For channel partners selling public cloud services who’ve worked to overcome customers’ security and compliance fears, Intel Security has good news and bad news.

On the plus side, the company’s second annual cloud security report, released Monday, shows respondents overwhelmingly trust public cloud services and are moving aggressively away from purely on-premises IT — good news for resellers. The average time before respondents expect 80 percent of their IT budgets to be spent on cloud? Just 15 months.

“Twenty-five percent of respondents have all their sensitive corporate data in the cloud,” Raj Samani, Intel Security’s EMEA chief technology officer, told Channel Partners. “We’re really seeing a fundamental shift in how the cloud is perceived, the level of trust, and what they believe the benefits will be.”

Not so encouraging for the channel: Almost 40 percent of cloud services are now commissioned without the involvement of IT — bad news for partners that engage mainly with technology rather than line-of-business leaders.

“Look at one of the tenets of cloud: on demand self-service,” said Samani. “You have multiple departments now almost in competition with IT, saying ‘Well, you’re telling me that it’s going to take six weeks to get this server up, but I can get it up and running in Azure in 15 minutes.’”{ad}

The report, titled “Building Trust in a Cloudy Sky,” is based on responses from 1,400 senior technical professionals directly involved in decision-making for cloud security initiatives and/or working for companies that use cloud services. The survey is global, with 36 percent of respondents based in North America and 27 percent in Europe. Most are in organizations with between 1,001 and 5,000 employees; an additional 28 percent have 501 to 1,000 workers.

The report highlights channel opportunities.

Samani says an ongoing shortage of skilled security professionals is holding back cloud efforts and that, for partners, there’s a clear need for services around the security aspects of migrating data to cloud — no matter what line-of-business leads think.

“We have an industry that believes the fact you’re using a third-party provider means you don’t need as many security skills,” he says. “Actually, it’s the complete opposite. The lack of skills has slowed adoption.”

Samani says Intel Security sees a need for partners who can walk in and help customers classify data, do risk assessments to determine which controls are required and set up a process for secure migration.

“Do you have people who can support your customer in moving toward the cloud?” he asks. “And once they’re in the cloud, that will probably require …

{vpipagebreak}

… a new set of skills.”

Among them: access control, TCO analysis, even spinning up a CSP business.

Brokers Need Brokers

Sixty-five percent of respondents say the shadow IT phenomenon is interfering with their ability to keep data secure — a real problem considering that most store sensitive information in the cloud and that 52 percent have definitively tracked malware as coming from a SaaS application. Gartner predicts that, by 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources, and Intel Security says user credentials, especially for administrators, will be the most likely form of attack.

Given that, Samani says he expects cloud access security brokers (CASBs) to become more ubiquitous than firewalls thanks to their ability to restore control. CASB technology enforces a customer’s policies on cloud use by, for example, requiring two-factor authentication, checking a device for malware, enforcing encryption and more. CASBs may be hosted on premises or in the cloud.{ad}

Use of hybrid cloud among respondents increased from 19 percent to 57 percent, and on average, 52 percent of respondents’ servers are virtualized, 80 percent are using containers and most expect to convert to a fully software-defined data center within two years.  

“The fact that [hybrid use is] moving at such a rate is significant,” said Samani. “This has ramifications for everyone.”

He says VARs are especially on notice.

“In 12 months’ time, when 80 percent of your customers phone you up and say, ‘Thanks for providing us with all this hardware, all this equipment, but we won’t be coming back to you again,’ you can’t turn around and say you weren’t warned,” he said.

ABCs of TCO

Samani called out a seemingly conflicting finding: While 59 percent say a public cloud is more likely to deliver lower total costs, 25 percent say high costs and fees/poor value are a significant concern.

“There should not be sticker shock,” said Samani. “That should be part of the due diligence process — not just the security requirements or the availability requirements, but …

{vpipagebreak}

… also the financial requirements.” Customers should know what a given service will cost over three to five years in the cloud versus in-house, and partners can help with that analysis.

CSP: Room for Growth

We asked Samani, who recently launched the No More Ransom project on AWS, whether he sees setting up as a CSP, possibly offering a specialized or vertical-specific service, as a viable option today.

“Absolutely,” he said. “It’s a phenomenal business model. Even different departments within a company will have different compliance requirements. There is a business need, and there is a market, for you being a specialist.”{ad}

Don’t be dissuaded by the current dominance of the Big 3 cloud providers.

“If I said to you 15 years ago that the biggest cloud-technology companies would be someone who sells books, somebody that sells you a word processor, and somebody that’s a search engine, you’d have locked me up,” he said. “That’s the wonderful thing about our industry: It is fluid, it is changing, and there are opportunities for people who can think differently.”

If you’re at RSA today, Samani will present a session titled, “Security in the Cloud: Evolution or Revolution,” at 2 p.m. PT, at the Marriott Marquis.

Follow editor in chief @LornaGarey on Twitter.