How to avoid storms in the cloud The Australian experience and global trends

Discussion Topics
1. Understanding Cloud and Benefits
2. KPMG research – The Australian Experience and Global Trends
3. Considerations for Operating in Cloud
4. Regulation and Compliance
5. Security and Privacy
6. Data and Technology
Understanding the Cloud Environment
Cloud Service Models
• Software as a Service (“SaaS”): business operations over a network
• Platform as a Service (“PaaS”): deploy customer-created applications to a cloud
• Infrastructure as a Service (“IaaS”): rent storage, processing, network and other computing resources
Cloud Environment Characteristics
• On-Demand Self-Service
• Internet Accessibility
• Pooled Resources
• Elastic Capacity
• Usage-Based Billing
Cloud Deployment Models
• Private: operated for a single organisation; typically controlled, managed and hosted in a private data centre
• Public: available to multiple organisations on a shared basis and hosted/managed by a third party
• Community: shared by several related organisations
© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent
member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.
Cloud Adoption – Australian Information Industry Association
• Australian cloud market at early stages
• Private over public
• KPMG’s analysis shows cost benefits:
   • lower operating costs by 25%
   • lower capital costs by 50%
• Productivity improvements (increased output per unit of cost)
• Innovation (ability to deliver new and evolving products)
• Frost and Sullivan survey: 43% in Australia using cloud, up from 35% in 2010
• In ASPAC, 22% will budget more than 20% of annual IT expenditure on cloud
Cloud Adoption – KPMG Global Study
Impact of Cloud on Business Operations
Adopting cloud has a big impact on IT, but it doesn’t stop there. Critical business operations are also affected.
• Organisations need an enterprise-wide approach that takes in the cross-functional effects of cloud
• Your approach may vary, depending on your cloud service model, your deployment model, and the maturity of existing business and IT processes
• Lessons learned from outsourcing apply in the cloud
[Diagram: Business Operations: Financial Management and Tax; Security and Privacy; Operational; Data & Technology; Regulatory and Compliance; Vendor Management]
Regulatory and Compliance (Australian Focus)
APRA
• Outsourcing Policy
• Off Shoring arrangements
• Risk Based approach
• Audit Arrangements
• BCM Considerations
• Information security accountability and audit trails
Australian Government
• Public Service Act 1999
• Freedom of Information Act 1982
• Privacy Act 1988
• Archives Act 1983
• Evidence Act 1995
• Copyright Act 1968
• Electronic Transactions Act 1999
“agencies may choose to use cloud computing services where they provide value for money and adequate security”
Information Privacy Principles
• Disclosure
• Storage and security
• Data segregation
• Data destruction
• Transborder data flow
Considerations for Operating in Cloud
Regulatory & Compliance
Challenges/Implications
• Lack of visibility into the CSP’s operations inhibits analysis of its compliance with pertinent laws and regulations
• Complexity of records management/records retention creates challenges
• Lack of industry standards and certifications for cloud providers creates risks
[Diagram: Regulatory and Compliance: Breach and Disclosure; Data Location; E-Discovery; Assurance; Collaborative Risk Assessment]
Considerations for Operating in Cloud
Security & Privacy
Challenges/Implications
• Data may be stored in cloud (1) without customer segregation, allowing accidental or malicious disclosure to third parties and/or (2) in a legal jurisdiction where the data subject is not protected
• Loss of governance of critical security areas
• Weak logical access controls due to cloud vendor’s IAM immaturity
[Diagram: Security and Privacy: Data Access; Data Governance; Privacy; Security Risk Assessment; Security Requirements]
Considerations for Operating in Cloud
Data & Technology
Challenges/Implications
• There is a risk of creating independent silos of information and creating issues with data integrity, quality, and insight
• Business can bypass the IT function to implement cloud solutions, making IT governance challenging
• Cloud dramatically changes how IT delivers services
• Cloud adoption opens the four Data Center walls, creating new risks
[Diagram: Data & Technology: IT Solution Delivery; Service Catalog; Data Governance; IT Service Management; Technology Strategy & Architecture]
Key Take-Aways
IT Professionals
• Work closely with the business
• Evaluate interoperability
• Refine the role of the CIO
Risk and Internal Audit Professionals
• Risk and controls in cloud selection
• Traditional IT controls may not support assurance programs
• Determine how cloud impacts regulatory and compliance requirements
Key Take-Aways (cont)
• Considerations for moving to the cloud vary by organisation. Make an informed decision.
• Cloud is not about technology and affects all aspects of business
• Implement lessons learned from the IT Outsourcing experience
• Constantly monitor the marketplace
Thank you!
Angela Pak
Associate Director, IT Advisory
Tel: 9263 7202
Mob: 0403 326 790
apak@kpmg.com.au
All information provided is of a general nature and is not
intended to address the circumstances of any particular
individual or entity. Although we endeavor to provide
accurate and timely information, there can be no
guarantee that such information is accurate as of the date
it is received or that it will continue to be accurate in the
future. No one should act upon such information without
appropriate professional advice after a thorough
examination of the particular situation.
The KPMG name, logo and "cutting through complexity"
are registered trademarks or trademarks of KPMG
International Cooperative ("KPMG International").