For the past decade, information technology and cloud computing vendors have pushed the virtualization and abstraction of every possible part of IT infrastructure further and further, turning what used to be things you bought and paid for into services that you subscribe to. First there was software as a service, and then compute and infrastructure as a service, then platforms as a service, and now even storage and databases as a service. The "private cloud" brought the same models into enterprise data centers. And the "hybrid cloud" blew the data center walls out and mixed everything together. But managing each decoupled element of this brave new world of randomly distributed infrastructure has become increasingly complex. Arguably, it hasn't really changed the business of running enterprise IT as much as it has made things complex in new ways.

But what if there was an "as a service" to fix that, too?

Today's leading edge of enterprise IT pushes further toward automated deployment of everything from bare-metal servers to "containerized" workloads, juggling the networking and storage and system-management support through one portal or another, even internally, and cloud providers have started to drop not-so-little outposts of their infrastructure into their biggest customers' data centers. Even the definition of "cloud" versus "on-premises" has gotten foggy, thanks to such private cloud options as Microsoft's Azure Stack and Google's Anthos that let enterprise clients move cloud resources back into local data centers.

It's tempting to believe that all of these could be put behind one Web portal that makes everything just a service that can be managed like cloud instances—scaled up and down on demand with a monthly bill (or charge-back). So cloud providers and major enterprise IT vendors are starting to try to shape this vision to their particular strengths—and some vendors may actually succeed.

But, while sales pitches may anthropomorphize "The Cloud" into a sentient and unstoppable being, the reality of "everything as a service" offerings is not quite as tidy as that—yet. And, while a few brave companies with greenfield IT projects may be grabbing onto "almost everything as a service," not everyone is ready to follow them. As many of you told us, all of these new options increase the scope and complexity of a cloud migration. While moving email from local hosting to the cloud may have been obvious (yes, it really is past time to migrate off of Lotus Notes), the vote isn't nearly as automatic with each new level of "as a service" abstraction.

"We've kind of had a pendulum swing from an 'Oh my gosh, everything's going to go to the cloud,'" said Edward Parker, a director and data and cloud infrastructure analyst at BTIG Research. "This is not going to be a smooth, sweeping transition."

For almost 56% of respondents to our survey, that transition has yet to even start—they reported that their companies had not begun moving apps or services outside traditional centralized data centers.

With that number being as big as it is, there's plenty of opportunity for vendors selling the "everything as a service" model—and plenty of reasons why it can work well if implemented correctly. The work of cloud platform and major enterprise infrastructure vendors to build increasing amounts of intelligence into management systems for virtualized and "as a service" assets is nudging the industry down that path. And some (but not all) enterprise IT shops have been pushing the ball forward themselves for the past decade.

Connectivity and compatibility

The upsides to moving an app or process to the cloud should be obvious: no sunk cost in hardware, the ability to scale the service up or down to match your usage, and the assurance of leaving the everyday maintenance of its infrastructure to specialists.

Parker paraphrased a common line of thought among cloud clients: "We certainly don't have the overhead to stand up all these apps—let's just pay for it by the drip; it just makes my life easier." The biggest gotcha that many businesses will need to overcome with cloud services is the reliance on outside connectivity—so the connection between your business and the Internet needs to be more robust than it would otherwise be. It's tough to find a workplace where net connectivity isn't business-critical, but if you're sourcing your stuff to the cloud, that criticality is absolute.

"If you're going to be moving to a cloud service that expects always-on, how do you make it so that those who might not have an always-on world can function?" asked Tom Bridge, partner at the Washington-based IT consultancy Technolutionary and a host of the Mac Admins Podcast. For smaller businesses that lack assured and affordable bandwidth backed by a service-level agreement, this can argue against moving much beyond mail to services vendors. Less-full-featured services can also introduce employee headaches—businesses often need to deal with less obvious gotchas like different UXes between Web apps and synchronized desktop apps.

Having employees who aren't new to the cloud can help enormously with setting expectations. Bridge commented that, during mobile-device management rollouts, for example, his experience is that a good 25% of staff won't adopt without "their boss standing over them to do it"—and advised management not to brush off the concerns of those holdouts.

"If they're getting forced into a new system they see no value in, they will resist, and often I think that resistance is valid and valuable, because it can show you disconnects between management's choices and the choices of the people actually doing the work."

Companies that recognize this and make some effort to address employee concerns (instead of blowing them off with anodyne non-response statements) have a much clearer and easier path to service adoption. Dino Dai Zovi, staff security engineer at Square, offered a simple version of that advice in his Black Hat opening keynote: "It's all about cultivating empathy."

Privacy and regulatory compliance

For larger enterprises, the story is somewhat different. They may not lack for bandwidth, but they have other reasons to lean toward private-cloud service models that position cloud resources in their own data centers. And one of those reasons is the hammer of regulatory compliance.

Companies have long had to deal with industry-specific regulations, especially in the financial sector, along with the consequences of laws such as Sarbanes-Oxley on data retention and control over IT processes. Complying with privacy regulations has become a growing concern, thanks to the rise of such sweeping privacy rulesets as the European Union's General Data Protection Regulation (GDPR) and California's still-evolving California Consumer Privacy Act (CCPA). But the "as a service" approach offers advantages here as well, in that it provides a chance for cloud-service providers to leverage their scale to develop in-house compliance expertise that can be bundled with services.

"I think that many SMEs [small-to-medium enterprises] would struggle to dedicate the technical and legal resources to compliance with data protection laws that the largest cloud providers do," emailed John Verdi, vice president of policy at the Future of Privacy Forum, a Washington-based, industry-funded think tank. "At the same time, there is a perception among smaller firms—perhaps accurate, perhaps not—that cloud providers' data-use agreements prioritize data processors' compliance over that of data controllers."

It's certainly true that a cloud provider will not automatically save an enterprise customer from its own dimwitted data habits. "A cloud provider like AWS may offer tools that help enable GDPR-compliance, but it's still up to the company to use them effectively and to take whatever other measures they may need to ensure their own compliance," said Cathy Gellis, a California attorney who specializes in digital issues.

"In other words, GDPR compliance isn't contagious, where one company can catch it from another," she added. "But non-compliance sort of is, because if you do business with another company that's not itself on the ball with the GDPR, it may well make it hard for you to be."

What kind of cloud service you sign up for—from general-purpose storage providers like AWS or Google Cloud to customizable services like Salesforce's CRM to specialized cloud apps covering functions like employee benefits—can also weigh heavily on how much input you have over regulatory compliance. "The further down the continuum you go, the more control you give up in terms of being able to know and control the treatment of personal data," said Tennille Christensen, a technology transactions attorney in California who specializes in working with early-stage companies and entrepreneurs. "The more control you give up to your sub-processors, the more you have to trust them."

Christensen advised asking those more specialized providers to offer legal cover. But she added a good-luck-with-that caveat: "You can, if you like, ask your subprocessors (cloud-service providers) for an indemnity, to get you some legal coverage, but many of the larger providers (who are best equipped to meet the more difficult privacy obligations) won't offer one."

The CCPA promises to add further compliance complications when it goes into effect at the beginning of January 2020. But while that bundle of California regulations follows much of the broad outlines of the GDPR, it's also still being tweaked with amendments. "I put a notation in my calendar to check back in late September to see what the bill looked like and start doing the majority of my own education and preparation for clients at that time," Christensen said.