How to avoid storms in the cloud: The Australian experience and global trends

Discussion Topics
1. Understanding Cloud and Benefits
2. KPMG research: The Australian Experience and Global Trends
3. Considerations for Operating in Cloud
4. Regulation and Compliance
5. Security and Privacy
6. Data and Technology

Understanding the Cloud Environment

Cloud Service Models
- Software as a Service (SaaS): Business operations over a network
- Platform as a Service (PaaS): Deploy customer-created applications to a cloud
- Infrastructure as a Service (IaaS): Rent storage, processing, network and other computing resources

Deployment Models
- Private Cloud: Operated for a single organisation, typically controlled, managed and hosted in a private data centre
- Public: Available to multiple organisations on a shared basis and hosted/managed by a third party
- Community: Shared by several related organisations

Cloud Environment Characteristics
- On-Demand Self-Service
- Internet Accessibility
- Pooled Resources
- Elastic Capacity
- Usage-Based Billing

Cloud Adoption: Australian Information Industry Association
- Australian Cloud Market at early stages
- Private over Public
- KPMG's analysis shows cost benefits:
  - lower operating costs by 25%
  - lower capital costs by 50%
- Productivity improvements (increased output per unit of cost)
- Innovation (ability to deliver new and evolving products)
- Frost and Sullivan Survey: 43% in Aus using Cloud, up from 35% in 2010. In ASPAC, 22% will budget more than 20% of annual IT expenditure on Cloud

Cloud Adoption: KPMG Global Study

Impact of Cloud on Business Operations
- Adopting cloud has a big impact on IT, but it doesn't stop there. Critical business operations are also affected.
- Organisations need an enterprise-wide approach that takes in the cross-functional effects of cloud
- Your approach may vary, depending on your cloud service model, your deployment model, and the maturity of existing business and IT processes
- Lessons learned from outsourcing apply in the cloud

Business Operations
- Financial Management and Tax
- Security and Privacy
- Operational Data & Technology
- Regulatory and Compliance
- Vendor Management

Regulatory and Compliance (Australian Focus)

APRA
- Outsourcing Policy
- Off Shoring arrangements
- Risk Based approach
- Audit Arrangements
- BCM Considerations
- Information security accountability and audit trails

Australian Government
- Public Service Act 1999
- Freedom of Information Act 1982
- Privacy Act 1988
- Archives Act 1983
- Evidence Act 1995
- Copyright Act 1968
- Electronic Transactions Act 1999

Information Privacy Principles
- Disclosure
- Storage and security
- Data segregation
- Data destruction
- Transborder data flow

"agencies may choose to use cloud computing services where they provide value for money and adequate security"

Considerations for Operating in Cloud: Regulatory & Compliance

Regulatory and Compliance
- Breach and Disclosure
- Data Location Assurance
- Collaborative Risk Assessment
- E-Discovery

Challenges/Implications
- Lack of visibility into the CSP's operations inhibits analysis of its compliance with pertinent laws and regulations
- Complexity of records management/records retention creates challenges
- Lack of industry standards and certifications for cloud providers creates risks

Considerations for Operating in Cloud: Security & Privacy

Security and Privacy
- Data Access
- Security Risk Assessment
- Data Governance
- Privacy Security Requirements

Challenges/Implications
- Data may be stored in cloud (1) without customer segregation, allowing accidental or malicious disclosure to third parties and/or (2) in a legal jurisdiction where the data subject is not protected
- Loss of governance of critical security areas
- Weak logical access controls due to cloud vendor's IAM immaturity

Considerations for Operating in Cloud: Data & Technology

Data & Technology
- IT Solution Delivery
- IT Service Management
- Service Catalog
- Data Governance
- Technology Strategy & Architecture

Challenges/Implications
- There is a risk of creating independent silos of information and creating issues with data integrity, quality, and insight
- Business can bypass the IT function to implement cloud solutions, making IT governance challenging
- Cloud dramatically changes how IT delivers services
- Cloud adoption opens the four Data Center walls, creating new risks

Key Take-Aways

IT Professionals
- Work closely with the business
- Evaluate interoperability
- Refine the role of the CIO

Risk and Internal Audit Professionals
- Risk and controls in cloud selection
- Traditional IT controls may not support assurance programs
- Determine how cloud impacts regulatory and compliance requirements

Key Take-Aways (cont)
- Considerations for moving to the cloud vary by organisation. Make an informed decision.
- Cloud is not about technology and affects all aspects of business
- Implement lessons learned from the IT Outsourcing experience
- Constantly monitor the marketplace

Thank you!
Angela Pak
Associate Director, IT Advisory
Tel: 9263 7202
Mob: 0403 326 790
apak@kpmg.com.au

All information provided is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

© 2012 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative ("KPMG International").