Half of companies struggle with cloud cost, security, and governance
Companies like what cloud does but lack confidence in their ability to control or manage it.
More than half of companies struggle to monitor costs. One-third allows unilateral cloud decisions by IT staff or business leaders, despite abundant evidence that cloud works best as a techno-business collaboration. And four out of 10 companies do not have adequate policies to govern who gets to deploy cloud.
As cloud grows more sophisticated and more essential to enterprise operations, these management issues magnify the risks linked to cost, security, and governance.
Companies know what they spend in cloud. However, monitoring costs and forecasting future cloud costs are the most significant cloud management challenges companies face today. As companies contract more cloud services to scale infrastructure to meet the demands of new technologies, those cost challenges will only grow more significant.
This makes financial operations, or FinOps, more critical, says Rakhi Gupta, a partner in Infosys Consulting’s CIO advisory practice.
“Companies must shift toward a cost-conscious mindset and integrate new ways of working informed by objectives and key results,” Gupta says. “But the benefits are evident — improved financial accountability, accelerated business value, and a more cloud cost Agile organization.”
Figure 9. Cost management is a challenge in the new era of cloud
Source: Infosys Knowledge Institute
For example, Amazon’s Prime Video unit shocked the cloud developer community by describing how it reduced cloud costs by 90% by shifting a video quality monitoring tool from distributed microservices to a monolithic application.9
Amazon’s cloud overspending news was a treat for internet geeks. AWS alumnus Adrian Cockcroft mentioned that many added their comments, including some bad takes.10 Cockcroft argued that the Prime Video team showed good discipline by re-engineering many costly microservices into a more cost-efficient, super-sized microservice (not a monolith).
Setting aside the microservices versus monolith debate, Amazon used technology in the best way businesses can use it: to solve business problems, a truism that can get lost in the push-and-pull between software engineering techniques.11
Analogous discussions about cloud have developed in business and finance domains as new managers must study cloud costs and potential changes. The distributed nature of cloud makes a holistic bill hard to read and comparisons difficult to divine.
Companies may soon have help in finding clarity on managing cloud costs. In May 2023, the FinOps Foundation, an affiliate of the Linux Foundation, launched a project to help companies make sense of their cloud spending. The FinOps Open Cost and Usage Specification (or FOCUS) project is working to standardize cloud costs and bring a common structure to how companies pay for cloud.12
Comerica’s Wei notes that coming innovations in cloud will also bring progress toward better clarity on cloud costs.
“As we move higher and higher in the value chain, the notion of pricing by transaction will become more tangible and real. The conversation in five years is going to be quite different,” he says.
In the past, cloud skeptics opposed migration because they feared losing control of cybersecurity. More recently, cloud advocates argued to put security in the hands of cloud providers, who have greater depth and experience in cloud security.
Neither case holds up — migration doesn’t mean handing security over to cloud providers. Moving to cloud creates new security challenges, and security chiefs are working to address known vulnerabilities and seek out security blind spots, says Ankur Shah, a senior vice-president at cloud security firm Palo Alto Networks.13
“They have some controls in place, so it’s not completely wild west, but there are many blind spots,” he says.
IT departments and security chiefs must prepare for this, but so must all users with a system log-in. Companies generally require security training. Some 84% of companies surveyed for Cloud Radar 2023 say their training includes a focus on cloud security. But 43% of companies have lax policies regarding who is authorized to deploy cloud resources. This can create “shadow cloud” deployments, where developers spin up cloud instances, Shah says. Developers often create “shadow cloud” because the current process for cloud deployments is too arduous — or they are simply unaware there is even a process.
Figure 10. Cloud migration creates new security challenges
N = 2,523. 43% of respondents indicated that their company may allow more people than is necessary access to provisioning of new cloud services.
This further complicates the cost challenge and introduces governance challenges. While chief information security officers (CISOs) may have a good handle on which cloud service providers and application services the enterprise is using, they may not be able to track what is being used, how, and by whom, at a more granular level.
Security companies have developed a growing number of tools aimed at providing better visibility into cloud systems, but that’s only a partial solution, says Eyal Fingold, research and development vice-president at Check Point Software Technologies. It’s one step to gain visibility, but it’s a much larger challenge to systematically maintain visibility into larger and more complex cloud ecosystems.
“The fact is they now need to do the liability management not to 100 services but rather to thousands that are ever-changing,” Fingold says.
It’s a parallel challenge to getting ahead of cloud cost management, he says, adding: “People are looking to find some quick magic, but there’s no quick magic. There’s still no good methodology to solve it.”
“What they don’t know is specifically what cloud services are being used, and what risks are introduced at every stage,” Shah explains. Ultimately, security is a shared responsibility among the security team, developers, cloud providers, and business leaders. “Cloud providers can take care of the physical security and have the infrastructure at an operating system level. But the stuff that goes into cloud infrastructure, your applications, your data, is not the cloud provider’s responsibility: it is the customer’s responsibility,” he adds.
Cloud usage and benefits span all enterprise functions. But cloud decisions are often made in isolation: 45% of our respondents reported that either the IT department or business leaders decide what cloud to deploy or how to manage cloud compliance.
Figure 11. Too many cloud decisions happen in isolation
N = 2,523. We asked who was responsible for four major tasks in cloud:
Compliance: Managing compliance in your cloud services
Deploy/retire: Deploying, retiring and terminating cloud services
Purchasing: Cloud purchasing decisions
Security: Security in your cloud services
Options included the IT department and CIO office, CISO office, CFO office, COO office, head of cloud or similar position, and outsourced cloud management vendor.
When cloud decisions are made in isolation, finances and security become difficult to govern. IT excels at deployment, management, and security governance, but may lack a full view of business value, ownership, or success factors of cloud initiatives. Without this knowledge, it becomes difficult for companies to track whether cloud initiatives effectively meet business objectives.
Business units have a good grasp of how cloud can impact business value, performance metrics, and customer needs. However, they often lack insight into the technical requirements and security decisions required to bring cloud initiatives safely to fruition. This gap can create service downtime, or worse, risks related to data privacy, leakage, or cyberattacks.
IT and business must collaborate for successful cloud initiatives that meet business objectives and mitigate risks. Cloud started as a solution that primarily required IT expertise, but modern cloud touches every function of a business and customers.
“I think the hardest part of cloud is getting the organization mobilized and marching toward a shared mission,” says Comerica’s Wei. Wei describes the complexity further: “Think about a diagram with technology on the horizontal axis and value on the vertical axis. The relationship between technology and value is a bell curve, and you want your company to be at the pinnacle of that curve. You do not want to be at either end of the curve, where value is low. On one end, with minimal technology, it’s hard to generate any value. And on the other end, if you have too much technology, you have too much complexity, and eventually the value will drop to zero, because all your time is spent on just managing that complexity. So you want to be in the middle of the bell curve, at the pinnacle, with just the right amount of technology, which delivers the most value — but the trick is that it’s difficult to find where that spot is.”
Chart legend: IT alone; Business alone; IT and business jointly