KPMG - Business Guidelines to Cloud Computing and Beyond

ADVISORY Orchestrating the New Paradigm KPMG’s Business Guidelines to Cloud Computing and Beyond kpmg.com

Post on 19-Nov-2015



  • 2 | KPMGs Business Guidelines to Cloud Computing and Beyond 2011 KPMG Advisory N.V.

    Contents

    1 Foreword 3

    2 Introduction 5

    3 Current business challenges 6

    4 The old paradigm of IT 9

    5 The shift towards the cloud 11

    6 Into perspective 15

    7 Considerations 18

    8 Steps forward: orchestration 25

    9 Key message 33

    Appendix 34


    1 Foreword

    Organisations face immense challenges in the aftermath of the financial crisis. In the current fragile economic climate IT often represents a costly and rigid structure that does not live up to expectations. Meanwhile a paradigm shift is taking place: a transition from locally installed and maintained IT towards the centralisation and commoditisation of IT services. A growing number of organisations embrace concepts such as cloud computing in order to reduce IT spending, to increase the speed of implementations and to ensure an innovative business approach. Concurrently, questions arise regarding security, compliance and privacy.

    What are the potential rewards and the main risks of this new paradigm of IT?

    This paper will deal with these issues from a strategic point of view. We believe that the key challenge for CEOs and CIOs is to orchestrate complex IT ecosystems encompassing both traditional IT systems and cloud services from various providers.

    This paper assists in a wider understanding of this current evolution/transition in IT and provides guidance from a business perspective. Just as you might expect from KPMG, we aim to clarify the process by demystifying the hype and to inform decision-makers beyond the obvious success stories as told by cloud service providers and the reluctant stance of many traditional IT service integrators.

    We look forward to continuing the dialogue on this subject with you.

    John Hermans
    Partner, KPMG Advisory
    KPMG in the Netherlands


    2 Introduction

    We aim to demystify the hype and to inform decision-makers.

    Cloud computing is undoubtedly the most significant phenomenon in IT today. Although there seems to be some confusion within the IT industry regarding the exact definition of the term, from a business point of view cloud computing simply means obtaining IT services from the internet without owning an IT infrastructure. The internet is often depicted by technicians as a cloud, hence the term cloud computing. Gmail and Facebook are good examples of cloud computing.

    The increasing significance of cloud computing is supported by the fact that many organisations are slowly but surely adopting this model. A recent survey by KPMG in the Netherlands also indicates that the majority of participants consider cloud computing to be the future model of IT. On the other hand, some people still feel that cloud computing is nothing more than hype and that it will subside. After all, the IT industry has made many promises over the years that were not fulfilled.

    Amidst the debate, decision-makers' most pressing questions often go unanswered. The business perspective on cloud computing and potential developments in the IT landscape remain largely underexposed, unrecognised and/or misunderstood.

    We are convinced that this broader perspective is essential for a thorough understanding of the impact of cloud computing, since IT is of vital importance for creating business value in the majority of organisations. Therefore, we interviewed CEOs and CIOs as well as the leading specialists within KPMG with regard to cloud computing and the future of IT in general. As a result of our conversations we gained a clearer understanding of the main difficulties and opportunities in organisations related to their IT infrastructure. Based on this information, the following key items were identified:

    - Current business challenges: what are the foremost challenges for organisations in the aftermath of the financial crisis?
    - The old paradigm of IT: what is traditional IT's reaction to the current business challenges?
    - The paradigm shift: what developments in IT can be observed?
    - Perspective: what does the new paradigm actually mean?
    - Considerations: what are the risks of this new paradigm?
    - Steps forward: what steps should organisations take?

    This paper aims to provide answers to these questions. In addition, Appendix A explains the definition and characteristics of cloud computing in more detail.

    3 Current business challenges

    In the aftermath of the financial crisis, it is clear that market conditions have remained extremely volatile. While there is room for optimism regarding the economic future, many companies are confronted with persistent pressure on profit margins and a highly competitive, fast-changing and globalised business environment. Rising energy prices and unstable political situations are making matters increasingly challenging.

    Organisations are challenged with cost savings, faster time-to-market and innovation.

    According to the decision-makers of large organisations, the main business challenges are cost savings, time-to-market and innovation.

    3.1 Cost savings

    Cost savings can help to maintain profit margins during a period of recession. Despite signs of economic recovery, many private enterprises face uncertain market conditions and have intensified their cost-saving efforts. This is often a daunting task, particularly when it comes to changing cost structures.

    3.2 Faster time-to-market

    Time-to-market is undoubtedly one of the critical success factors for organisations. Consumer and employee demands have become increasingly volatile, forcing organisations into fast and flexible market approaches. The lifetime cycle has changed and today's products are characterised by:

    - an early, high peak in sales volume;
    - a rapid decline in sales after the peak;
    - a short market time.

    Therefore, in order to meet demands quickly and with precision, organisations must be able to react instantly to ensure fast delivery of their products. Delays not only result in a significant loss of opportunity but also in a (much) smaller market share amongst fierce competition.

    [Figure: Product lifetimes. Sales volume over time for a current product's lifetime compared with a traditional product's lifetime. Source: KPMG in the Netherlands, 2011]

    3.3 Innovation

    Product development has become a major factor for companies, particularly in Europe and the US, while emerging economies such as China, India and Brazil excel in the efficient production of many generic products.

    It is obvious that constant innovation has a decisive impact on a company's success. The ability to collaborate, to exchange ideas and access to the relevant information resources are prerequisites for innovation.


    4 The old paradigm of IT

    It is quite shocking to see how traditional IT concepts fail to deliver on the three aforementioned business challenges of cost saving, quicker time-to-market and innovation. IT simply does not deliver these concepts and thereby fails to meet the needs and requirements of contemporary business.

    Traditional IT is unable to support the business.

    Traditional, locally installed and maintained IT typically comprises various incompatible systems, numerous applications and a myriad of interfaces and connections between all these different parts. IT has become extremely complex for the majority of organisations. This complexity is not only expensive to maintain, but changes bear high risks and the deployment of new applications also involves greater time and effort.

    According to many decision-makers, their organisation's IT costs are unreasonably high, IT is too rigid and outdated and, instead of supporting the business, IT has become a hindrance.

    4.1 Increasing expenditure

    Despite the pressure on IT spending during the last two years, expenditure on IT remains unconscionably high: at up to five percent of revenue for Fortune 500 enterprises and well over five percent of government budgets in most OECD countries.

    Moreover, the bulk of these costs, usually around 80 percent, is spent on maintenance of existing IT rather than on new and innovative applications. While IT spending did not increase dramatically for most EU companies in the last two years, the IT operational budget as a percentage of revenue continued its upward trend. Overdue investment in the IT infrastructure and exceedingly complicated software releases are important causes of this increase.

    [Figure: IT operational budget as a percentage of revenue, 2007 to 2011 (2011 expected). Source: KPMG in the Netherlands, 2010]


    It is obvious that reducing IT spending while assuring similar levels of service will be an exceptionally challenging task for CIOs in the coming years.

    Recent studies by KPMG also show that investment in IT often does not add tangible value to the business (approximately 30 percent), with a significant portion of IT projects failing to meet time and budget constraints. Less than 40 percent of IT projects can be considered successful, having been completed on time, on budget and meeting quality standards.

    In short, traditional IT is costing more and providing less.

    4.2 Rigidity

    In order to shorten the time-to-market of new products, businesses need to have flexible, scalable and instantly available IT resources. In reality, however, many organisations depend entirely on local IT resources that are bound to their existing hardware, network bandwidth and personnel. As a result, traditional IT is hardly scalable and this rigidity contrasts sharply with the business's required agility.

    In addition to limited scalability, traditional IT is unsuited to making new applications instantly available in accordance with business demands. Deploying new applications often takes months and involves high operational and financial risks. IT departments have to acquire hardware and software, set up different environments (development, test, acceptance, production), implement procedures, train their IT staff and appoint application managers.

    In short, traditional IT is unable to provide the flexibility and speed needed to shorten time-to-market.

    4.3 Outdated infrastructure

    Consumer IT products and services have evolved dramatically during the last decade. An explosion of smartphones and tablet computers, new ready-to-use web-based applications and social networks have enabled mobile use of IT, information sharing and collaboration on a scale never seen before.

    Traditional IT appears to be unsuccessful at coping with the changing computing habits of consumers. It generally comprises static, legacy components which were never designed to facilitate mobile use or to provide platforms for collaboration and the exchange of ideas.

    While the new generation of employees is accustomed to the new possibilities of IT in their private lives, corporate IT falls short of fulfilling their expectations.

    In short, traditional IT fails to keep pace with innovation and the way consumers use IT.

    5 The shift towards the cloud

    As the old paradigm of IT simply no longer lives up to expectations, organisations are looking for alternative concepts. Cloud computing seems to offer the ideal solution in this respect: it enables organisations to phase out parts of their IT, including hardware and software, so that they can regain authority over their core business and keep costs under control.

    Cloud computing seems to offer solutions.

    5.1 Lower costs

    IT operational costs can be reduced significantly by adopting cloud computing, since this model's initial investments (capital expenditure) are marginal compared to the costs involved in the large-scale, costly and risky implementations of traditional IT resources. All installations actually take place on the provider's servers and the management costs for making the services continuously available are borne by the provider. Moreover, there are considerable savings in terms of hardware, server rooms, air conditioning and electricity. The costs passed on to customers are relatively low due to the economies of scale of most cloud service providers, efficient use of (shared) resources and centralisation of expertise.


    With cloud computing, charges only apply to the use of the IT service, as the IT resource remains in the possession of the provider. Although paying by subscription remains the norm, pay-as-you-go has recently come into vogue, enabling the customer to pay each time the service is employed. The advantage of pay-as-you-go is that payment is only made for services that are actually used, and unnecessary overheads are avoided.

    5.2 Flexibility of deployment

    Faster deployment of IT services is an important driver of cloud computing. The on-demand nature of the cloud enables the rapid implementation of applications for business users.

    IT complexity is no longer an issue for organisations, as IT is owned and run by specialised cloud service providers. Instead of building and running an internal IT factory, commoditised IT services are delivered via the internet, similar to the way in which electricity is sourced from specialised power plants. Cloud-based e-mail services such as Gmail and Hotmail are well-known examples and positive testimonials of this trend.

    Furthermore, using the public internet as the basic network infrastructure for services means that business users are able to access applications and data via various devices from multiple access points all over the world. This can enhance productivity, improve collaboration and enrich the user experience.

    5.3 Instant scalability

    Cloud computing also offers the advantage of being able to adjust the use of IT resources either upwards or downwards, thus improving the scalability of IT. This is possible due to the enormous scale of the foremost cloud service providers, whose IT capacity easily exceeds that of individual customer organisations.

    By using technologies such as various types of virtualisation and load-balancing, cloud computing solutions can easily be scaled up and down. Combined with the pay-as-you-go or subscription models that are common to cloud computing, customers only pay for what they use and the required IT capacity is always available. In contrast to traditional IT, IT capacity in the cloud is in theory never idle or scarce.

    [Figure: The scalability of cloud computing. Two charts of storage requirement over time: on-premise, marking loss of opportunity where demand exceeds capacity and unused resources where capacity exceeds demand, and cloud. Source: KPMG in the Netherlands, 2010]

    6 Into perspective

    Despite the popularity of cloud computing, its market share is still low. Only a small percentage of overall IT budgets is spent on cloud services. Meanwhile, the growth of cloud computing is too large to disregard and the investments by leading players in the IT industry too big to ignore. Cloud computing is both marginal and significant.

    A hybrid IT environment with growing significance of cloud services will prevail over the next five years.

    [Figure: Paradigm shift. On-premise IT, SSC, hosting, outsourcing and cloud computing plotted against increasing centralisation and increasing commoditisation (low to high). Source: KPMG in the Netherlands, 2011]

    6.1 Marginality of the cloud

    Based on OECD and KPMG's figures, the current share of cloud computing is negligible in terms of the total IT spending of organisations, at between two percent and four percent globally. With the US as the leading outlet (60 percent), the rest of the world including Europe can be considered as periphery. Cloud computing applications in our private lives, such as Facebook and Gmail, may be very popular, but large-scale adoption of cloud services by the corporate community has yet to take place. In particular, concerns about the level of security and compliance in the cloud are decelerating factors.

    Notwithstanding the continuous development of cloud computing, the catalogue of cloud services is relatively limited to already commoditised services such as e-mail, office applications, CRM and data storage. The cloud currently offers virtually no complex, integrated business applications.


    Enterprise Resource Planning and custom-made billing systems only make their way to the cloud in isolated cases and remain locally installed in a traditional way, at least for the time being.

    6.2 Significance of the cloud

    Yet the emergence of cloud computing should not be underestimated. According to market estimates of leading analysts, the growth of commercial cloud services is between 20 percent and 30 percent per year for 2010-2015, despite (or perhaps thanks to) the economic low tide. Even though the current market share of cloud computing is marginal, it will own a considerable portion by 2015.

    Moreover, the move towards centralisation and commoditisation of IT services is a process that has been taking place since the turn of the millennium. Centralisation enhances efficiency by using the economies of scale and resource sharing. Centralised delivery of services also facilitates volatile demand more effectively.

    Commoditisation, using standardised services instead of custom-made solutions, involves lower costs and less time, as turnkey solutions are easier to deploy. From locally installed and managed IT, organisations chose to set up Shared Service Centres (SSC), often in combination with harmonisation of their IT portfolio. Then came the waves of hosting applications on external platforms and outsourcing/offshoring of IT departments to low-wage countries. In this respect, cloud computing is the next phase in this process and part of the paradigm shift in IT from traditional IT towards the centralised provision of services and shared use of IT resources.

    The foremost players in the IT industry also anticipate this trend. While the established pioneers of cloud computing (Google, Salesforce.com and Amazon being the best known) are steadily expanding their service portfolios, almost all major IT providers are investing heavily in cloud services in order to meet the apparently rising demand. Even the goliaths (or perhaps mastodons) of traditional IT such as Microsoft, IBM and Oracle are offering cloud services, occasionally in collaboration with other software vendors and IT integrators who do not want to miss the boat.

    It will take at least another five years before cloud computing becomes the de facto standard for the majority of IT services, but the course towards the cloud has been clearly set.

    6.3 The hybrid environment as the new paradigm

    Given the current, minor position of cloud computing and the ongoing wave of centralisation and commoditisation of IT, most organisations will adapt to a hybrid environment. Only a relative few organisations will sustain an entirely traditional IT infrastructure by ignoring or disregarding the drivers of cloud computing. On the other hand, there is no business case for a full-scale move of IT to the cloud for the vast majority of organisations anytime soon. A hybrid environment, a mixture of traditional IT and outsourced elements with growing significance of cloud services, will prevail over the next five years. For the greater part, IT will be installed and managed locally, whether by internal units or by an IT service provider. A growing portion of IT will, however, depend on external resources and on cloud computing in particular.

    This paradigm shift will not be a sudden transition from the old paradigm of predominantly traditional, on-premise IT to the cloud. Neither will it mark an end to all the shortcomings of the old paradigm. The future mode of IT will be a hybrid environment offering huge potential for organisations as well as points of consideration, which will be discussed in the next chapter.

    Hosting, outsourcing and cloud computing

    Cloud computing shares certain characteristics with hosting and outsourcing from the viewpoint of decision-makers. All three models involve a certain degree of using shared IT resources from external providers. In reality, the boundaries between hosting, outsourcing and cloud computing are often vague and overlapping. Providers frequently present their hosting solutions in the form of a private cloud, while cloud computing can be seen as a radical form of outsourcing. Where outsourcing usually means moving internal IT resources to an external party, cloud computing means a phasing out of internal IT resources and using those of the provider instead.

    The specific definition of each of these models is of minor importance so long as the following business aspects can be determined correctly: the exclusivity of the delivery of IT services, the assignment of the management of IT resources and the ownership of software and hardware. The extent to which these aspects are adopted determines the potential benefits and risks of the solution.

    [Figure: Business aspects of hosting, outsourcing and cloud computing. On-premise IT, SSC, hosting, outsourcing and cloud computing compared on delivery of service (dedicated to shared), management of IT resources (internal to external) and ownership of assets (customer to provider). Source: KPMG in the Netherlands, 2011]

    7 Considerations

    As with opportunity comes danger, organisations should be aware of the risks of operating in a hybrid IT environment and cloud computing in particular. Security and compliance are important factors, as rules and regulations with respect to risk management have been tightened in the last two years. Compliance with these rules and regulations may be difficult in a hybrid environment. Additionally, as organisations are inherently reliant on their providers' controls within the cloud with regard to compliance monitoring and reporting, decision-makers will need to cope with different contracts, integration issues and an ever-changing IT industry.

    Managing multiple concepts regarding data, contracts and technology can be a daunting task for organisations.

    7.1 Dependency on the cloud

    With an ever greater proportion of IT components moving to external premises, organisations will be increasingly dependent on their providers. This form of dependency on providers already exists, for example on energy providers, banks and public facilities such as the transport infrastructure. Yet when it comes to IT, many organisations maintain the notion that they are in control, although in practice most have issues on this point.

    At the same time, the level of trust between organisations and their IT service providers remains relatively low compared to, for example, financial institutions (in spite of the credit crunch), and there are valid reasons for this reserved stance towards IT service providers, particularly with regard to cloud computing.

    Cloud computing is not devoid of dangers. Although the number of major incidents involving commonly used cloud services was relatively small in 2010 in relation to the number of customers, all the Big Four cloud service providers (Google, Salesforce.com, Amazon and Microsoft) have needed to remedy several critical vulnerabilities in their cloud offerings in which customer data was, to a certain extent, compromised. Consequences of loss, leakage or the unavailability of data residing at providers' premises can be disastrous to the business. One crucial point is emphasised by this: the customer is highly dependent on the cloud service provider when it comes to data protection.

    Another aspect of dependency is provider lock-in. Due to the limited, albeit growing, number of cloud service providers, combined with the lack of (open, interchangeable) standards for provider interoperability, it can be extremely difficult to switch to alternative providers and/or to migrate back to locally installed IT. A provider's failure to support the extraction of data in open formats after termination of service may aggravate this issue. This means that the data is only suitable for one specific solution or at one specific provider.

    Provider lock-in also comprises unforeseen circumstances such as bankruptcy, litigation, SEC probing or any other act of provider defamation that could significantly damage an organisation's business. Shutdown of services, change of service levels, shift of focus in the event of strategy alterations and the mergers or acquisitions of the provider may also have undesired effects.

    Dependency on the public internet can have implications for service reliability and uptime outside the scope of control of both the customer organisation and the provider. Although leased lines and proprietary networks can be used for cloud computing, the primary infrastructure of cloud computing is the public internet. Given the fact that the public internet's ownership and accountability are for the greater part undefined, ensuring contractual obligations with network providers and accountable parties that enable internet connectivity is virtually impossible and legally cumbersome.

    The risk profile of the cloud

    The risks of cloud computing should be put into perspective. On the one hand, cloud computing is mainly based on existing technologies such as virtualisation, data segregation and web services. The existing IT risks apply, albeit the controls and mitigating measures are largely the provider's responsibility, as the provider owns and manages the IT resources within the cloud. On the other hand, cloud computing has characteristics which considerably affect the risk profile compared to traditional, on-premise IT. These characteristics are:

    - external data storage and processing;
    - the sharing of IT resources with other customers (multi-tenancy);
    - dependency on the public internet.

    Traditional IT compared with cloud computing (source: KPMG in the Netherlands, 2011):

    Location of data storage and IT assets
        Traditional IT: within the (internal) security domain of the customer's organisation
        Cloud computing: outside the internal security domain of the customer's organisation; hosted/located at the cloud service provider or distributed/scattered over a multitude of (third-party) providers

    Usage of (IT) resources
        Traditional IT: exclusive to the customer
        Cloud computing: varying degrees of multi-tenancy

    Primary infrastructure for data transfer
        Traditional IT: LAN, leased lines
        Cloud computing: public internet

    [Figure: On-premise IT, SSC, hosting, outsourcing and cloud computing compared on data processing and storage (on-premise to off-premise), access and authorisation (single-tenant to multi-tenant) and primary network infrastructure (LAN to (public) internet).]

    7.2 Complexity of the hybrid environment

    As the name suggests, the hybrid environment covers multiple concepts regarding data management, contracts and technology. Managing these items can be a daunting task for organisations.

    Data management is important to prevent disruption of business. The complexity of data management in hybrid environments is primarily caused by the processing and storage of data at different physical locations. Data is distributed or scattered between several providers' premises as well as being located on-site, and this implies challenges concerning security and privacy. It is difficult to implement integrated control measures and processes for data management over several, often incompatible infrastructures.

    Insufficient data segregation and process isolation can lead to data contamination and/or breach of confidentiality, while lack of identity and access controls can cause illegitimate access to sensitive data such as intellectual property. For large corporations that often need to comply with specific regulations, inadequate measures regarding data management may also result in regulatory non-compliance.

    In addition, storing data outside the organisation's perimeter may raise privacy issues. For example, within the European Economic Area laws apply regarding the processing of personal data. Anyone who handles personal data has to comply with these rules, no matter how and where the data is actually being processed. Simply put, the customer who is using the cloud services will remain responsible for their data. This poses a risk for the customer, as in cloud scenarios it is often unclear where and when data is being processed, how it is being transported and who has access to this data. The international presence of cloud service providers compounds this problem.

    With the growing share of cloud services that can be purchased and delivered from all over the planet, organisations will have contracts involving providers from different jurisdictions.

  • 22 | KPMGs Business Guidelines to Cloud Computing and Beyond 2011 KPMG Advisory N.V.

    different jurisdictions imply different legislations, rules and procedures. regulations which apply for defined geographical locations are at odds with cloud computing services crossing various borders. As a result, the location of data in different jurisdictions can conflict with local legislations applicable to the customer.

    When it comes to technical integration, integration of access controls and authori sation pose the biggest chal-lenges for organisations.

    Different authentication strengths, especially when the authentication of the cloud service is weaker than the customer's requirements, can lead to weaknesses in the IT environment, with the result that the integrity and confidentiality of data is compromised. In most large organisations, the processes for authorisation to access internal IT resources are complex and open to improvement. Frequently, authorisations for role/function changes within the organisation add new permissions while the old permissions are not removed, resulting in too many permissions and the potential infringement of segregation of duties. This complexity is increased by cloud services that use different procedures and/or other technologies to facilitate these processes.
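    The two problems described above, permissions that accumulate across role changes and authorisation processes that are split between the internal directory and the cloud provider, are both caught by a periodic access review that reconciles what each domain actually grants against what the user's current roles justify. The following Python is an added example and not code from the KPMG paper; the role catalogue, the segregation-of-duties rules and the two user records are constructed sample data, and all role and permission names are hypothetical. The second sample user shows why the review has to run over the combined permission set: each domain on its own passes the check, and the conflict only appears when both are considered together.

```python
"""Access review across an on-premise directory and a cloud service.

Added example, not code from the KPMG paper. The role catalogue, the
segregation-of-duties (SoD) rules and the user records below are constructed
sample data; the permission and role names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed role catalogue: which permissions each current role justifies.
# "cloud:" marks entitlements granted inside the cloud provider's own IAM.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "ap_clerk": {"invoice.create", "vendor.view"},
    "ap_manager": {"invoice.approve", "vendor.view", "vendor.edit"},
    "cloud_finance_user": {"cloud:ledger.read"},
    "cloud_finance_admin": {"cloud:ledger.read", "cloud:payment.release"},
}

# Constructed SoD rules: pairs of permissions one person must never hold together.
SOD_CONFLICTS: set[frozenset[str]] = {
    frozenset({"invoice.create", "invoice.approve"}),
    frozenset({"invoice.approve", "cloud:payment.release"}),
    frozenset({"vendor.edit", "cloud:payment.release"}),
}


@dataclass
class UserAccess:
    user: str
    current_roles: set[str]       # roles the user holds today (HR view)
    onprem_permissions: set[str]  # what the internal directory actually grants
    cloud_permissions: set[str]   # what the cloud provider's IAM actually grants


@dataclass
class Finding:
    user: str
    stale: set[str]                                          # granted but not justified by any current role
    conflicts: list[tuple[str, str]]                         # SoD rules broken by the combined permission set
    per_domain_conflicts: dict[str, list[tuple[str, str]]]   # what each domain sees when checked alone


def sod_conflicts(permissions: set[str]) -> list[tuple[str, str]]:
    """Return every SoD rule whose two permissions are both present, sorted for stable output."""
    return sorted(tuple(sorted(rule)) for rule in SOD_CONFLICTS if rule <= permissions)


def review(user: UserAccess) -> Finding:
    """Reconcile what both domains grant against what the user's current roles justify."""
    justified: set[str] = set()
    for role in user.current_roles:
        justified |= ROLE_PERMISSIONS[role]
    effective = user.onprem_permissions | user.cloud_permissions
    return Finding(
        user=user.user,
        stale=effective - justified,
        conflicts=sod_conflicts(effective),
        per_domain_conflicts={
            "onprem": sod_conflicts(user.onprem_permissions),
            "cloud": sod_conflicts(user.cloud_permissions),
        },
    )


def review_all(users: list[UserAccess]) -> dict[str, Finding]:
    """Run the review for every user and key the findings by user name."""
    return {u.user: review(u) for u in users}


# Constructed sample records illustrating the two failure modes in the text.
SAMPLE_USERS = [
    # Moved from AP clerk to AP manager; the old on-premise entitlement was never revoked.
    UserAccess("alice", {"ap_manager", "cloud_finance_user"},
               {"invoice.create", "invoice.approve", "vendor.view", "vendor.edit"},
               {"cloud:ledger.read"}),
    # Every entitlement matches a current role, yet the two domains together break SoD.
    UserAccess("bob", {"ap_manager", "cloud_finance_admin"},
               {"invoice.approve", "vendor.view", "vendor.edit"},
               {"cloud:ledger.read", "cloud:payment.release"}),
]

if __name__ == "__main__":
    for finding in review_all(SAMPLE_USERS).values():
        print(f"{finding.user}: stale={sorted(finding.stale)} "
              f"combined={finding.conflicts} per_domain={finding.per_domain_conflicts}")
```

    In a real review the three inputs come from three different owners: the role catalogue from HR or the process owner, the on-premise grants from the directory, and the cloud grants from the provider's IAM export. Keeping the SoD rules as plain permission pairs rather than role pairs is what makes the cross-domain case visible, since the conflicting entitlements are justified by two roles that each look harmless on their own.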

    7.3 Assurance

    Hybrid environments have far-reaching consequences for the degree of assurance, especially where it comes to financial statements. To obtain assurance, transparency from providers concerning data and the management of physical and logical security is essential. In practice, however, assurance frameworks are often inadequate.

    This is principally an issue for the customer organisation, as legislation such as privacy laws states that a customer has the legal obligation to validate the measures implemented by the service provider. Therefore, when using externally hosted services such as cloud computing, it is the customer's responsibility to know what is outsourced, to whom, and where the data is processed and located.

    SAS70 reports and various other certifications appear to offer a solution to this issue, but only a minority of providers engage independent parties to regularly perform external audits.


    Moreover, the selected IT controls are often based on the single-tenant structure and not on the multi-tenancy characteristic of cloud services. Many of the controls necessary to ensure segregation of the data and resource utilisation of various customers are not selected and therefore rarely audited. New IT controls are currently being formulated, but the number of initiatives remains large without any of the frameworks being widely accepted on the market. In addition, the public internet, which is the main infrastructure facilitating the cloud, is exceptionally hard to audit and to monitor, as accountability for internet traffic is difficult to assign and even more difficult to enforce. As a result, management across multiple providers, the black box nature of cloud computing and the public internet rarely resonate well with tightly controlled industries.

    It should be noted that the current SAS70 standard, which is used globally to meet assurance on activities impacting the financial statements, will be replaced by June 2011 by the ISAE3402 standard. This new standard will establish an international basis for practice supported by IFAC (International Federation of Accountants) and ASB (US Auditing Standards Board). This new standard will also relate to all outsourced controls relevant to the financial statements.


    8 Steps forward: orchestration

    To reap the benefits of the new paradigm of IT, organisations will need to be in control of the hybrid environment. This implies that the ability to define business cases, analyse and mitigate risks and govern IT services will be the success factors. The combination of these elements is what we call orchestration.

    Orchestration of the hybrid environment is a critical success factor.

    Figure: Orchestration. Business case (selecting solutions), Risk management (minimising risks), Governance (optimising benefits).

    Source: KPMG in the Netherlands, 2011

    8.1 Business case

    A solid business case for using the cloud is a precondition. Organisations should devise a business case based on how to utilise different technologies and models. Some elements of the IT landscape should be left in their legacy state, while other elements could be moved to the cloud. The lifecycle and depreciation of the existing IT assets should also be assessed and evaluated.

    The question of whether a service in the cloud is fit for the job is largely dependent on the organisation's business needs. In practice, custom-tailored and complex services are far less common in the cloud than commodity services such as e-mail and storage. Furthermore, it is unlikely that highly confidential and/or sensitive data will be moved to the cloud within the near future.

    Close monitoring of the market is strongly recommended. Changes occur one after another at a rapid pace, each with its new opportunities and drawbacks.


    Case study 1: The cloud computing strategy for the Dutch government

    KPMG was asked by the Dutch government to perform an analysis of the possibilities of the cloud as part of its cloud computing strategy development. The objective of this project was to identify which part of the Dutch government's IT could be moved to the cloud and what types of cloud computing offering were feasible.

    Based on the information collected during workshops and expert sessions, KPMG determined that cloud computing was only suitable for a subset of IT within the Dutch government, comprising the parts that comply with the following conditions:

    - Contains no highly confidential data: this type of data cannot be taken to external domains due to the need for security, privacy and for political reasons.

    - Is not part of the legacy systems: migration or transformation of large-scale legacy systems with specific functionalities is too labour intensive and bears too great a risk.

    - Was not recently purchased: systems in the initial stage of their lifecycle are financially unfit given the long depreciation period involved.

    - Has a limited number of connections with other systems: as the standards to interconnect different systems between the cloud and on-premise still need to crystallise, complex systems can be excluded.

    KPMG also determined that an internal private cloud was only viable for a limited proportion of the government's IT systems due to the required (high level of) investments and specialist knowledge versus virtually no benefits.

    Although the supply of cloud services will increase and diversify in time, the external cloud market's proven and matured services are limited mainly to e-mail, office applications, CRM, collaboration, application development platforms, data storage and server/infrastructure capacity.

    Figure: KPMG's cloud analysis method. Filters applied to the Dutch government's IT: highly confidential data, legacy systems, recently purchased systems, complex systems, no mature cloud services available. Outcomes: suitable for the cloud (external private cloud, public cloud) or internal private cloud.

    Source: KPMG in the Netherlands, 2010


    Case study 2: A cloud computing opportunity scan for an international bank

    KPMG was asked by an international bank to perform an opportunity scan with the aim of identifying the areas in the bank's application landscape that could be moved to the cloud.

    Given the exceptionally valuable and confidential nature of the data involved, the bank demanded a high level of security and control over its IT systems; therefore compliance with applicable regulations and standards such as PCI DSS was required.

    During two sessions KPMG and representatives from the bank (senior business representatives, CIO, IT architects, security officer, audit and risk managers) defined the following items:

    - Definition: a practicable and consistent definition of cloud computing within the organisation was agreed.

    - Scope definition: the scope of applications within the bank was defined.

    - Selection of cloud services: an overview of cloud service providers and their solutions was drawn up and briefly described. Prerequisites were:

      - a proven track record at financial organisations;

      - data residing within the EU;

      - ISO 27001 certified.

    - Outline of business case: potential benefits of the selected solutions were identified.

    - Outline of risk assessment: potential risks, mitigations and residual risks were assessed.

    - Opportunity analysis: suitable areas for cloud computing were identified.

    Only a fraction of the bank's applications were suitable for the cloud. The main restricting factors regarding cloud computing were the low number of providers with a solid track record, the risk of lock-in and the confidentiality of the bank's data.

    Figure: KPMG's cloud opportunity scan. Applications (development platform, portals, office, e-mail, HR, ESB, CRM, ERP, finance, BI, DMS, billing, intranet, BPM) are plotted as commodity applications versus primary process applications and as public domain data versus confidential data, and rated suitable, suitable in the long term, suitable under stringent conditions only, or unsuitable.

    Source: KPMG in the Netherlands, 2010


    8.2 Risk management

    Risk management is an essential element in the hybrid environment. Next to the traditional risk management activities for traditional IT, specific attention should be paid to measures mitigating the risks of excessive provider dependency, complexity of processes and technology, and assurance.

    Regarding the dependency on providers and their solutions, risk assessment at an early stage is advised. The provider's track record, integrity and financial/market position should all be assessed and verified. When it comes to cloud computing, decision-makers should bear in mind that the cloud computing market is in its development stage and that large-scale migrations to the cloud and expertise on this subject are scarce.

    In any event, the customer should have an exit/migration strategy prepared.

    Regarding the complexity of processes and technology, the entire ecosystem, including the various relations between the components of the hybrid environment, should be identified. Cloud services frequently comprise many parties at various locations, operating under different conditions and subject to different legislation. It is essential to identify the entire ecosystem and to obtain sufficient assurance on all its components.

    A right-to-audit for all off-premise services is recommended, although the reality is that large cloud service providers honour few requests for audits. Moreover, many auditors lack the technical knowledge and experience with the architecture of the cloud. As a consequence, many organisations are forced to rely on provider transparency through reports and certifications. It is advisable to utilise this secondary option to its maximum extent.

    Cloud computing has a number of specific characteristics with a major impact on the risk profile, such as external data storage and processing, the sharing of IT resources with other customers (multi-tenancy) and the dependency on the public internet. These characteristics imply potentially high risks and mitigations across multiple dimensions, including data, security, privacy, compliance and finance. Therefore, risks relating to all dimensions should be assessed, mitigating measures defined and responsibilities/accountabilities assigned.


    Case study 3: A cloud computing risk assessment for an organisation in the industrial markets sector

    KPMG was asked to assess the risks for an organisation already using cloud services. IT and security units were not involved during the purchasing process, which complicated the eventual mitigating measures.

    In the case of this organisation, we identified the following four relevant characteristics of cloud services concerning risks:

    - external data storage;

    - multi-tenancy architecture;

    - use of the public internet;

    - integration with the internal IT environment.

    These four characteristics were plotted on several risk dimensions.

    The main risks related to integration with the internal IT environment, and more specifically to authentication and authorisation of business users.

    Firstly, the customer organisation's authentication (3-factor) was stronger than the authentication supported by the cloud service provider (2-factor). This led to undesired weaknesses in the IT environment, with the result that the integrity and confidentiality of (financial) data could be harmed.

    Secondly, the processes for user management (creating, changing and disabling/deleting computer accounts) and authorisation (who and/or which roles have which permissions for which data) for internal IT resources could not be integrated with the processes of the cloud service provider. This situation of two separate domains therefore increased the risk of higher complexity, additional costs and management overhead.

    Figure: KPMG's risk dimensions model. Business risks: financial, security and privacy, operational, technology, regulatory and compliance, vendor.

    Source: KPMG in the US, 2010


    8.3 Governance

    Governance encompasses the management of multiple service providers, demand/purchase control, and the integration of processes and technology. Optimal governance of a hybrid environment will lead to a higher effectiveness of IT on the customer's side.

    Management of multiple service providers encompasses similar elements to those of traditional IT. However, there is greater emphasis on vendor management, legal support, compliance monitoring and integration. The main components of governance are depicted below.

    Cloud computing services can be purchased on demand by anyone in the organisation, outside the control of the IT and risk/audit departments. As a result, business users circumventing IT may cause a surplus/duplication of applications. A policy on cloud computing should be drafted in order to control the purchase of cloud computing services and promote correct use of the cloud. This policy should also outline conditions, commitments, service level requirements, the terms of engagement between provider and customer and procedures concerning compliance with the policy.

    Defining an architecture to ensure adequate interoperability between various technologies and service models is an important step and ensures alignment with the organisation's strategy. In general, a consistent architecture within one organisation outweighs the advantages of using several models. Understanding the architecture of various services and their relations is of major importance when implementing services. In this regard, it is recommended to pay specific attention to Identity and Access Management (IAM) and workflow integration, as they frequently pose technical difficulties in practice.

    Figure: Governance components: vendor management, contract management, service level management, legal support, enterprise risk management, compliance monitoring, demand management, service portfolio management, identity & access management, service integration, technical integration, security management.

    Source: KPMG in the Netherlands, 2010


    Cloud computing and tax issues: minimising risk and exposure

    Cloud computing's impact triggers taxation issues in the service provider's country as well as in the customer's country. Typically, three taxation themes need thorough consideration.

    The first is the fact that a permanent establishment issue may occur if a cloud computing vendor has a server in another country. In such cases, the other country's tax authorities may take the fiscal viewpoint that the server creates a local permanent establishment and that part of the related profits are taxable in their country.

    The second is in the field of VAT. For VAT purposes, a cloud computing vendor may need to register itself in foreign countries where its customers are based, and local VAT may be due.

    A third point of consideration is the set-up of cloud computing services. Under certain circumstances tax authorities may take the position that a cloud computing service rendered to a customer is subject to local withholding tax.

    It is important that the structure is set up correctly and processes are continuously monitored in order to minimise tax exposures and risks. This requires an integrated process and control framework.

    Through planning and structuring, there are opportunities to design tax-efficient structures under the appropriate circumstances.


    9 Key message

    Organisations are facing immense challenges in the aftermath of the financial crisis. Cost savings, faster time-to-market and innovation in an increasingly competitive business environment are the decision-makers' main concerns. Against the background of these challenges, to what extent does IT provide valuable support? The reality is that IT costs too much without adding sufficient value and can even hinder innovation.

    A paradigm shift in IT is currently taking place, away from traditional, locally installed and managed IT towards applications on the internet, the cloud. Cloud computing corresponds with the aims of business by delivering services at lower costs, enabling faster deployment of applications and facilitating innovation. Yet cloud computing's share of the IT market is marginal and the portfolio of services limited. At the same time, the growth of cloud computing is solid, in accordance with the industry's high expectations.

    Nonetheless, a new paradigm is underway. It will not be a sudden transition from traditional IT to the cloud. Neither will it mark an end to all the shortcomings of the old paradigm.

    The new paradigm of IT will be a hybrid environment with both traditional, on-premise IT and services in the cloud, at least for the time being (2011 - 2015). This offers opportunities for organisations (cost effectiveness, flexibility and speed) as well as specific points to consider.

    Orchestration of the hybrid environment will be a critical success factor. Orchestration encompasses the ability to define business cases, risk assessments and the governance of multiple service providers, demand/purchase control and the integration of processes and technology. Optimal orchestration of a hybrid environment will lead to a higher effectiveness of IT on the customer's side, and to an organisation that can cope with tomorrow's challenges in an ever changing marketplace.

    Key message

    - Organisations are challenged with cost savings, faster time-to-market and innovation

    - Traditional IT is unable to support the business

    - Cloud computing seems to offer solutions

    - Cloud computing is emerging but still a marginal phenomenon

    - Hybrid environment is the mode of IT for 2011 - 2015

    - Hybrid environment harbours opportunities and risks

    - Orchestration of the hybrid environment is a critical success factor

    Source: KPMG in the Netherlands, 2011

    Appendix

    Appendix A: Cloud computing in more detail

    A search using an internet search engine delivers a multitude of definitions, descriptions and opinions on cloud computing. Some speak of applications on the internet or a computational style in which IT provides scalable and flexible capabilities as services to external customers through the use of internet technology, while others qualify it with terms such as old wine in new bottles. Obviously there is a lack of consensus and a lot of confusion about what cloud computing actually is.

    Simply viewed, cloud computing stands for the provision of IT services from shared resources via the internet. The internet is often metaphorically depicted as a cloud, hence the term cloud computing. Well known examples of cloud computing applications include Gmail, Google Apps, Hotmail and Apple MobileMe.

    The reason why this seemingly simple concept is so differently explained by IT providers, analysts and academics is mainly due to the fact that cloud computing is a combination of important technological and business elements.

    From a technological perspective, cloud computing is based on already existing technologies such as virtualisation, web services, shared data caches and grid computing. Since ASPs (Application Service Providers) have been providing IT applications over the internet for more than a decade, cloud computing can indeed be described as old wine in new bottles.

    However, the commercial provision of IT services over the internet on a large scale from shared pools of IT resources has only become economically viable due to three relatively recent developments. Firstly, the above mentioned technologies, of which virtualisation and web services are the most important, have been refined, standardised and widely applied during the last five years. Secondly, public broadband networks have become abundant and readily available at a reasonable cost. Thirdly, some providers have expanded the scale of their IT resources enormously, making them the major players in today's cloud computing market.

    "Cloud computing stands for hosted applications and platforms, built on shared infrastructure, delivered via a web browser." An Industry Head at Google Enterprise

    Figure: Traditional, on-premise IT versus cloud computing. On-premise: the customer holds the hardware, software and data, pays licence and support costs to the vendor, and delivers IT services to its users. Cloud computing: the vendor holds the hardware, software and data and delivers IT services to the customer's users over the internet, paid by subscription or pay-as-you-go.

    Source: KPMG the Netherlands, 2010

    The business principle of cloud computing is based on the fact that possession/ownership of IT resources (i.e. applications, platforms or infrastructure) is independent of the use of these resources. In cloud computing, the IT resources, whether an application or storage, remain the property of the cloud service provider and customers only pay for the use of the IT service without requiring local software or hardware installations. In theory, cloud computing does not require upfront investments (capital expenditure), unlike traditional, on-premise IT. The customer only needs access to the internet.

    Cloud services can be offered at various layers of IT. At the software layer, this service is called Software-as-a-Service (SaaS). Platform-as-a-Service (PaaS) provides IT services at the platform level (e.g. operating systems, application frameworks) and, in this case, additional software must then be developed or installed by customers. Infrastructure-as-a-Service (IaaS) provides technical infrastructure components (e.g. storage, memory, CPU, network). Additional platforms and software have to be installed by the customer, or specific infrastructure components can be utilised for on-premise processes (see the diagram below). In general, cloud service providers specialise in one or two layers only.

    Depending on the layer, cloud computing has the following characteristics:

    - External data storage and processing. Unlike traditional IT, data is stored and processed outside the customer's domain at the cloud service provider's location(s)

    - Multi-tenancy. Contrary to traditional IT, resources are (to a certain degree) shared by multiple customers

    - Internet-dependent. Although leased lines and proprietary networks can be used for cloud computing, its primary infrastructure is the public internet

    - Contracted services. Customers pay for a service (pay-as-you-go or by subscription) instead of licences and/or hardware

    - On-demand services. In contrast to the vast majority of traditional IT, cloud services can be used almost instantly

    - Elasticity. Cloud services can be easily upscaled and downsized

    Figure: Layers of cloud computing. SaaS (e.g. Salesforce.com, Microsoft Office 365, Gmail): software + platform + infrastructure. PaaS (e.g. App Engine, Force.com, Azure): platform + infrastructure. IaaS (e.g. Amazon EC2, Terremark, RackSpace): infrastructure.

    Source: KPMG the Netherlands, 2010

    Multi-tenancy may be limited to a select group of customers or even a single customer, although there is always a degree of multi-tenancy (e.g. physical facilities, cooling, support staff) with cloud computing. This form of private or dedicated cloud computing represents an alternative to the public cloud with its high degree of multi-tenancy. In either form, the customer's data is stored at the provider's location(s).

    Some providers offer private cloud computing solutions in which an organisation's internal IT department uses cloud computing technologies to create an on-premise cloud. Since this internal form of cloud computing is fully dependent on internal, on-premise IT, it is highly questionable whether this type can truly be called cloud computing. Therefore, any such notion of an internal cloud has not been discussed in this paper.

    Figure: Different types of cloud computing. Internal cloud computing: customer A's internal IT delivers the service to customer A. Private cloud computing: a provider delivers the service to customer A over the internet. Public cloud computing: a provider delivers services to customers A, B and C over the internet.

    Source: KPMG the Netherlands, 2010


    Appendix B: Approach, project organisation and references

    Approach

    This paper reflects KPMG's vision of cloud computing in a broad perspective. The basis of the content was provided by a team of international specialists on this subject within the KPMG International network of member firms during September and October 2010. In addition, existing KPMG reports and publications have also been used.

    Project organisation

    Author: Mike Chung

    Project executives: John Hermans and Frank Rizzo

    Project manager: Mike Chung

    With valuable support from: Nasreen Patel, Roy van der Veld, Dennis van Ham, Edo Roos Lindgreen, Ingar Glenn Pedersen, Tudor Aw, Matthias Bossardt, Alfred Koch, Rick Wright, Maarten de Boer, Serge Wallagh, Marco Franken, Willem Guensberg, Bhargav Shah, Marloes de Jong and Ralph Houtveen.

    References

    - From Hype to Future, KPMG's 2010 Cloud Computing Survey, KPMG, 2010

    - Clouds in the Forecast: Canadian perspectives on the promise of cloud computing services for businesses, KPMG, 2010

    - IT Attestation in the cloud, KPMG, 2010

    - Audit and Compliance in the cloud, KPMG, 2010

    - Executive Considerations When Building and Managing a Successful Cloud Service, KPMG, 2009

    - Audit in the cloud, security audits versus cloud computing, Mike Chung, KPMG, 2010

    - Assurance in the cloud, impact of cloud computing on financial statements, Mike Chung, Compact, 2011

    - OECD Information Technology Outlook 2010, OECD, 2010

    Contact us

    KPMG, Laan van Langerhuize 1, 1186 DS Amstelveen, The Netherlands

    P.O. Box 74500, 1070 DB Amsterdam, The Netherlands

    John Hermans, T: +31 (0)20 656 8394, M: +31 (0)6 5136 [email protected]

    Mike Chung, T: +31 (0)20 656 4034, M: +31 (0)6 1455 [email protected]

  • 2011 KPMG Advisory N.V. is a subsidiary of KPMG Europe LLP and a member firm of the KPMG-network of independent member firms affiliated with KPMG International Cooperative (KPMG International), a Swiss entity. All rights reserved. The KPMG name, logo and cutting through complexity are registered trademarks of KPMG International Cooperative. 045_0311

    The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.


    Key contacts

    John Hermans, Partner, KPMG in the Netherlands
    T: +31 6 5136 6389, E: [email protected]

    Mike Chung, Manager, KPMG in the Netherlands
    T: +31 6 1455 9916, E: [email protected]

    Frank Rizzo, Partner, KPMG in South Africa
    T: +27 11 6477 388, E: [email protected]

    Greg Bell, Partner, KPMG in the US
    T: +1 404 222 7197, E: [email protected]

    Rick Wright, Partner, KPMG in the US
    T: +1 617 988 1163, E: [email protected]

    Tudor Aw, Partner, KPMG in the UK
    T: +44 207 694 1265, E: [email protected]

    Alain Beuchat, Partner, KPMG in Switzerland
    T: +41 44 249 2017, E: [email protected]

    Matthias Bossardt, Senior Manager, KPMG in Switzerland
    T: +41 44 249 2239, E: [email protected]

    Uwe Bernd-Striebeck, Partner, KPMG in Germany
    T: +49 201 455 6870, E: [email protected]

    Arne Helme, Director, KPMG in Norway
    T: +47 40 63 9507, E: [email protected]