
Cii-PwC Cloud Summit Report 2016

CII-PwC Report on Boosting Market Dynamics with Digital Technologies.


  1. 1. BOOSTING MARKET DYNAMICS WITH DIGITAL TECHNOLOGIES The cloud in healthcare and financial services
  3. 3. Content
       1 Foreword
       2 Introduction
       3 Rise of the New IT Platform
       4 Word of caution
       5 Cloud computing: Laying the foundation for a global digital ecosystem for a new form of business
       6 Privacy and data security concerns
       7 Addressing security, privacy and regulatory concerns in healthcare
       8 Addressing security, privacy and regulatory concerns in financial services
       9 State of data protection and privacy laws in India
       10 Conclusion
       11 Appendix
  4. 4. 1 Foreword

     The fact that today's business landscape is changing faster than ever has become a cliché. Things that were relevant a few years back or are relevant today will not be so in the near future. Digital technology has become the foundation of this transformation. It holds the key, right from strategy formulation to execution. Companies will need to adapt quickly to these changes to achieve growth, meet disparate consumer needs, reach out to markets, compete and succeed.

     With cloud computing being perceived as the platform for digital transformation, its adoption is fast transforming from hype to reality across industries. Two industries in particular, healthcare and financial services, where security is a key concern due to the sensitive nature of data that is transacted and which have traditionally been subjected to stringent regulations and compliances, are experiencing a rise in the adoption of cloud services. Yet, data privacy and security threats have always been the dark side of the cloud and remain a cause for concern among these industries. However, it is interesting that healthcare and financial services companies that have adopted cloud computing are finding that security and compliances delivered by cloud service providers exceed their needs.

     As cloud services continue to mature, companies as well as governments are placing trust in service providers and are migrating data and applications to the cloud. One of the best examples of this new-found trust is the US federal government's adoption of cloud-based solutions for cabinet-level agencies, including the Department of Homeland Security, which is pursuing both public and private cloud solutions. The Indian government has also published a comprehensive policy report for its adoption and usage of cloud services.

     This joint CII-PwC report covers the benefits and challenges faced in the adoption of cloud computing in the healthcare and financial services industry in India. It highlights the best practices being followed globally by companies in industries that have successfully adopted the cloud, and recommends an approach for future adoption. The report also assesses the current state of data protection and privacy laws in India and proposes an approach to formulate and enforce newer laws and regulations that are relevant to the current context.

     S Premkumar, Chairman, CII Sub-Committee on Cloud Computing, and Executive Vice Chairman and Managing Director, HCL Infosystems Ltd
     Chandrajit Banerjee, Director General, Confederation of Indian Industry
  5. 5. 2 Introduction

     Digital technologies are impacting industries and businesses alike. Social, mobile, analytics and cloud (SMAC), along with agile, continuous integration and development practices like DevOps [1] and Internet of things (IoT), are having an unforeseen impact as enablers of business. Businesses today are relying heavily on technology. With new-age start-ups changing the market dynamics with digital technologies, the message to incumbents is clear: either you innovate or you perish. Cloud computing in particular promises significant transformational benefits across industries and is seen as the foundation for digital business transformation. Though enterprises have been adopting the cloud at a rapid pace, concerns like data security and privacy continue to hinder the migration of the core business-critical workloads to cloud.

     Given the rapid changes in the current economic scenario and market structure in India, cloud computing assumes particular significance in multiple sectors, including technology, healthcare and financial services. With the launch of the Digital India programme by the government, cloud computing, along with other technologies like mobility, analytics and IoT, will be key to implementing the vision of transforming the country into a digitally empowered knowledge economy.

     However, before organisations can fully leverage the benefits of cloud technologies, they need to understand the impact of this shift on their business model. Moving the infrastructure to the cloud is not merely an IT change but also a total transformation that needs to be assessed across strategy, structure, people, process and technology. As cloud computing brings in business and financial benefits, it also needs to be addressed from the viewpoints of business strategy, finance, regulations, compliance, tax, enterprise architecture and, most importantly, culture.

     In order to understand the state of cloud adoption in the financial services and healthcare sectors, PwC and CII conducted a joint survey. This report identifies the adoption trends among Indian enterprises across the two sectors and highlights the factors that are driving cloud adoption and the key challenges or areas of concern. Finally, the report analyses the legal scenario with regard to data security and privacy globally vis-à-vis the Indian context, and defines a way forward for setting up a robust legal and regulatory structure in the country with regard to cloud adoption.

     Arnab Basu, Partner, Technology Consulting and Digital, PwC
     Dipankar Chakrabarti, Executive Director, Advisory, PwC

     [1] A clipped compound of 'development' and 'operations'
  6. 6. 3 Rise of the New IT Platform

     The past one-and-a-half years have seen tremendous advancement of technology, particularly in the digital space. This has been fuelled by the opportunities these technologies provide to change the traditional business and operating model through the development of more effective ways to engage with stakeholders, fine-tune operational effectiveness and strengthen risk management strategies. High on the agenda for any enterprise today is transforming the IT organisation to meet the needs of businesses today. In addition, with the advent of new age technology start-ups that are changing the market dynamics, the message to incumbents is loud and clear: disrupt or get disrupted!

     The convergence of digital technologies is leading to the rise of what we call the New IT Platform [2], where the IT organisation within an enterprise is being transformed to meet the growing needs of the business and its stakeholders, including customers, employees, partners and suppliers. In this model, the IT organisation is no longer a centralised authority; rather, it is an orchestrator of business services. Further, the chief information officer (CIO) serves as a catalyst for digital conversations throughout the enterprise, and is responsible for creating a tightly integrated and secure environment that enables anyone to plug into the enterprise anytime and across any device.

     'Organisations that have been able to think differently about the role of IT and the use of technology to enable business are achieving higher performance compared to those organisations that are maintaining the IT status quo.' - Mike Pearl, PwC's Technology Consulting and Global Cloud Computing Leader

     [Figure: New IT Platform approach. Labels: professional and managed services; build cloud services; consume cloud services; CIO/broker; traditional IT, private cloud, virtual private cloud, public cloud; optimised workload placement, secure, tightly integrated and rapid delivery; applications, information, business processes.]

     [2] PwC. (2015, May). Reinventing information technology in the digital enterprise - PwC's new IT platform: Achieve high velocity IT in a digital world. Retrieved from
  7. 7. These developments are leading to a new trend: IT spend and IT resources are rapidly shifting outside the traditional IT organisation. According to our 6th Global Digital IQ Survey, 47% of the total enterprise IT spend is outside the CIO budget. Also, an International Data Corporation (IDC) study [3] shows that 8% of department personnel are now dedicated to IT. Needless to say, this is a clear deviation from what we have traditionally experienced.

     Implications for the IT organisation
       • The IT governance model must reflect this shift in technology decision rights.
       • Technology sourcing must mature to avoid duplication of costs and suboptimal vendor agreements.
       • Enterprise architecture and integration must become critical IT competencies to avoid silos.
       • IT must provide the foundation for enterprise data, master data, analytics and security.
       • IT must provide the foundation for enterprise

     PwC expects this trend to continue in the future as well, irrespective of industry, and we expect that business units will get more involved in technology decisions [4].

     [Figure: Total enterprise IT spend outside CIO budget: 47%. Average departmental technical make-up: 8%. Source: PwC's 6th Annual Digital IQ Survey]

     [Figure: IT spending outside the CIO's budget, by industry (energy and mining; automotive; healthcare; entertainment, media and communications; business and professional services; retail and consumer; industrial products; hospitality and leisure; power and utilities; technology; financial services); 47% overall. Source: PwC's 6th Annual Digital IQ Survey]

     [3] Whalen, M., Anderson, C., & Smith, K. (2013). The six implications of the 3rd platform on IT staffing. Retrieved from
     [4] PwC. (2015). PwC's 6th Annual Digital IQ Survey. Retrieved from
  8. 8. 4 Word of caution

     As technology reshapes all industries, enterprises will continue to make sizeable investments. In order to understand whether increased technology spending leads to improved financial performance, we recently analysed 250 global companies [5]. Our results clearly show no direct correlation between technology investments and profitable growth; that is, spending more on technology does not necessarily lead to better financial performance. This by itself is not a revelation, but our research further shows a strong correlation between technology and profitable growth if the investments are focussed on targeted capabilities, and augmented with the right operating model and implementation skills.

     We believe successful IT organisations of the future will be those that evaluate new technologies with a discerning eye and cherry-pick those that will help solve their most important business problems. Those who merely jump on the technology bandwagon will quickly become mired in expensive gadgetry that only creates more complexity.

     Four key steps for maximising value from IT investments are as follows:
       1. Alignment between IT spending and business capabilities
       2. The technological capacity to execute IT initiatives
       3. The ability to assess the potential value from a particular IT initiative relative to its risk
       4. An optimal IT operating model to sustain results from the new technology

     [5] Strategy&. (2015, November). Maximizing the value from technology investments: Spending smart instead of just spending big. Retrieved from
  9. 9. 5 Cloud computing: Laying the foundation for a global digital ecosystem for a new form of business

     Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources such as networks, servers, storage, applications and services that can be rapidly provisioned and released with minimal management effort or service provider interaction. Source: National Institute of Standards and Technology (NIST)

     [Figure: Which technologies are you planning to invest in? Stacked bars showing the share of respondents who will invest less, will invest the same amount or will invest more, for: mobile technologies for customers; public cloud infrastructure; public cloud applications; private cloud; gamification; social media for external communication; data security; digital delivery of products/services; data mining and analysis; mobile technologies for employees; data visualisation; simulation, scenario modelling tools; social media for internal communication; sensors, sensing technologies; virtual meeting and collaboration; open source applications; open source infrastructure; other. Source: PwC's 6th Annual Digital IQ Survey]
  10. 10. The advent of high-speed network connectivity and the ability to deliver traditionally complex services on demand are contributing to increased cloud adoption. Businesses are moving to the cloud at a rapid pace in order to differentiate and compete. This rapid pace of cloud adoption presents both opportunities and challenges across the enterprise. These can be classified across three areas of technology, operations and services.

     Key area: Technology
       Opportunity: Companies can drive business growth through transforming their IT department/organisations into a strategic driver of business services.
       Challenge: As companies shift from legacy systems to the New IT Platform, executives need to adapt to this change to stay relevant. They need to manage hybrid architecture and adopt a services culture. They may run into key skills shortages for cloud management capabilities.

     Key area: Operations
       Opportunity: Companies can scale the business, decrease time to market and enhance collaboration with the cloud.
       Challenge: Integration and migration of legacy systems with cloud-based solutions, together with the orchestration and governance of the entire landscape, can be daunting. Governance, risk management and compliance of data managed by cloud providers are also important.

     Key area: Services
       Opportunity: Companies can innovate and create new products and services to better engage their customers and communities, and generate new sources of revenue.
       Challenge: Companies must adapt their business models, change their go-to-market strategies and shift to a services-based culture to leverage the true power of the cloud.

     Cloud market statistics update

     Cloud computing continues to be among the top investment priorities for organisations and is becoming increasingly integral to an enterprise's overall IT landscape. According to a Forbes study [6] conducted last year, globally, around 42% of IT decisions concern a planned increase in spending on cloud computing. Though private clouds continue to dominate in terms of overall installed workloads, public clouds are growing at a much faster rate. In addition, 74% of enterprises have a hybrid cloud strategy and more than half of them are already using both public and private clouds [7].

     [6] Forbes. (2015). Roundup of cloud computing forecasts and market estimates, 2015. Retrieved from update-2015/#16a5a0416c7a
     [7] RightScale. (2014). Cloud computing trends: 2014 State of the Cloud Survey. Retrieved from
  11. 11. With regard to the growth rate of cloud service models, at the aggregate level, though infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) initially accounted for the largest workload share, software-as-a-service (SaaS) workloads are growing at a much faster pace. By 2019, 59% and 11% of the total cloud workloads will be SaaS and PaaS workloads, up from 45% and 13% respectively in 2014 [8].

     Public cloud workloads are going to grow at 33% CAGR from 2013 to 2018. Private clouds will grow at a slower rate of 21%. Source: Cisco Global Cloud Index, 2013-18

     [Figure: Growth in public vs. private cloud workloads, 2013 to 2018, in installed workloads in millions. Series: public cloud data center (33% CAGR); private cloud data center (21% CAGR). Source: Cisco Global Cloud Index, 2013-2018]

     [Figure: Growth in cloud workloads by service model, 2013 to 2018, in installed workloads in millions. Series: SaaS (33% CAGR); IaaS (13% CAGR); PaaS (21% CAGR).]

     [8] Cisco. (2015). Cisco Global Cloud Index: Forecast and methodology, 2014–2019. Retrieved from
  12. 12. Currently, cloud adoption in India is in a growth phase. The various initiatives launched by the government under the National e-Governance Plan (NeGP), such as the State Wide Area Network (SWAN), State Data Centres (SDC), State Service Delivery Gateway (SSDG) and e-Portal, have led to the buildout of ICT infrastructure both at the Centre and state level. In addition, other initiatives like the National Fibre Optics Network (NOFN) and launch of the National Cloud under the umbrella of the MeghRaj [9] initiative show the Indian government's commitment to promote cloud computing in both the public and private sector.

     Gartner's estimates are indicative of the potential of the cloud computing market in India. It predicts that the total market for public cloud services in India is expected to reach 1.7 billion USD in 2018 [10]. Though SaaS will dominate public IT cloud services spending, followed by IaaS, PaaS will experience fast growth, primarily due to cloud adoption by the developer community and big data driven solutions [11]. Other estimates are equally upbeat [12]: according to IDC, 3.5 billion USD will be spent on cloud services in India by 2016, a growth of over 400% from 2012. In addition, Forrester expects the SaaS market in particular to roughly double in value between 2014 and 2020, when it will be worth 1.2 billion USD [13].

     With the aim of transforming the entire ecosystem of public services through the use of information technology, the Government of India recently launched the Digital India programme. The vision is to make India a digitally empowered society and knowledge economy. PwC believes cloud computing will be at the core of the Digital India programme and will provide a definite push towards cloud adoption in the country.

     State of cloud adoption in the financial services and healthcare industry: PwC-CII joint survey

     In order to understand the state of cloud adoption in the financial services and healthcare industry, PwC and CII conducted a joint survey. This section highlights the survey findings. The fact that the cloud is increasingly being recognised as the platform of the future is clear, as almost a quarter of the organisations surveyed suggested that more than 15% of their IT budget (21% for financial services and 23% for healthcare) was devoted towards cloud computing.

     [9] In order to enable governments (both at the Centre and states) to leverage cloud computing for the effective delivery of e-services, the Government of India embarked upon an ambitious and important initiative, GI Cloud, which has been named MeghRaj. Under this initiative, the Department of Electronics and Information Technology (DeitY) announced two cloud policy reports, which have been approved by the Minister of Communications and IT: the 'GI cloud strategic direction paper' and 'GI cloud adoption and implementation roadmap'.
     [10] Gartner. (2014). Forecast analysis: Public cloud services, worldwide, 2012-2018, 1Q14 update and forecast: Public cloud services, worldwide, 2012-2018, 1Q14 update. Retrieved from
     [11] Gens, F. (2014). Worldwide and regional public cloud IT services 2014-2018 forecast. Retrieved from
     [12] US Department of Commerce and Industry & Analysis (I&A). (2015). 2015 top markets report - cloud computing. Retrieved from
     [13] International Trade Administration. (2015). 2015 top markets report - cloud computing. Retrieved from
  13. 13. In terms of cloud adoption, more than half of the financial services organisations (57%) surveyed and almost two-thirds of the healthcare organisations (64%) surveyed stated that they have implemented cloud-based services. However, despite the positive outlook, concerns remain. Data security and trust, followed by legal and regulatory compliances, are the key issues. In addition, 50% and 36% of respondents from the financial services and healthcare industry respectively stated that lack of knowledge is one of their barriers to cloud adoption. Thus, there is further scope for this technology if the knowledge gaps are addressed suitably.

     Q. What percentage of your organisation's IT budget is devoted towards the cloud? (Source: PwC-CII joint survey, 2016)
       • Less than 2%: financial services 36%, healthcare 27%
       • Between 2% and 5%: financial services 29%, healthcare 27%
       • Between 5% and 10%: financial services 14%, healthcare 9%
       • Between 10% and 15%: financial services 0, healthcare 14%
       • More than 15%: financial services 21%, healthcare 23%

     [Figure: Q. At what stage is your organisation vis-à-vis cloud adoption? Two charts, one for financial services and one for healthcare, with the categories: we are at the discussion stage or currently evaluating the option of the cloud; we are in the process of implementing the cloud; we have implemented the cloud and are currently using the same; not applicable (healthcare only). Source: PwC-CII joint survey, 2016]
  14. 14. Private cloud and SaaS are the most widely adopted deployment and service models in organisations in the financial services and healthcare industry. The cloud brings pricing flexibility. This, along with cost savings, infrastructure and application scalability, and speedier deployment of infrastructure and application, is the key driver for cloud adoption.

     Q. What do you think are the major barriers to adopting the cloud? (Source: PwC-CII joint survey, 2016)
       • Lack of knowledge: financial services 50%, healthcare 36%
       • Indecision about which apps to move into the cloud: financial services 29%, healthcare 18%
       • Lack of clarity on costing models: financial services 36%, healthcare 36%
       • Data security and trust: financial services 50%, healthcare 59%
       • Legal and regulatory compliance: financial services 29%, healthcare 45%

     Q. Which cloud deployment model(s) has your organisation adopted? (Source: PwC-CII joint survey, 2016)
       • Public cloud: financial services 14%, healthcare 36%
       • Private cloud: financial services 57%, healthcare 50%
       • Hybrid cloud: financial services 36%, healthcare 27%

     Q. Which cloud service model(s) has your organisation adopted? (Source: PwC-CII joint survey, 2016)
       • IaaS: financial services 7%, healthcare 36%
       • PaaS: financial services 21%, healthcare 14%
       • SaaS: financial services 50%, healthcare 64%
  15. 15. While performance of the cloud platform or solutions and overall security are the key considerations for choosing the preferred cloud service provider, data ownership, backup, recoverability and service availability are the major considerations while negotiating a service-level agreement (SLA).

     Q. What are your organisation's key drivers for cloud adoption? Respondents who rated within the top 3 (Source: PwC-CII joint survey, 2016)
       • Ability for IT department to focus on innovation and core business issues rather than operational aspects: financial services 14%, healthcare 18%
       • Increased IT efficiency and utilisation: financial services 36%, healthcare 23%
       • Improved business agility: financial services 21%, healthcare 32%
       • Robust disaster recovery mechanisms: financial services 21%, healthcare 23%
       • Speedier deployment of infrastructure and application: financial services 57%, healthcare 59%
       • Infrastructure and application scalability: financial services 57%, healthcare 68%
       • Cost savings and pricing flexibility: financial services 64%, healthcare 73%

     Q. What parameters does your organisation consider when evaluating cloud solutions? Respondents who rated within the top 3 (Source: PwC-CII joint survey, 2016)
       • Adherence to standards and compliances: financial services 43%, healthcare 45%
       • Quality of service: financial services 57%, healthcare 50%
       • Application portability: financial services 71%, healthcare 32%
       • Enterprise grade security: financial services 64%, healthcare 82%
       • Performance: financial services 79%, healthcare 91%
  16. 16. Q. Which of the following do you consider when negotiating an SLA with a cloud service provider? Respondents who rated within the top 3 (Source: PwC-CII joint survey, 2016)
       • Multi-tenancy disclosure: financial services 7%, healthcare 23%
       • Data location: financial services 29%, healthcare 23%
       • Retention or destruction of records: financial services 43%, healthcare 23%
       • Legal hold or e-discovery: financial services 21%, healthcare 23%
       • Availability of service: financial services 64%, healthcare 73%
       • Backup and recovery: financial services 79%, healthcare 73%
       • Ownership of data and associated metadata: financial services 57%, healthcare 64%
  17. 17. 6 Privacy and data security concerns

     Data privacy and security have been key concerns and a regular topic of discussion when it comes to the cloud. However, in order to closely analyse this issue, we need to classify it into two major areas:
       1. Technical issues related to security of data in a cloud environment
       2. Regulatory, compliance and legal issues to consider when moving to the cloud

     Technical issues related to security

     Historically, technical aspects of security have inhibited cloud adoption, the primary concerns being the security of virtual machines, trust in the cloud service provider, commingling of data with that of another customer/tenant, intrusion detection and prevention in the cloud, etc. However, with cloud as a technology becoming more stable and with increased maturity, cloud service providers have begun to provide more insights into their security controls, governance and regulatory compliance processes. This is increasing the confidence of businesses in cloud technology. The results are evident: according to a Forrester study on cloud security, from 2011-2013, there was a 24 percentage point decrease in the number of respondents who found security and privacy to be concerns in a virtualised or cloud environment [14].

     With the overcoming of the technical hurdles of security, cloud computing is fast moving from a stage of evaluation to value creation and realisation.

     [Figure: Security and privacy concerns in virtualisation or cloud environments. 2011: 67%; 2012: 59%; 2013: 43%. Source: Forrester report on cloud security as prepared for PwC, August 2014]

     [14] PwC presentation at Wales & West CIO Forum, 2015
  18. 18. Not inherently insecure

     The point we want to highlight here is that, technically, there are no reasons that should restrict the migration of private data to the cloud. Risks have to be managed, as in the case of any on-premise or in-house system. A report published by the Information Security Forum (ISF) [15] highlighted five major findings with regard to data privacy and the cloud. These are discussed below.

       • Cloud-based systems are here, and organisations are using them: Organisations cannot avoid the cloud. According to the ISF survey report, 90% of organisations achieve projected savings and 80% increase their competitive advantage with the cloud. Information subject to privacy regulations (known as personally identifiable information [PII]) will inevitably move to the cloud.
       • The risk of putting private data on the cloud is not always considered or addressed: Cloud-based systems are seen to be complicated; the same is true for privacy regulations. This combination of complexity creates barriers to managing the risk of private data on the cloud, thereby increasing organisational risk.
       • The cloud can be suitable for PII: There are no inherent reasons for not moving private data to the cloud; the risks have to be managed as in any other case. The process will be made easy if organisations first cut through the perceived complexity, take advantage of existing information risk management approaches and enhance them where necessary to manage risks.
       • Cloud complexity can be simplified: Cloud-based systems are not as complicated as many people consider them to be, and understanding the basics makes complying with privacy requirements easier. The various cloud deployment and service models provide different levels of control to the purchasing organisation, accordingly creating a different degree of inherent risk.
       • Privacy obligations are the same for both cloud and non-cloud based systems: Privacy obligations do not change when information moves into the cloud. This means that most organisations' efforts to manage privacy and information risks can be applied to cloud-based systems with only minor modifications, once cloud complexity is understood. This can provide a low-cost starting point to manage cloud and privacy risks.

     Going by the above findings, what enterprises need to do is identify the common areas in security that need to be addressed from a technology perspective, develop use cases specifically for cloud security based on their individual requirements, create a comprehensive information security strategy to address security concerns with respect to the cloud, and embed the same throughout the enterprise's cloud life cycle.

     Several components need to be addressed to provide comprehensive cloud security. In addition, the cloud security strategy must be aligned with an enterprise's overall IT security policies and guidelines. We have identified six technical domains that need to be considered while formulating a cloud security strategy: data, governance, user and identity management, infrastructure, platform and software, and integration.

     [15] Information Security Forum (2013, February). Data privacy in the cloud. Retrieved from
  19. 19. [Figure: Cloud security strategy, with six domains: data; integration; governance; users and identity; infrastructure; platform and software. Items shown in the figure, in the order extracted: data loss prevention; secure storage, secure disposal; audit and forensics; roles and authorisation levels and authentication; evaluation/monitoring of usage patterns; programme awareness and education; entitlement stores and role-based access control; security functionality; network configuration; cloud hardening; vulnerability management; infrastructure operations; data classification; data backup, retention; data ownership, segregation; risk assessments; encryption/tokenisation; interoperability; lock-in/portability; security analytics; administration console; public/private/hybrid models; secure connection to other systems and data; event management; threat and vulnerability identification in software development life cycle (SDLC), deployment, upgrade of the application; access control; monitoring/management; application vulnerability management and remediation; define processes and policies (ownership, connectivity, privacy, audit/wipe); legal (NDA, SLA, licensing); audit and compliance; identifying preferred suppliers/service level for business; business continuity; training and awareness; clear security control framework.]

     Common cloud security use cases

     Based on the above recommended cloud security domains, PwC has developed some common cloud security use cases that can act as guidance for identifying the key requirements of an enterprise when adopting cloud computing. Each of these use cases has been supplemented with key security and privacy issues that an enterprise must address and the associated recommendations to address the same from a technology point of view.

     Use case 1: SaaS migration
       Common issues faced by enterprises: How do I assess and address the risk of SaaS adoption before and after migration?
       Recommended approach:
         • Perform vendor risk assessment, including SaaS architecture and security, to develop a repeatable assessment framework
         • Educate/work with procurement on contract terms
         • Develop a SaaS/cloud security services layer for SaaS (security information and event management [SIEM], identity access management [IAM], data loss prevention [DLP], encryption, etc.); consider security as a service
  20. 20. Use case 2: Internal private/hybrid cloud infrastructure buildout
Common issue faced by enterprises: How do I build and operate a private/hybrid infrastructure service securely?
Recommended approach:
• Assess private cloud security architecture using an environment and solution-specific framework (e.g. modified Cloud Security Alliance [CSA] [16], International Organization for Standardization [ISO] [17], National Institute of Standards and Technology [NIST] [18], adapted to your architecture, implementation and operations)
• Develop cloud security architecture to address gaps; on-premise security may suffice (but look at security as a service if also using public IaaS)

Use case 3: Sensitive data security and compliance across SaaS environments
Common issue faced by enterprises: How do I detect and protect/respond to what is already on the cloud?
Recommended approach:
• Perform SaaS inventory and data discovery risk assessment
• Develop SaaS environment risk assessment capability using customised data protection policies and purpose-built tools
• Design and implement training, awareness, and response processes

Use case 4: Identity and access management for the cloud
Common issue faced by enterprises: We need cost-effective and easy-to-deploy IAM for portals, mobile, and SaaS/cloud environments. What should we do?
Recommended approach:
• Develop the IAM strategy refresh while looking at where/how best to adopt identity-as-a-service (IDaaS) to drive business and IT value
• Develop/revise an IAM roadmap and select an IDaaS vendor
• Execute the roadmap

[16] CSA is the world's leading organisation dedicated to defining and raising awareness of best practices in order to help ensure a secure cloud-computing environment. It has developed the Cloud Controls Matrix (CCM), a controls framework that gives a detailed understanding of security concepts and principles that are aligned to CSA guidance. It also operates the most popular cloud security provider certification programme, the CSA Security, Trust & Assurance Registry (STAR), a three-tiered provider assurance programme of self-assessment, third-party audit and continuous monitoring.
[17] ISO is responsible for ISO 9000, ISO 14000, ISO 27000, ISO 22000 and other international management standards.
[18] NIST is the federal technology agency that works with industry to develop and apply technology, measurements and standards.
  21. 21. [19] This can include the cloud tenant or the consumer, cloud service provider, cloud broker and other members in the cloud service providers' supply chain.
[20] Hogan Lovells. (2010). Cloud computing: A primer on legal issues, including privacy and data security concerns. Retrieved from

Use case 5: Shadow IT and cloud governance
Common issue faced by enterprises: We cannot protect what we do not know. How do we detect and govern shadow IT use of the cloud?
Recommended approach:
• Develop policies to address/guide non-IT managed tech securely
• Develop cloud inventory and risk assessment capability (see SaaS data security)
• Develop data detection and/or encryption capabilities for cloud environments

Use case 6: Data centre migration to IaaS
Common issue faced by enterprises: How should risk and security play into migration decision-making, architecture, and operations?
Recommended approach:
• Develop a migration risk and operational assessment framework
• Assess the IaaS vendor for native risk/security capabilities with specific end-state architecture in mind; design controls to address gaps
• Implement cost and risk-appropriate controls in a phased/strategic manner

Regulatory, compliance and legal issues to consider when moving to the cloud

The regulatory, compliance and legal issues related to cloud privacy are another major challenge for businesses planning to move their workloads to cloud environments. Moreover, the changing nature of the legal and regulatory landscape around cloud computing creates a practical challenge in understanding how a law applies to the different parties [19] under various scenarios. Regardless of the cloud service or the deployment being used, an enterprise will also need to consider the issues surrounding the data collected, stored and processed in the cloud. Some of these concerns are related to a specific industry and some to where the data is stored or transferred, or both.

Cloud computing that employs a hybrid, community or public cloud model 'creates new dynamics in the relationship between an organization and its information, involving the presence of a third party: the cloud provider. This creates new challenges in understanding how laws apply to a wide variety of information management scenarios.'
Source: Security guidance for critical areas of focus in cloud computing, published by the CSA

The key challenges enterprises face with regard to the various regulatory, compliance and legal issues [20] in cloud computing services are outlined below:
  22. 22. • Compelled disclosure to the government
• Data security and disclosure of breaches
• Transfer of, access to, and retention of data
• Location of data

The table below summarises the above concerns and identifies the applicable or related laws, regulations and standards in the US, UK and India.

Concern [21] 1: Compelled disclosure to the government
Description:
• Information stored on the cloud is subject to different protections (primarily jurisdictional) than information stored in-house
Related laws, regulations and standards [22]:
In the US
• Electronic Communications Privacy Act (ECPA), (1986) [23]
• Stored Communications Act (SCA), 1986 [24]
• USA Patriot Act, 2001 [25]
• Federal Trade Commission (FTC) Fair Information Practice, 1973
In the UK
• Regulation of Investigatory Powers Act (RIPA), 2000
In India
• Right to information (RTI) Act, 2005
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

[21] Ibid
[22] Mohammed, A. T., AlSudiari, T., & Vasista, T. G. K. (2012, March). Cloud computing and privacy regulations: An exploratory study on issues and implications, Advanced computing: An international journal (ACIJ), 3(2).
[23] ECPA was enacted by the United States Congress to extend government restrictions on wire taps from telephone calls to include transmissions of electronic data by computers. New provisions were added to prohibit access to stored electronic communications (i.e. the Stored Communications Act, 1986).
[24] SCA addresses voluntary and compelled disclosure of 'stored wire and electronic communications and transactional records' held by third-party Internet service providers.
[25] The US Patriot Act is an Act of Congress that was signed on 26 October 2001 and amended in 2005. It allows the Federal Bureau of Investigation (FBI) access to certain business records with a court order. The law limits the ability of cloud providers to reveal that they received an order; hence, cloud users may not even know about a disclosure.
  23. 23. Concern 2: Data security and disclosure of breaches
Description:
• How does a cloud provider protect a cloud consumer's data?
• When the law (primarily industry specific) imposes data security requirements on a cloud consumer, how can it ensure compliance when storing the information on the cloud?
• If the cloud's security is breached, must the cloud provider give notice of the breach?
Related laws, regulations and standards:
In the US
• Family Educational Rights and Privacy Act (FERPA) [26]
• Gramm-Leach-Bliley Act (GLBA) [27]
• Health Insurance Portability and Accountability Act (HIPAA) [28]
• Health Information Technology for Economic and Clinical Health (HITECH) Act [29]
• Sarbanes-Oxley Act (SOX), 2002 [30]
• State laws and regulations (for data breach notification)
• Section 5 of the FTC Act, 1914 [31]
In the UK
• Data Protection Act (DPA), 1998 [32]
• The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations (PECR), 2011
• Directive 95/46/EC (data protection directive) [33]
In India
• No specific laws but IT Act, 2005, and 2008 amendments (cyber law) can be helpful
• Recently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, provides regulation on collection, disclosure, transfer and storage of sensitive personal data, and widens the scope of the regulation in section 43A of the 2000 act.

[26] FERPA is a federal law that affords parents the right to have access to their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records.
[27] GLBA requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.
[28] HIPAA is a US legislation that provides data privacy and security provisions for safeguarding medical information.
[29] The HITECH Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, was signed into law on 17 February 2009 to promote the adoption and meaningful use of health information technology.
[30] The SOX Act of 2002 is a legislation passed by the US Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures.
[31] Section 5 prohibits entities from engaging in unfair or deceptive acts or practices in interstate commerce.
[32] DPA is an Act of the Parliament of the UK and Northern Ireland which defines the UK law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK.
[33] The Data Protection Directive (officially, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is a European Union (EU) directive adopted in 1995 which regulates the processing of personal data within the EU. It is an important component of the EU's privacy and human rights law.
  24. 24. Concern 3: Transfer of, access to, and retention of data
Description:
• Will companies and consumers have access to data on the cloud?
• Can the data (stored in the cloud) be destroyed by the cloud provider or should it be returned to the cloud consumer?
Related laws, regulations and standards:
In the US
• Freedom of Information Act (FOIA), 1967 [34]
• Payment Card Industry Data Security Standard (PCI DSS) [35]
• FTC Fair Information Practice, 1973
In the UK
• The 'Safe Harbour' agreement (for data transfer between the EU and US) [36]
In India
• No specific laws in India, but the RTI Act, 2005, can be helpful

Concern 4: Location of data
Description:
• The physical location of the (cloud) server storing the data may have legal (jurisdictional) implications.
Related laws, regulations and standards:
In the US
• National Association for Regulatory Administration (NARA) regulations (Title 36 of the code of federal regulations)
• PCI DSS
• Sarbanes–Oxley (SOX) Act, 2002
• FTC Fair Information Practice, 1973
In the UK
• Compliance with EU Data Protection Directive (EC/95/46) (the directive) is required
In India
• No specific laws in India but the IT Act, 2008, can be helpful

The above sections highlight the fact that businesses need to deliberate upon a number of considerations from a technical, regulatory compliance and legal perspective before migrating to the cloud. The task might seem daunting; however, following a structured approach with initial due diligence can help address the above issues.

We have identified two industries which have stringent data privacy and security requirements, healthcare and financial services, to drive the point that security and privacy should not be an issue hindering cloud adoption if an enterprise follows a structured approach with proper due diligence and adheres to industry best practices.

[34] FOIA is a law that gives you the right to access information from the federal government.
[35] PCI DSS is a widely accepted set of policies and procedures intended to optimise the security of credit, debit and cash card transactions, and protect cardholders against misuse of their personal information.
[36] EU privacy law forbids the movement of its citizens' data outside the EU, unless it is transferred to a location which is deemed to have 'adequate' privacy protections in line with those of the EU. The Safe Harbour agreement that was made between the EC and the US government essentially promised to protect EU citizens' data if transferred by American companies to the US.
  25. 25. 7 Addressing security, privacy and regulatory concerns in healthcare

Technology is disrupting the healthcare industry: never have patients been so involved in their healthcare. According to our Customer Experience in Healthcare survey, 55% of patients trust the Internet more than a doctor, 75% want to move from informed consent to shared decision-making and 74% of the consumers are open to virtual doctor visits. We believe technological advances will continue in the future, and the healthcare industry will see adoption of more and more disruptive technologies. These advancements will be at the heart of revolutionising the healthcare industry that we know today. Technology will become a key driver of change and a solution for creating greater efficiency and value.

Technological advances are creating new care delivery models and the most interesting fact is that consumers are responding to the same. According to a report [37] published by PwC, about 49% of the patients said they expect mHealth to change how they manage their overall health and 59% said mHealth has changed how they seek information on health issues. Further, another 59% of the patients said mHealth services have replaced some visits to doctors or nurses. Technology is clearly empowering patients to take greater accountability for their care.

The revolution in the healthcare industry is giving rise to a new health economy. In this new economy, the traditional notion of 'how, where and by whom care is delivered' is changing. Consumers are ready to receive care in new ways and in new places. This is forcing organisations to re-examine their current business models to demonstrate value. According to PwC's 17th Annual Global CEO Survey, 94% of healthcare CEOs plan to alter their customer growth and retention strategies, and 84% plan to alter their channels to market. The top three global trends that healthcare CEOs believe will transform their business the most over the next five years include technical advances, demographic shifts and a shift in global economic power. The areas where the CEOs believe a change is already underway are the use and management of data and data analytics, technology investments, and R&D and innovation capacity.

Some characteristics of the healthcare revolution we are experiencing today:
• Emergence of new business models
• New entrants expanding and reshaping the health system
• Rebalance of the public and private sectors in the financing and delivery of care
• Greater focus on reward for outcomes instead of volume of activity
• Shift in trend from inpatient care to outpatient services
• Industrialising of the healthcare sector

[37] PwC. (2014). Emerging mHealth: Paths for growth. Retrieved from
  26. 26. The cloud is foundational to this healthcare transformation. Be it mHealth, virtual healthcare, telemedicine, leveraging big data analytics for bulk data management or trying to make sense of the online medical chatter, the cloud is the fundamental building block which provides secure, robust, scalable infrastructure or a platform with literally infinite computation and storage capacity. The global cloud computing market is thus poised to witness unprecedented interest from the healthcare services sector and will register a compound annual growth rate (CAGR) of 21.3% between 2012 and 2018. The global cloud computing market size for healthcare is estimated to be 6.79 billion USD by 2018 [38]. According to industry estimates [39], the total addressable opportunity for cloud solutions in the Indian healthcare industry (hospitals) could be around 600 million USD by 2020. Further, cloud solutions may account for close to 40% of the total annual healthcare IT spending in India.

With the potential cloud holds for the healthcare transformation, healthcare providers are taking measured steps toward the cloud. They remain circumspect about data privacy, security and service levels. This is primarily due to the numerous challenges being faced by the healthcare providers, primarily in terms of the need to comply with the HIPAA and HITECH Act for meaningful use of information, recovery audit tracker (RAC) audits, International Classification of Diseases (ICD)-10, and the mandate of providing improved care while protecting patient health information (PHI).

The most common use cases of the cloud in healthcare include electronic medical records (EMRs), radiology information systems (RISs), picture archiving communication systems (PACs), backup and disaster recovery, virtual desktops, and consumer and patient portals that streamline communications with external and internal parties. In addition, the cloud is ideal for managing and maintaining integrated population health and clinical information by using care collaboration tools and deploying big data analytics solutions: data analysis, data warehousing and health information exchanges (HIEs).

Contrary to popular belief, the cloud provides a more robust and secure environment and ensures easier compliance with the HIPAA or HITECH Act. Our experience of working with multiple healthcare organisations has enabled us to come up with the following best practices that need to be followed for cloud planning and migration:

[Figure: Percentage of healthcare CEOs at each stage of change (planning: recognise need to change, developing strategy to change, concrete plans to implement change programmes; doing: change programme underway or complete) for three areas: use and management of data and data analytics, technology investments, and R&D and innovation capacity. Source: PwC’s 17th Annual Global CEO Survey]

[38] Transparency Market Research. (2015). Cloud computing market: Global industry analysis, size, share, trends and forecast 2012–2018. Retrieved from
[39] Zinnov Management Consulting. (2010). Indian healthcare poised to harness the cloud. Retrieved from
  27. 27. Category 1: Assessment
Recommended best practices:
• Assess the current IT infrastructure and applications landscape to identify applications/services that can be migrated to the cloud
• Determine the appropriate cloud deployment model: private, public or hybrid
• Determine the appropriate cloud service model: IaaS, SaaS, PaaS
• Understand the data security, privacy and risk implications of the above cloud models and their respective combinations
• Conduct cost-benefit analysis for the chosen model and build a business case

Category 2: Integration
Recommended best practices:
• Determine integration requirements
• Determine data flow model between applications
• Clearly outline security and compliance requirements for each application
• Develop a comprehensive security strategy for cloud

Category 3: Migration planning
Recommended best practices:
• Develop a migration plan
• Develop a pre- and post-migration checklist
• As part of the migration plan, also develop a checklist for vendor evaluation:
  ▪ Tier III data centre that is Service Organization Controls (SOC) II and III and Statement on Standards for Attestation Engagements (SSAE) 16-certified
  ▪ HIPAA and PCI compliant
  ▪ Determine SLAs that address the main components of availability: security, network, cloud platform and storage

Category 4: Vendor due diligence
Recommended best practices:
• Conduct rigorous vendor evaluation
• Choose a vendor that satisfies the following requirements:
  ▪ Is HIPAA compliant and ready to sign a HIPAA business associate agreement
  ▪ Supports SOC2, SSAE16 and HIPAA compliances
  ▪ Provides defined SLA with response times based on organisational risk classification (emergency, urgent, standard, and so on)
  ▪ Flexibility to provision additional cloud services as necessary
  ▪ Deliver 24X7X365 live healthcare-level support
  ▪ Focus on healthcare industry and list of existing clients

Category 5: Solid implementation process
Recommended best practices:
• Develop an implementation plan with a clear focus on the following:
  ▪ Clearly defined project management plan
  ▪ Performance monitoring
  ▪ Roll-back plan if critical applications/services need to be reverted temporarily to the old infrastructure
  ▪ Organisational change management and training
  ▪ Defined schedule of deliverables with roles and responsibilities
  ▪ Project progress and issue-tracking mechanism
  28. 28. 8 Addressing security, privacy and regulatory concerns in financial services

'We are a technology company…' – Lloyd Blankfein, Goldman Sachs

The financial services industry is at a crossroads. CEOs are generally optimistic about the economy and their own company prospects, but are concerned about the impact of factors beyond their control, such as regulatory change and geopolitical instability, along with industry disruption from new entrants. The uncertainty and change that lie ahead are reflected in the fact that 61% of industry leaders believe there are more opportunities for growth than there were three years ago [40]. However, almost as many (58%) believe there are more threats.

Technological advancements in this sector are reshaping the relationship between customers and companies by lowering the barriers to entry that had existed traditionally. Global megatrends identified by PwC (demographic and social change [41], rapid urbanisation [42] and shift in global economic powers [43]) are enabling the proliferation of new business model adoption. In addition, customer behaviours and expectations are changing, driven by experiences outside the financial services industry. This intersection of the financial services and technology sectors has led to the emergence of a new breed of companies, which are termed as fintech. The key driver for fintech is the convergence of retail financial services with social media, mobile, analytics and cloud technology. This is making the business leaders of the incumbent financial services organisations question the very business they are in as they are forced to reassess how their organisation's differentiating capabilities can be better used to negate the threat of fintechs and solve customer problems.

Key fintech highlights:
• Global financial services revenue potentially impacted by Fintech companies: ~4.7 USD trillion
• Year-on-year funding growth to fintech companies from private equity and venture capital firms from 2010 to 2014: ~45.8%
• Number of fintech companies on AngelList as of May 2015: ~4,000
Source: The future of finance, volumes 2 and 3, Goldman Sachs, March 2015, and FinTech Week London, 2015

Why you should consider the cloud in the financial services industry:
• Accelerate time to market
• Innovate with the business
• Respond rapidly to changes in demand
• Optimise cost and usage of assets

[40] PwC. (2015). 18th Annual Global CEO Survey. Retrieved from
[41] By 2020, millennials will form 50% of the global workforce and by 2020, 78 million baby boomers born between 1946 to 1964 will hit retirement age. Source: PwC. (2014). Anticipating problems, finding solutions. Global Annual Review. Retrieved from
[42] Currently, 50% (and growing) of the world's population lives in urban areas. Source: PwC. (2012). Insurance 2020: Competing for the future. Retrieved from
[43] The global middle class is projected to grow by 180% over the next 25 years. Source: PwC. (2010). Asset management 2020: A brave new world. Retrieved from 2020-a-brave-new-world-final.pdf
  29. 29. Cloud-based solutions can create remarkable opportunities across the enterprise as they present strategic ways to strike a balance between enabling business growth and innovation and lowering costs while continuing to provide operating efficiencies. CIOs are now looking at cloud solutions to transform a traditional IT department into a business growth engine, revamp operations to achieve scale and enhance speed and collaboration, and spark innovation around new products and services to generate new sources of revenue.

Through our interaction with leading financial services companies globally, we continue to see key financial services firms push to gain time to market and cost optimisation benefits from the cloud. However, data security and privacy concerns, regulations, legacy infrastructure and migration costs seem to counteract the business case and are a major reason for preventing a faster adoption rate.

Data security concerns continue to remain the foremost concern among cloud users in the financial services industry, and regulatory restrictions are a major obstacle to the adoption of cloud computing within financial services. Around 60% of financial institutions rank data confidentiality as their biggest security concern, followed by loss of control of data (57%) and data breach (55%). Another 71% of financial companies consider compliance as a reason to keep controls in-house and not migrate data to public cloud services [44].

[Figure: Cloud security concerns in the financial sector, each rated on a scale from 1 (low) to 5 (high): user activity monitoring/visibility, data breach, data loss, lack of auditing features, malicious insider, secure deletion, availability, integrity, data confidentiality, compliance and legal issues, isolation failures, provider lock-in, user account control, loss of control over data (governance). Source: Cloud Security Alliance, March 2015]

[44] CSA. (2015, March). How Cloud is Being Used in the Financial Sector: Survey Report. Retrieved from services/Cloud_Adoption_In_The_Financial_Services_Sector_Survey_March2015_FINAL.pdf
  30. 30. We have listed some of the major data regulations that can have a significant impact on financial services organisations seeking to remain compliant with domestic and international regulations. It is critical for financial services organisations to be aware of the various country-specific regulations prevalent in the industry and to have a clear idea of the implications of each and the steps required to ensure compliance.

The point we want to highlight is that the regulatory requirements for financial services institutions may vary because of the use of the cloud, but the belief that compliance with regulatory requirements requires the use of one specific type of technology is a misconception. This false assumption mainly stems from the complex nature of these regulations and lack of clarity surrounding them.

Country/region: Worldwide
Regulation: PCI DSS
Data type: Credit card
Guidelines to meet the regulatory requirements:
• Protect credit card details like card number, expiry date, service code and cardholder's name from logical or physical access
• Implement a role-based access control mechanism to provide separation of duties between administrators and users accessing credit card information
• Secure storage of encryption keys and implement a strong key management procedure (like dual control)
• Establish a logging mechanism for access and administration of encryption keys and sensitive data
• Document your process and protection measures

Country/region: The US
Regulation: GLBA
Data type: Corporate finance
Guidelines to meet the regulatory requirements:
• Ensure security and confidentiality of customer records and information
• Protect against any anticipated threats or hazards to the security or integrity of such records
• Protect against unauthorised access to or use of such records or information which could result in substantial harm or inconvenience to any customer

Country/region: Europe
Regulation: EU Data Protection Directive of 1995 (46/EC) and Internet Privacy Law of 2002 (58/EC)
Data type: Personal information
Guidelines to meet the regulatory requirements:
• Notice: That personal data is being collected
• Purpose: Data should only be used for stated purposes
• Consent: Data should not be disclosed without the subject's consent
• Security: Collected data should be kept secure from any potential abuses
• Disclosure: Subjects should be informed about who is collecting their data
• Access: Subjects should be allowed to access their data and to make corrections to any inaccurate data
• Accountability: Data subjects should have a method available to them to hold data collectors accountable for following the above principles
  31. 31. Based on our experience of helping major financial institutions achieve a transformation through technology, we have developed a set of best practices for the financial services sector to address the issue of data security, protection and regulatory compliances while adopting cloud computing.

Step 1: Assess
Before moving sensitive financial or customer-related information to the cloud, conduct a detailed assessment to identify the following:
• Stakeholders (internal and external) who should or should not have access to the data
• Develop a mechanism to define content that is sensitive or non-sensitive, proprietary or not, and is or can be subjected to regulations or not
• Identify where in the cloud the data will reside, and the respective regional or country-specific data protection, privacy, disclosure and other laws that might be applicable

Step 2: Design
Once the assessment is complete, develop practical system designs and identify effective tools to protect sensitive information in order to ensure the following:
• Unauthorised users are not able to access, leak or disclose protected and sensitive data
• Ability to apply the appropriate level of security to specific data types to the required level of granularity, including encryption, tokenisation, data loss prevention and malware protection
• Complete visibility and reporting over data that is entering and leaving the cloud environment. This is critical because effective monitoring and audit of activities in the cloud are a must to demonstrate compliance with regulations.

Step 3: Build
Build and implement appropriate solutions around your cloud environment to ensure the following:
• Data sanctity is maintained in terms of formats, fields and functions; meta data is maintained both for structured and unstructured data
• Searching, sorting, indexing and reporting of data while it is secured in the cloud
• A unified platform that supports any type of cloud application and integrates with the existing third-party enterprise tools used in the on-premise environment

Step 4: Review
Implement mechanisms and associated solutions to ensure ongoing monitoring of data and information flowing in and out of the cloud and provide detailed visibility, application awareness and understanding of the context of business information by ensuring the following:
• Granular reporting and visibility of cloud application usage, with a focus on user roles, content and accessibility to specific types of data
• Monitoring of data loss prevention policies, violations and actions taken to address any anomalies occurring in the system
• Integration between multiple cloud applications to ensure seamless data flow and provide consistent controls across the enterprise
  32. 32. 9 State of data protection and privacy laws in India

Like the global market, cloud computing is set to transform the business and operating model of Indian organisations and move them up the digital value chain. According to Gartner, cloud computing will constitute the bulk of IT spending by 2016 and in India alone, it is predicted that the cloud market will reach over 3 billion USD by this year, an almost fivefold increase from 2012. Though the cloud story will be led primarily by small and medium businesses (SMBs) and the growing start-up community in the country, we believe enterprises will also have a major role to play in this space. With major cloud service providers like Microsoft and Amazon setting up their data centres in India, the future for the cloud looks promising. The roll-out of the Digital India initiative by the Government of India will provide a major push for Indian organisations to switch to the cloud model.

However, the lack of specific legislations on privacy and data protection in India continues to remain a key concern for organisations in this space. Moreover, the global and distributed nature of the cloud makes it even more difficult to ensure that all laws and regulations applicable to a given case are complied with. A summary of data protection laws in India that may be relevant to the cloud has been provided below:

• Under the IT Act, 2000, a network service provider or an intermediary is liable for any known misuse of third-party information or data, or for not exercising due diligence to prevent the offence. The IT Act, 2000, covers offences and contraventions committed outside India as well, irrespective of the offender's nationality, as long as the computer system or network is located in India.
• In India, the IT Act, 2000, deals only remotely with the issue of privacy in cloud computing. Section 72 of the IT Act lays down the penalty for breach of confidentiality and privacy. This section is one of the few provisions which apply in the case of breach of privacy. The offence is punishable with imprisonment up to two years and a fine up to 1 lakh INR.
• Apart from section 72, we have section 80 of the IT Act, 2000, which deals with the search and seizure of computer data on connected systems if there is reasonable justification to do so.

Recent developments

In 2011, the Indian government introduced the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which provide a list of items which will be treated as 'sensitive personal data' and include various provisions which govern the collection of such information by a body corporate. Further, the rules impose a mandate upon the entities to implement a privacy policy for dealing with the relevant issues. According to these rules, a body corporate shall seek the consent of the concerned provider before disclosing the sensitive data to a third party, unless such disclosure was agreed upon by the parties through any contract. However, the rules also state that such information can be shared without any prior consent with government agencies mandated under law, or with any other third party by an order under the law, who shall be under a duty not to disclose it further.

In addition, there is the Privacy (Protection) Bill, 2013, which is still in the draft stage (the third draft has been updated) and has not yet been passed as a rule or law. However, this new bill remains silent on the issue of location of data and focusses primarily on the protection of personal data.
  33. 33.
  • Recently, the concept of due diligence requirements has been prescribed by the Information Technology (Intermediaries Guidelines) Rules, 2011. The cyber law due diligence requirements oblige all companies and intermediaries to ensure that privacy is maintained and respected in the cloud. Intermediaries need to take proper measures to maintain and safeguard all information that is stored in the cloud from unauthorised access. In particular, they need to put more emphasis on cloud services dealing with monetary transactions. Further, if cloud service providers fail to provide or observe due diligence, then they will be subject to legal action.
  • Similarly, under section 69 of the IT Act, 2000, the government has the authority to monitor as well as decrypt any information shared through a computer resource in the cloud.
  34. 34. 10 Conclusion

Clearly, data privacy and protection laws in India with regard to the cloud are still at a nascent stage and there has not been much progress in comparison with other developed nations. Many countries have managed to ensure that the data in the cloud is protected by implementing certain geographical restrictions which disallow cross-border data interchange [45]. Such measures have put a check on the data being saved in the cloud from unwarranted access and usage. Given the existing regulations around the world to protect privacy, we feel there is a serious lack of regulations and legislations around data privacy and protection in the cloud in India. Though the Government Cloud Policy [46], published by the Government of India in 2013, highlights security and privacy as a potential area of risk for cloud adoption and acknowledges the need for standardised policies and guidelines for data security and privacy in the cloud for the country, none have been published till date.

In the US, the Patriot Act gives the government broad latitude to intercept suspicious electronic data that comes through the country. In the EU, the data protection directive imposes stringent standards on the collection of electronic data by the government and by any other entity. In the UK, the Information Commissioner's Office (ICO) has published clear guidance which outlines the responsibilities of companies storing the data of their customers in the cloud. As part of this guidance, full responsibility for security of the data lies with the company that owns the data, rather than the company taking care of it. Hence, if an organisation with customer data (stored and processed in the cloud) suffers a data breach, it will not be able to blame the third party (i.e. the cloud service provider).

PwC recommends a four-pronged approach for defining policy guidance around data protection and privacy for cloud and cyber security in India.

Steps and recommendations

1 Identify
  • Identify the data protection and privacy laws relevant to cloud computing and cyber security being enforced globally
  • Determine gaps in the current state of laws and regulations related to data protection and privacy in India
  • Define areas that need to be addressed and draft high-level policy principles

2 Formulate
  • Elaborate on the policy principles to draft detailed policies
  • May require formulating new policies and/or making amendments to existing policies and acts

3 Enforce
  • Develop a framework for policy enforcement

4 Review
  • Develop a review mechanism
  • Conduct regular reviews of the relevance of the enforced laws and regulations
  • Make amendments as required

[45] Sen, K. (2013). India: Privacy issues in cloud computing with reference to India. Retrieved from +To+India
[46] DeitY, Government of India. (2013, May). Government of India's GI cloud (MeghRaj) strategic direction paper. Retrieved from
  35. 35. It must be noted that the last step of the above approach, i.e. review, is a critical step because, given the rapid pace of advancements in the space of cloud computing, a law or regulation that is relevant today may not be relevant in a few years. In addition, participation from the industry is recommended while drafting the policies.
  36. 36. 11 Appendix

Case study #1: Application migration to the Azure cloud
*The content of the case study has been provided by Narayana Hrudayalaya.

Company: Narayana Hrudayalaya, also known as Narayana Health (NH)
Project: Application migration to the Azure cloud

Challenges

NH has been expanding its national and international presence significantly through a combination of greenfield projects and acquisitions. It used to host its mission-critical applications - Health Information Management System (HINAI), enterprise resource planning (ERP), ICU monitoring and its related applications - out of a managed data centre service provider facility in India. The on-premise infrastructure and its related applications suffered from performance bottlenecks and service downtime along with governance, process, and compliance issues. All these factors caused multiple unscheduled outages, which resulted in poor end-user experience and negative customer feedback.

In 2013, PwC had conducted a data centre and application architecture assessment across its entire applications landscape across multiple service areas at NH. Several issues such as lack of high availability (HA), disaster recovery (DR) and workload characterisation were identified and the application performance issues were fixed. The intent for PwC was not only to address the current challenges faced at NH but also to lay down a roadmap for the technological transformation. As recommended, major and minor initiatives were undertaken over a 3-6-12 month period as part of the digital transformation. Some of the key initiatives included the following:
  • Migrating HINAI (along with other business applications) from its current virtualised environment to a true cloud infrastructure
  • Developing enterprise-wide policies and standards for operations in the cloud
  • Formulating and implementing IT service management processes for the cloud infrastructure environment
  • Adopting a continuous application delivery approach to operationalise high-frequency release cycles

Project description

Based on PwC's recommended roadmap, NH decided to embark on the cloud journey. PwC was engaged for programme management and was appointed as the implementation partner for the cloud migration. The approach taken by PwC was as follows:
  37. 37.
  • Assessing and benchmarking NH's application infrastructure performance and utilisation levels
  • Setting up a managed test area (MTA) for HINAI, Oracle eBS, iKare, TruMobi and SAP on both AWS and Azure platforms
  • Assisting the respective application teams for the creation and implementation of application-wise test plans, success criteria, and testing methodologies
  • Executing integrated infrastructure testing and generating relevant test reports for the MTA platforms. Based on the test results, the Azure cloud was selected by NH as the preferred cloud platform.
  • Defining the standards and best practices to be followed by NH, pre- and post-migration to the cloud covering regulatory requirements, locational feasibility, application latency, user experience, cost, ownership, vendor relationship management, service level agreements (SLAs), technical support, contract, billing, licensing, IP addressing, workload segregation, network connectivity, redundancy, security, baseline hardening, storage provisioning and configuration.
  • Defining architectural principles ranging from enterprise (self-service, metering and chargeback), operations (resiliency, modularity, elasticity, scalability, flexibility, performance assurance, automation, orchestration and workflow, failover/HA, agility and business continuity) and security (role-based access control, isolation, policy enforcements, audit, compliances, monitoring and reporting) requirements
  • Designing NH's target cloud deployment architecture and validating the same with the architects from Microsoft Azure and obtaining a sign-off on the design from the client
  • Building, constructing and configuring the designed target cloud environment in Azure and providing cloud infrastructure support to the respective applications team during the application/database setup and configuration
  • Preparing the application migration plan with defined move groups, migration wave timelines, pre- and post-cutover requirements and communications plan
  • Working closely with the applications team and providing the required cloud infrastructure support during production cutover
  • Defining, documenting and formalising the IT service management framework for the following key processes to be followed in the cloud environment: incident management, problem management, change management (aligning it with the existing process at NH), availability management and vendor relationship management
  • Defining, documenting and formalising the standard operating procedure (SOP) with detailed steps, process flow, and flowcharts for the following areas: managed network and firewall services, application user provisioning, desktop-laptop request, local administrator access, IT asset management, desktop-laptop-standard operating environment, IT peripherals request, SSL VPN access, cloud instance provisioning, cloud instance de-provisioning, infrastructure power checks and core infrastructure resource request
  • Providing day-to-day operations support and coordinating with multiple stakeholders within NH for programme management
  38. 38. In addition, PwC leveraged its internal IPs in terms of accelerators, frameworks and methodologies, such as the transform methodology, cloud reference architecture, cloud components map, application profiling framework and cloud migration programme tracker during the entire project for ensuring efficient delivery.

Impact/potential impact

All business and system applications at NH were migrated to the Azure cloud in a span of two months. The key impacts are outlined below:
  • At least 40% cost savings in IT infrastructure
  • Ninety per cent reduction in the infrastructure procurement cycle, from days to hours
  • Fifty per cent improvement in overall productivity and responsiveness
  • Reduction of proof of concept (PoC) execution time from months to 3-4 days, thus fostering innovation
  • Drastic improvement in satisfying 3,000+ HINAI end-users at NH

Moreover, cloud adoption has paved the way for NH to adopt digital technologies in the healthcare space and ensure that critical healthcare services are delivered to the common masses at an affordable cost.

Comments on scalability

HINAI being the core business application at NH, the scalability considerations were duly noted during the cloud architecture design to ensure that the application and underlying cloud infrastructure is able to sustain additional loads without affecting the performance.
Best practices

Here are the best practices which were followed in the execution of this project:
  • Workload characterisation: Conducting assessments and benchmarking the application infrastructure performance and utilisation levels during the initial phases of the project to determine the optimum workload requirements in the cloud
  • PoC: Conducting PoC tests across multiple public cloud platforms for selecting the cloud vendor
  • Cloud standards: Defining enterprise-wide standards to be followed at NH pre- and post-migration to the cloud

'The (PwC) team offered their extensive capabilities from a domain and technical standpoint in the form of methodologies, cloud accelerators, best practices, architecture standards and programme management. With the help of these accelerators, we were able to successfully benchmark the application performance across service providers, select a service provider based on our requirements and migrate our applications with little or no downtime. The team displayed excellent technical knowledge combined with domain expertise which, in turn, helped us achieve our strategic objective. Migration to the cloud should not be considered as a lift and shift programme but as a journey towards digital transformation, and by partnering with PwC we have taken the first steps towards the same.' — Kumar Krishnamurthy Venkateswaran, VP and CIO, Narayana Health (NH).
  39. 39.
  • Architectural principles: Defining architectural principles covering enterprise, operations and security requirements
  • Design and architecture: Investing considerable time on developing the optimum architecture design along with its associated components
  • SME validation: Conducting multiple rounds of validation of architecture design and its associated components by the respective SMEs before venturing into implementation and migration
  • Migration planning: Investing a significant amount of time in migration planning to develop a comprehensive migration tracker; identifying application dependencies to define application move groups with pre- and post-migration checklists and downtime requirements by benchmarking data transfer time
  • Security: Putting in place a comprehensive strategy to ensure the security of business critical workloads deployed on the cloud. Some of the controls implemented include conducting a detailed mapping of all ingress and egress ports for each application and configuring these in the security controls provided in the cloud, thereby ensuring that no unauthorised traffic goes into or out to the Internet; and enabling a firewall on all the systems as an added layer of security
  • Update IT service delivery and management processes: Existing IT service delivery and management processes were updated to incorporate the cloud and the same were documented and formalised
  • Communication: Strengthening communication with the stakeholders since it is the key to a successful migration exercise. Regular communications were sent to the relevant stakeholders during the entire exercise.
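One way to check that deployed cloud security rules still match the per-application ingress and egress port mapping described in the Security item above. This is an added example, not part of the report or of any NH or PwC tooling; the application names, ports, address ranges and rule structure are constructed for illustration, and real rules would be exported from the cloud provider's security controls.

```python
"""Audit deployed allow-rules against an approved per-application port map."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed port map: (application, direction) -> [(protocol, port, approved peer CIDR)].
APPROVED = {
    ("hims-web", "ingress"): [("tcp", 443, "0.0.0.0/0")],
    ("hims-web", "egress"): [("tcp", 1521, "10.20.0.0/24")],
    ("erp-db", "ingress"): [("tcp", 1521, "10.10.0.0/24")],
    ("erp-db", "egress"): [],  # the database tier may not initiate outbound traffic
}


@dataclass(frozen=True)
class Rule:
    name: str
    app: str
    direction: str   # "ingress" or "egress"
    protocol: str    # "tcp", "udp", or "*" for any protocol
    ports: tuple     # inclusive (low, high)
    peer: str        # source CIDR for ingress, destination CIDR for egress


@dataclass(frozen=True)
class Finding:
    rule: str
    reason: str
    internet_facing: bool


# Constructed sample of deployed allow-rules (hypothetical export format).
DEPLOYED = [
    Rule("web-https", "hims-web", "ingress", "tcp", (443, 443), "0.0.0.0/0"),
    Rule("web-to-db", "hims-web", "egress", "tcp", (1521, 1521), "10.20.0.0/24"),
    Rule("db-from-web", "erp-db", "ingress", "tcp", (1521, 1521), "10.10.0.0/24"),
    Rule("db-admin-rdp", "erp-db", "ingress", "tcp", (3389, 3389), "0.0.0.0/0"),
    Rule("web-range", "hims-web", "ingress", "tcp", (8000, 8100), "10.10.0.0/24"),
    Rule("db-any-out", "erp-db", "egress", "*", (0, 65535), "0.0.0.0/0"),
    Rule("db-wide-src", "erp-db", "ingress", "tcp", (1521, 1521), "10.0.0.0/8"),
]


def _within(peer, cidr):
    """True when the rule's peer range sits entirely inside the approved range."""
    net = ip_network(cidr)
    return peer.version == net.version and peer.subnet_of(net)


def audit(rules, approved):
    """Return a Finding for every allow-rule that permits more than the map approves."""
    findings = []
    for r in rules:
        peer = ip_network(r.peer)
        internet = peer.prefixlen == 0  # 0.0.0.0/0 or ::/0
        entries = approved.get((r.app, r.direction))
        if entries is None:
            reason = "application/direction missing from port map"
        elif r.protocol == "*":
            reason = "protocol wildcard; the map approves specific protocols only"
        else:
            low, high = r.ports
            span = range(low, high + 1)
            mapped = {port for proto, port, _ in entries if proto == r.protocol}
            allowed = {port for proto, port, cidr in entries
                       if proto == r.protocol and _within(peer, cidr)}
            unmapped = [p for p in span if p not in mapped]
            if unmapped:
                reason = f"{len(unmapped)} port(s) in {low}-{high} not in port map"
            elif any(p not in allowed for p in span):
                reason = f"peer {r.peer} is wider than the approved range"
            else:
                continue  # rule is fully covered by the map
        findings.append(Finding(r.name, reason, internet))
    return findings


if __name__ == "__main__":
    for f in audit(DEPLOYED, APPROVED):
        flag = "INTERNET" if f.internet_facing else "internal"
        print(f"[{flag}] {f.rule}: {f.reason}")
```

Running the audit on a schedule, and on every rule change, turns the one-time port mapping into a drift check; findings marked internet-facing are the ones that contradict the "no unauthorised traffic into or out to the Internet" goal directly.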
Lessons learned

The key lessons learned include the following:
  • Laying the foundation: It is necessary to invest time to lay the foundation for the migration in terms of design and architecture at the later stages of migration, and building a scalable and robust platform
  • Processes post-cloud migration: It is important to understand that the set of processes and standards relevant in a pre-cloud environment will not hold well in a post-cloud scenario. Hence, cloud-specific standards and processes for IT service management and delivery need to be developed.
  • Communication: For enterprise-wide migration initiatives, it was important to ensure that regular communication goes out to all the responsible and associated stakeholders involved. As mentioned earlier, regular communication was key to the success of the entire initiative.
  • Change management: Cloud adoption will be a game changer for most enterprises. Hence, managing the change is critical, right from the initial stages, and involvement of the senior management is essential to drive this change.
  40. 40. Recommendations to the government

With the adoption of cloud picking up in India, it is critical for the government to define standards and policies around cloud hosting, data privacy and security. Independent bodies like the Cloud Security Alliance (CSA) have defined standards around cloud security and data privacy; the government may take a cue from this and align the policies with these standards to ensure standardisation.

Suggestions to other companies

Cloud migration is more than a matter of mere lift and shift. It is advisable to start the cloud journey with a strategy exercise followed by laying the foundations through extensive planning and design. NH worked with PwC for three months to define the architecture principles, the target cloud architecture on Azure along with its associated components, and the standards and best practices to be followed by NH pre- and post-migration to the cloud. These were subsequently validated with the Microsoft Azure SMEs as well. Owing to the rigorous planning and design, we were able to migrate all of NH's business and system applications within two months, with minimal business downtime.

The entire journey can be broken down into the following phases:
a) Assess
b) Design
c) Construct
d) Implement
e) Operate and review

The above-mentioned phases need to be aligned around strategy, structure, people, process and technology. This has been outlined below.

[Figure: the five phases shown against structure, strategy, process, people and technology, with the labels 'Programme delivery', 'Change management', 'Driving change' and 'Delivering change'.]
  • Assess: Assess current IT applications and infrastructure landscape; determine cloud readiness
  • Design: Develop target architecture blueprint followed by detailed design
  • Construct: Build the cloud environment along with the associated components and controls
  • Implement: Migrate applications to the cloud
  • Operate and review: Operate the cloud environment and identify areas of optimisation
  41. 41. Key people
  • Kumar Krishnamurthy Venkateswaran, VP and CIO, NH
  • Jagadeesh Ramasamy, VP and Lead, Business Applications Services
  • Sridharan Subramaniam, Senior Manager and Lead, Core Infrastructure Services

Case study #2: SAP on cloud (AWS)
*The content of the case study has been provided by AWS.

Company: Macmillan India
Project: SAP on cloud (AWS)

Project description

In 2011, Macmillan India got a new senior management team, changed its business strategy and restructured operations in India. The reorganisation prompted them to update the SAP business suite enterprise resource planning solution, which the company used to manage the sale and distribution of textbooks across India. The infrastructure in the on-premise data centre in Chennai had several problems that affected the system's availability.

Challenges faced

The reorganisation prompted Macmillan India to update its SAP Business Suite enterprise resource planning solution, which the company used to manage the sale and distribution of textbooks across India. The infrastructure in the on-premises data centre in Chennai had several problems that affected system availability: old hardware nearing end of life resulting in frequent breakdown, utility (electricity) shortfall resulting in downtime, networking issues causing outages and affecting productivity. These issues meant that the SAP solution operated with 90 percent or less system availability, when the company needed 99 percent or more availability. Macmillan India realised this situation was unsustainable and started looking for alternative infrastructure options.

Impact or potential impact

After analysing various solutions, Macmillan India found that migrating its infrastructure to an external cloud service, and specifically to AWS, would enable the company to achieve its objectives and avoid the expenses and management load of employing in-house IT administrators. It then set about moving its core applications - the SAP modules, a Drupal online learning system, and a customer relationship management (CRM) system - from the Chennai data centre to AWS. The company engaged PricewaterhouseCoopers (PwC) to design an SAP solution on AWS that would meet the technical and cost requirements, and comply with the Indian government regulations. Macmillan India and PwC initially moved several SAP modules -
  42. 42. including SAP business intelligence (BI), SAP sales and distribution, SAP materials management, SAP financial accounting and controlling and SAP human resources - to AWS and tested SAP performance under a range of scenarios. PwC completed the migration of the project in about six months. Macmillan India benefitted from the AWS pay-as-you-go model, which allowed the company to consume only the resources needed to support peaks and declines in the demand. The company was able to lower their capital expenditure by nearly 100% and expected to achieve reductions in operating cost by about 30% in one year.

Comments on scalability

The company has reduced the time needed to provision a new environment from six weeks to 30 minutes, which engineers can scale up and down at the click of a mouse. Furthermore, Macmillan India can automate its backups and meet recovery time objectives. Additionally, Macmillan India has been able to take advantage of robust security and data protection controls to protect its environment. Availability of their SAP applications has improved from 90% to almost 100% since moving to AWS as per their estimates.

Case study #3
*The content of the case study has been provided by AWS.

Company: Manipal Global Education Services (MaGE)
Project: MaGE uses AWS to save 25% on infrastructure

Project description

MaGE offers numerous services including corporate programmes, skills training, assessment services, certification programmes, student enrolment and placement services. Most of these are delivered online, and with the number of students growing every year, traffic to MaGE's web applications increased by up to 60% per year, with demand spiking exponentially during admission, examination, and result-publishing cycles. It is also the operator of university campuses in Malaysia, Antigua in the Caribbean, Dubai, and Nepal and services and supports more than 400,000 learners, many of them through its award-winning technology platform, EduNxt™.
Challenges faced

Until 2013, MaGE hosted its applications in an on-premises data centre that could not meet its dynamic business needs. Application performance was a challenge, page-load time was slow, and availability was running at 98.5 to 99 percent with the business experiencing downtime of a few days per year. The company also identified a potential risk with its critical SAP system, which did not adequately provide for disaster recovery. In the event of a disaster, recovering the
  43. 43. system would take a few weeks, which had the risk of having significant business impact. Furthermore, the on-premise infrastructure was expensive and complex to maintain. Several team members were needed to configure and deploy infrastructure resources for new workloads, and scaling the data centre for growth could take several weeks, which restricted MaGE's ability to respond quickly to changing business needs.

Impact or potential impact

MaGE was convinced by the agility and elasticity that cloud computing provided and decided to build a robust and 'future-ready' technology platform to support business growth. Based on the success of the initial deployments, MaGE decided that the time was right to move to a 'cloud-first' strategy and began a massive shift to the cloud. MaGE has moved nine applications and systems - including campaign management and digital marketing, student management, learning management, assessment, and websites - into AWS. By early 2015, Manipal was running 70% of its workload in AWS and had adopted a policy that any new applications have to be delivered as a service from the cloud. The business is also running a disaster recovery environment for its SAP student management system within AWS.

After moving to the AWS cloud, the availability of customer-facing applications and student services climbed to 99.9%, and page-load time fell by 30%, improving the end-user experience. The business now has the ability to recover from any disaster impacting their SAP environment in hours, minimising disruption to the business operations. While realising all these benefits, Manipal has also seen reductions in operational costs of around 20–25%.

Comments on scalability

During seasonal peaks, these systems handle 100,000 internal assessment uploads per day on EduNxt™, 450,000 result hits per day on the student portal for distance learning programmes, and three million hits on their website with around 10 TB of data transferred each month. MaGE is now operating a virtual data centre within AWS that can support sustained business growth and expansion, as well as maintain availability and performance when demand peaks occur during admission and exam period. The business can scale the infrastructure up or down to manage seasonal peaks and only pays for the resources it consumes. With instant provisioning, the company is able to support new business demands within hours, compared to four to five weeks previously with the traditional data centre approach.

Case study #4
*The content of the case study has been provided by SAP.

Company: National Center for Tumor Diseases (NCT), Heidelberg University Hospital, Heidelberg (Germany)
Project: Gaining medical insights and enhancing cancer care for patients
  44. 44. Objectives
  • Start treating cancer patients by establishing a protocol on Day 1 that is tailored to their specific genetic profile.
  • Generate ideas for future trials based on analysis of patient attributes, including genetic variations and mutations.
  • Extract biomarker data from patient evaluation letters written by physicians.

Why SAP HANA
  • The SAP HANA® platform enables consolidation of and real-time access to various structured data sources, such as tumour documentation, medical records and clinical trials, in addition to unstructured data sources, such as physician evaluation letters, treatment guidelines, trial reports and medical publications.
  • It offers fast, ad hoc reporting of treatment histories by patient attributes and survival rates from a central data warehouse.

Benefits
  • Real-time identification of cancer types to enable the grouping of patients by relevant characteristics
  • Insight into treatment response and outcome probability by diagnoses
  • Detailed view of previous treatment activities, including, for example, diagnosis, chemotherapy, surgery, and home visits
  • Real-time visibility into current and upcoming clinical trials to match patients for participation based on profile data and treatment needs

Achievement of objectives
  • Faster diagnosis: More than 10,000 new patients evaluated each year since 2011
  • Greater visibility: Detailed view of patient history extracted from both structured and unstructured data sources
  • High data volume: 150,000 data sets in combination with 3.6 million data points successfully analysed during a proof of concept test
  • Faster matching: Quickly match patients for participation in right clinical studies.

Customer testimonial

“The project showed that we could integrate various data sources, extract relevant information and present it to physicians in a way that enables surprising new insights. In the future, we would like to use SAP HANA at every diagnostic and therapeutic step, because every case of cancer is different and can vary immensely from one patient to the next.” Dr. Christof von Kalle, Head, National Center for Tumor Diseases (NCT) Heidelberg
  45. 45. Case study #5
*The content of the case study has been provided by SAP.

Company: Sun Communities Inc., Southfield, Michigan (USA)
Project: Reducing manual processes for new hires

Business context

With a primary focus on creating exceptional on-site customer experiences, completing mandated onboarding requirements was not previously top of mind for hiring managers. Sun Communities was ready to break free from the challenges of manually onboarding new employees. What Sun needed was an onboarding solution that would be intuitive and accessible via mobile devices, would automate paperwork, and could also facilitate and track mandated training.

Objectives
  • Build a foundation for success and make a positive impression with new employees.
  • Complete new-hire processes and mandated training before employees start on the job.
  • Integrate recruiting and onboarding data across the enterprise for a complete view of talent acquisition.

SAP Solution
  • Implemented SAP SuccessFactors Onboarding
  • Empowered new hires to complete requirements with user-friendly mobile tools
  • Simplified complex systems and standardised processes with one solution for better overall HR efficiency

Why SAP SuccessFactors
  • Strong, flexible, core HR foundation with SAP® SuccessFactors® HCM Suite from SuccessFactors, an SAP company
  • Ability to combine the tactical components of onboarding, such as orientation, paperwork and compliance training, with strategic aspects that would set up new hires for success using the SAP SuccessFactors Onboarding solution
  • Scalable software-as-a-service infrastructure in the cloud

Benefits
  • More time for hiring managers to focus on productivity and customer service
  46. 46.
  • Configurable workflows that consider geography and job functions to ensure proper forms, orientation, and compliance training are completed
  • Mass onboarding process for the acquisition of properties that is simple, clear, and well organised
  • Faster background checks with data integration

Achievement of objectives
  • 100,000 USD in annual labour savings by reducing data entry on new hires
  • 100% of paperwork for new hires completed before each employee's first day
  • 100% completion rate for compliance-related training
  • 6.5 weeks of annual person-hours saved by automating paperwork
  • 48% faster statutory verification of employment eligibility (2.7 days down to 1.4 days)
  • 29.4% faster average time to fill positions and reach productivity (34 days down to 24 days)

Customer quote

“New hires have access to our system within hours and can take courses and connect with the right people in our organisation. They are set up for success and can hit the ground running.” Marc Farrugia, Vice President of Human Resources, Sun Communities Inc.
  47. 47. The Confederation of Indian Industry (CII) works to create and sustain an environment conducive to the development of India, partnering with industry, the government and civil society through advisory and consultative processes. CII is a non-government, not-for-profit, industry-led and industry-managed organisation that plays a proactive role in India's development process. Founded in 1895, India's premier business association has over 8,000 members from the private as well as public sectors, including SMEs and MNCs, and an indirect membership of over 2,00,000 enterprises from around 240 national and regional sectoral industry bodies. CII charts change by working closely with the government on policy issues, interfacing with thought leaders, and enhancing efficiency, competitiveness and business opportunities for industry through a range of specialised services and strategic global linkages. It also provides a platform for consensus building and networking on key issues. Extending its agenda beyond business, CII assists industry in identifying and executing corporate citizenship programmes. Partnerships with civil society organisations carry forward corporate initiatives for integrated and inclusive development across diverse domains, including affirmative action, healthcare, education, livelihood, diversity management, skill development, empowerment of women and water. The CII theme for 2016–17, Building National Competitiveness, emphasises industry's role in partnering with the government to accelerate competitiveness across sectors, with sustained global competitiveness as the goal. The focus is on six key enablers: human development, corporate integrity and good citizenship, ease of doing business, innovation and technical capability, sustainability, and integration with the world. 
With 66 offices, including 9 Centres of Excellence, in India and 9 overseas offices in Australia, Bahrain, China, Egypt, France, Germany, Singapore, the UK, and USA, as well as institutional partnerships with 320 counterpart organisations in 106 countries, CII serves as a reference point for Indian industry and the international business community.

Confederation of Indian Industry
The Mantosh Sondhi Centre
23, Institutional Area, Lodi Road, New Delhi - 110 003 (India)
T: 91 11 45771000/24629994-7 | F: 91 11 24626149
Reach us via our Membership Helpline: 00-91-11-435 46244 / 00-91-99104 46244
CII Helpline Toll free No: 1800-103-1244