How to avoid storms in the cloud
The Australian experience and global trends

Discussion Topics
1. Understanding Cloud and Benefits
2. KPMG research – The Australian Experience and Global Trends
3. Considerations for Operating in Cloud
4. Regulation and Compliance
5. Security and Privacy
6. Data and Technology

Understanding the Cloud Environment

Cloud Service Models
• Software as a Service ("SaaS"): Business operations over a network
• Platform as a Service ("PaaS"): Deploy customer-created applications to a cloud
• Infrastructure as a Service ("IaaS"): Rent storage, processing, network and other computing resources

Cloud Deployment Models
• Private: Operated for a single organisation, typically controlled, managed and hosted in a private data centre
• Public: Available to multiple organisations on a shared basis and hosted/managed by a third party
• Community: Shared by several related organisations

Cloud Environment Characteristics:
• On-Demand Self-Service
• Internet Accessibility
• Pooled Resources
• Elastic Capacity
• Usage-Based Billing

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.

Cloud Adoption – Australian Information Industry Association
• Australian Cloud Market at early stages
• Private over Public
• KPMG’s analysis shows cost benefits:
  • lower operating costs by 25%
  • lower capital costs by 50%
• Productivity improvements (increased output per unit of cost)
• Innovation (ability to deliver new and evolving products)
• Frost and Sullivan survey: 43% in Australia using Cloud, up from 35% in 2010
• In ASPAC, 22% will budget more than 20% of annual IT expenditure on Cloud

Cloud Adoption – KPMG Global Study

Impact of Cloud on Business Operations
Adopting cloud has a big impact on IT, but it doesn’t stop there. Critical business operations are also affected.
• Organisations need an enterprise-wide approach that takes in the cross-functional effects of cloud
• Your approach may vary, depending on your cloud service model, your deployment model, and the maturity of existing business and IT processes
• Lessons learned from outsourcing apply in the cloud
[Diagram labels: Financial Management and Tax; Security and Privacy; Operational; Business Operations; Data & Technology; Regulatory and Compliance; Vendor Management]

Regulatory and Compliance (Australian Focus)

APRA
• Outsourcing Policy
• Off Shoring arrangements
• Risk Based approach
• Audit Arrangements
• BCM Considerations
• Information security accountability and audit trails

Australian Government
• Public Service Act 1999
• Freedom of Information Act 1982
• Privacy Act 1988
• Archives Act 1983
• Evidence Act 1995
• Copyright Act 1968
• Electronic Transactions Act 1999

Information Privacy Principles
• Disclosure
• Storage and security
• Data segregation
• Data destruction
• Transborder data flow

“agencies may choose to use cloud computing services where they provide value for money and adequate security”

Considerations for Operating in Cloud: Regulatory & Compliance
Challenges/Implications
• Lack of visibility into the CSP’s operations inhibits analysis of its compliance with pertinent laws and regulations
• Complexity of records management/records retention creates challenges
• Lack of industry standards and certifications for cloud providers creates risks
[Diagram labels: Regulatory and Compliance; Breach and Disclosure; Data Location; E-Discovery; Assurance]
Collaborative Risk Assessment

Considerations for Operating in Cloud: Security & Privacy
Challenges/Implications
• Data may be stored in cloud (1) without customer segregation, allowing accidental or malicious disclosure to third parties and/or (2) in a legal jurisdiction where the data subject is not protected
• Loss of governance of critical security areas
• Weak logical access controls due to cloud vendor’s IAM immaturity
[Diagram labels: Security and Privacy; Data Access; Data Governance; Privacy; Security Risk Assessment; Security Requirements]

Considerations for Operating in Cloud: Data & Technology
Challenges/Implications
• There is a risk of creating independent silos of information and creating issues with data integrity, quality, and insight
• Business can bypass the IT function to implement cloud solutions, making IT governance challenging
• Cloud dramatically changes how IT delivers services
• Cloud adoption opens the four Data Center walls, creating new risks
[Diagram labels: Data & Technology; IT Solution Delivery; Service Catalog; Data Governance; IT Service Management; Technology Strategy & Architecture]

Key Take-Aways

IT Professionals
• Work closely with the business
• Evaluate interoperability
• Refine the role of the CIO

Risk and Internal Audit Professionals
• Risk and controls in cloud selection
• Traditional IT controls may not support assurance programs
• Determine how cloud impacts regulatory and compliance requirements

Key Take-Aways (cont)
• Considerations for moving to the cloud vary by organisation. Make an informed decision.
• Cloud is not about technology and affects all aspects of business
• Implement lessons learned from the IT Outsourcing experience
• Constantly monitor the marketplace

Thank you!

Angela Pak
Associate Director, IT Advisory
Tel: 9263 7202
Mob: 0403 326 790
[email protected]

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative ("KPMG International").