In Cloud We Trust

The adoption and utilization of cloud technology is rapidly changing the IT landscape. We think this technology provides the democratization of immense computing power to everybody because it gives every user the same access to powerful computing without having to set up costly data centers.

May 21, 2019

Dr. Patrick Kolb

Fund Manager, Credit Suisse Asset Management

The trend in cloud computing has allowed start-ups and new companies to grow at explosive rates. As a result, a digital transformation within companies will be necessary to keep up in the environment of disruption and rapid change. And as companies engage in digital transformation, they will become increasingly more dependent on the cloud infrastructure. But in a world where security breaches dominate the headlines, the ambiguity that surrounds cloud computing can make securing the corporate network seem daunting. These concerns have led some Chief Information Officers (CIOs) to inhibit their organizational use of public cloud services.

"The cloud services companies of all sizes…The cloud is for everyone. The cloud is a democracy." Marc Benioff, Founder & CEO of Salesforce

Data explosion

The data explosion is the rapid increase in the amount of published information or data and the effects of this abundance. As the amount of available data grows, the problem of managing the information becomes more difficult, which can lead to information overload. Some interesting statistical facts are described as below1,2:

  • Between 1990 and 2005 the capacity of hard disks increased a thousand fold, and it continues to increase today.
  • We produce the same amount of content as stored in the Library of Congress, the largest library in the world, more than 8’500 times per day.
  • Today, the US National Security Agency (NSA) collects as much information as held in the entire Library of Congress every six hours.
  • 2.5 quintillion bytes (2’500’000’000’000’000’000 bytes) of data are created every day.
  • 40 zettabytes (1 zettabyte = 1’000’000’000’000 Gigabytes) of data will be created by 2020.
  • Most companies in the US have at least 100 Terabytes (= 100’000 Gigabytes) of stored data.

These high volumes of data present a challenge. How can we manage and secure the essence of this data rather than just stacking it?

Prior to the cloud technology, software was traditionally sold as a perpetual and on-premise solution where the customer buys from the software vendor. Under this model a customer buys an upfront perpetual license and pays an annual maintenance and service fee for support. This on-premise software model began to break down around a decade ago as the first cloud computing model was introduced. This new approach allows customers to subscribe to a service in a vendor-based model, which is accessible over the internet. With the advent of the cloud the investment in on-premise software, along with maintenance and support costs, were removed at a stroke. A cloud services platform offers customers rapid access to flexible and low-cost IT resources and they only have to pay for what they use.

According to Market Research Future this transition from on-premise solution to the cloud is happening quickly, driving the global cloud computing market an impressive compounded annual growth rate (CAGR) of 15%.


As mentioned in the beginning, one of the key drivers of cloud computing is the data explosion, in this context especially the growth of unstructured data3. Enterprises are digitizing an increasing number of business activities, leading to significant growth in unstructured data. According to Oracle and IDC, a provider of market intelligence and advisory services, unstructured data accounts for almost 80% of total enterprise data and is growing 42% p.a. versus just 22% growth in structured data as shown in Fig. 2 below.


Unstructured data is typically stored outside of the corporate network in a cloud storage environment, usually in form of applications in digital archives. On the other hand structured data is stored on-premise in a database as a backup (usually the data is stored at the same place where the company is located, e.g. in a local server down in the cellar). With more data is expected to reside outside of the corporate network (and very often even in another country with a different legal system), we believe enterprises will have to increase spending on IT security in order to provide secure data access.

Privacy and identity in the cloud

Cloud computing poses privacy concerns because the service provider can access the data that is in the cloud at any time. It could accidentally or deliberately alter or delete information. Many cloud providers can share information with third parties if necessary for purposes of law and order without a warrant. According to the Cloud Security Alliance, the top threats in the cloud are insecure interfaces and API's (application programming interface), data loss and leakages as well as hardware failure4.

Going forward we believe organizations will have to evaluate alternative emerging tools in the field of cloud security. For the most part traditional vendors have taken care of securing the IT infrastructure, including network perimeter, hypervisors and host access control. However, when it comes to protecting the data traffic between different interfaces and applications outside of the corporate network combined with implementing anti-malware solutions and ensuring compliance with current policy requirements, the complexity will dramatically increase. Very often the responsibility of the protection shifts from the cloud providers to the customers.

In the world of cloud computing the traditional “castle and moats” approach to network security has limitations in terms of scale, latency and costs. Organizations are starting to evaluate IT security applications that inspect the data traffic to protect against potential threats. We therefore think companies whose products and tools are located in the cloud between the users and cloud applications itself and are able to deliver cloud firewalls, intrusion prevention systems (IPS), sandboxing and data loss prevention systems are in an interesting competitive position. Many new use cases evolve around installations of internet connections for mobile and remote branch office employees to cloud and data center applications. We think traditional legacy network and endpoint security vendors have to reposition itself for this opportunity or they are at risk of getting disrupted by cloud security pure players.

Another challenge in securing the cloud is identity and access management. When sensitive data are stored outside of a corporate network, it is crucial to identify who has access to it, how they are using it and with which tools.

Thematic Investments

Our investment teams identify and aim to invest in exciting and attractively valued companies that are on the cutting edge of innovation. Join us and invest in tomorrow’s winners.

Before the rise of cloud computing most organizations exclusively used Microsoft’s Active Directory to manage identity profiles. However, this on-premise approach was challenged when authenticating users for cloud applications. Active Directory was designed to authenticate application access within the firewall, while cloud applications sit outside the firewall. Therefore the need for a cloud-based directory has quickly materialized in the identity market. In general, given the large number of enterprise workload that are expected to shift to the cloud, we believe that cloud security services will become significantly relevant over time than traditional on-premise security controls.

An additional driver for identity and access management is the General Data Protection Regulation (GDPR). This regulation is designed to standardize data privacy laws in Europe and went into effect on May 25th 2018. Failure to comply with this regulation can result in fines of EUR 20 million or 4% of total revenues, whichever is greater. In our opinion this regulation has created a “culture of compliance” in Europe, which we believe will drive spending on identity and access management tools that can help corporations to remain compliant with this regulation. Going forward we wouldn’t be surprised that this data privacy framework (or a similar version) will be implemented in other countries.


As traditional network barriers break down with the proliferation of the cloud, we think new companies with cutting edge technologies are well positioned to capture market share from the established incumbents. We would therefore expect that these trends highlight the need for a best of breed approach. Very often the providers of such products and tools are young and innovative companies in the small and mid cap world.

We think the theme of security & safety is becoming increasingly omnipresent in our daily lives and the implications for the automation of data management as well as data infrastructure (such as data centers) are also becoming more critical. As a result the relationship between security and automation (robotics) is symbiotic, with more regulation requiring more security and controls to be put in place, and in turn more automated systems are needed to manage and maintain these checks and controls efficiently.

As long-term oriented investors we think IT security and more broadly speaking security and safety in general are compelling long term secular growth themes for patient investors. Based on these convictions we are shareholders of a number of innovative and young companies which provide solutions for data loss prevention, email and data archiving as well as identity and access management.

Credit Suisse Asset Management has designed strategies to provide clients with “pure-play” exposure to these compelling and complementary long term secular growth themes: Robotics & Automation, Security & Safety, Digital Health, and Infrastructure. For further information please click here.

1 Source: Brett King (2016): Augmented: Life in the Smart Lane, Marshall Cavendish International, Singapore.
2 Source: Bid Data Made Simple (2017): Big data and cloud computing – challenges and opportunities, June 2nd 2017, URL:
3 Unstructured data (or unstructured information) is information that either does not have a pre-defined data model or is not organized in a pre-defined manner. Unstructured information is typically text-heavy, but may contain data such as dates, numbers, and facts as well. This results in irregularities and ambiguities that make it difficult to understand using traditional programs as compared to data stored in fielded form in databases or annotated (semantically tagged) in documents. The Computerworld magazine states that unstructured information might account for more than 70%–80% of all data in organizations (source: Computerworld (2011): World's data will grow by 50X in next decade, Computerworld, June 28th 2011).
4 Source: Cloud Security Alliance (2010): Top Threats to Cloud Computing V1.0, March 2010.

Fee Disclosure
Where permitted by law, we may receive fees, commissions or other monetary benefits in connection with this product from third parties. For details please refer to your Fee Schedule or contact your Relationship Manager.

If you are not a client of Credit Suisse UK Ltd
If you are not a client of Credit Suisse, please note that this document has been provided to you for information purposes only as an example of the type of products we are able to offer to you should you become a client of Credit Suisse. The provision to you of this document does not constitute an invitation or inducement to buy or sell any security or other financial investment, nor does it constitute an advice or personal recommendation. Should you wish to invest in any products, you will have to go through our account opening process which involves providing us with details of your personal and financial circumstances, risk appetite and investment objectives as well as selecting the most appropriate portfolio mandate for you. We can thereafter work with you to determine which investments are suitable or appropriate for you.

Marketing Disclaimer
This document is provided to you for your information and discussion only. It is not a solicitation or an offer to buy or sell any security or other financial instrument. Any information including facts, opinions or quotations, may be condensed or summarised and is expressed as of the date of writing. The information may change without notice and Credit Suisse (UK) Limited (“Credit Suisse”) is under no obligation to ensure that such updates are brought to your attention.
The price and value of investments mentioned and any income that might accrue could fall or rise or fluctuate. Past performance is not a guide to future performance. If an investment is denominated in a currency other than your base currency consult with such advisor(s) as you consider necessary to assist you in making these determinations. Nothing in this document constitutes legal, accounting or tax advice. Credit Suisse does not advise on the tax consequences of investments and you are advised to contact a tax advisor should you have any questions in this regard. Thek levels and basis of taxation are dependent on individual circumstances and are subject to change.
This document has been prepared from sources Credit Suisse believes to be reliable but we do not guarantee its accuracy or completeness and do not accept liability for any loss arising from its use. Credit Suisse reserves the right to remedy any errors that may be present in this document.
Credit Suisse its affiliates and/or their employees may have a position or holding, or other material interest or effect transactions in any securities mentioned or options thereon, or other investments related thereto and from time to time may add to or dispose of such investments. Credit Suisse may be providing, or have provided within the previous 12 months, significant advice or investment services in relation to the investment concerned or a related investment to any company or issuer mentioned. Some investments referred to in this document will be offered by a single entity or an associate of Credit Suisse or Credit Suisse may be the only market maker in such investments. This document is intended only for the person to whom it is issued by Credit Suisse. It may not be reproduced either in whole, or in part, without our written permission. The distribution of this document and the offer and sale of the investment in certain jurisdictions may be forbidden or restricted by law or regulation.
Investments may have no public market or only a restricted secondary market. Where a secondary market exists, it is not possible to predict the price at which investments will trade in the market or whether such market will be liquid or illiquid. Where such investments will not be listed or traded on any exchange, pricing information may be more difficult to obtain and the liquidity of the investments may be adversely affected. A holder may be able to realise value prior to an investment’s maturity date only at a price in an available secondary market. The Issuer of the investment may have entered into contracts with third parties to create the indicated returns and/or any applicable capital protection (in part or in full). The investment instrument's retention of value is dependent not only on the development of the value of the underlying asset, but also on the creditworthiness of the Issuer and/or Guarantor (as applicable), which may change over the term of the investment instrument. In the event of default by the Issuer and/or Guarantor of the investment and/or any third party, the investment or any income derived from such contracts is not guaranteed and you may get back none of, or less than, what was originally invested. Parties other than the Issuer or Guarantor (as appropriate) mentioned in this document (for instance the Lead Manager, Co-structurer, Calculation Agent or Paying Agent) do neither guarantee repayment of the invested capital nor financial return on the investment product, if nothing is indicated to the contrary.
You may have to accept smaller returns on an investment relative to a direct investment in the underlying index, basket, etc. because of the costs involved in providing the capital protection. Such capital protection normally only applies if the investment is held until maturity. The amount of initial capital to be repaid may be geared, which means that a fall in the underlying index or securities may result in a larger reduction in the amount repaid to investors. Where this document relates to packaged products (such as regulated collective investment schemes), any advice offered to retail clients is based on a selection of products from the whole of the market. Where this document relates to emerging markets you should refer to the Risk Disclosures section of the Credit Suisse Terms of Business. Additional information is, subject to duties of confidentiality, available from Credit Suisse upon request.
Hedge Fund strategies may include the use of leverage (borrowing) and derivative instruments resulting in certain risks, some of which are as follows: leveraged investments, by their nature, increase the potential loss to investors resulting from any depreciation in the value of such investments. Consequently, a relatively small price movement in a leveraged instrument may result in a substantially greater loss to the Hedge Fund. The market in some of the investments made as part of a Fund’s strategy may be relatively illiquid, giving rise to potential difficulties in valuing and disposing of such investments.
Information for determining the value of investments held by a Fund may not be readily available which has corresponding implications for the overall valuation of a Fund. Accurate risk profiling of the Fund
holdings may also not be readily available. Always refer to the Fund’s Prospectus and/or the Key Investor Information Document before making an investment.
Your personal data will be processed in accordance with the Credit Suisse Privacy Policy published at
Credit Suisse (UK) Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority for the conduct of investment business in the United Kingdom. The registered address of Credit Suisse (UK) Limited is Five Cabot Square, London, E14 4QR.
If you have any questions regarding the document, please contact your Relationship Manager.
© Credit Suisse (UK) Limited 2019.