www.pwc.ru/en The fear of the Cloud

PwC’s Analytical Survey, October 2020

Introduction

About the survey

This report is based on the data obtained during a survey of respondents from various industries in .

The survey included five general questions to provide an overview of the respondents and 26 special questions divided into three sections:

▪ Perception of cloud technologies.

▪ Experience using cloud technologies.

▪ Factors that hinder the adoption of cloud technologies.

The survey objectives

▪ Explore what people consider to be the obstacles to the adoption of cloud technologies and potential ways to overcome the impediments.

▪ Identify the main fears different user categories have about using cloud technologies (by job position, business size and industry, degree of cloud adoption, etc.).

▪ Assess how aware market participants are of the various mechanisms available to build trust between cloud providers and users.

▪ Identify barriers to the development of cloud technologies in Russia.

As companies migrate to cloud infrastructure, cloud security is becoming an important priority for a growing number of organisations. While many businesses are still cautious about cloud technologies, they do see the advantages and understand the strengths of cloud solutions.

And yet many are afraid of taking the first step. They might be right to some extent — the cloud may not be the best solution for every business. It depends on a set of conditions and circumstances. However, if implemented properly, used smartly, and adopted in accordance with the correct cloud security principles, cloud technologies will help to drive and improve business performance.

We are delighted to present our new comprehensive survey, in which we describe the attitude of Russian companies towards cloud technologies and explore the main factors that hinder their adoption. Our survey focuses on an important phenomenon—the fear of the cloud—and its root causes.

I hope you enjoy reading it.

Vitaly Sokolov

Partner, Cybersecurity and BCM Leader PwC Russia

Respondent profile

Seniority level of respondents

The respondents were evenly spread in terms of seniority level. C-level, middle management, and specialists accounted for 29%, 39%, and 32% of the respondents respectively.

Management 39% Specialist 32% C-level 29%

What is your line of work?

From a functional perspective, people from IT departments dominated, making up around 52% of total respondents, while cybersecurity, sales and marketing, accounting, and finance were also well represented.

Information technology 52% Cybersecurity 18% Sales 9% Other* 21%

Other* Accounting and Finance, 4%; Internal Audit, 1%; Engineering, 1%; Cybersecurity and Security Operations, 2%; Logistics, 1%; Marketing, 3%; HR, 3%; Product Management, 5%; Legal, 1%.

Number of employees

The survey participants were primarily from large organisations with more than 1,000 employees (54%), but there was also a significant number of participants from small and medium-sized organisations (28% and 18% of respondents respectively).

Less than 100 people 28% 100-999 people 18% 1,000 or more people 54%

What is your main business area?

For the survey, we received information from respondents representing a variety of industries.

Information technology, software and 46% Financial services 9% Telecommunications 8% Other* 37%

Other* Automotive, 1%; State and Municipal Management, 1%; Extraction and Transportation of Minerals, 5%; Healthcare, Pharmaceuticals and Biotechnology, 1%; Media and Entertainment, 3%; Real Estate and Construction, 2%; Education and Research, 1%; Wholesale and Distribution, 4%; Consumer Services, 3%; Manufacturing, 2%; Professional Services, 3%; Retail, 5%; Cybersecurity Systems, 1%; , 1%; Transport and Logistics, 4%.

The survey findings

Perceptions of the cloud technologies

Stages of cloud adoption

Currently, most organisations are active users of cloud technologies, with 66% being either leaders or followers in cloud adoption.

Off-track 7% Observers 13% Novices 14% Followers 33% Leaders 33%

Description of the stages

▪ Off-track: Do not use or do not plan to use cloud technology.

▪ Observers: Have developed a cloud technology strategy, but do not use the technology.

▪ Novices: Are implementing or have implemented cloud technologies and used them in at least one project.

▪ Followers: Use cloud technologies to support one or more processes or systems and plan to scale up cloud technologies.

▪ Leaders: Use cloud technology for a significant part of their IT infrastructure and processes.

What type of the cloud technologies are you using or going to use?

Most respondents are using or going to use hybrid or private clouds (30% and 29% respectively). This choice reflects the overall maturity level of the Russian cloud market and is in line with Russian compliance requirements (the Federal Law on Personal Identifiable Information).

Hybrid cloud 30% Private cloud 29% Multi-cloud 17% Public cloud 17% No plans to use 7%

Cloud types:

Public cloud refers to infrastructure that is available for public use. A public cloud can be owned, controlled, and operated by commercial, scientific or governmental organisations (or a combination of them). A public cloud exists physically in the jurisdiction of the owner/service provider (e.g. Azure, Web Services, .Cloud).

Private cloud means infrastructure intended for one organisation with several consumers (e.g. divisions of a company). It can also be accessed by clients and contractors of the organisation. A private cloud can be owned, controlled and operated by the organisation or by a third party (or a combination). It can physically be located inside or outside of the owner’s jurisdiction.

Hybrid cloud means a combination of two or more various cloud infrastructures (private or public) that remain unique but interrelated through standardised or private app and data transfer technologies (e.g. short-term use of public cloud resources for load balancing between clouds).

Multi-cloud strategy means utilisation of several cloud providers in a single heterogeneous architecture. In a typical multi-cloud architecture that uses two or more public clouds, as well as several private clouds, the multi-cloud environment is designed to eliminate dependence on a single cloud provider.

How long have you been using cloud technologies at your company?

Given the overall maturity of IT technologies in Russia, companies, not surprisingly, started to use cloud solutions almost as soon as they emerged (30% of organisations have been using cloud technologies for more than five years).

One year or less 7% From 1 to 3 years 36% From 3 to 5 years 28% More than 5 years 29%

What service provision model are you mainly using or going to use?*

Russian companies mostly use / plan to use cloud as SaaS.

SaaS 33% IaaS 31% PaaS 28% Do not plan to use 8%

Service provision models*

IaaS: infrastructure as a service

PaaS: platform as a service

SaaS: software as a service

In your opinion, how do cloud technologies create value?

The survey shows that most organisations see the following value in cloud adoption:

▪ Scalability as required (74%)

▪ Cost optimisation (67%)

▪ Access to locally unavailable technologies (48%)

[Chart: how cloud technologies create value, share of respondents on a 0% to 80% axis. Categories: No value; Time-to-market reduction; Scalability as required; Reliability improvement; Performance enhancement; Access to locally unavailable technologies; Cost optimisation.]

Which cloud providers do you know?

A majority of respondents know the global market leaders (Big Three: Amazon, , ) and are quite familiar with local public cloud providers (Yandex.Cloud, Mail.ru).

[Chart: share of respondents (%) who know each cloud provider, on a 0 to 45 axis. Providers: Amazon, Microsoft, Google, Yandex, Mail.ru, Oracle, SberCloud, MTS, IBM, DataLine.]

What are the most critical factors that influence the selection of a cloud provider?

Functional and technological requirements are the most critical in selecting a cloud provider, with security and compliance taking a back seat:

▪ 41%: Reliable communication channels, modern DDoS mitigation features

▪ 38%: Data centres in Russia

▪ 34%: Low cost, transparent and flexible licensing

[Chart: factors that influence the selection of a cloud provider, share of respondents on a 0% to 45% axis. Categories: Low cost, transparent and flexible licensing; Opportunity to take services for the trial period; Seamless migration between cloud providers or to an in-house platform; A wide range of the cloud services; A service agreement that clearly segregates responsibilities of the provider and the client, a coherent SLA and penalties for SLA breaches; Reliable communications channels, modern DDoS mitigation features; Partner status with the leading software and hardware providers; Certificates of compliance with international standards and laws; Certificates of compliance with Russian legislation; Data centres in Russia; Data centres all over the world.]

Biggest challenges in the process of cloud migration

IT migration and adaptation of existing applications are the biggest challenges:

▪ 63%: IT systems’ migration to a cloud-based infrastructure

▪ 59%: Adaptation of cybersecurity controls

▪ 42%: Compliance with legal, regulatory and other requirements

[Chart: biggest challenges in the process of cloud migration, share of respondents on a 0% to 70% axis. Categories: Costs optimization; Alignment with the leadership; Cloud technologies governance and operations; Employees’ trainings; Adaptation of cybersecurity controls; Compliance with legal, regulatory and other requirements; IT systems migration to a cloud-based infrastructure.]

Experience of using cloud technologies

Which services and workflows are deployed in the cloud at your organisation?

74% Storage (object storage, archives, backups, etc.)

67% Virtual servers

51% Databases (relational DB, NoSQL, caching, etc.)

Containers, 34%; Network interconnection and content delivery (virtual private cloud, CDN, DNS, etc.), 34%; Cybersecurity (identification management, access control, data protection, threat detection, use and resource monitoring, virus protection, etc.), 30%; Development/Applications for testing, 46%; Applications for communications (email, collaboration, instant messaging, etc.), 46%; Business applications (CRM, marketing automation, ERP, BI, project management, etc.), 52%; Virtual workstations and applications, 16%; Applications for IT operations (administration, backups, IT infrastructure monitoring, etc.), 30%.

Which type of information do you store in the cloud?

56% Email

46% Marketing information, news and media

40% Clients data

33% Employee information

52% of companies use more than one cloud provider

How do you protect data in the cloud?

48% We connect to the cloud via secure channels

41% We use encryption and tokens

39% We use cybersecurity services originally offered by the cloud provider

[Chart: how respondents protect data in the cloud, share of respondents on a 0% to 60% axis. Categories: Don’t know; We use the cloud ‘as-is’; We use additional cybersecurity services offered by third-party vendors; We connect to the cloud via secure channels; We use cybersecurity services originally offered by the cloud provider; We enhance access control (MFA, SSO, PAM).]

When it comes to cloud security, it is important to be able to use existing and well-known cybersecurity controls:

▪ For 34%, all features of their traditional cybersecurity controls and mechanisms work in the cloud.

▪ For 25%, existing cybersecurity controls work in the cloud with limited functionality.

What stops companies from cloud migration?

As part of the survey, we invited our respondents to name the main obstacles they face in migrating to the cloud. Three key difficulties are:

▪ Technical complexity or inability to migrate into the cloud: 38%

▪ Too complex or impossible to comply with legal requirements: 34%

▪ The cost of the cloud is high: 33%

58% have concerns about cloud security

Most respondents selected “Don’t know” or “I rather do not” when asked about their trust in public cloud security.

These concerns mainly rely on “external opinion”:

▪ 61%: Information about leaks from public clouds.

▪ 42%: Internal or external subject matter expert opinion.

Did your organisation face an incident related to public cloud security over the past year?

5% Yes

9% No, but there was an incident with local infrastructure

20% Don’t know

Main types of incidents:

36% Data leaks

45% Malware infections

27% Stolen accounts

Which significant cybersecurity issue do you expect in the cloud?

57% Potential data leaks

51% Unauthorised use of the confidential data by providers or third parties

45% Potential data loss

In your opinion, what are the biggest cybersecurity threats in the cloud?

45% Unauthorised access

38% Incorrect cloud services configuration

36% Data theft

31% Inadequate cybersecurity measures taken by providers

Respondents believe that cybersecurity risks in public clouds are higher than in traditional local IT environments (36% consider the risk to be much higher and 13% to be somewhat higher). Thirty-four percent of respondents consider that cybersecurity risks are the same in the cloud and in their local IT environment. Only 10% believe that risks in the cloud are lower than in local IT environments.

The most significant risks associated with cloud technologies:

54% Critical data accessed by the cloud provider’s staff

38% Absence of assurance of a seamless migration between cloud providers or to an in-house platform

37% Lack of control of the business processes in the cloud

34% Multitenancy disruption considering the critical data of different cloud provider’s clients

32% Violation of legal, regulatory or other compliance requirements

29% Absence of assurance of secure, complete, and well-timed data removal by the cloud provider

Cloud security challenges

What is the biggest cloud security challenge you face in your daily work?

▪ Compliance with legal, regulatory, and other requirements: 23%

▪ Transparent infrastructure security controls: 21%

▪ Our cybersecurity upgrade has been outpaced by the changes in our applications: 20%

▪ We cannot integrate it with our existing local cybersecurity controls: 20%

▪ Absence of the automated threat detection and infrastructure security controls: 17%

Considering the cloud compliance process, what is the most complicated?

▪ Compliance monitoring of the policies and procedures: 37%

▪ Constant updates of the new/changing regulatory and legal requirements: 37%

▪ Monitoring of the new vulnerabilities in the cloud services: 34%

▪ Cloud environments risk assessment: 33%

What are the main deterrents of cloud implementation at your organisation?

▪ Risks of data loss and data leaks: 47%

▪ Loss of control: 24%

▪ Fear that a cloud provider will be blocked: 24%

▪ Lack of transparency and low quality of the documentation: 21%

▪ Internal resistance and inertia: 20%

▪ Compliance with legal, regulatory and other requirements: 18%

A significant share (51%) of respondents are ready to rely on “the documents”. “Open and complete documentation, and security” and “reports by external auditors” were among the most popular controls that our respondents thought would enhance their confidence in cloud security.

Conclusions

Summary

Companies want to adopt cloud technologies, but have certain concerns about cybersecurity.

While choosing the cloud provider, functional and technological needs prevail over the cybersecurity needs.

Companies are storing confidential data and personal identifiable information in the cloud.

Respondents perceive cybersecurity risks in the public cloud as higher than in a traditional local IT environment.

The main fear companies have about the process of cloud adoption is the possibility of unauthorized access by cloud providers or other third parties.

The key challenge related to the cloud security is to ensure compliance with legal and regulatory requirements.

Detailed and available documentation and external auditors’ reports are the most important controls that could enhance confidence in cloud security.

Organisations are actively migrating their infrastructure and applications to the cloud. Cloud technologies are fundamental in solving challenges related to remote work, critical business processes and access to key business systems. Many companies are struggling to deploy remote access services, secured communication channels and various collaboration services. They are implementing new processes to help them coordinate with their partners, set up new supply chains and process large amounts of data — and all of these processes must be secure. For this reason, enhanced cybersecurity standards for cloud computing have become a top business priority: not just a need, but a market requirement.

Cybersecurity departments are concerned that their organisations frequently fail to align the adoption of cloud technologies with them. To decrease risks associated with the cloud and make a company more secure, they want to have detailed information related to the security of their existing cloud environment.

Current challenges:

▪ Cloud initiatives are frequently owned by business which makes cybersecurity, confidentiality, risk management and compliance fall by the wayside.

▪ Existing corporate policies, standards and regulations, often outdated and incompatible with the cloud, impede the adoption of cloud technologies.

▪ Complying with legal, regulatory and contractual obligations is difficult due to industry-specific laws, regulations and requirements.

▪ Traditional cybersecurity controls can’t provide full-grade control over cloud technologies.

▪ To support the working approach to cybersecurity (people/management, infrastructure), companies have to integrate cloud technologies securely with both business processes and IT infrastructure.

▪ It is tough to analyse all user roles, rights and accesses across various cloud providers.

Your next steps

If you are going to adopt cloud technologies:

▪ Integrate cybersecurity, confidentiality and risk management into the overall business strategy and roadmap for the cloud migration or digital transformation.

▪ Update internal policies, procedures, and standards, as well as governance and operational models to support cloud adoption.

▪ Define and implement IAM requirements for the cloud environment. Expand or integrate the on-premise IAM to the cloud where applicable while eliminating identified gaps.

▪ Assess the cybersecurity of the cloud environment and its compliance with leading practices in cloud security (e.g. CIS or CSA standards) before implementation. Perform a comprehensive cybersecurity analysis of the cloud provider with recommendations on how to resolve issues that arise.

If you are already using cloud technologies:

▪ Carry out an external audit to identify the gaps in confidentiality, data protection, legal and regulatory compliance, as well as contractual and service level obligations that may apply.

▪ Embed cloud security controls into your general cybersecurity framework to reduce risks and accelerate the elimination of vulnerabilities.

▪ Identify and implement threat response processes; prepare response teams and incident response plans; analyse responses of clients and shareholders to threats and take actions to mitigate them.

▪ Manage third-party risks – group and classify third-parties and manage their accesses.

▪ Ensure that your cloud environment complies with industry standards (e.g. IST, ISO, HIPAA, PCI) and internal cybersecurity policies.

Global cloud security practices and standards in use:

• Center for Internet Security: CIS Controls Cloud Companion Guide

• ISO: ISO/IEC 27017:2015

• Cloud Security Alliance: CSA Cloud Controls Matrix

• NIST: SP 800-144 Guidelines on Security and Privacy in Public Cloud Computing

Contact us

Vitaly Sokolov, Partner, Cybersecurity and BCM Leader, PwC Russia, +7 (495) 967 6153

Mikhail Kurzin, Director, Cybersecurity and BCM, PwC Russia, +7 (495) 223 5040

Pavel Nikolaev, Senior Manager, Cloud Security Leader, PwC Russia, +7 (966) 062 3167

PwC Russia (www.pwc.ru) provides industry-focused assurance, tax, legal and advisory services. Over 2,700 people work in our offices in , St Petersburg, Ekaterinburg, Kazan, Novosibirsk, Rostov-on-Don, Krasnodar, Voronezh, Vladikavkaz, Ufa, Nizhny Novgorod and Perm. We share our thinking, experience and solutions to develop fresh perspectives and practical advice for our clients.

PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Together, these firms form the PwC network, which includes over 250,000 employees in 158 countries. For more details, please visit http://www.pwc.ru/ru/about.html

© PwC, 2020. All rights reserved.