As the “as-a-service” cloud model revolutionizes the way businesses of all sizes use technology, a study released by AppDirect reveals that SMBs are eagerly adopting infrastructure as a service (IaaS) and that they prefer to purchase solutions from resellers.
The report also found that 72% of SMBs already run most of their workloads in the cloud, and that eight out of 10 plan to increase their IaaS spend over the next three years.
SMBs increasingly using IaaS solutions
For years, SMBs have been eager SaaS adopters. Now, as their understanding of—and comfort with—the public cloud has increased, many SMBs are adopting IaaS solutions to manage critical parts of their businesses.
Small businesses already spend more than $60 billion on IaaS, a figure that is set to reach more than $90 billion by 2023.
“As-a-service solutions have been a game-changer for SMBs, giving them access to enterprise-grade technology that levels the playing field, and IaaS is no different,” said Dan Saks, co-CEO of AppDirect.
“Our report shows that SMBs are eager to adopt IaaS, but they want trusted partners to help them scale the solutions that are best for their businesses. There’s a huge IaaS opportunity for IaaS resellers who offer the products and ease of use that SMBs want.”
SMB spending is on the rise
Just 20% of SMBs say they will hold spending at current levels, while 80% plan to increase IaaS purchasing over the next three years. Many are starting to shop around for the best products and deals, with 69% of SMBs buying from multiple providers to get better pricing.
Others also pursue a multi-vendor strategy to diversify their technology (41%) or find the products that best suit their needs.
Resellers are valuable partners
Businesses have two main options to purchase IaaS services – going directly to a provider or working with a reseller. They prefer working with resellers by nearly a 20-point margin—59% vs 41%—primarily for the more personalized attention that resellers offer.
In fact, resellers have the edge in almost every area measured, including trust, support, understanding business needs, and flexibility. Providers came out ahead only on pricing and discounting options.
Challenges for resellers in gearing up to serve SMBs
SMBs prefer to purchase from multiple providers. However, resellers are experiencing significant obstacles to a multi-provider strategy. Lack of skilled staff (82%) is the biggest challenge, followed by provider exclusives (46%).
With most SMBs looking to spend more on IaaS, resellers who balance investing in additional personnel and platform technology that can streamline IaaS provider onboarding and management are likely to see a return on their efforts to reach SMBs.
Many resellers seem to recognize this fact. 56% of resellers plan to increase their investment in selling to SMBs over the next three years.
It was an accomplishment for the ages: within just a couple of days, IT departments hurriedly provided millions of newly homebound employees online access to the data and apps they needed to remain productive.
Some employees were handed laptops as they left the building, while others made do with their own machines. Most connected to their corporate services via VPNs. Other companies harnessed the cloud and software and infrastructure services (SaaS, IaaS).
Bravo, IT! Not only did it all work, businesses and employees both saw the very real benefits of remote life, and that egg is not going back into the shell. Many won’t return to those offices and will continue to work from home.
But while immediate access challenges were answered, this was not a long-term solution.
Let’s face it, because of the pandemic a lot of companies were caught off guard with insufficient plans for data protection and disaster recovery (DR). That isn’t easy in the best of times, never mind during a pandemic. Even those with effective strategies now must revisit and update them. Employees have insufficient home security. VPNs are difficult to manage and provision, perform poorly and are hard to scale. And, IT’s domain is now stretched across the corporate data center, cloud (often more than one), user endpoints and multiple SaaS providers.
There’s a lot to do. A plan that fully covers DR, data protection and availability is a must.
There are several strategies for protecting endpoints. First off, if employees are using company-issued machines, there are many good mobile machine management products on the market. Sure, setting up clients for a volume of these will be a laborious task, but you’ll have peace of mind knowing data won’t go unprotected.
Another strategy is to create group policies that map the Desktop and My Documents folders directly to the cloud file storage of your choice, no matter if it’s Google Drive, OneDrive, Dropbox or some other solution. That can simplify file data protection but its success hinges on the employee storing documents in the right place. And if they keep them on their desktop, for example, they’re not going to be protected.
And right there is the rub with protecting employee machines – employees are going to store data on these devices. Often, insecure home Internet connections make these devices and data vulnerable. Further, if you add backup clients and/or software to employee-owned machines, you could encounter some privacy resistance.
Remote desktops can provide an elegant solution. We’ve heard “this is the year of virtual desktop infrastructure (VDI)” for over a decade. It’s something of a running joke in IT circles, but you know what? The current scenario could very well make this the year of remote desktops after all.
VDI performance in more sophisticated remote desktop solutions has greatly improved. With a robust platform configured properly, end-users can’t store data on their local machines – it’ll be safely kept behind a firewall with on-premises backup systems to protect and secure it.
Further, IT can set up virtual desktops to prevent cut and paste to the device. And because many solutions don’t require a client, it doesn’t matter what machine an employee uses – just make sure proper credentials are needed for access and include multi-factor authentication.
Pain in the SaaS
As if IT doesn’t have enough to worry about, there’s a potential SaaS issue that can cause a lot of pain. Most providers operate under the shared responsibility model. They secure infrastructure, ensure apps are available and data is safe in case of a large-scale disaster. But long-term, responsibility for granular protection of data rests on the shoulders of the customer.
Unfortunately, many organizations are unprepared. A January 2020 survey from OwnBackup of 2,000 Salesforce users found that 52% are not backing up their Salesforce data.
What happens if someone mistakenly deletes a Microsoft Office 365 document vital for a quarterly sales report and it’s not noticed for a while? Microsoft automatically empties recycle bin data after 30 days, so unless there’s a backup in place, it’s gone for good.
Backup vendors provide products to protect data in most of the more common SaaS services, but if there’s not a data protection solution for one your organization is using, make data protection part of the service provider’s contract and insist they regularly send along copies of your data.
When it comes to a significant disaster, highly distributed environments can make recovery difficult. The cloud seems like a clear choice for storing DR and backup data, but while the commodity cloud providers make it easy and cheap to upload data, costs for retrieval are much higher. Also, remember that cloud recovery is different from on-prem, requiring expertise in areas like virtual machines and user access. And, if IT is handling cloud directly and has issues, keep in mind that it could be very difficult getting support.
During a disaster, you want to recover fast; you don’t want to be creating a backup and DR strategy as the leadership grits their teeth due to downtime. So, set your data protection strategy now, be sure each app is included, follow all dependencies and test over and over again. Employees and data may be in varied locations, so be sure you’re completely covered so your company can get back in the game faster.
While IT pulled off an amazing feat handling a rapid remote migration, to ensure your company’s future, you need to be certain it can protect data, even outside of the corporate firewall. With a backup and DR strategy for dispersed data in place, you’ll continue to be in a position to make history, instead of fading away.
After five months in beta, the GitHub Code Scanning security feature has been made generally available to all users: for free for public repositories, as a paid option for private ones.
“So much of the world’s development happens on GitHub that security is not just an opportunity for us, but our responsibility. To secure software at scale, we need to make a base-level impact that can drive the most change; and that starts with the code,” Grey Baker, GitHub’s Senior Director of Product Management, told Help Net Security.
“Everything we’ve built previously was about responding to security incidents (dependency scanning, secret scanning, Dependabot) — reacting in real time, quickly. Our future state is about fundamentally preventing vulnerabilities from ever happening, by moving security core into the developer workflow.”
GitHub Code Scanning
The Code Scanning feature is powered by CodeQL, a powerful static analysis engine built by Semmle, which was acquired by GitHub in September 2019.
“We want developers to be able to use their tools of choice, for any of their projects on GitHub, all within the native GitHub experience they love. We’ve partnered with more than a dozen open source and commercial security vendors to date and we’ll continue to integrate code scanning with other third-party vendors through GitHub Actions and Apps,” Baker noted.
“The major value add here is that developers can work, and stay within, the code development ecosystem to which they’re most accustomed while using their preferred scanning tools,” explained James Brotsos, Senior Solutions Engineer at Checkmarx.
“GitHub is an immensely popular resource for developers, so having something that ensures the security of code without hindering agility is critical. Our ability to automate SAST and SCA scans directly within GitHub repos simplifies workflows and removes tedious steps for the development cycle that can traditionally stand in the way of achieving DevSecOps.”
Checkmarx’s SCA (software composition analysis) helps developers discover and remedy vulnerabilities within open source components that are being included in the application, and prioritize them based on severity. Checkmarx SAST (static application security testing) scans proprietary code bases – even uncompiled – to detect new and existing vulnerabilities.
“This is all done in an automated fashion, so as soon as a pull request takes place, a scan is triggered, and results are embedded directly into GitHub. Together, these integrations paint a holistic picture of the entire application’s security posture to ensure all potential gaps are accounted for,” Brotsos added.
Leon Juranic, CTO at DefenseCode, said that they are very excited by this initiative, as it provides access to security analysis to more than 50 million GitHub users.
“Having the security analysis results displayed as code scanning alerts in GitHub provides a convenient way to triage and prioritize fixes, a process that could be cumbersome, usually requiring scrolling through many pages of exported reports, going back and forth between your code and the reported results, or reviewing them in dashboards provided by the security tool. The ease of use now means you can initiate scans, view, fix, and close alerts for potential vulnerabilities in your project’s code in an environment that is already familiar and where most of your other workflows are done,” he noted.
A week ago, GitHub also announced additional support for container scanning and standards and configuration scanning for infrastructure as code, with integration by 42Crunch, Accurics, Bridgecrew, Snyk, Aqua Security, and Anchore.
The benefits and future plans
“We expect code scanning to prevent thousands of vulnerabilities from ever existing, by catching them at code review time. We envisage a world with fewer software vulnerabilities because security review is an automated part of the developer workflow,” Baker explained.
“During the code scanning beta, developers fixed 72% of the security errors found by CodeQL and reported in the code scanning pull request experience. Achieving such a high fix rate is the result of years of research, as well as an integration that makes it easy to understand each result.”
Over 12,000 repositories tried code scanning during the beta, and another 7,000 have enabled it since it became generally available, he says, and the reception has been really positive, with many highlighting valuable security finds.
“We’ll continue to iterate and focus on feedback from the community, including around access control and permissions, which are of high priority to our users,” he concluded.
The worldwide public cloud services market, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), grew 26% year over year in 2019 with revenues totaling $233.4 billion, according to IDC.
Spending continued to consolidate in 2019 with the combined revenue of the top 5 public cloud service providers (Amazon Web Services, Microsoft, Salesforce.com, Google, and Oracle) capturing more than one third of the worldwide total and growing 36% year over year.
“Cloud is expanding far beyond niche e-commerce and online ad-sponsored searches. It underpins all the digital activities that individuals and enterprises depend upon as we navigate and move beyond the pandemic,” said Rick Villars, group vice president, Worldwide Research at IDC.
“Enterprises talked about cloud journeys of up to ten years. Now they are looking to complete the shift in less than half that time.”
Public cloud services market has doubled since 2016
The public cloud services market has doubled in the three years since 2016. During this same period, the combined spending on IaaS and PaaS has nearly tripled. This highlights the increasing reliance on cloud infrastructure and platforms for application deployment for enterprise IT internal applications as well as SaaS and digital application delivery.
Spending on IaaS and PaaS is expected to continue growing at a higher rate than the overall cloud market over the next several years as resilience, flexibility, and agility guide IT platform decisions.
“Today’s economic uncertainty draws fresh attention to the core benefits of IaaS – low financial commitment, flexibility to support business agility, and operational resilience,” said Deepak Mohan, research director, Cloud Infrastructure Services.
“Cost optimization and business resilience have emerged as top drivers of IT investment decisions and IaaS offerings are designed to enable both. The COVID-19 disruption has accelerated cloud adoption with both traditional enterprise IT organizations and digital service providers increasing use of IaaS for their technology platforms.”
“Digitizing processes is being prioritized by enterprises in every industry segment and that is accelerating the demand for new applications as well as repurposing existing applications,” said Larry Carvalho, research director, Platform as a Service.
“Modern application platforms powered by containers and the serverless approach are providing the necessary tools for developers in meeting these needs. The growth in PaaS revenue reflects the need by enterprises for tools to accelerate and automate the development lifecycle.”
“SaaS applications remain the largest segment of public cloud spending with revenues of more than $122 billion in 2019. Although growth has slowed somewhat in recent years, the current crisis serves as an accelerator for SaaS adoption across primary and functional markets to address the exponential growth of remote workers,” said Frank Della Rosa, research director, SaaS and Cloud Software.
The combined IaaS and PaaS market
A combined view of IaaS and PaaS spending is relevant because it represents how end customers consume these services when deploying applications on public cloud. In the combined IaaS and PaaS market, Amazon Web Services and Microsoft captured more than half of global revenues.
But there continues to be a healthy long tail, representing over a third of the market. These are typically companies with targeted use case-specific PaaS offerings. The long tail is even more pronounced in SaaS, where nearly three quarters of the spending is captured outside the top 5.
67% of IT leaders say at least half of their spend is now controlled by individual business units, in a report from IDG Connect and Snow Software.
While most believe this is beneficial for their organization, it presents new challenges when combined with increased cloud usage – 56% of IT leaders are concerned with hidden cloud costs and nearly 90% worry about the prospect of vendor audits within cloud environments.
The survey, conducted to understand how the rise of infrastructure-as-a-service (IaaS) and democratized IT spending is impacting businesses, found that more than half of IT leaders expressed the need to gain better visibility of their IT assets and spending across their organization.
Business units control a large share of tech spend, which is a mixed bag
Traditionally, technology purchasing and management was controlled by IT departments. The cloud and as-a-service models shifted this dynamic, enabling employees throughout the organization to easily buy and use technology without IT’s involvement.
IT leaders are embracing this trend, with 78% reporting that the shift in technology spending is a positive for their organizations. But decentralized IT procurement also creates new complexities for organizations as they try to manage their increasingly diverse IT estates.
The IT leaders in the study voiced concern that the shift in spending to business units:
- Increases the risk to data security
- Increases the threat of non-compliance
- Leaves cloud spending spiraling out of control
- Makes audit preparation more time-consuming and complex
In fact, 78% said audit preparation is growing increasingly complex and time consuming.
Executives are justified in worrying about audits
Results suggest that annual audits are now the rule rather than the exception – 73% of those surveyed said they have been audited by at least one software vendor in the past 12 months.
When asked which vendors they had been audited by within the last year, 60% said Microsoft, 50% indicated IBM and 49% pointed to SAP. Such enterprise software audits can put a tremendous strain on internal resources and result in six, seven and even eight-figure settlement bills.
The vast majority of IT leaders surveyed said they are concerned about the looming possibility of audits, specifically when it comes to IaaS environments. When asked if the thought of software vendor audits for licensed usage on the IaaS front worries them, 60% responded “yes, very much so” and 29% said they are somewhat concerned.
The roles and requirements for IT have changed
Survey respondents also voiced concern that with decentralized IT spending within their organizations, they will be held responsible for something they currently can’t control. 59% said that in the next two years they need to gain better visibility of the IT estate.
Just slightly less than that (52%) said in that same timeframe, they would have to obtain an increased understanding of who is spending what on IT within the larger organization.
“As the research highlights, the shift to cloud services coupled with democratized technology spend is fundamentally changing the way businesses and IT leaders need to operate,” said Sanjay Castelino, Chief Product Officer at Snow Software.
“Empowering business units to get the technology they need is largely a positive development, but it creates challenges when it comes to visibility and control – and that can put organizations at risk of having problematic audits.
“It is more important than ever for organizations to have complete insight and manageability across all of their technology in the IT ecosystem.”
The report is based on a survey, conducted by IDG Connect, of 450 IT managers in Germany, the U.K. and the U.S. These individuals come from organizations with 1,000 or more employees in sectors such as financial services, computer services and retail businesses, and 65% of the survey group hold C-level positions.