New paradigm of automation eur kpmg

  1. Risk & Compliance: New Paradigm of Automation. January 2011, Rotterdam. drs. Mike Chung RE, Advisory
  2. Introduction
     © 2011 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.
  3. Hypothesis
     - Paradigm shift in automation is in progress
     - Hybrid environment is the ‘future’ mode of operation
     - Orchestration of this hybrid environment will be a critical success factor
  4. Why this presentation?
     - We, auditors, see organizations taking irresponsible risks in an increasingly complex technology and business environment
     - We strongly feel auditors are to provide clear and structured insight into risks and mitigations
     - We believe in sharing this knowledge to benefit the community
  5. Objectives
     - Understanding the context of the new paradigm
     - Addressing the considerations
     - Defining steps forward
  6. Assumptions & limitations
     Assumptions
     - Participants have advanced (technical) knowledge of IT
     - Locally installed and managed IT is referred to as ‘traditional’, on-premise IT
     Limitations
     - Not an exhaustive overview
     - One-way communication
  7. Understanding the context
  8. Current business challenges
     Cost savings
     - Cost savings are often necessary in order to maintain profit margins
     - In practice they are difficult to enforce, and cutting expenses is never a popular measure
     Time-to-market
     - Volatile consumer and employee demands
     - Short lifetime of products and services
     - Delay results in significant loss of opportunity and a smaller market
  9. Old paradigm
     Increasing expenditure
     - IT spending at up to 5% of revenue for Fortune 500 enterprises and over 5% of government budgets in most OECD countries
     - 80% of these costs spent on maintenance of the existing IT
     - IT budgets show an upward trend
     Rigid and static
     - Bound to existing, local IT resources
     - Deployment of new services bears high risks and involves more time and effort
     - Never designed to facilitate mobile use
  10. Trend: centralization and commoditization
     Centralization of IT assets
     - Economies of scale result in cost savings
     - Centralized delivery of services meets volatile demand more effectively
     Commoditization
     - Standardized use of IT services leads to lower costs
     - Turnkey solutions are easier to deploy
  11. Various solution models (1/2)
     Portfolio management
     - Management of IT purchases
     - Controlled use of existing IT assets
     - ‘Vendor/solution-X-unless’ policies
     Shared Service Centers
     - Centralization of scattered IT units and resources
     - Allocation of expertise and IT assets
     Hosting
     - Use of provider’s IT resources to host specific services (e.g. web sites)
     - Use of provider’s IT resources as additional IT capacity
  12. Various solution models (2/2)
     Outsourcing & offshoring
     - Shift of IT services to providers
     - Transfer of IT units and resources to providers
     Cloud computing
     - Use of standardized, shared services from providers (varying degrees of multi-tenancy)
     - IT service as a commodity
     Supporting technologies/infrastructure
     - Virtualization
     - Web services and ‘Service Oriented Architecture’
     - Broadband internet
     - Mobile networks
  13. “I realised that what I was standing in was a prototype of a new kind of power plant – a computing power plant that would come to power our information age the way great electric plants powered the industrial age.” Nicholas Carr, The Big Switch
     [Diagram: the solution models plotted against two axes, ‘Outsourcing of IT resources and management’ (Low to High) and ‘Resource sharing’ (Low to High), running from Locally installed IT (low on both) via SSC, Hosting and Outsourcing & Offshoring to Cloud computing (high on both). Source: KPMG]
  14. Old to new paradigm
     [Diagram: for each of Traditional IT, Outsourcing and Cloud computing, the same stack of layers: Data; IT assets/resources; IT management; Provider’s proprietary technology and processes. Labels ‘Managed’ and ‘Purchased’ mark which layers the customer manages itself and which it buys from the provider.]
  15. Cloud computing
  16. Cloud computing: definition(s)
     - Too many definitions of cloud computing
     - “Cloud computing is storing your data on someone else’s hard disk and accessing it via a network”
     - Hosted services from the (inter)net, metaphorically depicted as a cloud
     - Utilization of Web 2.0
     - ‘ASP 2.0’
     Characteristics:
     - Multi-tenancy (resource sharing)
     - Separation of use and ownership of IT assets
     - Subscription based
     - Elastic (upscale and downsize)
     - External data storage
     - Use of the internet
  17. On-premise vs cloud computing
     [Diagram: two side-by-side models. ‘On-premise’: the customer’s users consume IT services run on hardware, software and data held by the customer; the vendor supplies licences and support costs. Cloud computing: the customer’s users reach IT services over the internet on a subscription, pay-as-you-go basis; hardware, software and data sit with the vendor.]
  18. Cloud computing: types and layers
     Types of cloud computing
     - Public cloud
     - External private cloud
     - Internal private cloud
     Layers
     - Software-as-a-Service (Salesforce.com, Gmail, Office 365)
     - Platform-as-a-Service (Google AppEngine, Force.com, Azure)
     - Infrastructure-as-a-Service (Amazon EC2, Terremark Cloud)
  19. Cloud computing: history
     - First computer: UNIVAC in 1940
     - Thomas Watson: “the world needs only five computers…”
     - Hardware revolution 1960 - 1970
     - Mainframe era 1970 - 1990
     - Rise of the client computer 1980 - 1990
     - Rise of the client-server architecture 1990 - 1995
     - Rise of the network computer 1995 - 2000
     - Moore’s law
     - Grove’s law
     By 2005:
     - Sufficient bandwidth
     - Matured virtualization technology
     - Matured web services technology
     - Salesforce.com
  20. Cloud computing down-to-earth
     Cloud computing is marginal
     - Current share of external types of cloud computing in IT is less than 5%
     - The US is the leading market for cloud services (60%); the rest of the world can be considered periphery
     - Internet platforms for collaborative/social purposes are yet to be adopted by business communities
     Cloud computing is considerable
     - The market for cloud computing is expected to grow between 20 and 40% per year (2010 – 2015)
     - According to a recent survey by KPMG, more than 40% of corporations are already using some form of cloud computing
     - Cloud computing is part of the paradigm shift in automation from locally installed/managed IT towards centralized delivery and shared use of services
     Sources: KPMG, OECD, IDC, Burton Group
  21. Incidents and threats in practice
     Incidents
     - Hackers stole credentials of Salesforce.com’s customers via phishing attacks (2007)
     - Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
     - Botnet incident at Amazon EC2 infected customers’ computers and compromised their privacy (2009)
     - Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft’s software (2010)
     Threats
     - Botnets are increasingly threatening access to internet services
     - Spam, excessive traffic from multimedia sites and P2P networks are clogging the internet’s arteries; internet traffic is growing by 40% per year
     Sources: KPMG, Cisco
  22. Considerations
  23. New paradigm of automation: hybrid environment
     - Given the position of cloud computing and the ongoing wave of sourcing, the future mode of operation will be a hybrid environment
     - At large organizations, this hybrid environment will consist of on-premise IT, outsourced parts, parts at hosting providers, and parts in the cloud
  24. New paradigm: hybrid environment
     [Diagram of the hybrid environment. Source: KPMG]
  25. Characteristics impacting risk profile
     Location of data storage and IT assets
     - Traditional IT: on-premise; within the internal security domain of the customer
     - Cloud computing: off-premise; outside the internal security domain of the customer; hosted/located at the cloud service provider or distributed/scattered over a multitude of (third-party) providers
     Usage of (IT) resources
     - Traditional IT: exclusive to the customer
     - Cloud computing: varying degrees of multi-tenancy
     Principal infrastructure
     - Traditional IT: LAN, leased lines
     - Cloud computing: public internet
  26. Risk dimensions
     [Diagram: six risk dimensions arranged around ‘Risks’: Data, Technology, Compliance & Legal, Provider, Finance, Operations. Source: KPMG]
  27. Risk dimension: data
     External IT operations
     - Inadequate and/or insufficient data security measures at the provider’s location(s) compromising data integrity and confidentiality
     - Issues with retrieving data after termination of service
     Multi-tenancy
     - Inadequate data segregation and process isolation leading to data contamination and/or breach of confidentiality
     - Inadequate Identity & Access controls causing illegitimate access to sensitive data such as intellectual property
     Public internet
     - Unencrypted data getting lost or stolen in transfer
     - Clogged parts of the network causing unavailability of data
  28. Risk dimension: operations
     External IT operations
     - Discontinuation of business-critical services due to failing disaster recovery at the cloud service provider
     - Unclearly defined SLAs leading to unsatisfactory services
     Multi-tenancy
     - Restricted/limited services due to insufficient allocation of resources and/or capacity
     - Standardized functionalities not meeting business requirements
     Public internet
     - Dependency on internet access and availability for all cloud services
     - Uncontrolled access from unsecured/malware-infected client devices affecting services
  29. Risk dimension: compliance & legal
     External IT operations
     - Compliance issues due to lack of assurance concerning the physical location of data
     - Location of data in different jurisdictions conflicting with local legislation applicable to the customer
     Multi-tenancy
     - Difficulty ensuring compliance due to the ‘black box’ nature of shared resources (monitoring & logging)
     - Compliance issues due to a complex or unclearly defined ecosystem of third-party cloud services
     Public internet
     - The public internet is exceptionally hard to audit and to monitor
     - Accountability and responsibilities for internet traffic are difficult to assign and even more difficult to enforce
  30. Risk dimension: technology
     External IT operations
     - Integration issues due to cross-vendor incompatibility
     - Divergent technical controls between internal and external IT resources causing inconsistent security levels
     Multi-tenancy
     - Standardized security controls not meeting the customer’s on-premise technical standards
     - Standardized functionalities not matching the technical change control capabilities of the customer
     Public internet
     - Measures to secure internet traffic of valuable data leading to deviations from company security standards
     - Lack of possibilities to influence technology on the internet
  31. Risk dimension: finance
     External IT operations
     - Underestimated cost of migration
     - Inaccurate estimation of cost for pay-as-you-go/subscriptions of cloud services versus on-premise cost
     - Underestimated cost of legal and risk management support
     - Capital destruction due to unused on-premise IT assets and unused potential of human resources
     - Additional cost of retrenchment of IT staff
     Public internet
     - Additional cost for leased lines and/or more bandwidth
     - Additional cost for measures to secure internet traffic
  32. Risk dimension: vendor
     External IT operations
     - Vendor lock-in due to usage of proprietary standards
     - Discontinuation of business-critical services in case of bankruptcy of the cloud service provider
     - Cloud computing may be part of a ‘tech bubble’: massive investments in an uncertain business model (one big incident at Google or Microsoft can push back months of progress)
     Multi-tenancy
     - Undesirable change of services or service levels in case of strategy alterations or take-over of the provider
     - Less customization due to a shift of focus of the provider
  33. Addressing the challenges
  34. New paradigm: hybrid environment
     [Diagram of the hybrid environment. Source: KPMG]
  35. Orchestration
     Orchestration of automation will be the critical success factor
     - Management of multiple providers
     - Integration of different technologies
     - Risk control over various dimensions
     IT complexity will gradually reduce, but compliance challenges and legal complexity will increase
     - Continuous monitoring of compliance
     - Legal support as an integral part of service management
     The key risk resides in the organization’s inability to orchestrate the new paradigm of automation
     - Dependency on static IT units
     - Proliferation of services
  36. Control & trust
     [Diagram: for each of Traditional IT, Outsourcing and Cloud computing, the stack Data; IT assets/resources; IT management; Provider’s proprietary technology and processes. A ‘Span of control’ bracket marks the layers the customer controls directly and a ‘Trust’ bracket marks the layers where the customer must rely on the provider.]
  37. Scope of audit/assurance and area of difficulty
     [Diagram: the same stack as on the previous slide for Traditional IT, Outsourcing and Cloud computing, with a ‘Scope of audit’ bracket marking the layers the audit can cover and a ‘Trust’ bracket marking the layers that remain the area of difficulty.]
  38. Current audit standards
     - Localized IT as starting point (ITIL)
     - Strong focus on ‘traditional’, on-premise IT (ISO 27001/2, PCI DSS)
     - Static (COBIT)
     - Strong focus on processes (SOx)
  39. New audit ‘standards’
     Abundance of ‘standards’
     - ENISA, Cloud Computing Benefits, risks and recommendations for information security
     - ENISA, Cloud Computing Information Assurance Framework
     - Cloud Security Alliance (CSA), Top Threats to Cloud Computing V1.0
     - ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspective
     - ISF, Security Implications of Cloud Computing
     - OWASP, Application Security Verification Standard 2009 – Web Application Standard, 2009
     - KPMG, Beveiligingraamwerk SaaS
     Limited scope, mainly focused on security
     Scarcely used, barely accepted by the market
  40. Compliance
     - Responsibility and risks are with the customer, not the cloud service provider
     - Legislation versus the current state of (technical) affairs
     - Compliance with different legislation from different countries (SOx, HIPAA, PCI DSS, WBP, …)
     - SAS70/ISAE 3402/3000 as a way out?
  41. SAS70/ISAE 3402/3000: objections
     - Limited to processes relevant to financial statements
     - Free to choose the controls
     - Dependent on the expertise and viewpoint of the auditor
     - Many variations in audit approach, set-up and level of (technical) detail
     - Wide intervals between audits
  42. SAS70/ISAE 3402/3000 in practice
     - Same standards used as for on-premise IT environments
     - Hardly any attention to multi-tenancy, service integration and external data storage
     - Superficially reviewed by (potential) customers and auditors
     - Gaps rarely raised
  43. Conclusion
  44. New paradigm: hybrid environment
     [Diagram of the hybrid environment. Source: KPMG]
  45. Our role
     - Understand
     - Participate
     - Keep your eyes open and keep your head cool
  46. Conclusion
     - Paradigm shift in automation is in progress from locally installed and maintained IT (on-premise IT) towards the centralization and commoditization of IT services
     - Hybrid environment consisting of different service models is the ‘future’ mode of operation
     - Orchestration of this hybrid environment will be a critical success factor
  47. Literature
     - Above the Clouds: A Berkeley View of Cloud Computing, University of California at Berkeley, 2009
     - Top Threats to Cloud Computing V1.0, Cloud Security Alliance (CSA), 2010
     - Cloud Computing Benefits, risks and recommendations for information security, ENISA, 2009
     - Cloud Computing Information Assurance Framework, ENISA, 2009
     - Cloud Computing: Business Benefits With Security, Governance and Assurance Perspective, ISACA, 2009
     - Security Implications of Cloud Computing, ISF, 2009
     - From Hype to Future, 2010 Cloud Computing Survey, KPMG, 2010
     - Clouds in the Forecast - Canadian perspectives on the promise of cloud computing services for businesses, KPMG, 2010
     - Executive Considerations When Building and Managing a Successful Cloud Service, KPMG, 2009
     - Application Security Verification Standard 2009 – Web Application Standard, OWASP, 2009
     - Mike Chung & Walter van Holst, Vendor lock-in in de cloud, Automatisering Gids, August 2010
     - Mike Chung, Audit in the Cloud, KPMG Nederland, 2010
     - Mike Chung, Data Lifecycle in the Cloud, KPMG, 2010
     - Mike Chung, Informatiebeveiliging versus SaaS, EDP-Auditor no. 2, 2009
     - Abhijit Dubey & Dilip Wagle, Delivering Software as a Service, McKinsey Quarterly, May 2007
  48. Contact
     Drs. Mike Chung RE, Manager, KPMG Advisory N.V.
     E-mail: chung.mike@kpmg.nl
     Mobile: +31 (0)6 1455 9916
  49. About the painter & painting
     - J.H. Weissenbruch was a famous 19th-century Dutch painter, famed for his depiction of clouds
     - His style of painting with various tones of grey and brown is typical of the so-called Hague School (Haagse School)
     - The ever-changing ‘skyscape’ of clouds and sunlight above the Low Lands and the North Sea was a source of inspiration for the painters of the Hague School
     - This painting is called Landschap met een boerderij bij een plas (Landscape with a farmhouse at a pond)