirements: 1549TheCertificationScopecoversCloudSecurity&PrivacyaspectsinreferencetoGlobalrequirements. 1550UniqueCertificationScope: 1551AdefinedCertificationScopeforalltypesofCloudServicesorCloudProviders(seeabove). 1552GradedCertificationScope: 1553Asetofgraduatedcertificationsreflectingdifferentqualitylevelstoallowcertificationalsoformedium-sizedcloud1554providers. 1555

1556

15571558Withtheexceptionofself-certification,andtosomedegreeofthe"one-size-fits-all"one,allotherschemesareseen1559ashavingsomemerit.15601561Q51 AreyouawareoftheCloudCertificationSchemesList(CCSL)? 1562

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 51

136answers-ýýý15631564

15651566WhenfacingtheselectionofCloudCertificationschemes,anorganizationisofferedalargesetofsuchschemes.The1567CloudCertificationSchemeList(CCSL)isanattempttomakeaselectionofsuchschemes.Thesurveyshowsthatonly156831%ofrespondentsareawareofthislist.15691570Q52 WhichofthefollowingCloudCertificationSchemeslistedinCCSLareyouareawareof? 1571

114answers-ýýý15721573Thisquestionwasmeantformorepreciseanswersforthe(31%-asseeninQ51–of)respondentsthatareawareof1574theCCSLlistregarding12certificationschemesreferenced.15751576

15771578ThemostsignificantresultisthespecificappealofISO/IEC27001,thoughitisnotaCloudComputingspecific1579standard.Theothercertificationschemesarelargelybehind,maybebecausetheyallarecountryandregionspecific1580anddonothavetheglobalrecognitionthatISO/IEChasworldwide.15811582Q53 AsaCloudCustomer,doyouplantoincludeoneoftheseCertificationsinyourCloud1583

Purchasingprocesses? 1584136answers-ýýý1585

1586

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 52

15871588Thereisaclearmajorityof"Yes".15891590Q54 Ifnot,whatarethemainreasons? 1591

27answers-ý☐☐15921593Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:1594

• Notyetneeded1595• Notfamiliarwiththem1596• Wearesatisfiedwithpresentlevelanddeliveryofservices1597• Nomoney1598• Toocomplex,wedon'tknowwhatdotheyreallymean,whatdotheyreallycover,whohaselaboratedthem1599

inwho'sinterest,whethertheyarecompliantwithEuropeanorWP29obligations,andISO27001and1600SOC1&2notCloudspecific.Wejustneed2certificationsstampedbytheEC&WP29tobesurethatourdatais1601protectedandthatwearecompliantwithEuropeanlaws1602

• LackofinformationregardingCloudCertificationSchemes;insufficienttrustintheircapabilitiesto1603adequatelyassess/certifyprivacy/securityaspects1604

• We only shop from major providers and have no position of negotiation.16051606ManyrespondentsthatbelongtotheCloudCustomercategoriesthatareNOTinterestedincertificationprogramsare1607lackinginsightintothevalueofthecertificationprogramsoraresimplynotawareofthecertificationprograms.Lack1608ofbudgetanduncertaintiesonthevaluearealsopresentedasreasonsfornotusingcertificationschemes.16091610Q55 AsaCloudProvider,doyouplantocertifyyourCloudserviceoffering? 1611

123answers-ýýý16121613

16141615Thereisaclearmajorityof"Yes".16161617Q56 Ifnot,whatarethemainreasons? 1618

20answers-ý☐☐16191620Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:1621

• Wewillonlycertifyaccordingtolegaldemand1622• Notinplannow,butifmarketwillaskforit,thenwe'llreconsider1623

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 53

• Notdemandedbycustomers1624• OnlyISO27001,asthishasnamerecognitionwithcustomers1625• Lackoftimeandknowledge1626

1627Amongsttheproviderswhohavenotbeenyetusinganycertificationprogram,“costandtime”,“notrequestedby1628customers”andnoperceivedrelevancearesomeofthemotivesfornotusingcertificationprogram16291630

A.12 Information on the person replying to the survey 1631

Thepurposeofthissectionistocollectadditionalinformationfromtherespondents.Noneofthisinformationisfor1632publicdisclosureaccordingtotheprivacypolicyannouncedinthefirstsectionofthesurvey.Someaggregationofthe1633answersispossible.16341635Q57 Whatisyourroleinyourorganization?1636

110answers-ý☐☐16371638Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:1639

• CXOpositions(41%).1640• ProjectManagers,Architects,Datacenteradministrators,…(36%)1641• Researchers1642• Consultants1643• …1644

1645Q58 WhatisyourexperienceinCloudComputing?(length,expertise,etc.)1646

104answers-ý☐☐16471648Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.16491650RespondentsansweringtothequestionaboutCloudpastexperienceshaveingeneral4-10yearsofexperience,with1651onaverage4-5yearsexperiencedominatingamongtherespondents.Experiencesspanovermanyareas,with1652expertisespanningoverprocurement,SaaSdevelopment,Security,businessprocessmodelingandmore.16531654Q59 Youcanalsoleaveusyouremail 1655

34answers-☐☐☐1656Accordingtotheprivacypolicy,theseanswersarenotdisclosed.16571658 1659

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 54

1660

Annex B: List of the survey distribution channels 1661

Over100organizations,stakeholdersand/orcompanieshavebeencontactedfortheirsupporttothesurvey(many1662timestwiceormore).Dependingontheirabilities,theannouncementofthesurveyhasbeenrelayedtopartorall1663membersofthecontact(e.g.acompany,aLinkedIngroup,aStandardsSettingOrganization,etc.).16641665Thelistcanbeconsultedbelow.16661667Organization/Company/Stakeholder Channel Firstdate andagainAFNOR Telephone/email 13/04/15 CloudCatalyst Web/Newsletter 13/04/15 CloudComputing LinkedIn 30/03/15 15/05/15CloudComputingAssociation LinkedIn 30/03/15 15/05/15CloudComputingBestPractices LinkedInGroup,6000+contacts 30/05/15 CloudComputingStandardsForum LinkedIn 30/03/15 15/05/15CloudComputingStandardsForum LinkedInGroup,4000+contacts 30/05/15 CloudNetworking LinkedIn 02/04/15 15/05/15CloudPier LinkedIn 02/04/15 15/05/15CloudPSI LinkedIn 02/04/15 15/05/15CloudSecurityAlliance LinkedIn 02/04/15 15/05/15CloudSecurityAllianceGermanChapter LinkedIn 02/04/15 15/05/15CloudSpecialIndustryGrouponSLA e-mail 12/04/15 CloudSweden e-mail 30/03/15 Cloud4Europe e-mail 02/04/15 15/05/15CloudforEurope Twitter 18/05/15 CloudInterop Twitter 18/05/15 CloudingSME Web/Newsletter 13.04.15 CloudScape e-mail 30/03/15 Cloudwatch e-mail 30/03/15 02/04/15Cloudwatch LinkedIn 15/05/15 ConversationsonCloudComputing LinkedInGroup10.000+contacts 30/05/15 CoreGRID LinkedIn 02/04/15 15/05/15CSCphase1participants email 14/04/15 DGCONNECT(EC) email/telephone/Website 31/03/15 05/05/15DGDIGIT(EC) e-mail 01/04/15 DIFI(theNorwegianICTauthority) e-mail 30/03/15 DigitalAgendaforEurope2010-2020 LinkedIn 02/04/15 15/05/15DIGITALTRANSFORMATION(CloudComputing,Virtualization,Social,MobileandBigData)

LinkedIn 30/03/15 14/04/15

DIGITALTRANSFORMATION(CloudComputing,Virtualization,Social,MobileandBigData)

LinkedIn 15/05/15

DIGST(theDanishICTauthority) e-mail 31/03/15 DMTF e-mail 01/04/15 Ecoe.V.(Germany/International) Web/Newsletter,Twitter,LinkedIn 13.04.15 EGI e-mail 30/03/15

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 55

Organization/Company/Stakeholder Channel Firstdate andagainEGI,CloudWatchHub e-mail 15/05/15 ETSI CollectiveLetter 03/04/15 05/05/15ETSIpeople LinkedIn 22/05/15 EU-ChinaCooperationonICTResearch LinkedIn 02/04/15 15/05/15EuroCIO email/telephone 13/04/15 15/05/15EurocloudAustria Web/Newsletter 03.04.15 EurocloudBelgium Web/Newsletter 03.04.15 EurocloudDenmark Web/Newsletter 03.04.15 EurocloudEurope Web/Newsletter/Twitter/LinkedIn 03.04.15 EurocloudEuropeGroup LinkedInGroup,2200+contacts 30/05/15 EurocloudFrance LinkedInGroup,600+contacts 30/05/15 EurocloudFrance Web/Newsletter 03.04.15 EurocloudGermany LinkedInGroup,400+contacts 30/05/15 EurocloudGermany Web/Newsletter 03.04.15 EurocloudHungary Web/Newsletter 03.04.15 EurocloudItaly Web/Newsletter 03.04.15 EurocloudLuxembourg LinkedInGroup,130+contacts 30/05/15 EurocloudLuxembourg Web/Newsletter 03.04.15 EurocloudMalta Web/Newsletter 03.04.15 EurocloudNetherlands LinkedInGroup,200+contacts 30/05/15 EurocloudNetherlands Web/Newsletter 03.04.15 EurocloudPoland Web/Newsletter 03.04.15 EurocloudPortugal Web/Newsletter 03.04.15 EurocloudRomania Web/Newsletter 03.04.15 EurocloudRussia Web/Newsletter 03.04.15 EurocloudSerbia Web/Newsletter 03.04.15 EurocloudSlovakia Web/Newsletter 03.04.15 EurocloudSlovenia ECSILinkedIn 03.04.15 EurocloudSlovenia/ZITex LinkedInGroup,600+contacts 30/05/15 EurocloudSpain Web/Newsletter 03.04.15 EurocloudSweden Web/Newsletter 03.04.15 EurocloudSwedenGroup LinkedInGroup,150+contacts 30/05/15 EurocloudSwiss Web/Newsletter 03.04.15 EurocloudUK Web/Newsletter 03.04.15 EurocloudUKGroup LinkedInGroup,500+contacts 30/05/15 FraunhoferCloudAlliance e-mail 30/03/15 15/05/15FraunhoferCloudAlliance e-mail 15/05/15 FrenchMinistryofEconomy email 15/04/15 GI-Radar e-mail 12/04/15 HPC&BigData LinkedIn 14/04/15 15/05/15HPCcloud LinkedIn 02/04/15 15/05/15I4MS LinkedIn 02/04/15 15/05/15IAMCPSweden e-mail 30/03/15 IBMSweden e-mail 30/03/15 IEEE2301 e-mail 15/05/15 IEEE2302 e-mail 15/05/15

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 56

Organization/Company/Stakeholder Channel Firstdate andagainIEEECloudComputing LinkedIn 02/04/15 15/05/15IEEEComputerSocietyMembers LinkedIn 02/04/15 15/05/15ISOJTC1SC38 e-mail 01/04/15 LinkedInpulse LinkedInpulse 21/05/15 NEA(networkfore-BusinessinSweden) e-mail 01/04/15 NIST e-mail 01/04/15 OASIS e-mail 01/04/15 OGF e-mail 02/04/15 OGFStandards Twitter 01/04/15 OpenCloudComputingInterface LinkedIn 02/04/15 15/05/15OpenGroup e-mail 01/04/15 OpenNebulafortheEnterprise LinkedIn 02/04/15 15/05/15OpenNebulaOpenSourceCloudCommunity

LinkedIn 02/04/15 15/05/15

OpenStack LinkedIn 13/04/15 15/05/15OPTIMIS LinkedIn 02/04/15 15/05/15ORBITEUFP7Project LinkedIn 02/04/15 ScientificCloudComputing(ScienceCloud) LinkedIn 02/04/15 15/05/15Scout2Cloud LinkedInPulse,500+personal

contacts30/05/15

SienaInitiative LinkedIn 02/04/15 15/05/15SoftwareasaService LinkedInGroup,68000+contacts 30/05/15 SwedishFinancialManagementAuthority(ESV)

e-mail 30/03/15

SwedishICTandTelecomorganization e-mail 30/03/15 SwedishMinistryofEnterprise e-mail 30/03/15 SwedishMinistryofPension e-mail 30/03/15 SwedishStandardsOrganization e-mail 30/03/15 TeleManagementForum e-mail 02/04/15 TrustedCloudCompetenceCentre e-mail 30/03/15 UberCloud e-mail 06/04/15 UEAPME email 13/04/15 1668 1669

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 57

1670

Annex C: Full text of the survey 1671

Thefulltextoftheon-linesurveycanbefoundbelow.16721673Thedifferentsectionsareprintedwithoutpagebreaks.Intheon-linesurvey,theyareseparatedbyalinewith1674"Previous"and"Next"buttons.1675

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 58

1676

Cloud Standards Coordination (CSC)

CSC is a collaboration initiative between the European Commission and ETSI (the European

Telecommunications Standards Institute). CSC Phase 1 took place in 2013 and addressed primarily

the standards roadmaps. CSC Phase 2, launched in February 2015, addresses the needs and

priorities of Cloud Computing users, assesses the maturity of Cloud Computing standards, and

evaluates how standards can support the Cloud users priorities.

Some background information on this survey

Purpose of this survey

This survey intends to collect feedback from the Cloud Computing community about needs, objectives,

areas of concerns, and typical scenarios. It also intends to evaluate the perceived maturity of Cloud

standards.

Target audience

This survey targets end users (“Cloud Service Customers”) from the private or public sector, from the

SMEs as well as large organizations, in all vertical sectors. Other stakeholders (e.g. Cloud Service

Providers) are fully welcome to answer.

Who is in charge?

This survey has been created and will be analyzed by the CSC Phase 2 project, under the responsibility of

ETSI.

Contact: ETSI CSC Phase 2 ( survey.stf486@etsi.org)

Privacy/Confidentiality

No details of companies and/or individuals participating will be released to the general public in any form

that allows identification of the respondent. Answers to this survey will be shared and used only amongst

the ETSI experts. Only aggregated results will be published.

Please TAKE THE SURVEY, answering the following questions to the best of your knowledge.

It will take 20 minutes of your time and you will provide valuable input to the ongoing effort to develop

relevant standards for use in Cloud Computing.

A few questions with an asterisk before the question number (e.g. *4. Size of your organization) require an

answer.

1. Are you familiar with Cloud Standards Coordination?

Yes Somehow No

2. Are you familiar with ETSI?

Yes Somehow No

Some information to position your organization in the global landscape.

General purpose information

1

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 59

1677

3. Name of your organization (not mandatory)

* 4. Size of your organization

Micro (up to 9 employees)

Small (up to 49 employees)

Medium-sized (up to 249 employees)

Large (over 249 employees)

* 5. Sector in which your organization operates

Agriculture, Forestry and Fishing

Mining and Quarrying

Manufacturing

Electricity, gas, steam and air conditioning

Water Supply; Sewerage, Waste Management

Construction

Wholesale and Retail Trade; Repair of Motor Vehicles

Transportation and Storage

Accommodation and Food Service Activities

Information and Communication

Financial and Insurance Activities

Real Estate Activities

Professional, Scientific and Technical Activities

Administrative and Support Service Activities

Public Administration and Defense; Social Security

Education

Human Health and Social Work Activities

Arts, Entertainment and Recreation

Other Service Activities

Activities of Households as Employers

Activities of Extraterritorial Organisations and Bodies

Other (please specify)

Based on “Statistical Classification of Economic Activities in the European Community, Rev. 2 (2008)”, see here.

* 6. Region/Country in which your organization mainly operates?

Africa

Asia

Central America

Europe (Eastern and/or non EU)

Middle East

North America

Oceania

South America

The Caribbean

European Union (please specify)

Moving to Cloud Computing: expect benefits and challenges to face

2

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 60

1678

7. How high are your expectations on potential Cloud Computing benefits?

None Low Medium High Very high

Reduction of infrastructure investments (CAPEX)

Reduction of operational costs (OPEX)

Faster Time-to-Market

Faster Return on Investment

Improved compliance with regulation

Improved business agility

Increased focus on the core mission of our

organization

Reduced need for ICT expertise

Reduced risk from own ICT operations

Support for organizational growth

Green ICT

8. If there are other benefits highly expected by your organization, please specify

We would now like to understand which risks you see associated with Cloud Computing from two angles. On the one hand, there

are challenges that your organization is facing before considering a migration to Cloud Computing and associated actions to be

undertaken upfront. On the other hand, Cloud Computing itself may be mature enough or not depending on the expectations of

your organization.

9. Maturity of your organization: how critical are the following challenges?

Not critical Somehow critical Critical Very critical

Lack of experience in Cloud Computing

Lack of external Cloud Computing skills

Organizational resistance to change

Current legacy investments

Compatibility with in-house systems

Security

Privacy and integrity

Legal issues, laws, regulations

10. If there are other critical challenges to your organization, please specify

3

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 61

1679

11. Maturity of Cloud Computing: how critical are the following issues for your organization?

Not critical Somehow critical Critical Very critical

Performance and efficiency

Lack of standards and standard APIs

Lack of Open Source solutions

Portability across vendor solutions

Interoperability across vendor solutions

Security

Privacy and integrity

Service Level Agreement

Governance

Auditability

Resiliency

Vendor or data lock-in

12. If there are other critical issues with Cloud Computing, please specify

* 13. Has your organization started to adopt Cloud Computing?

No Somehow Yes

If your answer is "No", the section on adoption of Cloud Computing will be skipped.

Please describe your Cloud Computing adoption strategy and your role.

Adoption of Cloud Computing in your organization

14. Scope of your Cloud Computing usage in the near term

Migration of supporting business processes

Migration of core business systems (legacy)

Cloud Computing as the platform for your ICT resources

Other (please specify)

15. Stage of Cloud Computing Adoption

Consider adoption in the near future

On-going pilot experiment(s)

On-going deployment of solutions

Solutions already deployed on the Cloud

Entire ICT on the Cloud

4

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 62

1680

16. Role of your organization in Cloud Computing

Cloud Service Customer

Cloud Service Provider

Cloud Service Developer

Cloud Service Broker

Cloud Auditor

Other (please specify)

17. Level of your resources and support to Cloud Computing

No specific resources

Adequate support from the IT team

Dedicated Cloud support team

Other (please specify)

Some typical aspects need to be considered and some conditions must be met in order to make

the transition to the Cloud in a secure and reliable way. We are going to address some of them

below.

Cloud Computing adoption: preparing your organization

18. Data Categorization in your organization

None Started On-going Done Unknown

Data Categorization describes data on the basis of how it is transferred, processed and used. Examples of Data Categories are

customer data/content, derived data, cloud service provider data and account data. Please indicate above where you currently are

in this process.

19. Data Classification in your organization

None Started On-going Done Unknown

Data Classification typically refers to a way to specify how the information can be shared, from “openly” to “non-disclosed”

(secret). Examples of Data Classification taxonomies are: “Public, Internal Use, Confidential and Regulatory Handling”. Data

Protection levels are associated with examples such as "Ranging from 0 (unrestricted use) to 3 (extreme confidentiality)". They

require measures in order to enforce the levels, such as encryption, limited distribution, etc. Please indicate above where you

currently are in this process.

20. Data Security in your organization

Low Medium High Unknown

In order to move securely to the Cloud, many different aspects of Data Security such as information security, information integrity,

access and identity management, contingency, and Personally Identifiable Information (PII) have to be addressed and should be

well defined and understood. Please state above your organization’s level of control and awareness in the data security domain.

5

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 63

1681

21. Business Processes identification, description and alignment in your organization

Low Medium High Unknown

In order to ensure a transition to the Cloud based on the needs of the organization, it is considered as best practice that the core

and supporting processes of the organization be clearly defined and supported, where relevant, by ICT solutions. Well controlled

processes make the transition easier and allow the organization to move to the Cloud on the basis of prioritized transition plans.

Please state above your organization’s level of business process situation in terms of identification, description and alignment.

22. Service Oriented Architecture in your organization

None Started On-going Done Unknown

Architectures based on loosely coupled services, Service Oriented Architectures (SOA), facilitate the migration to the Cloud.

Systems based on SOA may be progressively transitioned to the Cloud, based on priorities and any policies in terms of data

distribution or security in place. Please state above your organization’s level of service orientation .

23. Software Licences in your organization

Not needed (e.g. no commercial software used)

On-going negotiation

Negotiation completed successfully

Not feasible (e.g. too expensive)

Unknown

If your company is working with commercial software, it has typically acquired software licenses that allow using this software on-

site. When there is a plan to use this software in the Cloud, your company usually has to negotiate with the independent software

vendor about using licenses for running the software in the Cloud. Please indicate above where you currently are in this process .

24. Ensuring Software Suitability in your organization

Not needed (e.g; Software already runs in a virtualized environment)

On-going evaluation

Evaluation and necessary modifications completed successfully

Not feasible (e.g. no appropriate environment available, porting too expensive)

Unknown

If you plan to use software in the Cloud that you used on-site until now, additional efforts (besides resolving software licensing

issues) might be needed. Examples of required efforts are: checking whether the software can be run in the VMs of the Cloud;

adapting the software if needed to make use of the selected Cloud platform’s features; investigating how to distribute the software

across serveral VMs to maintain or increase performance; evaluating whether all prerequisites for the operation are in place,

etc. Please indicate above where you currently are in this process.

We would would like to understand which Deployment models and which Service categories are of

major interest to your organization.

Cloud Computing: Deployment models and Service categories

6

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 64

1682

25. Which Cloud deployment model seems best fit to your needs?

On-premises Private Cloud

Off-premises Private Cloud

Community Cloud

Public Cloud

Hybrid Cloud

Other (please specify)

26. Cloud Service Category: IaaS (Infrastructure as a Service)

E-Delivery

High Availability in the event of a disaster or a large-scale

failure

Internet of Things

Peak Load Management including Cloud bursting across

multiple clouds

None or Other (please specify)

27. Cloud Service Category: PaaS (Platform as a Service)

Internet of Things Software Development

None or Other (please specify)

28. Cloud Service Category: SaaS (Software as a Service)

General data storage

Customer Relationship Management (CRM)

Enterprise Resource Planning (ERP)

E-Invoicing

E-Business

Profiling (Social media, web presence)

Human Resources

Business Intelligence

Internet of Things

Open Data

Project Management

Software Development

Supply Chain Management

Process sensitive data, including Personally Identifiable

Information (PII)

None or Other (please specify)

* 29. Do you have interest in the emerging categories: CaaS, CompaaS, NaaS, DSaaS?

Yes No

If you answer "No", those categories will be skipped.

To specify your categories (and examples of instantiations in each category) of interest

Emerging Cloud Service Categories

7

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 65

1683

30. Cloud Service Category: CaaS (Communication as a Service)

VoIP Teleconferencing

None or Other (please specify)

31. Cloud Service Category: CompaaS (Computing as a Service)

Forecasting

Modeling

Simulation

None or Other (please specify)

32. Cloud Service Category: NaaS (Network as a Service)

Internet of Things

None or Other (please specify)

33. Cloud Service Category: DSaaS (Storage as a Service)

Big Data Back-up

None or Other (please specify)

Your high-level view on Cloud Computing standards, good and/or bad.

Cloud Computing and Standards

34. Which impact can Cloud Computing Standards have on your organization's concerns?

None Low Medium High

Do not

know

Performance and efficiency

Lack of Open Source solutions

Portability across vendor solutions

Interoperability across vendor solutions

Security

Privacy and integrity

Service Level Agreement

Governance

Auditability

Resiliency

Vendor or data lock-in

8

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 66

1684

35. To which degree are Cloud Computing Standards considered or used in your organization?

Standards are used

Standards are considered

Standards are not well known

Standards will require too much effort

Standards will have little impact on business

Unaware of Cloud Computing standards

Other (please specify)

* 36. Are you willing/able to give feedback in detail on Cloud Computing Standards?

Yes No

If you answer "No", the section related to the evaluation of standards will be skipped.

Here, we would like to evaluate your perception of standards gaps and to measure the notoriety of

some major Cloud Computing standards.

Cloud Computing Standards: a detailed view

37. In which domain have you been confronted with the lack of Cloud Computing standards?

Security

Service Level Agreement

Data protection

Interoperability

Portability

Management

Identity Management

Application Programming Interfaces (API)

None or Other (please specify)

38. Your organization's adoption and use of CC standards: General purpose

No knowledge

Under

evaluation Well known

Used &

referenced

ITU-T Y.3500 | ISO/IEC 17788: Cloud Computing – Overview

and vocabulary

ITU-T Y.3502 | ISO/IEC 17789: Cloud computing reference

architecture

ITU-T Y.3501: Cloud Computing Framework and High-level

Requirements

ITU-T Y.3510: Cloud Computing Infrastructure requirements

ITU-T Y.3520: Cloud computing framework for end-to-end

resource management

ISO/IEC 20000-1: Service management system requirements

TIA ANSI/TIA-942-A: Telecommunications Infrastructure

Standards for Data Centers

9

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 67

1685

39. Your organization's adoption and use of CC standards: Security

No knowledge

Under

evaluation Well known

Used &

referenced

ISO/IEC 27001: Information security management systems –

Requirements

ISO/IEC 27002: Code of practice for information security

controls

ISO/IEC 27017: Guidelines on Information security controls for

the use of cloud computing services

ITU-T X.1601: Security framework for cloud computing

CSA CCM 3.0: Cloud Control Matrix (Specification)

CSA CTP: Cloud Trust Protocol (Specification)

CSA A6: Cloud Audit (Specification)

CSA PLA: Privacy Level Agreement (Specification)

CSA TCI Reference Architecture: Trusted Cloud Initiative

(Specification)

CSA OCF: Open Certification Framework (Specification)

40. Your organization's adoption and use of CC standards: Data protection

No knowledge

Under

evaluation Well known

Used &

referenced

ISO/IEC 27018: Code of practice for protection of personally

identifiable information (PII) in public clouds acting as PII

processors

41. Your organization's adoption and use of CC standards: Management

No knowledge

Under

evaluation Well known

Used &

referenced

DMTF DSP0263: Cloud Infrastructure Management Interface

(CIMI) Model and REST Interface over HTTP Specification

ISO/IEC 19831: Cloud Infrastructure Management Interface

DMTF DSP0264: Cloud Infrastructure Management Interface -

Common Information Model (CIMI-CIM)

SNIA CDMI: Cloud Data Management Interface

ISO/IEC 17826: Cloud Data Management Interface

ISO 19099: Virtualization Management

OGF GFD.183: Open Cloud Computing Interface - Core

(Specification)

OGF GFD.184: Open Cloud Computing Interface - Infrastructure

(Specification)

OGF GFD.185: Open Cloud Computing Interface - RESTful

HTTP Rendering (Specification)

10

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 68

16861687

42. Your organization's adoption and use of CC standards: Service Level Agreement No knowledgeUnderevaluationWell knownUsed &referencedTMF TR178v2: Enabling End-to-End Cloud SLA ManagementOGF GFD.192: Web Services Agreement (WS-Agreement)OGF GFD.193: WS-Agreement Negotiation (Specification)QuEST Forum TL9000: TL 9000 Measurements Handbook43. Your organization's adoption and use of CC standards: Portability No knowledgeUnderevaluationWell knownUsed &referencedDMTF DSP0243: Open Virtualization Format Specification V2ISO/IEC 17203: Open Virtualization Format SpecificationOASIS TOSCA: Topology and Orchestration Specification forCloud ApplicationsOASIS CAMP: Cloud Application Management for Platforms44. Your organization's adoption and use of CC standards: Multi-cloud, Cloud federation No knowledgeUnderevaluationWell knownUsed &referencedITU-T Y.3511: Framework of Inter- cloud computing45. Your organization's adoption and use of CC standards: Application No knowledgeUnderevaluationWell knownUsed &referencedITU-T Y.3503: Requirements for desktop as a service46. Any other standard not listed here that your organization knows about and is considering (one ormore)?Checking your intentions regarding certification and how standards can support them.Cloud Computing Certification StandardsCertification is a way to indicate to customers that a company follows certain rules and processes (defined in the context ofcertification) and consequently to disburden them from regularly checking the certified company.Cloud Customers are encouraged - or even obliged by national law in some European countries - to verify the reliability of a (Cloud)provider before signing a contract. Cloud Computing Certification Standards may appear helpful as decision support, specifically asfar as the Certification scope covers the main areas of interests and is fully transparent.11

42. Your organization's adoption and use of CC standards: Service Level Agreement

No knowledge

Under

evaluation Well known

Used &

referenced

TMF TR178v2: Enabling End-to-End Cloud SLA Management

OGF GFD.192: Web Services Agreement (WS-Agreement)

OGF GFD.193: WS-Agreement Negotiation (Specification)

QuEST Forum TL9000: TL 9000 Measurements Handbook

43. Your organization's adoption and use of CC standards: Portability

No knowledge

Under

evaluation Well known

Used &

referenced

DMTF DSP0243: Open Virtualization Format Specification V2

ISO/IEC 17203: Open Virtualization Format Specification

OASIS TOSCA: Topology and Orchestration Specification for

Cloud Applications

OASIS CAMP: Cloud Application Management for Platforms

44. Your organization's adoption and use of CC standards: Multi-cloud, Cloud federation

No knowledge

Under

evaluation Well known

Used &

referenced

ITU-T Y.3511: Framework of Inter- cloud computing

45. Your organization's adoption and use of CC standards: Application

No knowledge

Under

evaluation Well known

Used &

referenced

ITU-T Y.3503: Requirements for desktop as a service

46. Any other standard not listed here that your organization knows about and is considering (one or

more)?

Checking your intentions regarding certification and how standards can support them.

Cloud Computing Certification Standards

Certification is a way to indicate to customers that a company follows certain rules and processes (defined in the context of

certification) and consequently to disburden them from regularly checking the certified company.

Cloud Customers are encouraged - or even obliged by national law in some European countries - to verify the reliability of a (Cloud)

provider before signing a contract. Cloud Computing Certification Standards may appear helpful as decision support, specifically as

far as the Certification scope covers the main areas of interests and is fully transparent.

11

47. Would you consider Cloud Certification as a possibility to improve confidence in Cloud?YesNo48. Please rank the following Cloud Certification areas according their importance: Less importantImportantVery importantCompliance / legal aspectsContract and Service Level AgreementData SecurityData PrivacyData storage locationCloud Datacenter infrastructureCloud Provisioning ProcessesInteroperability/ReversibilityData PortabilityBackup/RecoveryIdentity and Access ManagementFinancial health of the Cloud providers involved in the service provision49. Which further areas would you consider as relevant for a Cloud Certification?50. Can you rate the importance of the following types of certification for your organization? ExcellentGoodNeutralAcceptablePoorCloud Provider Certification (per Cloud provider)Cloud Service Certification (per Cloud service, covering allaspects/partners involved in its provision)Self CertificationCertification by accredited auditorsCertification Standard reflecting European requirements(legal/contractual aspects)Certification Standard reflecting Global requirementsUnique certification scope (one fits all)Graded certification scopes (affordable for SME based Cloudproviders)12

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 69

16881689

47. Would you consider Cloud Certification as a possibility to improve confidence in Cloud?

Yes No

48. Please rank the following Cloud Certification areas according their importance:

Less important Important Very important

Compliance / legal aspects

Contract and Service Level Agreement

Data Security

Data Privacy

Data storage location

Cloud Datacenter infrastructure

Cloud Provisioning Processes

Interoperability/Reversibility

Data Portability

Backup/Recovery

Identity and Access Management

Financial health of the Cloud providers involved in the service provision

49. Which further areas would you consider as relevant for a Cloud Certification?

50. Can you rate the importance of the following types of certification for your organization?

Excellent Good Neutral Acceptable Poor

Cloud Provider Certification (per Cloud provider)

Cloud Service Certification (per Cloud service, covering all

aspects/partners involved in its provision)

Self Certification

Certification by accredited auditors

Certification Standard reflecting European requirements

(legal/contractual aspects)

Certification Standard reflecting Global requirements

Unique certification scope (one fits all)

Graded certification scopes (affordable for SME based Cloud

providers)

12

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 70

16901691

Cloud Provider Certification:

Certification of individual enterprises, who are providing - one or several cloud services - to the market.

Cloud Service Certification:

Certification of individual cloud services and across all partners involved in the service provisioning process.

Self Certification:

Certification Process conducted by the cloud service provider himself.

Certification by accredited auditors:

Certification Process conducted by independent and accredited auditors.

Certification Standards reflecting European requirements:

The Certification Scope covers Cloud Security & Privacy, operational and contractual aspects in reference to legal European

requirements.

Certification Standards reflecting Global requirements:

The Certification Scope covers Cloud Security & Privacy aspects in reference to Global requirements.

Unique Certification Scope:

A defined Certification Scope for all types of Cloud Services or Cloud Providers (see above).

Graded Certification Scope:

A set of graduated certifications reflecting different quality levels to allow certification also for medium-sized cloud providers.

51. Are you aware of the Cloud Certification Schemes List (CCSL)?

Yes No

ENISA (the European Union Agency for Network and Information Security) has defined CCSL, the Cloud Certification Schemes

List (see https://resilience.enisa.europa.eu/cloud-computing-certification)

52. Which of the following Cloud Certification Schemes listed in CCSL are you are aware of?

Certified Cloud Service TÜV Rheinland

CSA Attestation – OCF Level 2

CSA Certification – OCF Level 2

CSA Self Assessment – OCF Level 1

Eurocloud Self Assessment

Eurocloud Star Audit Certification

ISO/IEC 27001 Certification

Payment Card Industry Data Security Standard v3

Leet Security Rating Guide

AICPA Service Organization Control (SOC) 1

AICPA Service Organization Control (SOC) 2

AICPA Service Organization Control (SOC) 3

53. As a Cloud Customer, do you plan to include one of these Certifications in your Cloud Purchasing

processes?

Yes No

54. If not, what are the main reasons?

55. As a Cloud Provider, do you plan to certify your Cloud service offering?

Yes No

56. If not, what are the main reasons?

13

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 71

16921693

1694

This is the last page of the survey. We finally would like some (anonymous) information on you.

Information on the person replying to this survey

57. What is your role in your organization?

58. What is your experience in Cloud Computing? (length, expertise, etc.)

Many thanks for the time you have spent with this survey.

If you want to receive the results,

you can visit our site after June 15th at: http://csc.etsi.org/CSC2_survey

or

59. You can also leave us your email:

14

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 72

1695

ETSI

ETSI SR 003 381 V2.0.0 (2015-11) 73

1696

Annex D: Change History 1697

1698Date Version Information about changes

June2015 1.0.0 FirstpublicationoftheSRforcomments

November2015 2.0.0

Finalpublicationbasedonthechangesprovidedby:-CommentsfromtheNTECHTechnicalCommitteereview-Commentsfromthepublicreviewgatheredonhttp://csc.etsi.org-AdditionalchangesproposedduringthefinalreviewworkshoponOctober1-2

1699

1700

History 1701

Documenthistory

V0.9.0 15/06/2015 DraftforSTFreview.IncorporatesallthecontentalreadydevelopedwithintheSTFintotheappropriatetemplate.

V0.9.3 15/06/2015 Statusofdocumentafterthereviewmeeting

V0.9.5 22/06/2015 Statusofthedocumentbeforethe22/06/2015reviewmeeting

V0.9.6 23/06/2015 Statusofthedocumentbeforethe24/06/2015finalreviewmeeting

V0.9.99 24/06/2015 Statusofthedocumentafterthe24/06/2015finalreviewmeeting,forfinal"sanitycheck"

V1.0.1 4/10/2015 Introductionofagreeduponcommentsafterreviewworkshop

V1.9.0 13/10/2015 AdditionalchangesandcleaningbeforereviewbytheSTFteam

V1.9.1 15/10/2025 Changesafterinclusionofthefinalsurveyresults

V1.9.8 15/10/2015 For"sanitycheck"(nofurthercommentsallowed)bythereviewersandtheSTFteam

V1.9.9 11/11/2015 Lastversionbeforepublicationincludingthechangesafterthe"sanitycheck"andafinaleditorialproofreading.

1702 1703