SaaS Cloud computing presentation KPMG - opportunities, implications and practices

What are the opportunities, implications and practices of Software-as-a-service?

  • Read reviews, tips, interviews and news about online software (SaaS) at: http://www.cloudtools.nl
  • Great overview. Thanks

Transcript

  • 1. Software-as-a-service Opportunities, implications and practices Mike Chung ADVISORY
  • 2. Contents
      • Introduction
      • Definition of SaaS
      • Opportunities of SaaS
      • Points of consideration
      • Risks of SaaS
      • Overview of main risk areas
      • SaaS life cycle methodology
      • KPMG’s reference model for SaaS
      • Conclusion
      • Contact details
    © 2008 KPMG EDP Auditors N.V., registered with the trade register in the Netherlands under number 33263684, is a member of the KPMG network of independent firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. 145_0908
  • 3. Introduction
      • Software-as-a-Service (SaaS) has evolved from the limited on-line software delivery of the late 1990s to a fully matured “direct-sourcing” business model for enterprise application services
      • SaaS is one of the fastest growing ICT service concepts: more than 10 million companies will be using SaaS in the next 5 - 10 years; more than 50% of all Fortune 500 companies are already using SaaS for one or more application services
      • According to influential IT institutes, SaaS is the leading business model of choice for 2008/2009
      • Virtually all big software/service vendors (Microsoft, Oracle, IBM, Cisco) are investing heavily in SaaS while the ‘traditional’ SaaS/ASP vendors such as Salesforce.com and Google are expanding their business application services steadily
      • With the continuously increasing bandwidth and reliability of the internet, using web services over the (public) internet has become a viable option for many companies
      • An increasing number of SaaS vendors and SaaS aggregators are offering customized, market-specific solutions
  • 4. Definition of SaaS
      • Software provided as a service by a software vendor to multiple customers with the following main characteristics:
          – Standardisation of software – eventually customized for specific customers and markets
          – License based on usage (subscription or “pay-as-you-go”)
          – Service including maintenance, support and upgrades
          – Data storage at the SaaS vendor
          – Web based – usage over the (public) internet
    [Figure: ‘On-premise’ versus ‘On-demand’ (SaaS) delivery. Labels: Customer, User, Software services, Software + data, Software vendor, Internet, ‘Pay-as-you-go’, Software licenses & Operational costs.]
  • 5. Opportunities of SaaS 1/3
    SaaS offers potential for lowering the Total Cost of Ownership
      • Lower operational ICT costs
          – No large scale, costly, high risk implementations of applications
          – Fewer operational resources for application management
          – No platform and hardware (maintenance) costs for application servers
          – Reduced operational complexity: software delivered as a transparent service through the web
      • Minimized software development costs
          – No lengthy software development and testing cycles
      • Lower costs for software use
          – No software license and annual maintenance fees
          – No expensive software upgrades
          – Lower application consultancy and support costs
          – Efficient use of software without paying for unused/unnecessary software and software modules
          – Financial benefits by the Economies of Scale of the vendor
  • 6. Opportunities of SaaS 2/3
    SaaS offers potential for corporate business focus
      • Focus on core business activities and responsibilities
          – Transparent overview and usage of electronic data and information
          – Automation of iterative, manual tasks
          – Faster Time to Market – easy to scale software
          – More flexibility in changing and modifying application services for business needs
          – Full-scale integration of business processes
      • Control over ICT
          – Minimized ICT Service Management efforts mainly focused on availability
          – Well-defined SLAs between the corporation and the ICT vendor
          – More predictable cash flow – easier licensing based on access/usage of software
      • Increased productivity and improved user satisfaction
          – Shorter implementation times for ICT services and changes
          – Single point of entrance to business applications provided via the web
          – Automatic software upgrades with minimal outage
  • 7. Opportunities of SaaS 3/3
    SaaS offers potential for utilizing advanced ICT technology
      • Enhanced level of security
          – Less locally stored data and very limited locally installed software
          – Monitoring and logging at one (vendor’s) location
          – Benefits from the high security levels at SaaS vendors with centralised security expertise and experience
          – Centralised redundancy and fall-back measures
          – Integrated approach of security
      • State-of-the-art technology
          – Deployment of state-of-the-art technology by SaaS vendors investing for multiple customers
          – Usage of energy-efficient technology
          – Usage of technology that is scalable and flexible
  • 8. Points of consideration
      • Outsourcing of software services and (business critical) data
      • Depreciation of existing software and software servers
      • Integration/alignment of existing Service Management processes and the processes of the SaaS vendor(s)
      • Single or multi-vendor solutions
      • Standardized or customized services
      • Several pricing models possible
      • Identity & Access Management
      • Direct contact with the software vendor or via SaaS resellers/aggregators
      • The rate of “outsourcing”
      • Logging and monitoring
  • 9. Risks of SaaS (1/5)
    Data confidentiality/integrity
      • By using SaaS, the business (critical) data is stored at a remote location outside the corporation’s controlled/owned range. This may well lead to extreme dependency on the vendor’s integrity and expertise concerning the corporation’s valuable and/or confidential data.
    Risks:
          – Loss of business data due to inadequate ICT operations by the vendor (redundancy, back-ups, storage)
          – Abuse/misuse/theft of business data due to insufficient security measures including Identity & Access Management
          – Abuse/misuse/theft of business data by vendor’s personnel
          – Abuse/misuse/theft of business data by unauthorised external parties such as other SaaS customers
          – Abuse/misuse/theft of business data by unauthorised internal parties causing breaches in the Segregation of Duties
          – Non-compliance due to poor auditability
          – Non-compliance due to lack of Segregation of Duties
          – Uncontrolled data management caused by inadequate separation of data between different SaaS customers
          – Privacy issues due to insufficient assurance to protect confidential and/or personal data
  • 10. Risks of SaaS (2/5)
    Service continuity & availability
      • SaaS relies on the availability and the performance of the (public) internet. Any outage or performance degradation may well lead to loss of business. Moreover, since no one really “owns” the internet, it is exceptionally difficult to appoint responsible/accountable parties.
    Risks:
          – Discontinuity/unavailability of services in case there is no connectivity to the (public) internet
          – Poor performance due to geographic limitations
          – Difficulties in planning and forecasting when the performance of the internet fluctuates
          – Loss of business data due to poor connectivity or unanticipated activities on the internet
          – Loss/abuse/misuse/theft of business data caused by poor data protection when traversing unsecured networks
          – Non-repudiation issues caused by insufficient authentication and verification mechanisms
  • 11. Risks of SaaS (3/5)
    Service integration
      • Most SaaS vendors and aggregators/integrators offer a limited service catalogue, often focused on one market segment and/or functionality. Integration of SaaS with existing (legacy) services, as well as service integration between different SaaS vendors, may well lead to loss of functionalities as well as a complex and potentially vulnerable IT environment.
    Risks:
          – Loss of software functionalities due to constraints in integrating different services
          – Poor performance due to interface limitations
          – Complexity of the IT environment due to many and/or customized interfaces and connections
          – Difficulties in executing IT changes
          – Complex root-cause analysis
          – Security breaches caused by unclear perimeterisation and unclear demarcation of security responsibilities
  • 12. Risks of SaaS (4/5)
    Performance and support
      • SaaS cannot guarantee better performance and support in principle. Operational issues may have been transferred to the vendor, but this does not reduce the risk levels. The complexity of the ICT may have been outsourced, but this does not take away the complexity itself.
    Risks:
          – Poor performance of the serviced software due to constraints and limitations at the vendor (too many customers, insufficient capacity)
          – Less flexibility and longer Time-to-market due to too standardised software or inadequate development and testing processes
          – Difficulties in receiving support due to poor ICT governance at the vendor
          – Poorly defined SLAs
          – Difficulties in receiving support due to unclear agreements
          – Imbalance between the customer’s service requirements/expectations and the vendor’s service delivery due to unrealistic expectations and/or inadequate mapping of services and requirements
          – Long-lasting incidents and change requests due to complex root-cause analysis
          – Complex service management due to multiple SaaS vendors and aggregators
          – Loss of productivity by unannounced software/interface changes (Frankenstein Switch)
  • 13. Risks of SaaS (5/5)
    Legal and contractual
      • Due to the relatively recent nature of the SaaS concept, legal and contractual issues are yet to be elaborated.
    Risks:
          – Difficulties in appointing responsible and accountable parties due to poorly defined contracts and agreements
          – Increased ICT costs by choosing the wrong costs/pricing models
          – Complex contract management due to contracts with multiple SaaS vendors and aggregators
          – Difficulties in data restoration when changing vendors due to unclear contractual demands and lack of control from the customer’s perspective
  • 14. Overview of main risk areas for SaaS
  • 15. KPMG’s SaaS life cycle methodology (1/4)
    [Figure: life cycle diagram with six phases and their activities.]
      • Strategy: Vision, Strategy, Feasibility Assessment, Business Case
      • Scope & Plan: Current Architecture, Future Architecture, Outline Project Plan, Risk Analysis, Refined Business Case
      • Design & Select: Selection Criteria, RFI / RFP, Vendor Evaluation & Selection, Contract
      • Transition: Pilot, Detailed Project Plan and Approach, Migration/Implementation
      • Deliver: SaaS Delivery, Benefits Realization, Monitoring, Risk and Controls Assessment
      • Evolve: Strategic Reviews, New Contracts Negotiation, Performance Improvement
  • 16. KPMG’s SaaS life cycle methodology (2/4)
    1. Strategy
      • Defining vision
          – Drivers and objectives
          – Outline scope of services to be purchased as SaaS
      • Defining strategy
          – Principles and standards
          – Outline approach
          – Tranches/plateaus
      • Performing feasibility assessment
          – Organisation and processes
          – Technology
          – Legal and contractual subjects
      • Building the Business Case
          – Drivers and objectives
          – Alternatives and options
          – Cost and benefits
    2. Scope and Plan
      • Assessing current architecture
          – Business/Enterprise architecture
          – Technical architecture
      • Building future architecture
          – Requirements and limitations
          – Processes (service design)
          – Technology
      • Producing outline project plan
          – Sourcing (HR and finances)
          – Governance and project management
          – Outline risk analysis
      • Performing risk analysis
          – Project risks including migration/implementation risks
          – SaaS-related risks
      • Refining the Business Case
  • 17. KPMG’s SaaS life cycle methodology (3/4)
    3. Design and Select
      • Defining selection criteria
          – Functional
          – Service Management
          – Migration/implementation strategy
          – Risk mitigation
      • Publishing RFI/RFP
          – Market research and analysis
          – Tender strategy
      • Evaluating vendors
          – Assessment
          – Proof of Concept
          – Selection
          – Due diligence
      • Signing contract(s)
          – SLAs including KPIs
          – OLAs
          – Legal agreements
    4. Transition
      • Setting up pilot
          – Pilot migration
          – Functional/technical implementation
          – Service management
          – Evaluation
      • Producing detailed, updated transition project plan and approach
      • Executing migration
          – Data
          – Service (functional/technical)
          – Service (governance/processes)
  • 18. KPMG’s SaaS life cycle methodology (4/4)
    5. Deliver
      • Delivering SaaS
          – Functional/technical
          – Governance/processes
      • Realizing benefits
          – Financial
          – Business-wise
          – Service oriented
          – Technological
      • Monitoring
      • Performing risk and controls assessment
          – Security
          – Service and performance
          – Compliance
          – Legal and contractual
    6. Evolve
      • Performing strategic reviews
          – Functional/technical
          – Financial
          – Service delivery
          – Risk assessment
          – Pre/post SaaS impact
          – Benchmarking
      • Negotiating new contracts
      • Processing performance improvement
          – Remediation
          – Restructuring
          – Optimization
  • 19. KPMG’s reference model for SaaS
    [Figure: reference model diagram. Labels: Identity and Access Management, Integral Security Management, Federation (three times).]
  • 20. Conclusion
      • As with opportunity comes danger, SaaS offers huge possibilities and poses serious risks
      • While the software and operational activities can be transferred to the SaaS vendor, SaaS will not reduce the risk levels in principle
      • To benefit optimally from SaaS, it is essential to take mitigating measures prior to implementation
      • Structured approach and ‘best practices’ are key success factors
  • 21. Contact details
    Mike Chung, Manager
    +31 (0)6 1455 9916
    chung.mike@kpmg.nl
    Office address: KPMG IT Advisory, Burg. Rijnderslaan 20, 1185 MC Amstelveen, The Netherlands