Cii-PwC Cloud Summit Report 2016

BOOSTING MARKET DYNAMICS WITH DIGITAL TECHNOLOGIES The cloud in healthcare and financial services


Content

1 Foreword
2 Introduction
3 Rise of the New IT Platform
4 Word of caution
5 Cloud computing: Laying the foundation for a global digital ecosystem for a new form of business
6 Privacy and data security concerns
7 Addressing security, privacy and regulatory concerns in healthcare
8 Addressing security, privacy and regulatory concerns in financial services
9 State of data protection and privacy laws in India
10 Conclusion
11 Appendix


2 Introduction

The fact that today's business landscape is changing faster than ever has become a cliché. Things that were relevant a few years back or are relevant today will not be so in the near future. Digital technology has become the foundation of this transformation. It holds the key, right from strategy formulation to execution. Companies will need to adapt quickly to these changes to achieve growth, meet disparate consumer needs, reach out to markets, compete and succeed.

With cloud computing being perceived as the platform for digital transformation, its adoption is fast transforming from hype to reality across industries. Two industries in particular, healthcare and financial services, where security is a key concern due to the sensitive nature of data that is transacted and which have traditionally been subjected to stringent regulations and compliances, are experiencing a rise in the adoption of cloud services.

Yet, data privacy and security threats have always been the dark side of the cloud and remain a cause for concern among these industries. However, it is interesting that healthcare and financial services companies that have adopted cloud computing are finding that security and compliances delivered by cloud service providers exceed their needs. As cloud services continue to mature, companies as well as governments are placing trust in service providers and are migrating data and applications to the cloud. One of the best examples of this new-found trust is the US federal government's adoption of cloud-based solutions for cabinet-level agencies, including the Department of Homeland Security, which is pursuing both public and private cloud solutions. The Indian government has also published a comprehensive policy report for its adoption and usage of cloud services.

This joint CII-PwC report covers the benefits and challenges faced in the adoption of cloud computing in the healthcare and financial services industry in India. It highlights the best practices being followed globally by companies in industries that have successfully adopted the cloud, and recommends an approach for future adoption. The report also assesses the current state of data protection and privacy laws in India and proposes an approach to formulate and enforce newer laws and regulations that are relevant to the current context.

1 Foreword

S Premkumar
Chairman, CII Sub-Committee on Cloud Computing and Executive Vice Chairman and Managing Director, HCL Infosystems Ltd

Chandrajit Banerjee
Director General, Confederation of Indian Industry

Digital technologies are impacting industries and businesses alike. Social, mobile, analytics and cloud (SMAC), along with agile, continuous integration and development practices like DevOps [1] and Internet of things (IoT), are having an unforeseen impact as enablers of business. Businesses today are relying heavily on technology. With new-age start-ups changing the market dynamics with digital technologies, the message to incumbents is clear: either you innovate or you perish.

Cloud computing in particular promises significant transformational benefits across industries and is seen as the foundation for digital business transformation. Though enterprises have been adopting the cloud at a rapid pace, concerns like data security and privacy continue to hinder the migration of the core business-critical workloads to cloud.

Given the rapid changes in the current economic scenario and market structure in India, cloud computing assumes particular significance in multiple sectors, including technology, healthcare and financial services. With the launch of the Digital India programme by the government, cloud computing, along with other technologies like mobility, analytics and IoT, will be key to implementing the vision of transforming the country into a digitally empowered knowledge economy. However, before organisations can fully leverage the benefits of cloud technologies, they need to understand the impact of this shift on their business model. Moving the infrastructure to the cloud is not merely an IT change but also a total transformation that needs to be assessed across strategy, structure, people, process and technology. As cloud computing brings in business and financial benefits, it also needs to be addressed from the viewpoints of business strategy, finance, regulations, compliance, tax, enterprise architecture and, most importantly, culture.

In order to understand the state of cloud adoption in the financial services and healthcare sectors, PwC and CII conducted a joint survey. This report identifies the adoption trends among Indian enterprises across the two sectors and highlights the factors that are driving cloud adoption and the key challenges or areas of concern.

Finally, the report analyses the legal scenario with regard to data security and privacy globally vis-à-vis the Indian context, and defines a way forward for setting up a robust legal and regulatory structure in the country with regard to cloud adoption.

Arnab Basu
Partner, Technology Consulting and Digital, PwC

Dipankar Chakrabarti
Executive Director, Advisory, PwC

[1] A clipped compound of 'development' and 'operations'


Rise of the New IT Platform

The past one-and-a-half years have experienced tremendous advancement of technology, particularly in the digital space. This has been fuelled by the opportunities these technologies provide to change the traditional business and operating model through the development of more effective ways to engage with stakeholders, fine-tune operational effectiveness and strengthen risk management strategies. High on the agenda for any enterprise today is transforming the IT organisation to meet the needs of businesses today. In addition, with the advent of new age technology start-ups that are changing the market dynamics, the message to incumbents is loud and clear: disrupt or get disrupted!

The convergence of digital technologies is leading to the rise of what we call the New IT Platform [2], where the IT organisation within an enterprise is being transformed to meet the growing needs of the business and its stakeholders, including customers, employees, partners and suppliers. In this model, the IT organisation is no longer a centralised authority; rather, it is an orchestrator of business services. Further, the chief information officer (CIO) serves as a catalyst for digital conversations throughout the enterprise, and is responsible for creating a tightly integrated and secure environment that enables anyone to plug into the enterprise anytime and across any device.

'Organisations that have been able to think differently about the role of IT and the use of technology to enable business are achieving higher performance compared to those organisations that are maintaining the IT status quo.'
- Mike Pearl, PwC's Technology Consulting and Global Cloud Computing Leader

These developments are leading to a new trend: IT spend and IT resources are rapidly shifting outside the traditional IT organisation. According to our 6th Global Digital IQ Survey, 47% of the total enterprise IT spend is outside the CIO budget. Also, an International Data Corporation (IDC) study [3] shows that 8% of department personnel are now dedicated to IT. Needless to say, this is a clear deviation from what we have traditionally experienced.

Implications for the IT organisation

- The IT governance model must reflect this shift in technology decision rights.
- Technology sourcing must mature to avoid duplication of costs and suboptimal vendor agreements.
- Enterprise architecture and integration must become critical IT competencies to avoid silos.
- IT must provide the foundation for enterprise data, master data, analytics and security.
- IT must provide the foundation for enterprise

PwC expects this trend to continue in the future as well, irrespective of industry, and we expect that business units will get more involved in technology decisions. [4]

[2] PwC. (2015, May). Reinventing information technology in the digital enterprise - PwC's new IT platform: Achieve high velocity IT in a digital world. Retrieved from http://www.pwc.com/us/en/increasing-it-effectiveness/publications/new-it-platform.html

[3] Whalen, M., Anderson, C., & Smith, K. (2013). The six implications of the 3rd platform on IT staffing. Retrieved from http://www.idc.com/getdoc.jsp?containerId=243452

[4] PwC. (2015). PwC's 6th Annual Digital IQ Survey. Retrieved from https://www.pwc.in/publications/digital-iq-survey.html

[Figure: Total enterprise IT spend outside CIO budget: 47%. Average departmental technical make-up: 8%. Source: PwC's 6th Annual Digital IQ Survey]

[Figure: IT spending outside the CIO's budget, by industry: 47% overall; industry values range from 39% to 53%. Industries shown: Energy and mining; Automotive; Healthcare; Entertainment, media and communications; Business and professional services; Retail and consumer; Industrial products; Hospitality and leisure; Power and utilities; Technology; Financial services. Source: PwC's 6th Annual Digital IQ Survey]

[Figure: New IT Platform approach. Labels: Professional and managed services; Build cloud services; Consume cloud services; CIO / Broker; Traditional IT; Private cloud; Virtual Private Cloud; Public cloud; Optimised workload placement, secure, tightly integrated and rapid delivery; Applications, information, business processes]


Word of caution

As technology reshapes all industries, enterprises will continue to make sizeable investments. In order to understand whether increased technology spending leads to improved financial performance, we recently analysed 250 global companies. [5] Our results clearly show no direct correlation between technology investments and profitable growth; that is, spending more on technology does not necessarily lead to better financial performance. This by itself is not a revelation, but our research further shows a strong correlation between technology and profitable growth if the investments are focussed on targeted capabilities, and augmented with the right operating model and implementation skills.

We believe successful IT organisations of the future will be those that evaluate new technologies with a discerning eye and cherry-pick those that will help solve their most important business problems. Those who merely jump on the technology bandwagon will quickly become mired in expensive gadgetry that only creates more complexity.

Four key steps for maximising value from IT investments are as follows:

1. Alignment between IT spending and business capabilities
2. The technological capacity to execute IT initiatives
3. The ability to assess the potential value from a particular IT initiative relative to its risk
4. An optimal IT operating model to sustain results from the new technology

[5] Strategy&. (2015, November). Maximizing the value from technology investments: Spending smart instead of just spending big. Retrieved from http://www.strategyand.pwc.com/reports/maximizing-value-technology-investments

Cloud computing: Laying the foundation for a global digital ecosystem for a new form of business

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources such as networks, servers, storage, applications and services that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Source: National Institute of Standards and Technology (NIST)

Which technologies are you planning to invest in?

Values per technology, in the order: Will invest less / Will invest the same amount / Will invest more (chart scale 0 to 100)

Other (please specify): 33 / 67 / 0
Open source infrastructure: 5 / 66 / 28
Open source applications: 8 / 61 / 31
Virtual meeting and collaboration…: 14 / 50 / 36
Sensors, sensing technologies,…: 14 / 49 / 37
Social media for internal communication: 13 / 49 / 37
Simulation, scenario modelling tools: 10 / 52 / 38
Data visualisation: 12 / 49 / 39
Mobile technologies for employees: 14 / 44 / 41
Data mining and analysis: 10 / 48 / 42
Digital delivery of products/services: 6 / 49 / 46
Data security: 4 / 49 / 47
Social media for external communication: 8 / 44 / 47
Gamification: 21 / 32 / 47
Private cloud: 7 / 43 / 49
Public cloud applications: 11 / 34 / 55
Public cloud infrastructure: 15 / 29 / 56
Mobile technologies for customers: 5 / 36 / 59

Source: PwC's 6th Annual Digital IQ Survey


The advent of high-speed network connectivity and the ability to deliver traditionally complex services on demand are contributing to increased cloud adoption. Businesses are moving to the cloud at a rapid pace in order to differentiate and compete. This rapid pace of cloud adoption presents both opportunities and challenges across the enterprise. These can be classified across three areas of technology, operations and services.

Key area: Technology
Opportunity: Companies can drive business growth through transforming their IT department/organisations into a strategic driver of business services.
Challenge: As companies shift from legacy systems to the New IT Platform, executives need to adapt to this change to stay relevant. They need to manage hybrid architecture and adopt a services culture. They may run into key skills shortages for cloud management capabilities.

Key area: Operations
Opportunity: Companies can scale the business, decrease time to market and enhance collaboration with the cloud.
Challenge: Integration and migration of legacy systems with cloud-based solutions, together with the orchestration and governance of the entire landscape, can be daunting. Governance, risk management and compliance of data managed by cloud providers are also important.

Key area: Services
Opportunity: Companies can innovate and create new products and services to better engage their customers and communities, and generate new sources of revenue.
Challenge: Companies must adapt their business models, change their go-to-market strategies and shift to a services-based culture to leverage the true power of the cloud.

Cloud market statistics update

Cloud computing continues to be among the top investment priorities for organisations and is becoming increasingly integral to an enterprise's overall IT landscape. According to a Forbes study [6] conducted last year, globally, around 42% of IT decisions concern a planned increase in spending on cloud computing.

Though private clouds continue to dominate in terms of overall installed workloads, public clouds are growing at a much faster rate. In addition, 74% of enterprises have a hybrid cloud strategy and more than half of them are already using both public and private clouds. [7]

With regard to the growth rate of cloud service models, at the aggregate level, though infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) initially accounted for the largest workload share, software-as-a-service (SaaS) workloads are growing at a much faster pace. By 2019, 59% and 11% of the total cloud workloads will be SaaS and PaaS workloads, up from 45% and 13% respectively in 2014. [8]

[6] Forbes. (2015). Roundup of cloud computing forecasts and market estimates, 2015. Retrieved from http://www.forbes.com/sites/louiscolumbus/2015/09/27/roundup-of-cloud-computing-forecasts-and-market-estimates-q3-update-2015/#16a5a0416c7a

[7] Right Scale. (2014). Cloud computing trends: 2014 State of the Cloud Survey. Retrieved from http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2014-state-cloud-survey

[8] Cisco. (2015). Cisco Global Cloud Index: Forecast and methodology, 2014–2019. Retrieved from http://www.cisco.com/c/en/us/solutions/collateral/service-provider/global-cloud-index-gci/Cloud_Index_White_Paper.pdf

Public cloud workloads are going to grow at 33% CAGR from 2013 to 2018. Private clouds will grow at a slower rate of 21%. (Source: Cisco Global Cloud Index, 2013-18)

[Figure: Growth in public vs. private cloud workloads, 2013 to 2018. Vertical axis: installed workloads in millions. Series: public cloud data center (33% CAGR), private cloud data center (21% CAGR). Source: Cisco Global Cloud Index, 2013-2018]

[Figure: Growth in cloud workloads by service model, 2013 to 2018. Vertical axis: installed workloads in millions. Series: SaaS (33% CAGR), IaaS (13% CAGR), PaaS (21% CAGR)]


Currently, cloud adoption in India is in a growth phase. The various initiatives launched by the government under the National e-Governance Plan (NeGP), such as the State Wide Area Network (SWAN), State Data Centres (SDC), State Service Delivery Gateway (SSDG) and e-Portal, have led to the buildout of ICT infrastructure both at the Centre and state level. In addition, other initiatives like the National Fibre Optics Network (NOFN) and launch of the National Cloud under the umbrella of the MeghRaj[9] initiative show the Indian government's commitment to promote cloud computing in both the public and private sector.

Gartner's estimates are indicative of the potential of the cloud computing market in India. It predicts that the total market for public cloud services in India is expected to reach 1.7 billion USD in 2018.[10] Though SaaS will dominate public IT cloud services spending, followed by IaaS, PaaS will experience fast growth, primarily due to cloud adoption by the developer community and big data driven solutions.[11] Other estimates are equally upbeat: according to IDC,[12] 3.5 billion USD will be spent on cloud services in India by 2016, a growth of over 400% from 2012. In addition, Forrester expects the SaaS market in particular to roughly double in value between 2014 and 2020, when it will be worth 1.2 billion USD.[13]

State of cloud adoption in the financial services and healthcare industry: PwC-CII joint survey

In order to understand the state of cloud adoption in the financial services and healthcare industry, PwC and CII conducted a joint survey. This section highlights the survey findings.

The fact that the cloud is increasingly being recognised as the platform of the future is clear, as almost a quarter of the organisations surveyed suggested that more than 15% of their IT budget (21% for financial services and 23% for healthcare) was devoted towards cloud computing.

[9] In order to enable governments (both at the Centre and states) to leverage cloud computing for the effective delivery of e-services, the Government of India embarked upon an ambitious and important initiative—GI Cloud, which has been named MeghRaj. Under this initiative, the Department of Electronics and Information Technology (DeitY) announced two cloud policy reports, which have been approved by the Minister of Communications and IT: the 'GI cloud strategic direction paper' and 'GI cloud adoption and implementation roadmap'.

[10] Gartner. (2014). Forecast analysis: Public cloud services, worldwide, 2012-2018, 1Q14 update and forecast: Public cloud services, worldwide, 2012-2018, 1Q14 update. Retrieved from http://www.gartner.com/newsroom/id/2721517

[11] Gens, F. (2014). Worldwide and regional public cloud IT services 2014-2018 forecast. Retrieved from https://www.idc.com/getdoc.jsp?containerId=251730

[12] US Department of Commerce and Industry & Analysis (I&A). (2015). 2015 top markets report - cloud computing. Retrieved from http://trade.gov/topmarkets/pdf/Cloud_Computing_Top_Markets_Report.pdf

[13] International Trade Administration. (2015). 2015 top markets report – cloud computing. Retrieved from http://trade.gov/topmarkets/pdf/Cloud_Computing_Top_Markets_Report.pdf

With the aim of transforming the entire ecosystem of public services through the use of information technology, the Government of India recently launched the Digital India programme. The vision is to make India a digitally empowered society and knowledge economy.

PwC believes cloud computing will be at the core of the Digital India programme and will provide a definite push towards cloud adoption in the country.

In terms of cloud adoption, more than half of the financial services organisations (57%) surveyed and almost two-thirds of the healthcare organisations (64%) surveyed stated that they have implemented cloud-based services.

However, despite the positive outlook, concerns remain. Data security and trust, followed by legal and regulatory compliance, are the key issues. In addition, 50% and 36% of respondents from the financial services and healthcare industry respectively stated that lack of knowledge is one of their barriers to cloud adoption. Thus, there is further scope for this technology if the knowledge gaps are addressed suitably.

Q. What percentage of your organisation’s IT budget is devoted towards the cloud?

Less than 2%: financial services 36%, healthcare 27%
Between 2% and 5%: financial services 29%, healthcare 27%
Between 5% and 10%: financial services 14%, healthcare 9%
Between 10% and 15%: financial services 0%, healthcare 14%
More than 15%: financial services 21%, healthcare 23%

Source: PwC-CII joint survey, 2016

Q. At what stage is your organisation vis-à-vis cloud adoption?

[Figure: two pie charts, one for financial services and one for healthcare. Response options: "We are at the discussion stage or currently evaluating the option of the cloud"; "We are in the process of implementing the cloud"; "We have implemented the cloud and are currently using the same"; "Not applicable".]

Financial services: 57% have implemented the cloud and are currently using it; the remaining segments are 14% and 29%.
Healthcare: 64% have implemented the cloud and are currently using it; the remaining segments are 14%, 14% and 8%.

Source: PwC-CII joint survey, 2016


Private cloud and SaaS are the most widely adopted deployment and service models in organisations in the financial services and healthcare industry.

While performance of the cloud platform or solutions and overall security are the key considerations for choosing the preferred cloud service provider, data ownership, backup, recoverability and service availability are the major considerations while negotiating a service-level agreement (SLA).

The cloud brings pricing flexibility. This, along with cost savings, infrastructure and application scalability, and speedier deployment of infrastructure and application, is the key driver for cloud adoption.

Q. What do you think are the major barriers to adopting the cloud?

Lack of knowledge: financial services 50%, healthcare 36%
Indecision about which apps to move into the cloud: financial services 29%, healthcare 18%
Lack of clarity on costing models: financial services 36%, healthcare 36%
Data security and trust: financial services 50%, healthcare 59%
Legal and regulatory compliance: financial services 29%, healthcare 45%

Source: PwC-CII joint survey, 2016

Q. Which cloud deployment model(s) has your organisation adopted?

Public cloud: financial services 14%, healthcare 36%
Private cloud: financial services 57%, healthcare 50%
Hybrid cloud: financial services 36%, healthcare 27%

Source: PwC-CII joint survey, 2016

Q. Which cloud service model(s) has your organisation adopted?

IaaS: financial services 7%, healthcare 36%
PaaS: financial services 21%, healthcare 14%
SaaS: financial services 50%, healthcare 64%

Source: PwC-CII joint survey, 2016

Q. What are your organisation’s key drivers for cloud adoption?

Ability for IT department to focus on innovation and core business issues rather than operational aspects: financial services 14%, healthcare 18%
Increased IT efficiency and utilisation: financial services 36%, healthcare 23%
Improved business agility: financial services 21%, healthcare 32%
Robust disaster recovery mechanisms: financial services 21%, healthcare 23%
Speedier deployment of infrastructure and application: financial services 57%, healthcare 59%
Infrastructure and application scalability: financial services 57%, healthcare 68%
Cost savings and pricing flexibility: financial services 64%, healthcare 73%

Respondents who rated within the top 3. Source: PwC-CII joint survey, 2016

Q. What parameters does your organisation consider when evaluating cloud solutions?

Adherence to standards and compliances: financial services 43%, healthcare 45%
Quality of service: financial services 57%, healthcare 50%
Application portability: financial services 71%, healthcare 32%
Enterprise grade security: financial services 64%, healthcare 82%
Performance: financial services 79%, healthcare 91%

Respondents who rated within the top 3. Source: PwC-CII joint survey, 2016


Privacy and data security concerns

Data privacy and security have been key concerns and a regular topic of discussion when it comes to the cloud. However, in order to closely analyse this issue, we need to classify it into two major areas:

1. Technical issues related to security of data in a cloud environment

2. Regulatory, compliance and legal issues to consider when moving to the cloud

Technical issues related to security

Historically, technical aspects of security have inhibited cloud adoption, the primary concerns being the security of virtual machines, trust in the cloud service provider, commingling of data with that of another customer/tenant, intrusion detection and prevention in the cloud, etc. However, with cloud as a technology becoming more stable and with increased maturity, cloud service providers have begun to provide more insights into their security controls, governance and regulatory compliance processes. This is increasing the confidence of businesses in cloud technology. The results are evident: according to a Forrester study on cloud security, from 2011-2013, there was a 24 percentage point decrease in the number of respondents who found security and privacy to be concerns in a virtualised or cloud environment.[14]

With the overcoming of the technical hurdles of security, cloud computing is fast moving from a stage of evaluation to value creation and realisation.

[14] PwC presentation at Wales & West CIO Forum, 2015

Q. Which of the following do you consider when negotiating an SLA with a cloud service provider?

Multi-tenancy disclosure: financial services 7%, healthcare 23%
Data location: financial services 29%, healthcare 23%
Retention or destruction of records: financial services 43%, healthcare 23%
Legal hold or e-discovery: financial services 21%, healthcare 23%
Availability of service: financial services 64%, healthcare 73%
Backup and recovery: financial services 79%, healthcare 73%
Ownership of data and associated metadata: financial services 57%, healthcare 64%

Respondents who rated within the top 3. Source: PwC-CII joint survey, 2016

Security and privacy concerns in virtualisation or cloud environments

2011: 67%
2012: 59%
2013: 43%

Source: Forrester report on cloud security as prepared for PwC, August 2014


Not inherently insecure

The point we want to highlight here is that, technically, there are no reasons that should restrict the migration of private data to the cloud. Risks have to be managed, as in the case of any on-premise or in-house system. A report published by the Information Security Forum (ISF)[15] highlighted five major findings with regard to data privacy and the cloud. These are discussed below.

• Cloud-based systems are here, and organisations are using them: Organisations cannot avoid the cloud. According to the ISF survey report, 90% of organisations achieve projected savings and 80% increase their competitive advantage with the cloud. Information subject to privacy regulations (known as personally identifiable information [PII]) will inevitably move to the cloud.

• The risk of putting private data on the cloud is not always considered or addressed: Cloud-based systems are seen to be complicated; the same is true for privacy regulations. This combination of complexity creates barriers to managing the risk of private data on the cloud, thereby increasing organisational risk.

• The cloud can be suitable for PII: There are no inherent reasons for not moving private data to the cloud; the risks have to be managed as in any other case. The process will be made easy if organisations first cut through the perceived complexity, take advantage of existing information risk management approaches and enhance them where necessary to manage risks.

• Cloud complexity can be simplified: Cloud-based systems are not as complicated as many people consider them to be, and understanding the basics makes complying with privacy requirements easier. The various cloud deployment and service models provide different levels of control to the purchasing organisation, accordingly creating a different degree of inherent risk.

• Privacy obligations are the same for both cloud and non-cloud based systems: Privacy obligations do not change when information moves into the cloud. This means that most organisations' efforts to manage privacy and information risks can be applied to cloud-based systems with only minor modifications, once cloud complexity is understood. This can provide a low-cost starting point to manage cloud and privacy risks.

Going by the above findings, what enterprises need to do is identify the common areas in security that need to be addressed from a technology perspective, develop use cases specifically for cloud security based on their individual requirements, create a comprehensive information security strategy to address security concerns with respect to the cloud, and embed the same throughout the enterprise's cloud life cycle.

Several components need to be addressed to provide comprehensive cloud security. In addition, the cloud security strategy must be aligned with an enterprise's overall IT security policies and guidelines. We have identified six technical domains that need to be considered while formulating a cloud security strategy: data, governance, user and identity management, infrastructure, platform and software, and integration.

Common cloud security use cases

Based on the above recommended cloud security domains, PwC has developed some common cloud security use cases that can act as guidance for identifying the key requirements of an enterprise when adopting cloud computing. Each of these use cases has been supplemented with key security and privacy issues that an enterprise must address and the associated recommendations to address the same from a technology point of view.

Use case 1: SaaS migration

Common issues faced by enterprises: How do I assess and address the risk of SaaS adoption before and after migration?

Recommended approach:

• Perform vendor risk assessment, including SaaS architecture and security, to develop a repeatable assessment framework

• Educate/work with procurement on contract terms

• Develop a SaaS/cloud security services layer for SaaS (security information and event management [SIEM], identity access management [IAM], data loss prevention [DLP], encryption, etc.); consider security as a service

[15] Information Security Forum (2013, February). Data privacy in the cloud. Retrieved from http://www.infosecurityeurope.com/__novadocuments/107034?v=635780175741100000

[Figure: Cloud security strategy, with six domains: Data; Integration; Governance; Users and identity; Infrastructure; Platform and software. The figure lists the following groups of items:]

• Data loss prevention; Secure storage, secure disposal; Audit and forensics

• Roles and authorisation levels and authentication; Evaluation/monitoring of usage patterns; Programme awareness and education; Entitlement stores and role-based access control

• Security functionality; Network configuration; Cloud hardening; Vulnerability management; Infrastructure operations

• Data classification; Data backup, retention; Data ownership, segregation; Risk assessments; Encryption/tokenisation

• Interoperability; Lock-in/portability; Security analytics; Administration console; Public/private/hybrid models; Secure connection to other systems and data; Event management

• Threat and vulnerability identification in software development life cycle (SDLC), deployment, upgrade of the application; Access control; Monitoring/management; Application vulnerability management and remediation

• Define processes and policies (ownership, connectivity, privacy, audit/wipe); Legal (NDA, SLA, licensing); Audit and compliance; Identifying preferred suppliers/service level for business; Business continuity; Training and awareness; Clear security control framework

1716

Page 19: Cii-PwC Cloud Summit Report 2016

Not inherently insecure

The point we want to highlight here is that, technically, there are no reasons that should restrict the migration of private data to the cloud. Risks have to be managed, as in the case of any on-

15premise or in-house system. A report published by the Information Security Forum (ISF) highlighted five major findings with regard to data privacy and the cloud. These are discussed below.

• Cloud-based systems are here, and organisations are using them: Organisations cannot avoid the cloud. According to the ISF survey report, 90% of organisations achieve projected savings and 80% increase their competitive advantage with the cloud. Information subject to privacy regulations (known as personally identifiable information [PII]) will inevitably move to the cloud.

• The risk of putting private data on the cloud is not always considered or addressed: Cloud-based systems are seen to be complicated; the same is true for privacy regulations. This combination of complexity creates barriers to managing the risk of private data on the cloud, thereby increasing organisational risk.

• The cloud can be suitable for PII: There are no inherent reasons for not moving private data to the cloud; the risks have to be managed as in any other case. The process will be made easy if organisations first cut through the perceived complexity, take advantage of existing information risk management approaches and enhance them where necessary to manage risks.

• Cloud complexity can be simplified: Cloud-based systems are not as complicated as many people consider them to be, and understanding the basics makes complying with privacy requirements easier. The various cloud deployment and service models provide different levels of control to the purchasing organisation, accordingly creating a different degree of inherent risk.

• Privacy obligations are the same for both cloud and non-cloud based systems: Privacy obligations do not change when information moves into the cloud. This means that most organisations' efforts to manage privacy and information risks can be applied to cloud-based systems with only minor modifications, once cloud complexity is understood. This can provide a low-cost starting point to manage cloud and privacy risks.

Going by the above findings, what enterprises need to do is identify the common areas in security that need to be addressed from a technology perspective, develop use cases specifically for cloud security based on their individual requirements, create a comprehensive information security strategy to address security concerns with respect to the cloud, and embed the same throughout the enterprise's cloud life cycle.

Several components need to be addressed to provide comprehensive cloud security. In addition, the cloud security strategy must be aligned with an enterprise's overall IT security policies and guidelines. We have identified six technical domains that need to be considered while formulating a cloud security strategy: data, governance, user and identity management, infrastructure, platform and software, and integration.

Common cloud security use cases

Based on the above recommended cloud security domains, PwC has developed some common cloud security use cases that can act as guidance for identifying the key requirements of an enterprise when adopting cloud computing. Each of these use cases has been supplemented with key security and privacy issues that an enterprise must address and the associated recommendations to address the same from a technology point of view.

Use case 1: SaaS migration

Common issues faced by enterprises: How do I assess and address the risk of SaaS adoption before and after migration?

Recommended approach:

• Perform vendor risk assessment, including SaaS architecture and security, to develop a repeatable assessment framework
• Educate/work with procurement on contract terms
• Develop a SaaS/cloud security services layer for SaaS (security information and event management [SIEM], identity access management [IAM], data loss prevention [DLP], encryption, etc.); consider security as a service

15 Information Security Forum (2013, February). Data privacy in the cloud. Retrieved from http://www.infosecurityeurope.com/__novadocuments/107034?v=635780175741100000

[Figure: Cloud security strategy, surrounded by six domains: Data; Integration; Governance; Users and identity; Infrastructure; Platform and software. The figure lists the following groups of items against the domains.]

• Data loss prevention
• Secure storage, secure disposal
• Audit and forensics

• Roles and authorisation levels and authentication
• Evaluation/monitoring of usage patterns
• Programme awareness and education
• Entitlement stores and role-based access control

• Security functionality
• Network configuration
• Cloud hardening
• Vulnerability management
• Infrastructure operations

• Data classification
• Data backup, retention
• Data ownership, segregation
• Risk assessments
• Encryption/tokenisation

• Interoperability
• Lock-in/portability
• Security analytics
• Administration console
• Public/private/hybrid models
• Secure connection to other systems and data
• Event management

• Threat and vulnerability identification in software development life cycle (SDLC), deployment, upgrade of the application
• Access control
• Monitoring/management
• Application vulnerability management and remediation

• Define processes and policies (ownership, connectivity, privacy, audit/wipe)
• Legal (NDA, SLA, licensing)
• Audit and compliance
• Identifying preferred suppliers/service level for business
• Business continuity
• Training and awareness
• Clear security control framework


Use case 2: Internal private/hybrid cloud infrastructure buildout

Common issues faced by enterprises: How do I build and operate a private/hybrid infrastructure service securely?

Recommended approach:

• Assess private cloud security architecture using an environment and solution-specific framework (e.g. modified Cloud Security Alliance [CSA]¹⁶, International Organization for Standardization [ISO]¹⁷, National Institute of Standards and Technology [NIST]¹⁸, adapted to your architecture, implementation and operations)
• Develop cloud security architecture to address gaps; on-premise security may suffice (but look at security as a service if also using public IaaS)

Use case 3: Sensitive data security and compliance across SaaS environments

Common issues faced by enterprises: How do I detect and protect/respond to what is already on the cloud?

Recommended approach:

• Perform SaaS inventory and data discovery risk assessment
• Develop SaaS environment risk assessment capability using customised data protection policies and purpose-built tools
• Design and implement training, awareness, and response processes

Use case 4: Identity and access management for the cloud

Common issues faced by enterprises: We need cost-effective and easy-to-deploy IAM for portals, mobile, and SaaS/cloud environments. What should we do?

Recommended approach:

• Develop the IAM strategy refresh while looking at where/how best to adopt identity-as-a-service (IDaaS) to drive business and IT value
• Develop/revise an IAM roadmap and select an IDaaS vendor
• Execute the roadmap

16 CSA is the world's leading organisation dedicated to defining and raising awareness of best practices in order to help ensure a secure cloud-computing environment. It has developed the Cloud Controls Matrix (CCM), a controls framework that gives a detailed understanding of security concepts and principles that are aligned to CSA guidance. It also operates the most popular cloud security provider certification programme, the CSA Security, Trust & Assurance Registry (STAR), a three-tiered provider assurance programme of self-assessment, third-party audit and continuous monitoring.

17 ISO is responsible for ISO 9000, ISO 14000, ISO 27000, ISO 22000 and other international management standards.

18 NIST is the federal technology agency that works with industry to develop and apply technology, measurements and standards.

19 This can include the cloud tenant or the consumer, cloud service provider, cloud broker and other members in the cloud service providers' supply chain.

20 Hogan Lovells. (2010). Cloud computing: A primer on legal issues, including privacy and data security concerns. Retrieved from http://www.cisco.com/c/dam/en_us/about/doing_business/legal/privacy_compliance/docs/CloudPrimer.pdf

Use case 5: Shadow IT and cloud governance

Common issues faced by enterprises: We cannot protect what we do not know. How do we detect and govern shadow IT use of the cloud?

Recommended approach:

• Develop policies to address/guide non-IT managed tech securely
• Develop cloud inventory and risk assessment capability (see SaaS data security)
• Develop data detection and/or encryption capabilities for cloud environments

Use case 6: Data centre migration to IaaS

Common issues faced by enterprises: How should risk and security play into migration decision-making, architecture, and operations?

Recommended approach:

• Develop a migration risk and operational assessment framework
• Assess the IaaS vendor for native risk/security capabilities with specific end-state architecture in mind; design controls to address gaps
• Implement cost and risk-appropriate controls in a phased/strategic manner

Regulatory, compliance and legal issues to consider when moving to the cloud

The regulatory, compliance and legal issues related to cloud privacy are another major challenge for businesses planning to move their workloads to cloud environments. Moreover, the changing nature of the legal and regulatory landscape around cloud computing creates a practical challenge in understanding how a law applies to the different parties¹⁹ under various scenarios. Regardless of the cloud service or the deployment being used, an enterprise will also need to consider the issues surrounding the data collected, stored and processed in the cloud. Some of these concerns are related to a specific industry and some to where the data is stored or transferred, or both.

The key challenges enterprises face with regard to the various regulatory, compliance and legal issues²⁰ in cloud computing services are outlined below:

Cloud computing that employs a hybrid, community or public cloud model 'creates new dynamics in the relationship between an organization and its information, involving the presence of a third party: the cloud provider. This creates new challenges in understanding how laws apply to a wide variety of information management scenarios.'

Source: Security guidance for critical areas of focus in cloud computing, published by the CSA


• Compelled disclosure to the government
• Data security and disclosure of breaches
• Transfer of, access to, and retention of data
• Location of data

The table below summarises the above concerns and identifies the applicable or related laws, regulations and standards in the US, UK and India.

21 Ibid.

22 Mohammed, A. T., AlSudiari, T., & Vasista, T. G. K. (2012, March). Cloud computing and privacy regulations: An exploratory study on issues and implications, Advanced computing: An international journal (ACIJ), 3(2).

23 ECPA was enacted by the United States Congress to extend government restrictions on wire taps from telephone calls to include transmissions of electronic data by computers. New provisions were added to prohibit access to stored electronic communications (i.e. the Stored Communications Act, 1986).

24 SCA addresses voluntary and compelled disclosure of 'stored wire and electronic communications and transactional records' held by third-party Internet service providers.

25 The US Patriot Act is an Act of Congress that was signed on 26 October 2001 and amended in 2005. It allows the Federal Bureau of Investigation (FBI) access to certain business records with a court order. The law limits the ability of cloud providers to reveal that they received an order; hence, cloud users may not even know about a disclosure.

Concern²¹ 1: Compelled disclosure to the government

Description:

• Information stored on the cloud is subject to different protections (primarily jurisdictional) than information stored in-house

Related laws, regulations and standards²²:

In the US

• Electronic Communications Privacy Act (ECPA)²³, (1986)
• Stored Communications Act (SCA)²⁴, 1986
• USA Patriot Act²⁵, 2001
• Federal Trade Commission (FTC) Fair Information Practice, 1973

In the UK

• Regulation of Investigatory Powers Act (RIPA), 2000

In India

• Right to information (RTI) Act, 2005
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011

Concern 2: Data security and disclosure of breaches

Description:

• How does a cloud provider protect a cloud consumer's data?
• When the law (primarily industry specific) imposes data security requirements on a cloud consumer, how can it ensure compliance when in-house storing the information on the cloud?
• If the cloud's security is breached, must the cloud provider give notice of the breach?

Related laws, regulations and standards:

In the US

• Family Educational Rights and Privacy Act (FERPA)²⁶
• Gramm-Leach-Bliley Act (GLBA)²⁷
• Health Insurance Portability and Accountability Act (HIPAA)²⁸
• Health Information Technology for Economic and Clinical Health (HITECH) Act²⁹
• Sarbanes-Oxley Act (SOX)³⁰, 2002
• State laws and regulations (for data breach notification)
• Section 5 of the FTC Act³¹, 1914

In the UK

• Data Protection Act (DPA)³², 1998
• The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations (PECR), 2011
• Directive 95/46/EC (data protection directive)³³

In India

• No specific laws but IT Act, 2005, and 2008 amendments (cyber law) can be helpful
• Recently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, provides regulation on collection, disclosure, transfer and storage of sensitive personal data, and widens the scope of the regulation in section 43A of the 2000 act.

26 FERPA is a federal law that affords parents the right to have access to their children's education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records.

27 GLBA requires financial institutions (companies that offer consumers financial products or services like loans, financial or investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive data.

28 HIPAA is a US legislation that provides data privacy and security provisions for safeguarding medical information.

29 The HITECH Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, was signed into law on 17 February 2009 to promote the adoption and meaningful use of health information technology.

30 The SOX Act of 2002 is a legislation passed by the US Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures.

31 Section 5 prohibits entities from engaging in unfair or deceptive acts or practices in interstate commerce.

32 DPA is an Act of the Parliament of the UK and Northern Ireland which defines the UK law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK.

33 The Data Protection Directive (officially, Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) is a European Union (EU) directive adopted in 1995 which regulates the processing of personal data within the EU. It is an important component of the EU's privacy and human rights law.


Concern 3: Transfer of, access to, and retention of data

Description:

• Will companies and consumers have access to data on the cloud?
• Can the data (stored in the cloud) be destroyed by the cloud provider or should it be returned to the cloud consumer?

Related laws, regulations and standards:

In the US

• Freedom of Information Act (FOIA)³⁴, 1967
• Payment Card Industry Data Security Standard (PCI DSS)³⁵
• FTC Fair Information Practice, 1973

In the UK

• The 'Safe Harbour' agreement (for data transfer between the EU and US)³⁶

In India

• No specific laws in India, but the RTI Act, 2005, can be helpful

Concern 4: Location of data

Description:

• The physical location of the (cloud) server storing the data may have legal (jurisdictional) implications.

Related laws, regulations and standards:

In the US

• National Association for Regulatory Administration (NARA) regulations (Title 36 of the code of federal regulations)
• PCI DSS
• Sarbanes–Oxley (SOX) Act, 2002
• FTC Fair Information Practice, 1973

In the UK

• Compliance with EU Data Protection Directive (EC/95/46) (the directive) is required

In India

• No specific laws in India but the IT Act, 2008, can be helpful

The above sections highlight the fact that businesses need to deliberate upon a number of considerations from a technical, regulatory compliance and legal perspective before migrating to the cloud. The task might seem daunting; however, following a structured approach with initial due diligence can help address the above issues.

We have identified two industries which have stringent data privacy and security requirements, healthcare and financial services, to drive the point that security and privacy should not be an issue hindering cloud adoption if an enterprise follows a structured approach with proper due diligence and adheres to industry best practices.

34 FOIA is a law that gives you the right to access information from the federal government.

35 PCI DSS is a widely accepted set of policies and procedures intended to optimise the security of credit, debit and cash card transactions, and protect cardholders against misuse of their personal information.

36 EU privacy law forbids the movement of its citizens' data outside the EU, unless it is transferred to a location which is deemed to have 'adequate' privacy protections in line with those of the EU. The Safe Harbour agreement that was made between the EC and the US government essentially promised to protect EU citizens' data if transferred by American companies to the US.

Addressing security, privacy and regulatory concerns in healthcare

Technology is disrupting the healthcare industry: never have patients been so involved in their healthcare. According to our Customer Experience in Healthcare survey, 55% of patients trust the Internet more than a doctor, 75% want to move from informed consent to shared decision-making and 74% of the consumers are open to virtual doctor visits.

We believe technological advances will continue in the future, and the healthcare industry will see adoption of more and more disruptive technologies. These advancements will be at the heart of revolutionising the healthcare industry that we know today. Technology will become a key driver of change and a solution for creating greater efficiency and value. Technological advances are creating new care delivery models and the most interesting fact is that consumers are responding to the same. According to a report published by PwC³⁷, about 49% of the patients said they expect mHealth to change how they manage their overall health and 59% said mHealth has changed how they seek information on health issues. Further, another 59% of the patients said mHealth services have replaced some visits to doctors or nurses. Technology is clearly empowering patients to take greater accountability for their care.

The revolution in the healthcare industry is giving rise to a new health economy. In this new economy, the traditional notion of 'how, where and by whom care is delivered' is changing. Consumers are ready to receive care in new ways and in new places. This is forcing organisations to re-examine their current business models to demonstrate value. According to PwC's 17th Annual Global CEO Survey, 94% of healthcare CEOs plan to alter their customer growth and retention strategies, and 84% plan to alter their channels to market. The top three global trends that healthcare CEOs believe will transform their business the most over the next five years include technical advances, demographic shifts and a shift in global economic power. The areas where the CEOs believe a change is already underway are the use and management of data and data analytics, technology investments, and R&D and innovation capacity.


Some characteristics of the healthcare revolution we are experiencing today:

• Emergence of new business models
• New entrants expanding and reshaping the health system
• Rebalance of the public and private sectors in the financing and delivery of care
• Greater focus on reward for outcomes instead of volume of activity
• Shift in trend from inpatient care to outpatient services
• Industrialising of the healthcare sector

36 PwC. (2014). Emerging mHealth: Paths for growth. Retrieved from https://www.pwc.com/gx/en/healthcare/mhealth/assets/pwc-emerging-mhealth-full.pdf

2322

Page 25: Cii-PwC Cloud Summit Report 2016

# Concerns Description Related laws, regulations and standards

3 Transfer of, access to, and retention of data

l Will companies and consumers have access to data on the cloud?

l Can the data (stored in the cloud) be destroyed by the cloud provider or should it be returned to the cloud consumer?

In the US

l Freedom of Information Act (FOIA), 341967

l Payment Card Industry Data Security 35Standard (PCI DSS)

l FTC Fair Information Practice, 1973

In the UK

l The 'Safe Harbour' agreement (for data transfer between the EU and

36US)

In India

l No specific laws in India, but the RTI Act, 2005, can be helpful

4 Location of data l The physical location of the (cloud) server storing the data may have legal (jurisdictional) implications.

In the US

l National Association for Regulatory Administration (NARA) regulations (Title 36 of the code of federal regulations)

l PCIDSS

l Sarbanes–Oxley (SOX) Act, 2002

l FTC Fair Information Practice, 1973

In the UK

l Compliance with EU Data Protection Directive (EC/95/46) (the directive) is required

In India

l No specific laws in India but the IT Act, 2008, can be helpful

The above sections highlight the fact that businesses need to deliberate upon a number of considerations from a technical, regulatory compliance and legal perspective before migrating to the cloud. The task might seem daunting; however, following a structured approach with initial due diligence can help address the above issues.

We have identified two industries which have stringent data privacy and security requirements-healthcare and financial services-to drive the point that security and privacy should not be an issue hindering cloud adoption if an enterprise follows a structured approach with proper due diligence and adheres to industry best practices.

34 FOIA is a law that gives you the right to access information from the federal government.35 PCI DSS is a widely accepted set of policies and procedures intended to optimise the security of credit, debit and cash card transactions, and protect cardholders against misuse of their personal information.36 EU privacy law forbids the movement of its citizens' data outside the EU, unless it is transferred to a location which is deemed to have 'adequate' privacy protections in line with those of the EU. The Safe Harbour agreement that was made between the EC and the US government essentially promised to protect EU citizens' data if transferred by American companies to the US.

7 Addressing security, privacy and regulatory concerns in healthcare

Technology is disrupting the healthcare industry: never have patients been so involved in their healthcare. According to our Customer Experience in Healthcare survey, 55% of patients trust the Internet more than a doctor, 75% want to move from informed consent to shared decision-making and 74% of the consumers are open to virtual doctor visits.

We believe technological advances will continue in the future, and the healthcare industry will see adoption of more and more disruptive technologies. These advancements will be at the heart of revolutionising the healthcare industry that we know today. Technology will become a key driver of change and a solution for creating greater efficiency and value. Technological advances are creating new care delivery models and the most interesting fact is that consumers are responding to the same. According to a report published by PwC [37], about 49% of the patients said they expect mHealth to change how they manage their overall health and 59% said mHealth has changed how they seek information on health issues. Further, another 59% of the patients said mHealth services have replaced some visits to doctors or nurses. Technology is clearly empowering patients to take greater accountability for their care.

The revolution in the healthcare industry is giving rise to a new health economy. In this new economy, the traditional notion of 'how, where and by whom care is delivered' is changing. Consumers are ready to receive care in new ways and in new places. This is forcing organisations to re-examine their current business models to demonstrate value. According to PwC's 17th Annual Global CEO Survey, 94% of healthcare CEOs plan to alter their customer growth and retention strategies, and 84% plan to alter their channels to market. The top three global trends that healthcare CEOs believe will transform their business the most over the next five years include technical advances, demographic shifts and a shift in global economic power. The areas where the CEOs believe a change is already underway are the use and management of data and data analytics, technology investments, and R&D and innovation capacity.

Some characteristics of the healthcare revolution we are experiencing today:
• Emergence of new business models
• New entrants expanding and reshaping the health system
• Rebalance of the public and private sectors in the financing and delivery of care
• Greater focus on reward for outcomes instead of volume of activity
• Shift in trend from inpatient care to outpatient services
• Industrialising of the healthcare sector

[37] PwC. (2014). Emerging mHealth: Paths for growth. Retrieved from https://www.pwc.com/gx/en/healthcare/mhealth/assets/pwc-emerging-mhealth-full.pdf


The cloud is foundational to this healthcare transformation. Be it mHealth, virtual healthcare, telemedicine, leveraging big data analytics for bulk data management or trying to make sense of the online medical chatter, the cloud is the fundamental building block which provides secure, robust, scalable infrastructure or a platform with literally infinite computation and storage capacity. The global cloud computing market is thus poised to witness unprecedented interest from the healthcare services sector and will register a compound annual growth rate (CAGR) of 21.3% between 2012 and 2018. The global cloud computing market size for healthcare is estimated to be 6.79 billion USD by 2018 [38]. According to industry estimates [39], the total addressable opportunity for cloud solutions in the Indian healthcare industry (hospitals) could be around 600 million USD by 2020. Further, cloud solutions may account for close to 40% of the total annual healthcare IT spending in India.

With the potential the cloud holds for the healthcare transformation, healthcare providers are taking measured steps toward the cloud. They remain circumspect about data privacy, security and service levels. This is primarily due to the numerous challenges faced by healthcare providers, chiefly the need to comply with the HIPAA and HITECH Act for meaningful use of information, recovery audit tracker (RAC) audits, International Classification of Diseases (ICD)-10, and the mandate of providing improved care while protecting patient health information (PHI).

The most common use cases of the cloud in healthcare include electronic medical records (EMRs), radiology information systems (RISs), picture archiving communication systems (PACs), backup and disaster recovery, virtual desktops, and consumer and patient portals that streamline communications with external and internal parties. In addition, the cloud is ideal for managing and maintaining integrated population health and clinical information by using care collaboration tools and deploying big data analytics solutions: data analysis, data warehousing and health information exchanges (HIEs).

Contrary to popular belief, the cloud provides a more robust and secure environment and ensures easier compliance with the HIPAA or HITECH Act.

Our experience of working with multiple healthcare organisations has enabled us to come up with the following best practices that need to be followed for cloud planning and migration:

[38] Transparency Market Research. (2015). Cloud computing market: Global industry analysis, size, share, trends and forecast 2012–2018. Retrieved from http://www.transparencymarketresearch.com/healthcare-cloud-computing.html

[39] Zinnov Management Consulting. (2010). Indian healthcare poised to harness the cloud. Retrieved from http://www.indiatechonline.com/special-feature.php?id=64

# Category Recommended best practices

1 Assessment
• Assess the current IT infrastructure and applications landscape to identify applications/services that can be migrated to the cloud
• Determine the appropriate cloud deployment model: private, public or hybrid
• Determine the appropriate cloud service model: IaaS, SaaS, PaaS
• Understand the data security, privacy and risk implications of the above cloud models and their respective combinations
• Conduct cost-benefit analysis for the chosen model and build a business case

2 Integration
• Determine integration requirements
• Determine data flow model between applications
• Clearly outline security and compliance requirements for each application
• Develop a comprehensive security strategy for cloud

3 Migration planning
• Develop a migration plan
• Develop a pre- and post-migration checklist
• As part of the migration plan, also develop a checklist for vendor evaluation:
  ▪ Tier III data centre that is Service Organization Controls (SOC) II and III and Statement on Standards for Attestation Engagements (SSAE) 16-certified
  ▪ HIPAA and PCI compliant
  ▪ Determine SLAs that address the main components of availability: security, network, cloud platform and storage

4 Vendor due diligence
• Conduct rigorous vendor evaluation
• Choose a vendor that satisfies the following requirements:
  ▪ Is HIPAA compliant and ready to sign a HIPAA business associate agreement
  ▪ Supports SOC2, SSAE16 and HIPAA compliances
  ▪ Provides defined SLA with response times based on organisational risk classification (emergency, urgent, standard, and so on)
  ▪ Flexibility to provision additional cloud services as necessary
  ▪ Deliver 24X7X365 live healthcare-level support
  ▪ Focus on healthcare industry and list of existing clients

5 Solid implementation process
• Develop an implementation plan with a clear focus on the following:
  ▪ Clearly defined project management plan
  ▪ Performance monitoring
  ▪ Roll-back plan if critical applications/services need to be reverted temporarily to the old infrastructure
  ▪ Organisational change management and training
  ▪ Defined schedule of deliverables with roles and responsibilities
  ▪ Project progress and issue-tracking mechanism

[Figure: Areas of change for healthcare CEOs: use and management of data and data analytics; technology investments; R&D and innovation capacity. Legend: Recognise need to change; Developing strategy to change; Concrete plans to implement change programmes; Change programme underway or complete. Axis: % (Planning, Doing). Source: PwC's 17th Annual Global CEO Survey]


8 Addressing security, privacy and regulatory concerns in financial services

'We are a technology company…'
– Lloyd Blankfein, Goldman Sachs

The financial services industry is at a crossroads. CEOs are generally optimistic about the economy and their own company prospects, but are concerned about the impact of factors beyond their control, such as regulatory change and geopolitical instability, along with industry disruption from new entrants. The uncertainty and change that lie ahead are reflected in the fact that 61% of industry leaders believe there are more opportunities for growth than there were three years ago [40]. However, almost as many (58%) believe there are more threats.

Technological advancements in this sector are reshaping the relationship between customers and companies by lowering the barriers to entry that had existed traditionally. Global megatrends identified by PwC (demographic and social change [41], rapid urbanisation [42] and shift in global economic powers [43]) are enabling the proliferation of new business model adoption. In addition, customer behaviours and expectations are changing, driven by experiences outside the financial services industry.

This intersection of the financial services and technology sectors has led to the emergence of a new breed of companies, termed fintech. The key driver for fintech is the convergence of retail financial services with social media, mobile, analytics and cloud technology. This is making the business leaders of the incumbent financial services organisations question the very business they are in as they are forced to reassess how their organisation's differentiating capabilities can be better used to negate the threat of fintechs and solve customer problems.

Key fintech highlights:
• Global financial services revenue potentially impacted by fintech companies: ~4.7 trillion USD
• Year-on-year funding growth to fintech companies from private equity and venture capital firms from 2010 to 2014: ~45.8%
• Number of fintech companies on AngelList as of May 2015: ~4,000
Source: The future of finance, volumes 2 and 3, Goldman Sachs, March 2015, and FinTech Week London, 2015

Why you should consider the cloud in the financial services industry:
• Accelerate time to market
• Innovate with the business
• Respond rapidly to changes in demand
• Optimise cost and usage of assets

Cloud-based solutions can create remarkable opportunities across the enterprise as they present strategic ways to strike a balance between enabling business growth and innovation and lowering costs while continuing to provide operating efficiencies. CIOs are now looking at cloud solutions to transform a traditional IT department into a business growth engine, revamp operations to achieve scale and enhance speed and collaboration, and spark innovation around new products and services to generate new sources of revenue.

Through our interaction with leading financial services companies globally, we continue to see key financial services firms push to gain time to market and cost optimisation benefits from the cloud. However, data security and privacy concerns, regulations, legacy infrastructure and migration costs seem to counteract the business case and are a major reason for preventing a faster adoption rate. Data security concerns continue to remain the foremost concern among cloud users in the financial services industry, and regulatory restrictions are a major obstacle to the adoption of cloud computing within financial services. Around 60% of financial institutions rank data confidentiality as their biggest security concern, followed by loss of control of data (57%) and data breach (55%). Another 71% of financial companies consider compliance as a reason to keep controls in-house and not migrate data to public cloud services [44].

[40] PwC. (2015). 18th Annual Global CEO Survey. Retrieved from https://www.pwc.com/gx/en/ceo-agenda/ceosurvey/2016.html

[41] By 2020, millennials will form 50% of the global workforce and by 2020, 78 million baby boomers born between 1946 to 1964 will hit retirement age. Source: PwC. (2014). Anticipating problems, finding solutions. Global Annual Review. Retrieved from https://www.pwc.com/gx/en/global-annual-review/assets/pwc-global-annual-review-2014.pdf

[42] Currently, 50% (and growing) of the world's population lives in urban areas. Source: PwC. (2012). Insurance 2020: Competing for the future. Retrieved from https://www.pwc.com/gx/en/insurance/pdf/pwc-life-insurance-2020-competing-for-a-future.pdf

[43] The global middle class is projected to grow by 180% over the next 25 years. Source: PwC. (2010). Asset management 2020: A brave new world. Retrieved from https://www.pwc.com/gx/en/asset-management/publications/pdfs/pwc-asset-management-2020-a-brave-new-world-final.pdf

[44] CSA. (2015, March). How Cloud is Being Used in the Financial Sector: Survey Report. Retrieved from https://downloads.cloudsecurityalliance.org/initiatives/surveys/financial-services/Cloud_Adoption_In_The_Financial_Services_Sector_Survey_March2015_FINAL.pdf

[Figure: Share of respondents (0% to 100%) rating each concern on a scale from 1 (low) to 5 (high). Concerns: user activity monitoring/visibility; data breach; data loss; lack of auditing features; malicious insider; secure deletion; availability; integrity; data confidentiality; compliance and legal issues; isolation failures; provider lock-in; user account control; loss of control over data (governance). Source: Cloud Security Alliance, March 2015]


We have listed some of the major data regulations that can have a significant impact on financial services organisations seeking to remain compliant with domestic and international regulations. It is critical for financial services organisations to be aware of the various country-specific regulations prevalent in the industry and to have a clear idea of the implications of each and the steps required to ensure compliance. The point we want to highlight is that the regulatory requirements for financial services institutions may vary because of the use of the cloud, but the notion that compliance with regulatory requirements requires the use of only a specific type of technology is a misconception. This false assumption mainly stems from the complex nature of these regulations and the lack of clarity surrounding them.

Country/region: Worldwide
Regulation: PCI DSS
Data type: Credit card
Guidelines to meet the regulatory requirements:
• Protect credit card details like card number, expiry date, service code and cardholder's name from logical or physical access
• Implement a role-based access control mechanism to provide separation of duties between administrators and users accessing credit card information
• Secure storage of encryption keys and implement a strong key management procedure (like dual control)
• Establish a logging mechanism for access and administration of encryption keys and sensitive data
• Document your process and protection measures

Country/region: The US
Regulation: GLBA
Data type: Corporate finance
Guidelines to meet the regulatory requirements:
• Ensure security and confidentiality of customer records and information
• Protect against any anticipated threats or hazards to the security or integrity of such records
• Protect against unauthorised access to or use of such records or information which could result in substantial harm or inconvenience to any customer

Country/region: Europe
Regulation: EU Data Protection Directive of 1995 (46/EC) and Internet Privacy Law of 2002 (58/EC)
Data type: Personal information
Guidelines to meet the regulatory requirements:
• Notice: That personal data is being collected
• Purpose: Data should only be used for stated purposes
• Consent: Data should not be disclosed without the subject's consent
• Security: Collected data should be kept secure from any potential abuses
• Disclosure: Subjects should be informed about who is collecting their data
• Access: Subjects should be allowed to access their data and to make corrections to any inaccurate data
• Accountability: Data subjects should have a method available to them to hold data collectors accountable for following the above principles

Based on our experience of helping major financial institutions achieve a transformation through technology, we have developed a set of best practices for the financial services sector to address the issue of data security, protection and regulatory compliance while adopting cloud computing.

# Steps High-level recommendations

1 Assess
Before moving sensitive financial or customer-related information to the cloud, conduct a detailed assessment to identify the following:
• Stakeholders (internal and external) who should or should not have access to the data
• Develop a mechanism to define content that is sensitive or non-sensitive, proprietary or not, and is or can be subjected to regulations or not
• Identify where in the cloud the data will reside, and the respective regional or country-specific data protection, privacy, disclosure and other laws that might be applicable

2 Design
Once the assessment is complete, develop practical system designs and identify effective tools to protect sensitive information in order to ensure the following:
• Unauthorised users are not able to access, leak or disclose protected and sensitive data
• Ability to apply the appropriate level of security to specific data types to the required level of granularity, including encryption, tokenisation, data loss prevention and malware protection
• Complete visibility and reporting over data that is entering and leaving the cloud environment. This is critical because effective monitoring and audit of activities in the cloud are a must to demonstrate compliance with regulations.

3 Build
Build and implement appropriate solutions around your cloud environment to ensure the following:
• Data sanctity is maintained in terms of formats, fields and functions; metadata is maintained both for structured and unstructured data
• Searching, sorting, indexing and reporting of data while it is secured in the cloud
• A unified platform that supports any type of cloud application and integrates with the existing third-party enterprise tools used in the on-premise environment

4 Review
Implement mechanisms and associated solutions to ensure ongoing monitoring of data and information flowing in and out of the cloud and provide detailed visibility, application awareness and understanding of the context of business information by ensuring the following:
• Granular reporting and visibility of cloud application usage, with a focus on user roles, content and accessibility to specific types of data
• Monitoring of data loss prevention policies, violations and actions taken to address any anomalies occurring in the system
• Integration between multiple cloud applications to ensure seamless data flow and provide consistent controls across the enterprise

2928

Page 31: Cii-PwC Cloud Summit Report 2016

We have listed some of the major data regulations that can have a significant impact on financial services organisations seeking to remain compliant with domestic and international regulations. It is critical for financial services organisations to be aware of the various country-specific regulations prevalent in the industry and to have a clear idea of the implications of each and the steps required to ensure compliance. The point we want to highlight is that the regulatory requirements for financial services institutions may vary because of the use of the cloud, but the fact that compliance with regulatory requirements requires usage of a specific type of technology only is a misconception. This false assumption mainly stems from the complex nature of these regulations and lack of clarity surrounding them.

Country/region: Worldwide
Regulation: PCI DSS
Data type: Credit card
Guidelines to meet the regulatory requirements:
- Protect credit card details like card number, expiry date, service code and cardholder's name from logical or physical access
- Implement a role-based access control mechanism to provide separation of duties between administrators and users accessing credit card information
- Secure storage of encryption keys and implement a strong key management procedure (like dual control)
- Establish a logging mechanism for access and administration of encryption keys and sensitive data
- Document your process and protection measures

Country/region: The US
Regulation: GLBA
Data type: Corporate
Guidelines to meet the regulatory requirements:
- Ensure security and confidentiality of customer finance records and information
- Protect against any anticipated threats or hazards to the security or integrity of such records
- Protect against unauthorised access to or use of such records or information which could result in substantial harm or inconvenience to any customer

Country/region: Europe
Regulation: EU Data Protection Directive of 1995 (46/EC) and Internet Privacy Law of 2002 (58/EC)
Data type: Personal information
Guidelines to meet the regulatory requirements:
- Notice: That personal data is being collected
- Purpose: Data should only be used for stated purposes
- Consent: Data should not be disclosed without the subject's consent
- Security: Collected data should be kept secure from any potential abuses
- Disclosure: Subjects should be informed about who is collecting their data
- Access: Subjects should be allowed to access their data and to make corrections to any inaccurate data
- Accountability: Data subjects should have a method available to them to hold data collectors accountable for following the above principles

Based on our experience of helping major financial institutions achieve a transformation through technology, we have developed a set of best practices for the financial services sector to address the issue of data security, protection and regulatory compliances while adopting cloud computing.

Steps and high-level recommendations

1. Assess: Before moving sensitive financial or customer-related information to the cloud, conduct a detailed assessment to identify the following:
- Stakeholders (internal and external) who should or should not have access to the data
- Develop a mechanism to define content that is sensitive or non-sensitive, proprietary or not, and is or can be subjected to regulations or not
- Identify where in the cloud the data will reside, and the respective regional or country-specific data protection, privacy, disclosure and other laws that might be applicable

2. Design: Once the assessment is complete, develop practical system designs and identify effective tools to protect sensitive information in order to ensure the following:
- Unauthorised users are not able to access, leak or disclose protected and sensitive data
- Ability to apply the appropriate level of security to specific data types to the required level of granularity, including encryption, tokenisation, data loss prevention and malware protection
- Complete visibility and reporting over data that is entering and leaving the cloud environment. This is critical because effective monitoring and audit of activities in the cloud are a must to demonstrate compliance with regulations.

3. Build: Build and implement appropriate solutions around your cloud environment to ensure the following:
- Data sanctity is maintained in terms of formats, fields and functions; meta data is maintained both for structured and unstructured data
- Searching, sorting, indexing and reporting of data while it is secured in the cloud
- A unified platform that supports any type of cloud application and integrates with the existing third-party enterprise tools used in the on-premise environment

4. Review: Implement mechanisms and associated solutions to ensure ongoing monitoring of data and information flowing in and out of the cloud and provide detailed visibility, application awareness and understanding of the context of business information by ensuring the following:
- Granular reporting and visibility of cloud application usage, with a focus on user roles, content and accessibility to specific types of data
- Monitoring of data loss prevention policies, violations and actions taken to address any anomalies occurring in the system
- Integration between multiple cloud applications to ensure seamless data flow and provide consistent controls across the enterprise


9 State of data protection and privacy laws in India

Like the global market, cloud computing is set to transform the business and operating model of Indian organisations and move them up the digital value chain. According to Gartner, cloud computing will constitute the bulk of IT spending by 2016 and in India alone, it is predicted that the cloud market will reach over 3 billion USD by this year, an almost fivefold increase from 2012. Though the cloud story will be led primarily by small and medium businesses (SMBs) and the growing start-up community in the country, we believe enterprises will also have a major role to play in this space. With major cloud service providers like Microsoft and Amazon setting up their data centres in India, the future for the cloud looks promising.

The roll-out of the Digital India initiative by the Government of India will provide a major push for Indian organisations to switch to the cloud model. However, the lack of specific legislation on privacy and data protection in India continues to remain a key concern for organisations in this space. Moreover, the global and distributed nature of the cloud makes it even more difficult to ensure that all laws and regulations applicable to a given case are complied with.

A summary of data protection laws in India that may be relevant to the cloud has been provided below:

- Under the IT Act, 2000, a network service provider or an intermediary is liable for any known misuse of third-party information or data, or for not exercising due diligence to prevent the offence. The IT Act, 2000, covers offences and contraventions committed outside India as well, irrespective of the offender's nationality, as long as the computer system or network is located in India.
- In India, the IT Act, 2000, deals remotely with the issue of privacy in cloud computing. Section 72 of the IT Act lays down the penalty for breach of confidentiality and privacy. This section is one of the few provisions which apply in the case of breach of privacy. The offence is punishable with imprisonment up to two years and a fine up to 1 lakh INR.
- Apart from section 72, we have section 80 of the IT Act, 2000, which deals with the search and seizure of computer data on connected systems if there is reasonable justification to do so.
- Recently, the concept of due diligence requirements has been prescribed by the Information Technology (Intermediaries Guidelines) Rules, 2011. The cyber law due diligence requirements oblige all companies and intermediaries to ensure that privacy is maintained and respected in the cloud. Intermediaries need to take proper measures to maintain and safeguard all information that is stored in the cloud from unauthorised access. In particular, they need to put more emphasis on cloud services dealing with monetary transactions. Further, if cloud service providers fail to provide or observe due diligence, then they will be subject to legal action.
- Similarly, under section 69 of the IT Act, 2000, the government has the authority to monitor as well as decrypt any information shared through a computer resource in the cloud.

Recent developments

In 2011, the Indian government introduced the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which provide a list of items which will be treated as 'sensitive personal data' and include various provisions which govern the collection of such information by a body corporate. Further, the rules impose a mandate upon the entities to implement a privacy policy for dealing with the relevant issues. According to these rules, a body corporate shall seek the consent of the concerned provider before disclosing the sensitive data to a third party, unless such disclosure was agreed upon by the parties through any contract. However, the rules also state that such information can be shared without any prior consent with government agencies mandated under law, or with any other third party by an order under the law, who shall be under a duty not to disclose it further.

In addition, there is the Privacy (Protection) Bill, 2013, which is still in the draft stage (the third draft has been updated) and has not yet been passed as a rule or law. However, this new bill remains silent on the issue of location of data and focusses primarily on the protection of personal data.


10 Conclusion

Clearly, data privacy and protection laws in India with regard to the cloud are still at a nascent stage and there has not been much progress in comparison with other developed nations. Many countries have managed to ensure that the data in the cloud is protected by implementing certain geographical restrictions which disallow cross-border data interchange. [45] Such measures have put a check on the data being saved in the cloud from unwarranted access and usage. Given the existing regulations around the world to protect privacy, we feel there is a serious lack of regulations and legislation around data privacy and protection in the cloud in India. Though the Government Cloud Policy [46], published by the Government of India in 2013, highlights security and privacy as a potential area of risk for cloud adoption and acknowledges the need for standardised policies and guidelines for data security and privacy in the cloud for the country, none have been published till date.

In the US, the Patriot Act gives the government broad latitude to intercept suspicious electronic data that comes through the country. In the EU, the data protection directive imposes stringent standards on the collection of electronic data by the government and by any other entity. In the UK, the Information Commissioner's Office (ICO) has published clear guidance which outlines the responsibilities of companies storing the data of their customers in the cloud. As part of this guidance, full responsibility for security of the data lies with the company that owns the data, rather than the company taking care of it. Hence, if an organisation with customer data (stored and processed in the cloud) suffers a data breach, it will not be able to blame the third party (i.e. the cloud service provider).

PwC recommends a four-pronged approach for defining policy guidance around data protection and privacy for cloud and cyber security in India.

Steps and recommendations

1. Identify
- Identify the data protection and privacy laws relevant to cloud computing and cyber security being enforced globally
- Determine gaps in the current state of laws and regulations related to data protection and privacy in India
- Define areas that need to be addressed and draft high-level policy principles

2. Formulate
- Elaborate on the policy principles to draft detailed policies
- May require formulating new policies and/or making amendments to existing policies and acts

3. Enforce
- Develop a framework for policy enforcement

4. Review
- Develop a review mechanism
- Conduct regular reviews of the relevance of the enforced laws and regulations
- Make amendments as required

It must be noted that the last step of the above approach, i.e. review, is a critical step because, given the rapid pace of advancements in the space of cloud computing, a law or regulation that is relevant today may not be relevant in a few years. In addition, participation from the industry is recommended while drafting the policies.

45 Sen, K. (2013). India: Privacy issues in cloud computing with reference to India. Retrieved from http://www.mondaq.com/india/x/279070/Data+Protection+Privacy/Privacy+Issues+In+Cloud+Computing+With+Reference+To+India
46 DeitY, Government of India. (2013, May). Government of India's GI cloud (MeghRaj) strategic direction paper. Retrieved from http://deity.gov.in/content/gi-cloud-initiative-meghraj


11 Appendix

Case study #1: Application migration to the Azure cloud

*The content of the case study has been provided by Narayana Hrudayalaya.

Company

Narayana Hrudayalaya, also known as Narayana Health (NH)

Project

Application migration to the Azure cloud

Challenges

NH has been expanding its national and international presence significantly through a combination of greenfield projects and acquisitions. It used to host its mission-critical applications, namely Health Information Management System (HINAI), enterprise resource planning (ERP), ICU monitoring and its related applications, out of a managed data centre service provider facility in India. The on-premise infrastructure and its related applications suffered from performance bottlenecks and service downtime along with governance, process, and compliance issues. All these factors caused multiple unscheduled outages, which resulted in poor end-user experience and negative customer feedback.

In 2013, PwC had conducted a data centre and application architecture assessment across its entire applications landscape across multiple service areas at NH. Several issues such as lack of high availability (HA), disaster recovery (DR) and workload characterisation were identified and the application performance issues were fixed.

The intent for PwC was not only to address the current challenges faced at NH but also to lay down a roadmap for the technological transformation. As recommended, major and minor initiatives were undertaken over a 3-6-12 month period as part of the digital transformation. Some of the key initiatives included the following:

- Migrating HINAI (along with other business applications) from its current virtualised environment to a true cloud infrastructure
- Developing enterprise-wide policies and standards for operations in the cloud
- Formulating and implementing IT service management processes for the cloud infrastructure environment
- Adopting a continuous application delivery approach to operationalise high-frequency release cycles

Project description

Based on PwC's recommended roadmap, NH decided to embark on the cloud journey. PwC was engaged for programme management and was appointed as the implementation partner for the cloud migration. The approach taken by PwC was as follows:

- Assessing and benchmarking NH's application infrastructure performance and utilisation levels
- Setting up a managed test area (MTA) for HINAI, Oracle eBS, iKare, TruMobi and SAP on both AWS and Azure platforms
- Assisting the respective application teams for the creation and implementation of application-wise test plans, success criteria, and testing methodologies
- Executing integrated infrastructure testing and generating relevant test reports for the MTA platforms. Based on the test results, the Azure cloud was selected by NH as the preferred cloud platform.
- Defining the standards and best practices to be followed by NH, pre- and post-migration to the cloud covering regulatory requirements, locational feasibility, application latency, user experience, cost, ownership, vendor relationship management, service level agreements (SLAs), technical support, contract, billing, licensing, IP addressing, workload segregation, network connectivity, redundancy, security, baseline hardening, storage provisioning and configuration.
- Defining architectural principles ranging from enterprise (self-service, metering and chargeback), operations (resiliency, modularity, elasticity, scalability, flexibility, performance assurance, automation, orchestration and workflow, failover/HA, agility and business continuity) and security (role-based access control, isolation, policy enforcements, audit, compliances, monitoring and reporting) requirements
- Designing NH's target cloud deployment architecture and validating the same with the architects from Microsoft Azure and obtaining a sign-off on the design from the client
- Building, constructing and configuring the designed target cloud environment in Azure and providing cloud infrastructure support to the respective applications team during the application/database setup and configuration
- Preparing the application migration plan with defined move groups, migration wave timelines, pre- and post-cutover requirements and communications plan
- Working closely with the applications team and providing the required cloud infrastructure support during production cutover
- Defining, documenting and formalising the IT service management framework for the following key processes to be followed in the cloud environment: incident management, problem management, change management (aligning it with the existing process at NH), availability management and vendor relationship management
- Defining, documenting and formalising the standard operating procedure (SOP) with detailed steps, process flow, and flowcharts for the following areas: managed network and firewall services, application user provisioning, desktop-laptop request, local administrator access, IT asset management, desktop-laptop-standard operating environment, IT peripherals request, SSL VPN [47] access, cloud instance provisioning, cloud instance de-provisioning, infrastructure power checks and core infrastructure resource request
- Providing day-to-day operations support and coordinating with multiple stakeholders within NH for programme management


In addition, PwC leveraged its internal IPs in terms of accelerators, frameworks and

methodologies, such as the transform methodology, cloud reference architecture, cloud

components map, application profiling framework and cloud migration programme tracker

during the entire project for ensuring efficient delivery.

Impact/potential impact

All business and system applications at NH were migrated to the Azure cloud in a span of two months. The key impacts are outlined below:

• At least 40% cost savings in IT infrastructure

• Ninety per cent reduction in the infrastructure procurement cycle, from days to hours

• Fifty per cent improvement in overall productivity and responsiveness

• Reduction of proof of concept (PoC) execution time from months to 3-4 days, thus fostering innovation

• Drastic improvement in satisfying 3,000+ HINAI end-users at NH

Moreover, cloud adoption has paved the way for NH to adopt digital technologies in the healthcare space and ensure that critical healthcare services are delivered to the common masses at an affordable cost.

Comments on scalability

HINAI being the core business application at NH, the scalability considerations were duly noted during the cloud architecture design to ensure that the application and underlying cloud infrastructure are able to sustain additional loads without affecting the performance.

Best practices

Here are the best practices which were followed in the execution of this project:

• Workload characterisation: Conducting assessments and benchmarking the application infrastructure performance and utilisation levels during the initial phases of the project to determine the optimum workload requirements in the cloud

• PoC: Conducting PoC tests across multiple public cloud platforms for selecting the cloud vendor

• Cloud standards: Defining enterprise-wide standards to be followed at NH pre- and post-migration to the cloud

• Architectural principles: Defining architectural principles covering enterprise, operations and security requirements

• Design and architecture: Investing considerable time in developing the optimum architecture design along with its associated components

• SME validation: Conducting multiple rounds of validation of architecture design and its associated components by the respective SMEs before venturing into implementation and migration

• Migration planning: Investing a significant amount of time in migration planning to develop a comprehensive migration tracker; identifying application dependencies to define application move groups with pre- and post-migration checklists and downtime requirements by benchmarking data transfer time

• Security: Putting in place a comprehensive strategy to ensure the security of business-critical workloads deployed on the cloud. Some of the controls implemented include conducting a detailed mapping of all ingress and egress ports for each application and configuring these in the security controls provided in the cloud, thereby ensuring that no unauthorised traffic flows in from or out to the Internet; and enabling a firewall on all the systems as an added layer of security

• Update IT service delivery and management processes: Existing IT service delivery and management processes were updated to incorporate the cloud and the same were documented and formalised

• Communication: Strengthening communication with the stakeholders since it is the key to a successful migration exercise. Regular communications were sent to the relevant stakeholders during the entire exercise.

Lessons learned

The key lessons learned include the following:

• Laying the foundation: It is necessary to invest time to lay the foundation for the migration in terms of design and architecture at the later stages of migration, and building a scalable and robust platform

• Processes post-cloud migration: It is important to understand that the set of processes and standards relevant in a pre-cloud environment will not hold well in a post-cloud scenario. Hence, cloud-specific standards and processes for IT service management and delivery need to be developed.

• Communication: For enterprise-wide migration initiatives, it was important to ensure that regular communication goes out to all the responsible and associated stakeholders involved. As mentioned earlier, regular communication was key to the success of the entire initiative.

• Change management: Cloud adoption will be a game changer for most enterprises. Hence, managing the change is critical, right from the initial stages, and involvement of the senior management is essential to drive this change.

'The (PwC) team offered their extensive capabilities from a domain and technical standpoint in the form of methodologies, cloud accelerators, best practices, architecture standards and programme management. With the help of these accelerators, we were able to successfully benchmark the application performance across service providers, select a service provider based on our requirements and migrate our applications with little or no downtime. The team displayed excellent technical knowledge combined with domain expertise which, in turn, helped us achieve our strategic objective.

Migration to the cloud should not be considered as a lift and shift programme but as a journey towards digital transformation, and by partnering with PwC we have taken the first steps towards the same.' — Kumar Krishnamurthy Venkateswaran, VP and CIO, Narayana Health (NH).



Recommendations to the government

With the adoption of cloud picking up in India, it is critical for the government to define standards and policies around cloud hosting, data privacy and security. Independent bodies like the Cloud Security Alliance (CSA) have defined standards around cloud security and data privacy – the government may take a cue from these and align the policies with these standards to ensure standardisation.

Suggestions to other companies

Cloud migration is more than a matter of mere lift and shift. It is advisable to start the cloud journey with a strategy exercise followed by laying the foundations through extensive planning and design. NH worked with PwC for three months to define the architecture principles, the target cloud architecture on Azure along with its associated components, and the standards and best practices to be followed by NH pre- and post-migration to the cloud. These were subsequently validated with the Microsoft Azure SMEs as well. Owing to the rigorous planning and design, we were able to migrate all of NH's business and system applications within two months, with minimal business downtime.

The entire journey can be broken down into the following phases:

a) Assess

b) Design

c) Construct

d) Implement

e) Operate and review

The above-mentioned phases need to be aligned around strategy, structure, people, process and technology. This has been outlined below.

[Figure: the five phases aligned around strategy, structure, people, process and technology, with programme delivery and change management (driving change, delivering change) running across all phases.]

Assess: Assess current IT applications and infrastructure landscape; determine cloud readiness

Design: Develop target architecture blueprint followed by detailed design

Construct: Build the cloud environment along with the associated components and controls

Implement: Migrate applications to the cloud

Operate and review: Operate the cloud environment and identify areas of optimisation


Key people

• Kumar Krishnamurthy Venkateswaran, VP and CIO, NH

• Jagadeesh Ramasamy, VP and Lead, Business Applications Services

• Sridharan Subramaniam, Senior Manager and Lead, Core Infrastructure Services

Case study #2: SAP on cloud (AWS)

*The content of the case study has been provided by AWS.

Company

Macmillan India

Project

SAP on cloud (AWS)

Project description

In 2011, Macmillan India got a new senior management team, changed its business strategy and restructured operations in India. The reorganisation prompted them to update the SAP business suite enterprise resource planning solution, which the company used to manage the sale and distribution of textbooks across India. The infrastructure in the on-premise data centre in Chennai had several problems that affected the system's availability.

Challenges faced

The reorganisation prompted Macmillan India to update its SAP Business Suite enterprise resource planning solution, which the company used to manage the sale and distribution of textbooks across India. The infrastructure in the on-premises data centre in Chennai had several problems that affected system availability: old hardware nearing end of life resulting in frequent breakdown, utility (electricity) shortfall resulting in downtime, networking issues causing outages and affecting productivity. These issues meant that the SAP solution operated with 90 percent or less system availability, when the company needed 99 percent or more availability. Macmillan India realised this situation was unsustainable and started looking for alternative infrastructure options.

Impact or potential impact

After analysing various solutions, Macmillan India found that migrating its infrastructure to an external cloud service, and specifically to AWS, would enable the company to achieve its objectives and avoid the expenses and management load of employing in-house IT administrators. It then set about moving its core applications – the SAP modules, a Drupal online learning system, and a customer relationship management (CRM) system – from the Chennai data centre to AWS. The company engaged PricewaterhouseCoopers (PwC) to design an SAP solution on AWS that would meet the technical and cost requirements, and comply with the Indian government regulations. Macmillan India and PwC initially moved several SAP modules – including SAP business intelligence (BI), SAP sales and distribution, SAP materials management, SAP financial accounting and controlling and SAP human resources – to AWS and tested SAP performance under a range of scenarios. PwC completed the migration of the project in about six months. Macmillan India benefitted from the AWS pay-as-you-go model, which allowed the company to consume only the resources needed to support peaks and declines in the demand. The company was able to lower its capital expenditure by nearly 100% and expected to achieve reductions in operating cost by about 30% in one year.

Comments on scalability

The company has reduced the time needed to provision a new environment from six weeks to 30 minutes, and engineers can scale it up and down at the click of a mouse. Furthermore, Macmillan India can automate its backups and meet recovery time objectives. Additionally, Macmillan India has been able to take advantage of robust security and data protection controls to protect its environment. Availability of their SAP applications has improved from 90% to almost 100% since moving to AWS as per their estimates.

Case study #3

*The content of the case study has been provided by AWS.

Company

Manipal Global Education Services (MaGE)

Project

MaGE uses AWS to save 25% on infrastructure

Project description

MaGE offers numerous services including corporate programmes, skills training, assessment services, certification programmes, student enrolment and placement services. Most of these are delivered online, and with the number of students growing every year, traffic to MaGE's web applications increased by up to 60% per year, with demand spiking exponentially during admission, examination, and result-publishing cycles. It is also the operator of university campuses in Malaysia, Antigua in the Caribbean, Dubai, and Nepal, and services and supports more than 400,000 learners, many of them through its award-winning technology platform, EduNxt™.

Challenges faced

Until 2013, MaGE hosted its applications in an on-premises data centre that could not meet its dynamic business needs. Application performance was a challenge, page-load time was slow, and availability was running at 98.5 to 99 percent with the business experiencing downtime of a few days per year. The company also identified a potential risk with its critical SAP system, which did not adequately provide for disaster recovery. In the event of a disaster, recovering the system would take a few weeks, which risked a significant business impact. Furthermore, the on-premise infrastructure was expensive and complex to maintain. Several team members were needed to configure and deploy infrastructure resources for new workloads, and scaling the data centre for growth could take several weeks, which restricted MaGE's ability to respond quickly to changing business needs.

Impact or potential impact

MaGE was convinced by the agility and elasticity that cloud computing provided and decided to build a robust and 'future-ready' technology platform to support business growth. Based on the success of the initial deployments, MaGE decided that the time was right to move to a 'cloud-first' strategy and began a massive shift to the cloud. MaGE has moved nine applications and systems – including campaign management and digital marketing, student management, learning management, assessment, and websites – into AWS. By early 2015, Manipal was running 70% of its workload in AWS and had adopted a policy that any new applications have to be delivered as a service from the cloud. The business is also running a disaster recovery environment for its SAP student management system within AWS. After moving to the AWS cloud, the availability of customer-facing applications and student services climbed to 99.9%, and page-load time fell by 30%, improving the end-user experience. The business now has the ability to recover from any disaster impacting their SAP environment in hours, minimising disruption to the business operations. While realising all these benefits, Manipal has also seen reductions in operational costs of around 20–25%.

Comments on scalability

During seasonal peaks, these systems handle 100,000 internal assessment uploads per day on EduNxt™, 450,000 result hits per day on the student portal for distance learning programmes, and three million hits on their website with around 10 TB of data transferred each month. MaGE is now operating a virtual data centre within AWS that can support sustained business growth and expansion, as well as maintain availability and performance when demand peaks occur during admission and exam periods. The business can scale the infrastructure up or down to manage seasonal peaks and only pays for the resources it consumes. With instant provisioning, the company is able to support new business demands within hours, compared to four to five weeks previously with the traditional data centre approach.

Case study #4

*The content of the case study has been provided by SAP.

Company

National Center for Tumor Diseases (NCT), Heidelberg University Hospital, Heidelberg (Germany)

Project

Gaining medical insights and enhancing cancer care for patients


Objectives

• Start treating cancer patients by establishing a protocol on Day 1 that is tailored to their specific genetic profile.

• Generate ideas for future trials based on analysis of patient attributes, including genetic variations and mutations.

• Extract biomarker data from patient evaluation letters written by physicians.

Why SAP HANA

• The SAP HANA® platform enables consolidation of and real-time access to various structured data sources, such as tumour documentation, medical records and clinical trials, in addition to unstructured data sources, such as physician evaluation letters, treatment guidelines, trial reports and medical publications.

• It offers fast, ad hoc reporting of treatment histories by patient attributes and survival rates from a central data warehouse.

Benefits

• Real-time identification of cancer types to enable the grouping of patients by relevant characteristics

• Insight into treatment response and outcome probability by diagnoses

• Detailed view of previous treatment activities, including, for example, diagnosis, chemotherapy, surgery, and home visits

• Real-time visibility into current and upcoming clinical trials to match patients for participation based on profile data and treatment needs

Achievement of objectives

• Faster diagnosis: More than 10,000 new patients evaluated each year since 2011

• Greater visibility: Detailed view of patient history extracted from both structured and unstructured data sources

• High data volume: 150,000 data sets in combination with 3.6 million data points successfully analysed during a proof of concept test

• Faster matching: Quickly match patients for participation in the right clinical studies.

Customer testimonial

• “The project showed that we could integrate various data sources, extract relevant information and present it to physicians in a way that enables surprising new insights. In the future, we would like to use SAP HANA at every diagnostic and therapeutic step, because every case of cancer is different and can vary immensely from one patient to the next.”

Dr. Christof von Kalle, Head, National Center for Tumor Diseases (NCT) Heidelberg

Case study #5

*The content of the case study has been provided by SAP.

Company

Sun Communities Inc., Southfield, Michigan (USA)

Project

Reducing manual processes for new hires

Business context

With a primary focus on creating exceptional on-site customer experiences, completing mandated onboarding requirements was not previously top of mind for hiring managers. Sun Communities was ready to break free from the challenges of manually onboarding new employees. What Sun needed was an onboarding solution that would be intuitive and accessible via mobile devices, would automate paperwork, and could also facilitate and track mandated training.

Objectives

• Build a foundation for success and make a positive impression with new employees.

• Complete new-hire processes and mandated training before employees start on the job.

• Integrate recruiting and onboarding data across the enterprise for a complete view of talent acquisition.

SAP Solution

• Implemented SAP SuccessFactors Onboarding

• Empowered new hires to complete requirements with user-friendly mobile tools

• Simplified complex systems and standardised processes with one solution for better overall HR efficiency

Why SAP SuccessFactors

• Strong, flexible, core HR foundation with SAP® SuccessFactors® HCM Suite from SuccessFactors, an SAP company

• Ability to combine the tactical components of onboarding, such as orientation, paperwork and compliance training, with strategic aspects that would set up new hires for success using the SAP SuccessFactors Onboarding solution

• Scalable software-as-a-service infrastructure in the cloud

Benefits

• More time for hiring managers to focus on productivity and customer service


Case study #5

*The content of the case study has been provided by SAP.


• Configurable workflows that consider geography and job functions to ensure proper forms, orientation, and compliance training are completed
• Mass onboarding process for the acquisition of properties that is simple, clear, and well organised
• Faster background checks with data integration

Achievement of objectives

• 100,000 USD in annual labour savings by reducing data entry on new hires
• 100% of paperwork for new hires completed before each employee's first day
• 100% completion rate for compliance-related training
• 6.5 weeks of annual person-hours saved by automating paperwork
• 48% faster statutory verification of employment eligibility (2.7 days down to 1.4 days)
• 29.4% faster average time to fill positions and reach productivity (34 days down to 24 days)

Customer quote

“New hires have access to our system within hours and can take courses and connect with the right people in our organisation. They are set up for success and can hit the ground running.”

Marc Farrugia, Vice President of Human Resources, Sun Communities Inc.


The Confederation of Indian Industry (CII) works to create and sustain an environment conducive to the development of India, partnering with industry, the government and civil society through advisory and consultative processes.

CII is a non-government, not-for-profit, industry-led and industry-managed organisation that plays a proactive role in India's development process. Founded in 1895, India's premier business association has over 8,000 members from the private as well as public sectors, including SMEs and MNCs, and an indirect membership of over 2,00,000 enterprises from around 240 national and regional sectoral industry bodies.

CII charts change by working closely with the government on policy issues, interfacing with thought leaders, and enhancing efficiency, competitiveness and business opportunities for industry through a range of specialised services and strategic global linkages. It also provides a platform for consensus building and networking on key issues.

Extending its agenda beyond business, CII assists industry in identifying and executing corporate citizenship programmes. Partnerships with civil society organisations carry forward corporate initiatives for integrated and inclusive development across diverse domains, including affirmative action, healthcare, education, livelihood, diversity management, skill development, empowerment of women and water.

The CII theme for 2016–17, Building National Competitiveness, emphasises industry's role in partnering with the government to accelerate competitiveness across sectors, with sustained global competitiveness as the goal. The focus is on six key enablers: human development, corporate integrity and good citizenship, ease of doing business, innovation and technical capability, sustainability, and integration with the world.

With 66 offices, including 9 Centres of Excellence, in India and 9 overseas offices in Australia, Bahrain, China, Egypt, France, Germany, Singapore, the UK, and USA, as well as institutional partnerships with 320 counterpart organisations in 106 countries, CII serves as a reference point for Indian industry and the international business community.

Confederation of Indian Industry

The Mantosh Sondhi Centre

23, Institutional Area, Lodi Road, New Delhi - 110 003 (India)

T: 91 11 45771000/24629994-7 | F: 91 11 24626149

E: [email protected] | W: www.cii.in

Reach us via our Membership Helpline: 00-91-11-435 46244 / 00-91-99104 46244 • CII Helpline Toll free No: 1800-103-1244

Follow us on: www.mycii.in | facebook.com/followcii | twitter.com/followcii