Session at the European Identity & Cloud Conference 2013
May 16, 2013 17:00
We heard some very interesting presentations earlier on about the role of the EU and the development of the law in the EU, and about initiatives in Germany to do with ensuring compliance in hybrid clouds. Then we got two very interesting case studies, which showed how real businesses are actually using the cloud. What I'm hoping to do in this presentation is simply to go through some of the key points.
It was interesting to see what the gentleman from Mars, Nikita Reva, had to say, because he represented the process that a large organization has had to go through in order to exploit the cloud. So what I'm going to do is go through our top 10 tips. The first tip is that you have to remember that the cloud is just another way of getting an IT service, and that it's really important that, however you do it, you have a consistent way of governing it. What's important about this is what makes the cloud different from internal IT.
Internal IT is under your direct control, but the cloud is something that you have to manage remotely, indirectly. That indirect management process is really called governance. Here's an example of one of the kinds of things that can actually happen to you.
I'm not sure how many people here are from England, but there was in England a hosting provider called 2e2. They had quite a large number of important public service and other profit-making organizations using their services, and they went bankrupt. The first that these organizations knew of it was when they got an email from the administrators saying: unless you agree to pay, it was four or five thousand pounds plus VAT, by 5:00 PM this evening,
and actually pay the money by 5:00 PM on Friday, your service is going to cease, gone completely. So although it is tempting to consider that the only issues around the cloud are technical ones,
in fact, if your cloud service provider went bust, you could be in that same kind of situation. So the issue you need to concern yourself with is to look at all of the different aspects of the governance of the service, to make sure that you've thought about these kinds of things and that you have some kind of plan to deal with them. If you want to look at all of the areas that need attention, there are three different kinds of area.
There are policy and organizational areas; there are technical areas, which perhaps we as technical people are most happy with; and there are legal areas. In a way, the example I just gave you fits somewhere between policy and organization and legal.
Now, Mr. Reva from Mars talked about many of these issues. He talked about the issues of lock-in and of data protection and so forth, but there are more issues that you can look at. Indeed, the source of the majority of what I've put in that slide is a very interesting and useful document from ENISA, and it's free to download.
As part of its activities, ENISA did a proper risk assessment of the cloud and came out with somewhere in the order of 49 or 50 risks associated with the cloud, which they categorized in terms of their probability and their impact. I've picked out some of the ones that are specifically to do with the cloud and which are the highest impact. So then: what can you do about all of this? There is no shortage of advice.
In fact, there are several frameworks that you could be using yourself. There are a lot of standards, there are advisory sources, and there's independent assessment. Now, the major frameworks really apply to your organization, and they apply to the cloud just as much as they apply to you. We'll look at that again in a minute. As regards standards,
it's very interesting, because there are a large number of what are called standards-defining organizations in the world, SDOs as they are known, and they all seem to get the idea: goodness me, the cloud is a hot topic, so we should be doing something about it. So at last count I could see 35 standards initiatives around the cloud, which is interesting because the cloud does depend upon standards to some extent.
I mean, if you didn't have HTTP and TCP/IP you wouldn't really be able to do it so easily, but what are the standards to watch, and which ones are really going to be useful to you? Well, I wrote an executive note on that, and you can download it from the KuppingerCole website, where I pick out some of the standards that are most likely to be of interest to you.
In addition to that, you have standards that may be specific to your particular industry, like PCI DSS and so forth, but I'm not going to concentrate on those because they aren't specifically to do with the cloud. Nevertheless, they are things that you can concern yourself with if you need to. There are a lot of documents and groups that have grown up that are giving you advice. For example, there is the Cloud Security Alliance, which has been talked about, and ENISA. In Germany,
there is the German information security office, the BSI, and they have some very specific sets of advice around that. In the US, you have NIST and standards to do with this. There are many of these, and more of them growing, so you have to decide which of those matter to you. And then we have the question of independent assessment and understanding what those mean.
I'm going to talk a little bit about some of those later on. Now, it's important that you should adopt best practice, and these best practices represent the combined knowledge and best information of all the industry experts. It's a good idea to use them.
Again, there was a study by ENISA of local government in Europe, and they asked local governments a number of questions. The first question was: for your internal IT, which governance frameworks and security standards are you using? They got this answer: actually quite a lot of them, nearly 70%, were using, if not certified to, ISO 27001, for example, and ITIL was considered to be important; not so good for ISACA, because COBIT was down there, but there were other ones. So that was pretty convincing
that standards were something that local government concerned themselves with. Then they asked the question: if or when you outsource, which standards do you expect your provider to conform to? Did you expect them to conform to the same standards? Only 22% said that they expected that, which is an interesting observation. I've not yet come to a complete and full understanding of why it is like that, but it doesn't seem right to me that you should be more concerned about the standards that your internal IT processing conforms to
than you are about that which you are going to outsource. In fact, I would have thought the reverse should be true: I would be much more concerned, if I was buying something externally, that it complied with some standard that I could understand. So if you want to use the cloud, it's really important to understand the business need.
I think that's actually an important issue. If you listened to the two best practice presentations, both of those talked about what it was that was driving them, the business need that drove them towards it. I think it's interesting that there is this feeling of resistance and reluctance to go to the cloud, but there are actually a lot of organizations that are using the cloud and getting benefit from it. The key thing is that they understood what they wanted. There is a large oil company that uses the cloud for agility.
They figured out that the issue they wanted to address was to reduce the time it took them to set up the development of new pieces of software, of business-led software initiatives, from what had become a three to six month procurement cycle before they could do anything, if they did it in-house with in-house hardware, down to less than 24 hours, by setting up a proper internal process for people to be able to get hold of a web service. There was another organization that had just built a data center, a brand new shiny data center, and this was really good.
Then the auditors rocked up and said, that's a really nice data center; what's your disaster recovery plan? They couldn't afford another data center. So what did they do? They thought about this, and they went to the cloud. They actually have an agreement with a cloud service provider to give them a backup capability. That was an understanding of what the need was, and they went through a very coherent process of getting approval from the legal people, the auditors and various other people to make sure that that was in fact correct.
A third organization is a news and media organization that had previously been running websites that were effectively disseminating the material they produce. They found that by going to the cloud they could get a more reliable, more glitch-free service from a cloud provider than they could provide internally. And then we had the two examples earlier on.
So understanding what the benefits are is a really key thing, because understanding the need is what leads to what you need for compliance. But whatever it is, the most important issue is to do with the applications and data that you are moving to the cloud. To go back to the stories I told you, the organizations that did that went through a process of understanding what the sensitivity of the data was.
So, for example, in the case of the oil company, the global risk and compliance council set down some very simple rules: there had to be no business-critical data put in the cloud, and there had to be no breach of compliance rules through using the cloud. Very simple, very understandable rules. And that actually depends upon you being able to identify which applications and which data are business critical.
And so, although there is a lot of soul-searching and hand-wringing over personally identifiable information, there is a great deal of information held inside organizations that is very sensitive but which isn't in fact necessarily regulated, and understanding what the risks are of moving it to the cloud is important. Now, it's very easy to get a cloud service.
In fact, the cloud service providers want to make it as frictionless as possible for you to click through and buy a cloud service. But what they don't do is highlight in great detail the risks you are taking. So we have had, in the earlier examples, discussion about getting your data back. It's very interesting, when you read some of the actual contracts, what it is that they mean. There is a real organization in the UK that was using a cloud service for what is called marketing lead generation.
If you're not familiar with it, I'll give a simple explanation. You have almost certainly been the target of marketing lead generation, because you receive these unsolicited emails saying, would you be interested in a report on this, or are you interested in information on a particular car or a particular mobile phone or something like that? This is an automated computer system which sends out teaser leads. If you click on the link, then your identity is moved up a notch in the probability that you might actually buy something.
You'll probably get another email similarly, and if you click enough times, then your identity might get raised high enough for them to say, actually, there's a pretty good chance that Mike Small is going to buy this new Porsche; send someone round to see him and try and sell it. Now, this organization that was using that service changed their mind about which provider was going to provide it. So they said, we want to move to another provider; can we have our data back? To which the CSP, the cloud service provider, said, you didn't read the contract.
It's not your data. Whereupon the lawyers made a lot of money, and the customer had to pay an excess sum to get their data back, and it may not have been in the form that they wanted in the first place. So knowing that you can get your data back is an example of the things you can let yourself in for if you just click the end user license without reading it.
Again, there was an interesting paper published in the Stanford Technology Law Review. You can download it; it's about 70-odd pages long, but it's definitely worth reading. This is a set of lawyers at Queen Mary College, which is part of the University of London, who did a detailed study of a number of cloud contracts, and they came out with a set of what were the most negotiated terms and the most common unfair terms.
It's interesting, if you look at the unfair terms, what is the almost complete lack of liability in the standard contract. In general terms, cloud service providers say: we have a standard service; we give it at a very good price because it is a standard service; we cannot afford to negotiate individual terms of contract with you; therefore you take our standard contract or nothing. And the standard contract usually says that if the worst happens and we lose all your data, or the service becomes unavailable,
then we'll give you back a month's worth of rental, or they will limit the liability to no more than the total amount that you have paid to them. Now, you could find yourself in a situation where you are fined a large amount of money by a regulator because of a breach that the cloud service provider committed, or you could find yourself having consequential damages. So that's an example. We don't have the time to go through all of the common things, but that's one of the examples of the common unfair terms and conditions.
I'm now looking at organizational contracts. This is not the same as the individual problems that you find yourself with when you use LinkedIn or Facebook or Dropbox or whatever. Those are all separate, and you need to look at those as an individual thing. One of the key things is you really have to understand how responsibility is divided, because often the cloud service provider sells the cloud service to the line of business on the basis of: well, just give us your money and we'll take care of it.
Here is an example in the UK of a hospital. This hospital received what was the largest single monetary penalty from the Information Commissioner's Office. What actually happened was this: the hospital was very responsible. They had computer disks which contained patient information, and they were now obsolete because they didn't need them anymore; they were at the end of their life. So they knew that they had to destroy that information completely.
So they gave those computer disks to a third-party contractor with an instruction to physically destroy them. Now, the contractor employed a subcontractor who looked at this and thought, goodness me, this is a little money-making mine; I could sell these on the internet and nobody would know any better. So that's what he did. He sold them on an internet auction site.
Well, what kind of organization buys disks on an internet auction site? It turned out it was a data recovery company, one of these organizations that specializes in being able to find and recover your data when you've dropped your phone down the toilet or whatever. Of course, the first thing they did was to look at what was on them. They found patient records with records of people's diseases and all this kind of stuff. Now, who got fined?
Well, it wasn't the contractor, and it wasn't the subcontractor, because they were data processors. In EU law, it is the data controller who is liable. So the hospital was fined 325,000 pounds for what was clearly a breach by the subcontractor of the contractor who was doing this. Whether they were able to recover any of that money comes from the contract that they had signed with the subcontractor.
So there's a legal implication as well, but the general understanding that you need to take from this is that for everything that matters to you, you have to be sure that you understand what the cloud service provider is responsible for and what you remain responsible for. Because, like I said, you can outsource the processing, but you can't outsource the responsibility. So here's an example of a division of responsibility, where we've actually looked at the area of privacy.
If you want to make sure that you are in a good state with the EU privacy rules, you need to have classified the data, you need to have actually taken reasonable steps to assure yourself that the provider is going to do the job properly, and you need to have given them a proper contract. What you can expect of the provider is that they actually do implement the rules that you require. There are a whole number of areas which are to do with that. Then we come to the question of certification and auditing.
Again, this has been talked about in the previous sessions, but not everybody understands what these different things mean. So I'm just going to have a quick run through some of the examples. The Cloud Security Alliance CSA Cloud Controls Matrix is a spreadsheet which is free to download. It actually contains 98 controls, which are associated with something like 198 questions. Those controls are mapped onto all of the imaginable different standards, like ISO 27000, FIPS and HIPAA and all kinds of things like that.
They are also mapped according to whether they apply to the different delivery models that we've talked about, like public, private and hybrid, and whether or not they apply to the different service models of infrastructure, platform and software. That's a pretty good start. What the Cloud Security Alliance is doing is they published, about a year ago, a thing which they called the CSA Open Certification Framework, of which this STAR registry is the beginning.
So the STAR registry contains a questionnaire which vendors, cloud service providers, can fill in themselves and lodge their answers in this registry, which is publicly open. They can say, we comply with the CCM, and here are our responses to the questions posed by the CCM. You can go onto that STAR registry and actually see what they said.
Now, that is a reality today. The vision they have going forward is that they are going to have an independent certification scheme, and they are talking with the people that certify ISO 27001 auditors to allow them to use this process to provide an independent certification of cloud service providers. So that's the CSA STAR registry. Then we have Service Organization Control reports, and there's been a great deal of confusion over Service Organization Control reports.
When I first started doing this, people used to stick it in my face, saying, we've got a SAS 70 report. So I'm going to just step back a step and talk about what this was all about, in 1992.
You can imagine that back in the 1990s, organizations were beginning to decide that IT was not their core business. So they thought, ah, it'd be a really good idea if we just hived off the IT into an independent company, and then they run it, and maybe one day we might be able to buy it cheaper from someone else. So that worked. Then the financial auditors rocked up at the end of the year and said, can we audit your reports, your finances? So they said, here are all our financial figures. And the auditor said, yes, but where are those processed?
They said, well, by this other company. Oh, can you prove to us that that other company is doing a good job? That's where SAS 70 came from. SAS 70, Statement on Auditing Standards Number 70, was to allow the auditor of the company that ran the computers that processed people's financial reports to produce a report which could be used by the auditors of the company whose financial information was being processed. So there was no standard for its format; it was auditor to auditor; it was company confidential, and all this kind of thing. Then you move forward to 2010, 2011,
when cloud service providers are trying to say, well, we are doing a good job, and we've got an independent assessment of that. That's what led to this thing called Service Organization Control reports, which come under a standard, SSAE 16, Statement on Standards for Attestation Engagements (sorry, I can't say it) Number 16, because in America you can only do an audit of figures; you can make an attestation about the service. Or there is ISAE 3402, which is the European equivalent. But basically there are three types of report.
There's a SOC 1 report, which is intended to be the equivalent of SAS 70: is this company processing people's financial data appropriately? SOC 2 and 3 are about compliance with standards. SOC 2 is a detailed report; SOC 3 is something which you can put on your website, which basically says, we've got it. These second two are against the Trust Services Principles and Criteria, again defined by the American Institute of CPAs, of public auditors. There are five areas that they cover with this.
These are security, availability, confidentiality, privacy and integrity. Each one of those areas can have a tick or just be omitted. For each of those areas, the auditor will look at different things: is there a policy? If so, is that policy communicated? Are there procedures and processes that I can see that actually implement that? If there are procedures and processes, then is there monitoring of those processes occurring? And if there is monitoring, then when things are detected, is action taken to correct it?
The more detailed reports that you can get will actually contain a list of the controls that were observed and the results that they got from those observations. Now, it's important, because if you look at what is published, many of the cloud service providers put statements on their websites that they have one of these reports; you have to look at which areas are covered, because it might just be security. I've not yet seen one that said they covered privacy.
And then of course there's ISO 27001, which is really the gold standard to do with information security. I'm sure everyone knows about that, so I'm not going to dwell upon it, but I am going to say that you need to understand, first of all, that ISO 27002 is under revision and is scheduled to have a new version put out later this year, and that there is a new standard coming, which will be based on the new 27002 and which is going to specifically focus on hosted and cloud services. That will come out somewhat later. So that's a kind of watch-this-space.
So if we look here, what I'm basically saying is that if you are using a cloud service, then there is an inherent element of trust between you and the cloud service provider, and that's something you're never going to get away from. But the issue is, like President Reagan said, if you're going to trust someone, you need to verify that trust. So that really means what I've said.
You understand the business need. You have to have, ideally, a standard process for selecting a cloud service provider, a matrix, something that's quick, fast enough and reliable enough that you can persuade the lines of business to follow it rather than bypass it. You have to do that based on an understanding of the value, the sensitivity and the business impact of the data and applications you have. From that, you can understand the business and compliance needs, and that leads you to what you need in terms of the key service parameters.
You may or may not be able to negotiate those with the cloud service provider, but whatever the case is, you're then going to have to assess the risk of adopting them. Whatever you do, make sure that you understand the service that you are buying.
Don't just do the click-through, and you must involve your legal people, if only to make sure that you understand the risks that you are taking, and be absolutely clear about who is responsible for what. One of the best ways of making sure that the service you get is a good one is to look for some kind of independent certification. That is trust, verify. So that, in essence, is my presentation. This is a very small audience, so we've got some time for questions. And indeed Nikita is here again.
So if we've got any questions from the first session that you didn't have time for, then I'm sure we can give you a microphone and you can answer them. So let's open the thing up to any questions. Yes. You've got a microphone. Let's find you a microphone. Do you want to come up to the front, Nikita? Yes.
This one's working. So perhaps you can join me on the stage with that mic. Thank you.
Okay, great. So as Michael was mentioning there, the service organization reports are still being misused. From what I've gathered from the 45 or so assessments that I've directly managed and the 90 or so that I've seen as part of my work with Mars, folks are still generally delivering SOC 1 reports as something that will attest to security controls, privacy controls, confidentiality controls.
And yet, again, these reports were not designed to do that. So SAS 70 was something we had in the past. It somehow became a data center auditing standard, for whatever reason. SOC 1 was supposed to potentially distinguish the difference between what a financially significant system review report should be, which is a SOC 1, and what a SOC 2 should be, which has a different scope, the trust principles that we talked about. But from what I've seen in the industry, almost nobody's doing SOC 2; I've only seen two, perhaps three SOC 2s from the 45 vendors that we've reviewed.
Most of them do have a SOC 1. I think this is a problem. I think there's still confusion in the industry. I'm not sure how to solve it, but that's currently the dynamic that we're living with. So the attestations are being misused, and there's not a clear focus on what they should be using, unfortunately.
Yes, yes. Hold on to that. Yes.
That's an important point. The auditors have made a good step forward by trying to clearly define what it is that they are reporting on when they make these independent reports. Some of the CSPs, dare I say, bless their cotton socks, are in fact, shall we say, relying on your misunderstanding to give you a false sense of security by saying, hey, we've got a report; there's an independent auditor that says it's great. And I've seen ones that have said, we've got PCI DSS compliance.
Then when you say to them, well, what does that mean? What it actually means is that if you give them your credit card on the web, your credit card data is processed according to PCI DSS. Absolutely nothing to do with the scope of the service that they provide. It simply says that they will treat the credit card data that you are using to pay for the service in a correct way.
So that can give you a misleading sense of security. But I'd actually like to ask you some questions, because there were questions that sort of carried over from the last time. You've obviously done a lot of work. So what proportion, can you give us an idea of the scale of the use of cloud inside Mars?
Sure, sure. Sure. So approximately three years ago, as I discussed in my presentation, Mars decided that for anything new, we are going to look at cloud as a first option, not for anything existing, but for anything new or things that we're replacing. So right now, from our application suite, we have maybe 400 applications overall, I would say maybe 20, 30% are, are SaaS right now. So that I think that that's a good percentage. So any of the common use cases that we've seen on the slides, we're pretty much doing.
So survey management, training, web services, email hosting, some financial type software, smaller business units are using SAP hosted in the cloud, very, very small business units, which is a high risk profile, but for a small business unit, it's it's, we felt it was acceptable. We, it all started with really office 365, B O S four years ago. We did this four years ago. I think we were one of the first large organizations to take on that type of a service back in 2009. And it really started from there, you know, further, further, further, further into it. So I think it's gonna continue.
I think we're gonna do more SaaS, and our strategy is now evolving more towards infrastructure as a service on a bigger scale. So we've really stopped provisioning servers internally for any tactical type things. We're using Amazon Web Services for that. Anything strategic in nature, we're still using our own data centers, but I think that's gonna change over time. And I think there will be more of a hybrid model going forward.
Yes, that's very interesting. And I was fascinated by your statement that you started off with SaaS, because that was exactly the opposite of what another organization had told me. They'd told me that they thought that it was relatively easy to understand the risk around IaaS, because they felt that it was kind of under their control. They were running the things and they could evaluate one kind of notion of IaaS and cover a whole series of different use cases.
But SaaS, software as a service, was a lot of individual use cases and each one needed to be evaluated individually. Did you find that, or do you have to look at them individually, or do you have a standard route?
Well, in our organization it was driven by the business need, which again goes back to what we talked about. So the business need was we wanted to evolve our technology platform to be more agile and be more modern and get with the times. So Mars is a larger organization. We didn't have the most modern technology before we started looking at cloud. We had Lotus Notes 6.0.3, which is from 2005. We were using this up to 2010 and this is very, very archaic. And it was difficult to manage. And there was also an acquisition that helped spur this.
So the acquisition, Wrigley, at the time that Mars acquired it was already using BPOS, and there were proven success factors with using that. And so I think organizationally there was a level of confidence and trust that this publicly held organization that Mars acquired, Wrigley, which was publicly held, had a good level of confidence in using BPOS, Office 365.
So Mars felt, well, let's do the due diligence, but if Wrigley is doing it and they're public and they've attested to the controls, or rather reviewed the controls that BPOS has in place, we can probably do it ourselves for Mars, a larger organization. So Wrigley was about 18,000 people; Mars is about 50,000 individual users, and that's kind of how it started. So I think it was the confidence-building aspects of somebody else doing it, especially an acquisition that they had just recently made. Thank you. Thank you.
So the other question which comes with this is to understand the rewards. Did you, or have you been able to, get any quantifiable view of the benefits against what you wanted, like financial or agility or whatever?

Sure. So Mars has a strong focus on user satisfaction.
We spend a lot of time looking at how individuals think about the IT organization. Are we developing a quality service? This all stems back to the way IT is delivered in Mars. It's really a service business. So we're called Mars Information Services because we are actually a service; we're like internal consultants, if you will. And because of that, there's a large focus on constantly assessing: is the business satisfied with IT? And prior to cloud, the business was not satisfied with some of the large commodity type plays like email and sales platforms.
There was a large level of dissatisfaction, and the business actually started looking at cloud independent of IT because they were so dissatisfied with IT. So we realized this, and then we felt that, well, we have to do something about it. So what have we got from it? Our user satisfaction has gone up about 20% in some of the areas since we've started using some of these new platforms, which I think is substantial in about four years. Our level of effort put forth in supporting it has certainly gone down.
Our operating expenses have gone up because cloud is certainly more OPEX heavy than CapEx heavy, but now we're seeing a lot of transparency with how people are using the service. So I'll give you an example. We actually look and monitor to see how many people are actively using BPOS or Office 365 each month.
And we constantly try to determine, is it necessary for us to have a full user license where they have the full thick client access, or is it more appropriate to give them just web browser based access, for, like, a factory worker who may be standing on the line making M&Ms. They don't really need a full thick client to access email. They can do it through a browser.
And through that, we've been able to get some substantial cost savings and kind of renegotiate our seat count as we continue our relationship with Microsoft. I don't have the exact figures, but I know it's in the six figure range.

That's very interesting, because again, I've seen some other perspectives on this, and it is a difficult balance. When you adopt the cloud, you change the way you pay for it, as you said, from CapEx to OPEX. And some people will say, well, yes, but in the end you'll pay more, and so forth.
And there are also problems with licensing where you have kind of ratchet licenses: if you've ever used over a certain amount, it's very hard to get back down. Did you find any of those things, or were you able to negotiate your way around that?

Sure. Sure.
In some cases we have been, with some of the larger providers. We constantly look at the license usage and we try to adapt to what our internal usage actually looks like to optimize those operating expenses, because the operating expenses for cloud are high. When we went from, let's say, Lotus Notes to using Office 365, in the process we re-provisioned some individuals who were looking after that infrastructure; maybe six FTEs were put in different groups or some of them left the organization.
But now that cost that we spent on salary is spent on operating expenses in the form of large checks to Microsoft each month. So it was really a readjustment, but we think it's well worth it because we were able to move at a much faster pace and improve user satisfaction. And ultimately our organization is not in the business of IT. We make candy and pet food and pasta sauce. We don't make IT. We have to deliver IT to enable our business to be agile, to win in the markets. That's a term that we commonly use, and it definitely enables that.
So we feel even spending maybe a little bit more for IT in a cloud model versus a traditional model is worth it. But in our experience, the cost end to end has actually been less, because we have much more transparency to what we are actually doing. The tools that some of these cloud providers offer us are a lot better than our own tools. It would have to take a huge initiative to maybe audit seat counts for some of these things, whereas the cloud providers do this at scale for thousands of customers.
In some cases, they already have these tools and it's not a big deal to run a report to see how many concurrent Salesforce users you have at a given time. Then you can adjust your license count accordingly. If we were using maybe an in-house system, that would be more of an initiative for us, because we just don't have those tools already and we would have to develop them. And there is a lot of cost in that. So I think the transparency that cloud gives you, if you manage it well, you can really save on your operating expenses.
Yeah, that's an interesting point. And I think this business about transparency of costs is really quite important. And other users of the cloud have said the same thing to me. And it's been put in this kind of way: when we used the cloud, what we found we could do is we could show individual lines of business what their costs were and what they were using of this. And this was kind of revolutionary, because previously it had not been possible to do that. And so in a way you then found yourself in a position of saying, well, we are the IT department.
We're kind of enabling you, but this is what you are using. If that cost is not of that value to your business, then it's your problem effectively to manage it down and to understand why it's going above. It's not just that we are charging you for nothing. That's what you are actually using.
However, the other side of that is that another organization did a spot check over the Christmas, New Year period and discovered that this was the equivalent of you never put the lights out when you leave a room: they had something like 10% of the VMs that they were using on one of these IaaS services had no detectable owner and had not been used. So there was a feeling that removing service is something that you have to work hard at.
Is that your...

Absolutely, Mike, you're absolutely right. So we've seen different extremes. One extreme is we have a lot of transparency and we can manage it well because, again, the vendors have the tools for us to do so.
In fact, I was just thinking through some of the numbers as you were talking, and our IT spend has gone from about 1.9 of net sales value, that's how we assess our IT spend, to about 1.7. So, you know, point 0.02 percentage points decrease in four years. And we think part of that is accredited to cloud. I don't have all the numbers right now, but if my CIO was here, I'm sure he would. Going back to your initial question though, with AWS as an example, we saw this, what we're calling cloud creep. We saw AMIs get provisioned and it was out of control in the beginning.
So we decided we need a solution to better manage this, even though it's quite easy and quite transparent. The tools that Amazon gives you at face value are maybe not as good as what we were hoping to leverage.
So we went and used a company called RightScale, which allows us to have more of a focus and a better control on how we provision those resources in AWS. Of course, there's a cost associated with RightScale, but we felt there were savings because we would have better transparency to how our different teams were provisioning AWS services, rather than just relying on the built-in reporting that AWS provides you. So sometimes the tools are not enough. And sometimes you need another bolt-on tool, like RightScale, to manage your consumption of cloud.

Yeah. Yeah.
So AWS and sizing of VMs, because the bigger the VM, the more expensive. And it's very interesting, because this is the experience that another customer gave to me: they originally started to size VMs as though they were buying physical machines. And when you buy a machine, the mindset is it's gonna take me three months to get this. I'm going to have all the hassle of buying it. So I'm not gonna have to do this again. So I always buy the biggest machine that I think I'm going to get a budget for.
Now, if you take that philosophy with VMs, it's the wrong one. Is that your experience?

You're absolutely spot on again. So our experiences are similar here, as we can see, folks.
So, yeah. So in a traditional consumption model, you would buy the biggest server that your budget allows for, because maybe that budget wouldn't be around next year. And if you don't spend enough money, they would take away the money.
Well, the cloud fundamentally challenges that whole mentality. It's not about buying the biggest one. It's about sizing it and scaling it to what you need to use. So it's really taking an organizational adjustment. We're not exactly through that yet. There's still some of this "spend the money or you won't see it next year", but that's kind of the next phase of our evolution, I feel, within our organization: getting our culture kind of ingrained in this agile mentality where you really spend the money that you need to spend.
And it's okay if you don't spend enough or you don't spend all of it, because it'll still be there for you next year. So it's kind of a fundamental pendulum shift of really IT spend. And that surprises some people; some of our contracting teams were challenged by this because they felt that, well, we need to spend right now, otherwise we won't have it later. So it's really a quite dynamic shift in culture and mentality. And it really touches so many areas of the organization that you'll be surprised by what kind of influence you may have. Thank you.
Well, in five minutes, I guess people are going to start coming here for the next thing. But before we finish, if there was one key lesson that you've learned in Mars from adopting the cloud, what is it you would say was the most important thing you would tell your best friend about how to manage the cloud?

So I think the biggest lesson that we've learned is do not reinvent the wheel. Do not try to do this on your own.
There's a lot of thought leadership and expertise that the industry has developed, as Mike talked about, maybe even too much; there seems to be a lot of noise, but there are some strong organizations, especially in the security sense. Again, CSA is one of my favorites. They've developed a lot of good quality material for you to consume, really free material that's very high quality, built by industry experts. So don't reinvent the wheel; look to see what the industry's doing, and then really apply it to your strategy.
If your organization does have a strategy around cloud, great, adapt it to what the industry is saying. If your organization does not have a strategy, go to the industry, listen to the analysts and adopt what they're saying, if it makes sense for your business model. But don't try to do this in a vacuum, because there's a lot of focus, and of course business drive, in promoting cloud services.
And therefore a lot of this has already been done by organizations like Mars and others. So, you know, talk to folks like me, talk to the industry, get involved and learn from them. And that will allow you, I think, to fast track your success with consuming cloud services effectively.
Well, thank you very much indeed. And thank you for coming back afterwards, Nikita. That's for you.
So if you're still interested in the cloud after this, then tomorrow, all day tomorrow, I will be running a workshop on how to do cloud selection, cloud assurance, and how to organize the cloud in your particular organization. So if there are no more questions, then what I'll say is thank you very much, everyone, for attending this session. And I guess you've got a good place now for the final closing session from Professor Dr. Ser Paul. Thank you everyone.