New Paradigm of Automation
How to orchestrate
January 2011, Rotterdam
drs. Mike Chung RE
Risk & Compliance
ADVISORY
© 2011 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.
Introduction
Hypothesis
Paradigm shift in automation is in progress
Hybrid environment is the ‘future’ mode of operation
Orchestration of this hybrid environment will be a critical success factor
Why this presentation?
We, auditors, see organizations taking irresponsible risks in an increasingly complex technology and business environment
We strongly feel auditors are to provide clear and structured insight into risks and mitigations
We believe in sharing this knowledge to benefit the community
Objectives
Understanding the context of the new paradigm
Addressing the considerations
Defining steps forward
Assumptions & limitations
Assumptions
  Participants have advanced (technical) knowledge of IT
  Locally-installed and managed IT as ‘traditional’, on-premise IT
Limitations
  Not an exhaustive overview
  One-way communication
Understanding the context
Current business challenges
Cost savings
  Cost savings often necessary in order to maintain profit margins
  In practice, difficult to enforce, and cutting expenses is never a popular measure
Time-to-market
  Volatile consumer and employee demands
  Short lifetime of products and services
  Delay results in significant loss of opportunity and a smaller market
Old paradigm
Increasing expenditure
  IT spending at up to 5% of revenue for Fortune 500 enterprises and over 5% of government budgets in most OECD countries
  80% of these costs spent on maintenance of the existing IT
  IT budgets show an upward trend
Rigid and static
  Bound to existing, local IT resources
  Deployment of new services bears high risks and involves more time and effort
  Never designed to facilitate mobile use
Trend: centralization and commoditization
Centralization of IT assets
  Economies of scale result in cost savings
  Centralized delivery of services facilitates volatile demand more effectively
Commoditization
  Standardized use of IT services leads to lower costs
  Turnkey solutions are easier to deploy
Various solution models (1/2)
Portfolio management
  Management of IT purchases
  Controlled use of existing IT assets
  ‘Vendor/solution-X-unless’ policies
Shared Service Centers
  Centralization of scattered IT units and resources
  Allocation of expertise and IT assets
Hosting
  Use of provider’s IT resources to host specific services (e.g. web sites)
  Use of provider’s IT resources as additional IT capacity
Various solution models (2/2)
Outsourcing & offshoring
  Shift of IT services to providers
  Transfer of IT units and resources to providers
Cloud computing
  Use of standardized, shared services from providers (varying degrees of multi-tenancy)
  IT service as a commodity
Supporting technologies/infrastructure
  Virtualization
  Web services and ‘Service Oriented Architecture’
  Broadband internet
  Mobile networks
“I realised that what I was standing in was a prototype of a new kind of power plant – a computing power plant that would come to power our information age the way great electric plants powered the industrial age.” Nicholas Carr, The Big Switch
[Figure: solution models positioned by outsourcing of IT resources and management (low to high) against resource sharing (low to high): Locally installed IT, SSC, Hosting, Outsourcing & Offshoring, Cloud computing. Source: KPMG]
Old to new paradigm
[Figure: three columns, Traditional IT, Outsourcing and Cloud computing, each showing the provider’s proprietary technology and processes, IT assets/resources, IT management and data, on an axis running from ‘Managed’ to ‘Purchased’]
Cloud computing
Cloud computing: definition(s)
Too many definitions of cloud computing
  “Cloud computing is storing your data on someone else’s hard disk and accessing it via a network”
  Hosted services from the (inter)net, metaphorically depicted as a cloud
  Utilization of Web 2.0
  ‘ASP 2.0’
Characteristics:
  Multi-tenancy (resource sharing)
  Separation of use and ownership of IT assets
  Subscription based
  Elastic (upscale and downsize)
  External data storage
  Use of the internet
On-premise vs cloud computing
[Figure: side-by-side comparison. ‘On-premise’: Customer; Hardware, software + data; Users; IT services; Vendor; Licences and support costs. Cloud computing: Customer; Hardware, software + data; Users; IT services; Vendor; Subscription, pay-as-you-go; Internet]
Cloud computing: types and layers
Types of cloud computing
  Public cloud
  External private cloud
  Internal private cloud
Layers
  Software-as-a-Service (Salesforce.com, Gmail, Office 365)
  Platform-as-a-Service (Google AppEngine, Force.com, Azure)
  Infrastructure-as-a-Service (Amazon EC2, Terremark Cloud)
Cloud computing: history
First computer: UNIVAC in 1940
Thomas Watson: “the world needs only five computers..”
Hardware revolution 1960 - 1970
Mainframe era 1970 - 1990
Rise of the client computer 1980 - 1990
Rise of the client-server architecture 1990 - 1995
Rise of the network computer 1995 - 2000
Moore’s law
Grove’s law
By 2005:
  Sufficient bandwidth
  Matured virtualization technology
  Matured web services technology
  Salesforce.com
Cloud computing down-to-earth
Cloud computing is marginal
  Current share of external types of cloud computing in IT is less than 5%
  The US is the leading outlet of cloud services (60%); the rest of the world can be considered as periphery
  Internet platforms for collaborative/social purposes are yet to be adopted by business communities
Cloud computing is considerable
  The market of cloud computing is expected to grow between 20 and 40% per year (2010 – 2015)
  According to a recent survey by KPMG, more than 40% of corporations are already using some form of cloud computing
  Cloud computing is part of the paradigm shift in automation from locally installed/managed IT towards centralized delivery and shared use of services
Sources: KPMG, OECD, IDC, Burton Group
Incidents and threats in practice
Incidents
  Hackers stole credentials of Salesforce.com’s customers via phishing attacks (2007)
  Thousands of customers lost their data in the cloud due to the ‘Sidekick disaster’ of Microsoft/T-Mobile (2009)
  Botnet incident at Amazon EC2 infected customers’ computers and compromised their privacy (2009)
  Thousands of Hotmail accounts were hacked due to technical flaws in Microsoft’s software (2010)
Threats
  Botnets are increasingly threatening access to internet services
  SPAM, excessive traffic of multimedia sites and P2P networks are clogging the internet’s arteries – internet traffic is growing by 40% per year
Sources: KPMG, Cisco
Considerations
New paradigm of automation: hybrid environment
Given the position of cloud computing and the ongoing wave of sourcing, the future mode of operation will be a hybrid environment
At large organizations, this hybrid environment will consist of on-premise IT, outsourced parts, parts on hosting providers, and parts in the cloud
New paradigm: hybrid environment
Source: KPMG
Characteristics impacting risk profile
Location of data storage and IT assets
  Traditional IT: on-premise; within the internal security domain of the customer
  Cloud computing: off-premise; outside the internal security domain of the customer; hosted/located at the cloud service provider or distributed/scattered over a multitude of (third-party) providers
Usage of (IT) resources
  Traditional IT: exclusive to the customer
  Cloud computing: varying degrees of multi-tenancy
Principal infrastructure
  Traditional IT: LAN, leased lines
  Cloud computing: public internet
Risk dimensions
[Figure: risk dimensions arranged around ‘Risks’: Technology, Compliance & Legal, Data, Operations, Provider, Finance. Source: KPMG]
Risk dimension: data
External IT operations
  Inadequate and/or insufficient data security measures at the provider’s location(s) compromising data integrity and confidentiality
  Issues with retracting data after termination of service
Multi-tenancy
  Inadequate data segregation and process isolation leading to data contamination and/or breach of confidentiality
  Inadequate Identity & Access controls causing illegitimate access to sensitive data such as intellectual property
Public internet
  Unencrypted data getting lost or stolen in transfer
  Clogged parts of the network causing unavailability of data
Risk dimension: operations
External IT operations
  Discontinuation of business-critical services due to failing disaster recovery at the cloud service provider
  Unclearly defined SLAs leading to unsatisfactory services
Multi-tenancy
  Restricted/limited services due to insufficient allocation of resources and/or capacity
  Standardized functionalities not meeting business requirements
Public internet
  Dependency on internet access and availability for all cloud services
  Uncontrolled access from unsecured/malware-infected client devices affecting services
Risk dimension: compliance & legal
External IT operations
  Compliance issues due to lack of assurance concerning the physical location of data
  Location of data in different jurisdictions conflicting with local legislation applicable to the customer
Multi-tenancy
  Complexity of ensuring compliance due to the ‘black box’ nature of shared resources (monitoring & logging)
  Compliance issues due to a complex or unclearly defined ecosystem of third-party cloud services
Public internet
  The public internet is exceptionally hard to audit and to monitor
  Accountability and responsibilities for internet traffic are difficult to assign and even more difficult to enforce
Risk dimension: technology
External IT operations
  Integration issues due to cross-vendor incompatibility
  Divergent technical controls between internal and external IT resources causing inconsistent security levels
Multi-tenancy
  Standardized security controls not meeting the customer’s on-premise technical standards
  Standardized functionalities not meeting the technical change control capabilities of the customer
Public internet
  Measures to secure internet traffic of valuable data leading to deviating company security standards
  Lack of possibilities to influence technology on the internet
Risk dimension: finance
External IT operations
  Underestimated cost of migration
  Inaccurate estimation of cost for pay-as-you-go/subscriptions of cloud services versus on-premise cost
  Underestimated cost of legal and risk management support
  Capital destruction due to unused on-premise IT assets and unused potential of human resources
  Additional cost in retrenchment of IT staff
Public internet
  Additional cost for leased lines and/or more bandwidth
  Additional cost for measures to secure internet traffic
Risk dimension: vendor
External IT operations
  Vendor lock-in due to usage of proprietary standards
  Discontinuation of business-critical services in case of bankruptcy of the cloud service provider
  Cloud computing may be part of a ‘tech bubble’ – massive investments in an uncertain business model (one big incident at Google or Microsoft can push back months of progress)
Multi-tenancy
  Undesirable change of services or service levels in case of strategy alterations or take-over of the provider
  Less customization due to shift of focus of the provider
Addressing the challenges
New paradigm: hybrid environment
Source: KPMG
Orchestration
Orchestration of automation will be the critical success factor
  Management of multiple providers
  Integration of different technologies
  Risk control over various dimensions
IT complexity will gradually reduce, but compliance challenges and legal complexity will increase
  Continuous monitoring of compliance
  Legal support as integral part of service management
The key risk resides in the organization’s inability to orchestrate the new paradigm of automation
  Dependency on static IT units
  Proliferation of services
Control & trust
[Figure: Traditional IT, Outsourcing and Cloud computing on the same layout as the ‘Old to new paradigm’ diagram (provider’s proprietary technology and processes, IT assets/resources, IT management, data), annotated with ‘Span of control’ and ‘Trust’]
Scope of audit/assurance and area of difficulty
[Figure: Traditional IT, Outsourcing and Cloud computing on the same layout as the ‘Old to new paradigm’ diagram (provider’s proprietary technology and processes, IT assets/resources, IT management, data), annotated with ‘Scope of audit’ and ‘Trust’]
Current audit standards
Localized IT as starting point (ITIL)
Strong focus on ‘traditional’, on-premise IT (ISO27001/2, PCI DSS)
Static (Cobit)
Strong focus on processes (SOx)
New audit ‘standards’
Abundance of ‘standards’
  ENISA, Cloud Computing Benefits, risks and recommendations for information security
  ENISA, Cloud Computing Information Assurance Framework
  Cloud Security Alliance (CSA), Top Threats to Cloud Computing V1.0
  ISACA, Cloud Computing: Business Benefits With Security, Governance and Assurance Perspective
  ISF, Security Implications of Cloud Computing
  OWASP, Application Security Verification Standard 2009 – Web Application Standard, 2009
  KPMG, Beveiligingraamwerk SaaS
Limited scope, mainly focused on security
Scarcely used, barely accepted by the market
Compliance
Responsibility and risks are with the customer, not the cloud service provider
Legislation versus the current state of (technical) affairs
Compliance with different legislation from different countries (SOx, HIPAA, PCI DSS, WBP, ...)
SAS70/ISAE 3402/3000 as a way out?
SAS70/ISAE 3402/3000: objections
Limited to processes relevant to financial statements
Free to choose the controls
Dependent on the expertise and view point of the auditor
Many variations on audit approach, set-out and level of (technical) detail
Wide intervals between audits
SAS70/ISAE 3402/3000 in practice
Same standards used as for on-premise IT environments
Hardly any attention on multi-tenancy, service integration and external data storage
Superficially reviewed by (potential) customers and auditors
Lacunas rarely raised
Conclusion
New paradigm: hybrid environment
Source: KPMG
Our role
Understand
Participate
Keep your eyes open and keep your head cool
Conclusion
Paradigm shift in automation is in progress from locally-installed and maintained IT (on-premise IT) towards the centralization and commoditization of IT services
Hybrid environment consisting of different service models is the ‘future’ mode of operation
Orchestration of this hybrid environment will be a critical success factor
Literature
Above the Clouds: A Berkeley View of Cloud Computing, University of California at Berkeley, 2009
Top Threats to Cloud Computing V1.0, Cloud Security Alliance (CSA), 2010
Cloud Computing Benefits, risks and recommendations for information security, ENISA, 2009
Cloud Computing Information Assurance Framework, ENISA, 2009
Cloud Computing: Business Benefits With Security, Governance and Assurance Perspective, ISACA, 2009
Security Implications of Cloud Computing, ISF, 2009
From Hype to Future, 2010 Cloud Computing Survey, KPMG, 2010
Clouds in the Forecast - Canadian perspectives on the promise of cloud computing services for businesses, KPMG, 2010
Executive Considerations When Building and Managing a Successful Cloud Service, KPMG, 2009
Application Security Verification Standard 2009 – Web Application Standard, OWASP, 2009
Mike Chung & Walter van Holst, Vendor lock-in in de cloud, Automatisering Gids, August 2010
Mike Chung, Audit in the Cloud, KPMG Nederland, 2010
Mike Chung, Data Lifecycle in the Cloud, KPMG, 2010
Mike Chung, Informatiebeveiliging versus SaaS, EDP-Auditor no. 2, 2009
Abhijit Dubey & Dilip Wagle, Delivering Software as a Service, McKinsey Quarterly, May 2007
Contact
Drs. Mike Chung RE
Manager
KPMG Advisory N.V.
E-mail: [email protected]
+31 (0)6 1455 9916
About the painter & painting
J.H. Weissenbruch was a famous 19th-century Dutch painter, renowned for his depiction of clouds
His style of painting with various tones of grey and brown is typical for the so-called Hague School (Haagse School)
The ever-changing ‘skyscape’ of clouds and sunlight above the Low Lands and the North Sea was a source of inspiration for the painters of the Hague School
This painting is called Landschap met een boerderij bij een plas (Landscape with a farmhouse at a pond)