McKinsey research shows how to leverage the public cloud, securely

An interview with McKinsey's James Kaplan on the path to a secure public cloud.

In understanding trade-offs and benefits of any business opportunity, McKinsey frameworks are often considered the gold standard. The Firm’s “C level” global reach, their insightful questions, analysis and development of objective frameworks is unparalleled.  

Recently, McKinsey released a 70 page report on “Making a secure transition to the public cloud” – where the authors conducted multiple interviews with ~100 organizations, 56 of which have revenues ranging from $4bn to upwards of $70bn. The study can help a CISO understand where they stand. And more importantly how they can plan the transition to public cloud.

James Kaplan, a partner at McKinsey co-leads the firm’s global practices in IT infrastructure and cybersecurity. In over 15 years at McKinsey, James has assisted clients set technology strategies, prioritize risks and manage multi-year cybersecurity programs. He also assists private equity firms in making investments in the enterprise technology and cybersecurity markets.

James is co-author of the book, Beyond Cybersecurity: Protecting Your Digital Business, in which the McKinsey team interviewed over 200 executives, regulators, and security experts to share insights and observations on creating a secure digital enterprise. James has published on enterprise infrastructure and cybersecurity issues in the McKinsey Quarterly, the Financial Times, the Wall Street Journal, the HBR blog network and other periodicals. He holds an MBA from the Wharton School of the University of Pennsylvania and a BA from Brown University.

James and I traded emails on a late Saturday night to discuss his team’s insights on the path to a secure public cloud.

Your report shows 61% of respondents have less than 10% workloads in the cloud.  What are the ongoing sources of friction in transition to the public cloud? Is it security, budget, recovery of legacy costs, or cloud cost runoffs?

James: A number of barriers exist to cloud adoption. Historically, large companies had been skeptical about how serious the cloud service providers (CSPs) were in terms of meeting enterprise requirements for security, resilience and compliance. That has changed dramatically over the past couple of years, as CSPs have gotten much more serious about the enterprise. However, there are still what I would call demand side barriers in place.

The biggest barrier is application architecture – most current applications are not designed to run efficiently or securely on public cloud infrastructure. Outdated application architectures complicate the business case for cloud adoption. Not being able to take advantage of auto-scaling, for example, means that some applications may be more expensive to run off-prem than on-prem.

Finally, security continues to be a major consideration – most companies have not figured out how to protect applications running on cloud infrastructure in a scalable and efficient way.

Can you share more about the three security architecture models discussed in your report.

James: Our teams studied various attempts to secure cloud architecture and distilled it down to three options as follows:

  • Back hauling: All public cloud access is through private infrastructure with external gateway. This is best suited for enterprises that lack cloud expertise nor have a multi-vendor strategy. We saw 20% to 30% higher OpEx, poor user experience and higher latency in such models.
  • CSP default controls: As the name suggests, some companies rely on CSP controls for public cloud while maintaining separate private security controls. Enterprises with workloads in multiple CSPs find this option suitable. However, CSP controls and risks thereof need to be fully understood. For example, risk of misconfiguration can be a challenge.
  • Clean sheeting: This is a combination of 3rd party security controls for public and private cloud, which is ideal for cloud-first companies. A variety of 3rd party tools can be integrated, and this requires deep in-house expertise, often calling for MSSP support.

Over time, we believe that backhauling will become less and less of a relevant strategy, except for companies with very small cloud environments. Backhauling implies additional bandwidth costs, additional latency and probably is not as effective from a protection standpoint.

What creates a sense of urgency to facilitate a transition to public cloud?

James: More than anything else, developer insistence on the ability to leverage the cloud service providers speed, scalability and investments in innovations seems to be driving cloud adoption.

Your study shows that as much as $5 million / year can be saved by organizations if they rely on CSP security controls. What more, a CISO need not worry about tech stack, management and refresh. But how best do organizations evaluate a CSP's security offerings?

James: CSP security controls and tools may be less expensive, but that does not necessarily mean they are right for large enterprises. Many CISOs we spoke to (especially from larger companies) told us they didn’t believe CSP security tools matched the functionality of third party offerings and that that using third party security tools made it easier to run a multi-cloud environment.

For established organizations, defaulting to CSP controls is a temporary measure will drop form 36% today to 27% in 3 years. Can you share some insights as to why trend is occurring? 

James: We think using CSP controls will be most relevant for a specific part of the marketplace. Smaller companies who are most cost conscious, have fewer resources to integrate third party controls and who may have perceived themselves as least at risk, will be the core users of CSP securities controls. We expect fraction of the market to be relatively stable over the next few years.
78% of the enterprises migrate applications without re-architecting them for public cloud. Should we be worried? 

James: Yes, 78% of enterprises migrate applications without re-architecting them. This is an issue along multiple-dimensions – cost, resilience and security. However, this may be a point in time. The more a company plans to migrate to the cloud aggressively, the more likely it is to change development practices and application architectures.

In redesigning controls, is there a role for startups? Or will AWS do it all?

James: I think all of the CSPs want a security ecosystem built up around them. In addition, the shift from on-prem security tools to cloud-based security tools is a tremendous disruption, which will create real opportunities for startups and new entrants.

This article is published as part of the IDG Contributor Network. Want to Join?

SUBSCRIBE! Get the best of CSO delivered to your email inbox.