kpmg cloud computing presentation short version

Cloud computing: Assurance of “The Cloud”. Drs. Mike Chung RE, KPMG Risk & Compliance ADVISORY

Upload: mike-c

Post on 17-May-2015


DESCRIPTION

Cloud computing assurance audit KPMG

TRANSCRIPT

Page 1: Kpmg Cloud Computing Presentation   Short Version

Cloud computing

Assurance of “The Cloud”

Drs. Mike Chung RE

KPMG Risk & Compliance

ADVISORY

Page 2: Kpmg Cloud Computing Presentation   Short Version

© 2010 KPMG ELLP, the member firm of KPMG International, a Swiss cooperative. All rights reserved. KPMG and the KPMG logo are registered trademarks of KPMG International, a Swiss cooperative.

Cloud computing - introduction

Cloud computing as phenomenon

• The IT (model) of choice for 2010 and beyond
− More than 10 million enterprises in the cloud within 3 years
− More than 50% of all Fortune 500 companies are already using cloud computing

• Heavy investments from big software vendors and IT integrators
− Google: enormous data storage capacities, new services, aggressive marketing campaign
− Microsoft: considerable expansion of data centres
− Salesforce.com: new platform services, building data centres in Europe
− Accenture: offering of implementation and advisory services
− T-Systems: offering of cloud and integration services

• Growing interest despite/thanks to economic downturn and the perceived reliability of the internet

Page 3: Kpmg Cloud Computing Presentation   Short Version


Cloud computing - definition

‘On-premise’ versus cloud computing

[Diagram comparing ‘on-premise’ and cloud computing. On-premise labels: Customer, Users, Internal IT, IT services, Hardware, software + data, Software vendor, Software licences + support costs. Cloud computing labels: Customer, Users, Internet, Cloud vendor, IT services, Hardware, software + data, Subscription or ‘pay as you go’.]

What is cloud computing?

• Hosted services from the (inter)net, metaphorically depicted as a ‘cloud’
• Utilisation of Web 2.0
• ASP 2.0

• Examples:
− Software-as-a-Service (Salesforce.com, Microsoft BPOS, Gmail)
− Platform-as-a-Service (Google Apps, Force.com, 3tera AppLogic)
− Infrastructure-as-a-Service (Amazon EC2, Citrix Cloud Centre)

• Characteristics
− Separation of ownership and use
− On-demand
− Elastic
− Multi-tenant
− External data storage
− Use of the (public) internet

Page 4: Kpmg Cloud Computing Presentation   Short Version


Cloud computing - opportunities

Opportunities

• Cost savings
− Costs are transparent and relatively easy to manage: shift from CAPEX to OPEX
− Costs (TCO) are significantly lower when compared with traditional ‘on-premise’ counterparts: between 10% and 50% of original costs

• Complexity reduction & business-focus
− Complete outsourcing of IT
− IT management discontinued or reduced to demand management and vendor management
− All required software services accessible through the internet without additional client software
− The enterprise can really focus on its key activities without being hampered or curbed by the internal IT department

• Economies of scale
− The cloud vendor is able to deploy new technologies and service processes efficiently through economies of scale
− Efficiency and effectiveness of cloud services can be enhanced

Page 5: Kpmg Cloud Computing Presentation   Short Version


Cloud computing - risks

Risks

• External data storage
− Weak control over data (failing backup & recovery)
− Legal complications (violation of privacy, conflicting legislation)
− Viability uncertain (insufficient guarantee on continuity and availability of services)

• Multi-tenancy architecture
− Inadequate segregation of data
− Poor Identity and Access Management (IAM)
− Insufficient logging and monitoring
− Weakest link is decisive (virtualisation, shared databases)

• Use of the public internet
− Vague and/or non-existing accountability and ownership
− Loss, misuse and theft of data
− No access to data and/or services

• Integration with the internal IT environment
− Unclear perimeters
− No connection and/or alignment with internal security
− Complexity of integration

Page 6: Kpmg Cloud Computing Presentation   Short Version


Cloud computing - assurance

State of affairs

• Auditing of cloud computing environments requires specific knowledge due to the particular architecture (multi-tenant, processes), new technologies (advanced web technology, SOA and virtualisation) and changing organisational and legal aspects, and corresponding risks.

• The much-needed expertise and experience on cloud computing audits and risk management are scarce. Vendors and integrators focus purely on implementations.

• Various surveys show that large organisations have the following questions regarding the cloud:
− What are the main (security) risks and mitigations?
− What are the possible solutions and suitable vendors?
− What should be the migration strategy and architecture?

Page 7: Kpmg Cloud Computing Presentation   Short Version


Cloud computing - KPMG

What does KPMG do?

• KPMG performs audits on the customer’s side
− Specific audits on cloud computing environments (security, performance, feasibility)
− As part of the regular IT audits

• KPMG performs audits on the vendor’s side
− SAS70 audits
− Certifications (ISO27001, ‘cloud computing quality marks’)

• KPMG performs risk assessments

• KPMG performs benchmarking

• KPMG delivers high-quality, independent advisory services
− Market research
− Cloud computing strategies
− Cloud architectures
− Quality Assurance

Page 8: Kpmg Cloud Computing Presentation   Short Version


Cloud computing - contact

Ing. John Hermans RE

Associate Partner

KPMG Advisory N.V.

Tel: +31 6 5136 6389

E-mail: [email protected]

Drs. Mike Chung RE

Manager

KPMG Advisory N.V.

Tel: +31 6 1455 9916

E-mail: [email protected]