Lack of credible local providers, knowledge hinder APAC cloud adoption

The unwillingness of some Asian businesses to move to the cloud is the result of unwarranted fear and confusion, and governments should start working together to create better synergies between different local regulations.

The lack of "local cloud-experienced talent" and third-party service providers to help enterprises with their deployment has hindered greater deployment of cloud services within the region, said Bob Hayward, managing director for KPMG's Asia-Pacific Centre of Excellence for IT Leaders.

There is also resistance by IT departments that view the cloud as a threat to their responsibilities and control within the organization, he noted.

And then there are concerns about the cloud that have emerged from pure confusion.

For instance, there are misplaced fears over regulatory requirements and misinterpretation of regulatory concerns, said Hayward, who noted that most regulatory bodies actually accept the use of cloud services if the associated risks are explained and mitigated.

Sean Middleton, COO of emerging business accelerator Cognizant, also pointed to existing investments and contractual commitments with IT vendors as other key barriers to cloud adoption.

Across the region, there are further challenges where some countries have been more proactive than others in providing the underlying support and ecosystem for cloud services.

"Key areas lacking are the quality of internet bandwidth, intellectual property protection, regulatory requirements and policies set by governments, and the availability of power," Middleton noted. "These factors contribute toward the economic feasibility for a cloud vendor to run its business in that country or region."

More 'harmony' needed around cloud policies

Microsoft's Asia-Pacific vice president Alvaro Celis called for countries to "harmonize" cloud-related policies and regulatory frameworks "instead of creating walled gardens", especially around data sovereignty. This, he said, is a critical enabler of public cloud adoption in the region.

Celis also noted that security and privacy will continue to be key concerns about the cloud in 2015.

"People do not use technology they do not trust. Cloud is no exception to this rule," he said, referring to a Microsoft CIO survey that revealed 79 percent of respondents in this region deemed security, privacy, and other "trust"-related concerns as the key barriers to cloud adoption.

"What we foresee in 2015 is for organizations and consumers to have more active dialogue about concerns such as security and privacy, to better understand if their cloud providers have the right levels of 'trust' built into their cloud services," he said.

He added that clear principles, policies, and statements on privacy must be established to ensure responsible and transparent data usage.

According to Hayward, there is insufficient comprehension among organizations about the different risk profiles between private and public cloud platforms -- although this is starting to improve, and there are more case studies now from which to learn.

He added that the Asia-Pacific region has seen growing numbers of credible cloud vendors with local presence that are beefing up their services with enhanced management and security capabilities. There are now offerings, for instance, to replace sensitive data with tokens as information moves across clouds in multiple locations, which may help address security concerns, he noted.

Enterprises looking to move some of their applications to the cloud should first evaluate the appropriate platform on which to deploy them, said Anshuman Singh, director of product management for application security at Barracuda Network. He pointed to security as an important criterion.

Singh said the level of security should be governed by the risk profile of that specific application.

Middleton also recommended that organizations run a thorough assessment of their required workloads before deciding whether a cloud solution is suitable for their business. These, he said, should include technical parameters such as architectural complexity, performance and availability requirements, and integration requirements, as well as business parameters including licensing and costs, stakeholder alignments, and risks and availability.

Asked whether there are business processes or applications that should never be deployed over a public cloud, Middleton said that this would typically depend on regulatory and compliance requirements governing that business in that geographical location. Also, it is uncommon for business requirements and applications based on highly specialised technologies to be offered via standard public cloud offerings, he added.

Hayward also noted that it is still rare for organizations to run core, transactional enterprise systems that support high volumes of activity over public clouds, such as core banking or ERP transactions.

"The reason is not so much the risks involved, but more about the costs -- switching such complex and core systems to the cloud can be prohibitively expensive, while running them in clouds can also be costly," he explained. "And in any case, most large enterprises already run these core systems reasonably well on infrastructure that is leased, outsourced, or depreciated on the balance sheet."