February 2010Deloitte Consulting

Cloud computing10 things a CxO should know about cloud computing

2

3 Introduction 5 Why is it called ‘Cloud’ computing? 6 Corporate strategy needs to take Cloud computing into account 7 Cloud computing allows to adjust IT spending through operational expenditures 8 Business agility and IT flexibility 10 Business users are put into the information technology driver seat 11 The market is not yet mature 12 Uptime 13 Integration with the cloud 15 Considerable security and audit challenges 16 Cloud computing puts privacy compliance at risk 17 For further information 18 Disclaimer

Contents

Cloud computing10ThingsaCxOShouldKnowAboutCloudcomputing3

Todaymorethanever,organizationsneedtosecuretheircompetitiveadvantageandtocopewiththevolatilityandtheeverincreasingglobalizationofthemarkets.Whilefacingthesechallenges,CxOsshouldconsiderITasanenablerfortheirstrategy.ThisisespeciallythecaseasatechnologicalshiftisoccurringintheITspace:Cloudcomputing.

TheCloudallowsforimprovedITresourcesoptimization,virtuallyunlimitedscalabilityandgreaterflexibility,allatacontainedcost.Asaresult,Cloudadoptionisspreadingrapidlyandrepresentsanewopportunitythatcompaniesshouldnotignoregivenitsprofoundimpact.

Althoughnotnewasaconcept,CloudcomputingisnewinitsgeneralizedapplicationtoallITservicesandisthenextstepintherelentlessjourneyofcorporateIT.However,expectationsaboutthemeritsandimplicationsofCloudcomputingaredifferentfromorganizationtoorganization.Withthisinmind,wewillhighlight10keyaspectsofCloudcomputing,rangingfromitsimpactoncorporatestrategytowhatitmeanstoyourcapitalexpenditureandoperationalexpense,includingorganizational,securityandintegrationchallenges.

Notonlydowelookatmainadvantagesandexistingsolutions,butaswellwewillunderlinetherisksthatCloudcomputingtechnologyentailsandwhatcanbedonetoaddressthese.

PatrickCallewaert ChristianCombesCustomerPracticeLeadEMEA PartnerTechnologyandIntegration

Introduction

4

Cloud computing10ThingsaCxOShouldKnowAboutCloudcomputing5

Inthe1960s,engineersdesigningcomputernetworksdrewdiagramswhichincludedcloudoutlinestoindicatethefactthatinformationsentthroughthenetworkisroutedinvaryingways.Muchlikegasparticlesinacloud,theprecisepathofapacketofinformationcomingoutattheotherenddoesnotreallymatter.

Similarly,Cloudcomputingresources(suchasrawcomputingpower,datastorage,orcompleteapplica-tionspresentedinabrowser),areavailabletotheuser,buttheexactlocationoftheseservicesisofnoconcerntotheuser.

Infact,usersofCloudcomputingresourcesshouldnotcareabouthardwaremanagement,softwaremain-tenanceoranythingelseunderlyingtheserviceitself.JustasthewordcloudhasbecomeshorthandfortheInternet,‘Cloudcomputing’istheprovisioningofcomputingservicesovertheInternet.Usersarebilledforasubscriptionoronlypayforusage,muchlikepayingforelectricitybythekilowatthourinsteadofproducingitthemselves.

Therearethreemainadvantagesofdeliveryofserviceswithouthavingtoworryabouthardwaremanage-mentorsoftwaremaintenance:thefirstisscalability.Scalabilitymeansgoingfrom1usertothousandsormillions.Externalprovidersallocatecapacityamongmanyclients,whichallowthemtoapportionresourcesmoreorlessinstantlytoaclientasusageincreases.

Thesecondisinnovationandagility.Typically,ITsystemsareslowtoevolve.Majorfeatureupgradesareonlypushedthrougheverycoupleofyears,whichthenrequirecomplicatedsystem-widechanges.Instead,deliveryofsoftwareapplicationsthroughthebrowserallowsacontinuousstreamofimprovements,allowingforafasterinnovationcycle.

ThethirdisthereductioninupfrontITcapitalexpendi-turesforusers–betheyinhardwareorsoftware–byshiftingthesecoststovendorswhocanspreadthemacrosstheirclientbase.Indeed,insteadofpayingforhardwareandlicensesupfront,andhavingtowaitforthecustomizationofanonpremisesolution,Cloudconsumerspayaperiodicsubscriptionorutilizationfeewithminimalupfrontcostscoveringashorteneddeploy-menteffort.

Why is it called ‘Cloud’ computing?

Key points

•TheCloudisacollectionofInternet-basedorprivate-networkservicesprovidinguserswithscalable,abstractedITcapabilities,includingsoftware,developmentplatformsandvirtualizedservers&storage

•Cloudcomputingisdisruptiveduetoitsfourkeycharacteristics: -Highlyabstracted -Variableexpense -Multi-tenant -Immediatelyscalable

6

Manylargecorporations,suchasVisa,GeneralElectricandVerizonhavealreadyoutsourcedlargepartsoftheirIToperationstocountrieslikeIndiaandChina.UsingCloudcomputing,thesecompaniesmightnotonlyrelinquishoperationalcontrolbutalsotheownershipoftheirITresources.

Theabilitytorelyonutilitystylecomputinghasalreadyhadsignificantimpactonsmalltomidsizecompaniesincertainindustries.Takeaccountingasanexample.Intheearly2000s,atypicalaccountancycompanyoperatedmuchlikeintheearly1950s.Accountantswerelikelytohavelocalclients,whowouldsendfilestotheaccountantatregularintervals.Inthelate2000s,theadventofthirdpartyaccountingsoftware-as-a-serviceallowedaccountancycompaniestoconnectwithclientsusinginternetbasedplatforms,whichmeantdeepshiftsfortheprofession.

Theseplatformsallowedtoworkwithprofessionaltalentanywhereandtodivideclientworkinnewways.Accountantsnowhavethetimetofocusmoreonhighervalueadvisoryservices,whileoutsourcingmanyroutinetaskssuchastaxpreparation.Similarly,theabilitytorelyonutilitystylecomputingcouldhaveanimpactforlargerorganizationsaswell.

Thereisalagbetweentheavailabilityofacertaintech-nologyandtheensuingriseinproductivity.Ahistoricalparallelinthisregardistheelectrificationoffactoriesaroundthe1900s.Factoriesatfirstwerenotanymoreefficientwhenusingelectricityinsteadofusingcrank-shaftstodrivethemachines.Thereasonisthatfactorieswerestillbuiltas4or5storywarehouseseventhoughmachineswerepoweredontheirown,withoutmechan-icalenergy.Ittookalongtime,perhaps30years,beforefactorieswerebuiltonwidergroundlevelspaces,unlockingtheproductivitygainsfromtheeasierflowofgoodsandmaterials.

DetermininghowCloudcomputingtechnologycapa-bilitiescanhelpachievecorporategoalsisofkeyimportanceasbusinessusersbecomeempoweredtopulltogethercomputingresourcesondemand.AsthecorporateITlandscapechanges,aligningbusinessstrategywithITtotakeadvantageofnewcapabilitiesbecomesapriority.Servicesbecometheprimefocusratherthanhavingtoworryabouthardwaremanage-mentandsoftwaremaintenance.Thisfocusonserviceswillimposefewerbutdifferentconstraintscomparedtoon-premisecapabilitiesandwillpresentauniquesetofopportunitiesandchallenges.

Corporate strategy needs to take Cloud computing into account

Key points

•Duetoitsbenefits,Cloudadoptionisalreadyhighinsmallandmidsizecompanies

•UsingCloud,companiescanconcentrateontheircorebusinessandrelinquishoperationalcontrolandownershipoftheirITresources

Cloud computing10ThingsaCxOShouldKnowAboutCloudcomputing7

Whileitisunclearatthispointintimehowandatwhatspeedutilitystylecomputingwilldevelop,corporateITisinvestigatingCloudcomputingatanacceleratingpace.Oneofthemaindriversforthisinterestisthereductionofcapitalcosts.Usually,companieswillfundoperationalcoststhroughrevenuesandpayforcapitalexpensesthroughequityanddebt.Growingthecompanyfasterthanthecostofcapitalcreatesvalue.

Largeportionsofacompany’scapitalexpensebudgetareinvestedininformationtechnology.TheU.S.DepartmentofCommerceestimatesthatITspendingaccountsonaveragefor50percentofcapitalexpensebudgets.Formostcompanies,ITusuallyhasabroadsupportfunction,whichisnottieddirectlytorevenuegeneratingoperations.Intheclouddeliverymodel,companiespayforbothhardwareandsoftwareasoperationalexpenditures.

Whilethereisnoinherentbenefitinshiftingcapitalexpenditurestooperationalexpenditures,reducingcapitalexpendituresallowscompanies(especiallyincyclicalindustries)topayforwhattheyneed,whentheyneedit.Managedservicesinfrastructuresandthecloudareattractivetocompaniesbecausetheylargelyeliminateinitialcapitalinvestmentsandotherup-frontcosts.Thecloudhastheaddedadvantageoftyingyourcoststoexactlywhatyouareusing;meaningthatyouareabletoconnectITcoststorevenueinsteadoftreatingthemasoverhead.

PreservingcapitalisimportantespeciallyinsituationswherehighelasticityisneededinprovidingITresources.Oftencompaniesneedtoprovisionforpeakloads,requiringmorecapitalinvestmentthanneeded.Realworldestimatesofserverutilizationindatacentresrangefrom5%to20%.CompaniesembracingCloudcomputingcanreducetheopportunitycostofcapitalinvestments,forexamplewhentheyarefacedwithhighlyfluctuatingneedsduetoseasonaldemandintheirbusiness.

Cloud computing allows to adjust IT spending through operational expenditures

Key points

•Cloudeliminatesinitialcapitalinvestmentsandotherup-frontcosts

•Cloudcomputingtiesyourcoststoexactlywhatyouareusing,withoutneedtoprovisionforpeakloadsandfluctuatingdemand

8

Cloudcomputingisallaboutusingtechnologywhenyouneedit,foraslongasyouneedit.Thereisnoneedtoinstallanything,andnoneedtopayforthetech-nologywhenitisnotinuse.

CloudcomputingeliminatesthelagthatoftenexistsbetweenbusinessandIT,thusensuringorganizationalagility.Asbusinesscyclesaccelerate,manybusinessesrequirealmostimmediatedeployment,adaptationordecommissioningofapplications.Whileitwasnotenvisagablewithtraditionalonpremisesolutions,Cloudcomputingenablesaccelerateddeploymentandgreaterflexibility.Cloudrepresentsanopportunityfororganiza-tiontofocusontheircorecompetenciesandtosolvetheirbusinessproblemsinwaysthatwereimpossible.

Somecompaniesencourageresponsivenessbyhavingsmallteams.Google,forexample,hascreatedacorporateorganismthattacklesmostbigprojectsinsmall,tightlyfocusedteams,settingthemupinaninstantandbreakingthemdownweekslaterwithoutremorse.Theabilitytodrawonon-demandsupportingtechnologyfacilitatestheworkenvironmentofsuchteams.

Business agility and IT flexibility

Cloud computing10ThingsaCxOShouldKnowAboutCloudcomputing9

The Evolution of Strategic Management

Thetableaboveshowsthedominantthemesandmainissuescompaniesdealtwithfromthe1950stothe2000s.Reconcilingsizewithflexibilityandresponsive-nessisakeystrategicdrivertoday,supportingthedeploymentofflexiblecloudcomputingsolutions.

Asbusinessusersdecidetolaunchnewproductsandventureintonewmarkets,on-demandinformationcapabilitiescanbeselected,assembledandscaledouttomeetorganizationalandgeographicaldemandsasrequired.ItisfairtosaythatCloudcomputingtech-nologiescanbekeyelementsinbusinessenvironmentsthatincreaseagilityanddecreasetimetomarket.ThereasonisthatCloudcomputingishighlydemanddriven,meaningahighdegreeofuserselfserviceispossibleinthedeploymentofservicesandresources.

CloudcomputingeliminatesthelagthatoftenexistsbetweenbusinessandIT,thusensuringorganizationalagility.Asbusinesscyclesaccelerateinaweb-enabledworld,manybusinessesrequirealmostimmediatedeploymentoradaptationoftheirsupportingITenviron-mentwhichcanonlybeachievedatscalebyleveragingoutoftheboxsolutionsbenefitingfromoptimizedprocurement,set-up,andmigrationtime,aswellasrelativelyhighstandardization.

Key points

•Reconcilingsizewithflexibilityandresponsivenessremainsanimportantissuetoday

•Cloudcomputingoffershighdegreeofuserselfserviceinthedeploymentofservicesandresources

•Cloudcomputingenablescompaniestoleveragetheircorecompetenciesandbeagileenoughtoevolvewiththischallengingenvironment,especiallyinIT

Adaptedfrom:RobertGrant,ContemporaryStrategyAnalysis,2006

Period 1950s 1960s – Early 1970s

Late 1970s – Mid 1980s

Late 1980s – 1990s 2000s

Dominant theme

Budgetaryplanningandcontrol

Corporateplanning Positioning Competitiveadvantage Strategicandorganizationalinnovation

Main issues FinancialControl Planninggrowthespeciallydiversificationandportfolioplanning

SelectingindustriesandmarketsPositioningformarketleadership

FocussingstrategyaroundsourcesofcompetitiveadvantageNewbusinessdevelopment

Reconcilingsizewithflexibilityandresponsiveness

Principal concepts and techniques

FinancialbudgetingProjectappraisal

ForecastingCorporateplanningtechniques

IndustryanalysisSegmentationExperiencecurves

ResourcesandcapabilitiesShareholdervalueKnowledgemanagementInformationtechnology

CompetingforstandardsComplexityandself-organization

Organizational implications

Systemsofoperationalandcapitalbudgetingbecomekeymechanismsofcoordinationandcontrol

CorporateplanningdepartmentsMergersandAcquisitions

Multidivisionalandmultinationalstructures

RestructuringandreengineeringOutsourcingE-business

AlliancesandnetworksInformalstructuresLessrelianceondirection,moreonemergence

10

IfthepromiseofCloudcomputingisfulfilled,businessuserswillselectandarrangeservicesasneeded,bypassingthetraditionalrelianceontheITdepartmentwhosetaskistoallocateITresourcesandmanagetechnicalconstraints.

Today,asmuchas10percentto20percentofITspendingoccursoutsidetheITdepartmentinbusinessunitbudgets.ThisoccursbecauseineffectiveITdepart-mentsbecomeabottleneckforprojectsandtechnologyinvestments.BusinessunitsgoaroundITtocompletetheircriticalinitiatives,oftencreatingminiatureITdepartmentswithinthebusinessunit,resultinginadditionalITvendorspend,aswellasinvestmentsinhardwareandsoftwarethatdonotshowupintheITbudget.

Allowingbusinessunitstocompleteprojectswithoutwaitingforalengthyupgradetoprovideadditionalfunctionalitiesortoaccommodatemoreuserscouldbeakeyadvantage.CIOsurveysfromavarietyofresearchorganisations,includingGartnerandForresterunivocallyshowthatITleadersexpectCloudcomputingtoprovidesignificantlymoreflexibilityindeliveringITresources.

Therearerisksinvolvedinacompletelydemanddrivenapproachtoserviceprovisioning.TheITdepart-mentlosingcontrolcouldleadtodecreasedstrategyalignment,aswellastheriskofhavingmoretechnologysilosinsteadofconnectingpeopleanddata.ItisakeytaskforITManagementtoensuretheappropriategovernancestructuresareinplacetodealwiththeserisks.

Business users are put into the information technology driver seat

Key points

•CompaniesareshiftingawayfrombuyingandmaintainingtheirownIThardwareandsoftwareandareinsteadtappingintotheInternetforthecomputingservicestheyrequiretoruntheirbusinesses

Cloud Computing

Cloud Computing

PC

Mobile

Code

AppServer

Database

1010101

Cloud computing10ThingsaCxOShouldKnowAboutCloudcomputing11

ImportantprovidersofCloudcomputingserviceshavejustbegunenteringthemarket.EnterprisefriendlyservicessuchastheMicrosoftAzureplatformandtheSuncloudareforthemostpartnascentefforts.Consequently,theecosystemofthirdpartyserviceprovidersaroundsuchservicesisgrowingrapidlybutisstilllimitedatthispointintime.

Althoughmajorvendorshavepledgedtomaintainopenstandardstoenabledataportability(toavoidvendorlockin),thereisariskthatdatawillnotmoveeasilybetweenvendors.Similarly,seamlessinteroperabilitywithon-premiseserverbasedsystemshasjustbegunbeingaddressedbythirdpartyITindustryproviders.Thisisimportantasmanyissuessuchasintegrationwithon-premisecapabilitieswillbealleviatedthroughthirdpartyservicesproviders.

GartnerandForresterforeseevastlyincreasedspendingonCloudcomputingtechnologyinthecomingyears.Gartnerestimatesthatthecurrentmarketforcloudservicesaccountsfor$46.4billionandthatitwillreach$150.1billionby2013.Thecompoundannualgrowthrate(CAGR)varieswidelybetweendifferenttypesofservices,andthekeyleadingsegmentsareInfrastructure-as-a-Service(computingpowerandstorage,50%),Content,CommunicationsandCollaboration(19%),CustomerRelationshipManagement(17%),SupplyChainManagement(espe-ciallyprocurementandlogistics)(17%)andHumanCapitalManagement(7%).

The market is not yet mature

Key points

•EcosystemofCloudprovidersisgrowingrapidlybutremainslimitedatthispointintime

•Analystsestimateacompoundannualgrowthrateof26.5%inCloudinvestmentduringthe2008-2013period

•Thefivemostgrowingareasare-Infrastructure-as-a-Service

(computingpowerandstorage) -Content,Communications,andCollaboration

-CustomerRelationshipManagement-SupplyChainManagement-HumanCapitalManagement

12

Cloudcomputingproviderscurrentlyprovidelessuptimeguaranteesthananumberofcriticalbusinessapplica-tionsrequire.Forexample,Amazon'scloud-basedSimpleStorageServiceonlypromises99.9%uptime.Thismaybebelowwhatiscurrentlyofferedbyin-housecapabilities.

Additionally,Cloudprovidersofrawcomputingresourcescurrentlyprovideonlylimitedhighavailabilityfunctionalities.Intheeventofinfrastructurefailure,enterpriselevelsystemsprovideforautomatedfailovermechanismstowardsotherlocations.Often,failoverfunctionalitiesmustbeaddedbycustomersthemselves.

Cloudcomputinguptimeandautomatedfailoverfunc-tionalitieswillimproveovertimeandwilllikelyexceedwhatbusinessescanprovidethemselves.Economiesofscaleinbuildingservicesallowproviderstoshareuptimecostsamongmanyclients,enablingmoreinvest-mentsinhardeningsystemsandbuildinginresilience.However,atthistime,anyenterprisesystemsarchitec-turemusttakeintoaccounttherequirementsofcriticalcomponents.

Criticalcomponentsarenotreadytobemovedtoacloudenvironment,asavailabilityofdataandapplica-tionsisaprimaryconcern.Insteadofa‘Whatcouldpossiblygowrong?’mindset,smallscaleCloudcomputinginitiativesshouldbesetupfirsttoevaluatethetechnology’smeritsbasedonapracticalapproach,focussedonachievingmeasurablebusinessgoals.Increasedinternaluseoftechnologiessuchasvirtualisa-tioncouldimprovethecosteffectivenessofITinvest-mentsandtheavailabilityofdata.

Recentmarketdevelopmentsshowatrendtowardsanincreaseduseofservicelevelagreements,althoughisitnotyetclearifaconvergencewilltakeplacetowardsindustrystandardservicelevels.ComparisonovertimeofwhatCloudcomputingvendorsdeliverencouragestheexpectationthatservicelevelsingeneralwilltrendupwards(someprovidersoffer100%uptime)asanimportantdifferentiatingfeatureamongproviders.

Uptime

Key points

•AnalystsbelievethatClouduptimewillimprovefromthe99,9%standardtodayandwillexceedwhatbusinessescanprovideforthemselves

Cloud computing10ThingsaCxOShouldKnowAboutCloudcomputing13

Intoday’sworld,Cloudcomputingisexperiencingstrongadoptioninthemarketandthistrendisexpectedtocontinue.AccordingtoForrester,integrationisoneofthetopconcernspeoplehaveaboutCloudcomputing.IntegrationwillplayakeyroleintheuseradoptionforCloudcomputing.AsnewapplicationsappearontheCloudmarket,integrationvendorsareproposingnewintegrationsolutionsmostcommonlyknownasIntegrationasService.

Organisationsarefindingthatmanagementofintegra-tionstillisaresponsibilityoftheITorganization.EvenasSaaShasproveditcanhandlecriticalrolesatlargecompanies,integrationremainsfarfromadrag-and-dropjob.

Thekeychallengesaroundintegrationarethefollowing:•Integration Cost and Duration:Inanyimplementa-

tion,integrationremainscriticalintermofbudgetanddurationbutalsointermofskillsrequiredduetothediversityoftheapplicationstointegrateandthetech-nologyusedbehind.Simplifyingintegrationinordertoreducethesecostsrepresentarealchallenge.

•Integrating SaaS and traditional applications:Theroleofintegrationistoconnectdifferentapplicationinordertosharedatabetweentheseapplications.WiththeCloudcomputingandtheSaaSapplica-tionscominguponthemarket,integrationneedstobeabletoprovideaneasywaytointegratethesedifferentapplicationstogether.

•Managing and Monitoring Integration Interfaces:Duetothefactcompaniesareintegratingmoreandmoreapplications,eachapplicationhavingitsownspecifityandtechnology,managingandmonitoringthedifferentinterfacesisnoteasy.Havingagoodvisibilityaroundthedifferentintegrationinterfacesisfundamentalandrepresentsachallengeforthecompanies.

Integration with the cloud

“Integration as a Service is expected to reach maturity and mainstream adoption in 2-5 years”Gartner(June2008)

Europe (N=148) North America (N=429)

40%35%30%25%20%15%10%5%0%

Other reason

Complicated pricing models

We are currently lockedwith our current vendor

Application performance(i.e., downtime speed)

Lack of customization

Integration issues

We can’t find the specificapplication we need

Security concerns

Total cost concerns (i.e., total cost of ownership)

12%

12%

11%

15%

16%

15%

14%

17%

14%

18%

17%

22%

18%

26%

25%

29%

33%

35%

14

TorespondtothesekeychallengesaroundIntegration,vendorsaredevelopingandmarketingSaaSIntegrationsolutions.ThesesolutionsofferaneasywaytointegratesystemscomparedtothetraditionalapproachusingEAIToolsorcustomcode.Thecapabilitiesofthesenewsolutionsareatleasttothetraditional,on-premisesones.

TheSaaSIntegrationsolutionsareactinglikeanOrchestratormanagingthedifferentintegrationinter-facesdefined.Thekeyelementsofsuchsolutionsarethefollowing:•Providesdifferentdeploymentoptions:allowing

adeploymentontheCloudbutalsobehindthecompanies’firewall.

•ConfigurationBasedapproach:TheIntegrationisimplementedthroughagraphicalUIandcustomcodeisavoidedasmuchaspossible.

•Integrateswith“on-premise”applicationandwith“on-demand”applications.

•Providesacentralplacetomonitorandmanagetheintegration.

IntegratingsystemsthroughIntegrationasaServicesolutionswillhelptoeasetheintegrationandreducecostsbutintegrationremainsinmostofthecasescomplexandcriticaltoanyimplementation.

ItisexpectedthatmarketoftheIntegrationasaServicetogrowinthecomingyears,offeringevenmoreadvancedandsophisticatedsolutionsforintegratingcloudcomputingapplications.

TheIntegration-as-a-Servicemarketisinexpansionandwecanexpectasignificantgrowthinthecomingyears.Theaddedvalueandsignificantcostreductionthattheseservicesareprovidingwillhelpintegrationtogotothe“nextlevel”.

Key points

•Torespondtotheintegrationchallengesunderlyingmostimplementations,CloudvendorsarenowproposingSaaSIntegrationsolutionsthatofferaneasywaytointegratesystemscomparedtotraditionalapproachesusingEAIToolsorcustomcode

“We believe that integration appliances will play a critical part in the growth, acceleration & acceptance of Software-as-a-Service”FrankKenney,ResearchDirector,Gartner

Cloud computing10ThingsaCxOShouldKnowAboutCloudcomputing15

Comparedtothestandardmodelofserviceprovision,CloudComputingraisesstrongsecurityconcerns,namely:•AredatasafelystoredandhandledbyCloud

providers?•Howarereliabilityandavailabilityguaranteed?•AreCloudproviderssufficientlyprotectedagainst

cyber-attacks?

ThecorecapabilitiesofCloudcomputingtodayandtomorrowarefoundedontheconvergenceofseveraldifferenttechnologies.Theerosionofthetraditionalboundariesoftrust,onwhichtheservicesprovisionmodelsarebased,bringsaboutnewchallengesintermsofuser’scontrolovertheservices,resourcesorinforma-tionentrustedtotheCloud.

Onemajorsecuritychallengeishowtomanageaccesscontrolandensureconfidentialityofdata.Typically,cloudusershavenocontrolovertheCloudresourcesandthereisaninherentriskofdataexposuretothirdpartiesortheCloudprovideritself.Unauthorizedaccessoracompromisedexternalprovidercouldhavewide-spreadconsequencesforallproviders’clients.

Datacentralisationposesanothersecuritychallenge.InmanyCloudimplementations,thecentralisedmanage-mentandcontrolintroducesseveralso-calledsinglepointsoffailure.ThesecouldthreatentheavailabilityofCloudusers’dataorcomputingcapabilitiesindirectly,asasmallincidentintheCloudcouldhaveanexponentialimpact.

Asageneralrule,thesecuritycontrolsthatCloudusersmaywanttheCloudprovidertoadoptmaygobeyondthecontrolsinherenttotheCloudplatform.Contractuallanguageshallbeusedtoreflectthepreferredsecuritylevels.Clouduserscanalsomitigatesecurityrisksbyconductingauditsandrequestingproviderstoholdsecurityaccreditations.ThemarketalsooffersseveraltoolsparticularlydesignedtoovercomeCloudsecurityconcerns.

Insummary,Cloudproviderswillneedtoofferahigherdegreeofprotectionandtransparencytoreassurecustomers.TheOpenCloudManifesto(www.open-cloudmanifesto.org)ishereapioneeringinitiativetobringtogethertheCloudcommunityandestablishcoreprinciplesfortheadoptionandprovisionofCloudservices.

Considerable security and audit challenges

Key points

•Cloudcomputingisnotsecurebynatureandfaceskeychallengessuchasaccesscontrol,datacentralizationandsecurity

16

TherelationofdatatoageographiclocationhasneverbeenmoreblurredthanwiththeadventofCloudcomputing.However,inmanyjurisdictions,thephysical“location”playsakeyrolefordeterminingwhichprivacyrulesapply.Forexample,datacollectedand“located”withintheEuropeanterritorycanbenefitfromtheprotectionoftheEuropeanprivacyrules.ItisthereforeimportanttotackleregulatoryandauditissuesrelatedtothecrossbordernatureofCloudcomputing.

Fromaprivacyperspective,ifthepersonaldatausedby,orhostedon,theCloudmaychangelocationregularlyormayresideonmultiplelocationsatthesametime,itbecomescomplicatedtowatchoverthedataflowsand,consequently,todeterminetheconditionsthatlegitimisethesetransfers.Personaldatatransferstothirdcountriesoftenrequirecontractualorotherarrange-mentstobeinplace.

Overall,itiscrucialforclouduserstorequestevidencefromserviceprovidersoftheircompliancewithregula-tions(e.g.Generalcivillawandcontractlaw,Consumerprotectionlaw,“e-commerceregulation”,Fairtradepracticeslaw)andgenerally-acceptedstandards(e.g.PCIDSS,ISO27001).

Cloud computing puts privacy compliance at risk

Key points

•Thecross-bordernatureofCloudcomputingcomplicatesthecontroloverdatalocationandthereforethecompliancewithlocallegalrequirements

•Cloudcomputingvendorsshouldprovideproofofcompliancewithregulators

Cloud computing10ThingsaCxOShouldKnowAboutCloudcomputing17

ShouldyouwishtotalktousaboutCloudcomputing,orhaveanyfeedbackonthispaper,pleasedonothesitatetoreachouttoourdedicatedCloudcomputingteam.

For further information

Patrick CallewaertCustomerPracticeLeadEMEAPartner+3227495743pacallewaert@deloitte.com

Christian CombesDeloitteConsultingTechnologyandIntegrationPartner+3227495858ccombes@deloitte.com

Erik LuysterborgDeloitteEnterpriseRiskServicesPartner+3228002336eluysterborg@deloitte.com

Aleksej ChoukhmanDeloitteConsultingCRMDirector+3227495781alchoukhman@deloitte.com

William AxelssonDeloitteConsultingTechnologyandIntegrationDirector+3227495623waxelsson@deloitte.com

Ward DuchampsDeloitteEnterpriseRiskServicesDirector+3228002442wduchamps@deloitte.com

Geert DefreynDeloitteConsultingCRMDirector+3227495945gdefreyn@deloitte.com

18

Deloitte disclaimerThematerialincludedinthispresentationisintendedasageneralguideonly,anditsapplicationtospecificsituationswilldependonthecircumstancesinvolved.Thisinformationshouldnotberelieduponasfinaladvice.Whileallreasonableattemptshavebeenmadetoensurethattheinformationcontainedhereinisaccurate,DeloitteToucheTohmatsuacceptsnoresponsabilityforanyerrorsoromissionsitmaycontainwhethercausedbynegligenceorotherwise,orforanylosses,howevercaused,sustainedbyanypersonthatreliesuponit.

Gartner disclaimerAllstatementsinthisreportattributabletoGartnerrepresentDeloitteinterpretationofdata,researchopinionorviewpointspublishedaspartofasyndicatedAsofApril2009subscriptionservicebyGartner,Inc.,andhavenotbeenreviewedbyGartner.EachGartnerpublicationspeaksasofitsoriginalpublicationdate(andnotasofthedateofthis[presentation/report]).TheopinionsexpressedinGartnerpublicationsarenotrepresentationsoffact,andaresubjecttochangewithoutnotice.

Disclaimer

Deloitteprovidesaudit,tax,consulting,andfinancialadvisoryservicestopublicandprivateclientsspanningmultipleindustries.Withagloballyconnectednetworkofmemberfirmsin140countries,Deloittebringsworld-classcapabilitiesanddeeplocalexpertisetohelpclientssucceedwherevertheyoperate.Deloitte’s165,000professionalsarecommittedtobecomingthestandardofexcellence.Deloitte’sprofessionalsareunifiedbyacollaborativeculturethatfostersintegrity,outstandingvaluetomarketsandclients,commitmenttoeachother,andstrengthfromculturaldiversity.Theyenjoyanenvironmentofcontinuouslearning,challengingexperiences,andenrichingcareeropportunities.Deloitte’sprofessionalsarededicatedtostrengtheningcorporateresponsibility,buildingpublictrust,andmakingapositiveimpactintheircommunities.

DeloittereferstooneormoreofDeloitteToucheTohmatsu,aSwissVerein,anditsnetworkofmemberfirms,eachofwhichisalegallyseparateandindependententity.Pleaseseewww.deloitte.com/aboutforadetaileddescriptionofthelegalstructureofDeloitteToucheTohmatsuanditsmemberfirms.

©February2010-DeloitteConsulting.MemberofDeloitteToucheTohmatsuDesignedandproducedbytheCreativeStudioatDeloitte,Belgium