The question of whether to move on-premises software to the cloud has been relevant for several years. In the past, every year a few more enterprises migrated to the cloud, but that changed significantly in 2020 when organizations faced the effects of the COVID-19 pandemic. Many enterprises decided to transform their IT landscape from on-premises to cloud- based software, accelerated by the pandemic. Understanding this transition through the lens of the technology acceptance model provides insights for all IT professionals and comes with implications for IT security and auditing.
Background
On-premises software is software “located within the physical confines of an enterprise often in the company’s data center.”1 This implies that everything related to the software, such as the data center and server infrastructure, is housed and maintained by the enterprise, even though software support may come from vendors outside of the enterprise.
Some enterprises purchase on-premises software, often incurring high initial costs due to both the software license and the required infrastructure.2 Software providers also charge additional fees for support and services. In the past, some enterprises calculated that the total cost of on-premises software ownership was lower than using cloud-based software. This was often the case for enterprises that customized their software, which is not as easy to do in the cloud.3
In cloud-based software, the alternative to on- premises software, software is provided as a service. According to the Institute of Electrical and Electronics Engineers (IEEE), cloud computing empowers “service providers by facilitating efficient resource management in data centers.”4 Software as a Service (SaaS) enables the consumer to access the software without having to host or support it. The consumer (or enterprise) connects to the software application via the Internet. The platform layer and the infrastructure layers required to host and service the software are invisible to the consumer.5
Only 20 percent of EU enterprises used cloud-based services in 2014 through 2016. This increased slightly to 25 percent in 2018, but it still means that only one in four EU enterprises reported using the cloud (figure 1).6
One explanation for this slow movement toward cloud services is provided by the technology acceptance model (figure 2).7 People and enterprises consider external variables (e.g., risk of outages, recovery costs) to determine a technology’s perceived usefulness and perceived ease of use. These perceptions influence their attitudes toward the technology and their intentions to use that technology. The final outcome is that either they use the technology or they do not. The key to the acceptance of cloud services may, therefore, lie in external variables and how people view the usefulness and ease of use of those services.
Cloud Service Pros and Cons
The benefits and costs associated with moving software services to the cloud have been discussed by many.8 Figure 3 summarizes the pros and cons of this migration.
Payment Options
Cloud service (i.e., SaaS, Desktop as a Service [DaaS], Infrastructure as a Service [IaaS], Platform as a Service [PaaS]) offerings often take the form of subscription models, with regular payments. Sometimes this allows enterprises to bill these payments as operational expenditures rather than capital expenditures (as required for on-premises software purchases). This may lead to tax benefits. In addition, enterprises can save money by not investing in infrastructure and maintenance, which are usually included in the subscription price.
Elasticity
The cloud’s elasticity can also result in cost savings, as enterprises can turn virtual machines on and off as needed. In the cloud, it is possible to pay only for what is used. In contrast, with on-premises software, the enterprise must pay for the infrastructure and pay the rent where that infrastructure is located. It can be extremely difficult to move on-premises software applications to the cloud because cloud applications have different architectures that enable the software’s elasticity. Enterprises can save money by choosing the cloud9 when using the correct techniques and tools to provide elasticity in services. However, this is not guaranteed, especially if the administrator executing the transfer is not a cloud expert.
Deployment
Cloud deployment can be private, community, public or hybrid. In a private cloud, only one enterprise has access to a defined space of infrastructure. The private cloud is managed either by the enterprise or by a third party.10 A private cloud is often used by enterprises or business units that do not fully trust the vendor’s security models.
A community cloud is a deployment model in which two or more enterprises with common interests share infrastructure. The infrastructure is managed either by a member of the community or by a third party that every community member trusts.
In a public cloud, infrastructure is offered to the general public. It is managed and maintained by the vendor and is available only on the vendor’s premises.
A hybrid cloud consists of an arrangement of cloud-based and on-premises infrastructures that can communicate with each other. In a hybrid cloud, any of the other cloud models can be used.
The ability to select the type of cloud deployment can be seen as a positive variable in terms of perceived usefulness. However, the need to choose a deployment option can also be viewed as a detriment because it means making decisions that change what is already in place.
Integration and Extension
Cloud integration and extension possibilities for on- premises software are highly dependent on the platform the software is running on, which determines run times and software deployments. On-premises software’s ability to integrate is limited because it is only partially possible to scale in an onsite data center (e.g., the capacity for inquiries is limited). Platforms hosted in the cloud can handle thousands of inquiries due to their hyperscaling technologies, which means they are more communicative, even with other foreign systems.11 It is possible for both on-premises and cloud-based software to integrate and extend, but the cloud has an advantage.
With a hybrid cloud model, an enterprise can store its information in an on-premises database, while performing data processing and calculations in the cloud. This arrangement can offer the best of both worlds.
On-premises software’s ability to integrate is limited because it is only partially possible to scale in an onsite data center.
Security
Security has become more important due to the high costs associated with data leaks and hacks in recent years. Because of these attacks, cybersecurity has become a highly visible topic, and enterprises now recognize the importance of protecting themselves through investments in security. On-premises software and the cloud have very different architectures, and when it comes to security, there are many different opinions. According to a chief technology officer at Microsoft, huge security costs need to be calculated for both cloud and on-premises data centers, and “having a data center on premise has little to do with securing against cybersecurity threats.”12
Another aspect regarding security in the cloud is the data’s residency, which is:
[T]he set of issues and practices related to the location of data and metadata, the movement of (meta)data across geographies and jurisdictions, and the protection of that (meta)data against unintended access and other location-related risks.13
Cloud vendors, enterprises and end users are affected by data residency requirements. Cloud vendors and enterprises that are buying the cloud services must adapt to local regulations and constraints. They can get into legal trouble by using cloud services for processing and storing data in another geographical region because local laws may conflict with regard to individual and organization privacy. For many enterprises, it gets complicated to understand and to be compliant with other countries’ laws regarding data.14 Cloud vendors such as Amazon Web Services and Microsoft Azure provide transparent information about how customers can handle the data residency regulations by using their offered services.15, 16
On-premises software needs to be as well protected as the cloud is, but this is difficult to achieve because many enterprises fail to invest much money in cybersecurity. The economies of scale play a big role in cloud security. Enterprises providing cloud services can invest more in security. Enterprises that run their software in the cloud assign the responsibility for security to the vendor. Innovations in cybersecurity can be adopted much faster in the cloud, and “with their huge scale, the larger platforms are much better able to maintain state of art capabilities and invest in costly cybersecurity operations centers equipped with high-end, real-time data analytics.”17
For on-premises software, data residency regulations are not as important because many enterprises do not have multiple data centers in different geographic locations, and most of their data are not processed in other countries with different laws. Internationally distributed enterprises still need to care about the different policies from different countries.
Security can be seen as either a pro or a con, based on the perceived usefulness of cloud security or the perception of how easy it is to move security functions to the cloud. Because cloud vendors offer the newest technologies, they may include security threats that have not evolved or have not been discovered. These security threats need to be considered by any enterprise thinking about moving its software to the cloud. Transferring information systems to another infrastructure is risky, and many security analyses need to be done before deciding to migrate.18 When storing data internationally, enterprises must consider data residency requirements, both for using the cloud and on-premises software.
The economies of scale play a big role in cloud security.
Migration
Migration to the cloud is a highly complex and often unique process, as organizational data are usually very specific to the enterprise. There are often no standard cloud migration processes, and the procedure is dependent on the knowledge of the expert leading the migration.19
Migration to the cloud comes with risk. For example, additional latency due to a distant data center where the cloud service is hosted may lead to poor performance and greater costs caused by lost time. Another factor to consider before migrating is the possibility of data loss due to missing data backups or transferring data incorrectly.20 These risk factors are some of the most common arguments against using the cloud.
Using the technology acceptance model to explain the slow migration to the cloud has revealed that although there appear to be financial and scalability benefits that add to the cloud’s perceived usefulness, the difficulty of migration and loss of control may be seen as detriments. At least this was the case before 2020. Recent reports show that 37 percent of EU enterprises used cloud services in 2020—an increase of 12 percentage points from 2018. Corroborating this increase in cloud service usage is the revenue growth of cloud vendors. Figure 4 presents the revenue numbers from SAP,21 Amazon Web Services (AWS),22 Rackspace,23 Microsoft Intelligent Cloud,24 Google25 and Salesforce,26 based on their annual reports.
Synergy Research Group’s 2020 report supports these findings by showing that enterprise spending on cloud infrastructure services jumped 35 percent in 2020 to reach US$130 billion. In contrast, enterprise spending on data center hardware and software dropped 6 percent, to less than US$90 billion during the same period.27 Understanding why these changes occurred may be beneficial.
COVID-19’s Influence on Cloud Migration
The COVID-19 pandemic forced many enterprises to allow their employees to work from home. It could be argued that this increased the use of cloud services, as more people needed to access software over the Internet. Because this happened spontaneously and unexpectedly, many enterprises likely decided to buy cloud services rather than invest in internal infrastructure that their employees could access from home,28 which may have heavily influenced the perceived usefulness of the cloud.
In a survey of 750 organizations, 90 percent reported that their cloud usage was higher than planned during the pandemic, and 29 percent stated that it was significantly higher than expected (figure 5). This trend was similar among all enterprises and small and medium-sized businesses (SMBs).29
Another potential factor in increased cloud usage was a shortage of computer hardware, which made it difficult for enterprises dependent on those supply chains to maintain their on-premises software’s infrastructure.30 Migration to the cloud could solve this problem because the provider guarantees availability, which could also impact the cloud’s perceived usefulness.
Furthermore, the use of cloud-based applications for virtual meetings increased significantly during the pandemic. For example, Zoom had 10 million daily meeting participants in 2019. That number increased to 200 million in March 2020 and to 300 million in April 2020. By the end of 2020, Zoom had 350 million daily meeting participants.31 Zoom’s business customers increased from 82,000 in 2019 to 470,100 in 2020. Microsoft saw a similar increase in the use of its product Microsoft Teams, which is also available as a SaaS.32 These numbers indicate that the cloud’s perceived ease of use was positively impacted.
The COVID-19 pandemic has certainly acted as an enabler for cloud migration. Although the risk of migrating to the cloud was the same in 2020 as it was in previous years, cloud migrations and adoptions increased. The pandemic caused individuals to change their perception of the cloud’s usefulness and ease of use.
Cloud service providers (CSPs) could mitigate many concerns about migration if they were able to demonstrate to new users a process that facilitates such migration.
What Next?
It is important to determine what cloud migration means from an information security and audit standpoint, as it appears that more enterprises will be migrating to the cloud in the near future. Enterprises contemplating the use of cloud services and SaaS providers should follow the technology acceptance model to focus on two major areas: cloud services’ perceived ease of use and perceived usefulness.
In the past, cloud services’ perceived ease of use has encountered two major stumbling blocks: migration issues and security concerns. Concerns regarding cybersecurity risk could already be mitigated by system and organization controls and system and organization controls for cybersecurity. These audits are performed by certified public accountants (CPAs).33 By providing cybersecurity audits, cloud vendors offer transparent overviews about the security of their services. The system and organization controls and system and organization controls for cybersecurity also help offer a framework to measure, address and monitor cybersecurity risk.34
It is hoped that as more enterprises migrate to the cloud, more stable and reliable migration processes will be developed. Cloud service providers (CSPs) could mitigate many concerns about migration if they were able to demonstrate to new users a process that facilitates such migration. The use of artificial intelligence (AI) could be especially beneficial if common problems and pitfalls could be identified as routine issues rather than unique anomalies that only the brightest and cleverest programmers can solve.
Similarly, CSPs could strive to make security a benefit rather than a concern. Solving security issues at the macro level and then sharing that information with potential clients could encourage them to see the cloud as a security provider.
The cloud’s perceived usefulness also suffers in two areas: security and auditing. Although it is true that cloud security will never be able to protect all on-premises devices, it can be used to protect the most valuable parts of the system (i.e, data). CSPs should continue to demonstrate the security benefits of storing information and processing transactions in the cloud.
As the COVID-19 pandemic rapidly disrupted organization and processes, flexibility and scalability seemed to be the key arguments for migrating to the cloud.
Many of those who have delayed migrating to the cloud believe that it does not allow systems to be easily audited. This may be a fallacy that cloud CSPs can readily address. CSPs should either develop or strengthen their processes to facilitate audits, and they should be very transparent about these processes to ensure that customers do not see the service as a magic black box. Just as security can often be managed more efficiently due to the scale of operations in the cloud, audit procedures and interfaces can be developed and marketed as benefits to potential users, especially if they understand the service’s internal processes and procedures.
One final factor in the acceptance of the cloud is that it is an individual and organizational decision. Just because the organization decides to implement a cloud-based solution does not guarantee that every individual in the organization is going to accept the change and fully use the new technology. There may be reluctant users who drag their feet and others who refuse, to the greatest extent that they are allowed, to accept the new technology. This can make the implementation of cloud-based services problematic. Developing a culture that encourages the acceptance of technology is difficult. Creating open procedures for implementation, listening to concerns about perceived usefulness and ease of use, supporting the movement to use new systems, and providing training will provide support to members of the enterprise and boost their proficiency in using the service.
Conclusion
Migrating to the cloud seems to be the future for most software services, and the COVID-19 pandemic may have been the impetus needed to push these services into a self-sustaining orbit. The coming months and years will certainly bring many more problems and roadblocks; therefore, it is more important than ever to stop treating each migration as a unique event that can be accomplished only by the cleverest programmers. Migration to the cloud must be easy, seamless and transparent to overcome its past lack of acceptance.
The cloud offers many deployment possibilities. Enterprises that want to store their data on their own infrastructure can do so, while processing those data in the cloud. As the COVID-19 pandemic rapidly disrupted organization and processes, flexibility and scalability seemed to be the key arguments for migrating to the cloud.
The COVID-19 pandemic has accelerated the move toward the cloud. It is now up to implementers and CSPs to establish processes that allow easier implementation, supported by stronger security, and audit portals to increase the cloud’s perceived usefulness and ease of use.
Endnotes
1 Stroud, F.; “On-Premises,” Webopedia, 22 September 2021, https://www.webopedia.com/definitions/on-premises/
2 Harvey, C.; “Cloud vs. On-Premise Software: The Cloud Debate,” Datamation, 8 March 2018, https://www.datamation.com/cloud/cloud-vs-on-premise-software-the-cloud-debate/
3 Ibid.
4 Ray, P. P.; “An Introduction to Dew Computing: Definition, Concept and Implications,” IEEE Access, vol. 6, 2018, https://ieeexplore.ieee.org/document/8114187
5 Mell, P.; T. Grance; The NIST Definition of Cloud Computing, National Institute of Standards and Technology (NIST), USA, 2011
6 Eurostat, “Cloud Computing Services,” 23 September 2021, https://ec.europa.eu/eurostat/databrowser/view/isoc_cicce_use/default/table?lang=en
7 Davis, F. D.; “Perceived Usefulness, Perceived Ease of Use, and User Acceptance of Information Technology,” MIS Quarterly, vol. 13, iss. 3, 1989
8 Op cit Harvey
9 Wray, J.; “Where’s the Rub: Cloud Computing’s Hidden Costs,” Forbes, 27 February 2014, https://www.forbes.com/sites/centurylink/2014/02/27/wheres-the-rub-cloud-computings-hidden-costs/?sh=1192ba915f00
10 Op cit Mell and Grance
11 Troup, E. G.; “Growing Role of Platforms in Cybersecurity,” Cyber Defense Review, vol. 2, iss. 1, 2017, https://www.jstor.org/stable/26267401?seq=1#metadata_info_tab_contents
12 Ibid.
13 Baudoin, C. R.; "The Impact of Data Residency on Cloud Computing," 32nd International Conference on Advanced Information Networking and Applications Workshops (WAINA), 2018
14 Ibid.
15 Azure, “Enabling Data Residency and Data Protection in Microsoft Azure Regions”, 28 October 2021, https://azure.microsoft.com/en-us/resources/achieving-compliant-data-residency-and-security-with-azure/
16 Amazon Web Services, “Data Residency AWS Policy Perspectives”, 28 October 2021, https://d1.awsstatic.com/whitepapers/compliance/Data_Residency_Whitepaper.pdf
17 Ibid.
18 Douligeris, C.; N. Polemi; A. Karantjias; W. Lamersdorf; Collaborative, Trusted and Privacy-Aware e/m-Services, 12th IFIP WG 6.11 Conference on e-Business, e-Services, e-Society 13E 2013, Springer-Verlag, Greece, 2013
19 Pahl, C.; H. Xiong; R. Walshe; A Comparison of On- Premise to Cloud Migration Approaches, Dublin City University, Ireland, 2013
20 Malvi, K.; “Cloud Migration—Benefits, Risks and How to Avoid Them,” Mind Inventory, 2021, https://www.mindinventory.com/blog/cloud-migration-benefits-and-risks/
21 SAP, SAP Financial Reports and Presentations, 2021, https://www.sap.com/investors/en/reports.html?sort=latest_desc&tab=reports
22 Amazon, Annual Reports, Proxies and Shareholder Letters, 2021, https://ir.aboutamazon.com/annual-reports-proxies-and-shareholder-letters/default.aspx
23 Rackspace Technology, Investor Relations, https://ir.rackspace.com/
24 Microsoft, Annual Reports, 2021, https://www.microsoft.com/en-us/Investor/annual-reports.aspx
25 Alphabet, Alphabet Investor Relations, 2021, https://abc.xyz/investor/
26 Salesforce, Financial Reports, 2021, https://investor.salesforce.com/financials/default.aspx
27 Synergy Research Group, “2020—The Year That Cloud Service Revenues Finally Dwarfed Enterprise Spending on Data Centers,” 18 March 2021, https://www.srgresearch.com/articles/2020-the-year-that-cloud-service-revenues-finally-dwarfed-enterprise-spending-on-data-centers
28 Alashhab, Z. R.; M. Anbar; M. M. Singh; Y. Leau; Z. A. Al-Sai; S. A. Alhayja’a; “Impact of Coronavirus Pandemic Crisis on Technologies and Cloudcomputing Applications,” Journal of Electronic Science and Technology, vol. 19, iss. 1, 2021, https://www.sciencedirect.com/science/article/pii/S1674862X20300665
29 Flexera, 2021 State of the Cloud Report, USA, 2021, https://info.flexera.com/CM-REPORT-State-of-the-Cloud?lead_source=Website%20Visitor&id=Blog#download
30 Segal, E.; “Worsening Computer Chip Crisis Shows Supply Chains Are Still at Risk,” Forbes, 12 July 2021, https://www.forbes.com/sites/edwardsegal/2021/07/12/worsening-computer-chip-crisis-shows-supply-chains-are-still-at-risk/
31 Iqbal, M.; “Zoom Revenue and Usage Statistics (2021),” Business of Apps, 2 September 2021, https://www.businessofapps.com/data/zoom-statistics/
32 Curry, D.; “Microsoft Teams Revenue and Usage Statistics (2021),” Business of Apps, 29 July 2021, https://www.businessofapps.com/data/microsoft-teams-statistics/
33 Aulakh, M., “SOC1, 2, and 3 Audit Reports, and Why You Need One,” Infosecurity Magazine, 2019, https://www.infosecurity-magazine.com/opinions/soc-audit-reports/
34 Al-Moshaigeh, A.; D. Dickins; J. Higgs; “Cybersecurity Risks and Controls: Is the AICPA’s SOC for Cybersecurity a Solution?” The CPA Journal, July 2019, https://www.cpajournal.com/2019/07/08/cybersecurity-risks-and-controls/
Lukas Werner
Is a vocational training student at SAP SE, the market leader for enterprise resource planning (ERP) software, in Walldorf, Germany. He has completed several internships in the consulting and development departments there, including the Customer Office for the SAP Business Technology Platform, where he worked on enterprise transformations to the cloud.
Gerald F. Burch, PH.D.
Is a visiting professor at the University of West Florida (Pensacola, Florida, USA). His primary areas of teaching are in operations management and information systems at both the undergraduate and graduate levels.