The "Cloud"
Risk Presentation
Risks and Benefits
Cloud - What is it?

• Software as a Service (SaaS)
 •   GoTo meeting / Webex
 •   Sales Force
 •   Gmail & Google Docs
 •   Zoho

• Platform as a Service (PaaS)
 •   Force.com
 •   AppEngine - Google
 •   Apple App store
 •   Rubik Bank-in-a-Box

• Infrastructure as a Service (IaaS)
 • Amazon S3
 • MS Azure
Note: all logos owned by respective businesses – illustration only
Cloud - What is it?

• Characteristics
   •   On demand
   •   Any device
   •   Self service
   •   Pooled resource
   •   Elastic provisioning
   •   Service measurement
• Deployment
   • Private Cloud
   • Public Cloud
   • Hybrids/shared
Why worry...
• Your clients are using it
• Your advisers / suppliers will use
  it (eg. Data rooms, credit
  decisioning,...)
• You will be / are using it
    • Westpac doing risk modelling
      using cloud compute power
    • CBA signing legal documents
      using it
    • Various ADIs (of all sizes from
      Deutsche Bank to the smallest
      Credit Unions) using for
      CRM, eMail, Office, Card
      processing, Collections, Core
      banking, Internet
      banking, treasury and more...
    • and more are planning to...
Technical Risks

•   Security
•   Service interruption
•   Disaster recovery
•   Privacy
•   Data separation
Outsourcing Risks

•   Intellectual Property
•   Data
•   Ownership
•   Co-mingling
•   Sovereignty
•   Sustainability
•   Compliance
Cloud Specific Risks

•   Contract / SLA
•   Liability
•   Penalties
•   Reputation
•   Metrics



[Figure: Mediocrity Rules in Cloud SLAs. Source: Yankee Group, 2011]
Credit Specific Risks - Client
• Continuity - What happens to client if service provider
  fails? Can they transfer data and processes?
• Business Interruption - Do Clients have plans that
  secure data and ensure recovery - these could be
  accounting, client, sales or other core business assets
  - has failure been tested?
• Default - How do you get control/access of key
  Business assets during workout - consents for entry to
  property, but to data in a cloud data centre? Rights to
  passwords or control?
Credit Specific Risks - Portfolio
• Concentration risk - what if many customers on
  same platforms - eg. The LinkedIn password
  loss, a widespread SalesForce failure?
• Country risk - are systems being delivered from
  countries with poor IT, Network, or governance
  structures - eg. The Estonia/Russia hacker
  wars, Stuxnet, Patriot Act
So why use the cloud?
• The benefits are too economically and
  competitively important to ignore
• All of these risks can be mitigated
• Often these are hidden risks in internal
  business practices – just not evident
• Services have already moved to cloud and
  so we need to create standards for
  evaluating risk and managing
Final Slide

  Rubik Financial Limited
  ABN 51 071 707 232


  •   10/17 Castlereagh St, Sydney, NSW
  •   1/1 Eden Park Drive, Macquarie Park, NSW
  •   4/68 St Georges Terrace, Perth , Western Australia
  •   24/22 Clifford Centre, Singapore 308900
  •   PO Box 213314 Dubai UAE


  PO Box 4808
  Sydney NSW 2001
  Phone: +61 2 9488 4000
  Fax: +61 2 9449 1116
  www.rubik.com.au
Challenges - what problem are we solving?

  • Data silos and maintaining a secure
    perimeter with legacy design
  • Energy consumption and low system
    usage
  • Increased labour costs and pool of
    professionals spreading and declining
  • User demands - used to many web
    based free, high quality, reliable services
    with great User Interfaces (UI)
  • Data volume growth
Technical Benefits
• Provisioning speed
• Storage capacity
• Agility / flexibility
  • Elasticity
  • Load balancing – burst
• 'green' computing – power and resource
  saving
• Attracts innovators and rapid prototyping
• Specialized services – lesson learned can
  be shared across multiple tenants
Business
• Ease of adaption
  • Configuration over customisation
  • Speed to market
  • Device independence
• Availability
  • Resilience
  • Redundancy
  • Response
• Cost structure
  • Units - Pay as you grow
  • Low Capex
Security benefits
  • Cloud has to be more secure simply because
    it is the greatest impediment to adopting cloud
    solutions!
  • Some advantages
     •   Data held centrally
     •   Data access, and backup all controlled and logged
     •   System Snapshots for EOM, forensics, training, …
     •   Virtual systems allow easy recovery
     •   Security tests can be more extensive and frequent
  • A serious cloud provider will be in
    conformance with all required security and
    compliance requirements by design.
Hidden benefits
•   Legacy free
•   “Web” Standards - XML, Services
•   Common defined interfaces
•   Focus shift
    • Processes
    • Outcomes
    • Offers
• Third party contracted management of
  some key business risks

Rubik cloud risks-jun2012


Editor's Notes

  • #13
    • But does your organisation use the cloud already?
    • Middleware/ESB, Virtualisation, Web services, Packaged software, WSDL etc. already are steps toward Cloud
    • Digital Universe (the amount of digital information created and replicated in the world) grew by 62% to nearly 800,000 petabytes (a petabyte is a million gigabytes, or a quintillion bytes), and this year, the Digital Universe will grow almost as fast to 1.2 million petabytes, or 1.2 zettabytes, according to IDC's annual report, "The Digital Universe Decade - Are You Ready?" May 2010
  • #14
    • Replication - automation and consistency of delivery
    • Scalability - in Processing and storage (hint use some SSD!)
    • Provisioning - fast setup, and strong DR, and updated regularly across multiple tenants
    • More efficient resource use leads to power and then environmental savings
    • Attracts staff who seek to be on the latest capabilities, but also allows them to rapid POC systems and new ways of operating
    • Facilities managed by providers whose core capability is providing and maintaining the right facilities – they can share learnings and specialist skills across multiple tenants
  • #15
    • Cloud systems have to be able to adapt to a number of ways of working within the general model
    • Systems that took 3-12 mths to get onto hardware and integrated can now be created in days and weeks
    • Mobility and device independence
    • The systems have known, contracted, and reported service levels – and the contracted response rate must be met or penalties apply – this may be true with internal IT resources but it removes any favours
  • #16
    • It's not all bad news – you might find some improvements in:
    • Less data loss – the data is in the cloud, not the device
    • Better backup, mirroring and central access control
    • If investigating a breach an entire image of the system can be made and stored while business continues
    • Cloud systems have to encrypt and timestamp everything as you must know what went wrong and when – combined with massive storage – log away!
    • Patching, Rollbacks and performance optimisation all improved by virtualised systems
    • Penetration testing and other high value security tests can be more regular as shared across multiple tenants
  • #17
    • The hardware is abstracted/virtualised and the interfaces are all messages and queues so the legacy can be ‘ignored’ or encapsulated.
    • Cloud relies on common standards, definitions and structures to maximise interoperability
    • The interfaces wind up being ‘common’ across organizations – eg. Salesforce spreads with sales person migration
    • Shift in IT org focus and skills from H/w network to applications, data, processes – more staff to work on the real business issues.
    • Someone else responsible for some of your most challenging business risk - negative incidents (data loss, fraud, downtime) can be managed with more clarity and less direct brand damage