Global Technology Industry Discussion Series

Cloud computing issues and impacts


Contents

4 Overview: clouds are inevitable
All signs point to the rapid adoption of cloud computing as a fundamental shift in the delivery model of information technology (IT) — but abundant challenges will make it a difficult adoption curve.

11 Drill-down discussions
Nine detailed reports explore the specific benefits, risks, accelerants and inhibitors associated with the following critical aspects of cloud computing adoption:
• Pricing and business models (page 12)
• Vendor management and strategic sourcing (page 18)
• Availability and interoperability (page 22)
• Security and privacy (page 26)
• Standards and risk management (page 30)
• Government (page 34)
• Accounting (page 38)
• Cross-border taxation of CSP arrangements (page 42)
• Regulatory compliance (page 46)

50 Outlook
Higher-level business processes as a service will evolve rapidly atop cloud-based IT services, leading to the increasing rise of incredibly agile virtual organizations.

52 Glossary of terms
A list of new words and phrases that cloud-based IT models have placed into the business vernacular — including a widely adopted definition of cloud computing and its characteristics, service and deployment models.

54 Source notes


“By concentrating technology in the cloud, making it available as a service and freeing organizations to focus on business strategies — that’s how the IT industry will once again not only transform business, but business models.”

Pat Hyek Global Technology Industry Leader

Cloud computing issues and impacts

Estimates of 2010 worldwide revenue from cloud computing services range from a low of about $12 billion to a high of slightly more than $68 billion — reflecting different views and means of evaluating this fast-growing technology phenomenon.1,2 Where the market researchers all agree, however, is that cloud computing is no fad. Cloud computing is a fundamental shift in IT that will alter the technology industry power structure, improve business agility for all industries and increase everyone’s access to computing, storage and communications power. As one prominent research house put it in the title of a report containing cloud predictions for 2011: “Welcome to the New Mainstream.” 3

Despite the certainty expressed in these predictions, the transition to cloud computing from in-house IT infrastructure and traditional outsourcing is really just beginning. By the end of 2011, public and private cloud services will generate 15% of worldwide IT spending.4 There is a long, hard road of difficult transitions and adoption decisions still ahead.

Right now, however, is when cloud service providers (CSPs) need to position themselves, their offerings and their future development strategies for the rapid changes to come. Likewise, business users of cloud services require immediate insight into the benefits and risks of cloud computing — along with how to exploit the former, while avoiding the latter — as they adopt this “new mainstream” IT approach. Finally, both technology and other businesses need to understand how cloud computing is changing consumers’ habits and expectations.

Cloud computing issues and impacts combines the insights of Ernst & Young’s own leading thinkers with analysis of secondary market research and other sources to synthesize our view of the current state of cloud computing, where it is going in the foreseeable future and the holistic way you should think about it. Through this series of topical drill-down discussions, we offer our insight and hope to stimulate productive dialogue within and across your organizations about how to make the most of the transformative force of the cloud.

Note: unless otherwise indicated, all quotations are from practitioners at member firms of the global Ernst & Young organization.


Overview: clouds are inevitable

Current situation

The IT services now known as cloud computing have been around for decades, but they never grew beyond a small fraction of total industry revenue. Now, however, their time has come: over the past few years, a dizzying array of hardware and software available as services over the internet has emerged. Consumers and businesses have embraced a multitude of cloud services, from mature sales force management services to email and photo editing to the latest smartphone applications and the entire social networking phenomenon. Further, researchers project an imminent inflection point in the adoption of cloud services by organizations both large and small.

“Clouds can free companies from the drudgery of building and maintaining IT infrastructure so that they can focus on value-creating differentiation to ride atop that infrastructure.”

Kevin Price, Global Technology Industry Advisory Services Leader

In fact, research firm International Data Corporation (IDC) calls cloud computing the foundation for the technology industry’s next 20 years of growth, saying, “it is nothing less than the complete transformation of the industry’s core offering and business models.”1 According to IDC, public clouds (delivered to multiple customers via the internet) and private clouds (built by or delivered to a single organization via private network) will account for 15% of IT spending in 2011 and grow at a compound annual rate of about 26% for the next four years. This is roughly five times the growth rate of the technology industry as a whole. In addition, 80% of all new software offerings in 2011 will be available as cloud services (regardless of whether they are also available via traditional on-premise business models).

Technology advances, business agility drive cloud adoption readiness

Cloud services are finally taking off because technology advances, particularly ubiquitous high-speed internet connectivity and the ever-decreasing cost of storage, have finally enabled service providers to meet buyers’ needs for simplicity, cost and flexibility. For consumers, the recent proliferation of smart mobile devices that are actually handheld wireless computers has accelerated the development of cloud services that provide application functionality to those devices. This is an example of why consumers have been such rapid adopters of the cloud: cloud computing has the potential to instantly deliver simple, easy-to-use, sophisticated and high-powered computer applications and information that consumers could not otherwise access.


For business organizations, the core elements of CSP business models have always been attractive: pay-as-you-use instead of install-and-own, and inherently greater flexibility in IT. Cloud computing services generally shift major up-front capital expense from the buyer of IT to the provider of IT services — a strong incentive in a world that continues to struggle with economic uncertainty and more restricted access to capital. Of note, this shift enables organizations to further manage their investment risk by rapidly implementing and trialing new solutions before making long-term commitments.

Even more alluring for businesses, however, is the promise that cloud computing will increase their business agility in at least two dimensions. “First, clouds can free companies from the drudgery of building and maintaining IT infrastructure so that they can focus on value-creating differentiation to ride atop that infrastructure,” explains Kevin Price, Global Technology Industry Advisory Services Leader. “Second, clouds provide flexibility in the form of highly elastic scalability, enabling organizations to rapidly increase or decrease their IT infrastructure costs as fast as their business needs change,” he adds. That flexibility dimension is the primary way in which cloud services differ from traditional IT services, and why some experts refer to cloud computing as “the next generation of outsourcing.”

These factors combine to lower IT barriers (and risk) to business change, including barriers to entry for start-up businesses, whether entrepreneurial or inside an established organization. The same factors also enable small- and medium-sized businesses (SMBs) to take advantage of sophisticated applications and a breadth of functionality that previously could be afforded primarily to large enterprises only, and can do so at much lower cost. As a result of these factors, SMBs appear to be migrating to the cloud more rapidly than larger companies, and start-ups are virtually all cloud users. An example already in progress is the mobile applications market: it is relatively new, is cloud-enabled, includes a plethora of small companies that sell directly to consumers via app stores and is projected to grow to $32 billion by 2015.2 As cloud adoption becomes widespread, its characteristic of enhancing business agility is likely to lead to an increasing pace of change for all industries worldwide.

Adding fuel to the interest in cloud computing is that cloud services advance “green” agendas: they allow fuller utilization of shared infrastructure capacity, thus consuming less power and lowering the carbon footprints of their users versus alternative IT approaches.

CSP considerations

CSPs are in the enviable position of being early movers in a movement that is rapidly becoming mainstream. Yet the challenges they face are unenviable, starting with the difficulty of translating theoretically advantageous business models into concrete services and pricing programs in a young, still-developing market. Setting prices, for example, may seem simple but becomes complex fast because cloud monthly service fees may be compared with the amortized total cost of ownership (for their entire useful life) of those elements of a customer’s IT infrastructure that don’t enhance competitive differentiation. Yet the complete economic picture does not reside in cost alone. Variables such as rapid access to new technology and the ability of cloud customers to focus their internal resources on what differentiates them should also be factored into the economic equation.

Standards, particularly for interoperability among clouds and between clouds and in-house infrastructure, are another area of uncertainty. Real standards leadership — not just empty promises — might be a winning strategy for CSPs, but it is a difficult choice given the trade-off with vendor lock-in.

CSPs also need to decide whether to build their infrastructure to enable compliance with different rules from region to region, or to provide a homogenous global cloud. A related issue is how much transparency into their infrastructure they should allow customers. Both of these issues have cost implications that are likely to affect pricing.

However, given the core premise of the CSP model — solving difficult IT challenges once and spreading the solution among multiple buyers — CSPs can transform each challenge into a new opportunity. For example, “compliant clouds” have recently emerged, offering compliance with specific regulations to companies that need it. Many other so-called specialized clouds are likely to emerge rapidly as the cloud model matures.

“European companies and governments view cloud computing as a way to stimulate business activity and create opportunities for future growth.”

Rebecca Norris, Europe, Middle East, India and Africa (EMEIA) Technology Industry Leader


Clouds offer full range of computing services

Cloud computing services are available across the entire computing spectrum. The US National Institute of Standards and Technology (NIST) has published a definition of cloud computing that has been adopted and referred to internationally and which we have included in its entirety (see Glossary, page 52). While the US NIST definition includes three primary service models, the market has evolved so that you can buy as a service just about any slice of the computing “stack” within the three, which are as follows:

• Infrastructure as a service (IaaS): raw computing power, storage and network bandwidth
• Platform as a service (PaaS): databases, development tools and other components required to support the delivery of custom applications
• Software as a service (SaaS): applications both general, such as word processing, email and spreadsheet; and specialized, such as customer relationship management (CRM) and enterprise resource management (ERM)

In addition, we believe a fourth service model is evolving, albeit more slowly at present than the primary three. Business process as a service combines multiple components of each of the primary three to deliver an entire business process.

Today, services such as payroll and billing already can be outsourced using traditional methods. Looking ahead, we expect higher-value business process services to evolve, differentiated from traditional business process outsourcing because they will ride atop multiple underlying cloud services and an organization’s internal staff typically will work the process. These new services will be based on the ability of business experts in different domains to optimize a process and deliver it via cloud-based IT services. Ultimately, future organizations may create innovative offerings by combining such optimized services (see Outlook, page 50).

Transforming inhibitors into accelerants

An unusual, perhaps unique characteristic of cloud services is their ability to transform today’s challenges into tomorrow’s adoption drivers. In surveying dozens of sources, we observed multiple examples of this apparent paradox. For example, security is cited more than any other factor as a reason why IT managers are hesitant to adopt cloud services. Yet Forrester Research projects that within five years, cloud security will become one of the primary drivers for adopting cloud computing.3 The reason for a shift of security from obstacle to driver is that CSPs are expected to invest far more in the development of their security infrastructure and expertise than any typical enterprise.

Likewise, regulatory compliance in multiple jurisdictions, especially regarding privacy and data location, is another challenge to cloud adoption. In response, some predict the creation of specialized “compliant clouds” that will offer certified compliance with specific regulations for different industries, including a guarantee to store and manage data within the borders of a given nation, as appropriate.4

The generalized lesson we take away from this analysis is that the most difficult challenges facing in-house IT organizations are ripe opportunities for CSPs. CSPs that solve the problem once, using leading practices, can then offer their solution as a service to all who need it.


Cloud adoption accelerants

Many factors are causing momentum to build for mainstream adoption of cloud computing, some of which have been mentioned already. Importantly, there are examples of relatively mature and successful cloud offerings for businesses, such as sales force management services, to learn from. The cloud accelerants that support business agility and flexibility — such as elasticity, pay-as-you-go and market barrier reduction — are among the most important on the following list:

• Elasticity — the ability to scale IT infrastructure requirements both up and down rapidly, on a pay-per-use basis, is extremely attractive to large and small organizations alike (see page 23).
• Pay-as-you-go versus install-and-own — the shift in up-front capital requirements from the user to the service provider is equally attractive — again, to large and small organizations alike (see page 12).
• Cost savings — a report by the Brookings Institution finds government agencies can save 25% to 50% of their IT costs and increase their business agility by migrating IT infrastructure to cloud services (see page 34).
• Market barrier reduction — cloud computing services reduce IT barriers to market entry, enabling far more start-ups to emerge with much lower infrastructure costs than were necessary pre-cloud. This increases innovation in and of itself and also spurs larger organizations to innovate more rapidly.
• Infrastructure utilization — better network efficiency results in lower power consumption and smaller carbon footprints. This comes from virtualizing hardware and software resources and providing them as a service to multiple users simultaneously. Additionally, large CSPs can increase network efficiency through global load balancing. If a CSP’s customers are spread across the globe, peak usage times will be spread over the course of each day as workers from different geographies hit their peaks at different times.
• Public investment — governments worldwide are investing to create economic regions of cloud technology development (e.g., China, Japan), are supporting cloud-related standards development (e.g., EU, US) or are migrating their own IT infrastructures to cloud services in an effort to lead by example (e.g., US, UK, Japan) (see page 34).
• Market research — research points to ongoing rapid adoption of both public and private cloud services, which tends to become a self-fulfilling prophecy.
• Security — delivering “security as a service” eliminates one of in-house IT’s greatest non-value-adding challenges (see page 26).
• Standardization efforts — standards will reduce or eliminate risk from many current barriers to cloud adoption (see page 30).
• Cloud brokers — emerging cloud services brokers simplify an organization’s transition to the cloud by helping to overcome specific security, privacy and compliance issues and helping achieve interoperability across multiple public clouds, private clouds and in-house IT infrastructure.
• Risk of missing out — organizations that do not adopt cloud computing along with their competitors risk missing out on expected benefits such as the flexibility and agility afforded by on-demand services and access to the latest versions of technologies. This is because CSPs typically perform more timely upgrades than most private organizations.

Business user considerations

Organizations are attracted to the opportunities cloud computing offers to lower their costs and free their best technology managers to focus on creating strategic differentiation. It’s likely they would be even more excited if not for all the change cloud computing requires.

The clearest change required for the transition from in-house IT infrastructure to cloud computing is the shift to managing service quality and availability through contracts and relationships, rather than through specifications and direct technology implementation. But this implies an even larger corporate culture challenge: because different skills are required, existing IT staff will likely need to be retrained or replaced. Organizations face a conundrum: if they attempt the cloud transition with existing staff they will likely meet internal resistance, but new staff would lack knowledge of company processes.

Another challenge organizations face is the need to better understand the dependencies among their own various systems, which have built up over years or even decades, in order to manage processes that combine their own infrastructure with a CSP’s.

Organizations also must consider how transitioning to an external cloud affects enterprise risk, especially with regard to data security, privacy, uptime and availability as well as regulatory and legal compliance. But cloud computing also is likely to have an influence on more traditional ERM considerations, such as legal liabilities and brand protection.

For all these reasons, leading organizations are exploring cloud services by building internal private clouds for applications involving sensitive processes and data, while simultaneously investigating public clouds using non-sensitive processes and data. However, as cloud service maturity levels evolve rapidly over the next few years, it’s important that organizations consistently revisit strategic sourcing decisions. The potential for migrating specific applications to the public cloud will change over time.

“Asian nations are investing in cloud centers of economic development and are adopting cloud services for their own use. They are very focused on the cloud opportunity.”

Joe Tsang, Asia-Pacific Technology Industry Leader


Cloud adoption inhibitors

While cloud services are simpler to use and less costly than many in-house alternatives, they add complexity to the businesses of established companies entering the cloud computing market, whether as service providers or users. The delivery of cloud services is leading to new, multilayered revenue streams with increasingly complex and uncertain security, privacy, tax and related compliance and control consequences for cloud computing users and providers alike.

However, none of these challenges are impenetrable obstacles, and many can be turned into accelerants by CSPs that address them with leading practices, as described earlier. Still, these are the reasons why cloud computing adoption will be a long, difficult curve, especially for large organizations and governments. Among the inhibitors are:

• Corporate culture shock — particularly the belief that “we can do it better ourselves.” Separating themselves from the underlying technical implementation and focusing on differentiating value-add for their organization is a big shift for IT managers. No less daunting is the shift from being an internal provider of services to a manager of external service providers, described next.
• Loss of control — instead of controlling the IT environment directly, through the implementation of technical specifications that they define, cloud users manage their IT infrastructure through their relationship with their CSPs and through service level agreements (SLAs). This requires skills that IT organizations typically do not possess today, so they will need to reinvent themselves to make this shift (see page 18).
• Information security — today, opinion is divided about whether protecting your corporate data in the cloud, both to be certain it is there when you need it and to safeguard it from unauthorized access by others, is more difficult than doing so on your own. Either way, ongoing analysis of how internal applications exchange data with cloud-based services and continued enhancement to security software and controls are called for (see page 26).
• Privacy concerns — cloud computing can complicate how you safeguard the personally identifiable information of your customers, business partners and employees, both to meet your organization’s own legal and ethical requirements and to comply with the privacy regulations of all the jurisdictions in which you do business — or through which your cloud passes (see page 26).
• Regulatory compliance — cloud services are delivered by “virtualizing” hardware and software that could theoretically be located anywhere in the world. Thus, cloud computing raises new questions about whose rules must be followed (see page 46).
• Lack of standards — many standards are required to simplify interoperability among cloud providers and between enterprise systems and cloud services, but few exist. The lack of standards also may pose obstacles to recovering data, whether for the purpose of legal discovery or for migrating from one CSP to another (see page 30).

Continuously monitoring cloud-enabled change

Nine drill-down discussions beginning on page 11 explore the accelerants and inhibitors described above in more depth. However, each accelerant and inhibitor will apply differently to individual organizations, and their effects will change over time. It’s important to consider them in the context of your own organization, its culture, its IT infrastructure and its opportunities and risks.

It is also important to consider them now. Our own global information security survey found that 45% of its 1,598 respondents from 56 countries have either already deployed or are evaluating cloud computing.5 An industry research firm predicts that as a result of cloud computing by 2012, 20% of business organizations will no longer have any IT assets of their own.6 That’s just one year from now.

Technology companies should be evaluating their cloud strategies and determining the best opportunities to position themselves for the next decade of growth, which will be built on the foundation of cloud computing. And business users should be exploring opportunities to deploy cloud services pilot projects, or should be learning from their existing pilots and preparing to incorporate lessons from them into future deployments.

“The industry already is providing hardware, software and services to customers. Where customers spend their money will move from traditional vendors to cloud service providers, and any net incremental revenue to the industry will come from increased value creation.”

Paul Chabot, Global Technology Industry Advisory — Process Improvement (PI)

A brief history of cloud

Although it feels like cloud computing has arrived all of a sudden, the reality is that it has gone through decades of slow evolution.

In the late 1950s, when computers were massive and costly, hardware time-sharing (a label later co-opted by the resort vacation industry) emerged. As the concept expanded to include more than sharing a processor, it became known as “utility computing” and then “grid computing” in the 1980s and early 1990s. These were hazy visions that remained dreams, because even their proponents knew they lacked an efficient delivery mechanism.

But the ubiquitous broadband connectivity proliferated by the internet solved that service delivery problem. Applications service providers appeared in the late 1990s to much fanfare and excitement, but most burst with the rest of the internet bubble. As broadband deployment became widespread in the early 2000s, however, start-ups touting a range of services delivered via the internet cloud, from storage backup to enterprise applications, began to emerge. Established companies recognized their familiar vision and jumped into the cloud computing business with gusto.

Those decades of evolving experience are the reason that so many different cloud computing services have appeared so rapidly now that the conditions are finally right.

Consumer considerations

Given that they generally have no data centers of their own, individual consumers have been embracing cloud computing since long before the cloud label even appeared. Search engines may have been the first cloud-based services that consumers adopted en masse; social networks are a more recent example. And as recently as September 2008, the Pew Internet & American Life Project reported that 69% of US residents who are online use web-based email, store data or use other software applications over the internet.8

Since then, the smart mobility “megatrend” has accelerated the use of cloud applications by consumers. Smart mobility is the evolution of mobile handsets into handheld wirelessly networked computers — devices capable of interacting with cloud-based software to provide a plethora of information services to their users. Not surprisingly, much of the software sold through smartphone app stores actually consists of just the display and user interface components of sophisticated applications that mostly run in cloud data centers.

The combination of cloud-based applications and smartphones has given consumers unprecedented access to information from wherever they are. This is transforming consumer expectations — heightening expectations for instant access to information and increasing the desire for personalized information. At the same time, social media have created a forum in which consumers are voicing their expectations — and businesses have begun to listen. In these ways, the “consumerization” of technology is having a profound impact throughout the global economy — especially by making inevitable the transition of businesses to the cloud, as more and more cloud consumers come to expect similar experiences at work.

Consumers have shown, time and again, that they will rapidly adopt cloud services with the right value proposition. Given the recent rise of personal privacy concerns, those value propositions may need to include privacy guarantees going forward.

The cloud magnification effect

While cloud computing is viewed sometimes as a radical enough shift by itself, when cloud platforms interact with other technology trends the effects can be magnified.

• Maintaining freedom of information: when internet communications were shut down during recent unrest in Egypt, a team of international companies combined cloud services and social networking to connect in-country mobile phone networks to deliver text messages internationally via Twitter, in just a couple of days.7
• Broadening frontiers of transformation: while cloud computing has been with us in some form for many years, the continuously falling costs of computing, data transmission and storage are constantly broadening the opportunity for cloud services to transform businesses and business models, suggesting that cloud effects, ultimately, will be ubiquitous.
• Enabling social networking: although the widespread effects of social networking on businesses, governments and lifestyles is the province of its own report, it’s important to note that those effects are significant, worldwide, and that the entire social networking phenomenon is enabled by cloud computing. Many believe the eventual impact of social networking on businesses and the related improvement in productivity will be profound.
• Accelerating technology transitions: one big difference between the successful introduction of tablet computers in 2010 from earlier failed attempts is that cloud-based services are available today to do the background computation, storage and other “heavy lifting” that make tablet computers useful tools.


Drill-down discussions

Getting granular on critical aspects of cloud computing

As mainstream adoption of cloud services begins in earnest, there is a multitude of factors that CSPs and cloud users must carefully consider. Our drill-downs explore the specific benefits, risks, accelerants and inhibitors associated with critical aspects of cloud computing adoption.

• Pricing and business models: Multiple challenges — from encouraging customer behavior that smooths consumption highs and lows to overcoming obstacles to optimal asset utilization — complicate cloud business models and the pricing programs that manifest them.

• Vendor management and strategic sourcing: Many organizations are still developing the skills necessary to achieve and maintain desired levels of service through vendor contracts and relationships; plus, cloud services demand new thinking about strategic sourcing opportunities.

• Availability and interoperability: Achieving the efficiencies and scalability promised by cloud services — in the absence of proven standards — requires diligent investigation of both your own systems and your provider’s.

• Security and privacy: Relinquishing control over corporate data and the additional exposure of transmitting information over the internet are important concerns that must be thoroughly addressed.

• Standards and risk management: Cloud computing can cause important changes in the ways businesses approach risk management, compared with in-house IT; industry standards help mitigate risks, but cloud standards are still immature.

• Government: Despite impediments specific to their nature, governments are pursuing cloud computing with gusto, both to reap the same benefits as private organizations and to create leading cloud development and service centers within their borders as a source of economic development.

• Accounting: Cloud services typically combine many elements of traditional IT infrastructure, resulting in significant revenue recognition and timing challenges for providers.

• Cross-border taxation of CSP arrangements: CSPs face complex tax issues because cloud computing is often borderless, but tax regulations are not.

• Regulatory compliance: Cloud services pose compliance questions for their users — which can translate into opportunity for their providers.


Drill-down discussion Pricing and business models

“Cloud providers have to show customers a cost advantage that is not only better than what they’re paying today, but also is large enough to offset the cost of changing to a new approach.”

Joe Lackner Advisory — PI

Current situation

At first look, cloud computing business models appear deceptively simple. Instead of buying and installing all their IT infrastructure and applications themselves, cloud customers buy access to the infrastructure and applications they need as they need them. Instead of paying for it all up front, including more capacity than they may need right away, cloud customers pay only for what they use — and only as they use it. Customers generally pay either a flat-rate subscription fee per user, or pay-as-you-go usage fees for precisely defined service levels.

Look deeper, however, and nuances emerge, multiply and become complex.

First, cloud service fees are just very different from how most companies think about the cost to build their own IT infrastructure. So at any price, CSPs face a daunting task in articulating to potential customers how they create tangible economic value compared with customers’ existing models. No less difficult is the task of determining the right price points. That analysis must encompass the full range of costs necessary to sustain a CSP’s service over the long term (including upgrades, maintenance, capacity planning and incorporating innovative new technology, to name a few), while at the same time considering less tangible values, such as eliminating the uncertainty of building your own IT infrastructure when IT is not your core competency. In addition, customers’ consumption patterns and optimal network utilization must be factored into pricing considerations. Similar to many utility company “peak hour” and “volume” pricing programs, doing so enables cloud service pricing programs to offer incentives to customers to make their best efforts to use the cloud service efficiently, and establishes appropriate value for a CSP’s ability to provide elastic scalability that matches customers’ changing needs.


The “simple” cloud business model may be equally daunting. Business models for SaaS, for example, tend to become more complex as one moves from simple, standardized applications such as word processing to more complex applications such as enterprise resource planning (ERP). In addition, compliance requirements imposed by many governments that restrict where data and processing can physically occur tend to complicate all cloud business models by creating obstacles to optimal infrastructure utilization.

This is a new market, and few providers or customers have extensive experience with cloud computing business models and pricing, so further changes likely lie ahead.

Cloud pricing considerations

The main pricing complications for CSPs come from articulating all of the value captured in the price, determining what value customers will ascribe to buying the service instead of building the infrastructure themselves and pricing the peaks and valleys of consumption. If, for example, the top e-commerce sites all migrate to the cloud, how will their CSPs charge for the tremendous seasonal activity spikes that accompany retail sales? How will they encourage greater utilization during low usage times? (See Figure 1, below.)

Questions to consider

Cloud business user
• Does my CSP charge a premium for consumption that exceeds agreed-upon levels?
• Should I risk increasing CSP “lock-in” by optimizing my software design to take advantage of my infrastructure or platform CSP’s particular pricing approach?
• How much customization does my application require, and how does my CSP charge for it?
• Are there any relatively obscure software functions that my organization nonetheless depends on?

Cloud service provider
• What is the economically justifiable price point for my service, and how will it change over time?
• How can I structure a pricing program that helps to smooth out consumption of my infrastructure?
• What is the best model for deploying new functionality to my customers? Is an “open source” model an option?
• Does it make sense to expose discrete elements of functionality for separate purchase by customers?
• How often should we re-evaluate our pricing model to grow revenue?

Figure 1: Important cloud pricing and business model considerations

Issue | Implication
Maximizing asset utilization | Pricing programs must encourage customer behavior that helps smooth consumption peaks and valleys
Granularly detailed services pricing | Enables customers to optimize service cost via their software design, but could increase vendor lock-in
Capital expenditure | Corporate preference to use traditional return on investment (ROI) measures in making capital expenditure decisions could apply downward pressure to cloud pricing
SaaS customization | Because it requires non-standard, negotiated pricing, customization reduces the potential economic benefit of cloud models
Functionality “menu” | If providers make all functions available from a configuration menu, the possibility of differentiation via IT is diminished or eliminated
Funding innovation relevant to customer subsets | Given shared infrastructure, the economic model is unclear for innovation that benefits only a few customers; clearinghouses or application exchanges may evolve to fill the need
National regulation, particularly of data location, security and privacy | Creates obstacles to optimal asset utilization of cloud infrastructure

Source: Ernst & Young analysis.


Similar challenges in traditional markets have been addressed via special pricing programs, most notably by power utilities and mobile network operators. Power utilities and their commercial customers typically agree to a threshold below which the customer pays a standard rate; for example, up to 20% above the customer’s average usage. However, if the customer needs 30% more power during a given usage peak, they may pay a significantly higher rate for the 10 extra percentage points. “Cloud pricing likely will end up in a similar place, because the cloud is all about capacity planning and infrastructure balancing, so there has to be some incentive for the customer to manage that supply and demand,” explains Joe Lackner, Advisory — PI.

Pricing effect on interoperability; capitalization versus expensing

IaaS and PaaS providers have broken up their service into many itemized offers; they charge separately for processor time, database reads and writes, storage capacity (charged differently for the disk on the server versus a remote disk), bandwidth consumed and more. One outcome of this detailed pricing strategy is that customers can choose to design their software in ways that lower the cost of cloud services.1 For example, one leading IaaS provider prices processor time cheaply relative to the other service components, while a major rival prices processor time as a scarce commodity.

In this example, because of code differences, a customer that optimizes its software code for low cost using either CSP’s cloud would have a hard time migrating that software to the other CSP’s cloud — thus complicating the issue of interoperability among clouds.

Capitalization versus expensing is an issue that could put downward pressure on any CSP’s pricing model. Many corporations develop annual IT capital expenditure budgets based upon traditional IT infrastructure costs, and generally consider ROI metrics in making capital expenditure decisions. Depending on the pricing model of the cloud service, cloud vendors and users will need to understand how to make similar evaluations, as the nature of cloud service arrangements may not fit with traditional ROI measures. Even if a company determines that a cloud vendor’s offering is the better choice from an ROI perspective, organizations may find that they don’t have room in their current operating budgets to adopt the vendor’s offer, due to the fact that the CSP’s offering is a service and not a capital asset.

Furthermore, capital assets are generally depreciated or amortized over the useful lives of the underlying assets, while cloud services are generally expensed over the term of the arrangement. The classification of these expenses may also impact the decision to purchase cloud services, particularly for companies that measure themselves based upon traditional operating measures, such as earnings before interest, taxes, depreciation and amortization (EBITDA). “That, in turn, puts pressure on pricing models and, overall, on whether the value proposition works for one company at one specific time,” Joe says.

“Who owns the responsibility for the upkeep of custom code in a SaaS model? To me, that’s the big dimension that makes it different than infrastructure or platform as a service.”

Joe Lackner Advisory — PI

Further complications for SaaS

Pricing for SaaS may seem simpler, at first, because it is generally offered as a flat subscription fee — an amount per user, per month, with all the infrastructure details submerged into the application functionality. SaaS pricing also must consider how to smooth out the peaks and valleys of consumption, but for SaaS CSPs that is only the first of many complications.


SaaS CSPs must also determine how to charge for the value of configuration and customization and include separate charges for service integration with in-house customer applications — as well as ongoing incremental innovation and upgrades. Therefore, the complexity challenge for SaaS CSPs is to describe their per-user fee in a way that shows how it offsets the capital expenditure costs of setting up new infrastructure (up front and as a company grows) and includes the notion of having the latest functionality without the pain of major software upgrades and licensing costs.

Certain leading SaaS CSPs have good models for deploying new functionality, but they are based on limited experience with a small, pay-as-you-go set of applications and limited points of integration between the CSP and the customer’s IT environment, which doesn’t lend itself to being customized. If the SaaS market grows as robustly as most observers expect, such “limits” will be vastly expanded, and SaaS CSPs will have far more complex scenarios to deal with than currently is the case.

Because cloud computing is still in its early stages, many of these pricing issues blur together with business model issues.

Cloud business model considerations

In the case of relatively simple, standard productivity applications such as email, word processing and spreadsheets, SaaS business models are also relatively simple and standard. Advertising supports “free” versions; business customers that want additional support, storage, reliability or functionality pay monthly subscription fees per user. Slightly more complex applications typically charge an up-front fee for setup and a monthly service fee with a variable component based on a relevant usage parameter, such as web page views, ad impressions or email deliveries.

ERP and other enterprise-level applications, however, can be very complex and are sometimes customized to the needs of an individual organization; even consumption patterns are likely to be unique from one company to the next. Pay-as-you-use subscription models for ERP software delivered as a service might have to support custom configuration and development as well as ongoing support for the customized configuration.


Agreements involving such applications are likely to be individually negotiated and to include a definition of expected consumption patterns as well as special fees for differing from the expected pattern. The more customized the application becomes, the more unique pricing and contracting will be; pricing for complex SaaS services, therefore, may turn out to be not all that different from current outsourcing negotiations today.

Is a functionality “menu” a possibility?

Offering a “menu” of discrete functions around a core set of functionality is another possibility for how SaaS business models could evolve. Modern software typically provides far more functionality than any individual customer ever uses but offers no way to opt out of specific functions — you just ignore those you don’t use. Many customers have their “favorites” among the lesser-used functions, and some customers are truly dependent on certain of them.

Allowing a customer to pay only for functions they use might create value and simplicity for the buyer — but increase management complexity for the provider.

Extended to its logical conclusion, the functionality menu concept gets to the heart of whether an organization believes its IT systems can be a source of differentiation. If all potential options are available to be configured from a menu, as opposed to custom-developed, it suggests that IT isn’t a differentiating factor. “What companies will want to do will bump up against the limit of what’s pure configuration versus customization. So, while we will have more commonality over time, I don’t think we’ll get to a point where the application environment can become a box to check,” says Joe.

Funding ongoing innovation

Funding for the development of the lesser-used functions described above may also become an issue. Innovation that serves the needs of the many will always find funding because it has an inherent model for ROI. But what of innovation that serves the needs of the few? Every major software release usually includes a handful of new functions that many users ignore but that are very important to a small number of customers. It remains unclear how CSPs will fund those types of functions.


Among the concepts that have emerged in response to this concern is the idea of clearinghouses or exchanges for innovation. Linux open source software development provides a potential model for the clearinghouse concept. In the Linux model, developers in the open source community offer new ideas and software code to a neutral party (in the case of Linux, a “benevolent oligarchy” of individuals) that decides what to include in future releases of the Linux software. An exchange would more likely look like the “app stores” that have evolved in recent years, initially around smartphones. Exchanges would enable “the few” who might be interested in an obscure function to find it and buy it, thus providing the economic incentive a developer needs to create the function.

Business model challenges

National borders represent a challenge to cloud business models because they can be a force in opposition to good asset utilization, which is one of the key drivers of economies for CSPs. Many nations impose rules on privacy, data location, management location or all of the above. Without such rules, CSPs would build services on top of infrastructure that resides in whatever country can offer the lowest total cost of ownership, allowing for issues such as transfer pricing and tax liability. That way, a CSP could maximize the asset utilization of its infrastructure. However, when strictures are applied, the CSP must turn each stricture into a higher price point for the customer.

Besides pure cost issues, there is a balancing challenge for asset utilization. If an infrastructure provider has data centers in the US, Canada, India and China, for example, but every customer in China must run off the Chinese data centers, the CSP cannot easily balance its asset usage and will likely lose efficiency.

To accommodate these challenges, CSPs are likely to develop pricing models with multiple tiers for different service levels that relate to customers’ tolerance for certain risks — most notably the compliance, privacy and security issues described above. For example, factoring strict compliance with the laws of multiple national jurisdictions into a service would cause that service to be priced higher than the same service without any compliance strictures. Likewise, “platinum” level security would be priced higher than “bronze.”

Ernst & Young observations

To properly value cloud services in the context of their own costs, customer organizations should start by determining the total cost of ownership (for their estimated useful life) of those elements of their IT infrastructure that are non-differentiating.

The complete economic picture does not reside in cost alone. Variables such as rapid access to new technology and the ability to focus internal resources on what differentiates your organization should also be factored into the economic equation.

Pricing and business model considerations for cloud services are particularly complex at this point because the market is so new that most offers are not yet well-defined. This will work itself out rapidly, as the market is evolving fast.


Drill-down discussion Vendor management and strategic sourcing

An overwhelming number — estimated to exceed 60% of enterprises both large and small — will evaluate and pilot some type of cloud-enabled outsourcing offerings within the next 18 months.1

Current situation

Cloud computing comes with a unique set of vendor management challenges and new criteria to evaluate when considering strategic sourcing models and analyses.

Vendor management in the cloud

The new vendor management challenges stem from the loss of control and lack of transparency into infrastructure details that often come with moving to cloud services from in-house or traditional outsourcing models. Before, companies could design systems to meet — or, if outsourcing, specify — precise requirements for security, data integrity, system availability, privacy and other factors. Moving to the cloud means buying from CSPs that do not always provide a transparent view into the inner workings of their infrastructure. While the exact nature of the issues varies depending on the type of cloud service (e.g., application, platform, infrastructure), the overarching principle is the same: instead of specifying technical requirements, business users typically must manage vendors to meet service levels using SLAs.

Strategic sourcing in the cloud

Cloud computing also changes strategic sourcing equations in at least two dimensions. First, complications around data security, privacy and compliance in the cloud will influence the types of applications and business processes that are candidates for cloud deployment, as opposed to traditional outsourcing. Second, system interdependence will similarly have an influence. Complex interdependencies may make it very difficult to extract a given application from the rest of the enterprise infrastructure; also, the solutions that address many business processes are likely to involve both cloud-sourced and in-house elements that must interact. The effort required to achieve that interaction across the enterprise-cloud boundary will affect the strategic sourcing decision. In addition, different cloud opportunities will mature at different rates; for example, security issues might be resolved before compliance issues involving privacy or tax. Therefore, as the market evolves, strategic sourcing opportunities determined to be unfeasible today may become feasible tomorrow — but which ones become feasible, and precisely when, will depend on how the market evolves.


Accelerants

Emergence of cloud service “brokers”

Cloud service aggregators, or brokers, are already beginning to emerge to help organizations overcome their initial lack of experience in managing CSPs, especially for situations in which multiple CSPs may be required.2 Service aggregators sit between the cloud and the client to actually package all of the services based on the needs of the organization. They then manage the governance and the service levels for the organization. Venture capital (VC) funding is accelerating this trend. VCs wish to participate in the cloud opportunity but generally try to avoid capital-intensive businesses that require massive data centers, such as have been constructed by Amazon, Google, Microsoft and others for the provision of cloud services. Service aggregators are a more natural fit for VC funding.

Standardized SLAs, personnel shift and time are needed

Though it may sound like a cliché, time is likely to be among the most important accelerants of cloud adoption for issues such as vendor management and strategic sourcing. Over time, the experiences of early adopters will lead to standardized SLAs that help define critical components of the relationship between organizations and their CSPs, as well as how to manage those relationships. Such standardized documents can be put to use by organizations that don’t have their own direct experience. It will also take time for organizations to shift their personnel from technical experts capable of directly managing an IT infrastructure to people skilled at managing complex multifaceted relationships with vendors. Finally, time plays a role in strategic sourcing, because different cloud services are maturing at different rates, and what organizations consider strategic or tactical also tends to change over time. However, these changes will not take a long time, because mainstream cloud adoption appears to be happening rapidly.

Questions to consider

Cloud business user
• Do we have the necessary skills and discipline to manage multiple vendor relationships to meet critical business requirements?
• Am I aware of all of the cloud services being used by my organization in all of its distributed global operations?
• Are all of our internal system dependencies well understood, or will we need to sort out those dependencies before making use of cloud services?
• Should I consider the use of cloud service “brokers” to accelerate either adoption or pilot projects?

Cloud service provider
• Given customers’ inexperience with SLAs, can I achieve higher growth by creating standardized SLAs — even if they help customers scrutinize my own operations more closely?
• Should I also provide service organization reports such as Statement of Accounting Standards No. 70 (SAS 70) or its successors, SSAE 16/ISAE 3402, which incorporate reporting on controls relevant to security, availability, processing integrity and confidentiality?

“An important overall issue is to get control of all your cloud usage — a CIO, for example, might not be aware that a sales department in another country is already using cloud services.”

Mal Postings Global Advisory CTO — IT


Inhibitors

Inexperience

For vendor management, new approaches and skills are required, and new ways of thinking are needed for strategic sourcing. Because cloud computing is so new, however, most organizations have yet to develop the necessary experience and skills. “How you manage a vendor selling software licenses is very different from how you manage a cloud vendor that is selling on a pay-per-use basis,” explains Paul Chabot, Global Technology Industry, Advisory — PI. Practices that are well understood in terms of traditional outsourcing are unlikely to apply. Typical questions organizations must ask themselves in the context of clouds are, How do we maintain data quality and data integrity when the data is outside our walls? How are we going to assess the CSP’s security? What is the risk of data loss? Until there is more experience around these questions, they will be inhibitors to cloud adoption.

Re-thinking SLAs

Similarly, inexperience with negotiating SLAs for cloud services will inhibit adoption until companies figure out how to define appropriate service levels at each layer within the cloud model. Although SLAs have traditionally related to the overall availability of service, including disaster recovery, cloud users have additional concerns because they typically lack other ways to enforce their requirements. “What information are you going to require that the CSP report back to you on an ongoing basis?” asks Atul Sharma, Advisory — PI. What clauses are you going to want in your service agreement to protect your business process? What penalties are you going to want if there’s a failure or if they can’t meet certain service level agreements, and how are you going to quantify the remedy? Even seemingly mundane issues can create challenges if they are not anticipated and processes agreed upon in advance. For example, CSPs must upgrade their infrastructure and perform maintenance from time to time. If the timing and scope of such activities are not defined and agreed to in advance, they might occur at a moment that interferes with a user’s critical business process.

Importantly, not all “down time” is equal in value: for example, an e-commerce site selling football apparel will lose more value during the Super Bowl in the US, or the World Cup in the rest of the world, than at any other time of the year. How will SLAs be written to account for such variability?

“Right now, the issue of strategic sourcing is surrounded by the question of what is sensitive data, and very diligently weighing the pros and cons of putting that into the public cloud.”

Atul Sharma Advisory — PI


Complications for strategic sourcing

In terms of strategic sourcing, companies will need to think more about issues of data privacy, security, regulatory compliance, integration and misuse of data before they can make use of a public cloud service, as opposed to a private cloud or traditional outsourcing. Therefore, the sensitivity of the data involved will be an important factor in strategic sourcing analysis, including consideration of which applications and processes may be candidates for cloud services. Those activities that are lower-risk, and that cloud providers can do more cost-effectively, will move into the cloud. More strategic activities, which have higher risk around regulations, security and privacy, may remain in the private cloud or move more slowly into public clouds. This dichotomy is seemingly more evident for larger organizations; small- and medium-size companies are pursuing public cloud alternatives more broadly.

Dependencies, maturity rates and start-ups may all inhibit adoption

Because so many corporate IT infrastructures have grown piece by piece over many years, the system interdependencies in these environments sometimes are difficult to understand or define. Therefore, which applications and processes are being considered for migration to the cloud may be further restricted depending on whether a company can determine those dependencies. “The cloud opportunity puts a spotlight on this issue; many companies will have a lot of homework to do before they can even take advantage of the cloud,” says Atul. The dependency issue is exacerbated in situations where multiple cloud vendors are required to interoperate to address a given business process.

Sorting the “mature” cloud services from services that may not be ready for enterprise deployment is another challenge that may inhibit adoption. According to Atul, there is no shortcut for this issue; each potential service should be investigated at a deep level of detail and matched to the precise business requirements involved. Finally, another inhibitor is that enterprise customers know that with so many start-ups offering innovative cloud services, there is a high likelihood that many of them will not survive over the long term. For larger and more established organizations, potential savings and other benefits may not be worth the risk that a given provider will go out of business, while smaller organizations may be more willing to accept that risk given the potential cost savings.

Ernst & Young observations

In order to manage their CSPs on an ongoing basis, organizations will need precisely defined criteria for the information they wish to have regularly reported; service levels defined specifically in the context of an individual application or business process; and clear penalties articulated in the event of a service outage or failure to meet service levels.

Organizations that commit to cloud services may need to focus on deliberately shifting their staff from technical experts to people more skilled at managing vendor relationships.

As cloud service maturity levels evolve rapidly over the next few years, organizations will want to consistently revisit strategic sourcing decisions. The potential for migrating specific applications to the public cloud will change over time.

Organizations that determine that at least a part of their success comes from core competencies reflected in a legacy application might consider never putting that application in the public cloud.

Organizations should consider cyber risk liability insurance in their CSP contracts — it is a protection that is too often overlooked.

“As it becomes more common to have multiple vendors providing applications to support one business process, you’re going to have higher risk profiles to manage.”

Paul Chabot Global Technology Industry Advisory — PI


Drill-down discussion Availability and interoperability

Current situation

Cloud computing promises flexibly scalable IT resources, low barriers to change, reduced capital expense risk and usage-based pricing, thus lowering an organization’s IT costs, while freeing management to focus on building business agility, speed and innovation. None of these benefits are likely to be achieved, however, unless you diligently match the availability and interoperability attributes of a CSP to the requirements of your business. That’s no easy task. Interoperability — enabling processes from different IT systems to work collaboratively or to share data — always presents formidable challenges, and it will be no different in the cloud.

Sixty percent of the 1,059 North American and European business decision-makers surveyed are concerned about service availability in the cloud.1

Availability in the cloud

The common vision of cloud computing likens cloud services to power or landline telephony — “utility” services that are among the most dependably available services you can buy. Customers cannot simply assume, however, that any cloud-based service from any CSP will always be there every time they need it. Although the business models of the largest CSPs involve multiple data centers in different geographies, spreading and balancing workloads among them, many do not. Often, CSPs have poor regional or global coverage that might affect a customer’s experience — in other words, a given customer might be served from a single, potentially distant data center. Disaster recovery capabilities are, likewise, different from provider to provider and may not match the needs of all organizations. It’s important to know how often a CSP does verification testing of its disaster recovery capabilities, and in what form it reports on such testing.


Further, lack of standardization and CSPs’ efforts to differentiate their service offerings create issues for customers wishing to “recover” to a different cloud service, or to simply switch CSPs, as described by the European Commission.2 Finally, it’s important to understand how availability is affected, positively or negatively, by a CSP’s “supply chain” — for example, a SaaS provider whose application is hosted by a platform or infrastructure service provider.

Interoperability in the cloud

CSPs and their customers must consider interoperability issues in many dimensions. Assuming that no medium or large organization will migrate its IT operations to a cloud model overnight, the biggest interoperability issues are likely to be those between the customer’s existing infrastructure, data and applications and the CSP’s. For example, a customer database migrated to the cloud may still need to interact with in-house marketing automation and ERM systems. “There will also be interoperability issues in orchestrating the efforts of multiple CSPs to provide a coordinated set of services that address a single business process,” says Paul Chabot, Global Technology Industry, Advisory — PI. Additional interoperability issues stem from the desire on customers’ part to be able to move from one CSP to another, juxtaposed against the CSP’s desire to “lock-in” customers — an issue that is also described in the European Commission report cited earlier.

Accelerants

Elasticity of the public cloud

Perhaps the major accelerant of public cloud adoption is its ability to elastically scale IT resource availability up — and down — depending on the momentary needs of the business. This resolves a long-standing dilemma for large organizations, which forecast demand for their IT resources yet typically end up with more capacity than they need — or worse, less than they need — because of business changes during the installation process. “Clouds promise to solve this issue by more closely aligning demand with supply,” notes Amr Ahmed, Advisory — PI. Cloud-based IT services can grow or shrink as business requirements change, without requiring long implementation times or aggressive capital investment (see Figure 2, page 24).

Questions to consider

Cloud business user
• Are my IT capacity requirements really so changeable that I need the high elasticity of public cloud services?
• Am I ready to pay a higher price for integrated tiered disaster recovery capability as part of my cloud service?
• Can I delineate the dependencies in my own data center well enough to coordinate hybrid services and processes that combine my own infrastructure with a CSP’s?
• Have I assessed the comprehensiveness of my CSP’s SLA provisions to ensure that they adequately cover the availability tolerances of my applications?
• How will I monitor the cost-effectiveness of my cloud solutions in order to determine if it ever makes sense to return to an in-house model?
• Am I prepared to deal with multiple CSPs to provide a single business service, or should I consider working with cloud “brokers” to orchestrate multi-provider services?

Cloud service provider
• How transparent can I be about the inner workings of my infrastructure? Does too much transparency increase vulnerability to cyber attack?
• What will create more value for my organization: customer lock-in or a demonstrated commitment to interoperability?

“Alliances make a lot of sense because of the lock-in problem that customers face. We’ll end up either with really open interoperability among CSPs, or more groups of alliances.”

Hanny Kemna EMEIA Advisory — IT


Emergence of interoperability standards; superior resilience

While interoperability standards are not yet mature, several coalitions of technology vendors, CSPs and service users have formed to drive the creation and adoption of such standards. Most include the word “open” in their name, such as the Open Cloud Consortium, the Open Cloud Manifesto, the Open Data Center Alliance and the Open Cloud Standards Incubator. They advocate the belief that widespread acceptance of interoperability standards is necessary to mainstream cloud adoption.3 “A factor that might help enable interoperability is that cloud services typically are based on virtualization technology, which is also being adopted inside corporate data centers,” notes Amr.

Further, interoperability standards would enhance availability, providing another potential accelerant. CSPs that can provide leading disaster recovery practices may be able to demonstrate resilience superior to that of an individual enterprise; by adding strong interoperability standards, CSPs could go further by providing “failover” capability from one cloud to another.4

Some CSPs address availability through their own standard SLA provisions and processes, and a few have even established public websites that provide users with real-time insight into the status of their services. These leading CSPs view availability and security as among the most important issues for broad adoption, and the measures they are taking are effectively setting the standard for new entrants to be successful.

“Most SLAs lack detailed disaster recovery, because few buyers are willing to pay for it. However, this trend is changing today, as disaster recovery is nearing the top of the IT agenda.”

Amr Ahmed Advisory — PI

Figure 2: How the cloud computing model achieves superior supply and demand alignment

[Figure: two panels. Panel titles: "Traditional IT resource capacity (Utilization challenge)" and "Cloud view — transforming IT (Align supply and demand)". Labels in both panels: Actual load, Allocated capacity, IT growth. Region labels: Under supply, Excess. Horizontal axis: Time.]

Source: Ernst & Young analysis.


Inhibitors

Lack of standards

The difficulty with all the standards activities described above is that they are brand new — and standard-setting is a lengthy process. Stated simply, the biggest inhibitor to mainstream adoption of cloud computing is that the cloud services market lacks widely accepted standards for availability and interoperability. When mature standards emerge, they will mitigate the inhibitors described below.

Previous success

As is often the case, previous success inhibits rapid adoption of future innovation. Large organizations have existing infrastructure that represents a significant investment in a set of applications and a specific IT architecture. For such business users, moving everything to the cloud all at once isn’t necessarily feasible, even if it were desirable. Thus, the difficulty of achieving interoperability between cloud services and internal infrastructure, data and applications becomes a critical concern of cloud adoption. Adds Amr, “It’s hard for large companies to get a clear picture of the services interdependencies in their own data centers, because of inherited legacy environments and a lack of automated discovery and correlation in most data centers.” The problem is magnified if only a subset of a business process is migrated to the cloud — for example, the database portion of a sales management process.

Inhibitors at every CSP size; public network dependency; legal discovery

Two issues related to availability are a cloud user’s ability to recover within the cloud itself and the ability to recover to a different cloud. Each brings different issues. For example, in terms of availability within a given cloud, larger CSPs typically won’t provide much transparent visibility of their disaster recovery mechanisms. Smaller CSPs may be more flexible about meeting different customer requirements than larger ones, which are typically unwilling to negotiate changes to their standard agreements given the difficulty of altering their large infrastructures to meet non-standard requirements.

Another inhibitor is that the availability of public clouds is, by definition, at the mercy of public network performance, whereas an organization with its own private network can determine its own availability and performance requirements. Finally, cloud users must ascertain their CSP’s ability to support “e-discovery,” the process of locating and preserving data that relates to investigations and litigation. E-discovery has become a requisite for large organizations relatively recently, and it is not yet clear how cloud services will address it.

Ernst & Young observations

By understanding the different availability tolerances required by individual applications or business processes, cloud business users can negotiate varying levels of availability and pricing, as required.

Interoperability already is an important criterion because of the need to integrate cloud services with existing IT infrastructure, and because there are many start-up companies whose innovative cloud service offerings could be integrated with one another. As CSPs become more specialized, the importance of interoperability will increase as multiple CSPs become involved in supplying a given solution, whether that solution is orchestrated by in-house IT management or cloud service “brokers.”

Due to the nearly infinite permutations that are possible in IT infrastructure, when it comes to interoperability standards there is no substitute for bilateral testing — direct tests between two parties. CSPs wishing to demonstrate their commitment to interoperability should consider bilateral testing, even with competitors.

“You need to understand the precautions your CSP has taken. If something is truly business-critical, you may want to ask the provider to take additional, specific precautions.”

Paul Chabot Global Technology Industry Advisory — PI


Drill-down discussion Security and privacy

Current situation

While there is no doubt that cloud computing appears to be well on its way “across the chasm” to mainstream adoption, concerns over security and privacy slowed its early adoption.

Turning over control of the security of their IT infrastructure and data is an inherently uncomfortable situation for senior corporate managers — and it goes against the existing culture of many large corporate organizations. It’s no surprise, therefore, that a research survey of North American and European businesses found that 50% of respondents said their chief reason for avoiding cloud computing was security concerns.1 In a separate global study of IT risk, 77% of respondents said adopting cloud computing makes protecting privacy more difficult.2

“With regard to security issues, this is as much a cultural and mindset change due to loss of control, as it is an infrastructure change.”

Jose Granado Advisory — IT

Security in the cloud

Culture and comfort aside, simply communicating data over the public internet, as opposed to keeping it entirely within a private corporate network, may increase data vulnerability. In addition, the business models of CSPs involve sharing infrastructure among many clients and managing IT workloads among many different physical machines or even geographically dispersed data centers. That workload management issue means that a given cloud user may not be able to determine precisely where its data is located or how that data is protected. The shared infrastructure issue effectively links the security fates of all users in a given cloud in a sort of unintended commune. These issues were cited in a recent European Commission report as the key reasons why cloud computing will require entirely new security governance models and processes.3

Privacy in the cloud

On the privacy side, there is the concern, of course, that personally identifiable information stored in the cloud can be breached more easily than if stored in-house — but that’s mainly a security concern. Beyond data protection, the core privacy problem for enterprise businesses adopting cloud computing stems from the diversity of privacy regulations from country to country, juxtaposed against the CSP business model.


“Because the cloud is a virtual environment and data can be anywhere, you as a user may not know whether you are violating privacy regulations in the countries where you operate. And if the cloud data center is located in another country, you may not even know what country’s regulations apply,” explains Sagi Leizerov, Advisory — IT.

Accelerants

Security expected to rise as primary driver of cloud adoption

In the same research survey where 50% of respondents cited security concerns as their chief reason for avoiding cloud computing, Forrester Research projected that within five years, cloud security will become one of the primary drivers for adopting cloud computing.4 What could cause this shift?

In fact, there already is a growing minority view that using a CSP enhances security.5 A CSP’s viability depends in part on establishing a reputation as trustworthy. Therefore, according to this view, the CSP will devote significantly more resources to security and data protection than a typical business, whose IT department is a cost center that often faces diminishing budgets. In fact, this is being seen already: leading CSPs view security as among the most important issues for broad adoption, and the measures they are taking are effectively setting the standard for others.

Additionally, the migration to using a CSP may galvanize centralization of enterprise data from across the business. “Having your data all in one place allows for better security management and the employment of consistent policies,” says Jose Granado, Advisory — IT.

Emergence of leading practices and standards will promote the cloud

The main factors that could accelerate resolution of security and privacy issues associated with cloud adoption are leading practices, standards and cloud-specific regulation of security/privacy — all of which are slowly emerging from several regions around the world.

For example, the Cloud Security Alliance (CSA) is a non-profit organization formed to promote the use of leading practices for providing security assurance within cloud computing, for both cloud customers and CSPs. CSA’s activities, initiatives and publications in this space include security guidance, a cloud security competency certification program and a suite of tools called “GRC Stack” for governance, risk and compliance in the cloud. GRC Stack offers, for example, a control set and an assessment questionnaire for cloud stakeholders.6

At the same time, the European Network and Information Security Agency (ENISA), commissioned by the European Parliament, is working to harmonize privacy law differences across the EU. Another ENISA initiative is to provide a benchmarking model to help cloud users compare CSPs on a consistent scale. “To enable the user to more efficiently compare different cloud service offerings based on a standardized set of controls or a set of audit tasks would be empowering,” notes Thomas Loczewski, EMEIA Advisory — IT.

Questions to consider

Cloud business user
• What is my organization’s risk tolerance?
• Which compliance and security requirements must be met?
• How can my CSP help my organization comply with the varying data privacy rules in all of the jurisdictions where I do business?
• What independently verifiable assurances of security and privacy does my CSP offer?
• What security and privacy metrics will I use in selecting a CSP, and how will I monitor them?
• How will I maintain data quality?
• How will I set up my sourcing governance for a CSP landscape?

Cloud service provider
• Which compliance and security requirements of the customer need to be met?
• How can I comply with varying data privacy regulations, while maintaining a virtual cross-border business model?
• What independently verifiable assurances can I offer cloud users of agreed-upon security and privacy levels?
• How can I balance the transparency of my operations with security for cloud users?
• What policies can I offer cloud users related to security/privacy breaches, and what remedies am I bound to?


US government legislation is expected to accelerate the resolution of security and privacy issues in cloud computing, indirectly and directly. Health care reform and stimulus funds earmarked for the application of technology to health care administration processes as well as the E-Government Act require standards to be adopted to promote the seamless and secure flow of data. Moreover, as the US government continues to increase its usage of cloud services, it will push the development and implementation of standards and regulation. For example, the Federal Risk and Authorization Management Program (FedRAMP) has been established to provide a standard approach to assessing and authorizing the security of cloud computing services and products for US government agency use.7 In late 2010, US agencies began awarding cloud services contracts, including a General Services Administration (GSA) award to a team led by Unisys and Google and a Department of Agriculture award to Microsoft. Both deals include email and other collaboration applications.8,9

Virtualization’s rapid adoption promotes private clouds

Finally, there is the relatively rapid adoption of virtualization technologies inside the firewalls of corporations, essentially creating private clouds. Because private clouds are under the direct control of a company (even though a third-party firm may manage them), they are not subject to all of the inhibitors affecting the adoption of public clouds. They can provide an interim step, however, that helps to prepare a company for rapid migration to lower-cost public clouds once risk management and data type classification have been appropriately aligned with compliance requirements and sourcing options.

Inhibitors

Loss of control

Loss of control is rapidly emerging as the number one inhibitor to adoption of public cloud computing services. According to Borderless Security: Ernst & Young’s 2010 Global Information Security Survey, “many companies are concerned about giving up control of access to their business information and relying on the cloud to provide secure authentication, user credentials and role management.”10

Even in traditional outsourcing, the enterprise doing the outsourcing typically maintains responsibility for security, or at least co-manages it. Other than establishing and enforcing policies such as password changes, however, CSP business models essentially place all responsibility for security on the CSP. And the same business model issues can limit the transparency of the CSP’s security measures. In a related issue, it’s not always clear how an organization can maintain single sign-on for authentication across in-house and cloud systems.

Still, the Ernst & Young security survey found that 45% of its 1,598 respondents from 56 countries have either deployed or are evaluating cloud computing, “a surprisingly high number given that the reliability and security level of many cloud services is still unknown.” To get comfortable with cloud services, companies often require granular detail about how their information is protected by the CSP. Security audits are a typical information security best practice, but a CSP’s ability to respond to security audits is sometimes limited if its business model virtualizes operational details in order to gain efficiency and provide ease of use to customers. To help mitigate these concerns, many CSPs are utilizing assurance programs such as SAS 70 (to be succeeded by SSAE 16/ISAE 3402), International Organization for Standardization (ISO) 2700X and Trust Services, which provide standardized reporting on security practices.

“It’s counterintuitive for security officers, who have been responsible for protecting an organization’s data and intellectual property, to give up control of infrastructure and data to a third party.”

Jose Granado Advisory — IT


CSPs are attractive targets; cross contamination concerns; protecting personal information is key

Other inhibitors include the concern that CSPs may be more of an attractive target for hackers than an individual company, because multiple companies’ valuable data is housed with the CSP. Another is the risk of cross contamination, i.e., the potential for one user of a cloud service to gain access to another’s data. The European Commission report cited previously noted both these concerns.

Protecting the privacy — i.e., the personally identifiable data — of employees, customers and business partners is already a challenging proposition for multinational corporations. Privacy attitudes and regulations differ, sometimes significantly, from jurisdiction to jurisdiction — country by country throughout the EU and Asia-Pacific regions and state by state in the US. Privacy becomes exponentially more complex if a company turns over its data to a potentially borderless CSP. This has led to a call for countries to “harmonize their laws on cloud computing” to reduce inconsistencies in regard to privacy and security.11

Understand the implications of what you are moving to the cloud

Before migrating any servers, databases, applications or data to the cloud, companies should evaluate the nature of the information they would be moving, the sensitivity of that information and whether the CSP’s service location is appropriately secure for that information to reside. Before companies proceed, they should consider potential consequences from the fact that any sensitive data placed in the public cloud may become subject to the regulations of an unknown jurisdiction, especially if they are dealing with a CSP that does not make its data center locations known.

For example, if a European company’s data is stored in US data centers by its cloud provider, it becomes subject to the USA Patriot Act. That law allows the US government to access data stored within US borders.12 “Because you are in a virtual environment and data can be anywhere, a business user must be aware of all the different borders its data is crossing and the regulations that apply from each of those countries,” explains Bill Schaumann, Advisory — PI. While placing restrictions on where data can reside and travel seems like an easy fix, a CSP may not be able to comply with such restrictions. If it can, the restrictions will likely cause an increase in the price of the service, reducing the value of migrating to the cloud.

Deleted data doesn’t necessarily disappear

Finally, CSPs and their clients alike need to be concerned with the fact that data sometimes persists in servers through which it has traveled, even after having been “deleted.” “Underlying all the security and privacy issues is the concern that once it is shared, it will persist in that environment forever,” says Paul Chabot, Global Technology Industry, Advisory — PI.

Ernst & Young observations

Except where CSPs can demonstrate the necessary security and privacy measures, the safest way for large organizations to explore cloud services may be to build internal private clouds for applications involving sensitive data, while simultaneously investigating public clouds using non-sensitive data. It’s important to explore public cloud services in order to be ready to adopt these economically advantageous models as soon as their risk management and data type classification has been appropriately aligned with your organization’s compliance requirements and sourcing options.

To overcome the security and privacy issues of cloud adoption, buyers of cloud services can approach the move with thorough diligence that matches their risk posture, and also matches security and privacy requirements to the risk posture, service level agreements and demonstrated capabilities of the provider.

The potential for breach necessitates that the CSP and business user come to an agreement up front about notification and remedy policies.

CSPs should provide for internal and external security audits.


Drill-down discussion Standards and risk management

Current situation

Anytime you relinquish control, you add a measure of risk to your situation. For IT users, balancing the levels of risk and opportunity within their business is a significant task that is added to and changed in important ways when migrating to a CSP. Industry standards are among the key mechanisms that help mitigate risk.

From a risk management perspective, the main changes when moving from in-house IT infrastructure to cloud services are in the areas of data security and privacy breaches, as well as regulatory and legal compliance. Cloud computing is also likely to change certain non-IT ERM issues as well, although its impact is not yet well understood. Industry standards, often a risk management safety net, are lagging behind the rapid growth of cloud services. The lack of specific standards, especially in the areas of security, privacy and availability, is often cited as a barrier to industry growth, because without standards, cloud users have a high degree of uncertainty about the risks they are assuming.

Risk management is under-addressed: only 36% of US and 57% of EU survey respondents agreed that their organizations are vigilant in auditing and assessing the risk associated with planned cloud offerings before adoption.1

Many government, industry and public-private coalitions are racing to fill the standards void and thus ease risk management for CSPs and their users. Standards development, however, is a consensus-driven and therefore lengthy process — especially for international standards such as those being developed for cloud computing. Because cloud computing is a relatively recent phenomenon, the cloud standards process has begun only recently.


Accelerants

Focus on standardization initiatives

Many standardization initiatives are under way, with the intent of helping companies transition to the cloud by providing assurances that help users manage their risk. Although cloud standards are being developed globally, the US NIST has been recognized as a leader in cloud standards development. NIST’s widely accepted definition of cloud computing is referenced in a European Commission cloud report2 and reprinted in a technical report from the European Telecommunications Standards Institute (ETSI).3 The full NIST definition of cloud computing is included in the Glossary (see page 52).

The NIST views itself as a catalyst in helping the industry create its own standards, with the goal of promoting government and industry adoption of those standards.4 The NIST is in the process of launching an online portal to identify gaps in cloud standards to accelerate the development of standards for security, interoperability and portability. The NIST points out that the product of these initiatives must walk a fine line between being definitive enough to be useful without being so overly specific as to retard innovation.5

Multiple coalitions are driving standards efforts

Other efforts from many supplier-driven, user-driven and combined organizations are also under way. Important global standards development organizations (SDOs) include the Distributed Management Task Force (DMTF), the CSA, the Object Management Group (OMG) and the Open Cloud Consortium (OCC), all of which include members from dozens of countries around the world.6,7,8,9 While some SDOs are narrowly focused, such as the CSA on best practices for cloud security assurance, most are developing multiple different standards meant to address interoperability issues among multi-vendor clouds or between clouds and in-house systems and data. Their output consists of standards specifications, reference implementations and benchmarks. The DMTF and CSA are expected to publish draft specifications in 2011.

Questions to consider

Cloud business user
• How is my cloud strategy integrated into my ERM activities?
• What processes and controls are in place for security occurrences or incident reporting and resolution?
• How and how often will I measure my CSP’s adherence to agreed-upon service levels/standards?
• How will I test cloud offerings? What are the right pilot projects?
• What is my organization’s risk tolerance profile?
• What measures are being undertaken by my CSP to address availability and security, including audits to address compliance with NIST/SAS 70 (or its successors, SSAE16/ISAE 3402) standards?
• Do I have the processes in place to update my services to reflect regulatory and standards changes across the globe in a timely manner?

Cloud service provider
• How will I stay current with the perceived risks that have an impact on my business?
• What type of assurance will I provide my customers, at what intervals and at what cost?

“Cloud users are worried about the potential for security and data privacy breaches, in addition to worrying about whether they are violating any regulations or compliance rules.”

David Roque Advisory — IT


Interoperability versus vendor lock-in

Besides finding the right path between useful standards and continued innovation, many of these standards efforts must deal with the opposing forces of interoperability and vendor lock-in. Cloud users wish for the freedom to switch easily among CSPs, which lowers risk; but CSPs’ risk is lowered by proprietary ties that bind customers to their particular systems. Complicating interoperability issues is that high-value innovations are, by their nature, proprietary to the CSPs that created them.

Inhibitors

Fear of the unknown

While some believe that the risks inherent in cloud computing are the same as simply using the internet — namely, exposing your systems and data to cyber attack or other unauthorized or criminal access — many organizations have a more prevalent overall risk anxiety about the cloud, fueled in part by fear of the unknown. “With traditional outsourcing, there are many of the same risks, but the physically tangible nature of the third party and the longer history of those relationships help businesses understand the risk analysis better,” explains David Roque, Advisory — IT.

Thinking beyond straightforward IT-related risk, migrating to cloud computing is likely to have an influence on a broad range of organizations’ more traditional ERM considerations, such as legal liabilities, regulatory compliance and brand protection and the need to refocus and restructure their internal IT organization, among others (see Figure 3, below). For example, risk managers must understand how the risk of brand damage might change if control of a customer-facing website is migrated to a CSP instead of being administered in-house. There may even be risks to consider in not migrating to cloud computing rapidly enough — e.g., if the cloud paradigm catches on fast and if cloud-based competitors gain advantage through faster access to the latest advanced technologies. Such questions have only recently been raised, and most companies have not yet begun to consider them.

One way in which some organizations have tried to minimize risk is to migrate only non-core functions and non-sensitive data to the cloud initially. For example, the US government migrated its Recovery.gov website, which provides public access to information about the use of economic stimulus funds. That approach, however, can mitigate only certain risks, such as data security and compliance with privacy regulations.

“Standards will likely be developed over the next 18 months to 2 years, with refinement thereafter as cloud users continue to become more aware of the issues they need to have addressed.”

Hugh Rosengarten Advisory — IT

Figure 3: Cloud security “threat matrix” guidelines

1. Organizations shall develop and maintain an ERM framework to manage risk to an acceptable level.
2. Formal risk assessments shall be performed at least annually, or at planned intervals, determining the likelihood and impact of all identified risks, using qualitative and quantitative methods. A similar assessment should be done for inherent and residual risk, considering all risk categories (e.g., audit results, threat and vulnerability analysis, regulatory compliance).
3. Risks shall be mitigated to an acceptable level and time frame, which shall be established and documented with executive approval.
4. Risk assessment results shall include updates to security and privacy policies, administrative procedures, standards and controls to ensure that they remain relevant and effective.
5. Once access risks have been identified and prioritized, a plan should be put in place to minimize, monitor and measure likelihood and impact of unauthorized or inappropriate access. Compensating controls should also be implemented prior to provisioning access.

The risk guidelines above are described in the CSA’s “threat matrix” — officially the Cloud Controls Matrix — a pragmatic tool to help CSPs address risk management concerns. Source: CSA Controls Matrix web page, http://www.cloudsecurityalliance.org/cm.html


Immature standards

In the absence of definitive standards, current efforts to address risk management are disjointed and inconsistent; there is no agreed-upon baseline, creating a nebulous situation for CSPs and cloud users alike. Cloud users have turned to standards originally created for different purposes. For example, some require CSPs to provide SAS 70 reports. SAS 70 was defined by the American Institute of Certified Public Accountants (AICPA) and was originally geared toward financial controls.10 More popular in EMEIA is ISO 27001 certification — or more officially, ISO/IEC 27001:2005, published by the ISO and the International Electrotechnical Commission (IEC). ISO 27001 generally is considered to be a better assurance tool for cloud computing services because it is focused on security, but it is sometimes criticized for lacking sufficient testing of the security environment and controls in operation. Another emerging assurance reporting standard is International Standard on Assurance Engagements 3402 (ISAE 3402), put forth by the International Auditing and Assurance Standards Board (IAASB).

Meanwhile, a proposed security standard from the US NIST, described in Special Publication 800-125, Guide to Security for Full Virtualization Technologies (Draft), is being evaluated by many CSPs for certification efforts because it has more comprehensive detail than many others. “The standard actually has very specific details such as level of encryption, and the type of technology used. It drills down to a level where someone could say, ‘I understand that the right safeguards are in place,’” David explains.

Under these circumstances, it is not surprising that many believe the cloud market is still too immature for standardization, so CSPs and their customers must make do with the tools they have, recognizing that they may be imperfect (see Figure 4, below). According to Forrester Research, CSPs’ practice of adhering where appropriate to previously accepted standards has so far mitigated some of the trust issues resulting from the immaturity of current cloud standards.11

Ernst & Young observations

The decision to embrace cloud computing technology should include a risk-based analysis that includes all aspects of the business; it is not simply a technology decision.

The dearth of specific cloud computing standards is somewhat mitigated because most CSPs have developed their technologies adhering to prior standards in areas such as security, networking and protocol standards.

CSPs can help address risk management by offering more “thought leadership” in the form of educational materials that provide context for their approach to the standards and risk management issues that are the most important to their customers.

Figure 4: Some possible future standards

1. Federated security (e.g., identity) across clouds
2. Metadata and data exchanges among clouds
3. Standards for moving applications between cloud platforms
4. Standards for describing resource/performance capabilities and requirements
5. Standardized outputs for monitoring, auditing, billing, reports and notifications for cloud applications and services
6. Common representations (abstract, APIs, protocols) for interfacing cloud resources
7. Cloud-independent representation for policies and governance
8. Portable tools for developing, deploying and managing cloud applications and services
9. Orchestration and middleware tools for creating composite applications across clouds
10. Standards for machine-readable service level agreements (SLAs)

If all the cloud standards on this wish list were achieved, cloud users would fully realize the cloud’s potential for IT flexibility and scalability that enables business agility. They are unlikely to be realized quickly, however, given that the wish list would limit CSP differentiation. Source: Cloud Standards Overview, Object Management Group, July 2009, http://cloud-standards.org/wiki/index.php?title=Cloud_standards_overview


Drill-down discussion Government

The US federal government is the world’s largest IT buyer, spending more than $76 billion each year on more than 10,000 systems.1

Current situation

Governments around the world are actively pursuing cloud computing for their own use. Some pursue it for the same benefits being sought by private companies: lower cost, increased agility and reduced energy consumption. Some pursue it as a source of economic development, hoping to create leading cloud development and service centers within their borders. And many nations look to achieve both these ends.

At the same time, however, critical factors impede government pursuit of cloud computing. Governments have a high degree of concern about the security, privacy and data location issues that come with cloud computing. Governments are often decentralized, with IT usage and purchase authority distributed among dozens, hundreds or even thousands of agencies. Finally, governments are sometimes slower than the private sector in adapting to change — and change is rampant in cloud computing, because it is still rapidly evolving. These can be difficult challenges for CSPs wishing to do business with government agencies.

Government cloud initiatives

While there are many more government cloud computing initiatives than we can list, the following highlights demonstrate the intensity with which governments are embracing the cloud.

The US federal government is perhaps the most active. Aneesh Chopra, the US Chief Technology Officer, and Vivek Kundra, Chief Information Officer (CIO) of the US, are both frequent public speakers in support of cloud computing. “Over the past decade, the number of federal data centers has grown from 432 to more than 1,100. This growth in redundant infrastructure investments is costly, inefficient, unsustainable and has a significant impact on energy consumption,” Kundra said in an April 2010 speech to the Brookings Institution about the future of cloud computing.2 Among the US initiatives that aim to address those challenges through accelerated adoption of cloud services are:
• Apps.gov, an electronic SaaS “marketplace” for federal agencies provided by the GSA.
• The FedRAMP, which aims to “promote faster and cost-effective acquisition of cloud computing systems by using an ‘authorize once, use many’ approach to leveraging security authorizations.”3
• Standards-setting efforts by the NIST.
• Leading by example: the migration of multiple websites and IT infrastructures to public cloud environments, including Recovery.gov, which provides public access to information about the use of economic stimulus funds.
• Multiple cloud contracts awarded late in 2010 — with more believed to be on the way — including a GSA award to a team led by Unisys and Google and a Department of Agriculture award to Microsoft. Both deals include email and other collaboration applications.4,5

Questions to consider

Cloud government user
• What do I have to do, in my contracts and in my technical implementation, to avoid long-term vendor lock-in?

Cloud service provider
• Given the experience necessary to do business with government agencies, who can I partner with that can provide that experience and fit well with my organization?
• Does it make sense for my organization to contribute to the economic development of a region where we intend to do business?
• Will my staff withstand the scrutiny required for security clearances necessary to conduct government business with sensitive data?
• Can my infrastructure provide the transparency governments require for monitoring controls?
• Am I prepared to help governments develop the strategic business cases necessary to justify investments in the cloud?

“Heightened concern about security, privacy and jurisdictional authority will always be an issue for any government, whether the cloud service involved is provided via public or private infrastructure.”

Nick Son Advisory — Government and Public Sector


European Union in the cloud

The EU’s pursuit of cloud computing can be seen in the European Commission’s two main cloud computing recommendations from a January 2010 report: the first recommendation is to stimulate cloud research and development within member states; the second is for member states to work together with the European Commission to “set up the right regulatory framework to facilitate the uptake of cloud computing.”6 The UK government has gone further by defining and beginning to move its IT infrastructure into a “G-cloud,” or Government Cloud.7

China and Japan in the cloud

The Japanese government also is attempting to lead by example. Its Digital Japan Creation Project challenges the nation to take leadership roles in several technology areas, and identifies the “Kasumigaseki Cloud” as a project in which the government will “take the initiative.”8 The Kasumigaseki Cloud is intended to provide IT infrastructure to multiple Japanese ministries, and to provide e-government to the nation as well.

The Chinese government announced in October 2010 that five cities — Beijing, Shanghai, Shenzhen, Hangzhou and Wuxi — would host cloud computing innovation centers with the aim of developing them into leading centers of cloud technology.9,10

Security, privacy and compliance

Not surprisingly, the high-level obstacles to government adoption of cloud computing mirror those of any large organization. For example, one of the most critical issues is identifying sensitive data and safeguarding it better than non-sensitive data, which directly affects the choice of projects to pilot in the public cloud. Says US CIO Kundra: “There’s a huge difference between a government infrastructure in the cloud and putting a website like Recovery.gov, a consumer-facing site, in the cloud.”11 Werner Lippuner, Advisory — Government and Public Sector, agrees: “Around the world, governments eager to engage with cloud services are beginning with low-risk, consumer-facing services. Thus, they are gaining experience for future deployments with more sensitive and nuanced requirements.”

“Adaptation to regulatory requirements is difficult everywhere. In Europe, each nation implements EU regulations independently. Across the US, each state and the counties in them have their own nuances to their privacy requirements.”

Werner Lippuner Advisory — Government and Public Sector

“Cloud computing systems don’t ever have a status quo; they are constantly evolving. The challenge for governments is to define regulations that are truly reflective of this cloud characteristic.”

Dhavan Mehta Advisory — Government and Public Sector


Other governments make similar distinctions in their cloud plans. However, that does not prevent military and intelligence branches from exploring cloud initiatives. For example, the US Central Intelligence Agency has stated its enthusiastic support for cloud computing — although it intends to use its own private cloud.12 “Each government agency will need to develop safeguards that are appropriate to its own individual mission,” notes Dhavan Mehta, Advisory — Government and Public Sector. However, Dhavan points out that the success of cloud-based services is as inevitable in government as it is in the private sector — and for similar reasons. Agencies are attracted to the pay-as-you-use versus install-and-own business model to manage costs, to enable flexible and fast response to ever-changing technology and to redirect resources to focus on delivering value.

Governments are particularly concerned with the privacy of their citizens, which leads to strict regulations with regard to personally identifiable data as well as data location. Many of the government plans cited above include expectations that cloud vendors will enable them to know precisely where their data is stored, something they acknowledge is not always the case at present despite regulatory requirements. Of course, compliance with each government’s regulations is a requisite for doing business with them.

Are global regulatory agreements possible?

Yet some believe that governments should work together toward more universal agreement on such regulations in order to ease cloud adoption and accelerate their own access to cloud computing benefits. The Brookings Institution recently found that, in order to achieve the full potential of cloud computing, “countries need to harmonize their laws on cloud computing to avoid a ‘Tower of Babel’ and reduce current inconsistencies in regard to privacy, data storage, security processes and personnel training.”13

“If governments were to adopt cloud computing in a complete and holistic sense, the benefits have the potential to be greater than for any other type of organization,” says Nick Son, Advisory — Government and Public Sector.

Ernst & Young observations

Interoperability standards to enable vendor switching appear to be an even higher priority for government than it is for private companies, which can decide to allow themselves to be locked in if they see appropriate value.

Given budget constraints facing most governments, having the flexibility of a pay-as-you-go spending model, and the flexibility to expand and contract services quickly, makes good “mission sense.”


Drill-down discussion Accounting

Worldwide revenue from public IT cloud services exceeded $16 billion in 2009 and is forecast to reach $55.5 billion in 2014.1

Current situation

Surging use of cloud computing has led to an increased awareness of the many practical complexities inherent in accounting for cloud services transactions. Part of the attraction of cloud services is their turnkey and multifaceted nature, potentially offering cloud users a fast and easy way to integrate applications, platforms and infrastructure. Additionally, CSPs’ service offerings enable businesses to subscribe to a wide variety of application-related services that are developed specifically for, and delivered over, the internet on an as-needed basis, many times with little or no implementation services required and without the need to install and manage third-party software in-house. However, this very service delivery model often creates accounting challenges for CSPs, particularly around revenue recognition and the treatment of certain costs.

Understanding the guidance

Revenue recognition

“Much of the available revenue recognition guidance predates the rise of cloud computing and was conceived with product companies in mind more than service companies,” notes Alex Bender, Technology Industry — Assurance. Applying this guidance can be complicated, especially when there are multiple elements included in the cloud service arrangement.

Generally, little specific guidance exists on the accounting treatment of service arrangements. As a result, the general revenue recognition criteria in Accounting Standards Codification (ASC) Topic 605-25 and Staff Accounting Bulletin No. 104 (SAB 104), and the multiple-element guidance in ASC 605-25, should be applied by companies when accounting for service transactions not expressly addressed by other authoritative literature. Under these rules, revenue for service transactions should not be recognized before a contract exists, services are provided (delivery occurs), amounts to be received as compensation for the services performed can be objectively determined (fees are fixed or determinable), and the fees are collectible or realizable.


While the revenue recognition for stand-alone cloud services arrangements may generally be straightforward, complexities arise when multiple elements are bundled. This is often the case for CSPs’ arrangements, which may include the cloud services, hardware or some other product or service (including professional services) that was bargained for as part of the arrangement. In order to assess the appropriate revenue recognition for a cloud services arrangement, the CSP must first identify all of the deliverables within the arrangement. Once the deliverables have been identified, the CSP must determine which deliverables may be treated as separate units of accounting and allocate the transaction consideration to those units of accounting. Given that most cloud revenue arrangements are recognized ratably over the service period, cloud vendors can get lulled by the idea that revenue recognition is simple; however, evaluating the nature of the contracts can be quite complex, as seen by recent restatements by cloud vendors due to incorrectly considering all the terms of the arrangements.

Determining whether elements within a cloud services arrangement may be accounted for as separate units of accounting is a matter of professional judgment, and the facts and circumstances of each arrangement should be considered. ASC 605-25 provides specific criteria that must be considered in making this judgment.

If multiple deliverables included in an arrangement are separable into different units of accounting, the multiple-element arrangements guidance in ASC 605-25 addresses how to allocate the arrangement consideration to those units of accounting. ASC 605-25 requires the arrangement consideration to be allocated at the inception of the arrangement to the identified separate units of accounting based on their relative selling price (relative-selling-price method).

Questions to consider

Cloud business user
• How do I treat costs incurred to implement the cloud services (capitalize or expense)?
• How will my decision to migrate to the cloud impact key financial metrics (e.g., EBITDA, my loan covenants, analyst communications)?

Cloud service provider
• How can I identify, value and recognize each component of my bundled offerings?
• How should I treat direct and incremental costs?
• How will I monitor changing guidance?
• What are the accounting impacts of my SLAs?
• Given potential accounting complexity, are my financial results sufficiently comprehensible and transparent to investors and analysts?


“While identifying and valuing the different revenue elements may be complicated, timing of recognition may be more straightforward,” says Andrew Cotton, Technology Industry — Assurance. In most cases, existing guidance will lead to recognition on a pro rata or straight-line basis over the term of the agreement, although there may be cases where the specific agreement indicates a different pattern.

International guidance

For companies that report based on the International Financial Reporting Standards (IFRS), the key pieces of guidance are similar in concept to US GAAP, but do not have specific implementation rules. As a result, non-US companies are encouraged to consider this guidance, because it is consistent with the IFRS principles involved and provides prescriptive guidance in areas where IFRS is silent.2

Direct costs

To defer or not to defer is often the question for CSPs when dealing with direct costs. Because most CSPs recognize revenue over the duration of the service period, they typically incur direct costs before revenue is recognized. For example, sales commissions are generally paid to the salesperson up front based upon the total value of the cloud service arrangements; however, the revenue from that arrangement is recognized over the underlying service period. As a result, CSPs that expense these costs as incurred, while recognizing revenue over a period of time, are likely to report uneven profit margins over the cloud service term. Accordingly, CSPs often consider whether it is more appropriate to defer these costs and recognize them at the time the associated revenue is recognized.

Based on this guidance, we believe that although costs associated with a delivered item may almost always be expensed as incurred, these costs may be capitalized if 1) they create an asset or add to the value of an existing asset; 2) accounting for these costs is not specifically addressed by other authoritative literature, and the vendor has adopted and consistently applies a policy of deferring such costs in a transaction that results in the deferral of revenue; 3) the vendor has an enforceable contract for the remaining deliverables; and 4) delivery of the remaining items included in the arrangement is expected to generate positive margins, allowing realization of the capitalized costs. It is important for CSPs to carefully evaluate this guidance when considering the accounting for direct costs, as the types of costs eligible for deferral are different under both models. CSPs should also closely monitor the evolving accounting guidance in this area.

Costs incurred to develop internal-use software

Given the nature of the CSP’s service delivery model, the underlying technology developed by the CSP will be used internally to deliver the service to its customers. Therefore, the associated cost to develop the software is generally accounted for pursuant to ASC 350-40, Internal Use Software. Under this guidance, costs incurred during the preliminary planning and the post-implementation/operation stages are expensed as incurred. However, certain internal and external costs incurred during the application development stage may be capitalized provided certain criteria have been met. These capitalized costs would then be amortized over the estimated useful life of the technology and periodically evaluated for impairment.

Looking ahead

As cloud computing vendors are evaluating the effects of current US GAAP, they should be aware that additional changes to the revenue recognition guidance may be coming. The FASB and IASB continue to develop their joint project for a single revenue recognition model that would apply to contracts with customers. The Boards issued an exposure draft of a converged revenue recognition standard on 24 June 2010 and are anticipating the release of a final converged revenue recognition standard in 2011, with an effective date of 2014 or 2015 likely. Furthermore, the exposure draft may change how companies account for deferred costs.

“The primary accounting issues that CSPs deal with are revenue recognition and the treatment of related costs.”

Alex Bender Technology Industry — Assurance

Ernst & Young observations

Revenue recognition requires careful contemplation in light of a CSP’s commercial offerings. There is no “one size fits all” approach.

Longer service contracts make revenue recognition for CSPs (in many cases) more predictable, which makes forecasting and revenue expectations easier. However, depending on the treatment of direct costs, CSPs may see revenue recognized much later than when direct costs are incurred and expensed.

Determining how to reflect direct expenses is best done conservatively and consistently on a case-by-case basis.

Drill-down discussion Cross-border taxation of CSP arrangements

Current state

Cloud computing is often borderless, but tax regulations and tax compliance requirements are not. That simple-sounding conflict can give rise to complex and potentially material or significant tax issues, mainly for CSPs. To date, at least, in the evolution of cloud computing, most jurisdictions view CSPs as the responsible party for tax purposes regardless of any arrangements struck between CSPs and their users.

Sometimes CSPs are truly global “clouds,” providing limited or no transparency about where data is being processed and stored. More often, however, cloud service is provided by a group of interrelated but distinguishable data centers in different locations. It is important to understand this underlying point, because especially in the latter case, it means that both the CSP and the cloud user may be subject to all or some tax regulations in all of the jurisdictions through which the cloud network passes the user’s information.

“In general, under current rules the critical taxation issues in cloud computing are determining the character of CSP revenue and whether the CSP has a taxable presence (known as “nexus” in the tax world) in each of the jurisdictions in which the CSP does business,” explains Jeff Levenstam, International Tax. Both issues need to be separately sorted for income tax and indirect tax (sales, use, or value-added taxes) purposes, as different rules may apply. For tax compliance, the key issues are determining which regulations apply as a result of where a CSP’s data centers are located, as well as the level of support the CSP provides in meeting those compliance requirements. Other critical issues, such as transfer pricing, i.e., making decisions about the attribution of value or risk in a CSP model, and recent rules governing the disclosure of tax uncertainties, create even more ambiguity for taxpayers and the need for careful evaluation.

“Cloud computing is borderless by its very nature. One thing is certain, however — the world’s taxing authorities have not issued definitive guidance for its taxation; moreover, the business nature of the overall offering is also evolving, which creates further technical uncertainty as well as timing uncertainty as to when taxpayers can expect actual guidance. Companies are forced to make decisions based on current rules and interpretations across all relevant jurisdictions, but will likely nonetheless encounter tax surprises.”

Channing Flynn Global Technology Industry Tax Services Leader

Cloud computing — general tax considerations

“One challenge in dealing with cloud computing taxation issues is that CSP business models are developing much more rapidly than the global taxing jurisdictions can respond with guidance,” explains Drew Alltizer, Tax. For example, the CSP must determine whether its revenue is characterized as revenue from a service or as revenue from a software sale or lease or perhaps a bundled package. The characterization can have a significant impact on whether sales or withholding taxes might apply, as well as determining the source from which revenue is earned (e.g., whether from foreign or domestic sources, which is relevant for determining home country taxation).

Currently, CSP revenue characterization is regulated inconsistently around the globe, and even state-by-state within the US. The Organisation for Economic Co-operation and Development (OECD), a peer group of 34 countries that provides a forum for governments to seek solutions to common issues, has issued a general statement that CSP revenue is more akin to revenue from a service. However, the OECD’s guidance is non-binding; each country adopts its own laws and regulations, and the reality is that some characterize CSP revenue as a service where others treat it as a software sale or lease. “Making the distinction has significant and complex ramifications for all CSPs in terms of an overall tax mitigation strategy — especially US multinationals operating abroad or other multinationals operating in jurisdictions with similar worldwide taxing systems,” says Jeff.

From a US multinational’s perspective, the revenue characterization question impacts whether the income of the foreign subsidiaries is eligible for deferral from current taxation in the US, as different rules (including different exceptions) apply to services income versus licensing or leasing income. The revenue characterization is also extremely important for US state and local tax purposes, since services are generally not subject to sales tax, although various US states are starting to identify exceptions. Currently, 12 US states impose a sales tax on digital goods, and another 17 states were considering legislation during 2010 to impose a sales tax on digital transactions.1

Questions to consider

Cloud business user
• Have I adequately considered tax nexus and the related compliance issues in the selection of my CSP, and are they clearly documented in our agreement? Are the filing and tax responsibilities clearly identified among the parties?
• How will I monitor CSP adherence to agreed-upon compliance duties?
• How will the relationship with my CSP adapt to changing tax statutory and regulatory requirements?

Cloud service provider
• Is my tax strategy aligned with my business model and flexible enough to change as required?
• Where do I have tax nexus?
• What are the revenue characterization and sourcing rules for each jurisdiction in which I operate? Do I have tax risk with respect to these issues?
• Am I aware of all potential domestic and global incentives to supplement cloud service provider expansion plans?
• What level of independent assurance am I willing to offer my customers?

“In most jurisdictions, the CSP itself is likely ultimately responsible for reporting and remitting indirect taxes such as sales and use taxes, even if an agreement states that it is the responsibility of the cloud user. Taxpayers are advised to carefully understand the rules and requirements and to ensure the appropriate processes are in place at the outset.”

Drew Alltizer Tax

Similarly, outside the US, certain nations subject services to value-added tax (VAT), goods and services tax (GST) — or other forms of indirect taxation.

Once a CSP has determined revenue characterization, the CSP must determine where it has a taxable presence or nexus for both income and sales or use taxes so as to properly comply with regulations in the appropriate jurisdictions. Nexus determination not only governs taxation and the amount thereof, but can also determine whether filings are required (irrespective of whether any tax is due). In the current environment, CSP multinationals are often surprised by the potential nexus questions and answers that arise in establishing current business models. This is especially true with respect to non-US multinationals operating virtually in the US as well as US multinationals operating in large organized economic communities such as the EU.

There is, however, one positive element for CSPs in today’s environment: since cloud services are often provided via a network of local data centers, and many localities offer constantly changing special tax and other cash incentives, careful planning can create competitive advantage for CSPs as they seek to build out data centers in the US and abroad. “Many different jurisdictions are eager for economic development, so they will offer abatements or holidays for sales tax or VAT or even reduced rates of overall income taxation based on profits derived from activities based in their jurisdictions,” explains Drew. Current technology requires that CSPs rely on physical substance somewhere, so consideration of the jurisdiction(s) in which to locate this activity is paramount, including whether tax incentives may factor into the overall business decision as to where to locate the data centers.

Transfer pricing (generally defined as the intra-company allocation among various jurisdictions/entities of the overall profit elements within related-party transactions) is another key issue to consider in designing or subscribing to a CSP arrangement. Taxpayers are advised to consider and clearly identify where the risk and value functions exist in CSP arrangements to ensure that each jurisdiction’s profits are determined and reported on an arm’s-length basis (determined as if the intra-company entities were unrelated).

“Many cloud computing service arrangements are technological evolutions of existing online/internet service and software delivery models. Accessing the insight of an experienced advisor in this area is helpful to understand the complex rules and the issues involved, as well as the uncertainties and overall tax planning opportunities.”

Channing Flynn Global Technology Industry Tax Services Leader

Ernst & Young observations

Analyzing the underlying substance of the CSP’s product offerings and customer contracts will assist appropriate revenue characterization.

Determining where and whether a CSP has a taxable presence is a necessary step in designing new business models or subscribing to a CSP offering.

CSPs should approach CSP design and tax compliance as a potential competitive advantage. One way to achieve this is through assurances on design models that help cloud users maintain compliance with all tax regulations in the jurisdiction in which they operate.

CSPs and overall service company arrangements

Many of the world’s countries have entered into income tax or other related tax treaties that may govern certain elements of the tax profile for CSPs operating in cross-border arrangements including withholding tax or nexus determinations. Tax treaties are generally designed to offer tax savings or more relaxed rules for the signing parties; CSP multinationals should ensure that they understand the tax treaty implications of their contemplated arrangements and comply with requisite compliance elements for obtaining benefits of various tax treaties.

The full range of tax implications for CSPs will continue to evolve. Such issues will become an increasing concern for global multinational companies in all industries. As multinationals respond to their customers’ requests for global service delivery, cloud computing models will play a critical role in how these companies build their service delivery models. Amy Ritchie, International Tax and Americas Tax Technology Leader says, “As multinational companies design service level models and consider how to move people and data to provide 24/7 service delivery in all time zones, consideration of cloud models is key. There is significant need among US multinationals to understand the complexities and opportunities inherent within global service delivery models, including how cloud arrangements are integrated within them.”

Drill-down discussion Regulatory compliance

Current situation

Over the course of history, nations have evolved complex regulatory frameworks emerging out of their own distinct circumstances and cultures, and organizations that operate globally work to comply with all of them. Cloud computing services, meanwhile, often strive to be borderless in order to optimize the productivity of their infrastructures. When global organizations deploy cloud services, potentially material compliance issues arise for users of cloud services — and potential opportunities for CSPs.

More than half (52%) of North American and European business IT decision-makers said they were concerned or very concerned about regulatory compliance.1

With regard to compliance issues, some CSPs provide limited or no transparency about where data is being processed and stored within their network (the “global cloud” approach). More often, however, cloud service is provided by a group of interrelated but distinguishable data centers in different locations (the “network” approach). Cloud users may be subject to all or some of the compliance regulations in all the jurisdictions through which the cloud network passes. The key issues for cloud users are determining which compliance regulations need to be addressed as a result of where a CSP’s data centers are located, and the level of support their CSP provides in meeting those compliance requirements.

Cloud compliance considerations

Using a CSP means inviting another party to all of your business’ regulatory compliance activities, ranging from tax requirements to internal controls policies to privacy statutes, industry-specific requirements and other legal considerations. This can complicate compliance activities or, if a CSP is strategic, enhance them. Cloud users have ultimate compliance responsibility — they are the ones who must determine how to capitalize on the benefits of cloud computing, while adhering to compliance requirements. In a recent study of North American and European enterprise and small to medium business (SMB) IT decision-makers, more than half are very concerned with the monitoring and auditing, regulatory compliance, overall internal controls and data protection capabilities of CSPs.2

The nature of the cloud complicates compliance issues

IaaS and PaaS vendors typically use a network approach, which potentially opens their users up to compliance regulations in each of the jurisdictions in which the CSP operates. While this expansion of compliance could be a bit overwhelming, the alternative of a true global cloud means that you likely have that same expansion, but the nature of the cloud precludes you from knowing exactly where the issues exist.

For example, a cloud user may be subject to privacy laws, like the USA Patriot Act and EU Data Privacy Initiative based on the locations of its CSP’s data centers. These and other privacy regulations limit what can and cannot be done with information, especially as it relates to moving across borders. “It is often unclear to the user where the information will be and where will it travel and therefore how they need to address regulatory requirements,” explains Sagi Leizerov, Advisory — IT.

As a result of these considerations, compliance issues are likely to influence the types of applications and business processes that are candidates for cloud deployment, as opposed to traditional outsourcing. As compliance issues are addressed or resolved, strategic sourcing opportunities determined to be unfeasible today may become feasible tomorrow, depending on how the market evolves.

Questions to consider

Cloud business user
• Have I adequately considered compliance issues in the selection of my CSP, and are they clearly documented in our agreement?
• How will I monitor CSP adherence to agreed-upon compliance duties?
• How will the relationship with my CSP adapt to changing regulatory requirements?
• Should I consider moving to a community cloud, where all tenants share common compliance goals, instead of a fully public cloud?
• Have I considered working with a cloud broker?

Cloud service provider
• What level of independent assurance of compliance with local and regional jurisdictions’ regulations am I willing to offer my customers?
• Is there an opportunity for competitive advantage by offering guaranteed compliance with specific government or industry regulations?

Industry-specific compliance issues

Other key compliance regulations that may require special arrangements between cloud users and their CSPs are the Payment Card Industry Data Security Standards (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA) in the US, and the Data Privacy Directives in the EU. Unfortunately, CSPs generally avoid customization because it isn’t economically feasible. However, some predict the creation of specialized “compliant clouds” that will offer certified compliance with specific regulations for different industries, including a guarantee to store and manage data within the borders of a given nation, as appropriate.3

Importantly, such specialization is likely to come with a price. Compliance requirements imposed by governments or industries that restrict where data and processing can physically occur tend to complicate all cloud business models by creating obstacles to optimal infrastructure utilization. To accommodate these challenges, CSPs are likely to develop pricing models with multiple tiers for different service levels that relate to customers’ compliance requirements. For example, factoring strict compliance with the laws of multiple national jurisdictions into a service would cause that service to be priced higher than the same service without any compliance strictures.

E-discovery is another important area of compliance. “When data is spread in multiple locations at a CSP and a cloud user is served with a court order to produce data within a certain time period, how do they access it? Is it potentially comingled with other tenants’ data?” asks Jose Granado, Advisory — IT.

Cloud computing is often borderless, but regulatory compliance is not

“What are the assurances that you’re getting from the vendor that it has the proper controls in place, whether security and privacy controls, or controls that may be necessary to comply with all the regulatory issues?”

Alex Bender Technology Industry — Assurance

Co-managing controls

In terms of controls, cloud users sometimes find controls that were previously managed internally are now being managed entirely by the CSP or are co-managed. Evaluating how the CSP manages controls becomes critically important for compliance with various regulations, such as the Sarbanes-Oxley Act in the US. Such evaluations are challenging enough in private cloud scenarios and far more so when public cloud services are used.

Intermediaries may provide compliance solutions

The rise of cloud brokers as intermediaries between service providers and business users may assist cloud users with compliance issues. Cloud brokers generally assist businesses with CSP selection, intermediation (such as building additional security or management layers) and aggregation when deploying customer services over multiple clouds. Cloud brokers also can provide a central point of governance and compliance expertise.4 Use of a community cloud — a cloud service shared by organizations with similar compliance or other concerns — is another way to mitigate compliance issues.

Ernst & Young observations

CSPs should approach compliance as a potential competitive advantage. One way to achieve this is through assurances that help cloud users maintain compliance with all regulations appropriate to the market in which the CSP wishes to create advantage.

Cloud users should do their due diligence, especially if they deal with regulated data, to determine what contractual commitments and what technical capabilities, processes and procedural support a CSP offers — and how they can be monitored.

Outlook

As the vision of IT delivered with the same reliability, flexibility and scalability as a public utility service takes hold, the implications are enormous for businesses and consumers worldwide. Despite lingering concerns about security, privacy and regulatory, legal and compliance issues, as well as the fundamental need to transform existing corporate and IT cultures, we believe the success of cloud computing is inevitable, because companies will be attracted to its flexible, pay-as-you-use business model. That model allows companies to manage their technology costs more efficiently, enables deployment of new technology faster and easier than other models, and allows management to focus on delivering business value.

As the cloud computing model becomes mainstream, higher-level services, which we call business process as a service, will evolve. Today, CSPs create efficiency through scale and expertise, solving IT challenges once and selling the solution to multiple buyers. That, in turn, is enabling another business model to emerge as business service providers begin to create value similarly. They will be solving business process challenges once and selling their solutions to multiple buyers — and those solutions will be built atop a pyramid of multiple cloud-based IT services. Such services will become increasingly specialized to maintain competitive advantage and profitability. Service buyers will have to look beyond just the first tier of CSPs they interact with to get visibility into risks and the assurance that these risks are being well-managed.

The current shift to cloud computing will enable organizations to finally achieve real business agility with regard to IT, enabling far more nimble responses to rapid market changes than are possible based on in-house IT. A future shift to cloud business processes would enhance that agility further, leading to far more remarkable potential to transform enterprises.

This vision has been discussed for a decade or more. At the 2001 World Economic Forum in Davos, similar thinking was envisioned as causing a transformation profound enough to be referred to as the death of the modern corporation.1 That Davos meeting, however, took place a month before the dot-com crash that began in March 2001, which dashed such lofty rhetoric — for a time. Today, the advent of cloud computing has provided clarity about how such transformations might happen and the business models that might enable them.

For one thing, talk of corporations “dying” seems melodramatic today. Instead, corporations are likely to be transformed over time into a “conductor” of business — orchestrating the functions of a loose federation of service providers (which of course are themselves corporations) that come together in the cloud to deliver holistic, one-stop-shop solutions. In the coming years, the corporation will undergo dramatic changes to accommodate the future — changes to infrastructure, processes and talent as it shifts to a focus on identifying and investing in opportunities and managing complex supply chains and other outsourced providers in the cloud.

“As the cloud gains traction in the marketplace, its potential to transform the business enterprise will become truly remarkable. The corporation will undergo dramatic changes to infrastructure, processes and talent as it shifts to identifying and investing in opportunities and managing complex supply chains in the clouds.”

Paul van Kessel Advisory — IT

As businesses gain agility through cloud computing and business process as a service, consumers will gain unprecedented access to information. Both come about through the innovative “mashing up” of multiple services — i.e., combining existing services in new and innovative ways to create new business value, whether through open application programming interfaces or via private service contracts. In an April 2010 speech at the Brookings Institution, US CIO Vivek Kundra offered a compelling description of the business side of this vision:

“Cloud computing will give rise to virtual organizations. Unencumbered by the physical constraints of data centers, hosting providers and hardware platforms, these virtual organizations can focus solely on customer needs, tapping into the near limitless array of options the cloud will provide. In the same way we now create mash-ups to combine and analyze data from disparate websites, new companies will emerge that tie together services from vast networks of suppliers and customers to create a range of new and more agile products and solutions.”2

As this shift happens, organizations will need to develop new competencies to remain competitive. For example, they may need the ability to quickly establish and dissolve agreements and partnerships, suggesting legal and operations teams that can draw up contracts quickly that are favorable to all partners in a chain. And they may need improved ability to manage partner relationships involving cross-company business processes, to take advantage of the dynamic provider marketplace that is envisioned.

We see this vision as a large opportunity for companies to create value by bringing together multiple pieces, leading to a dramatic change in the way businesses and consumers access information and, therefore, in the way we see the world around us. “For example, companies will be able to combine location data, map data, social networking data and business information, and serve them all up in a contextually relevant way,” says Paul Chabot, Global Technology Industry, Advisory — PI.

“Through a mobile device like my phone, cloud applications can know where I am as I’m walking down the street,” says Paul. “With augmented reality applications, I could scan the horizon through my mobile phone’s camera and see information overlaid on the image of my surroundings. What businesses are located in the building I’m walking past? Is a store having a sale on my favorite designer? Is one of my friends there? Or, I can point my phone at someone passing by. The cloud does the image recognition and pulls all the information from their Facebook profile and shares with me who that person is. We’re getting to the point where that’s possible.”

Companies that are able to leverage cloud computing and business process as a service to pull together such mash-ups have the potential to unlock significant value in the not-too-distant future.

“Given the government’s ‘Kasumigaseki Cloud’ initiative, cloud computing is likely to stimulate new growth throughout the Japanese economy. Beyond the benefits of flexibility and scalability, it is viewed as a viable means to reduce energy consumption through efficient information management.”

Yuichiro Munakata Japan Technology Industry Leader

Glossary of terms

Application service provider (ASP) is A: Essential cloud computing characteristics a term used to describe computer-based services delivered over the internet in 1. On-demand self-service. A consumer the late 1990s. The term has since been can unilaterally provision computing replaced by “on-demand software” and capabilities, such as server time and “software as a service.” network storage, as needed automatically without requiring human interaction with Cloud computing1 is a model for enabling each service’s provider. convenient, on-demand network access to a shared pool of configurable computing 2. Broad network access. Capabilities are resources (e.g., networks, servers, storage, available over the network and accessed applications, services) that can be rapidly through standard mechanisms that provisioned and released with minimal promote use by heterogeneous thin or management effort or service provider thick client platforms (e.g., mobile interaction. This cloud model promotes phones, laptops, PDAs). availability and is composed of (A) five essential cloud characteristics, (B) three 3. Resource pooling. The provider’s service models and (C) four deployment computing resources are pooled to models. serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to consumer demand. There is a sense of location independence in that the customer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, data center). Examples of resources include storage, processing, memory, network bandwidth and virtual machines.

4. Rapid elasticity. Capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.

5. Measured service. Cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, active user accounts). Resource usage can be monitored, controlled and reported, providing transparency for both the provider and consumer of the utilized service.


B: Cloud computing service models

1. Cloud software as a service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

2. Cloud platform as a service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage, but has control over the deployed applications and possibly application hosting environment configurations.

3. Cloud infrastructure as a service (IaaS). The capability provided to the consumer is to provision processing, storage, networks and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

C: Cloud computing deployment models

1. Private cloud. The cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on premise or off premise.

2. Community cloud. The cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, compliance considerations). It may be managed by the organizations or a third party and may exist on premise or off premise.

3. Public cloud. The cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.

4. Hybrid cloud. The cloud infrastructure is a composition of two or more clouds (private, community or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load-balancing between clouds).

Grid computing is a form of distributed computing in which a large set of geographically remote computers work together to perform a single task. Although it started out as a more general term, today it applies primarily to supercomputer-level tasks and is used mostly in the scientific community.

Mash-ups are new, innovative combinations of existing services, usually on the internet, that create new business value, whether through open public means or via service agreements.

Time-sharing is the process in which multiple users share the processor time of a mainframe computer system. It faded out of use beginning in the 1980s after the PC emerged.

Utility computing is the provision of computing resources as a metered service, similar to a public utility. The term is an ancestor of cloud computing; it was most popular in the 1980s and early 1990s.

Service level agreements (SLAs) are written contracts between IT service providers and their customers that stipulate details such as system availability and customer service response time, as well as penalties for failure to meet the agreed-upon service levels.


Source notes

Opening statement

1. “Enterprise cloud-based services market to treble by 2015,” Telecompaper World, 23 July 2010, via Dow Jones Factiva, © 2010 Telecompaper.
2. “Cloud Services To Top $68 Billion In 2010,” CMP TechWeb, 22 June 2010, via Dow Jones Factiva, © 2010 United Business Media LLC.
3. IDC Predictions 2011: Welcome to the New Mainstream, International Data Corporation, December 2010.
4. Ibid.

Overview

1. IDC Predictions 2011: Welcome to the New Mainstream, International Data Corporation, December 2010.
2. “Indie App Stores Struggle,” The Wall Street Journal, 24 November 2010, via Dow Jones Factiva, © 2010 Dow Jones & Company, Inc.
3. “Cloud Security To Reap $1.5 Billion By 2015,” InformationWeek.com, 22 October 2010, via Dow Jones Factiva, © 2010 United Business Media LLC.
4. IDC Predictions 2011: Welcome to the New Mainstream, International Data Corporation, December 2010.
5. Borderless Security: Ernst & Young’s 2010 Global Information Security Survey, Ernst & Young, 2010.
6. “The future for IT looks cloudy, with silver linings,” The Age, 17 November 2010, via Dow Jones Factiva, © 2010 John Fairfax Holdings Limited.
7. “Information Age: Egypt’s Revolution by Social Media,” The Wall Street Journal, 14 February 2011, © 2011 Dow Jones & Company, Inc.
8. “Cloud Computing Gains Momentum but Security and Privacy Issues Persist,” DigitalCommunities.com, 25 September 2009.

Pricing and business models

1. “Evolution of the Cloud, Part 1 SAAS,” PluGGd in (India), 6 January 2011, via Dow Jones Factiva, © 2011 HT Media Limited; “Amazon Web Services slashes support pricing,” VNUNet United Kingdom, 7 January 2011, via Dow Jones Factiva, © 2011 VNU Business Publications.

Vendor management and strategic sourcing

1. David Mitchell Smith, “Hype Cycle for Cloud Computing, 2010,” Gartner, Inc., 27 July 2010.
2. “Cloud Engineering: The CIO’s Dilemma,” CIO Insight, 20 July 2010, via Dow Jones Factiva, © 2010 Ziff Davis Enterprise Holdings Inc.

Availability and interoperability

1. “Compliance With Clouds: Caveat Emptor,” Forrester Research Inc., August 26, 2010.
2. “The Future of Cloud Computing: Opportunities For European Cloud Computing Beyond 2010,” European Commission, 27 January 2010.
3. “Symbian Pledges Support for the Open Cloud Manifesto,” eWeek, 2 July 2010, via Dow Jones Factiva, © 2010 Ziff Davis Enterprise Holdings Inc.
4. “IT user super group forces vendors to take notice; Open Data Center Alliance focuses on interoperability,” Network World Fusion, 23 November 2010, via Dow Jones Factiva, © Network World, Inc.

Security and privacy

1. “Cloud Security to reap $1.5 Billion by 2015,” CMP TechWeb, 22 October 2010, via Dow Jones Factiva, © 2010 United Business Media LLC.
2. “IBM Introduces Security Services to Protect Cloud Environments,” eWeek, 22 October 2010, via Dow Jones Factiva, © 2010 Ziff Davis Enterprise Holdings Inc.
3. “The Future of Cloud Computing: Opportunities For European Cloud Computing Beyond 2010,” European Commission, 27 January 2010.
4. “Cloud Security to reap $1.5 Billion by 2015,” CMP TechWeb, 22 October 2010, via Dow Jones Factiva, © 2010 United Business Media LLC.
5. “Cloud Computing: 5 Things No One Will Tell You,” Biz-Tech 3.0, 19 October 2010.
6. Cloud Security Alliance Official website, http://www.cloudsecurityalliance.org, accessed 8 October 2010.
7. Proposed Security Assessment and Authorization for U.S. Government Cloud Computing, Draft Version 0.96, 2 November 2010, accessed from cio.gov on 10 November 2010, http://www.cio.gov/pages.cfm/page/Federal-Risk-and-Authorization-Management-Program-edRAMP.
8. “Microsoft Wins U.S. Agency Deal,” The Wall Street Journal, 9 December 2010, via Dow Jones Factiva, © 2010 Dow Jones & Company, Inc.
9. “GSA Picks Google Email,” The Wall Street Journal, 2 December 2010, via Dow Jones Factiva, © 2010 Dow Jones & Company, Inc.
10. Borderless Security: Ernst & Young’s 2010 Global Information Security Survey, Ernst & Young, 2010.
11. “Federal Agencies Could Save Billions by Switching to the Cloud; RightNow ‘Safe Switch’ Helps Federal Government Meet Stringent Certification and Accreditation to Move into RightNow’s Secure Cloud Today,” Business Wire, 13 April 2010, via Dow Jones Factiva, © 2010 Business Wire.
12. “The legal considerations of cloud computing,” Computer Weekly, 14 December 2010, via Dow Jones Factiva, © 2010 Reed Business Information Limited.

Standards and risk management

1. “ERM & Internal Controls: Study Finds Gap in Privacy Expectations, Delivery,” Compliance Week, 31 July 2010, via Dow Jones Factiva, © 2010 Haymarket Media.
2. “Council Resolution of 18 December 2009 on a collaborative European approach to Network and Information Security OJ C 321, 29.12.2009, p. 1–4,” EUR-Lex, 7 January 2010, via Dow Jones Factiva, © 2010 European Communities.
3. “Feds Advance Cloud Adoption Plans,” CMP TechWeb, 21 May 2010, via Dow Jones Factiva, © 2010 United Business Media LLC.
4. Overview: NIST Cloud Computing Efforts, Proceedings of the NIST Cloud Computing Forum & Workshop, 20 May 2010.
5. “House Oversight and Government Reform Subcommittee on Government Management, Organization, and Procurement Hearing — ‘Cloud Computing: Benefits and Risks of Moving Federal IT into the Cloud,’” Congressional Documents and Publications, 1 July 2010, via Dow Jones Factiva, © 2010 Federal Information & News Dispatch, Inc.
6. Distributed Management Task Force website, http://www.dmtf.org/about, accessed 10 November 2010.
7. “Cloud, smart computing to drive tech sector growth,” Forrester, 16 December 2010, Business Line (The Hindu), via Dow Jones Factiva, © 2010 The Hindu Business Line.
8. “Groups Seek Cloud Computing Standards,” CMP TechWeb, 15 July 2009, via Dow Jones Factiva, © 2009 United Business Media LLC.
9. Open Cloud Consortium website, http://opencloudconsortium.org, accessed 10 November 2010.
10. “SAS 70 is the measure of cloud security,” Network World Fusion, 23 June 2009, via Dow Jones Factiva, © 2009 Network World, Inc.
11. “Cloud, smart computing to drive tech sector growth,” Forrester, 16 December 2010, Business Line (The Hindu), via Dow Jones Factiva, © 2010 The Hindu Business Line.

Government

1. “Federal CIO Views Cloud Computing As Safe, Economical, And Efficient,” IP Network Policy Report, 12 April 2010, via Dow Jones Factiva, © 2010 Aspen Publishers.
2. Ibid.
3. “Government Closer to Universal Cloud-Computing Security Assessment and Authorization Program,” Targeted News Service, 2 November 2010, © 2010 Targeted News Service.
4. “Microsoft Wins U.S. Agency Deal,” The Wall Street Journal, 9 December 2010, via Dow Jones Factiva, © 2010 Dow Jones & Company, Inc.
5. “GSA Picks Google Email,” The Wall Street Journal, 2 December 2010, via Dow Jones Factiva, © 2010 Dow Jones & Company, Inc.
6. “The Future of Cloud Computing: Opportunities For European Cloud Computing Beyond 2010,” European Commission, 27 January 2010.
7. “Building Britain’s Digital Future; Government Unveils Action Plan for the Digital Economy; Digital Economy central to industrial strength and competitiveness; Communications Infrastructure critical for future economic growth,” M2 Presswire, 16 June 2009, via Dow Jones Factiva, © 2009 M2 Communications, Ltd.
8. “Japan Hopes IT Investment, Private Cloud Will Spur Economic Recovery,” CMP TechWeb, 15 May 2009, via Dow Jones Factiva, © 2009 United Business Media LLC.
9. “Shanghai to invest in cloud computing,” Shanghai Daily, 27 October 2010, via Dow Jones Factiva, © 2010 Shanghai Daily Company.
10. “China to develop cloud computing services in five pilot cities,” Interfax: China Telecom Newswire, 22 October 2010, via Dow Jones Factiva, © 2010 Interfax Information Services B.V.
11. “One on One: Vivek Kundra, U.S. Chief Information Officer,” NYT Blogs, 5 November 2010, via Dow Jones Factiva, © 2010 The New York Times Company.
12. Cloud Computing, keynote presentation by Ira A. (Gus) Hunt, Chief Technology Officer, CIA, for the Virtualization, Cloud Computing and Green IT Summit, 27 October 2010.
13. “Federal Agencies Could Save Billions by Switching to the Cloud; RightNow ‘Safe Switch’ Helps Federal Government Meet Stringent Certification and Accreditation to Move into RightNow’s Secure Cloud Today,” Business Wire, 13 April 2010, via Dow Jones Factiva, © 2010 Business Wire.

Accounting

1. Worldwide and Regional Public IT Cloud Services, 2010-2014 Forecast, IDC, June 2010.
2. IFRS Outlook, Insights on international GAAP, Ernst & Young, July 2010.

Cross-border taxation of CSP arrangements

1. “The states strike back; Aim to boost revenue with tough new sales and use tax strategies,” Accounting Today, 13 September 2010, via Dow Jones Factiva, © 2010 Accounting Today and SourceMedia, Inc.

Regulatory compliance

1. Enterprise And SMB Security Survey, North America And Europe, Q3 2009, Forrester Research.
2. Ibid.
3. Source: IDC Predictions 2011: Welcome to the New Mainstream, International Data Corporation, December 2010.
4. “Layer 7 Technologies; Layer 7 Launches New Cloud Security, Connectivity and Management Solutions,” Telecommunications Weekly, 5 May 2010, © 2010 Telecommunications Weekly via NewsRx.com

Outlook

1. “Davos economic summit and globalization — yet another spate of opposition,” The Independent, 5 February 2001, via Dow Jones Factiva, © 2001 Knight-Ridder/Tribune Business News.
2. “One on One: Vivek Kundra, U.S. Chief Information Officer,” NYT Blogs, 5 November 2010, via Dow Jones Factiva, © 2010 The New York Times Company.

Glossary of terms

1. The definition of cloud computing and its essential characteristics, service models and deployment models is excerpted from the US National Institute of Standards and Technology’s widely referenced definition, NIST Definition of Cloud Computing v15. The full text is available at the NIST web site at http://csrc.nist.gov/groups/SNS/cloud-computing/


Ernst & Young’s Global Technology Center contacts

Pat Hyek, Global Technology Industry Leader, +1 408 947 5608

Yuichiro Munakata, Japan Technology Industry Leader, +81 3 3503 1528

Rebecca Norris, EMEIA Technology Industry Leader, +44 1189 28 1140

Joe Tsang, Asia-Pacific Technology Industry Leader, +86 10 5815 2902

Channing Flynn, Global Technology Industry Tax Services Leader, +1 408 947 5435

Kevin Price, Global Technology Industry Advisory Services Leader, +1 415 894 8229

Joe Steger, Global and Americas Technology Industry Transaction Advisory Services Leader, +1 408 947 5488

Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 141,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

How the Ernst & Young Global Technology Center can help your business

The technology industry is in a constant state of change — driven by continuous innovation, shifting markets, converging industries, consumer demand and the need for first-mover advantage. Ernst & Young’s Global Technology Center connects a worldwide team of more than 14,000 technology professionals to help you navigate the challenges of this continuous change. We provide assurance and tax guidance through a network of experienced advisors to help you manage risk, transform business performance and sustain improvement. We can help you deliver cost-effective innovation, balance product portfolios, maintain effective supply chains, and identify, execute and integrate strategic growth transactions. Our global technology network leverages our leading market share position in serving technology companies to provide you with timely, reliable information. Our teams use a cross-discipline, collaborative approach to help you achieve your business objectives. We encourage our people to use their ingenuity and initiative to help you develop approaches, create options and seize opportunities. It’s how Ernst & Young makes a difference. www.ey.com/technology.

© 2011 EYGM Limited. All Rights Reserved.


This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.

EYG No. DC0078