belgacom cloud computing workshop

Cloud Computing Workshop with Belgacom

20 June 2012

Agenda

ActivityActivity DurationDurationSpeakersSpeakers

Goal setting and expectationsGoal setting and expectations 10 min10 minKPMG/BelgacomKPMG/Belgacom

Setting the sceneSetting the scene 10 min10 minMike Chung Mike Chung

Best practices telcos and cloud servicesBest practices telcos and cloud services 45 min45 minMike Chung Mike Chung

BreakBreak 10 min10 min--

Demo Cloud Readiness ScanDemo Cloud Readiness Scan 15 min15 minTünde BalintTünde Balint

Rules, regulations and (pre)conditionsRules, regulations and (pre)conditions 35 min35 minJohn Hermans/Mike ChungJohn Hermans/Mike Chung

Determining Belgacom’s need for adviceDetermining Belgacom’s need for advice 25 min25 minBelgacom/KPMGBelgacom/KPMG

Defining steps forward and action itemsDefining steps forward and action items 15 min15 minKPMG/BelgacomKPMG/Belgacom

1: © 2012 KPMG Advisory, a Belgian civil CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in Belgium

Goal setting and expectations

Your nameYour nameYour nameYour name

Your function/roleYour function/role

What are your expectations?What are your expectations?

What question(s) would you like to have answered?What question(s) would you like to have answered?


Setting the sceneSetting the scene


Defining the cloud


Into perspective

Ongoing, solid growth in 2012• Microsoft Office 365 at All India Council for Technical Education containing 7.5 million Ongoing, solid growth in 2012• Microsoft Office 365 at All India Council for Technical Education containing 7.5 million

users• Google signs with BBVA to migrate over 100,000 users to GoogleApps• About 40% of CRM software has gone online (Wall street Journal)

users• Google signs with BBVA to migrate over 100,000 users to GoogleApps• About 40% of CRM software has gone online (Wall street Journal)

Evolving partnership ecosystem• HP Cloud with Amazon ECEvolving partnership ecosystem• HP Cloud with Amazon EC• Cisco, VMware, EMC, NetApp partnership• IBM pacts with Cloudera (Hadoop) – also with Siebel• Cisco, VMware, EMC, NetApp partnership• IBM pacts with Cloudera (Hadoop) – also with Siebel

Move towards privacy and security• New data centers in Europe (Verizon/Terremark, HP, Salesforce (planned))• GoogleApps ISO2700x certified

Move towards privacy and security• New data centers in Europe (Verizon/Terremark, HP, Salesforce (planned))• GoogleApps ISO2700x certified


• Emergence of external private clouds• Emergence of external private clouds

Emergence of telcos

DTAG’s Cloud 7 0 including SAP onlineDTAG’s Cloud 7 0 including SAP onlineDTAG s Cloud 7.0 including SAP onlineDTAG s Cloud 7.0 including SAP online

KPN’s Hybrid cloudKPN’s Hybrid cloudyy

Telenor’s Ibiroda cloud based on MSTelenor’s Ibiroda cloud based on MS

KT’s UcloudKT’s Ucloud


Presumed business case

Telcos own and manage (mobile) networksTelcos own and manage (mobile) networksTelcos own and manage (mobile) networksTelcos own and manage (mobile) networks

Telcos have an existing business client baseTelcos have an existing business client basegg

Telcos have full enterprise solutions portfolioTelcos have full enterprise solutions portfolio

Telcos have enterprise sales capability Telcos have enterprise sales capability


Best practices telcos and cloud servicesBest practices telcos and cloud services


Topics

Sales & marketingSales & marketingSales & marketingSales & marketing

Product portfolioProduct portfoliopp

Building blocks & integrationBuilding blocks & integration

Service & supportService & support


Approach

General market’s viewGeneral market’s viewGeneral market s viewGeneral market s view

Focus on the telecommunication sectorFocus on the telecommunication sector

Specific case regarding two telcosSpecific case regarding two telcos


Sales & marketing: market focus

SMBs vs enterprisesSMBs vs enterprisesSMBs vs. enterprisesSMBs vs. enterprises

National or internationalNational or international

Selected or generalSelected or general


Sales & marketing: unique selling points

PricePricePricePrice

TrustTrust

InnovationInnovation


Sales & marketing: revenue model

Emerging cloud pricing models

Subscription Usage basedFree – Ad Supported

• Still evolving• Primarily for applications

• Primarily for applications• Salesforce.com

• Infrastructure focus• Amazon AWS

Amazon Rackspace AT&T

SMB Focus:À la carte Product & Variable Pricing

Terremark

Enterprise Focus:Custom Built Product & Fixed PricingVs

.• None

Fixe

d • $100/month (One 1.2GHz server, 500 GB bandwidth, 50 GB storage)

• Compute: 10c -$1 2/instance hr*

• Compute: $0.01/compute cycle*bl

e

• Mostly fixed pricing– ~$4000/month for a

starting compute bundle

• Low variable pricing component

• Mostly fixed pricing– $2000/month for a

starting 5GHz compute bundle

• Low variable pricing component$1.2/instance hr

• Bandwidth: $0.10 -$0.17/GB

• Storage: $0.10/GB month

cycle• Bandwidth: $0.25/GB• Storage: $0.5/GBVa

riab component component

– $425/Ghz month added capacity


Product portfolio: overview

2003-20042003-2004 2007-20082007-2008 2009-20102009-2010 2011-present 2011-present

BT Open Orchard T-Systems Dynamic

Telstra T-Suite

NTT Business Security Telia Sonera Business

Vodafone Cloud Services SK Telecom T-bizpoint

Software as a Service (SaaS)

Software as a Service (SaaS)

T-Systems Dynamic Services

T-Suite Orange IT Plan

Telia Sonera Business Class Cloud Services

Telefónica Aplicateca Softbank White Cloud T-Systems ERP on-

demand

Platform as a Service (PaaS)

Platform as a Service (PaaS)

T-Systems (Database and Middleware Environments)

SK Telecom Cloud Computing Platform

AT&T Telstra KT Ucloud

AT&T Synaptic Hosting Orange Flexible computing

BT Virtual Data Center

Telecom Italia NTT IaaS Telefónica (T-Cloud)

Infrastructure as a Service

(IaaS)

Infrastructure as a Service

(IaaS)

BT Virtual Data Center Verizon Computing as a

Service AT&T Synaptic Storage

and Compute Telefónica: Cloud

Storage & Virtual Data

Telefónica (T Cloud) KPN Hybrid Cloud


gCenter

Product portfolio: different concepts

Proprietary services vs partnershipsProprietary services vs partnershipsProprietary services vs. partnerships Proprietary services vs. partnerships

Development or acquisitionDevelopment or acquisitionp qp q

Reselling or value-added servicesReselling or value-added services


Product portfolio: scope of services

Integration/aggregation servicesIntegration/aggregation servicesIntegration/aggregation servicesIntegration/aggregation services

SaaS, PaaS, IaaSSaaS, PaaS, IaaS, ,, ,

Private vs publicPrivate vs public


Product portfolio: partnerships

Reselling of cloud servicesReselling of cloud servicesReselling of cloud servicesReselling of cloud services

ConsultancyConsultancyyy

Technology partnershipsTechnology partnerships


Product portfolio: ecosystem of cloud

Cloud service vendors Cloud service integratorsCloud enablers

Provide the actual cloud services spanning SaaS

Provide cloud focused technology services such as

Provide the technology,

Value added

services, spanning SaaS, PaaS and IaaS, to customers

technology services such as system integration, cloud migration and maintenance

infrastructure, platforms and Middleware to enable provision of cloud services

H/W and S/W vendors IT & Services players (HW & SW vendors / IT distributors)

Integrators

ExamplesPure Cloud players (e-commerce, Internet giants, Hosting companies)

TelcosTelcos


Product portfolio: example of candidates

System Integrators

Example Partner Candidates by Area of Expertise

Applications

y g

Application Development Platform

Infrastructure Platform Software

O S

Virtualization Software

Hardware

Operating System


Building blocks & integration: areas of concern

Identity & Access ManagementIdentity & Access ManagementIdentity & Access ManagementIdentity & Access Management

Network integrationNetwork integrationgg

Backend services integrationBackend services integration


Building blocks & integration: architecture

Organization Other Cloud Customers

Users

Services

Users

Internet or LAN Internet

Organizations Internal IT Service providerService provider Service provider

Hardware, software + data

Managed hostingPrivate-External


Third-Party Vendor (Multi-Tenant)Public


Internal Data CenterPrivate


Combined Public + Private CloudHybrid


Building blocks & integration: technology 1/2

CloudMultiple

authentication

IT function of CSPat

ion

Cloud ServiceCloud

Service

Cloud Service

PUBLIC CLOUD

authentication methods

MultipleCSPBusiness Service

Business ServiceVi

rtua

liza Service Cloud

Service

Multiple API

Multiple software

i

PRIVATE CLOUDOff-premiseCloud

versions

Hypervisor solutions –controlled in a unified

a

Unified data li i

Business Service

Service

Cloud Service

waypolicies and

security measures


Building blocks & integration: technology 2/2

Client

Multiple authentication methods (e.g. diff t AD

Load estimates

Message Client A

different AD trees)

How to assure SSO?

Different ft

estimates

Monitoring

queues

IT function of CSP

Business Service

Business ServiceVi

rtua

lizat

ion

Client B

softwareversions

Legacy applications

Data migration &

Old data which

Payment model

Client C

migration & different

data types

needs to be moved

Interfacesbetween in-house and

Backup/ restore

and failover

I f ti

Client D

cloud part of the application

Information security


Service & support: main topics

Cloud service advisory and consultancyCloud service advisory and consultancyCloud service advisory and consultancyCloud service advisory and consultancy

Customer supportCustomer supportpppp

Technical supportTechnical support


Service & support: service integrator model

The Business

IT Risk Management• Risk identification and

analysis across different CSPs

• Risk library

IT Risk Manager

Service Owner

Service Ownership:• Single Point of Contact

with the Cloud Service Providers (CSP) & IT

• Demand Capture• Services Standards • Risk library

• Vendor/CSP Audits

IT Finance Management

VendorManager

• Services Standards• Service Level

Monitoring

Vendor Management:

IT Finance Manager

Management• Business case• Service Costing and

Chargeback• SLA penalty-bonus

calculationRackspaceGoogle

Internal IT O i ti

Vendor Management:• Vendor certification• Contract Negotiations

GoogleAmazon Web Services

Organization(retained IT Services)


Summary

Emergence of telcosEmergence of telcos

Sales & marketingSales & marketing

Emergence of telcosEmergence of telcos

gg

Product portfolioProduct portfolio

Building blocks & integrationBuilding blocks & integration

Service & supportService & support


10 minutes break10 minutes break


Demo Cloud Readiness ScanDemo Cloud Readiness Scan


Cloud Readiness Scan: overview

CSP1

CSP2

People

or C

loud

CSP3

Process

ness

Stra

tegy

fo

TechnologyFinancial

Risk& Regulatory

CSP4Technology

Bus

in

Operational

Business requirements

Delivering Cloud solutions

Technology

1 3IT function requirements2


requirements solutions1 3requirements2

Cloud Readiness Scan: for providers

• Need to determine which part of the organization (which application) can be migrated to the cloud• Take into account different areas:

• Assess what needs to change to be able to adopt a service from a given cloud provider• Assess the integration efforts• Assess the integration efforts


Cloud Readiness Scan: a global effort


Demo


Rules, regulations and (pre)conditionsRules, regulations and (pre)conditions


Overview of (perceived) risks

Finance & Tax• Movement from CapEx to OpEx model • Tax considerations• ROI and cost/benefit analysis of cloud model

Finance & Tax• Movement from CapEx to OpEx model • Tax considerations• ROI and cost/benefit analysis of cloud model

Security

Security and Privacy• No control over critical security areas• Weak logical access controls• Legal jurisdiction over data

Security and Privacy• No control over critical security areas• Weak logical access controls• Legal jurisdiction over data

Security and

Privacy

OperationsFinance & Tax

BUSINESS CHALLENGES

& Tax Operations• Redundant roles and skills • Rapid change of the organization • Business resiliency impact

Operations• Redundant roles and skills • Rapid change of the organization • Business resiliency impact

Vendor Management• Ownership of responsibilities• Standards for interoperability• Reliance on the vendor

Vendor Management• Ownership of responsibilities• Standards for interoperability• Reliance on the vendor

IT

Regulatory d

Vendors

Information Technology• External access of the Data Center• Bypass of the IT for technology solutions• Change of the IT paradigm

Information Technology• External access of the Data Center• Bypass of the IT for technology solutions• Change of the IT paradigm

and Compliance

Regulatory and Compliance• Cloud provider’s compliance with regulations• Complexity of records management/records

retention

Regulatory and Compliance• Cloud provider’s compliance with regulations• Complexity of records management/records

retention


• Independent silo of information• Independent silo of information• Lack of industry standards and certifications• Lack of industry standards and certifications

Compliance: customer side

Laws and directivesLaws and directivesLaws and directivesLaws and directives

Internal control standards Internal control standards

Sector specific regulations Sector specific regulations


Compliance: main questions

Enterprise requirements

concerning data


concerning data

Enterprise IT controls setEnterprise IT controls set

What should the methodology to keep the controls up-to-date?

What should the methodology to keep the controls up-to-date?

Are our controls still valid and what need to be actualised?

Are our controls still valid and what need to be actualised?

RFPRFP

Contracts &

SLA

Contracts &

SLAAssuranceAssurance

How can assurance be obtained; statements be tested?

How can assurance be obtained; statements be tested?What should be the process toWhat should be the process to

-RFP- Negotiations

-RFP- Negotiations

SLAsSLAsWhat should be the process to include these controls in each

contract/SLA?

What should be the process to include these controls in each

contract/SLA?

- (Right-to-) Audit- (Realtime) Monitoring

-Periodical assurance reports


-Periodical assurance reports

Implemented controls in IT environment



Compliance: mode of assurance


concerning data


concerning data

Traditional mode Future mode

Enterprise IT controls set

Enterprise IT controls set

gg

Controls for on-premises ITControls for on-premises IT

Static controls setStatic controls set

Controls included for cloud and mobile services

Controls included for cloud and mobile services

Dynamic controls setDynamic controls set

Contracts &

Contracts &

Shell-specific quality statements

Shell-specific quality statements

AssuranceAssurance

Standardised quality statements

Standardised quality statements

-RFP- Negotiations

-RFP- Negotiations

& SLAs

& SLAs

Custom-fit monitoring and logging

Custom-fit monitoring and logging

AssuranceAssuranceRight-to-auditRight-to-audit

Standardised monitoring and logging

Standardised monitoring and logging

Limited right-to-auditLimited right-to-audit





gg ggg g

Dedicated IT resourcesDedicated IT resources

On-premise data processing & storage

On-premise data processing & storage

gg ggg g

Shared IT resourcesShared IT resources

External data processing & storage

External data processing & storage

-Periodical assurance reports-Periodical assurance reports


Security and privacy


Security risk profile

Data processing and storage

On-premise Off-premise

Resource use Single-tenant Multi-tenant

Primary network LAN (Public) internetyinfrastructure

( )

Cl dOn-premise IT SSC Hosting Outsourcing Cloud computing


Compliance: trust

ReputationReputationReputationReputation

GuaranteeGuarantee

AssuranceAssurance


KPMG’s track record: framework development

• ISO 27017 Working Group• ISO TC68 Financial Services Security subcommittee and working groups• ISO 27017 Working Group• ISO TC68 Financial Services Security subcommittee and working groups• ISO TC68 Financial Services Security subcommittee and working groups• ISO SC27 Information Security working groups• BITS Shared Assessments Cloud Working Group• ISACA Cloud Working Group

• ISO TC68 Financial Services Security subcommittee and working groups• ISO SC27 Information Security working groups• BITS Shared Assessments Cloud Working Group• ISACA Cloud Working Group• ISACA Cloud Working Group• IETF DNS Security working group• CA/Browser Forum• ANS X9 Financial Services Security board and working groups

• ISACA Cloud Working Group• IETF DNS Security working group• CA/Browser Forum• ANS X9 Financial Services Security board and working groups• ANS X9 Financial Services Security board and working groups• Identity Theft Prevention and Identity Management Standards Panel (IDSP)• AICPA/CICA Trust Services Task Force

AICPA/CICA Pri ac Task Force

• ANS X9 Financial Services Security board and working groups• Identity Theft Prevention and Identity Management Standards Panel (IDSP)• AICPA/CICA Trust Services Task Force

AICPA/CICA Pri ac Task Force• AICPA/CICA Privacy Task Force• AICPA/CICA WebTrust for CAs Task Force• NOREA

• AICPA/CICA Privacy Task Force• AICPA/CICA WebTrust for CAs Task Force• NOREA


KPMG’s track record: cloud audits

KPMG provides assurance services to providers

KPMG provides assurance services to providers

KPMG provides assurance advisory services to Fortune 500

enterprises

KPMG provides assurance advisory services to Fortune 500

enterprises

To be shown on demand


Summary

Laws and directivesLaws and directivesLaws and directivesLaws and directives

Internal control standards Internal control standards

Sector specific regulations Sector specific regulations

KPMG’s track recordKPMG’s track record


Contacts

John A.M. HermansPartner KPMG Risk ConsultingKPMG Advisory N.V.

drs. Mike Chung RE Senior ManagerIT Advisory - KPMG Advisory N.V.

Laan van Langerhuize 11186 DS AmstelveenPA: +31 20 6568131Mobile: +31 6 51366389

Laan van Langerhuize 11186 DS AmstelveenDirect Line: +31 (0) 20 656 4034Mobile :+31 (0) 61 455 9916Mobile: +31 6 51366389

[email protected] :+31 (0) 61 455 9916 [email protected]


© 2012 KPMG Advisory, a Belgian civil CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in Belgium.

The KPMG name, logo and “cutting through complexity” are registered trademarks or trademarks of KPMG International Cooperative (“KPMGtrademarks or trademarks of KPMG International Cooperative ( KPMG International”).

belgacom cloud computing workshop

Business

kpmg advisory

belgian civil cvbascrl

swiss entity

cloud computingworkshop

cloud services mike

enterprise focus

enterprise sales capability

minbest practices telcos