Cloud Adoption (Part I) — Survey Summary

12 min readApr 7, 2024

There are some interesting findings in the latest ‘2024 State of the Cloud Report’ published by Flexera.

As a consulting technologist and IT strategist, I have witnessed firsthand many of the challenges faced by organizations highlighted in this report. I was compelled to respond and felt the need to elaborate a little more to give better context on these challenges, so organization’s leaders can appreciate them better before they embark on their cloud journey.

The findings in the report really resonated with me given my recent experience with organizations on their cloud journeys. I am sharing my observations and perspective that I hope some will find useful.

I am drafting this article in two parts. In the first part (this post), I am giving a brief overview of the top cloud challenges listed in the report. In the second part, I will share my perspective on what usually goes wrong and why; and how organizations can prevent, or at least minimize the impact of these challenges.

Cloud Adoption Journey

In 2006, Amazon revolutionized the IT landscape with the launch of its Web Services offering and paved the way for industries worldwide to embrace an innovative ‘pay-as-you-go’ IT infrastructure as a service. Today many cloud service providers (CSPs), big and small, have since joined the fray competing in the cloud market around the world. Here are the leading CSPs in 2023/24.

The unrelenting march of the cloud adoption continues through 2024 and is expected to keep growing given the new demands on cloud infrastructure especially due to the explosive growth of generative AI. Just last year alone the global cloud market was about 620 billion USD, and conservatively, it is projected to cross 1.5 trillion USD by 2030.

Most businesses have already spent a lot of money on cloud and at least some, slowly but surely, are realizing the promised benefits, so its not surprising that the growth is expected to get stronger in the coming years. Regardless of their sizes, it is astonishing to note 21% increase YoY in organizations spending $1 million USD or more per month on cloud.

After all these years one would expect the cloud migration playbook is perfected and mass cloud migration programs are run efficiently in a “factory” mode. Unfortunately, what you may hear from the “experts”, the reality is far from it. Businesses still struggle a lot with their cloud migration programs. Almost all businesses still continue to experience challenges, as can be seen from the chart below.

Lets briefly look at each of these challenges.

Managing Cloud Spend

Predictably, at the top of the list is cost. For over a decade now, I have noticed that a very few organizations have real idea of total cost of ownership of cloud at the start of the program.

Public cloud has changed the cost model for IT infrastructure and technology spend from Capex to Op-ex. This was a big shift. It had significant impact on management of cashflow. And so invariably the cloud spend quickly bubbled up as a top line-item for CFOs. Depending on the magnitude of cloud adoption, the recurring cost vary significantly from one organization to other. It can range from as low as half a million USD to over 60 million USD per year, as per the chart below.

Most organizations do not estimate cloud program and operations costs properly during the planning. Although according to the following chart the cloud spend is expected to grow this year by almost 31%, the amount of overbudget in the current spend however remains at 15%. The cloud waste being the number one contributing factor.

Its only after the organizations get the sticker shock from the first bill, they start looking for cost optimization options; better late than never but that activity further adds to their already bloated spend.

Fortunately, the situation is improving in the recent years due to better awareness. According to the following chart over 51% companies have FinOps teams in place to manage their cloud cost. There are many ways to curtail unnecessary costs under FinOps capability.

Security:

Even in today’s day and age, most people would prefer to keep their valuables in their own family homes, protected in a private safe. They rarely consider other options, e.g., bank safety box, or hand it over for safe keeping to other family members or friends. I guess, its human nature. We feel more comfortable and in control when we ourselves manager our valuables, even though in reality it may be safer to use other available options.

Organizations are no different. Even after almost two decades where security provided on public clouds has improved significantly, organizations are still quite hesitant to move their valuable workloads out of self-managed private datacenters into public clouds. They will not admit it, but despite relatively lower quality of security controls within their own datacenters that are usually organically assembled over the years by their IT departments, they believe their valuables can be safer within the physical bounds of their own datacenters. Security controls available in public clouds today can easily surpass most privately managed datacenters, and yet, most privately hosted workloads are not going to go into public cloud anytime soon.

This is quite evident from the following chart, where in fact small medium businesses are actually reducing their data footprint in the public cloud.

Continued media coverage of high profile cyberattacks, and data breaches keep organizational leaders nervous about cloud. Cloud security will always remain at the top of the list of cloud challenges.

Lack of resources and expertise:

For every new technology adoption, organizations must hire right people to play various roles mainly in their IT departments, to develop, implement, and manage the solutions based on the new technology. Cloud is no exception; and to make matters worst, cloud is indeed a very complex ecosystem. And so, organizations need a zoo of new roles necessary for implementing and operationalizing large-scale cloud programs.

Besides IT leadership roles (e.g., CIO/CTO/Chief architect), here are just a few example roles that are essential -

Enterprise Architect, Cloud program manager, Cloud project manager/scrum master, Cloud change manager, Cloud platform architect, Cloud platform engineer, Cloud DevOps architect, Cloud DevOps engineer, Cloud application architect, Cloud software engineer, Cloud reliability engineer, Cloud data architect, Cloud data engineer, Cloud security architect, Cloud security engineer, Cloud network architect, Cloud network engineer, Cloud infrastructure architect, Cloud infrastructure engineer, Cloud storage engineer, Cloud database expert/administrator, Cloud systems administrator/engineer, Cloud integration architect, Cloud integration engineer, Cloud quality engineer, Cloud FinOps expert, Cloud compliance expert, etc.

You get the idea. This is like creating entirely a new IT organization to operate cloud similarly to the existing traditional IT organization supporting on-premises workloads. If you still think that cloud adoption eliminates IT jobs, then think again.

Depending on the type of CSPs usually organizations require people with very specialized skillsets specific to that CSP. The number of people playing various roles can easily exceed a few hundred persons in a large organization. Cloud is a complex technology requiring people with specialized skills which is in a short supply. This is another reason for organizations increasingly seeking out the outsourcing or managed service provider (MSP) option.

Attracting and retaining skilled and sufficiently experienced resources continues to be one of the top challenges for the organizations on their cloud adoption journey.

Managing software licenses:

Cloud costs are impacted significantly if software licenses are not managed properly. In some instances, specific licenses can be more than four-times the costs of the cloud infrastructure on which the applications run. Organizations need to not only factor in cloud costs but also consider the associated software licensing costs.

Most organizations have come to this realization and have begun to monitor licensing costs judiciously. According to the following chart over 84% companies track their licenses, which is quite encouraging. That said, license management remains one of the top challenges for organizations.

Governance:

Cloud governance is an extension of business governance, where senior leadership continues to provide oversight for cloud program. Governance is critical; without it, the alignment of the cloud program with business goals and objectives can go off track making it very difficult to steer it back on course later.

Before planning for the cloud adoption program, the organization should define its vision, goals and objectives carefully considering applicable laws, regulations, policies, and contracts. Under the cloud governance the leadership at all levels is responsible for making important decisions and therefore they should define appropriate guiding principles that provide direction to their staff in achieving those goals and objectives.

Cloud makes it very convenient to develop and deploy assets with few clicks. While this promotes innovation and productivity, this flexibility can also give rise to several issues such as,

· Cost overruns

· Poor integration between systems

· Duplication of functionality

· Duplication of data

· Lack of alignment between cloud systems and business goals

· Number of new security risks

Having the right cloud governance can ensure asset deployment, system integration, data security, and other aspects of cloud computing are properly planned and managed. Cloud is highly dynamic ecosystem as workloads can be created almost instantly by various groups within the organization or even by outside vendors and can as quickly be torn down. Cloud governance ensures such a complex ecosystem adheres to organizational policies, security best practices, and compliance obligations.

Failing to stand up a proper cloud governance is like driving blindfolded. This is one area where not enough attention is given. And so, many organizations still find it extremely challenging to conduct proper governance that meets their needs.

Compliance:

Organizations should be concerned with how CSPs will help them remain in compliance with the mandated industry specific regulations and laws, including data privacy laws such as Europe’s General Data Protection Regulation (GDPR) or HIPAA in the U.S. Unfortunately, these discussions with CSPs do not start at the planning stages of cloud adoption.

Organizations should check beforehand, by consulting their legal and compliance teams, whether any contracts with CSPs outline what they can or cannot do with the cloud, so they are prepared for any negative consequences. Organizations must also comply with standards such as ISO 27001 or NIST SP 800–53 as a foundation for implementing security controls. ISO has isolated the controls that are specific to the cloud and addressed them under ISO 27017. The organization must train employees, so the proper controls are in place, practiced, and enforced.

To ensure compliance is to conduct routine audits. Audits can be conducted internally or by external entity. An internal audit, completed by the organizations themselves provides a self-assessment to determine their level of compliance. To provide a more objective opinion, organizations can choose to be audited by an independent third-party audit firm. Most CSPs do not allow organizations to do their own audit, so independent third-party audits become necessary.

The audit reports are standardized and convenient for review. For example, the SOC 2 audit reports for CSPs shows their compliance with controls defined in ISO 27017 or NIST Cybersecurity Framework (CSF), that are assessed against Security, Availability, Confidentiality, Processing integrity, and Privacy. These reports could be either a type 1 or a type 2. A type 1 report shows the status of the controls at a moment in time and that the controls are designed and installed at some level of suitability. A type 2 report shows the controls’ operational effectiveness over a period, for example, six months.

Usually, organizations fail to ask for these reports from CSPs (especially from SaaS providers) prior to signing the agreement. The CSPs may not be too keen on sharing them upfront because these reports may contain sensitive information about their business. So, another option is SOC 3 report, intended as a general use report. It contains very little information regarding the CSP’s business which may sometimes be sufficient to meet the auditor’s needs.

Meeting compliance is a challenge for organizations due to lack of preparations and awareness.

Managing responsibilities between central cloud team and business units:

According to the report almost 63% organizations have a Cloud Center of excellence (CCOE), a central cloud team usually temporarily created during the initial stages of cloud program planning to oversee and govern cloud and related technology decisions and implementation. Seventy percent of large enterprises have CCOE, whereas only 29% of SMBs do. Just over a quarter (26%) of SMBs plan to have a CCOE in the future.

It is good to have such a central team however, if not planned properly, it can create new conflicts. If CCOE has overlapping responsibilities with the existing business/IT units, then this can very quickly escalate and become a challenge to manage. CCOE must ensure organizational vs individual business unit’s interests are prioritized properly.

Managing multi-cloud:

Organizations in various stages of their lifecycle tend to adopt cloud differently. New startups may right away adopt native services on public clouds but more mature organizations, regardless of their size, tend to apply hybrid/multi cloud strategy as they gradually adopt cloud.

It should be clear from all the above charts that future of the organization’s IT infrastructure will continue to be hybrid/multi cloud for quite some time to come as they transition from their private datacenters to public/private clouds.

According to the report, applications siloed on different clouds and DR/failover between clouds remain the top two uses cases for multi-cloud implementations. Applications siloed on different clouds increased the most (up to 57% from 44% YoY). Data integration between clouds increased to 45% from 37% YoY as organizations look for the best fit for applications and data analysis.

Organizations continue to factor in cost and performance prior to deploying workloads in a specific CSP cloud as they continue to find the best CSP fit. It is beneficial to run applications in a single cloud, which simplifies configuration, maintenance, and security. That said, a growing number of organizations find use cases for data analysis in clouds separate from the one an application is running in.

Another challenge managing the hybrid/multi cloud is that to be able to monitor, manage, and operate the multi cloud holistically the CSP provided native tools sometimes are not sufficient and organizations must look for other third-party vendors.

According to the chart security tools remain in the top spot for all organizations, followed closely by cost optimization (FinOps) tools and management tools. A higher percentage of large enterprises use security tools (61%) and FinOps tools (57%).

It is challenging enough to implement and operate one cloud, having to orchestrate workload implementations in the hybrid/multi cloud environment is degrees of magnitude more complicated.

Cloud migration:

Selecting a CSP is relatively smaller hurdle; the real challenge begins when organizations have to plan and perform workload assessments and migrate application and data workloads into the multi cloud environments, especially they must do so while keeping the business running without disruption. Its like fixing a car while driving.

Clearly there are multitudes of ways for things to go wrong. Here are the key challenges according to the report that organizations have reported during migration of the workloads.