Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
ETSI SR 003 381 V2.0.0 (2015-11)
Cloud Computing Users Needs
Analysis, conclusions and recommendations from a public survey by
Cloud Standards Coordination Phase 2
CAUTION: This document is provided for information and is for approval within the ETSI Technical Committee NTECH only.
ETSI and its Members accept no liability for any further use/implementation of this Special Report.
Approved and published specifications and reports shall be obtained exclusively via the ETSI Documentation Service at
http://pda.etsi.org/pda/queryform.asp
<
SPECIAL REPORT
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 2
0
1
ReferenceDSR/NTECH-00030
Keywordscertification, cloud, Cloud Computing, standards,
users
ETSI
650 Route des Lucioles F-06921 Sophia Antipolis Cedex – FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 – NAF 742 C
Association à but non lucratif enregistrée à la Sous-préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from: http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2015.
All rights reserved.
DECTTM, PLUGTESTSTM, UMTSTM and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners. GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 3
2
Contents 3
4
Intel lectual Property Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 5
Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 6
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 7
- Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 8
2 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 92.1 Normativereferences..............................................................................................................................6102.2 Informativereferences............................................................................................................................611
3 Definit ions, symbols and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 123.1 Abbreviations...........................................................................................................................................713
4 The rationale for the survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 144.1 Surveygoalsandobjectives.....................................................................................................................8154.2 Contentofthereport..............................................................................................................................816
5 Survey presentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 175.1 Surveygoalandstructure........................................................................................................................9185.2 Surveymethodology&maintargetareas...............................................................................................9195.3 Surveydistribution..................................................................................................................................9205.4 Surveyachievementsandlimitations....................................................................................................10215.5 Otherlessonslearned............................................................................................................................1022
6 Survey analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 236.1 Significantfindings.................................................................................................................................10246.2 Trendsandpatterns..............................................................................................................................12256.3 Detailedfindings....................................................................................................................................12266.3.1 AdoptionofCloudComputing.........................................................................................................12276.3.2 Interoperability................................................................................................................................14286.3.3 Security–PrivacyandIntegrity.......................................................................................................14296.3.4 Standards........................................................................................................................................16306.3.5 Certification.....................................................................................................................................1731
6.4 ImpactonotherCloudStandardsCoordinationPhase2reports...........................................................19326.5 Relationshiptootheractivities..............................................................................................................2033
7 Conclusions and recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 34
8 Areas for further study . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 35
Annex A: Survey Responses and Charts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 36A.1 Presentationofresults..........................................................................................................................2437A.2 Backgroundinformation.......................................................................................................................2438A.3 Generalpurposeinformation...............................................................................................................2539A.4 MovingtoCloudComputing:expectedbenefitsandchallengestoface.............................................2740A.5 AdoptionofCloudComputinginyourorganization.............................................................................3041A.6 CloudComputingadoption:preparingyourorganization....................................................................3242A.7 CloudComputing:DeploymentmodelsandServicecategories...........................................................3743
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 4
A.8 EmergingCloudServiceCategories......................................................................................................3944A.9 CloudComputingandStandards..........................................................................................................4145A.10 CloudComputingStandards:adetailedview....................................................................................4346A.11 CloudComputingCertificationStandards..........................................................................................4847A.12 Informationonthepersonreplyingtothesurvey.............................................................................5348
Annex B: List of the survey distribution channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 49
Annex C: Full text of the survey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 50
Annex D: Change History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 51
History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 5253
Figures 54
55FIGURE1-EXPECTATIONSONPOTENTIALCLOUDCOMPUTINGBENEFITS(QUESTION7)......................................................................1356FIGURE2-MATURITYOFCLOUDCOMPUTING:CRITICALISSUES(QUESTION11)...............................................................................1457FIGURE3-MATURITYOFYOURORGANIZATION:CRITICALCHALLENGES(QUESTION9)........................................................................1558FIGURE4-CLOUDCOMPUTINGSTANDARDSIMPACTONORGANIZATIONCONCERNS(QUESTION34).....................................................1659FIGURE5-TOWHICHDEGREEARECLOUDCOMPUTINGSTANDARDSCONSIDEREDORUSED(QUESTION35)...........................................1760FIGURE6-ADOPTIONANDUSEOFCCSTANDARDS:DATAPROTECTION(QUESTION40).....................................................................1761FIGURE7–ISCLOUDCERTIFICATIONAPOSSIBILITYTOIMPROVECONFIDENCEINCLOUD(QUESTION47)...............................................1862FIGURE8-RANKINGCLOUDCERTIFICATIONAREASACCORDINGTOTHEIRIMPORTANCE(QUESTION48)................................................1863FIGURE9-AWARENESSOFCCSL,THECLOUDCERTIFICATIONSCHEMESLIST(QUESTION51)..............................................................1964FIGURE10–AWARENESSOFSOMECLOUDCERTIFICATIONSCHEMESLISTEDINCCSL(QUESTION52)..................................................1965FIGURE11–ASUMMARYOFCLOUDUSERSCONCERNS................................................................................................................2166FIGURE12-USEOFCLOUDCOMPUTINGINENTERPRISESINEUROPE(SOURCE:EUROSTAT).................................................................226768
69
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 5
Intellectual Property Rights 70
IPRsessentialorpotentiallyessentialtothepresentdocumentmayhavebeendeclaredtoETSI.Theinformation71pertainingtotheseessentialIPRs,ifany,ispubliclyavailableforETSImembersandnon-members,andcanbefound72inETSISR000314:"IntellectualPropertyRights(IPRs);Essential,orpotentiallyEssential,IPRsnotifiedtoETSIin73respectofETSIstandards",whichisavailablefromtheETSISecretariat.LatestupdatesareavailableontheETSIWeb74server(http://ipr.etsi.org).7576PursuanttotheETSIIPRPolicy,noinvestigation,includingIPRsearches,hasbeencarriedoutbyETSI.Noguarantee77canbegivenastotheexistenceofotherIPRsnotreferencedinETSISR000314(ortheupdatesontheETSIWeb78server)whichare,ormaybe,ormaybecome,essentialtothepresentdocument.79
Foreword 80
ThisSpecialReport(SR)hasbeenproducedbyETSISpecialistTaskForce486"CloudStandardsCoordinationPhase2"81astheresultofWorkItemNTECH(15)000006"STF486WIonIdentificationofCloudComputinguserneeds".82InthispresentRelease,itisproposedtotheNTECHTechnicalCommitteeforinternalreviewandtotheCloud83StandardsCoordinationwebsite(http://csc.etsi.org)forpubliccomments.8485ThepresentreportisoneoffourspecialreportsthatformtheoutputofSTF486:86
WP1: ETSISR003381:"CloudComputingUsersNeeds";87WP2: ETSISR003382:"CloudComputingStandardsandOpenSource";88WP3: ETSISR003391:"InteroperabilityandSecurityinCloudComputing";89WP4 ETSISR003392:"CloudComputingStandardsMaturityAssessment".9091
ThepresentreportwasthefirstoneproducedbySTF486andwasusedasbaseforthedevelopmentoftheother92threereports.9394InthispresentRelease,itisproposedtotheNTECHTechnicalCommitteeforapprovalandforpublicationoftheCloud95StandardsCoordinationwebsite(http://csc.etsi.org).9697
Introduction 98
CloudComputingisincreasinglyusedastheplatformforICTinfrastructureprovisioning,application/systems99developmentandendusersupportofawiderangeofcoreservicesandapplicationsforbusinessesandorganizations.100101CloudComputingisdrasticallychangingthewayICTisdeliveredandused.However,manychallengesremaintobe102tackled.Concernssuchassecurity,vendorlock-in,interoperabilityandaccessibility,servicelevelagreementsmore103orientedtowardsusersareexamplesofissuesthatneedtobeaddressed.Thesurveydiscussedinthepresentreport104aimsatcollectinginformationontherespondents'awarenessofthoseconcerns.105106StandardsandcertificationprogramsplayanimportantroleintermsofincreasingthemarketconfidenceinCloud107Computing.ThepromotionofCloudComputingstandardsandcertificationschemesthataddresscurrentconcernsis108necessaryinordertoensurethatbothcustomers/usersaswellasproviderswillregardCloudComputingwiththe109samelevelofreliability,trustandmaturityastraditionalICT.110111InFebruary2015,theCloudStandardsCoordinationPhase2(CSC-2)waslaunchedbyETSItoaddressissuesleftopen112aftertheinitialCloudStandardsCoordinationworkwascompletedattheendof2013.CloudStandardsCoordination113Phase2isinvestigatingsomespecificaspectsoftheCloudComputingstandardizationlandscape,inparticularfrom114thepointofviewoftheCloudComputingusers(e.g.,SMEs,Administrations).Itwillalsogenerateanewsnapshot115regardingthestateofstandardsandinvestigatetheinteractionandrelationbetweenstandardizationandopen116sourcebasedsoftwareandsolutions.117118ThepresentreportpresentstheresultsofthewebsurveyconductedinApril–September2015.119120 121
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 6
122
- Scope 123
InFebruary2015,theCloudStandardsCoordinationPhase2(CSC-2)waslaunchedbyETSItoaddressissuesleftopen124aftertheinitialCloudStandardsCoordinationworkwascompletedattheendof2013.CloudStandardsCoordination125Phase2isinvestigatingsomespecificaspectsoftheCloudComputingstandardizationlandscape,inparticularfrom126thepointofviewoftheCloudComputingusers(e.g.,SMEs,Administrations).Itwillalsogenerateanewsnapshot127regardingthestateofstandardsandinvestigatetheinteractionandrelationbetweenstandardizationandopen128sourcebasedsoftwareandsolutions.129130ThepresentreportpresentstheresultsofthewebsurveyconductedinApril–September2015.131132
2 References 133
2.1 Normative references 134
Thefollowingreferenceddocumentsarenecessaryfortheapplicationofthepresentdocument.135Notapplicable.136
2.2 Informative references 137
Referencesareeitherspecific(identifiedbydateofpublicationand/oreditionnumberorversionnumber)or138non-specific.Forspecificreferences,onlythecitedversionapplies.Fornon-specificreferences,thelatestversionof139thereferenceddocument(includinganyamendments)applies.140
NOTE: Whileanyhyperlinksincludedinthisclausewerevalidatthetimeofpublication,ETSIcannotguarantee141theirlongtermvalidity.142
143Thefollowingreferenceddocumentsarenotnecessaryfortheapplicationofthepresentdocumentbuttheyassistthe144userwithregardtoaparticularsubjectarea.145
[i.1] ITU-TY.3500,"Informationtechnology–Cloudcomputing–Overviewandvocabulary".146Sameas[i.5]147
[i.2] Gartner,G00271282“BudgetingfortheSaaSSecurityGap”,January28,2015.148[i.3] Skyhigh,“CloudAdoption&RiskReport",Q12015.149[i.4] StatisticalClassificationofEconomicActivitiesintheEuropeanCommunity,Rev.2(2008),see:150
http://ec.europa.eu/eurostat/ramon/nomenclatures/index.cfm?TargetUrl=LST_NOM_DTL&StrNom=NA151CE_REV2152
[i.5] ISO/IEC17788:"Informationtechnology—Cloudcomputing—Overviewandvocabulary".153[i.6] ISO/IEC17789:"Informationtechnology—Cloudcomputing—Referencearchitecture".154[i.7] ITU-TY.3502:"Informationtechnology—Cloudcomputing—Referencearchitecture".155
Sameas[i.6]156[i.8] ISO/IEC27001:"Informationtechnology—Securitytechniques—Informationsecuritymanagement157
systems—Requirements".158[i.9] ISO/IEC19086:"Informationtechnology–Cloudcomputing–Servicelevelagreement(SLA)framework159
andtechnologyPart1:Overviewandconcepts"160[i.10] ISO/IEC19941:"CloudComputingInteroperability&Portability"161[i.11] ISO/IEC27018"Informationtechnology–Securitytechniques–Codeofpracticeforprotectionof162
personallyidentifiableinformation(PII)inpubliccloudsactingasPIIprocessors"163[i.12] ETSISR003382:"CloudComputingStandardsandOpenSource"164[i.13] ETSISR003391:"InteroperabilityandSecurityinCloudComputing"165[i.14] ETSISR003392:"CloudComputingStandardsMaturityAssessment"166167
168
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 7
3 Definitions, symbols and abbreviations 169
3.1 Abbreviations 170
Forthepurposesofthepresentdocument,the[following]abbreviations[givenin...andthefollowing]apply:171AICPA AmericanInstituteofCertifiedPublicAccountants172CaaS CommunicationsasaService173CAPEX CAPitalExpenditures174CC CloudComputing175CCSL CloudCertificationSchemesList176CEF ConnectingEuropeFacility177CompaaS ComputeasaService 178CRM CustomerRelationshipManagement 179CSA CloudSecurityAlliance 180CSC CloudServiceCustomer181CSC-1 CloudStandardsCoordinationPhase1182CSC-2 CloudStandardsCoordinationPhase2183DsaaS DataStorageasaService 184ENISA EuropeanUnionAgencyforNetworkandInformationSecurity 185ERP EnterpriseResourcePlanning 186HR HumanResources 187IaaS InfrastructureasaService 188ICT InformationandCommunicationsTechnology189IEC InternationalElectrotechnicalCommission 190ISO InternationalOrganizationforStandardization 191ITU InternationalTelecommunicationUnion 192ITU-T ITUTelecommunicationStandardizationSector 193NaaS NetworkasaService194NIST NationalInstituteofScienceandTechnology 195OCF OpenCertificationFramework 196PaaS PlatformasaService 197SaaS SoftwareasaService 198SDO StandardsDevelopmentOrganization199SLA ServiceLevelAgreement200SME SmallorMediumEnterprise201SOA ServiceOrientedArchitecture 202SSO StandardsSettingOrganization203STF SpecialistTaskForce(anETSIstructureforinternalprojects)204205
206
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 8
4 The rationale for the survey 207
4.1 Survey goals and objectives 208
TheCloudStandardsCoordinationproject(CSC)209210Cloud Standards Coordination Phase1 (CSC-1) took place in 2013 as a community effort supported by ETSI and211primarilyaddressedtheCloudComputingstandardsroadmap.InDecember2013theresultswerepubliclypresented212inaworkshoporganizedbytheEuropeanCommission(EC),theCSC-1FinalReportbeingavailableat:213
http://ec.europa.eu/digital-agenda/en/news/cloud-standards-coordination-final-report214215Thereportprovidedamaturityassessment"snapshot"ontheCloudComputingstandardizationlandscapeattheend216of 2013. Important gaps in the Cloud Computing standards landscape were identified such as in the domains of217interoperability,security,privacy,servicelevelagreementandregulation,legalandgovernanceaspects.218219CloudStandardsCoordinationPhase2220221GiventhedynamicsoftheCloudComputingmarketandstandardization,CloudStandardsCoordinationPhase2(CSC-2222)waslaunchedinFebruary2015withtheobjectiveofproducinganupdatedversionofthe"snapshot"oftheCloud223Computingstandardizationlandscape.224225ThemaininvolvedstakeholdersforthepreparationoftheCSC-1snapshotwerefromtheCloudComputingindustry,in226particularCloudComputingproviders.Ontheotherhand,CSC-2aimstobettertakeintoaccounttheneedsofCloud227ComputingcustomersontheirCloudrelatedrequirementsandpriorities.ThishashelpedCSC-2tofurtherassessthe228maturity of Cloud Computing standards and evaluate how standards can support the Cloud Computing customers’229priorities.230231CloudStandardsCoordinationPhase2survey232233Tosupporttheseobjectives,CSC-2hascreatedasurveyforcollectingfeedbackfromtheCloudComputingcommunity234in terms of needs, benefits, challenges and areas of concerns regarding the adoption of Cloud Computing. The235outcome of the survey will be the primary material for evaluating the perceived maturity of Cloud Computing236standards.The resultswill alsohelp tounderstand the interestand requirementsofCloudComputingstakeholders237regardingcertification.238239ThesurveyisthereforetargetingcurrentandfutureCloudCustomersintheprivateandpublicsectors,SMEsaswellas240largeorganizationsinallverticalsectors.OtherstakeholdersfromtheentireCloudComputingeco-system(e.g.Cloud241Computingproviders)werealsoinvitedtoanswer.242
4.2 Content of the report 243
Section5ofthisreportpresentsthecontentofthesurvey,themethodologyusedforitspreparationanddistribution,244informationaboutthecollectedfeedbackaswellaslessonslearntthroughtheexecutionofthesurvey.245246Section 6 provides details resulting from the analysis of the collected survey feedback allowing to understand the247needs of the Cloud Computing community on amore granular scale and to derivemain trends and patterns as a248result.249250Section7highlightsconclusionsandrecommendationsfromthesurvey.Thisincludesanidentificationofthecloud251stakeholders'highestprioritiesleadingtopossiblerefinementsoftheCSCPhase1reportconclusions.252253Section8suggestssomeareasforfurtherwork.254255AnnexAcontainsadetailedpresentationofthesurveyresults,includingchartsandtables.256257AnnexBliststhechannelsthroughwhichthesurveyhasbeendistributed.258259
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 9
AnnexCshowsthesurveyasithasbeenproposedontheCSCwebsite(athttp://csc.etsi.org).260261
5 Survey presentation 262
5.1 Survey goal and structure 263
Tocreatethebasisfortheanalysis,asurveyhasbeendesignedandconductedfromApriltoSeptember2015.Even264thoughthesurveyistargetingaspecificsetofusers(SMEs,etc.),itisalsousingtheinputfromlargeractors.The265surveyhasalsobeendistributedtoasmanyindustrysectorsaspossible,inordertoidentifyanyindustryspecific266aspectsandconcernsthatmightexist.267268Thesurveycomprises59questionsgroupedin14pagesstretchingfromgeneralquestionsregardingtherespondent’s269companyandCloudComputingexperience,throughincreasinglyspecializedquestionsregardingCloudComputing270standards,toafinalblockofquestionsregardingcertification.Takingtheentiresurveywouldapproximatelyrequire27120-30minutes.Apartfromanumberofcorequestionsformostquestionsanswerswerenotmandatory.The272individualanswersaretreatedconfidentiallyandonlyaggregatedresultswillbepublished.273274PerSeptember25th2015,attheclosureofthewebsurvey,376respondentshavecompletedit.275276
5.2 Survey methodology & main target areas 277
Thesurveycollectsresponsestoquestionssuchas:278• Whatarethetypicalusecasesthatuserswanttoimplementintheshorttomediumterm;279• WhataretheirexpectationsandperceivedconcernsthatlimitstheadoptionofCloudComputing;280• WhataretheassetsandpossibleinvestmentsmadeinCloudComputing;281• Howaretheygoingtodealwithexistinginvestments(legacy);282• WhichrolearetheyexpectingtoplayintheCloudComputingvaluechain;283• TowhichextentindividualCloudComputingstandardsareknownandhavealreadybeenused;284• Whatsupportfromstandardsaretheyexpecting;285• Whatisthesignificanceofcertificationschemesandwhatistheintendeduse.286
287
5.3 Survey distribution 288
ThemaintargetgroupforthesurveyisendusersinSMEsintheprivatesector,butanypotentialandexistingcloud289customeriswelcometocompletethesurvey.290291ThesurveywaslaunchedonMarch30th,2015.Adistributionletterhasbeenmadeavailabletoallorganizationsthat292werewillingandabletouseitforpromotingthesurvey.Over120differentchannelshavebeencontactedtorelaythe293surveyandhavedistributedthesurveyURL.294295Awiderangeofdifferentdistributionchannelshavebeenusedlike:296
• EuropeanCommissionDGswebsitesanddistributionlist(emails,Twitter,etc.)297• StandardsSettingOrganizations,global,regionalornational298• ETSImembership(750organizationsfromvariousindustrysectors).299• IndustryAssociations(e.g.Eurocloud)300• PublicAdministrations(acrossEurope,butpredominantlyincountrieswheretheexpertsoftheCSCreside)301• LinkedIngroups302• OpenSourceprojects303• Europeanprojects(e.g.,CloudWatch,Cloud4Europe,CloudingSME)304• Cloudscape305• EuropeanGridInfrastructure(EGI)306
307
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 10
Toensurethelargestpossiblenumberofanswers,thesurveyhasbeenleftopenaslongaspossible,i.e.upto308September25th,thelastdayofthepubliccommentingphaseforthefourCSC-2reports.309310AlistofcontactedindividualsandorganizationsispresentedinAnnexB.311312
5.4 Survey achievements and limitations 313
Aspointedoutearlierinthisreport,thenumberofresponses(376per25/09/2015)isdeemedsufficientenoughin314ordertoidentifyhigh-leveltrendsandpatterns.Theresultsarealsoassessedassufficientinordertodohigh-level315comparisonsbetweenCSC-1andCSC-2.Inthisrespect,itcanbearguedthattheoutputresultingfromtheWork316Package1ofSTF486(thewebsurveyandrelatedactivities)isconsideredsuccessful.Aspresentedinthebelow317sections,responsesinmanypartsofthesurveyareencouragingintermsofawarenessoftheimportanceofstandards318andcertificationschemesamongmanyofthesurveyrespondents.319320However,thepresentsurveyisbasedonthevoluntarycontributionofasampleofrespondentsonwhichthe321promotersofthesurveyhadlittlecapacitytoanticipateandnocontrol.Onlybesteffortattemptshavebeenmadeto322collectthelargestnumberofanswerspossible,withthelargestpossiblespanoforganizationsizes,countries,sectors,323etc.Therefore,thenumberofresponsesmaynotbesignificantenoughtoallowin-depthandconclusiveanalysisata324detailedlevelforallofthequestionsofthesurvey.Anyreaderofthisreportshouldthereforebecautiousabout325makinganydecisiveconclusionbasedonthematerialsofthisreport.326327Anotheraspectwhenassessingtheresultsofthesurveythatneedstobeacknowledgedisthatthebenefits,concerns328andchallengeschosenbytherespondentsmightvarybasedontheorganization(intermsofsize),onthesector329(privateorpublic)inwhichitoperates,etc.Itisimportanttokeepinmindthatsomeoftheissuespresentedasmajor330inacertainusercategorymightverywellbeseenasinsignificantorevennon-existentinanother:thismaybe331addressedinsomesignificantcases(seesection8).332333
5.5 Other lessons learned 334
Designingasurveyisacomplextask.Themainobjectivehasbeentocoveranumberofdifferenttopicsinorderto335encompassthetargetareasidentifiedasrelevantforthequery,whileattemptingtokeepthesurvey’slengthand336complexityataminimum.Keepingthequestionsrelevantandunambiguoushasbeenanotherimportanttask.337DependingontheroleoftherespondentintheCloudComputingeco-system,thequestionsmightinsome338circumstancebeinterpreteddifferently.Toovercometheidentifiedchallenges,twoimportantelementshavebeen339helpful.Themostimportantelementtomitigatetheissuesidentifiedwasthefeedbackfromreviewersofthedraft340surveytext.AnotherpositiveelementwastheexistenceanduseofcleardefinitionsoftherolesinCloudComputing:a341significantmaturationfromtheCSC-1toCSC-2wasrecognizedinthisrespect.Whereapplicableinthesurvey,the342vocabularyprovidedinthestandard"ISO/IEC17788andITU-TY.3500–Informationtechnology—Cloudcomputing343—Overviewandvocabulary"[i.1]hasbeenused.344345
6 Survey analysis 346
6.1 Significant findings 347
General-purposeinformationregardingrespondents’organizations:Respondentsarenearlyequallyrepresenting348SMEorganizations(upto249employees)andlargeorganizations(morethan249employees).TheICTsectoris349dominating(43%)followedbyAcademiaandPublicAdministrations.Someindustrysectorsarenotrepresentedatall.350351Benefitsandchallenges:“ReductionofCAPEX”,“improvedbusinessagility”and“fastertimetomarket”areseenas352themajorpositivefactorsforadoptingCloudComputingwhilecompatibilitywithin-housesystems,security,353privacy/integrity,areviewedasthemostcriticalchallengeswithSLA,performanceandefficiency,resiliency,vendoror354datalock-inandinteroperabilityacrossvendorsolutionsrankedamongthehighestconcerns.Itcanbenotedthatthe355lackofOpenSourcesolutionsisnotseenasamajorCloudComputingchallenge(seeETSISR003382[i.12]forfurther356informationonCloudComputingstandardsandOpenSourcesolutions).357
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 11
358Adoptionandscope:Amajorityoftherespondents(58%-2015-06-04))havealreadystartedtoadoptCloud359ComputingprobablyreflectingthefactthattherespondentsaremainlyfromtheICTsector.Itshouldalsobenoted360thatnone(0%)oftherespondentsstatedthattheyareNOTplanningtoadoptCloudComputing.Themainusagearea361forCloudComputingisIaaSasthemostprominentstartingpoint.40%oftherespondentsareplayingtheroleofthe362CloudServiceCustomerintheirrespectiveorganizations.RegardingthelevelofresourcesandsupporttoCloud363Computing,nearlyhalfofrespondentsclaimthattheyarereceivinganadequatesupportfromtheirICTteamanda364thirdofthemhaveadedicatedcloudsupportteam.365366CloudComputingadoption:preparingyourorganization367TomakethetransitiontotheCloudinasecureandreliablewaysomeaspectsneedtobeconsideredandsome368conditionsmustbemet;theorganizationmakingtheleaptotheCloudmustbeprepared.Nearlyhalfofrespondents369claimthateffortsrelatedtodatacategorization(43%)anddataclassification(35%)areon-goingintheirorganizations.370Datasecurityawarenessandlevelcontrolisseenasahighlyimportantaspectthatneedstobetackledbyamajority371oftherespondents.Regardingsoftwarelicenses,37%oftherespondentsindicatethatnegotiationsareon-goingwith372thesoftwarevendorsprovidingCloudComputingsoftware&serviceswhile21%ofthemmentionthatnoactionis373deemednecessary1.374375CloudDeploymentModelsandCloudServiceCategories:PrivateClouddeploymentmodelsclearlydominate376followedbyHybridCloudandPublicClouddeployments.ConcerningCloudServiceCategories,high-availabilityisseen377asthetopusageareaforIaaSwhilesoftwaredevelopmentisalsoseenasthetopcapabilityforPaaS.ConcerningSaaS,378thegeneraldatastoragetypeofapplicationisrankedhighwhilespecializedapplicationssupportingforexample379supplychainservices,HR,ERPorCRMarelessfrequentlymentioned.Notably,54%oftherespondentsindicatean380interestinemergingCloudServiceCategoriessuchasCaaS,NaaS,DsaaSandCompaaS.381382Cloudcomputingandstandards:Security,privacyandintegrity,performanceandportabilityacrossvendorsolutions383arerankedhighregardingtheimpactthatstandardshaveontheconcernsoforganizations.Intermsofhowstandards384areconsideredintheorganizationsoftherespondents,38%indicatethatstandardsareusedwhile27%thattheyare385considered.Thisshowsapromisinginsightintothevalueandimportanceofstandards.386387Inlinewiththeresponsesregardingimpactofstandards,interoperability,security,servicelevelagreements,388portabilityandAPIsarementionedastoppriorities.Thefeedbackalsoindicatesthatrecentlypublishedstandardsare389nowbecomingknownbyasmallnumberofrespondents.ExamplesofstandardsusedorconsideredareISO/IEC39017788–ITU-TY.3500"Cloudcomputing–Overviewandvocabulary"[i.5],[i.1]andISO/IEC17789–ITU-TY.3502391"Cloudcomputing–Referencearchitecture"[i.6],[i.7].However,thenumberofanswersistooinsignificanttoclaim392thattheCloudComputingspecificstandardsarenowpartoftheCloudstrategyformostorganizations.393394Cloudcomputingcertifications:Almost75%oftherespondentsseecertificationschemesasapositivewayof395increasingconfidenceinCloudServiceProviders.Amongstthecross-cuttingaspects,thetwo(security,privacyand396integrity)seenasbothmostcriticalforthematurityofcloudcomputing[Q11]andasaspectswherestandardsare397expectedtohavehighestimpact[Q34],certificationsfortheseaspectsareactuallyrankedasclosetotheleast398important[Q48].Themostimportantissuesforcertificationare:datastoragelocation(oneaspectofprivacy),cloud399datacentreinfrastructure,cloudprovisioningprocessandinteroperability/reversibility.Amoredetailedanalysisis400foundinsectionA.11ofthepresentreport.AmajorityoftherespondentsareunawareoftheCloudCertification401SchemesList(CCSL)definedbyENISAwhileinthislist,thewell-knownISO/IEC27001[i.8]comesfirstasaschemefor402Cloudcertification.AmajorityoftheCloudServiceCustomersindicatesthattheyplantoincludeoneofthese403certificationschemesintheirCloudComputingprocuringprocesses.AmajorityofCloudServiceProvidersalsoplans404tocertifytheirCloudServiceofferings.405
1Furtheranalysisisneededonthispoint;itisnotentirelyclearifanswersinthiscategoryindicatethatactionsarenotneededorifnecessarymeasureshavealreadybeentaken.
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 12
406
6.2 Trends and patterns 407
Basedontheresponsesreceived,itispossibletomakesometentativeandhigh-levelanalysis.Fromthisanalysis,408somepatternsemergethatwillhavetobeclarifiedandconfirmedbyafinalanalysismadeattheconclusionofthe409survey.410411Thetrendsthatareassessedasthemostsignificantarepresentedbelow.412413Security,IntegrityandDataPrivacy:thesetopicsareseenasmajorconcerns forcloudmaturityandforstandards414impact,althoughnotforcertification.Thisisnotanewfinding,butthefactthatitisstillverymuchpresentisaclear415indicationontheperceivedchallengeaheadforsecuritystandardsandCloudcertificationinparticular.416417InteroperabilityandPortability:theseareasarerankedhigh.Concerninthisareaismostlikelylinkedtotheissueof418vendorlock-in,theunclearcapabilitiesofindividualcloudserviceofferingsabilitytomovedatafromoneserviceto419anotherandthelackofportabilitystandardsforcross-Cloudscenariosingeneral.420421MovingtotheCloud:thereisahighperceptionfromtherespondentsthatthetransitiontoCloudComputingshould422becarefullyplannedandorganized,inparticularinareaspertinenttodata(classification,storage,etc.),processesand423security.424425Standards:ingeneral,theroleofstandardsisseenasimportantandthereisagrowinglevelofawareness,evenin426termsofknowledgeoftheexistingsetofstandards.Itistobenotedthat,inthisperspective,thebenefitfrom427standardsrelatedtoCloudComputingisseenasmorecriticalthanOpenSource:thisfindingishoweversubjectto428furtheranalysis.ThistopicisfurtherexploredinETSISR003382[i.12]429430Certification:averylargemajority(over80%)oftherespondentsconfirmtheroleofcertificationasaveryusefulway431toimproveconfidenceinCloudComputing.HowevertheselectionofCloudCertificationschemesiscomplex:the432CloudCertificationSchemeList(CCSL)isanattempttomakeaselectionofsuchschemesbutthesurveyshowsthat433only31%ofrespondentsareawareofthislist.ThisisclearlyshowinganeedforincreasingtheawarenessoftheCloud434ComputingcommunityonCCSLandallthemeanstohaveaccesstoapre-analyzedandrecommendedlistof435certificationschemes.436437
6.3 Detailed findings 438
6.3.1 Adoption of Cloud Computing 439
ThewebsurveyclearlyindicateswhichCloudComputingServiceCategories(SaaS,PaaS,IaaSetc.)andCloud440ComputingDeploymentModels(Public,Community,PrivateorHybrid)aremostcommonintermsofusage;IaaSand441provisioninginfrastructureaswellasgeneraldatastorageconstitutethemostpopularServiceCategoriesandusage442areaswherethePrivateCloudDeploymentModelscomeoutfirstastheDeploymentModel.TheadoptionofCloud443ComputingandCloudComputingbasedservicescontinuestogrowacrossEurope.444445StudiesalsoshowthattheuseofCloudComputingservicesissteadilygrowingworldwide.Inarecentstudypublished446bySkyhigh“CloudAdoption&RiskReport”[i.3],theuseofCloudservicescontinuestoincreasequitesignificantly.447However,ouranalysiswillpointoutlaterthatthisadoptionisnotuniform.448449BasedonhowtheresultofquestionsrelatedtotheadoptionanduseofCloudComputingisinterpreted,theanswers450receivedmightshowsomediscrepancies.Considerthischart:451452
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 13
453Figure1–ExpectationsonpotentialCloudComputingbenefits(Question7)454
TheabovechartshowsasignificantinterestinusingCloudComputingtoimprovebusinessagilityandtoobtaina455fastertime-to-marketforproduct&servicesprovided.However,whenlookingattheactual,currentusageofCloud456Computing,thefullpotentialofCloudComputingisstilllargelyunexplored,basedontheanswerscollectedthrough457thewebsurvey.458459Someparticularobservationsaremadebelow.460461Supportingtheorganization462463Asmentionedabove,usingthecloudtoaddICTresourcesisthecurrentmainusageareas.Somewhatsurprisingisthe464relativelyhighnumberofresponsesthatshowCloudComputingastheplatformforsupportingBusinessProcesses.465466Cloudtransformation467468Amongmanyrespondents,thereisasignificantinsightintotheneedofunderstandinghowdatacontrol,classification469andtaxonomyimpactandpotentiallyrestrictthemovetotheCloud.Securityisseenasamajorblockerinthe470migrationtotheCloudwheredatasecurity,integrityandprivacyareparticularissueareas.Businessprocess471alignmentandidentificationisanothercloudtransformationareathatreceivesattention.Inordertomakethe472transitiontotheCloudbasedonthebestpossiblebusinesscase,theorganization’scoreandsupportingbusiness473processesmustbeunderstoodbeforetherationaleforCloudComputingsimplywill“makesense”.Well-controlled474andfullyalignedprocessesmakethecloudtransitioneasierandwillallowtheorganizationtomovetotheCloudon475thebasisofprioritizedtransitionplans.Inordertoprovisionand/oruseCloudComputingbasedservices,the476preferredarchitectureisbasedonSOA(orsimilarserviceorientedarchitectureprinciples)as74%oftherespondents477havestarted,areintheprogressorhavefinishedtheprocedurebasedonthatprinciple.SOAisseenasanimportant478cornerstoneinmanyorganizations’enterprisearchitecturestrategyandpotentiallyalsoanelementoftheCloud479transitionprogramformanyorganizations.480481SoftwareLicenses482483Manyorganizationsarenegotiatingthetermswithindependentsoftwarevendorsregardingusing/runningsoftware484intheCloud.Theresponsesreceivedsuggestthatmanyorganizationsareeitherinvolvedinorhavecompleted485negotiationspertinenttothenewtermsrelatedtoCloudusageofsoftware/applications/services.Many486organizationsarealsoworkingon“EnsuringSoftwareSuitability”,whichentailstheactivitiesmentionedabovebut487alsotomakingnecessaryadjustmentsto–forexample–theenterprisearchitecture,existingvendorcontractsand488SLAs,and–again–addressingtheconcernsandanyoutstandingworkrelatedtodata,security,integrityand489interoperabilitybetweeninternal,external,on-siteandcloudbasedsystemsandapplications.490491“Goingallin”withCloudComputing,tappingintothefullbenefitsofthePublicCloud,e.g.lowercostandaflexible492useofCloudservicesforinstance,willrequirethattheoutstandingconcernsarefullyaddressed.493
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 14
TherepliesreceivedontheadoptionanduseofCloudComputingclearlyindicatethatCloudComputingingeneral494remainsan“untappedresource”.However,theassessmentisthattheearlyadoptersandthosealreadyusingCloud495Computingareworkingtowardsexpandingtheuseonceinitialworkandnecessaryremainingeffortsarecompleted.496497
6.3.2 Interoperability 498
Oneoftherecurringconcernsraisedbythewebsurveyrespondentsconcerns“interoperability”,or–rather–thelack499thereof.Forfurtherdetailsoninteroperability,seeETSISR003391[i.13].500501AnswerstothefollowingquestionsindicateorsupporttheclaimthatInteroperabilityisoneofthetopconcerns502amongtherespondents.503504Somehighlightedaspectsofinteroperabilityinclude:505
• Interoperabilityisakeysuccessfactortoensure“Increasedbusinessagility”.Unlessahighlevelof506interoperabilityinsolutionsinternaltotheorganizationaswellasinteroperabilitywithexternalstakeholders507(collaborators,customers,suppliers,subsidiariesetc.)issecured,itwillbedifficulttoobtainahighlevelof508businessagility.509
• Interoperabilityisalsoseenasmainconcernamongmanyoftherespondents,bothintermsofageneralissue510fortheorganizationoftherespondentandintermsoflackofsupportforinteroperabilitystandards.511
512
513Figure2–MaturityofCloudComputing:criticalissues(Question11)514
Interoperability(andPortability)acrossvendorsolutionsisalsoseenasamajorconcernformanyorganizations,515illustratedbytheabovechart.516517ThewebsurveystronglysuggeststhatSDOsprovidinginteroperabilitystandardsforCloudComputingmustaccelerate518theirefforts.TheongoingworkinISO/IEConprovidingguidanceforthisdomain(ISO/IEC19041:"CloudComputing519Interoperability&Portabilityconcepts"[i.10])isanexampleofanactivitythatislikelytoprovidevaluableinformation520inthisrespect.521522
6.3.3 Security – Privacy and Integrity 523
“Security”and“Privacyandintegrity”arerecurringconcernsinthewebsurvey.Theseareasrankhighbothintermsof524aspectsseenasimportantfortherespondentanditsorganizationandalsowhenitcomestorelatedstandardsthat525areseenasmostcriticalforCloudComputing.Inseveralquestions,securityoraparticulartypeofsecurity(“data526security”)andPrivacyandintegritycomeoutattop(pleaserefertoAnnexA).527
528
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 15
529Figure3–Maturityofyourorganization:criticalchallenges(Question9)530
531Theabovefigureillustrateshow“security”,“privacyandintegrity”areconsistentlyrankedasthehighestconcerns532throughoutthewebsurvey formattersotherthancertification.533534Someobservationsthatcanbemade:535
• TheuseofSaaSforprocessingsensitivedata(incl.personaldata)rankslowintermsofusageareas.This536observationisconsistentwithhowSecurityranksasaconcern;theconclusionmightbethatthereissimply537notyetsufficientconfidenceinCloudComputingfortheuserstoprovisionandprocesssensitivedatainthe538cloudcomputingspace.Itisrecommendedtofurtherinvestigatethereasons(suchassecurityconcerns,539regulatory,etc.)fortheslowadoptionofSaaSforsensitivedataneeds.540
• TherearedifferentlegalbarriersacrossEuropeandnoup-to-dateEuropeanDataProtectionRegulationyet.541• Amongthelownumberofrespondents,ISO/IEC27001[i.8]isthestandardmostknownandused.542• “Security”isacomplex,slightlyambiguousandimpreciseconcept.Itcanbeandprobablyisinterpretedin543
manydifferentways.Securitycanforinstancemaptoandconcernoneormoreofthefollowingareas:544○ Dataprotection(andinformationclassification,dataencryptionetc.)545○ Dataaccess546○ Identitymanagement547○ Authorization548○ Authentication549○ Dataprivacy550○ Dataintegrity551○ Accessibility552○ Operations553
andprobablysomeadditionaldomains/areas.Itislikelythat“Security”and“Privacyandintegrity”arein554factgroupedtogetherandseenasasingleconcernbytherespondents.555
556“Security”ingeneraliswithoutdoubtamajorconcernformostusers,customersandprovidersalike,inparticularina557Cloudsetting,astheresourcestypicallyaresharedandthedataintegrityasaconsequenceneedsadditionalattention558toensurearetainedconfidenceintheownershipofdataaspects.Manyusersareconcernedabout“losingthecontrol559ofdata”,inmanycasesprobablyjustifiablyso.UnlessSecurity–allrelevantaspectsofSecurityrelatedtoCloud560Computing–isfullyaddressedandtheusersaremadeawareofavailableoptionsandexistingprotocolsand561standardsthatcanbeusedtobuildreliableCloudComputingofferings,theadoptionofCloudComputingislikelyto562continuetogrowslowly.563564ItcaninthiscontextbenotedthatarecentstudymadebytheGartnerGroup“BudgetingfortheSaaSSecurityGap”565[i.2]indicatesthattheorganizationsinvestinginSaaSarenotmakingthenecessaryinvestmentstoaddressCloud566ComputingSecurity.SomeofkeychallengeslistedbyGartnerarethelackofspendingonSaaSsecurityandthelackof567
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 16
fullknowledgeaboutthenewsecuritychallengescreatedwhenmovingtoSaaSastheICTplatform.Therefore568educationandawarenessofresponsibilitiesarekeyfactorshere.569570TheconclusionsmadebyGartnersupportthecaseforstandardsintheSecurityspace.Theirreportechoesthe571findingsmadeinthewebsurveyintermsofaddressingtheSecurityconcernsraisedbymanyrespondentsoftheweb572survey,anditalsoconfirmstheremarkabovethatmanyusersneedtoobtainabetterunderstandingonSecurityand573itsvariouselements,andhowtheseelementsarerelatedandcometogethertoformthenecessaryleveloftrustand574confidenceinCloudComputing.575576Thecurrentdevelopmentofa“DigitalServiceInfrastructure”andconstituentBuildingBlocksaspartoftheEC577program“ConnectingEuropeFacility”(CEF)shouldalsobereferencedandconsideredinordertounderstandthe578implicationsonCloudComputingresultingfromthepan-Europeane-IDandcertificationsolutionsnowbeing579provisioned.2580581
6.3.4 Standards 582
Standardswereoneofthemainaspectsofusers'needsforwhichthesurveywasdesigned.ThefirstphaseofCSChas583addressedinparticulartheevaluationofthematurityofCloudComputingstandards.Oneofthegoalsofthesurvey584wastoaddresstheneedsofusers,theirexpectationsvis-à-visstandardsandtheirperceptionregardingtheactual585possibilityforstandardstosupporttheirneeds.586587Anumberofquestionswereaskedmostlyintwoways:588
• Asetofquestionsrelatedtostandardsingeneral(Questions34to36);589• Adetailed(andoptional)sectionwithquestionsspecifictosomespecificStandardsdocuments(Questions37590
to46).591
Regardingthegeneralquestionsonstandards,animportantonewastheevaluationoftheimpactofCloudComputing592standardsontherespondents'organization,whoseresultsaresummarizedbelow:593
594
595Figure4–CloudComputingStandardsimpactonorganizationconcerns(Question34)596
597
2TheCEFbuildingblocksareprovidedinordertoensureareliableandinteroperablemechanismforserviceandinformationexchangecross-borderintheEC.TheongoingworkintheLargeScalePilots(LSPs)STORKande-SENSisalsoofinterestinthisrespectandcreatesinputtotheDSIande-IDandcertificationBuildingBlocks.Formoreinformation,seehttps://joinup.ec.europa.eu/community/cef/og_page/catalogue-building-blocks.
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 17
Formostofthedomains,thesumof"Medium"and"High"answersisinmostcaseabove75%withdomainswhere598theexpectationsareparticularlyhigh:Security,Interoperability,PrivacyandIntegrity.Theusers'concernsregarding599thesedomainsarenotnew,butthelevelofexpectedsupportfromstandardsisveryencouraging.600601Inadditiontothis,whenaskedabouttheactualplaceofstandardsintheirorganization,therespondentsarealso602givingthesignalthat,inmorethan75%ofthecases,standardsare"considered"or"used".603
604
605Figure5–TowhichdegreeareCloudComputingStandardsconsideredorused(Question35)606
607Regardingthedetailedstandardsproposedforevaluation,thelevelofknowledgeoftherespondentscanvary608significantly,withsomeexamplesofstandardswhosevisibilityisbelowwhatwecouldhaveexpected.Anexampleis609givenbelowwithISO/IEC27018[i.11](relatedtoCodeofPracticeforPII):610
611
612Figure6–AdoptionanduseofCCstandards:Dataprotection(Question40)613
614OneoftherecommendationsthatmaystemfromthisanalysisisthatStandardsSettingOrganizationsneedto615intensifytheirpromotionandeducationeffortstowardstheCloudComputingcommunity.616617MoredetailswillbefoundinsectionsA.9andA.10.618
6.3.5 Certification 619
ThequestionoftrustiscentraltotheadoptionofCloudComputing.Buildingtrustisacomplexissueandseveralways620havebeenaddressedinthesurvey:preparationoftheorganizationfortheadoptionofcloud(seesectionA.6),useof621standardsandalsocertification.Theyallneedtobeaddressedtogether.622623Thefirstfeedbackfromtherespondentsontheroleofcertificationisclear:itisaveryusefulwaytoimprove624confidenceinCloudComputingforaverylargemajority(over80%).625
626
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 18
627
Figure7–IsCloudCertificationapossibilitytoimproveconfidenceinCloud(Question47)628
629Oncethisagreed,thentwoquestionshavetobeaddressedbytheorganizations:1/thescopeofcertificationand2/630thecertificationscheme(s)tobeused.631632Regardingthescopeofcertification,alistof12domainshasbeenproposedwiththefollowingresults:633
634
635Figure8–RankingCloudCertificationareasaccordingtotheirimportance(Question48)636
637ThenumberonecandidateforcertificationisDatastoragelocation.Thisisreflectingtheconcernalreadyidentifiedin638theprevioussectionsofthesurvey(e.g.adoptionofCloud)onlegalandtechnicalsupporttotheprotectionofthe639organization'sdata.Certificationisseenasapotentialenabler.640641Thenextthreedomainsintherespondents'rankingareregardingtechnicalconcerns:CloudDatacenterinfrastructure,642CloudProvisioningprocessesandInteroperability/Reversibility.Hereagainthequestionofdata(integrity,643reversibility)canbeseenasamajorconcern.644645WhenfacingtheselectionofCloudCertificationschemes,anorganizationisofferedalargesetofsuchschemes.The646CloudCertificationSchemeList(CCSL)isanattempttomakeaselectionofsuchschemes.Thesurveyshowsthatonly64737%ofrespondentsareawareofthislist.648
649
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 19
650
Figure9–AwarenessofCCSL,theCloudCertificationSchemesList(Question51)651
652ThisisclearlyshowinganeedforincreasingtheawarenessoftheCloudComputingcommunityonCCSLandallthe653meanstohaveaccesstoapre-analyzedandrecommendedlistofcertificationschemes.However,itisrecommendto654furtherstudycertificationschemes,especiallytoexplorewhethertheISO27000familyofcertificationisdeemed655sufficient.656657ThisisalsoconfirmedbytheanalysisiftheawarenessofsomeoftheschemesofCCSLasshownbelow:658
659
660Figure10–AwarenessofsomeCloudCertificationSchemeslistedinCCSL(Question52)661
662Thefirstschemeinthislist(morethantwotimesnotoriousthanthenextone)isISO/IEC27001.ThisisnotaCloud663Computingspecificschemebutitisalsoaglobalworldwideone.664665MorecanbefoundinsectionA.11.666
6.4 Impact on other Cloud Standards Coordination Phase2 667
reports 668
ThewholescopeandworkprogramofCloudStandardsCoordinationPhase2hasbeendefinedwiththeintentionto669understandatbesttheexpectationsoftheusersregardingCloudComputing.Fromthisstandpoint,somefindingsof670thesurveyaredirectlyimpactingtheotherWorkPackagesofCSC-2andhavebeentakenintoaccountinthewritingof671thecorrespondingreports.672673WP2 OpenSourceandstandards674675ThemainfindingofthisreportregardingOpenSourceisthatOpenSourceisnotseenasamajorCloudComputing676challenge.Thiscanbeseenintwoquestions:677
• Q11.MaturityofCloudComputing:howcriticalarethefollowingissuesforyourorganization?The"Lackof678OpenSourcesolutions"isseenascriticalorverycriticalonlyby31%orrespondentwhereasthesamefigure679for"LackofstandardsandstandardsAPIs"is49%.FurtherconsiderationsonOpenSourcesolutionsare680discussedinETSISR003382[i.12].681
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 20
• Q34.WhichimpactcanCloudComputingStandardshaveonyourorganization'sconcerns?Itappearsthat682standardshaveamediumorhighimpactforabout75%ofrespondents.683
684TheWP2report(ETSISR003382[i.12])addressestherelationshipbetweenStandardsandOpenSource.Fromthis685standpoint,thoughtheusualwaytoapproachthisistoanalyzethewayOpenSourcemaymakeuseofstandards686(existingorindevelopment),itisalsousefultoaddresstheotherwayround,inparticularhowstandardscan687contributetothetrustthatusersorganizationsmayputinOpenSourcesolutions.688689
WP3 Security,StandardsandCertification690691Alotofemphasisisputbythesurveyrespondentsontheissuesofsecurity,andontheroleofstandardsor692certificationregardingtheresolutionofsecurityissues.TheworkofWP3revolvesaroundstrategiestoaddressallthis693aspectsinacoherentmanner,andontherecommendationsthatcanbedrawn.694695Inparticular,thequestionofcertificationiskey.Somefindingsofthesurveypointtotherelativelackofknowledgeof696therespondingorganizationsonthecertificationschemesthemselvesaswellasonthebestwaytousethem.A697clarificationofthisquestionandassociatedrecommendationsareamajorobjectiveoftheWP3report.698699WP4 StandardsMaturityLandscape700701Oneoftheobjectivesofthe"snapshot2"istoassessthematurityoftheCloudComputingstandardizationandto702evaluatetheprocessbetweenthe"snapshot1"ofCloudStandardsCoordinationPhase1(availableinNovember7032013)andthe"snapshot2"availableinSeptember2015,almosttwoyearsafter.704705Whenthe2013StandardsMaturityAssessment("snapshot1")resultshavebeenpublishedbyCSC-1,somegapshad706beenidentified(e.g.security,ServiceLevelAgreement).Thepersistenceofthesegaps–atleastfromthepointofview707ofusers'perception–issomehowconfirmedbythesurvey.708709Anumberofstandardshavebeendevelopedinbetweenthetwo"snapshots".Fromthisstandpoint,thelistof710relevantstandardsislargerthantheoneofNovember2013.Theanalysisofthestandardsfromthislisthastakeninto711accountsomeofthefindingsofthesurveyandpaidspecialattentionatleastto:712
• SecurityStandardsandCertificationschemes713• InteroperabilityandDataPortabilitystandards714• Service-Level-Agreementstandards715
716
6.5 Relationship to other activities 717
CloudSIGonSLA718TheCloudSpecialIndustryGrouponSLAwasinitiatedbytheECtoaddressCloudStandardisationforServiceLevel719Agreement.SeveralmembersofthisgroupalreadycontributedtoCSC-1.ThegroupwasinformedabouttheCSC-2720activitiesandinvitedtoparticipateinthesurveythroughtheirDGCNECTcontact.721722ItshouldbenotedthatthegroupisnotcurrentlyactiveafterhavingdeliveredtheirCloudServiceLevelAgreement723StandardizationGuidelinestotheECin2014andtotheISOSC38/WG3tobeconsideredinISO/IEC19086-1:"724Informationtechnology–Cloudcomputing–Servicelevelagreement(SLA)frameworkandtechnologyPart1:725Overviewandconcepts"[i.9].726727EuroCIO728CSC-2hasbeeninpermanentcontactwithEuroCIOsinceitsbeginningandhasparticipatedandcontributedtothe729twoWorkshopsorganizedbyEuroCIOonCloudComputing.In2015,EuroCIOhasbeentaskedbytheECtoreviewthe7304ECstrategicactionsinsupportofitsCloudComputingstrategyofwhichCSC-2ispart.731732ItshouldbenotedthatafewquestionsoftheCSC-2surveyquestionshavebeenincludedintheEuroCIOsurveyin733supportoftheirabove-mentionedaction.Theanswerscollectedhavegivenmorevaluetotheconcernedquestions734(e.g.oncertification).735736
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 21
NIST737Toalargedegree,NISTandCSC-2shareacommonapproachtoCloudComputingstandardization:theybothhavea738contributiontothestandardizationframework(thoughNISTalsocontributestostandardswhereasCSC-2doesnot).739Fromthisstandpoint,itappearedimportanttoinvestigatethepossiblecommonactionsthatwouldresultfromthis740situation.741742Tothisextent,afteracommonmeeting,wehaveunderstoodthatthecurrentsurveymatcheswellwiththe10743recommendationsforCloudComputingthatNISThaspublishedin2011.AcontributionofCloudStandards744CoordinationPhase2ontheanalysisofthe2011and2015situationshasbeenpresentedattheNISTCloud745ComputingWorkshopVIIIinJuly2015.ThispresentationisavailableontheCSCwebsiteinthe"Sharing"sectionat746http://csc.etsi.org/phase2/dissemination.html.747748
7 Conclusions and recommendations 749
ThepresentreportindicatesthatrunningawebsurveyonCloudstandardsmayyieldrelevantfindingseventhough750thenumberofrespondentsislimitedandthecompositionoftherespondentsresultingfromtheinvitationtoselected751stakeholdersisrepresentativeoftheoverallpopulationonlytoanunknownextent.752753Thefindingsmadeduringtheanalysisofthesurveysupportthecontinuedstrivetowardsclosingtheidentifiedgapsin754termsofsupportforCloudComputingstandards.Italsoshowsagrowingawarenessoftheimportanceofstandards,755ingeneralandforCloudComputinginparticular.756757
758Figure11–AsummaryofCloudUsersconcerns759
Source:CSCphase2760761Basedontheprincipalareasofconcern,illustratedintheabovefigure,theCloudStandardsCoordinationPhase2762expertshavelistedsomerecommendationsfollowingthefindingsinthewebsurvey.Theserecommendationsare763listedbelow:764765CollaborationacrosskeyCloudComputingstakeholders766EncourageandincreasecollaborationsacrossthevariousrelevantinitiativesinEuropeaswellacrossstandards767developmentorganizations(formal,dejureanddefacto)toavoidandminimizefragmentationandoverlapinthe768CloudComputingrelatedstandardizationefforts.DuringtheCSC-2,contactshavebeenmadewiththeUS769standardizationagency,NISTaswellasforexampletheEuroCIOorganization.Bothcontactshaveresultedinfollow-770upactivitiesthatwilladdfurthervaluetotheCSC-2resultsaswellassecuringawarenessoftheCSCwork.771772Disseminationandmarketing773
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 22
MakesurethatCloudComputingstakeholders(users,customersandproviders)aremadeawareofexistingstandards774andcertificationprograms.Therelativelylowresponseandawarenessfoundamongtherespondentsoftheweb775surveystronglysuggeststhattheimportanceandpotentialbenefitsofstandardsandcertificationschemesneedtobe776furtheradvocatedandmarketedbyusingintherelevantchannelsthroughtheappropriateEUagenciesandalsoby777theSDOs.778779ConducttheCloudWebSurveyregularly780KeepingtrackoftheendusersperceptionofCloudComputingbenefitsandchallengesprovidesanexcellentbackdrop781forongoingaswellasfutureeffortstoclosetheidentifiedgapsandaddressthechallengesdisclosedbytheweb782survey.TheSTF486expertsseethewebsurveyasagoodtooltogaugetheprogressandstate-of-affairsintheCloud783Computingspaceandrecommendthatthewebsurveyisreopenedandrunonaregularbasis,tentativelyonan784annuallybasis.785786Securityaspects–akeyconcern787“Security”,asaconcept,iswithoutdoubtamajorconcernformostusers,customersandprovidersalike,inparticular788inaCloudsetting,astheresourcestypicallyaresharedanddataintegrity confidentialityandavailability,asa789consequenceneedadditionalattentiontoensurearetainedconfidenceintheownershipofdata.Manyusersare790concernedabout“losingthecontrolofdata”,inmanycasesprobablyjustifiablyso.UnlessSecurity–allrelevant791aspectsofSecurityrelatedtoCloudComputing–isfullyaddressedandtheusersmadeawareofavailableoptionsand792existingprotocolsandstandardsthatcanbeusedtobuildreliableCloudComputingofferings,theadoptionofCloud793Computingislikelytocontinuetogrowslowly.Forfurtherdetails,seeETSISR003391[i.13].794795Certificationaddsconfidence796Theanalysissupportstheprovisioningofcertificationschemes,wherecertificationofvendorsandthecrosscutting797aspectsdatastoragelocation(oneaspectofprivacy),clouddatacentreinfrastructure,cloudprovisioningprocessand798interoperability/reversibilityaretoppriorities.Theseaspectsaregeneralconcernsthatneedtobeaddressedto799acceleratetheadoptionofCloudComputing.TheCSC-2willusetheresultsofthewebsurveyasinputtotheother800tasksandworkitemsoftheCSC(asdescribedin6.4and6.5).801802Insummary,theCloudStandardsCoordinationPhase2expertsseethestandardscoordinationeffortaswellfunded803andhighlyrelevant.Itisrecommendedthatthestandardscoordinationresultsbethoroughlydisseminatedandthat804theindustryandStandardsDevelopmentOrganizationcontactsandcollaborationsmadeaspartoftheCloud805StandardsCoordinationinitiativecontinue.806807808
8 Areas for further study 809
Someareasforfurtherstudyareforinstance:810• Specializationofresults.Inthisversionofthereport,theresultsforaquestionaretakenglobally,onthe811
totalityoftherespondents.Onsomequestions,amorein-depthanalysismaybeuseful,providedthatthe812numberofresponsesishighenoughtokeepsomerelevance.Anexampleofsuchanalysiscouldbeto813differentiatetheanswersbycountryoftherespondent:largedifferencesintherateofadoptioninEU814countries(asshowninthefigurebelow)mayalsobevisibleinthesurveyresults.Thelimitedtimeand815resourcesdevotedtoCSC-2madethisanalysisdifficulttoundertake.816
817Figure12–UseofCloudComputinginenterprisesinEurope(source:Eurostat).818
819
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 23
• AviewthattargetsSMEsspecifically.SlightlymorethanhalfoftherespondentsarefromSMEs.Considering820thatSMEsareamajortargetoftheworkofCloudStandardsCoordinationPhase2,ananalysisfocusedon821thispartoftherespondentswillbeuseful,providedthesizeofthesampleissufficientfordrawing822conclusions,whichwillbethecaseforsomebutmaybenotallofthequestions.823
• Validationoftrends.Someofthetrendsidentifiedinsection6.2maybefurthervalidatedbyadditional824analysis(possiblybyrunningthesurveyagainaftersometime).Inparticular,itmightbepossibletoidentify825newtrendsanddrawmorefirmconclusions.Anexamplemayberegardingsomeofthespecificstandards826addressedinquestions38to45.827
• IssueanewversionoftheUserSurveywithamodifiedstructureandpresentationofcoreconceptsbasedon828findingsmadeduringthecreationoftheotherCSC-2reportsandonthecommentsreceivedduringthe829reviewperiod.830
831832 833
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 24
834
Annex A: Survey Responses and Charts 835
A.1 Presentation of results 836
Theresultsofthesurveyarepresentedbelowintheformofchartsandcomments.Theyaregroupedbysub-section837thatcorrespondtothedivisionbypagesintheon-linesurveyitself.838839TheresultspresentedcorrespondtothesituationatSeptember25th,2015with376responsescollected.Thesurvey840willcontinuetobeavailableon-lineforacertainperiodoftime.Moreresultswillbeavailableforthefinalversionof841thereport.842843Thecompletesetofquestionsastheyappearon-linecanbefoundinAnnexC.844845Eachquestionisintroducedbyaheaderthathasthefollowingform:846847
Qn Textofthequestion848<#answers>answers-<indicator>849
example:125answers-ýý☐850where:851
• Qn representsQuestionnumbern852• <#answers> isthenumberofanswersreceivedforquestionQn853• <indicator> representstheviewoftheexpertsontheanswers.Itisasubjectiveindicationofhowfarthe854
resultscanbeinterpreted.Itcantakeoneofthefollowingforms:855856
ýýý theanswerstothisquestionaresubjecttoareliableinterpretation857ýý☐ theanswerstothisquestioncanbeusedforidentifyingtrends858ý☐☐ theanswerstothisquestioncanbeusedforinformation859☐☐☐ theanswerstothisquestionarenotmeantforanyinterpretation860
861Note: The<#answers>and<indicator>arenotcorrelated:theindicatorisbasedonmuchmoreinformation(and862
experts'discussion)thanjustthenumberofanswers.863864Thetypicalpresentationoftheresultsis:865
• Thepurposeofthequestion;866• Asummarychartwiththeanswerspresentedbypercentageofrespondents;867• Aninterpretationbytheexpertsofsomespecificpoints.868
A.2 Background information 869
Thisfirstsectionofthesurveywasusedforthepresentationofthesurveytogetherwithexplanationsonthewaythe870resultswillbestored,distributedandused.871872Q1 AreyoufamiliarwithCloudStandardsCoordination?873
366answers-ýýý874875SomeknowledgeoftheCloudStandardsCoordinationactivities(i.e.whatisnowcalledCloudStandardsCoordination876Phase1)isconsideredhelpfultobetterunderstandthecontextofthefollowingquestions.877878
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 25
879TheanswersindicatethatroughlytwothirdoftherespondentshavesomeknowledgeofCSC.880881Q2 AreyoufamiliarwithETSI?882
363answers-ýýý883884AcertainfamiliarityoftherespondentswithETSIisthesignthatonecouldexpectthattheyhaveacertainaffinity885withstandardizationprocessesandthusmaybetterunderstandthefollowingquestions.886887
888Almost80%oftherespondentsshowthisfamiliarityaboutETSI.889890
A.3 General purpose information 891
892Q3 Nameofyourorganization(notmandatory)893
115answers-☐☐☐894895ThoughthesurveywasanonymousanswerstothisquestionwouldallowtheCSCexpertstogetanimpressionofthe896compositionofthesetofrespondents.About28%providedthenamesoftheircompanies.Thisinformationisused897forinternalanalysisandisnot(assaidintheintroductionoftheon-linesurvey)meanttobemadepublic.898899Q4 Sizeofyourorganization900
307answers-ýýý901902ThemotivationforthisquestionissimilartotheoneforQ3.903904
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 26
905906
Alittlemorethanhalfoftherespondentscomefromdifferent-sizedSMEs,therestcomingfromorganizationswith907morethan249employees(e.g.companies,administrations,etc.).908909Q5 Sectorinwhichyourorganizationoperates910
307answers-ýýý911912ThisquestionisintendedtoshowtowhichextentCloudcomputingisusedindifferenteconomicalandsocietal913sectors.914915Theclassificationusedisbasedon“StatisticalClassificationofEconomicActivitiesintheEuropeanCommunity"[i.4]. 916917
918919TheICTsectorleadswith43%ofresponsesfollowedbyProfessional,ScientificandTechnicalActivitieswith14%and920Educationwith13%.Theothersectorsremainbelow3%.921922Q6 Region/Countryinwhichyourorganizationmainlyoperates 923
307answers-ýýý924925Thelocalizationoftherespondentsisanindicationofthegeographicaldistributionoftherespondents'organizations.926927
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 27
Itistobenotedthatthetotalofanswersisabove100%,whichshowsthatsomeoftheanswerscomefrom928organizationsthatoperateacrossseveralofthegeographicalzones.929930
931932
933Asanticipated,avastmajorityoftheanswersiscomingfromEurope,beittheEuropeanUnionortheotherEuropean934countries.ThisisinlinewithourexpectationssincethestudywasfirsttargetingtheEuropeansituation.935
A.4 Moving to Cloud Computing: expected benefits and 936
challenges to face 937
938Q7 HowhighareyourexpectationsonpotentialCloudComputingbenefits? 939
193answers-ýýý940941Thisquestionintendstoevaluatetheperceptionoftherespondentsonthebenefitsthattheirorganizationis942expectingfromtheadoptionofCloudComputing.943944
945946Mostcriteriareceived“Medium”,“High”and“VeryHigh”ratingsoftogether70%ormoreshowingthatthe947expectationsincloudcomputingbenefitsaresignificant.Inotherterms,theexpectationsarehigh.948949
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 28
Ifthehighestexpectationison"Improvedbusinessagility",theimportanceof"ReductionofCAPEX"isalsosignificant:950evenifitmaynotbeasessentialforlargeorganizations,thisimportanceofthisfactormaybehigherfortheSMEs951thatconstitutemorethanhalfoftherespondents.952953Q8 Ifthereareotherbenefitshighlyexpectedbyyourorganization,pleasespecify 954
38answers-ý☐☐955956Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:957
• Newbusinessmodels958• Serviceopportunities959• ScalabilityandCostcontrol960• Jointprocurementofresources961• SimplificationofICTprocesses962• Improvedresilience963• …964
965Insummary,Flexibility,Resourcesharing,Businessflexibility&innovation,Improvedsecurity,Peakdemand966managementarethemostsignificantbenefitsaddedbytherepliesreceived.967968Q9 Maturityofyourorganization:howcriticalarethefollowingchallenges? 969
197answers-ýýý970971Thisquestionintendstogetaself-assessmentbytherespondentsonthematurityoftheirorganizationregardingthe972challengesitmustfaceifitoptsfortheadoptionofCloudComputing.973974
975976Thetwomajorconcerns,notsurprisingly,are"Security"and"Privacyandintegrity".Onthesetwoaspects,theprofiles977ofanswersarealmostidentical,thusgivingthesignalthattherespondentsdonotdissociatebothaspects.These978issuesarestillextremelysensitive,despitesomeprogressintherecentyears.ItisnoticeablethatLegalissues,laws979andregulations(thirdinthelistwith20%)arealsoseenasmoreimportantthanothertechnicalchallenges.980981982Q10 Ifthereareothercriticalchallengestoyourorganization,pleasespecify 983
17answers-ý☐☐984985Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:986
• InternalgovernanceofCloudComputingdeployment987• Dataportabilitystandards;SLAstandards;integrationstandards988
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 29
• Culturalnorms989• Contractualobligations990• Lackoftransparencyofcloudproviders991• “ShadowICT”isseenasariskfollowingtheproliferationofCloudComputing–“SaaSsprawl”isincreasingly992
beingusedasthetermfortheincreaseduseofCloudComputingwithouttheretainedcontroloftheICT993department.Severalrespondentsraisethisasaconcernwherelackofgovernanceandlegalcompliance994mightcreatedifficultiesinorganizations.Lackoftherightknowledgeisalsobroughtupasanadditional995concern.996
• …997998999Q11 MaturityofCloudComputing:howcriticalarethefollowingissuesforyourorganization? 1000
194answers-ýýý10011002Thisquestionintendstogetaself-assessmentbytherespondentsonthematurityofCloudComputingitselfandhow1003thesechallengesmayimpacttheadoptionofCloudComputingbytheirorganization.10041005
10061007Notsosurprisingly,themajorityofrespondentsidentifySecurity(44%),PrivacyandIntegrity(43%)asmostcritical1008challengeswellbeforetheotherones.AsitwasforQ9,thisisanindicationthattheseissuesarestillextremely1009sensitive,despitesomeprogressintherecentyears.ItisnoticeablethatVendoranddatalock-in(thirdinthelistwith101028%)arealsoseenasamajorissuewiththeCloudComputingofferings.10111012Q12 IfthereareothercriticalissueswithCloudComputing,pleasespecify 1013
15answers-ý☐☐10141015Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:1016
• Businessprocesscontinuity1017• Identityandaccessmanagement[CSCexpertscomment:maybeseenasapartofsecurity]1018• Greendatacenters1019• …1020
1021RespondentsbringupIAMandPrivacyasCloudComputingconcernsbutalsoaccesstothe“topography”ofCloud1022Serviceoffersbasedonastandardizedprofiling(alsorelatedtohowtheSLAisdefined).1023
1024Q13 HasyourorganizationstartedtoadoptCloudComputing? 1025
211answers-ýýý1026
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 30
1027ThepurposeofthequestionistoevaluatethestateofCloudComputingadoptionintherespondents’organizations.10281029
10301031Notsurprisingly,aclearmajorityoftheorganizationsalreadystartedadoptingCloudComputing.Thefactthatnoneof1032therespondentsindicatedthattherearenoplansforadoptionmaysimplyindicatethatthosewhohavenosuchplans1033areprobablynoteagertofillthiskindofsurvey.10341035
A.5 Adoption of Cloud Computing in your organization 1036
Thissectionaddressestherespondent'sorganizationadoptionstrategyandintendedroleforCloudComputing.10371038Q14 ScopeofyourCloudComputingusageinthenearterm 1039
167answers-ýýý10401041ThepurposeofthequestionistocollecttheintentionsregardingthescopeofCloudComputingfortherespondent's1042organization.Itshouldbenotedthatthetotalofanswersisgreaterthan100%,severalchoicesbeingpossible.10431044
10451046ThoughthehighestfigureisregardingCloudComputingastheICTplatformofchoice,thehighvalueofthemigration1047ofsupportingbusinessprocessesisanencouragingsign.Thisiscorroboratedbytheresultsofthenextsectiononthe1048preparationoftheorganizationforCloudComputing.10491050Q15 StageofCloudComputingAdoption 1051
169answers-ýýý1052
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 31
1053ThisquestionaddressesthematurityofCloudComputingadoptionfortherespondent'sorganization.10541055
10561057Theproportionofrespondents'thathavenotyetservicesontheCloudisbelowonethird.Itisthesignofagood1058penetrationofCloudComputingamongsttherespondents'organizations.Consideringthat43%ofthemcomefrom1059theICTindustry,thisdoesnotcomeasenentiresurprise.Itmaybeusefultoanalyzetheanswersinmoredetails1060(whataboutthenon-ICTsectors,whatabouttheSMEs,…).10611062Q16 RoleofyourorganizationinCloudComputing 1063
169answers-ýýý10641065Thisquestionintendtogathertherolesoftherespondents''organizationinCloudComputing.Itisinparticulartrying1066tomeasuretherespectiveimportanceofCloudServiceCustomers(whicharetoalargeextentthetargetofthestudy)1067andCloudServiceProviders(whohadbeenthemajorforceinCSCphase1).10681069
10701071ThoughtthepercentageofCloudServiceProviderislow,thetotalamountofanswersrelatedtoroleinvolvedinthe1072CloudServicesdevelopmentanddeployment(Auditor,Develop,Provider)isonlyslightlybelowtotheoneofthe1073CloudServiceCustomers.10741075TherelativeimportanceofCloudBrokerisalsotobenoted.Sincethisisarelativelynewrole,notalreadyvery1076developedintheCloudComputingindustry,thereisprobablyaneedtoanalyzetheresultsinmoredepthto1077understandtheprofileofthecorrespondingrespondents.1078
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 32
1079Q17 LevelofyourresourcesandsupporttoCloudComputing 1080
169answers-ýýý10811082ThepurposeofthequestionistoevaluatetheamountandadequacyofICTresourcesdevotedtoCloudComputingin1083therespondents'organization.10841085
1086
10871088Inthevastmajority(almost80%)oforganizations,supportofCloudComputingcomesfromeitheradedicatedoran1089all-purposeICTsupportteam.Inthisgroup,theresourcesdedicatedtoCloudComputingaredeemedenoughto1090satisfytheneeds.Onlyathirdofthem(32%)haveresourcesspecificallydedicatedtoCloud.10911092
A.6 Cloud Computing adoption: preparing your organization 1093
Sometypicalaspectsneedtobeconsideredandsomeconditionsmustbemetinordertomakethetransitiontothe1094Cloudinasecureandreliableway.Thisisthepurposeofthissection. 10951096Q18 DataCategorizationinyourorganization 1097
171answers-ýýý10981099Thisquestionaddressestheway"DataCategorization"ishandledintherespondents'organizationsinpreparationfor1100theadoptionofCloudComputing.11011102Thequestionissupportedbythefollowingtextinthesurvey:1103
DataCategorizationdescribesdataonthebasisofhowitistransferred,processedandused.ExamplesofData1104Categoriesarecustomerdata/content,deriveddata,cloudserviceproviderdataandaccountdata.Pleaseindicate1105abovewhereyoucurrentlyareinthisprocess. 1106
1107
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 33
11081109About80%oftherespondentsareawareofdatacategorizationandhaveatleaststartedtheprocessrelatedtoit.1110SincethisisamajorenablertoCloudComputing(andoneofthefirstactivitiestoundertake),thisisaverypositive1111signalofprogress.11121113Q19 DataClassificationinyourorganization1114
170answers-ýýý11151116Thisquestionaddressestheway"DataClassification"ishandledintherespondents'organizationsinpreparationfor1117theadoptionofCloudComputing.11181119Thequestionissupportedbythefollowingtextinthesurvey:1120
DataClassificationtypicallyreferstoawaytospecifyhowtheinformationcanbeshared,from“openly”to“non-1121disclosed”(secret).ExamplesofDataClassificationtaxonomiesare:“Public,InternalUse,Confidentialand1122RegulatoryHandling”.DataProtectionlevelsareassociatedwithexamplessuchas"Rangingfrom0(unrestricted1123use)to3(extremeconfidentiality)".Theyrequiremeasuresinordertoenforcethelevels,suchasencryption,1124limiteddistribution,etc.Pleaseindicateabovewhereyoucurrentlyareinthisprocess. 1125
1126
11271128Aforthepreviousquestion,about80%oftherespondentsareawareofdataclassificationandhaveatleaststarted1129theprocessrelatedtoit.Hereagain,thisisaverypositivesignalofprogress.11301131
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 34
Q20 DataSecurityinyourorganization1132171answers-ýýý1133
1134Thisquestionaddressestheway"DataSecurity"ishandledintherespondents'organizationsinpreparationforthe1135adoptionofCloudComputing.11361137Thequestionissupportedbythefollowingtextinthesurvey:1138
InordertomovesecurelytotheCloud,manydifferentaspectsofDataSecuritysuchasinformationsecurity,1139informationintegrity,accessandidentitymanagement,contingency,andPersonallyIdentifiableInformation(PII)1140havetobeaddressedandshouldbewelldefinedandunderstood.Pleasestateaboveyourorganization’slevelof1141controlandawarenessinthedatasecuritydomain. 1142
11431144
11451146Theresultisencouragingashalftherespondentsclaima"high"andanotherthirda"medium"datasecuritylevel1147withintheirorganizations.11481149Q21 BusinessProcessesidentification,descriptionandalignmentinyourorganization 1150
169answers-ýýý11511152Thisquestionaddressestheway"BusinessProcessesidentification,descriptionandalignment"ishandledinthe1153respondents'organizationsinpreparationfortheadoptionofCloudComputing.11541155Thequestionissupportedbythefollowingtextinthesurvey:1156
InordertoensureatransitiontotheCloudbasedontheneedsoftheorganization,itisconsideredasbestpractice1157thatthecoreandsupportingprocessesoftheorganizationbeclearlydefinedandsupported,whererelevant,by1158ICTsolutions.Well-controlledprocessesmakethetransitioneasierandallowtheorganizationtomovetothe1159Cloudonthebasisofprioritizedtransitionplans.Pleasestateaboveyourorganization’slevelofbusinessprocess1160situationintermsofidentification,descriptionandalignment. 1161
1162
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 35
11631164Roughly¾oftherespondentsindicatethattheirorganizationhasa(relatively)well-controlledprocessunderway.1165However,theproportionof"high"controlandawarenessislowerthanforthepreviousquestionsrelatedtohandling1166ofdata.Thismaybethesignthetaskathandismorecomplexandoveralllessadvanced.Thisisinlinewiththe1167previousfindingsabout"security"asthemajorconcernoforganizations.11681169Q22 ServiceOrientedArchitectureinyourorganization 1170
169answers-ýýý11711172Thisquestionaddressestheway"ServiceOrientedArchitecture"ishandledintherespondents'organizationsin1173preparationfortheadoptionofCloudComputing.11741175Thequestionissupportedbythefollowingtextinthesurvey:1176
Architecturesbasedonlooselycoupledservices,ServiceOrientedArchitectures(SOA),facilitatethemigrationto1177theCloud.SystemsbasedonSOAmaybeprogressivelytransitionedtotheCloud,basedonprioritiesandany1178policiesintermsofdatadistributionorsecurityinplace.Pleasestateaboveyourorganization’slevelofservice1179orientation. 1180
1181
1182
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 36
1183Aboutthreequartersoftherespondentsclaimthattheirorganizationhasatleaststartedserviceorientedprocedures.1184Buttheproportionofthosewhoconsiderthework"done"isstilllow.Thereasonmayberelatedtotheperceived1185challengeofBusinessProcessesadaptationtoCloudComputing:SOAisoneelementoftheglobalproblem.11861187Q23 SoftwareLicensesinyourorganization 1188
171answers-ýýý11891190Thisquestionaddressestheway"SoftwareLicenses"arehandledintherespondents'organizationsinpreparationfor1191theadoptionofCloudComputing.11921193Thequestionissupportedbythefollowingtextinthesurvey:1194
Ifyourcompanyisworkingwithcommercialsoftware,ithastypicallyacquiredsoftwarelicensesthatallowusing1195thissoftwareon-site.WhenthereisaplantousethissoftwareintheCloud,yourcompanyusuallyhasto1196negotiatewiththeindependentsoftwarevendoraboutusinglicensesforrunningthesoftwareintheCloud.Please1197indicateabovewhereyoucurrentlyareinthisprocess. 1198
1199
12001201Onlyslightlymorethanhalf(58%)oftheorganizationsthatusecommercialsoftwarehavestartednegotiationswith1202theirprovidersonthemigrationofsoftwarelicensesintotheCloud.Andonlyonethirdofthem(36%)havefinalized1203thesenegotiations.Somesignificanteffortsstillneedtobedone.12041205Q24 EnsuringSoftwareSuitabilityinyourorganization 1206
170answers-ýýý12071208Thisquestionaddressestheway"SoftwareSuitability"ishandledintherespondents'organizationsinpreparationfor1209theadoptionofCloudComputing.12101211Thequestionissupportedbythefollowingtextinthesurvey:1212
IfyouplantousesoftwareintheCloudthatyouusedon-siteuntilnow,additionalefforts(besidesresolving1213softwarelicensingissues)mightbeneeded.Examplesofrequiredeffortsare:checkingwhetherthesoftware1214canberunintheVMsoftheCloud;adaptingthesoftwareifneededtomakeuseoftheselectedCloud1215platform’sfeatures;investigatinghowtodistributethesoftwareacrossseveralVMstomaintainorincrease1216performance;evaluatingwhetherallprerequisitesfortheoperationareinplace,etc.Pleaseindicateabove1217whereyoucurrentlyareinthisprocess. 1218
1219
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 37
12201221Roughly60%oftherespondentshaveatleaststartedthesoftwaremigrationwithonlyaround25%ofthisgroupthat1222hasalreadyfinished.Thisisanothersignofthecomplexityofthetaskathand.12231224Another26%ofrespondentsindicatetheyhavenoneedtogothroughthisprocess,whichiscoherentwiththeresults1225ofthepreviousquestion.12261227
A.7 Cloud Computing: Deployment models and Service 1228
categories 1229
1230ThepurposeofthissurveysectionistounderstandwhichDeploymentmodelsandwhichServicecategoriesareof1231majorinteresttotherespondent'sorganization. 12321233Q25 WhichClouddeploymentmodelseemsbestfittoyourneeds? 1234
163answers-ýýý12351236ThepurposeofthisquestionwastoinvestigatetheintentionsoftherespondentregardingdifferentoptionsofCloud1237deploymentmodel.Privatecloudwassplitintwodifferentquestionitems.12381239
12401241PrivateCloud(underitstwoforms:on-premisesandoff-premises)isthepreferredmodel.Hybridandpublicarenot1242far.ThescoreofCommunityCloudcanbeaslowbutaswellasrelativelyencouragingforthismodel.12431244
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 38
Q26 CloudServiceCategory:IaaS(InfrastructureasaService) 1245158answers-ýýý1246
1247FourinstantiationsofIaaSapplicationsareproposedforevaluation.12481249
12501251TheHigh-Availabilityusecaseisbyfarthemostattractiveone.12521253Q27 CloudServiceCategory:PaaS(PlatformasaService) 1254
151answers-ýýý12551256TwoinstantiationsofPaaSapplicationsareproposedforevaluation.12571258
12591260Q28 CloudServiceCategory:SaaS(SoftwareasaService) 1261
158answers-ýýý12621263AlargenumberofinstantiationsofSaaSapplicationsareproposedforevaluation.12641265
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 39
12661267Thenumbercandidateis"Generaldatastorage"withtheotheratadistance.Ontheothersideofthescale,thevery1268lowscoreof"Processingsensitivedata,includingPII"reflectstheoverwhelmingconcernabout"Security"and"Privacy1269andIntegrity".12701271Q29 Doyouhaveinterestintheemergingcategories:CaaS,CompaaS,NaaS,DsaaS? 1272
177answers-ýý☐12731274Thisquestionhasadoubleintention:1275
• TomeasurethedegreeofinterestoftherespondentsforsomenewServicecategoriescurrentlyemerging(in1276particularinstandardization).1277
• Toskipthefollowingsectionincasetheansweris"No".127812791280
12811282
A.8 Emerging Cloud Service Categories 1283
Thepurposeofthissurveysectionistounderstandtherespondents'viewsonnewServicecategoriesthatarestarting1284tobeconsidered(inparticularinstandardization).Foreachofthesecategories,thequestiontargetssometypical1285instantiationsofapplications.12861287
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 40
Q30 CloudServiceCategory:CaaS(CommunicationasaService) 128883answers-ýý☐1289
1290TwospecificapplicationshavebeenevaluatedforthisnewServicecategory.12911292
12931294Q31 CloudServiceCategory:CompaaS(ComputingasaService) 1295
79answers-ýý☐12961297ThreespecificapplicationshavebeenevaluatedforthisnewServicecategory.12981299
13001301Q32 CloudServiceCategory:NaaS(NetworkasaService) 1302
81answers-ýý☐13031304OnlyoneapplicationhasbeenevaluatedforthisnewServicecategory.13051306
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 41
13071308InternetofThingsmaybeseenasaverypromisingapplication,andmaybeareasonfortheinterestinthisnew1309Servicecategory.13101311Q33 CloudServiceCategory:DsaaS(StorageasaService) 1312
86answers-ýý☐13131314TwospecificapplicationshavebeenevaluatedforthisnewServicecategory.13151316
13171318Bothapplicationshavebeenreceivingsignificantagreement.BigDatamaybeseenasthemostpromisingapplication,1319andmaybeareasonfortheinterestinthisnewServicecategory.13201321
A.9 Cloud Computing and Standards 1322
Thepurposeofthissectionistocaptureahigh-levelviewonCloudComputingstandards,beitgoodand/orbad. 13231324
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 42
Q34 WhichimpactcanCloudComputingStandardshaveonyourorganization'sconcerns? 1325153answers-ýýý1326
1327Thepurposeofthisquestionistomeasurethesupportfromstandardizationexpectedbytherespondents'1328organizationwhentheyfacesomemajor(businessortechnical)challenges.13291330
13311332Formostofthedomains,thesumof"Medium"and"High"answersisinmostcaseabove75%.Thetopthreedomains1333are"Security","Privacyandintegrity"and"Interoperability".Thisiscoherentwiththefindingintheprevious1334questionsrelatedtochallenges.Thefollowingquestionsaddresstheseexpectationstowardsstandardsinmore1335details.13361337Q35 TowhichdegreeareCloudComputingStandardsconsideredorusedinyourorganization? 1338
151answers-ýýý13391340Thisquestionintendstomeasurethedegreeofinvestmentonstandards(fromsimpleknowledgetoactualusage).13411342
13431344
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 43
Whenaskedabouttheactualplaceofstandardsintheirorganization,therespondentsarealsogivingthesignalthat,1345inmorethan75%ofthecases,standardsare"considered"or"used".Thisshowsaconcreteinvestmentonstandards,1346togetherwetheexpressedneedtohaveabetterknowledge.13471348Q36 Areyouwilling/abletogivefeedbackindetailonCloudComputingStandards? 1349
165answers-ýý☐13501351Thisquestionhasadoubleintention1352
• TomeasurethedegreeofinterestoftherespondentsforsomeparticularCloudComputingstandards.1353• Toskipthefollowingsectionincasetheansweris"No".1354
13551356
13571358Notfarfromhalfoftherespondentseemedinterestedbydetailedfeedbackonspecificstandards,whichcameasa1359relativesurprise.However,itshouldbenotedthattherateofactualanswersinthefollowingsectioniswellbelowthe1360numberofrespondentsthathavechosentovisitthatsectionofthesurvey.13611362
A.10 Cloud Computing Standards: a detailed view 1363
Thepurposeofthissectionistoevaluatetherespondents'perceptionofstandardsgapsandtomeasurethevisibility1364ofsomemajorCloudComputingstandardsclassifiedacrossseveraltechnicaldomains. 13651366Q37 InwhichdomainhaveyoubeenconfrontedwiththelackofCloudComputingstandards? 1367
62answers-ýý☐13681369ThepurposeofthisquestionistogettheviewontherespondentsontechnicaldomainsofCloudComputingwere1370theyperceivealackofapplicablestandards.Thisquestionisaskedtotherespondentsthathavechosentoprovide1371detailedfeedbackonspecificstandards.13721373
1374
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 44
1375Mostofthedifferentdomainsreceiveasignificantscore,withthesameusualtopones.Thehighscoreof"Service1376LevelAgreement"mustbenoted:thisquestionreceivesmoreattentionfromatechnicalstandpointthaninthe1377previousquestionsregardingchallengesoradoptionofCloudComputing.13781379Itshouldalsobesaidthat,unfortunately,thisquestionshouldhavebeenpositionedintheprevioussection,together1380withtheotherglobalquestionsonstandards.However,thiswasdiscoveredonlyoncethesurveyhadstartedandno1381waytochangethiswaspossiblewithoutdisruptingthecollectofinformation.13821383Q38 Yourorganization'sadoptionanduseofCCstandards:Generalpurpose 1384
60answers-ýý☐13851386Alistof"generalpurpose"standards(e.g.applicabletoalargepartoftheCloudComputingtechnicalspace)is1387proposedforevaluationoftherespondents'knowledgeaboutand,inthebestcase,usageofthesestandards.13881389
13901391Inallcases,thelevelofknowledgeand/orusageonthesestandardsislow.WiththeexceptionofthetwoISO/IEC1392standardsrelatedtobasicelementssuchasvocabularyandreferencearchitecture,theotheronesarelargelystillin1393anevaluationphase.13941395Q39 Yourorganization'sadoptionanduseofCCstandards:Security 1396
59answers-ýý☐13971398Alistof"security"standardsisproposedforevaluationoftherespondents'knowledgeaboutand,inthebestcase,1399usageofthesestandards.14001401
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 45
14021403Theremarksmadeforthepreviousquestionapplyalsohere.14041405Q40 Yourorganization'sadoptionanduseofCCstandards:Dataprotection 1406
59answers-ýý☐14071408Alistof"dataprotection"standards(actuallylimitedtoone)isproposedforevaluationoftherespondents'1409knowledgeaboutand,inthebestcase,usageofthesestandards.14101411
14121413ThevisibilityofISO/IEC27018[i.11](relatedtoCodeofPracticeforPII)isbelowwhatwecouldhaveexpectedthough1414itaddressesasubjectofconcernandisverymuchcurrentlyatthecenterofattention.Awarenessanduptakeof1415ISO/IEC27018[i.11]needstobemonitored.14161417Q41 Yourorganization'sadoptionanduseofCCstandards:Management 1418
58answers-ýý☐14191420Alistof"management"standardsisproposedforevaluationoftherespondents'knowledgeaboutand,inthebest1421case,usageofthesestandards.14221423
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 46
14241425Similarobservationscanbemadethanforquestions38or39.14261427Q42 Yourorganization'sadoptionanduseofCCstandards:ServiceLevelAgreement 1428
57answers-ýý☐14291430Alistof"servicelevelagreement"(SLA)standardsisproposedforevaluationoftherespondents'knowledgeabout1431and,inthebestcase,usageofthesestandards.14321433
14341435Allthesestandardsarenotknowbythemajorityofrespondents.Thishasalsotobeputinperspectivewiththe1436relativelyhighfigure(65%asthetotalof"Critical"and"VeryCritical"answers)regardingSLAasachallengeinQ11.It1437maybeseenasthesignalthatthesestandardsarenotperceivedasprovidingasignificantanswertotheSLAcomplex1438question.14391440Q43 Yourorganization'sadoptionanduseofCCstandards:Portability 1441
58answers-ýý☐1442
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 47
1443Alistof"Portability"standardsisproposedforevaluationoftherespondents'knowledgeaboutand,inthebestcase,1444usageofthesestandards.14451446
14471448Thesamepatternofstandardsvisibilityappliesalsoforthisdomain.14491450Q44 Yourorganization'sadoptionanduseofCCstandards:Multi-cloud,Cloudfederation 1451
57answers-ýý☐14521453
1454
14551456TheremarksmadeinQuestion40aboutISO/IEC27018[i.11]arealsolargelyvalidforthisstandard.14571458
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 48
Q45 Yourorganization'sadoptionanduseofCCstandards:Application 145958answers-ýý☐1460
1461
14621463Thepatternofstandardsawarenessidentifiedinthepreviousquestionsappliesalsoforthisdomain.14641465Q46 Anyotherstandardnotlistedherethatyourorganizationknowsaboutandisconsidering1466(oneormore)? 1467
9answers-ý☐☐14681469Thiswasanopenquestion.Someoftheanswersreceivedinclude:1470
• DeFactoStandardse.g.,ApacheDeltaAPIs1471• LEETSECURITYratingguide1472• Thislistisfartoonumerousandtoocomplex.Wejustneedtwostandards:1)sufficientsecurity;2)Compliant1473
withtheEuropeanlaws(Directive1995).1474• ISO/IEC19086(drafts)1475
1476SAML2,CDMI,OCCIanddefactostandardssuchasApacheDeltaAPIsarementionedasadditionalstandardsthatcan1477beapplicableintheCloudComputingspace.14781479
A.11 Cloud Computing Certification Standards 1480
1481Thepurposeofthissectionistochecktherespondents'intentionsregardingcertificationandhowstandardscan1482supportthem.14831484Itissupportedbythefollowingtextinthesurvey: 1485
Certificationisawaytoindicatetocustomersthatacompanyfollowscertainrulesandprocesses(definedinthe1486contextofcertification)andconsequentlytodisburdenthemfromregularlycheckingthecertifiedcompany. 1487 1488CloudCustomersareencouraged–orevenobligedbynationallawinsomeEuropeancountries–toverifythe1489reliabilityofa(Cloud)providerbeforesigningacontract.CloudComputingCertificationStandardsmayappear1490helpfulasdecisionsupport,specificallyasfarastheCertificationscopecoversthemainareasofinterestsandis1491fullytransparent. 1492
1493Q47 WouldyouconsiderCloudCertificationasapossibilitytoimproveconfidenceinCloud? 1494
143answers-ýýý14951496
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 49
14971498Thefeedbackfromtherespondentsontheroleofcertificationisclear:itisaveryusefulwaytoimproveconfidencein1499CloudComputingforaverylargemajority(over80%).15001501Q48 PleaserankthefollowingCloudCertificationareasaccordingtheirimportance 1502
243answers-ýýý15031504Regardingthescopeofcertification,alistof12domainshasbeenproposedinthisquestion.15051506
15071508ThenumberonecandidateforcertificationisDatastoragelocation.Thisisreflectingtheconcernalreadyidentifiedin1509theprevioussectionsofthesurvey(e.g.adoptionofCloud)onlegalandtechnicalsupporttotheprotectionofthe1510organization'sdata.Certificationisseenasapotentialenabler.15111512Thenextthreedomainsintherespondents'rankingareregardingtechnicalconcerns:CloudDatacenterinfrastructure,1513CloudProvisioningprocessesandInteroperability/Reversibility.Hereagainthequestionofdata(integrity,1514reversibility)canbeseenasamajorconcern.15151516Q49 WhichfurtherareaswouldyouconsiderasrelevantforaCloudCertification?1517
19answers-ý☐☐15181519Thiswasanopenquestion.Amongsttheanswersreceived:1520
• Cloudserviceinsurance1521
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 50
• Greendatacenterinfrastructure1522• ITILProcessesAPIinteractionsFinancialControl1523• Wejustneedtwocertifications:1)sufficientsecurity;2)CompliantwiththeEuropeanlaws(Directive1995)1524
andeventualnationaladditions.ButthesecertificationsshouldbevalidatedbytheWP29as“Enoughtobe1525fullycompliantwiththeEuropeanandnationallaws”.1526
• Accountability1527• Governance1528
1529Additionalcertificationareasmentionedinclude“jurisdictionandlegalsystemgoverningtheprovider”,“capacity1530management”,“greendatacenterinfrastructure”,“securityrating”,“Cloudserviceinsurance”and“multi-vendors1531scheme”.15321533Q50 Canyouratetheimportanceofthefollowingtypesofcertificationforyourorganization?1534
134answers-ýýý15351536Severaltypesofcertificationareproposedforevaluation.15371538Thequestionissupportedbythefollowingtext:1539
CloudProviderCertification:Certificationofindividualenterprises,whoareproviding–oneorseveralcloud1540services–tothemarket. 1541CloudServiceCertification:Certificationofindividualcloudservicesandacrossallpartnersinvolvedintheservice1542provisioningprocess. 1543SelfCertification:CertificationProcessconductedbythecloudserviceproviderhimself. 1544Certificationbyaccreditedauditors: 1545CertificationProcessconductedbyindependentandaccreditedauditors. 1546CertificationStandardsreflectingEuropeanrequirements: 1547TheCertificationScopecoversCloudSecurity&Privacy,operationalandcontractualaspectsinreferencetolegal1548Europeanrequirements.CertificationStandardsreflectingGlobalrequirements: 1549TheCertificationScopecoversCloudSecurity&PrivacyaspectsinreferencetoGlobalrequirements. 1550UniqueCertificationScope: 1551AdefinedCertificationScopeforalltypesofCloudServicesorCloudProviders(seeabove). 1552GradedCertificationScope: 1553Asetofgraduatedcertificationsreflectingdifferentqualitylevelstoallowcertificationalsoformedium-sizedcloud1554providers. 1555
1556
15571558Withtheexceptionofself-certification,andtosomedegreeofthe"one-size-fits-all"one,allotherschemesareseen1559ashavingsomemerit.15601561Q51 AreyouawareoftheCloudCertificationSchemesList(CCSL)? 1562
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 51
136answers-ýýý15631564
15651566WhenfacingtheselectionofCloudCertificationschemes,anorganizationisofferedalargesetofsuchschemes.The1567CloudCertificationSchemeList(CCSL)isanattempttomakeaselectionofsuchschemes.Thesurveyshowsthatonly156831%ofrespondentsareawareofthislist.15691570Q52 WhichofthefollowingCloudCertificationSchemeslistedinCCSLareyouareawareof? 1571
114answers-ýýý15721573Thisquestionwasmeantformorepreciseanswersforthe(31%-asseeninQ51–of)respondentsthatareawareof1574theCCSLlistregarding12certificationschemesreferenced.15751576
15771578ThemostsignificantresultisthespecificappealofISO/IEC27001,thoughitisnotaCloudComputingspecific1579standard.Theothercertificationschemesarelargelybehind,maybebecausetheyallarecountryandregionspecific1580anddonothavetheglobalrecognitionthatISO/IEChasworldwide.15811582Q53 AsaCloudCustomer,doyouplantoincludeoneoftheseCertificationsinyourCloud1583
Purchasingprocesses? 1584136answers-ýýý1585
1586
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 52
15871588Thereisaclearmajorityof"Yes".15891590Q54 Ifnot,whatarethemainreasons? 1591
27answers-ý☐☐15921593Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:1594
• Notyetneeded1595• Notfamiliarwiththem1596• Wearesatisfiedwithpresentlevelanddeliveryofservices1597• Nomoney1598• Toocomplex,wedon'tknowwhatdotheyreallymean,whatdotheyreallycover,whohaselaboratedthem1599
inwho'sinterest,whethertheyarecompliantwithEuropeanorWP29obligations,andISO27001and1600SOC1&2notCloudspecific.Wejustneed2certificationsstampedbytheEC&WP29tobesurethatourdatais1601protectedandthatwearecompliantwithEuropeanlaws1602
• LackofinformationregardingCloudCertificationSchemes;insufficienttrustintheircapabilitiesto1603adequatelyassess/certifyprivacy/securityaspects1604
• We only shop from major providers and have no position of negotiation.16051606ManyrespondentsthatbelongtotheCloudCustomercategoriesthatareNOTinterestedincertificationprogramsare1607lackinginsightintothevalueofthecertificationprogramsoraresimplynotawareofthecertificationprograms.Lack1608ofbudgetanduncertaintiesonthevaluearealsopresentedasreasonsfornotusingcertificationschemes.16091610Q55 AsaCloudProvider,doyouplantocertifyyourCloudserviceoffering? 1611
123answers-ýýý16121613
16141615Thereisaclearmajorityof"Yes".16161617Q56 Ifnot,whatarethemainreasons? 1618
20answers-ý☐☐16191620Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:1621
• Wewillonlycertifyaccordingtolegaldemand1622• Notinplannow,butifmarketwillaskforit,thenwe'llreconsider1623
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 53
• Notdemandedbycustomers1624• OnlyISO27001,asthishasnamerecognitionwithcustomers1625• Lackoftimeandknowledge1626
1627Amongsttheproviderswhohavenotbeenyetusinganycertificationprogram,“costandtime”,“notrequestedby1628customers”andnoperceivedrelevancearesomeofthemotivesfornotusingcertificationprogram16291630
A.12 Information on the person replying to the survey 1631
Thepurposeofthissectionistocollectadditionalinformationfromtherespondents.Noneofthisinformationisfor1632publicdisclosureaccordingtotheprivacypolicyannouncedinthefirstsectionofthesurvey.Someaggregationofthe1633answersispossible.16341635Q57 Whatisyourroleinyourorganization?1636
110answers-ý☐☐16371638Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.Amongsttheanswersreceived:1639
• CXOpositions(41%).1640• ProjectManagers,Architects,Datacenteradministrators,…(36%)1641• Researchers1642• Consultants1643• …1644
1645Q58 WhatisyourexperienceinCloudComputing?(length,expertise,etc.)1646
104answers-ý☐☐16471648Thisquestionwasopenquestionandonlyafewvoluntaryanswersexpected.16491650RespondentsansweringtothequestionaboutCloudpastexperienceshaveingeneral4-10yearsofexperience,with1651onaverage4-5yearsexperiencedominatingamongtherespondents.Experiencesspanovermanyareas,with1652expertisespanningoverprocurement,SaaSdevelopment,Security,businessprocessmodelingandmore.16531654Q59 Youcanalsoleaveusyouremail 1655
34answers-☐☐☐1656Accordingtotheprivacypolicy,theseanswersarenotdisclosed.16571658 1659
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 54
1660
Annex B: List of the survey distribution channels 1661
Over100organizations,stakeholdersand/orcompanieshavebeencontactedfortheirsupporttothesurvey(many1662timestwiceormore).Dependingontheirabilities,theannouncementofthesurveyhasbeenrelayedtopartorall1663membersofthecontact(e.g.acompany,aLinkedIngroup,aStandardsSettingOrganization,etc.).16641665Thelistcanbeconsultedbelow.16661667Organization/Company/Stakeholder Channel Firstdate andagainAFNOR Telephone/email 13/04/15 CloudCatalyst Web/Newsletter 13/04/15 CloudComputing LinkedIn 30/03/15 15/05/15CloudComputingAssociation LinkedIn 30/03/15 15/05/15CloudComputingBestPractices LinkedInGroup,6000+contacts 30/05/15 CloudComputingStandardsForum LinkedIn 30/03/15 15/05/15CloudComputingStandardsForum LinkedInGroup,4000+contacts 30/05/15 CloudNetworking LinkedIn 02/04/15 15/05/15CloudPier LinkedIn 02/04/15 15/05/15CloudPSI LinkedIn 02/04/15 15/05/15CloudSecurityAlliance LinkedIn 02/04/15 15/05/15CloudSecurityAllianceGermanChapter LinkedIn 02/04/15 15/05/15CloudSpecialIndustryGrouponSLA e-mail 12/04/15 CloudSweden e-mail 30/03/15 Cloud4Europe e-mail 02/04/15 15/05/15CloudforEurope Twitter 18/05/15 CloudInterop Twitter 18/05/15 CloudingSME Web/Newsletter 13.04.15 CloudScape e-mail 30/03/15 Cloudwatch e-mail 30/03/15 02/04/15Cloudwatch LinkedIn 15/05/15 ConversationsonCloudComputing LinkedInGroup10.000+contacts 30/05/15 CoreGRID LinkedIn 02/04/15 15/05/15CSCphase1participants email 14/04/15 DGCONNECT(EC) email/telephone/Website 31/03/15 05/05/15DGDIGIT(EC) e-mail 01/04/15 DIFI(theNorwegianICTauthority) e-mail 30/03/15 DigitalAgendaforEurope2010-2020 LinkedIn 02/04/15 15/05/15DIGITALTRANSFORMATION(CloudComputing,Virtualization,Social,MobileandBigData)
LinkedIn 30/03/15 14/04/15
DIGITALTRANSFORMATION(CloudComputing,Virtualization,Social,MobileandBigData)
LinkedIn 15/05/15
DIGST(theDanishICTauthority) e-mail 31/03/15 DMTF e-mail 01/04/15 Ecoe.V.(Germany/International) Web/Newsletter,Twitter,LinkedIn 13.04.15 EGI e-mail 30/03/15
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 55
Organization/Company/Stakeholder Channel Firstdate andagainEGI,CloudWatchHub e-mail 15/05/15 ETSI CollectiveLetter 03/04/15 05/05/15ETSIpeople LinkedIn 22/05/15 EU-ChinaCooperationonICTResearch LinkedIn 02/04/15 15/05/15EuroCIO email/telephone 13/04/15 15/05/15EurocloudAustria Web/Newsletter 03.04.15 EurocloudBelgium Web/Newsletter 03.04.15 EurocloudDenmark Web/Newsletter 03.04.15 EurocloudEurope Web/Newsletter/Twitter/LinkedIn 03.04.15 EurocloudEuropeGroup LinkedInGroup,2200+contacts 30/05/15 EurocloudFrance LinkedInGroup,600+contacts 30/05/15 EurocloudFrance Web/Newsletter 03.04.15 EurocloudGermany LinkedInGroup,400+contacts 30/05/15 EurocloudGermany Web/Newsletter 03.04.15 EurocloudHungary Web/Newsletter 03.04.15 EurocloudItaly Web/Newsletter 03.04.15 EurocloudLuxembourg LinkedInGroup,130+contacts 30/05/15 EurocloudLuxembourg Web/Newsletter 03.04.15 EurocloudMalta Web/Newsletter 03.04.15 EurocloudNetherlands LinkedInGroup,200+contacts 30/05/15 EurocloudNetherlands Web/Newsletter 03.04.15 EurocloudPoland Web/Newsletter 03.04.15 EurocloudPortugal Web/Newsletter 03.04.15 EurocloudRomania Web/Newsletter 03.04.15 EurocloudRussia Web/Newsletter 03.04.15 EurocloudSerbia Web/Newsletter 03.04.15 EurocloudSlovakia Web/Newsletter 03.04.15 EurocloudSlovenia ECSILinkedIn 03.04.15 EurocloudSlovenia/ZITex LinkedInGroup,600+contacts 30/05/15 EurocloudSpain Web/Newsletter 03.04.15 EurocloudSweden Web/Newsletter 03.04.15 EurocloudSwedenGroup LinkedInGroup,150+contacts 30/05/15 EurocloudSwiss Web/Newsletter 03.04.15 EurocloudUK Web/Newsletter 03.04.15 EurocloudUKGroup LinkedInGroup,500+contacts 30/05/15 FraunhoferCloudAlliance e-mail 30/03/15 15/05/15FraunhoferCloudAlliance e-mail 15/05/15 FrenchMinistryofEconomy email 15/04/15 GI-Radar e-mail 12/04/15 HPC&BigData LinkedIn 14/04/15 15/05/15HPCcloud LinkedIn 02/04/15 15/05/15I4MS LinkedIn 02/04/15 15/05/15IAMCPSweden e-mail 30/03/15 IBMSweden e-mail 30/03/15 IEEE2301 e-mail 15/05/15 IEEE2302 e-mail 15/05/15
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 56
Organization/Company/Stakeholder Channel Firstdate andagainIEEECloudComputing LinkedIn 02/04/15 15/05/15IEEEComputerSocietyMembers LinkedIn 02/04/15 15/05/15ISOJTC1SC38 e-mail 01/04/15 LinkedInpulse LinkedInpulse 21/05/15 NEA(networkfore-BusinessinSweden) e-mail 01/04/15 NIST e-mail 01/04/15 OASIS e-mail 01/04/15 OGF e-mail 02/04/15 OGFStandards Twitter 01/04/15 OpenCloudComputingInterface LinkedIn 02/04/15 15/05/15OpenGroup e-mail 01/04/15 OpenNebulafortheEnterprise LinkedIn 02/04/15 15/05/15OpenNebulaOpenSourceCloudCommunity
LinkedIn 02/04/15 15/05/15
OpenStack LinkedIn 13/04/15 15/05/15OPTIMIS LinkedIn 02/04/15 15/05/15ORBITEUFP7Project LinkedIn 02/04/15 ScientificCloudComputing(ScienceCloud) LinkedIn 02/04/15 15/05/15Scout2Cloud LinkedInPulse,500+personal
contacts30/05/15
SienaInitiative LinkedIn 02/04/15 15/05/15SoftwareasaService LinkedInGroup,68000+contacts 30/05/15 SwedishFinancialManagementAuthority(ESV)
e-mail 30/03/15
SwedishICTandTelecomorganization e-mail 30/03/15 SwedishMinistryofEnterprise e-mail 30/03/15 SwedishMinistryofPension e-mail 30/03/15 SwedishStandardsOrganization e-mail 30/03/15 TeleManagementForum e-mail 02/04/15 TrustedCloudCompetenceCentre e-mail 30/03/15 UberCloud e-mail 06/04/15 UEAPME email 13/04/15 1668 1669
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 57
1670
Annex C: Full text of the survey 1671
Thefulltextoftheon-linesurveycanbefoundbelow.16721673Thedifferentsectionsareprintedwithoutpagebreaks.Intheon-linesurvey,theyareseparatedbyalinewith1674"Previous"and"Next"buttons.1675
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 58
1676
Cloud Standards Coordination (CSC)
CSC is a collaboration initiative between the European Commission and ETSI (the European
Telecommunications Standards Institute). CSC Phase 1 took place in 2013 and addressed primarily
the standards roadmaps. CSC Phase 2, launched in February 2015, addresses the needs and
priorities of Cloud Computing users, assesses the maturity of Cloud Computing standards, and
evaluates how standards can support the Cloud users priorities.
Some background information on this survey
Purpose of this survey
This survey intends to collect feedback from the Cloud Computing community about needs, objectives,
areas of concerns, and typical scenarios. It also intends to evaluate the perceived maturity of Cloud
standards.
Target audience
This survey targets end users (“Cloud Service Customers”) from the private or public sector, from the
SMEs as well as large organizations, in all vertical sectors. Other stakeholders (e.g. Cloud Service
Providers) are fully welcome to answer.
Who is in charge?
This survey has been created and will be analyzed by the CSC Phase 2 project, under the responsibility of
ETSI.
Contact: ETSI CSC Phase 2 ( [email protected])
Privacy/Confidentiality
No details of companies and/or individuals participating will be released to the general public in any form
that allows identification of the respondent. Answers to this survey will be shared and used only amongst
the ETSI experts. Only aggregated results will be published.
Please TAKE THE SURVEY, answering the following questions to the best of your knowledge.
It will take 20 minutes of your time and you will provide valuable input to the ongoing effort to develop
relevant standards for use in Cloud Computing.
A few questions with an asterisk before the question number (e.g. *4. Size of your organization) require an
answer.
1. Are you familiar with Cloud Standards Coordination?
Yes Somehow No
2. Are you familiar with ETSI?
Yes Somehow No
Some information to position your organization in the global landscape.
General purpose information
1
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 59
1677
3. Name of your organization (not mandatory)
* 4. Size of your organization
Micro (up to 9 employees)
Small (up to 49 employees)
Medium-sized (up to 249 employees)
Large (over 249 employees)
* 5. Sector in which your organization operates
Agriculture, Forestry and Fishing
Mining and Quarrying
Manufacturing
Electricity, gas, steam and air conditioning
Water Supply; Sewerage, Waste Management
Construction
Wholesale and Retail Trade; Repair of Motor Vehicles
Transportation and Storage
Accommodation and Food Service Activities
Information and Communication
Financial and Insurance Activities
Real Estate Activities
Professional, Scientific and Technical Activities
Administrative and Support Service Activities
Public Administration and Defense; Social Security
Education
Human Health and Social Work Activities
Arts, Entertainment and Recreation
Other Service Activities
Activities of Households as Employers
Activities of Extraterritorial Organisations and Bodies
Other (please specify)
Based on “Statistical Classification of Economic Activities in the European Community, Rev. 2 (2008)”, see here.
* 6. Region/Country in which your organization mainly operates?
Africa
Asia
Central America
Europe (Eastern and/or non EU)
Middle East
North America
Oceania
South America
The Caribbean
European Union (please specify)
Moving to Cloud Computing: expect benefits and challenges to face
2
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 60
1678
7. How high are your expectations on potential Cloud Computing benefits?
None Low Medium High Very high
Reduction of infrastructure investments (CAPEX)
Reduction of operational costs (OPEX)
Faster Time-to-Market
Faster Return on Investment
Improved compliance with regulation
Improved business agility
Increased focus on the core mission of our
organization
Reduced need for ICT expertise
Reduced risk from own ICT operations
Support for organizational growth
Green ICT
8. If there are other benefits highly expected by your organization, please specify
We would now like to understand which risks you see associated with Cloud Computing from two angles. On the one hand, there
are challenges that your organization is facing before considering a migration to Cloud Computing and associated actions to be
undertaken upfront. On the other hand, Cloud Computing itself may be mature enough or not depending on the expectations of
your organization.
9. Maturity of your organization: how critical are the following challenges?
Not critical Somehow critical Critical Very critical
Lack of experience in Cloud Computing
Lack of external Cloud Computing skills
Organizational resistance to change
Current legacy investments
Compatibility with in-house systems
Security
Privacy and integrity
Legal issues, laws, regulations
10. If there are other critical challenges to your organization, please specify
3
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 61
1679
11. Maturity of Cloud Computing: how critical are the following issues for your organization?
Not critical Somehow critical Critical Very critical
Performance and efficiency
Lack of standards and standard APIs
Lack of Open Source solutions
Portability across vendor solutions
Interoperability across vendor solutions
Security
Privacy and integrity
Service Level Agreement
Governance
Auditability
Resiliency
Vendor or data lock-in
12. If there are other critical issues with Cloud Computing, please specify
* 13. Has your organization started to adopt Cloud Computing?
No Somehow Yes
If your answer is "No", the section on adoption of Cloud Computing will be skipped.
Please describe your Cloud Computing adoption strategy and your role.
Adoption of Cloud Computing in your organization
14. Scope of your Cloud Computing usage in the near term
Migration of supporting business processes
Migration of core business systems (legacy)
Cloud Computing as the platform for your ICT resources
Other (please specify)
15. Stage of Cloud Computing Adoption
Consider adoption in the near future
On-going pilot experiment(s)
On-going deployment of solutions
Solutions already deployed on the Cloud
Entire ICT on the Cloud
4
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 62
1680
16. Role of your organization in Cloud Computing
Cloud Service Customer
Cloud Service Provider
Cloud Service Developer
Cloud Service Broker
Cloud Auditor
Other (please specify)
17. Level of your resources and support to Cloud Computing
No specific resources
Adequate support from the IT team
Dedicated Cloud support team
Other (please specify)
Some typical aspects need to be considered and some conditions must be met in order to make
the transition to the Cloud in a secure and reliable way. We are going to address some of them
below.
Cloud Computing adoption: preparing your organization
18. Data Categorization in your organization
None Started On-going Done Unknown
Data Categorization describes data on the basis of how it is transferred, processed and used. Examples of Data Categories are
customer data/content, derived data, cloud service provider data and account data. Please indicate above where you currently are
in this process.
19. Data Classification in your organization
None Started On-going Done Unknown
Data Classification typically refers to a way to specify how the information can be shared, from “openly” to “non-disclosed”
(secret). Examples of Data Classification taxonomies are: “Public, Internal Use, Confidential and Regulatory Handling”. Data
Protection levels are associated with examples such as "Ranging from 0 (unrestricted use) to 3 (extreme confidentiality)". They
require measures in order to enforce the levels, such as encryption, limited distribution, etc. Please indicate above where you
currently are in this process.
20. Data Security in your organization
Low Medium High Unknown
In order to move securely to the Cloud, many different aspects of Data Security such as information security, information integrity,
access and identity management, contingency, and Personally Identifiable Information (PII) have to be addressed and should be
well defined and understood. Please state above your organization’s level of control and awareness in the data security domain.
5
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 63
1681
21. Business Processes identification, description and alignment in your organization
Low Medium High Unknown
In order to ensure a transition to the Cloud based on the needs of the organization, it is considered as best practice that the core
and supporting processes of the organization be clearly defined and supported, where relevant, by ICT solutions. Well controlled
processes make the transition easier and allow the organization to move to the Cloud on the basis of prioritized transition plans.
Please state above your organization’s level of business process situation in terms of identification, description and alignment.
22. Service Oriented Architecture in your organization
None Started On-going Done Unknown
Architectures based on loosely coupled services, Service Oriented Architectures (SOA), facilitate the migration to the Cloud.
Systems based on SOA may be progressively transitioned to the Cloud, based on priorities and any policies in terms of data
distribution or security in place. Please state above your organization’s level of service orientation .
23. Software Licences in your organization
Not needed (e.g. no commercial software used)
On-going negotiation
Negotiation completed successfully
Not feasible (e.g. too expensive)
Unknown
If your company is working with commercial software, it has typically acquired software licenses that allow using this software on-
site. When there is a plan to use this software in the Cloud, your company usually has to negotiate with the independent software
vendor about using licenses for running the software in the Cloud. Please indicate above where you currently are in this process .
24. Ensuring Software Suitability in your organization
Not needed (e.g; Software already runs in a virtualized environment)
On-going evaluation
Evaluation and necessary modifications completed successfully
Not feasible (e.g. no appropriate environment available, porting too expensive)
Unknown
If you plan to use software in the Cloud that you used on-site until now, additional efforts (besides resolving software licensing
issues) might be needed. Examples of required efforts are: checking whether the software can be run in the VMs of the Cloud;
adapting the software if needed to make use of the selected Cloud platform’s features; investigating how to distribute the software
across serveral VMs to maintain or increase performance; evaluating whether all prerequisites for the operation are in place,
etc. Please indicate above where you currently are in this process.
We would would like to understand which Deployment models and which Service categories are of
major interest to your organization.
Cloud Computing: Deployment models and Service categories
6
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 64
1682
25. Which Cloud deployment model seems best fit to your needs?
On-premises Private Cloud
Off-premises Private Cloud
Community Cloud
Public Cloud
Hybrid Cloud
Other (please specify)
26. Cloud Service Category: IaaS (Infrastructure as a Service)
E-Delivery
High Availability in the event of a disaster or a large-scale
failure
Internet of Things
Peak Load Management including Cloud bursting across
multiple clouds
None or Other (please specify)
27. Cloud Service Category: PaaS (Platform as a Service)
Internet of Things Software Development
None or Other (please specify)
28. Cloud Service Category: SaaS (Software as a Service)
General data storage
Customer Relationship Management (CRM)
Enterprise Resource Planning (ERP)
E-Invoicing
E-Business
Profiling (Social media, web presence)
Human Resources
Business Intelligence
Internet of Things
Open Data
Project Management
Software Development
Supply Chain Management
Process sensitive data, including Personally Identifiable
Information (PII)
None or Other (please specify)
* 29. Do you have interest in the emerging categories: CaaS, CompaaS, NaaS, DSaaS?
Yes No
If you answer "No", those categories will be skipped.
To specify your categories (and examples of instantiations in each category) of interest
Emerging Cloud Service Categories
7
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 65
1683
30. Cloud Service Category: CaaS (Communication as a Service)
VoIP Teleconferencing
None or Other (please specify)
31. Cloud Service Category: CompaaS (Computing as a Service)
Forecasting
Modeling
Simulation
None or Other (please specify)
32. Cloud Service Category: NaaS (Network as a Service)
Internet of Things
None or Other (please specify)
33. Cloud Service Category: DSaaS (Storage as a Service)
Big Data Back-up
None or Other (please specify)
Your high-level view on Cloud Computing standards, good and/or bad.
Cloud Computing and Standards
34. Which impact can Cloud Computing Standards have on your organization's concerns?
None Low Medium High
Do not
know
Performance and efficiency
Lack of Open Source solutions
Portability across vendor solutions
Interoperability across vendor solutions
Security
Privacy and integrity
Service Level Agreement
Governance
Auditability
Resiliency
Vendor or data lock-in
8
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 66
1684
35. To which degree are Cloud Computing Standards considered or used in your organization?
Standards are used
Standards are considered
Standards are not well known
Standards will require too much effort
Standards will have little impact on business
Unaware of Cloud Computing standards
Other (please specify)
* 36. Are you willing/able to give feedback in detail on Cloud Computing Standards?
Yes No
If you answer "No", the section related to the evaluation of standards will be skipped.
Here, we would like to evaluate your perception of standards gaps and to measure the notoriety of
some major Cloud Computing standards.
Cloud Computing Standards: a detailed view
37. In which domain have you been confronted with the lack of Cloud Computing standards?
Security
Service Level Agreement
Data protection
Interoperability
Portability
Management
Identity Management
Application Programming Interfaces (API)
None or Other (please specify)
38. Your organization's adoption and use of CC standards: General purpose
No knowledge
Under
evaluation Well known
Used &
referenced
ITU-T Y.3500 | ISO/IEC 17788: Cloud Computing – Overview
and vocabulary
ITU-T Y.3502 | ISO/IEC 17789: Cloud computing reference
architecture
ITU-T Y.3501: Cloud Computing Framework and High-level
Requirements
ITU-T Y.3510: Cloud Computing Infrastructure requirements
ITU-T Y.3520: Cloud computing framework for end-to-end
resource management
ISO/IEC 20000-1: Service management system requirements
TIA ANSI/TIA-942-A: Telecommunications Infrastructure
Standards for Data Centers
9
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 67
1685
39. Your organization's adoption and use of CC standards: Security
No knowledge
Under
evaluation Well known
Used &
referenced
ISO/IEC 27001: Information security management systems –
Requirements
ISO/IEC 27002: Code of practice for information security
controls
ISO/IEC 27017: Guidelines on Information security controls for
the use of cloud computing services
ITU-T X.1601: Security framework for cloud computing
CSA CCM 3.0: Cloud Control Matrix (Specification)
CSA CTP: Cloud Trust Protocol (Specification)
CSA A6: Cloud Audit (Specification)
CSA PLA: Privacy Level Agreement (Specification)
CSA TCI Reference Architecture: Trusted Cloud Initiative
(Specification)
CSA OCF: Open Certification Framework (Specification)
40. Your organization's adoption and use of CC standards: Data protection
No knowledge
Under
evaluation Well known
Used &
referenced
ISO/IEC 27018: Code of practice for protection of personally
identifiable information (PII) in public clouds acting as PII
processors
41. Your organization's adoption and use of CC standards: Management
No knowledge
Under
evaluation Well known
Used &
referenced
DMTF DSP0263: Cloud Infrastructure Management Interface
(CIMI) Model and REST Interface over HTTP Specification
ISO/IEC 19831: Cloud Infrastructure Management Interface
DMTF DSP0264: Cloud Infrastructure Management Interface -
Common Information Model (CIMI-CIM)
SNIA CDMI: Cloud Data Management Interface
ISO/IEC 17826: Cloud Data Management Interface
ISO 19099: Virtualization Management
OGF GFD.183: Open Cloud Computing Interface - Core
(Specification)
OGF GFD.184: Open Cloud Computing Interface - Infrastructure
(Specification)
OGF GFD.185: Open Cloud Computing Interface - RESTful
HTTP Rendering (Specification)
10
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 68
16861687
42. Your organization's adoption and use of CC standards: Service Level Agreement No knowledgeUnderevaluationWell knownUsed &referencedTMF TR178v2: Enabling End-to-End Cloud SLA ManagementOGF GFD.192: Web Services Agreement (WS-Agreement)OGF GFD.193: WS-Agreement Negotiation (Specification)QuEST Forum TL9000: TL 9000 Measurements Handbook43. Your organization's adoption and use of CC standards: Portability No knowledgeUnderevaluationWell knownUsed &referencedDMTF DSP0243: Open Virtualization Format Specification V2ISO/IEC 17203: Open Virtualization Format SpecificationOASIS TOSCA: Topology and Orchestration Specification forCloud ApplicationsOASIS CAMP: Cloud Application Management for Platforms44. Your organization's adoption and use of CC standards: Multi-cloud, Cloud federation No knowledgeUnderevaluationWell knownUsed &referencedITU-T Y.3511: Framework of Inter- cloud computing45. Your organization's adoption and use of CC standards: Application No knowledgeUnderevaluationWell knownUsed &referencedITU-T Y.3503: Requirements for desktop as a service46. Any other standard not listed here that your organization knows about and is considering (one ormore)?Checking your intentions regarding certification and how standards can support them.Cloud Computing Certification StandardsCertification is a way to indicate to customers that a company follows certain rules and processes (defined in the context ofcertification) and consequently to disburden them from regularly checking the certified company.Cloud Customers are encouraged - or even obliged by national law in some European countries - to verify the reliability of a (Cloud)provider before signing a contract. Cloud Computing Certification Standards may appear helpful as decision support, specifically asfar as the Certification scope covers the main areas of interests and is fully transparent.11
42. Your organization's adoption and use of CC standards: Service Level Agreement
No knowledge
Under
evaluation Well known
Used &
referenced
TMF TR178v2: Enabling End-to-End Cloud SLA Management
OGF GFD.192: Web Services Agreement (WS-Agreement)
OGF GFD.193: WS-Agreement Negotiation (Specification)
QuEST Forum TL9000: TL 9000 Measurements Handbook
43. Your organization's adoption and use of CC standards: Portability
No knowledge
Under
evaluation Well known
Used &
referenced
DMTF DSP0243: Open Virtualization Format Specification V2
ISO/IEC 17203: Open Virtualization Format Specification
OASIS TOSCA: Topology and Orchestration Specification for
Cloud Applications
OASIS CAMP: Cloud Application Management for Platforms
44. Your organization's adoption and use of CC standards: Multi-cloud, Cloud federation
No knowledge
Under
evaluation Well known
Used &
referenced
ITU-T Y.3511: Framework of Inter- cloud computing
45. Your organization's adoption and use of CC standards: Application
No knowledge
Under
evaluation Well known
Used &
referenced
ITU-T Y.3503: Requirements for desktop as a service
46. Any other standard not listed here that your organization knows about and is considering (one or
more)?
Checking your intentions regarding certification and how standards can support them.
Cloud Computing Certification Standards
Certification is a way to indicate to customers that a company follows certain rules and processes (defined in the context of
certification) and consequently to disburden them from regularly checking the certified company.
Cloud Customers are encouraged - or even obliged by national law in some European countries - to verify the reliability of a (Cloud)
provider before signing a contract. Cloud Computing Certification Standards may appear helpful as decision support, specifically as
far as the Certification scope covers the main areas of interests and is fully transparent.
11
47. Would you consider Cloud Certification as a possibility to improve confidence in Cloud?YesNo48. Please rank the following Cloud Certification areas according their importance: Less importantImportantVery importantCompliance / legal aspectsContract and Service Level AgreementData SecurityData PrivacyData storage locationCloud Datacenter infrastructureCloud Provisioning ProcessesInteroperability/ReversibilityData PortabilityBackup/RecoveryIdentity and Access ManagementFinancial health of the Cloud providers involved in the service provision49. Which further areas would you consider as relevant for a Cloud Certification?50. Can you rate the importance of the following types of certification for your organization? ExcellentGoodNeutralAcceptablePoorCloud Provider Certification (per Cloud provider)Cloud Service Certification (per Cloud service, covering allaspects/partners involved in its provision)Self CertificationCertification by accredited auditorsCertification Standard reflecting European requirements(legal/contractual aspects)Certification Standard reflecting Global requirementsUnique certification scope (one fits all)Graded certification scopes (affordable for SME based Cloudproviders)12
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 69
16881689
47. Would you consider Cloud Certification as a possibility to improve confidence in Cloud?
Yes No
48. Please rank the following Cloud Certification areas according their importance:
Less important Important Very important
Compliance / legal aspects
Contract and Service Level Agreement
Data Security
Data Privacy
Data storage location
Cloud Datacenter infrastructure
Cloud Provisioning Processes
Interoperability/Reversibility
Data Portability
Backup/Recovery
Identity and Access Management
Financial health of the Cloud providers involved in the service provision
49. Which further areas would you consider as relevant for a Cloud Certification?
50. Can you rate the importance of the following types of certification for your organization?
Excellent Good Neutral Acceptable Poor
Cloud Provider Certification (per Cloud provider)
Cloud Service Certification (per Cloud service, covering all
aspects/partners involved in its provision)
Self Certification
Certification by accredited auditors
Certification Standard reflecting European requirements
(legal/contractual aspects)
Certification Standard reflecting Global requirements
Unique certification scope (one fits all)
Graded certification scopes (affordable for SME based Cloud
providers)
12
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 70
16901691
Cloud Provider Certification:
Certification of individual enterprises, who are providing - one or several cloud services - to the market.
Cloud Service Certification:
Certification of individual cloud services and across all partners involved in the service provisioning process.
Self Certification:
Certification Process conducted by the cloud service provider himself.
Certification by accredited auditors:
Certification Process conducted by independent and accredited auditors.
Certification Standards reflecting European requirements:
The Certification Scope covers Cloud Security & Privacy, operational and contractual aspects in reference to legal European
requirements.
Certification Standards reflecting Global requirements:
The Certification Scope covers Cloud Security & Privacy aspects in reference to Global requirements.
Unique Certification Scope:
A defined Certification Scope for all types of Cloud Services or Cloud Providers (see above).
Graded Certification Scope:
A set of graduated certifications reflecting different quality levels to allow certification also for medium-sized cloud providers.
51. Are you aware of the Cloud Certification Schemes List (CCSL)?
Yes No
ENISA (the European Union Agency for Network and Information Security) has defined CCSL, the Cloud Certification Schemes
List (see https://resilience.enisa.europa.eu/cloud-computing-certification)
52. Which of the following Cloud Certification Schemes listed in CCSL are you are aware of?
Certified Cloud Service TÜV Rheinland
CSA Attestation – OCF Level 2
CSA Certification – OCF Level 2
CSA Self Assessment – OCF Level 1
Eurocloud Self Assessment
Eurocloud Star Audit Certification
ISO/IEC 27001 Certification
Payment Card Industry Data Security Standard v3
Leet Security Rating Guide
AICPA Service Organization Control (SOC) 1
AICPA Service Organization Control (SOC) 2
AICPA Service Organization Control (SOC) 3
53. As a Cloud Customer, do you plan to include one of these Certifications in your Cloud Purchasing
processes?
Yes No
54. If not, what are the main reasons?
55. As a Cloud Provider, do you plan to certify your Cloud service offering?
Yes No
56. If not, what are the main reasons?
13
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 71
16921693
1694
This is the last page of the survey. We finally would like some (anonymous) information on you.
Information on the person replying to this survey
57. What is your role in your organization?
58. What is your experience in Cloud Computing? (length, expertise, etc.)
Many thanks for the time you have spent with this survey.
If you want to receive the results,
you can visit our site after June 15th at: http://csc.etsi.org/CSC2_survey
or
59. You can also leave us your email:
14
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 72
1695
ETSI
ETSI SR 003 381 V2.0.0 (2015-11) 73
1696
Annex D: Change History 1697
1698Date Version Information about changes
June2015 1.0.0 FirstpublicationoftheSRforcomments
November2015 2.0.0
Finalpublicationbasedonthechangesprovidedby:-CommentsfromtheNTECHTechnicalCommitteereview-Commentsfromthepublicreviewgatheredonhttp://csc.etsi.org-AdditionalchangesproposedduringthefinalreviewworkshoponOctober1-2
1699
1700
History 1701
Documenthistory
V0.9.0 15/06/2015 DraftforSTFreview.IncorporatesallthecontentalreadydevelopedwithintheSTFintotheappropriatetemplate.
V0.9.3 15/06/2015 Statusofdocumentafterthereviewmeeting
V0.9.5 22/06/2015 Statusofthedocumentbeforethe22/06/2015reviewmeeting
V0.9.6 23/06/2015 Statusofthedocumentbeforethe24/06/2015finalreviewmeeting
V0.9.99 24/06/2015 Statusofthedocumentafterthe24/06/2015finalreviewmeeting,forfinal"sanitycheck"
V1.0.1 4/10/2015 Introductionofagreeduponcommentsafterreviewworkshop
V1.9.0 13/10/2015 AdditionalchangesandcleaningbeforereviewbytheSTFteam
V1.9.1 15/10/2025 Changesafterinclusionofthefinalsurveyresults
V1.9.8 15/10/2015 For"sanitycheck"(nofurthercommentsallowed)bythereviewersandtheSTFteam
V1.9.9 11/11/2015 Lastversionbeforepublicationincludingthechangesafterthe"sanitycheck"andafinaleditorialproofreading.
1702 1703