saas cloud computing presentation kpmg - opportunities, implications and practices

ADVISORY Software-as-a-service Opportunities, implications and practices Mike Chung

Upload: mike-c

Post on 01-Sep-2014


DESCRIPTION

What are the opportunities, implications and practices of Software-as-a-service?

TRANSCRIPT

Page 1: SaaS Cloud computing presentation KPMG - opportunities, implications and practices

ADVISORY

Software-as-a-service

Opportunities, implications and practices

Mike Chung


© 2008 KPMG EDP Auditors N.V., registered with the trade register in the Netherlands under number 33263684, is a member of the KPMG network of independent firms affiliated with KPMG International, a Swiss cooperative. All rights reserved. 145_0908

Contents

• Introduction

• Definition of SaaS

• Opportunities of SaaS

• Points of consideration

• Risks of SaaS

• Overview of main risk areas

• SaaS life cycle methodology

• KPMG’s reference model for SaaS

• Conclusion

• Contact details


Introduction

• Software-as-a-Service (SaaS) has evolved from limited on-line software delivery of the late 1990s to a fully matured “direct-sourcing” business model for enterprise application services

• SaaS is one of the fastest growing ICT service concepts: more than 10 million companies will be using SaaS in the next 5 - 10 years; more than 50% of all Fortune 500 companies are already using SaaS for one or more application services

• According to influential IT institutes, SaaS is the leading business model of choice for 2008/2009

• Virtually all big software/service vendors (Microsoft, Oracle, IBM, Cisco) are investing heavily in SaaS while the ‘traditional’ SaaS/ASP vendors such as Salesforce.com and Google are expanding their business application services steadily

• With the continuously increasing bandwidth and reliability of the internet, using web services over the (public) internet has become a viable option for many companies

• An increasing number of SaaS vendors and SaaS aggregators are offering customized, market-specific solutions


Definition of SaaS

• Software provided as a service by a software vendor to multiple customers with the following main characteristics:

– Standardisation of software – eventually customized for specific customers and markets

– License based on usage (subscription or “pay-as-you-go”)

– Service including maintenance, support and upgrades

– Data storage at the SaaS vendor

– Web based – usage over the (public) internet

[Figure: ‘On-premise’ versus ‘On-demand’ (SaaS) delivery. Labels: Software vendor, Customer, User, Software services, Software + data, Software licenses & Operational costs, ‘Pay-as-you-go’, Internet.]


Opportunities of SaaS 1/3

SaaS offers potential for lowering the Total Cost of Ownership

• Lower operational ICT costs
– No large scale, costly, high risk implementations of applications
– Fewer operational resources for application management
– No platform and hardware (maintenance) costs for application servers
– Reduced operational complexity: software delivered as a transparent service through the web

• Minimized software development costs
– No lengthy software development and testing cycles

• Lower costs for software use
– No software license and annual maintenance fees
– No expensive software upgrades
– Lower application consultancy and support costs
– Efficient use of software without paying for unused/unnecessary software and software modules
– Financial benefits by the Economies of Scale of the vendor


Opportunities of SaaS 2/3

SaaS offers potential for corporate’s business focus

• Focus on core business activities and responsibilities
– Transparent overview and usage of electronic data and information
– Automation of iterative, manual tasks
– Faster Time to Market – easy to scale software
– More flexibility in changing and modifying application services for business needs
– Full-scale integration of business processes

• Control over ICT
– Minimized ICT Service Management efforts mainly focused on availability
– Well-defined SLAs between the corporation and the ICT vendor
– More predictable cash flow – easier licensing based on access/usage of software

• Increased productivity and improved user satisfaction
– Shorter implementation times for ICT services and changes
– Single point of entrance to business applications provided via the web
– Automatic software upgrades with minimal outage


Opportunities of SaaS 3/3

SaaS offers potential for utilizing advanced ICT technology

• Enhanced level of security
– Less locally stored data and very limited locally installed software
– Monitoring and logging at one (vendor’s) location
– Benefits from the high security levels at SaaS vendors with centralised security expertise and experience
– Centralised redundancy and fall-back measures
– Integrated approach of security

• State-of-the-art technology
– Deployment of state-of-the-art technology by SaaS vendors investing for multiple customers
– Usage of energy-efficient technology
– Usage of technology that is scalable and flexible


Points of consideration

• Outsourcing of software services and (business critical) data

• Depreciation of existing software and software servers

• Integration/alignment of existing Service Management processes and the processes of the SaaS vendor(s)

• Single or multi-vendor solutions

• Standardized or customized services

• Several pricing models possible

• Identity & Access Management

• Direct contact with the software vendor or via SaaS resellers/aggregators

• The rate of “outsourcing”

• Logging and monitoring


Risks of SaaS (1/5)

Data confidentiality/integrity

• With SaaS, the business (critical) data is stored at a remote location outside the corporation’s controlled/owned range. This may well lead to extreme dependency on the vendor’s integrity and expertise concerning the corporation’s valuable and/or confidential data.

Risks:

– Loss of business data due to inadequate ICT operations by the vendor (redundancy, back-ups, storage)
– Abuse/misuse/theft of business data due to insufficient security measures including Identity & Access Management
– Abuse/misuse/theft of business data by vendor’s personnel
– Abuse/misuse/theft of business data by unauthorised external parties such as other SaaS customers
– Abuse/misuse/theft of business data by unauthorised internal parties causing breaches in the Segregation of Duties
– Non-compliance due to poor auditability
– Non-compliance due to lack of Segregation of Duties
– Uncontrolled data management caused by inadequate separation of data between different SaaS customers
– Privacy issues due to insufficient assurance to protect confidential and/or personal data


Risks of SaaS (2/5)

Service continuity & availability

• SaaS relies on the availability and the performance of the (public) internet. Any outage or performance degradation may well lead to loss of business. Moreover, since no one really “owns” the internet, it is exceptionally difficult to appoint responsible/accountable parties.

Risks:

– Discontinuity/unavailability of services in case there is no connectivity to the (public) internet
– Poor performance due to geographic limitations
– Difficulties in planning and forecasting when the performance of the internet fluctuates
– Loss of business data due to poor connectivity or unanticipated activities on the internet
– Loss/abuse/misuse/theft of business data caused by poor data protection when traversing unsecured networks
– Non-repudiation issues caused by insufficient authentication and verification mechanisms


Risks of SaaS (3/5)

Service integration

• Most SaaS vendors and aggregators/integrators offer a limited service catalogue, often focused on one market segment and/or functionality. Integration of SaaS with existing (legacy) services, as well as service integration between different SaaS vendors, may well lead to loss of functionality as well as a complex and potentially vulnerable IT environment.

Risks:

– Loss of software functionalities due to constraints in integrating different services
– Poor performance due to interface limitations
– Complexity of the IT environment due to many and/or customized interfaces and connections
– Difficulties in executing IT changes
– Complex root-cause analysis
– Security breaches caused by unclear perimeterisation and unclear demarcation of security responsibilities


Risks of SaaS (4/5)

Performance and support

• In principle, SaaS cannot guarantee better performance and support. Operational issues may have been transferred to the vendor, but that does not reduce the risk levels. The complexity of the ICT may have been outsourced, but that does not take away the complexity itself.

Risks:

– Poor performance of the serviced software due to constraints and limitations at the vendor (too many customers, insufficient capacity)
– Less flexibility and longer Time-to-market due to too standardised software or inadequate development and testing processes
– Difficulties in receiving support due to poor ICT governance at the vendor
– Poorly defined SLAs
– Difficulties in receiving support due to unclear agreements
– Imbalance between the customer’s service requirements/expectations and the vendor’s service delivery due to unrealistic expectations and/or inadequate mapping of services and requirements
– Long-lasting incidents and change requests due to complex root-cause analysis
– Complex service management due to multiple SaaS vendors and aggregators
– Loss of productivity by unannounced software/interface changes (Frankenstein Switch)


Risks of SaaS (5/5)

Legal and contractual

• Due to the relatively recent nature of the SaaS concept, legal and contractual issues are yet to be elaborated.

Risks:

– Difficulties in appointing responsible and accountable parties due to poorly defined contracts and agreements
– Increased ICT costs by choosing the wrong costs/pricing models
– Complex contract management due to contracts with multiple SaaS vendors and aggregators
– Difficulties in data restoration when changing vendors due to unclear contractual demands and lack of control from the customer’s perspective


Overview of main risk areas for SaaS


KPMG’s SaaS life cycle methodology (1/4)

• Strategy: Vision, Strategy, Feasibility Assessment, Business Case

• Scope & Plan: Current Architecture, Future Architecture, Outline Project Plan, Risk Analysis, Refined Business Case

• Design & Select: Selection Criteria, RFI / RFP, Vendor Evaluation, Selection and Contract

• Transition: Pilot, Detailed Project Plan & Approach, Migration/Implementation

• Deliver: SaaS Delivery, Benefits Realization, Monitoring, Risk and Controls Assessment

• Evolve: Strategic Reviews, New Contracts Negotiation, Performance Improvement


KPMG’s SaaS life cycle methodology (2/4)

1. Strategy

• Defining vision
– Drivers and objectives
– Outline scope of services to be purchased as SaaS

• Defining strategy
– Principles and standards
– Outline approach
– Tranches/plateaus

• Performing feasibility assessment
– Organisation and processes
– Technology
– Legal and contractual subjects
– Outline risk analysis

• Building the Business Case
– Drivers and objectives
– Alternatives and options
– Cost and benefits

2. Scope and Plan

• Assessing current architecture
– Business/Enterprise architecture
– Technical architecture

• Building future architecture
– Requirements and limitations
– Processes (service design)
– Technology

• Producing outline project plan
– Sourcing (HR and finances)
– Governance and project management

• Performing risk analysis
– Project risks including migration/implementation risks
– SaaS-related risks

• Refining the Business Case


KPMG’s SaaS life cycle methodology (3/4)

3. Design and Select

• Defining selection criteria
– Functional
– Service Management
– Migration/implementation strategy

• Publishing RFI/RFP
– Market research and analysis
– Tender strategy

• Evaluating vendors
– Assessment
– Proof of Concept
– Selection
– Due diligence

• Signing contract(s)
– SLAs including KPIs
– OLAs
– Legal agreements

4. Transition

• Setting up pilot
– Pilot migration
– Functional/technical implementation
– Service management
– Risk mitigation
– Evaluation

• Producing detailed, updated transition project plan and approach

• Executing migration
– Data
– Service (functional/technical)
– Service (governance/processes)


KPMG’s SaaS life cycle methodology (4/4)

5. Deliver

• Delivering SaaS
– Functional/technical
– Governance/processes

• Realizing benefits
– Financial
– Business-wise
– Service oriented
– Technological

• Monitoring

• Performing risk and controls assessment
– Security
– Service and performance
– Compliance
– Legal and contractual

6. Evolve

• Performing strategic reviews
– Functional/technical
– Financial
– Service delivery
– Risk assessment
– Pre/post SaaS impact
– Benchmarking

• Negotiating new contracts

• Processing performance improvement
– Remediation
– Restructuring
– Optimization


KPMG’s reference model for SaaS

[Figure: KPMG’s reference model for SaaS. Recoverable labels: Identity and Access Management, Integral Security Management, Federation.]


Conclusion

• As with opportunity comes danger, SaaS offers huge possibilities and poses serious risks

• While the software and operational activities can be transferred to the SaaS vendor, SaaS will not reduce the risk levels in principle

• To benefit optimally from SaaS, it is essential to take mitigating measures prior to implementation

• A structured approach and ‘best practices’ are key success factors


Contact details

Mike Chung

Manager

+31 (0)6 1455 [email protected]

Office address: KPMG IT Advisory, Burg. Rijnderslaan 20, 1185 MC Amstelveen, The Netherlands