There's no easy path to the cloud for large companies with decades of legacy IT investments.
Roughly 20 percent of Progressive Insurance's business applications run in a SaaS model, while 80 percent run on the company's own hardware. On the infrastructure side, Progressive uses IaaS, but mainly for experimentation.
It would be "a whole new ballgame" if Progressive were some medium-sized business that didn't have an extensive data center footprint, says CIO Ray Voelker, but "we already have assets we own that we can leverage."
Chris Drumgoole, chief operating officer for cloud at General Electric, says legacy is "where it's more interesting for us; we need to be more thoughtful there." Most new apps -- over 90 percent of those deployed so far this year -- have been in the cloud. "That's the de facto place to deploy apps for us," he says.
[Related: How to Explain the Cloud to End Users ]
But for a substantial number of the 9,000 apps GE has in its infrastructure, a decision will need to be made about whether to move the app, kill it, consolidate multiple apps or allow the software to stay on some sort of legacy system. "We're hoping by 2016 to have made all those decisions and started action" on whatever the decisions are, Drumgoole says.
The burden of legacy systems is just one challenge that adds to the complexity of cloud computing for large enterprises. CIOs and cloud leaders wrestle with many other common challenges, including security, vendor lock-in, and shadow IT.
Dow Chemical knows firsthand that it can be difficult to change cloud providers. The company is in the process of moving to a new human capital management provider, says David Day, director of WorkPlace Services at Dow.
But switching clouds isn't as easy as vendors lead people to believe. "Providers don't talk to each other. It's complicated," Day says. The market needs better "orchestration tools," as well as standards, to allow companies to move more easily from one supplier to another, he says.
That said, it is generally less expensive to switch providers in the cloud than it is to change on-premises vendors, Land O'Lakes has found. "There is a cost," says Mike Macrie, CIO. "But where it can cost $10 million to change on-premises ERP, it costs $2 million in the cloud. The barrier has come down."
Lock-in is always an issue, says GE's Drumgoole. "We're cognizant of the potential for lock-in" and are trying to mitigate that. For one thing, there are multiple cloud providers in each category of service GE deploys.
[Related: The Truth About Enterprises and the Public Cloud ]
The company has also developed a service rail, which provides a raft of services needed by just about every application -- from identity management to Domain Name Services and time and date. "You can use that GE service the same way whether you're on an Amazon, Azure on VMware cloud," Drumgoole says.
Security remains a universal concern -- though some CIOs are more bullish about cloud providers' handling of it.
"Security is one of the more complex problems to solve. To really put together an effective solution, you need to cobble together 5-6 solutions," says Randy Spratt, CIO and CTO at McKesson.
McKesson relies on a suite of tools, from antivirus and malware to secure web gateways. One of its more unique features is for data loss prevention: McKesson inspects data in motion, looking for transactions or records that contain protected health information, such as procedure codes and social security numbers. It halts any transaction that triggers a red flag, Spratt says.
Likewise, Humana relies on multiple tools and tactics to protect individuals' information. Before engaging with a cloud-services vendor, Humana assesses the provider's security framework -- what tools they use, the general approach to security, how encryption is handled, the ability to ensure information never leaves the continental U.S., and a whole host of other things, says Brian LeClaire, CIO at the health insurance provider.
On the positive side, cloud providers understand that legal and security issues are some of their biggest obstacles, so they've really concentrated on addressing those issues over the last several years, says Wayne Shurts, CTO at food distributor Sysco. "They have pretty good answers."
[Related: Is It Time to Move Your Databases to the Cloud? ]
Although some skeptics worry about security and risk in the cloud, Whirlpool CIO Michael Heim says those issues are improved by cloud computing because the vendors stay up to date on the latest technology. He points out that the infamous breach at retailer Target was a problem of internal systems, on premise. Security problems arise from "how you're managing, not where it is," Heim says.
Whirlpool today is much less conservative about using the cloud that it used to be. Amazon and Google have come a long way toward being enterprise-friendly, and corporate legal teams have come a long way in their understanding of cloud, Heim says. IT's role is to communicate and demonstrate how the cloud meets business requirements. "People worry about risk and security -- [but] you improve security and de-risk your environment with cloud. I also believe you improve your ability to compete," Heim says.
"The big challenge is that it's just different. You have people thinking in old models, not new ones."
Another challenge that IT teams seem to be getting a handle on is end users purchasing unauthorized cloud services.
Shadow IT is less challenging than it was a few years ago, when cloud vendors would pitch that customers could be up and running without involving IT, says Steve Phillips, CIO at Avnet. Today Avent's IT group is more in step with the business. When business units want new tech, they will talk to IT first, Phillips says. "We rely on quality of relationships as governance."
Avent has found ways to relinquish some control without sacrificing security. If a cloud solution is easy to use and configure, Avent will turn that over to a business group. Workday, for instance, is a clearly controlled environment, but HR primarily manages it, Phillips says. "We don't need to be in the middle of that, if the tool is intuitive enough and secure enough."
Still, rogue cloud purchases remain a concern. "Shadow IT these days is only a credit card swipe away," Phillips says.
One way Progressive Insurance has helped manage the issue of shadow IT and give its employees access to public cloud resources is through a program called BIG, which stands for the "Business Innovation Garage." It's a software application that acts as a portal for members of the Progressive team to request services.
If the request involves using sensitive customer or mission critical data, then usually those resources will be provided from the company's own data center. If it is a non-sensitive issue, then the software can help users provision resources in a public cloud setting. There are a couple of "mechanics" who help users navigate and provision resources in the Garage, says Progressive Insurance CIO Ray Voelker.
Voelker raises another concern: the "transfer of brand risk." If Progressive were to suffer an outage because of a service provider, then Progressive would bear the brunt of the blame for the outage, even if it were the service provider's fault. Voelker cites the example of a Netflix outage on Christmas Eve in 2012. It was an Amazon Cloud outage, but disgruntled viewers blamed Netflix. "In that scenario, I'm Netflix," Voelker says.
Similarly, SAIC raises the issues of cloud providers' lack of shared liability. "If there's a $4 billion bid, and it's not available at the one moment I need to bid, that's a problem," says Charles Onstott, CTO at the systems integrator and technology services provider. A vendor's $3 credit for downtime won't make up for the loss, Onstott says.
For Campbell Soup, one of the biggest challenges of cloud is limited choice. Customization can detract from the appeal of cloud, since it necessitates developing and maintaining custom code. If you want choice, you're creating complexity that doesn't add value, warns Joe Spagnoletti, CIO at Campbell's.
Related to that issue, some CIOs question the enterprise-readiness of certain cloud offerings.
[Related: Cloud Wars Heating Up in 2014 ]
Nationwide CIO Greg Moran is surprised how immature some first-generation cloud solutions are when they're launched into major enterprises. "We're finding solutions aren't as mature as we're used to," Moran says.
"I'm surprised at how flat-footed traditional large scale IT vendors have been on the topic," Moran adds. Oracle, HP, IBM, Microsoft, "pick your company," he says. There are a lot of solutions from small, innovative companies, but Nationwide isn't keen on working with dozens of smaller players. "It's just not really practical for us to have 50 relationships; we need deep partnerships with quality partners."
SAIC, too, is aware of the shortcomings of some cloud services, but it's not stopping the services company from diving into the cloud.
"None of the apps are all the way there, certainly not for a $4 billion company," says Bob Fecteau, CIO at SAIC. For example, he knows ServiceNow, a cloud-based IT service management platform, may be taxed as SAIC puts it in more employers' hands (via its commercial cloud line of business). But for SAIC, working with the vendor is an opportunity to guide that investment into a better future, Fecteau says. "Cloud still needs to evolve."
In the mean time, enterprises can wait and, ideally, remain in a position to influence the cloud providers' R&D lifecycles, Fecteau says.