Orchestrating the new paradigm kpmg


Published on

KPMG's vision on cloud computing

Published in: Business, Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Orchestrating the new paradigm kpmg

  1. 1. AdVISoryOrchestrating the New Paradigm KPMG’s Business Guidelines to Cloud Computing and Beyond kpmg.com
  2. 2. 2 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V. Contents 1 Foreword 3 2 Introduction 5 3 Current business challenges 6 4 The old paradigm of IT 9 5 The shift towards the cloud 11 6 Into perspective 15 7 Considerations 18 8 Steps forward: orchestration 25 9 Key message 33 Appendix 34
  3. 3. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 301 Forewordorganisations face immense challenges This paper will deal with thesein the aftermath of the financial crisis. issues from a strategic point of view.In the current fragile economic climate We believe that the key challengeIT often represents a costly and rigid for CEos and CIos is to orchestratestructure that does not live up to complex IT ecosystems encompassingexpectations. Meanwhile a paradigm both traditional IT systems and cloudshift is taking place: a transition services from various providers.from locally installed and maintainedIT towards the centralisation and This paper assists in a wider understandingcommoditisation of IT services. of this current evolution/transition in ITA growing number of organisations and provides guidance from a businessembrace concepts such as cloud perspective. Just as you might expectcomputing in order to reduce IT from KPMG, we aim to clarify the process John Hermansspending, to increase the speed by demystify the hype and to inform Partner, KPMG Advisoryof implementations and to ensure decision-makers beyond the obviousan innovative business approach. success stories as told by cloud service KPMG in the NetherlandsConcurrently, questions arise regarding providers and the reluctant stance of manysecurity, compliance and privacy. ‘traditional’ IT service integrators.What are the potential rewards and the We look forward to continuing themain risks of this new paradigm of IT? dialogue on this subject with you.
  4. 4. 4 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V.
  5. 5. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 502 Introduction We aim to demystify the hype and to inform decision-makers.Cloud computing is undoubtedly Amidst the debate decision-makers’ • Current business challenges: the most significant phenomenon most pressing questions often what are the foremost challengesin IT today. Although there seems go unanswered. The business for organisations in the aftermathto be some confusion within the IT perspective on cloud computing of the financial crisis?industry regarding the exact definition and potential developments inof the term, from a business point of the IT landscape remain largely • The old paradigm of IT: what isview cloud computing simply means underexposed, unrecognised and/or ‘traditional’ IT’s reaction to theobtaining IT services from the internet misunderstood. current business challenges?without owning an IT infrastructure.The internet is often depicted by We are convinced that this broader • The paradigm shift: what develop-technicians as a ‘cloud’, hence the term perspective is essential for a thorough ments in IT can be observed?cloud computing. Gmail and Facebook understanding of the impact ofare good examples of cloud computing. cloud computing, since IT is of vital • Perspective: what does the new importance for creating business paradigm actually mean?The increasing significance of cloud value in the majority of organisations.computing is supported by the fact Therefore, we interviewed CEos • Considerations: what are the risks that many organisations are slowly but and CIos as well as the leading of this new paradigm?surely adopting this model. A recent specialist within KPMG with regardsurvey by KPMG in the Netherlands to cloud computing and the future • Steps forward: what steps should also indicates that the majority of of IT in general. As a result of our organisations take?participants considers cloud computing conversations we gained a clearerto be the future model of IT. on the other understanding of the main difficulties This paper aims to provide answershand, some people still feel that cloud and opportunities in organisations to these questions. In addition,computing is nothing more than a hype related to their IT infrastructure. Appendix A explains the definition andand that it will subside. After all, the IT Based on this information, the characteristics of cloud computing inindustry has made many ‘promises’ following key items were identified: more detail.over the years that were not fulfilled.
  6. 6. 6 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V. 03 Current business challenges Organisations are challenged with cost savings, faster time-to-market and innovation. In the aftermath of the financial crisis, it is clear that market conditions have remained extremely volatile. While there is room for optimism regarding the economic future, many companies are confronted with persistent pressure on profit margins and a highly competitive, fast changing and globalised business environment. rising energy prices and unstable political situations are making matters increasingly challenging. According to the decision-makers of large organisations, the main business challenges are cost savings, time-to- market and innovation. 3.1 Cost savings Cost savings can help to maintain profit margins during a period of recession. despite signs of economic recovery, many private enterprises face uncertain market conditions and have intensified their cost-saving efforts. This is often a daunting task, particularly when it comes to changing cost structures. © 2011 KPMG Advisory N.V.
  7. 7. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 73.2 Faster time-to-marketTime-to-market is undoubtedly oneof the critical success factors fororganisations. Consumer andemployee demands have becomeincreasingly volatile, forcingorganisations into fast and flexiblemarket approaches. The lifetimecycle has changed and today’sproducts are characterised by:• an early, high peak in sales volume;• a rapid decline in sales after the peak;• short market time.Therefore, in order to meetdemands quickly and with precision,organisations must be able to reactinstantly to ensure fast delivery oftheir products. delays not only resultin a significant loss of opportunity but Product lifetimesalso a (much) smaller market shareamongst fierce competition. Sales volume3.3 InnovationProduct development has become amajor factor for companies, particularlyin Europe and the US, while emergingeconomies such as China, India andBrazil excel in the efficient productionof many generic products.It is obvious that constant innovationhas a decisive impact on a company’s Timesuccess. The ability to collaborate, Current product’s lifetimeto exchange ideas and access to the ‘Traditional’ product’s lifetimerelevant information resources areprerequisites for innovation. Source: KPMG in the Netherlands, 2011
  8. 8. 8 | KPMG’s Business Guidelines to Cloud Computing and Beyond
  9. 9. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 904 The old paradigm of IT Traditional IT is unable to support the business.It is quite shocking to see how traditional IT concepts fail to Moreover, the bulk of these costs, usually around 80 percent, aredeliver on the three aforementioned business challenges of cost spent on maintenance of existingsaving, quicker time-to-market and innovation. IT simply does not IT rather than on new and innovative applications. While IT spending diddeliver these concepts and thereby fails to meet the needs and not increase dramatically for mostrequirements of contemporary business. EU companies in the last two years, the IT operational budget as a percentage of revenue continued theTraditional, locally installed and at up to five percent of revenue for upward trend. overdue investment inmaintained IT typically comprises Fortune500 enterprises and well over the IT infrastructure and exceedinglyvarious incompatible systems, five percent of government budgets in complicated software releases arenumerous applications and a myriad most oECd countries. important causes of this increase.of interfaces and connections betweenall these different parts. IT has becomeextremely complex for the majority IT operational budget as percentage of revenueof organisations. This complexity isnot only expensive to maintain, but 2,6changes bear high risks and the 2,5deployment of new applications also 2,3involves greater time and effort. 2 1,9According to many decision-makers,their organisation’s IT costs areunreasonably high, IT is too rigid andoutdated and instead of supporting thebusiness, IT has become a hindrance.4.1 Increasing expenditure 2007 2008 2009 2010 2011despite the pressure on IT spending (expected)during the last two years, expenditureon IT remains unconscionably high: Source: KPMG in the Netherlands, 2010
  10. 10. 10 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V. IT departments have to acquire hardware and software, set-up different environments (development, test, acceptance, production), implement procedures, train their IT staff and appoint application managers. In short, traditional IT is unable to provide the flexibility and speed needed to shorten time-to-market. 4.3 Outdated infrastructure Consumer IT products and services have evolved dramatically during the last decade. An explosion of smartphones and tablet computers, new ready-to-use web-based applications and social networks have enabled mobile use of IT, information sharing and collaboration on a scale never seen before.It is obvious that reducing IT spending 4.2 Rigiditywhile assuring similar levels of In order to shorten time-to-market of Traditional IT appears to beservice will be an exceptionally new products, businesses need to have unsuccessful at coping with thechallenging task for CIos in the flexible, scalable and instantly available changing computing habits ofcoming years. IT resources. In reality however, many consumers. It generally comprises organisations depend entirely on local static, legacy components whichrecent studies by KPMG also show IT resources that are bound to their were never designed to facilitatethat investment in IT often does not existing hardware, network bandwidth mobile use or to provide platformsadd tangible value to the business and personnel. As a result, traditional IT for collaboration and the exchange(approximately 30 percent) with a is hardly scalable and this rigidity of ideas.significant portion of IT projects failing contrasts sharply with the business’sto meet time and budget constraints. required agility. While the new generation ofLess than 40 percent of IT projects can employees are accustomed to thebe considered successful, having been In addition to limited scalability, new possibilities of IT in their privatecompleted on time, on budget and traditional IT is unsuited to making new lives, corporate IT falls short inmeeting quality standards. applications instantly available in fulfilling their expectations. accordance with business demands.In short, traditional IT is costing more deploying new applications often takes In short, traditional IT fails to keepand providing less. months and involves high operational pace with innovation and the way and financial risks. consumers use IT.
  11. 11. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 11 05 The shift towards the cloud Cloud computing seems to offer solutions. As the old paradigm of IT simply no longer lives up to its expectations, organisations are looking for alternative concepts. Cloud computing seems to offer the ideal solution in this respect; it enables organisations to phase out parts of their IT including hardware and software, they can regain authority over their core business and keep the costs under control. 5.1 Lower costs IT operational costs can be reduced significantly by adopting cloud computing, since this model’s initial investments (capital expenditure) are marginal compared to the costs that are involved with the large-scale, costly and risky implementations of traditional IT resources. All installations actually take place on the provider’s servers and the management costs for making the services continuously available are borne by the provider. Moreover, there are considerable savings in terms of hardware, server rooms, air conditioning and electricity. The costs passed on to customers are relatively low due to the economies of scale of most cloud service providers, efficient use of (shared) resources and centralisation of expertise.
  12. 12. 12 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V. With cloud computing, charges only Furthermore, using the public internet apply to the use of the IT service, as the as the basic network infrastructure for IT resource remains in the possession services means that business users of the provider. Although paying by are able to access applications and subscription remains the norm, ‘pay-as- data via various devices from multiple you-go’ has recently come into vogue, access points all over the world. This enabling the customer to pay each time can enhance productivity, improve the service is employed. The advantage collaboration and enrich the user of pay-as-you-go is that payment is experience. only made for services that are actually used, and unnecessary overheads are 5.3 Instant scalability avoided. Cloud computing also offers the advantage of being able to adjust the 5.2 Flexibility of deployment use of IT resources either upwards Faster deployment of IT services is an or downwards, thus improving the important driver of cloud computing. scalability of IT. This is possible due to The on-demand nature of the cloud the enormous of scale of the foremost enables the rapid implementation of cloud service providers whose IT applications to business users. capacity easily exceeds that of individual customer organisations. IT complexity is no longer an issue for organisations as IT is owned and run By using technologies such as various by specialised cloud service providers. types of virtualisation and load- Instead of building and running an balancing, cloud computing solutions internal IT factory, commoditised IT can easily be scaled up and down. services are delivered via the internet, Combined with the ‘pay-as-you-go’ or similar to the way in which electricity is subscription models that are common sourced from specialised power plants. to cloud computing, customers only pay Cloud based e-mail services such as for what they use and the required IT Gmail and Hotmail are well known capacity is always available. In contrast examples and positive testimonials of to traditional IT, IT capacity in the cloud this trend. is in theory never idle or scarce.
  13. 13. © 2011 KPMG Advisory N.V.The scalability of cloud computingStorage requirement Loss of On-premise opportunity Unused resources TimeStorage requirement Cloud TimeSource: KPMG in the Netherlands, 2010
  14. 14. 14 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V.
  15. 15. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 15 06 Into perspective A hybrid IT environment with growing significance of cloud services will prevail over the next five years.despite the popularity of cloud computing, its market share is 6.1 Marginality of the cloud Based on oECd and KPMG’s figures,still low. only a small percentage of overall IT budgets are spent the current share of cloud computingon cloud services. Meanwhile, the growth of cloud computing is is negligible in terms of the total IT spending of organisations at betweentoo large to disregard and the investments by leading players in two percent to four percent globally.the IT industry too big to ignore. Cloud computing is both With the US as the leading outlet (60 percent), the rest of the worldmarginal and significant. including Europe can be considered as periphery. Cloud computing applications in our private lives, suchParadigm shift as Facebook and Gmail, may be very popular but large-scale adoption High Cloud computing of cloud services by the corporate community has yet to take place. In particular, concerns about the level of Outsourcing security and compliance in the cloud Centralisation are decelerating factors. Hosting Notwithstanding the continuous development of cloud computing, SSC the catalogue of cloud services is relatively limited to already On-premise IT commoditised services such as e-mail, ‘office’ applications, CrM Low Commoditisation High and data storage. The cloud currently offers virtually no complex, integratedSource: KPMG in the Netherlands, 2011 business applications as yet.
  16. 16. 16 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V.Enterprise resource Planning and IT departments to low-wage countries. 6.3 The hybrid environment as thecustom-made billing systems only make In this respect, cloud computing is the new paradigmtheir way to the cloud in isolated cases next phase in this process and part of Given the current, minor positionand remain locally installed in a traditional the paradigm shift in IT from traditional of cloud computing and theway, at least for the time being. IT towards the centralised provision of ongoing wave of centralisation services and shared use of IT resources. and commoditisation of IT, most6.2 Significance of the cloud organisations will adapt to a hybridyet the emergence of cloud computing The foremost players in the IT industry environment. only a relative fewshould not be underestimated. also anticipate this trend. While the organisations will sustain anAccording to market estimates of leading established pioneers of cloud computing entirely traditional IT infrastructureanalysts the growth of commercial cloud (Google, Salesforce.com and Amazon by ignoring or disregarding theservices is between 20 percent to 30 being the best known) are steadily drivers of cloud computing. on thepercent per year for 2010 - 2015, despite expanding their service portfolios, almost other hand, there is no business case(or perhaps thanks to) the economic low all major IT providers are investing for a full-scale move of IT to the cloudtide. Even though the current market heavily in cloud services in order to meet for the vast majority of organisationsshare of cloud computing is marginal, it the apparently rising demand. Even anytime soon. A hybrid environment,will own a considerable portion by 2015. the goliaths (or perhaps mastodons) a mixture of traditional IT and of traditional IT such as Microsoft, IBM outsourced elements with growingMoreover, the move towards and oracle are offering cloud services, significance of cloud services, willcentralisation and commoditisation occasionally in collaboration with other prevail over the next five years. For theof IT services is a process that has software vendors and IT integrators who greater part, IT will be installed andbeen taking place since the turn of the do not want to miss the boat. managed locally whether by internalmillennium. Centralisation enhances units or by an IT service provider.efficiency by using the economies of It will take at least another five yearsscale and resource sharing. Centralised before cloud computing becomes the A growing portion of IT will, however,delivery of services also facilitates de facto standard for the majority of IT depend on external resources and onvolatile demand more effectively. services, but the course towards the cloud computing in particular. cloud has been clearly set.Commoditisation by using standardised This paradigm shift will not be aservices instead of custom-made sudden transition from the oldsolutions involves lower costs and less paradigm of predominantly traditional,time as the turnkey solutions are easier on-premise IT to the cloud. Neitherto deploy. From locally installed and will it mark an end to all the short-managed IT, organisations chose to set- comings of the old paradigm. Theup Shared Service Centres (SSC) often future mode of IT will be a hybridin combination with harmonisation of environment offering huge potentialtheir IT portfolio. Then came the waves for organisations as well as points ofof hosting applications on external consideration, which will be discussedplatforms and outsourcing/offshoring of in the next chapter.
  17. 17. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 17Hosting, outsourcing and cloud computingBusiness aspects Delivery of Dedicated Shared service Management of Internal External IT resources Ownership of Customer Provider assets On-premise IT SSC Hosting Outsourcing Cloud ComputingSource: KPMG in the Netherlands, 2011Cloud computing shares certain characteristics with hosting a phasing out of internal IT resources and using those of theand outsourcing from the viewpoint of decision-makers. provider instead.All three models involve a certain degree of using shared ITresources from external providers. In reality, the boundaries The specific definition of each of these models is of minorbetween hosting, outsourcing and cloud computing are importance so long as the following business aspects canoften vague and overlapping. Providers frequently present be determined correctly: the exclusivity of the delivery of ITtheir hosting solutions in the form of a ‘private’ cloud while services, the assignment of the management of IT resourcescloud computing can be seen as a radical form of outsourcing. and the ownership of software and hardware. The extent toWhere outsourcing usually means moving internal IT which these aspects are adopted determines the potentialresources to an external party, cloud computing means benefits and risks of the solution.
  18. 18. 18 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V. 07 Considerations Managing multiple concepts regarding data, contracts and technology can be a daunting task for organisations. As with opportunity comes danger, organisations should be aware of the risks of operating in a hybrid IT environment and cloud computing in particular. Security and compliance are important factors as rules and regulations with respect to risk management have been tightened in the last two years. Compliance with these rules and regulations may be difficult in a hybrid environment. Additionally, as organisations are inherently reliant on their provider’s controls within the cloud with regards to compliance monitoring and reporting, decision-makers will need to cope with different contracts, integration issues and an ever-changing IT industry. 7.1 Dependency on the cloud With an ever greater proportion of the IT components moving to external premises, organisations will be increasingly dependent on their providers. This form of dependency on providers already exists, such as dependency on energy providers, banks and public facilities e.g. the transport infrastructure. yet when it comes to IT many organisations maintain the notion that they are in control, although in practice most have issues on this point.
  19. 19. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 19At the same time, the level of trustbetween organisations and their ITservice providers remains relatively lowcompared to, for example, financialinstitutions (in spite of the creditcrunch), and there are valid reasons forthis reserved stance towards IT serviceproviders, particularly with regard tocloud computing.Cloud computing is not devoid ofdangers. Although the number ofmajor incidents involving commonlyused cloud services was relativelysmall in 2010 in relation to the numberof customers, all the ‘Big Four’ cloudservice providers (Google, Salesforce.com, Amazon and Microsoft) haveneeded to remedy several criticalvulnerabilities in their cloud offerings inwhich customer data was, to a certainextent, compromised. Consequencesof loss, leakage or the unavailability ofdata residing at providers’ premises in open formats after termination of dependency on public internetcan be disastrous to the business. one service may aggravate this issue. This can have implications on servicecrucial point is emphasised by this – the means that the data is only suitable for reliability and uptime outside thecustomer is highly dependent on the one specific solution or at one specific scope of control of both the customercloud service provider when it comes provider. organisation and provider. Althoughto data protection. leased lines and proprietary networks Provider lock-in also comprises can be used for cloud computing,Another aspect of dependency is unforeseen circumstances such as the primary infrastructure of cloudprovider lock-in. due to the limited, bankruptcy, litigation, SEC probing or computing is the public internet.albeit growing, number of cloud service any other act of provider defamation Given the fact that the public internet’sproviders combined with the lack of that could significantly damage an ownership and accountability are for(open, interchangeable) standards organisation’s business. Shutdown the greater part undefined, ensuringfor provider interoperability, it can of services, change of service levels, contractual obligations with networkbe extremely difficult to switch to shift of focus in the event of strategy providers and accountable partiesalternative providers and/or to migrate alterations and the mergers or that enable internet connectivityback to locally installed IT. A provider’s acquisitions of the provider may also is virtually impossible and legallyfailure to support the extraction of data have undesired effects. cumbersome.
  20. 20. 20 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V.The risk profile of the cloudThe risks of cloud computing should Considerationsbe put into perspective. on the onehand, cloud computing is mainlybased on existing technologies suchas virtualisation, data segregation and Data processing On-premise Off-premise and storageweb services. The existing IT risksapply, albeit the controls and mitigatingmeasures are largely the provider’sresponsibility as the provider ownsand manages the IT resources within Access and Single-tenant Multi-tenantthe cloud. on the other hand, cloud authorisationcomputing has characteristics whichconsiderably affect the risk profilecompared to traditional, on-premise IT.These characteristics are: Primary network LAN (Public) Internet Infrastructure• external data storage and processing;• the sharing of IT resources with other On-premise IT SSC Hosting Outsourcing Cloud Computing customers (multi-tenancy);• dependency on the public internet. Source: KPMG in the Netherlands, 2011 Traditional IT Cloud computing Location of data storage Within the (internal) outside the internal security domain of the and IT assets security domain of the customer’s organisation; hosted/located at cloud customer’s organisation service provider or distributed/scattered over a multitude of (third party) providers Usage of (IT) resources Exclusive to the customer Varying degrees of multi-tenancy Primary infrastructure for LAN, leased lines Public internet data transfer
  21. 21. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 217.2 Complexity of the hybrid hybrid environments is primarily Insufficient data segregation andenvironment caused by the processing and storage process isolation can lead to dataAs the name suggests, the hybrid of data at different physical locations. contamination and/or breach ofenvironment covers multiple data is distributed or scattered confidentiality, while lack of identityconcepts regarding data management, between several providers’ premises and access controls can causecontracts, and technology. Managing as well as being located on-site and illegitimate access to sensitive datathese items can be a daunting task for this implies challenges concerning such as intellectual property. For largeorganisations. security and privacy. It is difficult to corporations that often need to comply implement integrated control with specific regulations, inadequatedata management is important to measures and processes for data measures regarding data managementprevent disruption of business. The management over several, often may also result in regulatorycomplexity of data management in incompatible infrastructures. incompliance. In addition, storing data outside the organisation’s perimeters may raise privacy issues. For example, within the European Economical Area laws are applicable regarding the processing of personal data. Anyone who handles personal data has to comply with these rules, no matter how and where the data is actually being processed. Simply put, the customer who is using the cloud services will remain responsible for their data. This poses a risk for the customer, as in cloud scenarios it is often unclear where and when data is being processed, how it is being transported and who has access to this data. The international presence of cloud service providers compounds this problem. With the growing share of cloud services that can be purchased and delivered from all over the planet, organisations will have contracts involving providers from different jurisdictions.
  22. 22. 22 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V.different jurisdictions imply different different authentication strengths, potential infringement of segregation oflegislations, rules and procedures. especially when authentication of the duties. This complexity is increased byregulations which apply for defined cloud service is weaker than the cloud services that use differentgeographical locations are at odds customer’s requirements, can lead to procedures and/or other technologieswith cloud computing services weaknesses in the IT environment with to facilitate these processes.crossing various borders. the result that the integrity andAs a result, the location of data in confidentiality of data is compromised. 7.3 Assurancedifferent jurisdictions can conflict In most large organisations, the Hybrid environments have far-reachingwith local legislations applicable to processes for authorisation to access consequences on the degree ofthe customer. internal IT resources are complex assurance, especially where it comes and open to improvement. Frequently, to financial statements. To obtainWhen it comes to technical integration, authorisations for role/function changes assurance, transparency from providersintegration of access controls and within the organisation include new concerning data and management of theauthorisation pose the biggest chal- permissions while the old permissions physical and logical security is essential.lenges for organisations. may not have been removed, resulting In practice however, assurance in too many permissions and the frameworks are often inadequate. This is principally an issue for the customer organisation, as legislation such as privacy laws state that a customer has the legal obligation to validate the measures implemented by the service provider. Therefore when using externally hosted services such as cloud computing, it is the customer’s responsibility to know what is outsourced, to whom and where the data is processed and located. SAS70 reports and various other certifications appear to offer a solution to this issue, but only a minority of providers engage independent parties to regularly perform external audits.
  23. 23. © 2011 KPMG Advisory N.V.Moreover, the selected IT controls areoften based on the single-tenantstructure and not on the multi-tenancycharacteristic of cloud services.Many of the controls necessary toensure segregation of the data andresource utilisation of various customersare not selected and therefore rarelyaudited. New IT controls are currentlybeing formulated, but the number ofinitiatives remains large without any ofthe frameworks being widely acceptedon the market. In addition, the publicinternet, which is the main infrastructurefacilitating the cloud, is exceptionally hardto audit and to monitor as accountabilityon internet traffic is difficult to assign andeven more difficult to enforce. As a result,management across multiple providers,the ‘black box’ nature of cloud computingand the public internet rarely resonateswell with tightly controlled industries.It should be noted that the currentSAS70 standard, which is usedglobally to meet assurance on activitiesimpacting the financial statements,will be replaced by June 2011 by theISAE3402 standard. This new standardwill establish an international basis forpractice supported by IFAC (InternationalFederation of Accountants) and ASB(US Auditing Standards Board). Thisnew standard will also relate to alloutsourced controls relevant to thefinancial statements.
  24. 24. 24 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V.
  25. 25. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 2508 Steps forward: orchestration Orchestration of the hybrid environment is a critical success factor.To reap the benefits of the new paradigm of IT, organisations 8.1 Business case A solid business case for using thewill need to be in control of the hybrid environment. This implies cloud is preconditional. organisationsthat the ability to define business cases, analyse and mitigate should devise a business case based on how to utilise different technologiesrisks and govern IT services will be the success factors. The and models. Some elements of the ITcombination of these elements is what we call orchestration. landscape should be left in their legacy state, while other elements could be moved to the cloud. The lifecycle and depreciation of the existing IT assets should also be assessed and evaluated.Orchestration The question of whether a service in the cloud is fit for the job is largely dependent Orchestration on the organisation’s business needs. In practice, custom-tailored and complex services are far less common in the cloud than commodity services such as e-mail and storage. Furthermore, it is unlikely that highly confidential and/or sensitive Business Risk Governance data will be moved to the cloud within Case Management the near future. Selecting Minimising Optimising solutions risks benefits Close monitoring of the market is strongly recommended. Changes occur one after another at a rapid pace, each with its newSource: KPMG in the Netherlands, 2011 opportunities and drawbacks.
  26. 26. 26 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V.Case study 1:The cloud computing strategy for the Dutch governmentKPMG’s cloud analysis method IT Dutch government Cloud computing No mature cloud Suitable for services available the cloud - External private cloud - Public cloud Highly confidential data Complex systems Recently purchased systems Internal private cloud Legacy systemsSource: KPMG in the Netherlands, 2010KPMG was asked by the dutch • Contains no highly confidential data: between the cloud and on-premisegovernment to perform an analysis this type of data cannot be taken to need to crystallise out, complexof the possibilities of the cloud as external domains due to the need systems can be excluded.part of the cloud computing strategy for security, privacy and for politicaldevelopment. The objective of this reasons. KPMG also determined that anproject was to identify which part of the internal private cloud was onlydutch government’s IT could be moved • Is not part of the legacy systems: viable for a limited proportion of theto the cloud and what types of cloud migration or transformation of large government’s IT systems due to thecomputing offering were feasible. scale legacy systems with specific required (high level of) investments functionalities are too labour intensive and specialist knowledge versusBased on the information collected and bear too great a risk. virtually no benefits.during workshops and expertsessions, KPMG determined that • Was not recently purchased: systems Although the supply of cloud servicescloud computing was only suitable in the initial stage of their lifecycle will increase and diversify in time, thefor a subset of IT within the dutch are financially unfit given the long external cloud market’s proven andgovernment, comprising the parts that depreciation period involved. matured services are limited to mainlycomply with the following conditions: e-mail, ‘office’ applications, CrM, • Has a limited number of connections collaboration, application development with other systems: as the standards platforms, data storage and server/ to interconnect different systems infrastructure capacity.
  27. 27. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 27Case study 2:A cloud computing opportunity scan for an international bankKPMG was asked by an international - a proven track record at financial • Opportunity analysis: suitable areas bank to perform an opportunity scan organisations; for cloud computing were identified.with the aim of identifying the areas inthe bank’s application landscape that - data residing within EU; only a fraction of the bank’scould be moved to the cloud. applications were suitable for the cloud. - ISo27001 certified. The main restricting factors regardingGiven the exceptionally valuable and cloud computing were the low numberconfidential nature of the data involved, • Outline of business case: potential of providers with a solid track record,the bank demanded a high level of benefits of those selected solutions risk of lock-in and the confidentiality ofsecurity and control over its IT systems, were identified. the bank’s data.therefore compliance with applicableregulations and standard such as PCI • Outline of risk assessment: potential dSS was required. risks, mitigations and residual risks were assessed.during two sessions KPMG andrepresentatives from the bank (seniorbusiness representatives, CIo, IT KPMG’s cloud opportunity scanarchitects, security officer, audit andrisk managers) defined the following In the long term Suitableitems: Portals Development Public domain data platform• Definition: a practicable and consistent definition of cloud Intranet computing within the organisation BPM Office was agreed. ESB E-mail CRM Confidential data• Scope definition: the scope of applications within the bank was DMS ERP Billing defined. HR Finance BI• Selection of cloud services: an Unsuitable Under stringent conditions only overview of cloud service providers Primary process applications Commodity applications and their solutions were defined and briefly described. Prerequisites were: Source: KPMG in the Netherlands, 2010
  28. 28. 28 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V.8.2 Risk management A right-to-audit for all off-premiserisk management is an essential services is recommended, althoughelement in the hybrid environment. the reality is that large cloud serviceNext to the ‘traditional’ risk manage- providers honour few requests forment activities for the traditional audits. Moreover, many auditorsIT, specific attention should be paid lack the technical knowledge andto measures mitigating the risks experience with the architecture ofof excessive provider-dependency, the cloud. As a consequence, manycomplexity of processes and organisations are forced to rely ontechnology, and assurance. provider transparency through reports and certifications. It is advisable toregarding the dependency on utilise this secondary option to itsproviders and their solutions, risk maximum extent.assessment at an early stage isadvised. The provider’s track record, its Cloud computing has a number ofintegrity and financial/market position specific characteristics with major ashould all be assessed and verified. impact on risk profile, such as externalWhen it comes to cloud computing, data storage and processing, thedecision-makers should bear in mind sharing of IT resources with otherthat the cloud computing market is in customers (multi-tenancy) and theits development stage and large-scale dependency on the public internet.migrations to the cloud and expertise These characteristics imply potentialon this subject are scarce. high risks and mitigations concerning multiple dimensions including data,In any event, the customer should have security, privacy, compliance andan exit/migration strategy prepared. finance. Therefore, risks relating to all dimensions should be assessed,regarding the complexity of processes mitigating measures defined andand technology, the entire ecosystem responsibilities/accountabilitiesincluding the various relations between assigned.the components of the hybridenvironment should be identified.Cloud services frequently comprisemany parties at various locations,operating under different conditionsand subject to different legislations.It is essential to identify the entireecosystem and to obtain sufficientassurance on all its components.
  29. 29. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 29Case study 3:A cloud computing risk assessment for an organisationin the industrial markets sectorKPMG was asked to assess the risks This led to undesired weaknesses and authorisation (who and/or whichfor an organisation already using cloud in the IT environment with the result roles have which permissions for whichservices. IT and security units were not that the integrity and confidentiality of data) to internal IT resources could notinvolved during the purchasing process (financial) data could be harmed. be integrated with the processes of thewhich complicated the eventual cloud service provider. This situationmitigating measures. Secondly the processes for user of two, separate domains therefore management (creating, changing and increased the risk of higher complexity,In the case of this organisation, we disabling/deleting computer accounts) additional costs and management.identified the following four relevantcharacteristics of cloud services KPMG’s risk dimensions modelconcerning risks:• external data storage; Security• multi-tenancy architecture; and Privacy• use of the public internet; Financial Operational• integration with the internal IT environment.These four characteristics were plotted BUSINESS RISKSon several risk dimensions.The main risks related to integrationwith the internal IT environment, andmore specifically to authentication and Vendor Technologyauthorisation of business users. RegulatoryFirstly the customer organisation’s and Complianceauthentication (3-factor) was strongerthan the authentication supported bythe cloud service provider (2-factor). Source: KPMG in the US, 2010
  30. 30. 30 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V. 8.3 Governance order to control the purchase of Governance encompasses the cloud computing services and management of multiple service promote correct use of the cloud. providers, demand/purchase control, This policy should also outline and the integration of processes and conditions, commitments, service technology. optimal governance of a level requirements, the terms of hybrid environment will lead to a engagement between provider higher effectiveness of IT on the and customer and procedures customer’s side. concerning compliance with the policy. Management of multiple service defining architecture to ensure providers encompasses similar adequate interoperability between elements to those of traditional IT. various technologies and service However there is greater emphasis on models is an important step and vendor management, legal support, ensures alignment with the compliance monitoring and integration. organisation’s strategy. In general, The main components of governance a consistent architecture within one are depicted below. organisation outweighs the advantages of using several models. Understanding Cloud computing services can be the architecture of various services and purchased on-demand by everyone in their relations is of major importance the organisation outside the control when implementing services. In this of IT and risk/audit departments. As a regard, it is recommended to pay result, business users circumventing specific attention to Identity and Access IT may result in a surplus/duplication Management (IAM) and workflow of applications. A policy on cloud integration, as they frequently pose computing should be drafted in technical difficulties in practice. Governance Vendor Contract Service level Legal management management management support Enterprise risk Compliance Demand Service portfolio management monitoring management management Identity & access Service Technical Security management integration integration management Source: KPMG in the Netherlands, 2010
  31. 31. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 31Cloud computing and Tax issues – Minimising risk and exposureCloud computing’s impact triggers taxation issues in the A third point of consideration is the set-up of cloud computingservice provider’s country as well as in the customer’s services. Under certain circumstances tax authorities maycountry. Typically, three taxation themes need thorough take the position that a cloud computing service rendered toconsideration. a customer is subject to local withholding tax.The first is the fact that a permanent establishment issue It is important that the structure is set-up correctly andmay occur if a cloud computing vendor has a server in processes are continuously monitored in order to minimiseanother country. In such cases, the other country’s tax tax exposures and risks. This requires an integrated processauthorities may have the fiscal viewpoint that the server and control framework.creates a local permanent establishment and that part ofthe related profits are taxable in their country. Through planning and structuring, there are opportunities to design tax-efficient structures under the appropriateThe second is in the field of VAT. For VAT purposes, a cloud circumstances.computing vendor may need to register itself in foreigncountries where its customers are based and local VATmay be due.
  32. 32. 32 | KPMG’s Business Guidelines to Cloud Computing and Beyond
  33. 33. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 339 Key messageorganisations are facing immense in the cloud, at least for the time being multiple service providers,challenges during the aftermath of the (2011 - 2015). This offers opportunities demand/purchase control andfinancial crisis. Cost savings, faster for organisations; cost effectiveness, the integration of processes andtime-to-market and innovation in an flexibility and speed, as well as technology.increasingly competitive business specific points to consider.environment are the decision-makers’ optimal orchestration of a hybridmain concerns. Against the background orchestration of the hybrid environ- environment will lead to a higherof these challenges, to what extent ment will be a critical success factor. effectiveness of IT on the customer’sdoes IT provide valuable support? The orchestration encompasses the side. And to an organisation thatreality is that IT costs too much without ability to define business cases, risk can cope with tomorrow’s challengesadding sufficient value and can even assessments and the governance of in an ever changing marketplace.hinder innovation.A paradigm shift in IT is currently taking Key messageplace, away from traditional, locallyinstalled and managed IT towards Organisations are challenged with cost savings,applications on the internet, the ‘cloud’. faster time-to-market and innovationCloud computing corresponds withthe aims of business by deliveringservices at lower costs, enabling Traditional IT is unable to support the businessfaster deployment of applicationsand facilitating innovation. yet, cloudcomputing’s share in the IT market is Cloud computing seems to offer solutionsmarginal and the portfolio of serviceslimited. And yet the growth of cloudcomputing is solid, in accordance with Cloud computing is emerging but still a marginal phenomenonindustry’s high expectations.Nonetheless, a new paradigm is Hybrid environment is the mode of IT for 2011 - 2015underway. It will not be a suddentransition from traditional IT to thecloud. Neither will it mark an end Hybrid environment harbours opportunities and risksto all the shortcomings of the oldparadigm. Orchestration of the hybrid environment is a critical success factorThe new paradigm of IT will bea hybrid environment with bothtraditional, on-premise IT and services Source: KPMG in the Netherlands, 2011
  34. 34. 34 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V.Appendix
  35. 35. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 35Appendix ACloud computing in more detailA search using an internet search Traditional, on-premise IT versus cloud computingengine delivers a multitude ofdefinitions, descriptions and opinions ‘On-premise’ Cloud computingon cloud computing. Some speak Customer Customerof ‘applications on the internet’or ‘a computational style in which Users UsersIT provides scalable and flexiblecapabilities as services to external IT services IT servicescustomers through the use of internettechnology’, while others qualify itwith terms such as ‘old wine in new Hardware, Software + data Internetbottles’. obviously there is a lack ofconsensus and a lot of confusion on Licences and Subscription support costs Pay-as-you-gowhat cloud computing actually is.Simply viewed, cloud computing Vendor Vendorstands for the provision of IT services Hardware, Software + datafrom shared resources via theinternet. The internet is oftenmetaphorically depicted as a cloud, Source: KPMG the Netherlands, 2010hence the term ‘cloud computing’.Well known examples of cloudcomputing applications include “Cloud computing stands for hosted applicationsGmail, Google Apps, Hotmail andApple MobileMe. and platforms, built on shared infrastructure, delivered via a web browser.” An Industry Head atThe reason why this seemingly simpleconcept is so differently explained by Google EnterpriseIT providers, analysts and academicsis mainly due to the fact that cloud virtualisation, web services, shared However, the commercial provision ofcomputing is a combination of data caches and grid computing. IT services over the internet on a largeimportant technological and business Since ASPs (Application Service scale from shared pools of IT resourceselements. Providers) have been providing IT has only become economically applications over the internet for viable due to three relatively recentFrom a technological perspective, more than a decade, cloud computing developments. Firstly, the abovecloud computing is based on already can indeed be described as ‘old wine mentioned technologies, of whichexisting technologies such as in new bottles’. virtualisation and web services are the
  36. 36. 36 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V.most important, have been refined, Layers of cloud computingstandardised and widely appliedduring the last five years. Secondly,public broadband networks havebecome abundant and readily available Salesforce.com, Microsoft Office 365, Gmail SaaSat a reasonable cost. Thirdly, some Software + Platform + Infrastructureproviders have expanded the scale oftheir IT resources enormously, makingthem the major players in today’s cloudcomputing market. App Engine, Force.com, Azure Platform + Infrastructure PaaSThe business principle of cloudcomputing is based on the factthat possession/ownership of IT Amazon EC2, Terremark, RackSpaceresources (i.e. applications, platforms IaaS Infrastructureor infrastructure) is independent ofthe use of these resources. In cloudcomputing, the IT resources, whetherit is an application or storage, remain Source: KPMG the Netherlands, 2010the property of the cloud serviceprovider and customers only pay CPU, network). Additional platforms • Internet-dependent. Althoughfor the use of the IT service without and software have to be installed by leased lines and proprietaryrequiring local software or hardware the customer or specific infrastructure networks can be used for cloudinstallations. In theory, cloud components can be utilised for on- computing, its primary infrastructurecomputing does not require upfront premise processes (see the diagram is the public internetinvestments (capital expenditure) below). In general, cloud serviceunlike the traditional, on-premise IT. providers specialise in one or two • Contracted services. Customers payThe customer only needs access to layers only. for a service (‘pay-as-you-go’ or bythe internet. subscription) instead of licences and/ depending on the layer, cloud or hardwareCloud services can be offered at computing has the followingvarious layers of IT. At the software characteristics: • On-demand services. In contrastlayer, this service is called Software- to the vast majority of traditional IT,as-a-Service (SaaS). Platform-as-a- • External data storage and cloud services can be used almostService (PaaS) provides IT services processing. Unlike traditional IT, data instantlyat the platform level (e.g. operating is stored and processed outsidesystems, application frameworks) the customer’s domain at the cloud • Elasticity. Cloud services can beand, in this case, additional software service provider’s location(s) easily upscaled and downsizedmust then be developed or installed bycustomers. Infrastructure-as-a-Service • Multi-tenancy. Contrary to traditional Multi-tenancy may be limited to a(IaaS) provides technical infrastructure IT, resources are (to a certain degree) select group of customers or evencomponents (e.g. storage, memory, shared by multiple customers a single customer, although there is
  37. 37. © 2011 KPMG Advisory N.V. KPMG’s Business Guidelines to Cloud Computing and Beyond | 37Different types of cloud computing Internal cloud computing Private cloud computing Public cloud computing Customer A Customer A Customer B Customer C Customer A Customer B Customer C Service Service Service Service Service Service Service Internet Internet Internet Internet Internet IT IT IT IT IT IT IT Internal IT Customer A Provider ProviderSource: KPMG the Netherlands, 2010always a degree of multi-tenancy (e.g.physical facilities, cooling, supportstaff) with cloud computing. Thisform of private or dedicated cloudcomputing represents an alternativeto the public cloud with a high degreeof multi-tenancy. In either form, thecustomer’s data is stored at theprovider’s location(s).Some providers offer private cloudcomputing solutions in which anorganisation’s internal IT departmentuses cloud computing technologiesto create an ‘on-premise cloud’. Sincethis internal form of cloud computingis fully dependent on internal, on-premise IT, it is highly questionablewhether this type can truly be calledcloud computing. Therefore, any suchnotion of an internal cloud has notbeen discussed in this paper.
  38. 38. 38 | KPMG’s Business Guidelines to Cloud Computing and Beyond © 2011 KPMG Advisory N.V.Appendix BApproach, project organisationand referencesApproach References Contact usThis paper reflects KPMG’s vision of • From Hype to Future, KPMG’s 2010 cloud computing in a broad perspective. Cloud Computing Survey, KPMG, KPMGThe basis of the content was provided 2010 Laan van Langerhuize 1by a team of international specialists 1186 dS Amstelveenon this subject within the KPMG • Clouds in the Forecast – Canadian The NetherlandsInternational network of member firms perspectives on the promise of cloudduring September and october 2010. computing services for businesses, P Box 74500 .o.In addition, existing KPMG reports and KPMG, 2010 1070 dB Amsterdampublications have also been used. The Netherlands • IT Attestation in the cloud, KPMG, Project organisation 2010 John Hermans T: +31 (0)20 656 8394Author: • Audit and Compliance in the cloud, M: +31 (0)6 5136 6389Mike Chung KPMG, 2010 hermans.john@kpmg.nlProject executives: • Executive Considerations When Mike ChungJohn Hermans and Frank rizzo Building and Managing a Successful T: +31 (0)20 656 4034 Cloud Service, KPMG, 2009 M: +31 (0)6 1455 9916Project manager: chung.mike@kpmg.nlMike Chung • Audit in the cloud, security audits versus cloud computing, MikeWith valuable support from: Chung, KPMG, 2010Nasreen Patel, roy van der Veld, dennisvan Ham, Edo roos Lindgreen, Ingar • Assurance in the cloud, impact Glenn Pedersen, Tudor Aw, Matthias of cloud computing on financialBossardt, Alfred Koch, rick Wright, statements, Mike Chung, Compact,Maarten de Boer, Serge Wallagh, Marco 2011.Franken, Willem Guensberg, BhargavShah, Marloes de Jong and ralph • OECD Information Technology Houtveen. outlook 2010, oECd, 2010
  39. 39. Key contactsJohn Hermans Tudor AwPartner PartnerKPMG in the Netherlands KPMG in the UKT: +31 6 5136 6389 T: +44 207 694 1265E: hermans.john@kpmg.nl E: aw.tudor@kpmg.co.ukMike Chung Alain BeuchatManager PartnerKPMG in the Netherlands KPMG in SwitzerlandT: +31 6 1455 9916 T: +41 44 249 2017E: chung.mike@kpmg.nl E: abeuchat@kpmg.comFrank Rizzo Matthias BossardtPartner Senior ManagerKPMG in South Africa KPMG in SwitzerlandT: +27 11 6477 388 T: +41 44 249 2239E: rizzo.frank@kpmg.co.za E: mbossardt@kpmg.comGreg Bell Uwe Bernd-StriebeckPartner PartnerKPMG in the US KPMG in GermanyT: +1 404 222 7197 T: +49 201 455 6870E: rgregbell@kpmg.com E: uberndstriebeck@kpmg.comRick Wright Arne HelmePartner DirectorKPMG in the US KPMG in NorwayT: +1 617 988 1163 T: +47 40 63 9507E: richardwright@kpmg.com E: arne.helme@kpmg.no© 2011 KPMG Advisory N.V. is a subsidiary of KPMG Europe LLP and a member firm of the KPMG-network of independent memberfirms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved. The KPMG name, logoand ‘cutting through complexity’ are registered trademarks of KPMG International Cooperative. 045_0311The information contained herein is of a general nature and is not intended to address the circumstances of any particular individualor entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information isaccurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such informationwithout appropriate professional advice after a thorough examination of the particular situation.