The problem with cloud service providers and security SLAs

Will cloud service providers be forced to increase pricing in order to provide security guarantees?


In recent discussions with several professional service providers including ViON (a Washington-based systems integrator), BRUNS-PAK (a data center deployment firm), Google (the search engine/cloud services provider), as well as conversations with former employees of professional services firms, I have developed some interesting new insights – particularly with respect to cloud security. I’m finding that these firms and individuals possess a wealth of information on industry trends – as well as deep insights into why information technology (IT) buyers are making certain decisions while discarding other ideas.


People sometimes ask where I get my technology market/trends information. And my response is: “from a number of sources.” These sources include:

  1. Client site visits – where I visit enterprise environments and talk with information technology (IT) and line-of-business executives.
  2. Trade shows, where I regularly talk to IT buyers, vendors and channel partners.
  3. Web sources including vendor websites, technical media, user forums and social media.
  4. Briefings from hardware and software vendors.

One important source that I’ve overlooked over the years, however, has been professional service providers. These are the people in the front ranks dealing directly with customer strategies, issues and implementations – and, as such, are an excellent source of trend information.

One Example – BRUNS-PAK

I recently had the opportunity to interview high-level executives at BRUNS-PAK, an Edison, New Jersey-based data center design/deployment organization. BRUNS-PAK has been in the business of designing, engineering, constructing and commissioning advanced computing and technology facilities for almost 35 years. In this time, BRUNS-PAK has implemented more than 5,500 projects in higher education, healthcare, banking/financial, industrial, pharmaceutical, public sector and retail – and has a 98% repeat customer base.

The company has a fully licensed staff of civil, electrical and mechanical engineers, and architects as well as construction project managers, systems specialists, Revit and CADD technicians, and other skilled professionals. The company understands business strategies; it knows how to work with clients to articulate those strategies – and then it builds data centers for its clients based upon present and future computing needs. With this broad customer base – as well as deep skills in technology design and deployment – BRUNS-PAK has excellent insight into enterprise technology decisions. So I asked BRUNS-PAK executives about the obstacles that they are seeing when it comes to cloud computing adoption.

Cloud Computing – My Observations

Before talking to BRUNS-PAK, my general view of the cloud computing market had been:

  • Cloud computing represents a great way to drive down the cost of computing through more efficient use of resources, which leads to better hardware utilization and lower software licensing costs.
  • Due to its very nature (the pooling of unused resources), cloud computing encourages the organization to share. And sharing resources can help break down organizational silos and barriers.
  • There remain two major problems with cloud architecture: 1) how to ensure security across the cloud; and, 2) how to efficiently manage resources (applications and infrastructure) within the cloud.
  • Due primarily to security concerns, most large enterprises have been loath to place mission critical data in public cloud environments.
    • From the data I’ve gathered, it seems that large enterprises believe that it is too risky to let other organizations (such as cloud service providers – or CSPs) handle their business critical and personally identifiable information (PII). Based on major intrusions within enterprise IT organizations at large enterprises including Home Depot, Target and Sony, this is becoming an even bigger issue.
    • There are exceptions. For instance, IBM recently announced that several large enterprises, including Lufthansa and Thomson Reuters, have decided to take advantage of IBM cloud services to run key aspects of their businesses – see this press release. [Disclosure: IBM is a client of Clabby Analytics.]
  • Small and mid-sized firms, however, appear to be more willing to partner with CSPs and more willing to allow those CSPs to service their mission-critical and PII needs.
  • I believe that small and mid-sized firms are more willing to turn to service providers because they cannot find (and in some cases can’t afford) top security talent to run their own IT organizations.

BRUNS-PAK perspective on Cloud Computing

When I asked BRUNS-PAK executives for their view of the cloud market, they concurred with many of my findings - but also added some important new insights on this evolving market:

  • In the hybrid cloud market segment, enterprises large and small are willing to host some of their operations off-premise - particularly certain types of applications (for instance Software-as-a-Service environments such as and some SAP applications). These enterprises are also willing to use off-premise service providers to provide auxiliary computing infrastructure.
  • BRUNS-PAK clients and prospects are concerned with cloud data security and the impact of attacks. These customers worry about the "legal repercussions" of hosting data off-site under the control of a CSP rather than hosting in-house. In late 2014, discussions have centered around "who is liable if the data is remote and is breached?" and, "What is the legal exposure and recovery process for companies that outsource data and applications?"
  • Third-party providers (such as CSPs) are positioning to be "not liable" in the event of a security breach and, in many cases, are not willing to accept responsibility for damages. As a result, customers evaluating CSPs are grappling with issues related to legal exposure and are looking for security guarantees.
  • BRUNS-PAK questions stockholders' reactions to a cloud service model where customers are exposed with no recourse for security breaches, potentially resulting in tens to hundreds of millions of dollars and significant risk for the company's CEO, Board of Directors and CIO.
  • The repercussions of cost, risk and potential loss will become a central issue in 2015. Current third-party providers are being asked to address security issues or risk losing current and potential customers. But providing security guarantees will dramatically change the CSP pricing model, forcing them to increase prices in order to enable them to take on the additional financial risk and legal exposure.

Clabby Analytics approach to research

As stated earlier, I get my market trends data from a number of sources. Formulating opinions then becomes a matter of connecting-the-dots. If I pick up vibes in my conversations with customers, business partners and vendors that indicate that enterprises are reluctant to work with CSPs due to security concerns, I will check with other sources to get more detail and to discover how these issues might be overcome. In this case, I obtained deeper insights from a data center design/deployment firm. This information coupled with my other research sources tells me that BRUNS-PAK's view is correct. I have identified a trend - and have provided analysis of that trend.

My next step will be to arrange interviews with other BRUNS-PAK executives to get their opinions on trends in business analytics, DevOps and mobile computing. I'll be back with more blogs as I complete those interviews. Meanwhile, if you found this helpful (or not), please join the discussion in the comments section. If you want to reach me in a non-public format, my email is


Copyright © 2015 IDG Communications, Inc.
