Compact Abril2012


  • 8/2/2019 Compact Abril2012


Compact_ International Edition, 2012, year 39, www.comp


IT Governance, Performance & Compliance. Order the hard-cover Compact international edition now on www.compact.nl/special/bestelformulier.htm

248 full-colour pages

ISBN 978-90-77487-64-8

The Compact journal has been appearing for almost 40 years. In the Dutch-speaking territories, Compact is the leading periodical in the fields of IT auditing and IT advisory services.

To make articles published in this journal available to a broader public, a number of the most important articles in the areas of IT governance, performance and compliance have been translated into English and published in this book. The articles were written by authors who are leading in their respective fields, and these authors have revised and updated the articles in question to accommodate the most recent developments.

The articles in this book from 2008 address the areas of IT Strategy & Governance, ERP Advisory, IT Attestation, IT Project Advisory, IT Security Services, IRM in the External Audit, and Regulatory & Compliance Services.

Compact_ 2012/0, Year 39, number 0

Compact is published by KPMG IT Advisory and Uitgeverij kleine Uil. This magazine is published 4 times a year.

The views expressed in this magazine are not the official views held by KPMG IT Advisory. Compact magazine is produced with the utmost care. It is possible, however, that the information contained within is not completely correct due to the passage of time and/or other causes. Neither KPMG, KPMG IT Advisory, nor the editors, nor Uitgeverij kleine Uil, accept any form of liability whatsoever for any direct or indirect consequences of the use of the information provided.

Editors: J.A.M. Donkers (editor in chief), B. Beugelaar, M.A. Francken, J.A.M. Hermans, D. Hofland, M.A.P. op het Veld, L.H. Westenberg

Editorial secretariat: Marloes Janssen, Jacqueline Hartman, Kai Hang Ho, [email protected]

Design, editing & typesetting: LINE UP boek en media bv, Groningen, the Netherlands

Reproduction of articles: Reproduction and circulation of articles and other textual items is allowed with the publisher's written consent.

ISSN 0920 1645

Contents

3 Strategic choices for data centers. Harry Boersen, Mark Butterhof, Stefan Peekel and Ruben de Wolf. Recent developments regarding data centers and the underlying choices that our clients make.

14 Access to the cloud. Edwin Sturrus, Jules Steevens and Willem Guensberg. Trust is often a major obstacle to the adoption of cloud services.

22 Social engineering: the art of deception. Matthieu Paques. Methods, purpose, and (often surprising) results of hacker tests.

30 Toward a successful Target Operating Model. Gerard Wijers, Rudolf Liefers and Oscar Halfhide. To govern outsourcing effectively, attention must be given to designing the right management model from the very first moment.

37 Adaptive IT service providers. Albert Plugge. An adaptive strategy will enable IT service providers to perform better for their customers.

43 A closer look at business transformation. Guido Dieperink and Jeroen Tegelaar. The concept of transformation, its characteristics, and guidelines for a successful finish.

Online: IT, a meaningful factor in the evolving health care sector. Stan Aldenhoven and Jan de Boer. Visit www.compact.nl for this article about the role that IT can play in tackling challenges like rising demand for better and cheaper care, personnel shortages, more privatization and merit pay.


From the editor-in-chief

Last year's enthusiastic response worldwide to our international Compact special was the incentive for us to publish an international edition again this year. To bring everyone up to date, first some background information on Compact. KPMG IT Advisory has been publishing Compact for 39 years now. What started as an internal magazine in the early seventies is now a leading magazine in the Dutch marketplace. As we run a mature IT advisory practice, we wish to share our insights with our worldwide clients, our current and future workforce, and the community. All articles are written personally by KPMG staff and our clients. We continue to be grateful that our staff and our clients are willing to share their expertise in this way.

We observe that the IT domain within organizations is still undergoing major developments. IT is not only regarded as an expense that is consistently under scrutiny, it is also increasingly expected to contribute to enhancing efficiency and optimizing operational processes. This is clearly evident during transformations, but we also encounter it in the annual discussion of the CIO agenda. It is obvious that, with reference to IT, the predominant credo is that success depends more than ever on the capability to adapt to changes in one's environment.

We see CFOs, COOs and CIOs struggling with an appropriate positioning of IT and, this being the case, our theme of "What's shaping the CIO agenda?", which has been featured in several issues of Compact, is more topical than ever.

I am very proud to present you with this international edition of Compact, which covers a selection of articles published in the Dutch Compact editions during the last year. In this form it is intended to give you an update on recent developments in some of the fields that we are working on with our clients. Of course, this edition contains only a selection of such developments. It is by no means intended to cover all of our activities.

I would like to thank all the authors as well as our editors and editorial secretariat for their contribution to this international edition of Compact. I trust that you will all greatly enjoy reading this publication, and we look forward to your feedback.

Hans Donkers, KPMG partner, editor-in-chief of Compact

Compact_

Subscriptions: 125,00 excl. VAT (132,50 incl. VAT) for an annual subscription. Single issues: 31,25 excl. VAT (33,13 incl. VAT). Students' subscriptions: 62,50 excl. VAT (66,25 incl. VAT) for an annual subscription. Subscriptions can be cancelled by letter not later than one month before the start of the new subscription year. If cancellations are too late, the subscription is automatically extended by one year. Note: Compact is published in Dutch. This is an international issue.

Administration of subscriptions: Compact, Aweg 4/1, 9718 CS Groningen, the Netherlands. Fax: +31 50 318 20 26. E-mail: [email protected]

All (temporary) changes of address must be notified at least 8 weeks before the date of issue.

Photography: Photos in this issue are placed with permission. Photographers: www.sxc.hu philipn (cover, p. 1, 2); www.sxc.hu yenhoon (p. 3); www.istockphoto Ints Vikmanis (p. 14); www.sxc.hu Nico1 (p. 22); www.sxc.hu zahal (p. 30); www.sxc.hu SailorJohn (p. 37); www.sxc.hu lizerixt (p. 43); Image bank KPMG (cover III).


H.J.M. Boersen is a consultant at KPMG IT Advisory. [email protected]

M.J. Butterhof is a senior manager at KPMG IT Advisory. [email protected]

S. Peekel is a manager at KPMG IT Advisory. [email protected]

R. de Wolf is a partner at KPMG IT Advisory. [email protected]

Strategic choices for data centers

Harry Boersen, Mark Butterhof, Stefan Peekel and Ruben de Wolf

The emergence of cloud computing and the technological and market developments that underlie this trend have prompted organizations to reevaluate their data center strategy. There is no magic formula that clearly points to modernization, redevelopment or outsourcing of data centers. The motivations for making these choices range from operational problems in legacy data centers to the promise of cloud computing lowering costs and providing greater flexibility and cost elasticity.

This article discusses the technical infrastructure in data centers and recent technological and market developments that have a significant impact on the strategic choices that our clients make about the future of their data centers. The central theme is "do more with less". Nonetheless, consolidation and migration of data centers come with significant costs and risks.

Introduction

Data centers are the ganglion hubs of the nervous system of our economy. In fact, almost all automated data processing systems are housed in data centers. Government and large enterprises alike are particularly dependent on these data-processing factories.

A data center comprises not only the building with the technical installations inside, but also the IT equipment within the building that is used for the processing, storing and transporting of data. Data centers have a useful life of ten to twenty years, while IT equipment must be replaced

about every five years. The investment for a midsize data center1 is at least one hundred million Euros. In contrast to the long lifetime of a data center, technological developments and business objectives evolve at an extremely high tempo. A data center strategy must focus on future requirements and the organization's capacity to change so it can adapt to these new technologies.

1 Midsize data center means a data center with a floor area of 5,000 square meters or more that is air-conditioned. Large data centers, usually for IT service providers, may have tens of thousands of square meters of air-conditioned floor space.

This article discusses recent technological and market developments that have a significant impact on the strategic choices that our clients make about the future of their data centers. We will also discuss the challenges that are encountered on the path to the consolidation and migration of existing data centers.

What is going on in the data center?

More than one quarter of the annual IT spending of large organizations is devoted to data centers. These costs are further divided up for the data center building and technical installations for power supply and cooling (together totaling eight percent) and server and storage devices (seventeen percent) ([Kapl08]). The economic crisis has put increasing pressure on IT budgets and investments, so that the data center has risen higher up on the CIO agenda ([Fria08]).

Figure 1 illustrates a greatly simplified layered model of a technical IT infrastructure. A distinction is made between the IT infrastructure that is physically concentrated in a data center (left), the decentralized IT infrastructure for commercial buildings such as workplace automation and process automation in industrial environments (right) and the network connections between the data center and distributed IT environments (middle).

Figure 1. Simplified model of an IT infrastructure. The IT infrastructure in the data center (left) is drawn as layers, from top to bottom:
- Applications: information systems, standard packages & customization
- Office automation: mail, file & print servers, software distribution
- Middleware and databases: directories, messaging systems, service bus, P2P interfaces
- Operating systems, virtualization: Windows, UNIX, midrange, mainframes, OS virtualization
- Server and storage hardware, virtualization: blade centers, SANs, storage and hardware virtualization
- Data center network and access points: core and storage network, redundant network segmentation
- Electrical, cooling and air conditioning: redundant electrical, switching and air conditioning technology
- Data center building and physical security: architectural elements, location, access security
- Public infrastructures for electricity, water and fuel
Monitoring, management and development tools span all layers. The middle column holds the connection services (WAN services, campus networks and wireless user networks); the right column holds the decentralized IT infrastructure (local office automation and decentralized KA facilities).

The sequence of the layers indicates that each layer is necessary for the layer above and that ideally technology choices can be made for each layer that are independent of the other layers. The free market system and open standards mean that several technological solutions for each infrastructure layer are available on the market that offer the same functionality. Consider, for example, the industry standards that support specific design formats for IT equipment and equipment racks, standard data transport protocols such as Ethernet and TCP/IP on different platforms, storage protocols like CIFS, NFS and iSCSI, and middleware solutions, databases and applications on the various vendor platforms.

A data center includes one or more buildings with technical installations for power and cooling of a framework of network, storage and server equipment. These devices run hundreds to thousands of software applications, such as operating systems, databases, and customized or standard software applications. The data center is connected via (fiber) networks to other data centers, office locations or production facilities.

With decentralized IT environments, the IT equipment intended for end users or production sites must be close at hand. Given the small size and the decentralized nature of these spaces we do not refer to these as data centers but as Main and Satellite Equipment Rooms (MERs, SERs).

The technical installations and IT infrastructure in data centers are primarily dependent on the reliable supply of electricity, and also dependent on the provision of water for cooling and fuel for emergency power supplies.

Technological developments

This section discusses some recent technological developments that have a significant impact on the strategic choices that our clients make about the future of their data centers.

Virtualization

The virtualization of server hardware and operating systems has a huge impact on how data centers are designed and managed. Using virtualization, it is possible to consolidate multiple physical servers into one powerful physical server running multiple operating systems, or instances of the same operating system, as logical servers in parallel. The motivation to use virtualization comes from research showing that, averaged over time, the load experienced on servers is about twenty percent and on web servers about 7.4 percent ([Barr0…], [Meis09]). The crux of virtualization is to greatly increase the utilization of IT equipment and in particular servers.
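The consolidation ratio that virtualization yields depends on the measured load of each server and on how much headroom the cluster keeps, not on a fixed rule of thumb. The following Python script is an added example, not code from the article or its authors: it packs the measured load of legacy physical servers onto identical virtualization hosts, caps each host at the roughly eighty percent utilization the article reports for virtual clusters, appends N+1 spare hosts, and checks that the guests of any single failed host could be re-placed on the survivors. The server inventory (twelve 4-core boxes at the cited 7.4 and 20 percent load, plus two heavier databases) and the host size are constructed assumptions.

```python
"""Server consolidation planner (added example; inventory and host size are
constructed assumptions, not data from the article)."""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Workload:
    """Load a legacy server actually exerts, assumed measured over time."""
    name: str
    cpu_cores: float  # cores busy on average, e.g. 4 cores at 20% = 0.8
    mem_gb: float     # memory the guest really needs


@dataclass
class Host:
    cpu_cores: float
    mem_gb: float
    guests: List[Workload] = field(default_factory=list)

    def cpu_used(self) -> float:
        return sum(w.cpu_cores for w in self.guests)

    def mem_used(self) -> float:
        return sum(w.mem_gb for w in self.guests)

    def fits(self, w: Workload, target_util: float) -> bool:
        """Room for w without exceeding target_util of cores and memory."""
        return (self.cpu_used() + w.cpu_cores <= self.cpu_cores * target_util
                and self.mem_used() + w.mem_gb <= self.mem_gb * target_util)


def _place(w: Workload, hosts: List[Host], target_util: float) -> bool:
    """First-fit: put w on the first host with room; False if none has."""
    for h in hosts:
        if h.fits(w, target_util):
            h.guests.append(w)
            return True
    return False


def plan(workloads: List[Workload], host_cores: float, host_mem_gb: float,
         target_util: float = 0.8, n_plus: int = 1) -> Tuple[List[Host], float]:
    """First-fit-decreasing packing onto identical hosts.

    target_util caps every host at a fraction of its cores and memory (the
    article quotes about 80% utilization for a virtual cluster); n_plus empty
    hosts are appended so one host can fail or be serviced without evicting
    guests.  Returns (hosts, consolidation ratio = servers per host).
    """
    # Largest guest first, measured by whichever resource share is bigger.
    order = sorted(workloads, reverse=True,
                   key=lambda w: max(w.cpu_cores / host_cores, w.mem_gb / host_mem_gb))
    hosts: List[Host] = []
    for w in order:
        if w.cpu_cores > host_cores * target_util or w.mem_gb > host_mem_gb * target_util:
            raise ValueError(f"{w.name} exceeds one host's cap; keep it physical or choose bigger hosts")
        if not _place(w, hosts, target_util):
            hosts.append(Host(host_cores, host_mem_gb, [w]))
    hosts += [Host(host_cores, host_mem_gb) for _ in range(n_plus)]
    return hosts, len(workloads) / len(hosts)


def survives_loss_of_one(hosts: List[Host], target_util: float = 0.8) -> bool:
    """True if, for every host, its guests can be re-placed on the remaining
    hosts without breaching the cap, i.e. the cluster tolerates one host loss."""
    for lost in hosts:
        survivors = [Host(h.cpu_cores, h.mem_gb, list(h.guests)) for h in hosts if h is not lost]
        for w in sorted(lost.guests, key=lambda w: w.mem_gb, reverse=True):
            if not _place(w, survivors, target_util):
                return False
    return True


# Constructed inventory: twelve 4-core boxes loaded as the cited research
# suggests (web servers ~7.4% busy, others ~20%), plus two heavier databases.
SAMPLE_WORKLOADS = (
    [Workload(f"web{i:02d}", 0.3, 4) for i in range(1, 7)]
    + [Workload(f"app{i:02d}", 0.8, 8) for i in range(1, 5)]
    + [Workload("db01", 3.0, 48), Workload("db02", 2.5, 32)]
)

if __name__ == "__main__":
    hosts, ratio = plan(SAMPLE_WORKLOADS, host_cores=16, host_mem_gb=96)
    for i, h in enumerate(hosts, 1):
        print(f"host{i}: {h.cpu_used():.1f}/{h.cpu_cores} cores, "
              f"{h.mem_used():.0f}/{h.mem_gb} GB, guests={[w.name for w in h.guests]}")
    print(f"consolidation ratio {ratio:.1f}:1, "
          f"tolerates one host loss: {survives_loss_of_one(hosts)}")
```

With the constructed inventory the packing is memory-bound, not CPU-bound: the two hosts that hold the guests use well under half their cores, which is why the ratio comes out at 4:1 rather than the 25:1 ceiling the text mentions. Dropping the spare host (n_plus=0) raises the ratio but the cluster then no longer survives losing a host, which is the trade-off a strategy has to make explicit.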


Figure 2 illustrates how two physical servers can be consolidated into one physical server using virtualization techniques.

Figure 2. Virtualization makes it possible to consolidate logical servers on one physical platform. Left: two physical servers, each running its own operating system and application on its own server hardware. Right: one physical server on which virtualization software presents two sets of virtual hardware, each again running an operating system and an application.

Virtualization greatly reduces the required number of physical servers. Up to twenty-five servers can be virtualized on one physical server, depending on the nature of the applications running on these servers. The use of virtualization can cause a substantial drop in data center operational costs, because the management effort required is significantly reduced by having a factor of five to twenty fewer physical servers. However, this requires significant investment and migration efforts. The data center strategy must evaluate the magnitude of the investment in virtualization technology and the migration of existing servers to virtual servers.

Data storage systems and Storage Area Networks

In recent years, data storage has become fully decoupled from servers through the centralizing of storage and servers using a Storage Area Network (SAN). The SAN is a dedicated network between servers and data storage. These data storage systems contain large numbers of hard disks and are equipped with specialized technologies for efficient redundant data storage.2

This centralization of data storage is transparent to the IT infrastructure layers that rest on it. This means that the operating system or application is unaware that the data is stored centrally via the SAN system (see also the notes to Figure 1). If data storage systems in various data center locations are connected via a SAN, disk writes can be replicated in real time across multiple locations. Centralization of storage systems has considerably increased the utilization of the capacity of these systems.

2 RAID is an abbreviation of Redundant Array of Independent Disks and is the name given to the methodology for physically storing data on hard disks where the data is spread across disks, stored on more than one disk, or both, so as to protect against data loss and/or boost data retrieval speed. Source: http://nl.wikipedia.org/wiki/Redundant_Array_of_Independent_Disks

Combined with server virtualization, SANs not only allow the quick replication of data to multiple locations, but also allow simple replication of virtual servers from one location to another. The article "Business continuity using Storage Area Networks" in this Compact looks at SANs in depth as an alternative to tape-based data backup systems.

SANs and central storage equipment are among the most expensive components within the IT infrastructure. A data center strategy should therefore evaluate the investments in data storage systems and the associated qualitative and quantitative advantages.

Cloud computing

By cloud computing is meant a delivery model providing IT infrastructure and application management services via the Internet. Cloud computing is not so much a technological development in itself. Cloud computing is made possible through a combination of technological developments, including flexible availability of network bandwidth, virtualization and SANs.

The main advantages of cloud computing are the shift from investments in infrastructure to operational costs for the rental of cloud services (from capex to opex), transparency in costs (pay per use), the consumption of IT infrastructure services according to real needs (elasticity) and the high efficiency and speed with which infrastructure services are delivered (rapid deployment by fully automated management processes and self-service portals).

Cloud computing differs from traditional IT with respect to the following characteristics ([Herm10]):
- multi-tenancy (IT infrastructure is shared across multiple customers)
- rental services (the use of IT resources is separated from the ownership of IT assets)
- elasticity (capacity can be immediately scaled up and down as needed)
- external storage (data is usually stored externally, at the supplier)

A cloud computing provider must have sufficient processing, storage and transportation capacity available to handle increasing customer demand for capacity as it occurs. In practice, the maximum upscaling is limited to a percentage of the total capacity of the cloud, which imposes an upward limit on elasticity.

Figure 3 illustrates the variety of forms of cloud services. The main difference between the traditional model of in-house data centers and a private cloud is the flexibility that the private cloud allows. The private cloud makes use


of standardized hardware platforms, high availability and capacity, virtualization and flexible software licensing, where operational costs are partly dependent on the actual use of the IT infrastructure. The private cloud is not shared with other customers and the data is located on site. In addition, access to the private cloud is not via the Internet; the network infrastructure of the organization itself can be used. According to cloud purists, one cannot speak of cloud computing in this case.

Figure 3. Overview of different types of cloud services ([Herm10]). Internal private cloud: the IT department of customer A delivers the service to its own organization over the internal network. External private cloud: an IT provider delivers a service to each of customers A, B and C over the Internet, on infrastructure that is not shared between them. Public cloud: the provider delivers services to customers A, B and C over the Internet from shared IT infrastructure.

The internal private cloud uses the same technologies and delivery models as the external private and public cloud, but without the risk of primary data storage being accessed by a third party. The cost of an internal private cloud may be higher than the other types. Nonetheless, for many organizations, the need to meet privacy and data protection directives outweighs the potential cost savings of using the external private or public cloud.

The data center strategy should provide direction on when and which IT applications will be deployed via cloud services. Subsequently, it will not be necessary to reserve capacity for these applications in your own data centers.

New style of Disaster Recovery

Two thirds of all organizations have a data center that serves as a backup site for the primary data center in case of a serious IT disaster. This is called a Disaster Recovery Site. Half of these organizations own such a data center themselves ([Bala07]). This means that about one third of all organizations have no alternate location and that the other organizations have invested in their own facilities or rent from an IT service provider.

The cost for these fall-back facilities is relatively high. This is primarily because of the extremely low utilization of capacity. The previously described technological developments offer cost-effective alternatives for a disaster recovery set-up.

A high degree of virtualization and a fast fiber optic network between two data center locations (twin data center) are the main ingredients for guaranteeing a high level of availability and continuity. Virtualization allows an application to run in parallel without allocating the processing capacity on the backup site that would normally be needed to run it. In a twin data center, synchronization occurs 24/7 for the data and several times a day for the applications. In the event of a disaster, processing capacity must be rapidly ramped up and allocated for the respective application(s) at the backup site and the users redirected accordingly.

The twin data center concept is not new. The Parallel Sysplex technology from IBM has been available for decades. This allows a mainframe to be set up as a cluster of two or more mainframes at sites that are miles apart. The mainframes then operate as a single logical mainframe that synchronizes both the data and processing between both locations. A twin data center also allows you to implement Unix and Windows platforms twice without incurring double costs.


Cloud computing providers also offer specific services for disaster recovery purposes. An example of a Disaster Recovery service in the cloud is remote backup. These backups are no longer written to tape, but stored at an external location of a cloud provider. These backups can be restored at any location where there is an Internet connection.

Cost-effective Disaster Recovery is high on the CIO agenda and thus is a strong motivation to invest in data centers and cloud initiatives. Accordingly, a data center strategy should pay appropriate attention to how data center investments address the issue of Disaster Recovery.

High-density devices

Virtualization allows the consolidation of a large number of physical servers on a single (logical) powerful server. The utilization of this powerful server is significantly higher than on separate physical servers (on average eighty percent for a virtual cluster of servers versus twenty percent for a single server). This means that a highly virtualized data center has significantly higher processing capacity per square meter. In recent years, the various hardware vendors have introduced increasingly larger and more powerful servers, such as the IBM Power 795, Oracle Sun M8000/M9000 and HP 9000 Superdome. In the last twenty years, there was a shift from mainframe data processing to more compact servers. It now seems there is a reverse trend toward so-called high-density devices.

A direct consequence is a higher energy requirement per square meter, not just to sustain these powerful servers but also to cool them. Existing data centers cannot always provide the higher power and cooling requirements, so the available space is not optimally utilized. In addition, the weight of such systems is such that the bearing capacity of floors in data centers is not always sufficient and it may be necessary to strengthen the raised computer floor.

This makes it a challenge for data center operators to balance the increasing density of the physical concentration of IT equipment and virtualization with the available power, cooling and floor capacity. The paradox is that the use of cost-effective virtualization techniques means that the limits of existing data centers are quickly approached, and this gives rise to additional costs ([Data]).

A data center strategy must allow for the prospect of placing high-density devices in existing or new data centers.

Data center in a box

The concept of a "data center in a box" refers to the development where processing, storage and network equipment is clustered into logical units. Such a cluster is created by linking racks of equipment together that have redundant provisions for guaranteeing power and cooling. A data center in a box can also be constructed in existing data centers. The equipment, power and cooling are harmonized such that high-density devices can be placed in old-fashioned data centers.

The advantage of this concept is that physical changes are not required after the one-off installation of the cluster technology until the maximum processing or storage capacity is reached. This allows most management activities to be carried out entirely remotely.

A fitting example of a data center in a box is container-based computing, where just such a cluster is built into a 20 or 40 foot shipping container. Similar mini data centers have been used for many years by the military as temporary facilities for use at remote locations. A more recent development is the use of mini data centers in shipping containers as modules in a large scalable data center. A few years ago, Google even applied for a patent for this method ([Goog10]).

A data center strategy should indicate what contribution there will be from the data center in a box concept.

Automation of IT operations processes

A significant portion of the costs to operate a data center is for personnel. In addition, the extensive automation of deployment processes reduces the completion cycle of IT projects from months to weeks.

There is a noticeably strong trend to extensively automate IT operations processes in the data center. This also includes traditional management tools (workflow tooling for ITIL3 administration processes and the CMDB4) integrated with tools for the modeling of the relationship between business processes, applications and the underlying IT infrastructure (Business/IT alignment), performance monitoring, automated testing, IT costs and resource planning, IT project and program planning, security testing and much more. An example of such an IT operations tool suite is HP's Business Technology Optimization (HP BTO) ([HPIT]).

3 Information Technology Infrastructure Library, usually abbreviated to ITIL, was developed as a reference framework for setting up management processes in an IT organization. http://nl.wikipedia.org/wiki/Information_Technology_Infrastructure_Library

4 CMDB: Configuration Management Database, a collection of data where information relating to Configuration Items (CIs) is recorded and administered. The CMDB is the fulcrum of the ITIL management processes.


    Ciscos data center vision ([Cisc]) species

    increased exibility and operational ecien

    and the breaking apart o traditional application silos. Cisco species a prerequisite, nam

    ly, the improvement o risk management an

    compliance processes in data centers to guar

    tee the integrity and security o data in virtuenvironments. Cisco outlines a developmen

    path or data centers with a highly heteroge

    neous IT inrastructure going through several stages o

    consolidation, standardization, automation o administtion and sel-service leading to cloud computing.

    IBM uses modularity to increase the stability and ex-

    ibility o data centers ([IBM10]) (pay as you grow). The

    aim is to bring down both investment and operationalcosts to a minimum. Reducing energy consumption is

    also an important theme or IBM because much o the

    investment and operational costs aecting the constru

    tion o a data center are energy related. IBM estimates thapproximately sixty percent o the investment in a data

    center (particularly the technical installations or cooli

    and redundant power supplies) and y to seventy-ve

    percent o non-personnel operating costs (power consution by data center and IT equipment) or a data center a

    energy related. According to IBM, the increasing energy

    demands o IT equipment requires data center designs t

    anticipate a doubling or tripling o energy needs over th

    lietime o a data center.

    Just like Cisco, Hewlett Packard (HP) has identied a de

    opment path or data centers ([HPDa]) where there is a s

    rom application-specic IT hardware to shared servicebased on virtual platorms and automated managemen

    and then onto service oriented data centers and cloud

    computing. In this context, HP promotes its Data Cente

    Transormation (DCT) concept as an integrated set oprojects or the consolidation, virtualization and proces

    automation within data centers.

    The common thread in these market developments is

    reduction in operational costs, increased exibility andstability o data center services by reducing the complex

    o the IT inrastructure and a strong commitment to vi

    alization and energy-ecient technologies. Cloud comp

    ing is seen as a logical next step in the consolidation andvirtualization o data centers.

The extensive automation of IT operations processes and the use of central storage and virtualization enable IT organizations to manage data centers with a minimum of personnel. Only the external hardware vendors still need physical access to the computer floors in the data center, and only within tight maintenance windows. Otherwise, the data center floor is unmanned. This is called the lights-out principle because the absence of personnel in the data center means that the lighting can be practically turned off permanently. Again, this is not a new concept. Nonetheless, the use of central storage and virtualization reduces the number of physical operations on the data center floor to a minimum, which brings us a great deal closer to the lights-out principle.

The automation of IT operations processes has far-reaching implications for the operational procedures, competencies and formation of IT departments. This should receive sufficient attention in the data center strategy.

Market developments

This section discusses the future of data centers as seen by several trendsetting vendors of IT services and solutions. IT service providers such as Atos Origin define their data center vision so as to enable them to better meet the needs of their customers. Atos Origin defines the following initiatives in its data center vision ([Atos]):

- reduction in costs and faster return on investment
- quicker response to (changing) business requirements (agility)
- availability: the requirement has grown to 24/7 forever
- security and continuity: increased awareness, partly due to terrorist threats
- compliance: satisfy industry and government mandated standards
- increase in density requirements: the ability to manage high-density systems that have vigorously increasing energy consumption and heat production
- increase in energy efficiency: utilization of more energy-efficient IT hardware and cooling techniques

Challenges in data center consolidation

Data center consolidation is all about bringing together a multitude of outdated and inefficient data centers and computer rooms into one or a limited number of modern green data centers. At first glance, this seems like a technical problem involving not much more than an IT relocation. Nothing is further from the truth. Organizations are struggling with questions such as: How do we involve the process owners in making informed decisions? Do we understand our IT infrastructure well enough to carry this out in a planned and controlled manner? How do I limit the risks of disruption during the migration? How large must the new data center be to be ready for the future? Or should we just take the step to the cloud? What are the investment costs and the expected savings from a data center consolidation path?

In brief, it is not easy to prove that the benefits of data center consolidation outweigh the costs and risks. In the next section, we briefly discuss the challenges associated with data center consolidation and the migration of IT applications between data centers.

Data center consolidation risks

Data center consolidation requires a large number of well-managed migrations within a short period of time. Simultaneously, the shop must remain open. This makes these endeavors highly complex and inherently risky:

- The time available for a migration phase to complete is limited and brief. High availability requirements force migrations to be carried out within a limited number of weekends in a year.
- The migration or relocation of applications in a way that does not jeopardize data or production requires sophisticated fall-back scenarios. These fall-back scenarios add complexity to the migration plans and usually halve the time in which migrations can be carried out.
- The larger the scale of migrations, the greater the complexity. The complexity of migration scenarios increases with the number of underlying technical components and the number of hardware, application and management service vendors. This increases the risk incurred through lack of oversight and of making outright mistakes.

In the following sections, we look at mitigation measures within the migration method and organization that reduce the risks of data center migrations to a manageable level.

Reducing project risks

The complexity of a data center migration makes it critical that the migration project be set up in a structured manner to reduce risk. The goal of this process is to identify risks in a continuous, proactive and uniform way during the project, weigh them in a consistent manner, and proactively manage them using the realized mitigation measures.

A typical data center migration project consists of a thorough analysis of the environment to be migrated, thorough preparation in which the IT infrastructure is broken into logical infrastructure components that will each be migrated as a whole, and subprojects for the migration of each of the logical infrastructure components. Each migration project requires the development of migration plans and fall-back scenarios, the performance of automated tests, and the comprehensive testing of each scenario. In fact, comprehensive testing and dry runs of the migration plans in advance significantly reduce the likelihood of the need for a fall-back during the migration.

Minute-to-minute plans must be drawn up because of the importance of performing all actions in the correct sequence or simultaneously. Examples of such actions are the deactivating and reactivating of hardware and software components. The scale and complexity of these plans require that they be supported by automated tools that resemble the management of real-time processes in a factory.

Reducing migration risks

There are different methods involved in the migration of applications and technical infrastructure. Each of these methods is illustrated in Figure 4 along with a brief listing of their advantages and disadvantages.

A physical move, the lift and shift method, has the inherent risk that device hardware failures may arise during deactivation, transport and reactivation. If these hardware failures cannot be resolved quickly, there is no fall-back scenario to rely on.

In a physical migration (P2P), an equivalent IT infrastructure is built at site B and the data and copies of the system configurations are transferred via a network migration. The advantage of this method is the relative ease of migration. The disadvantage is that there is no technological progress and thus no efficiency advantages such as the higher utilization of servers and storage systems.

In the virtualization approach (P2V), a virtualization platform is built at the new location B and the applications are virtualized and tested. The actual data is then migrated over the network. The disadvantage of this scenario is the uncertainty introduced because all applications will be virtualized. Changes in the production application at location A must also be performed in the virtualized environment at site B. The advantage is that a significant improvement in efficiency can be achieved because the same applications will need significantly less hardware after the migration.

The virtual migration (V2V) assumes a high degree of virtualization at location A, so it is fairly simple to transfer data and applications to a similar virtualization platform at location B. This migration approach is similar to how a twin data center replicates applications and data across several sites. The disadvantage of this method is that not all applications are virtualized.

In practice, a combination of these migration methods is used depending on the nature of the platform that needs to be rehoused.

Figure 4. Data center migration methods, advantages and disadvantages.
- Physical relocation, lift and shift: existing hardware is physically relocated. Advantage: cost-efficient approach. Disadvantages: no fall-back scenario; risk of damage via cooling off, (dis)assembly and transport.
- Physical relocation, physical to physical (P2P): equivalent hardware is built at location B; applications and data are transferred by network migration; fall-back scenario: revert to the old environment. Advantage: fall-back scenario. Disadvantage: no technological progress.
- Virtualization, physical to virtual (P2V): a virtualization platform is built at location B; data with virtualized applications is transferred by network migration; fall-back scenario: revert to the old environment. Advantages: fall-back scenario, technological progress, simple migration. Disadvantages: virtualization involves a huge effort; relatively costly approach.
- Virtual migration, virtual to virtual (V2V): an equivalent virtualization platform is built at location B; virtual applications and data are transferred by network migration; fall-back scenario: revert to the old environment. Advantages: fall-back scenario, extremely simple migration. Disadvantage: the IT infrastructure is never 100% virtualized.

Cost-benefit assessments

Choosing the right mix of migration methods requires finding a balance between migration costs and risks. Heavily reducing the migration risks could lead to an outcome where the same technical standards are used as before the migration. This limits the possibility of achieving cost and efficiency benefits from technological advances. Ideally, the technical architecture of the environment after the migration aligns well with the technical standards of the IT management organization. If the data center management is outsourced, then alignment should be sought with the factory standards of the IT service provider.

Managing too strictly on the basis of reducing migration risks will lead to disappointment regarding the operational cost savings after the migration because there is insufficient alignment with the service provider standards. The migration scenario is thus a trade-off between an acceptable migration risk, the requirements dictated by an application such as by the CIA classification (Confidentiality, Integrity, Availability), and the costs involved in the migration itself and the operational phase afterwards.

What data center strategy is suitable for your organization?

The technological and market developments described in this article may lead to a reevaluation of the existing data center strategy. One can construct a new data center, redevelop the existing data center, partially or entirely host IT infrastructure with a third party, or, in combination with hosting of infrastructure, also make use of cloud computing services. By way of explanation, we have selected three possibilities for making choices in data center strategies.

1. Constructing your own data center

Constructing large new data centers is a trend that is particularly noticeable with contemporary Internet giants such as Apple, Google and Facebook. Even though renting space from IT providers is relatively simple, the trend of constructing one's own data centers continues. Enterprises no longer want to be constrained by restrictions that may result from the placement of IT equipment with a third party. In addition, organizations no longer want to be dependent on service agreements, hidden limitations in the services provided, or the "everything at additional cost" formula.

Another consideration when building your own data center is that organizations still want to keep their own data close at hand. This is apparent not just from the popularity of private clouds, but also from the fact that many organizations are still struggling with concerns about security and control over the underlying infrastructure. This is why organizations that predominantly earn their revenue by providing web services or IT support services would rather remain the owner of the entire IT infrastructure, including the data center.

Cost considerations also play a significant role in the choice to construct a new data center. Although the utilization of housing and hosting services of third parties at first seems financially attractive, organizations always want to convert recurring monthly expenses into revenue. This is especially true if the return on investment is greater by doing it yourself than by utilizing housing and hosting.

Green IT is a major development that affects the choice to construct a new data center. This is especially true for large-scale utilization of data center facilities. For many organizations, the choice of constructing and owning a data center is more efficient and cost effective than that of utilizing a provider.

2. Redevelopment of an existing data center

Although the redevelopment of an existing data center may at first appear to be lower in cost, redevelopment can quickly turn into a hugely complex project and eventually cost millions more than a new construction project. The complexity arises mainly because the IT infrastructure must remain available while the redevelopment of the data center space takes place. Work activities often take place close to the expensive hardware that is sensitive to vibration, dust and temperature fluctuations. In addition, staff of one or more contractors have access to the data center where the confidential information of the organization is stored, and this gives rise to additional security risks.

Nevertheless, the redevelopment of an existing data center also has advantages. Redevelopment does not require a detailed migration plan for moving hardware from location A to location B. Sometimes decisions go beyond just cost considerations and technology motivations. If management of an organization believes in maintaining a competitive advantage by keeping the data center at the headquarters location, management will be considerably less likely to build a new data center at a new location.

3. Outsourcing (parts of) the IT infrastructure or using cloud services

Outsourcing (parts of) the IT infrastructure can also be a consideration in avoiding new construction or redevelopment costs. However, the outsourcing of IT can cost just as much if not more. Many organizations consider cloud services from third parties because they believe that there will be significant cost savings. In fact, the time-to-market is relatively short because there is no need for hardware selection and installation projects. However, recent research shows that outsourcing where new technology is used does not necessarily reduce costs and deliver flexibility, in contrast to construction or redevelopment of your own data center ([Koss10]).

Conclusions

Our experience shows that there is no magic formula that clearly points to modernization, redevelopment or outsourcing of data centers. The principles of a good data center strategy should be aligned with business objectives, investment opportunity, and the risk appetite of the organization. The technological and market developments described in this article make long-term decisions necessary. The central theme is "do more with less". With less, in the sense of consolidating data centers and server farms with server virtualization. This also means that the same processing capacity requires less energy. Do more, in the sense of more processing capacity for the same money and new opportunities to accommodate Disaster Recovery in existing data centers.

These innovations require large-scale migration within and between data centers, and this is coupled with significant investment, costs and migration risks. To reduce these risks to an acceptable level, proper assessments must be made of the costs and risks taken during the migration and during the operational phase after migration. The article draws from experience and provides a few examples of data center strategies, namely, the construction of a new data center, the redevelopment of an existing data center and the outsourcing of data center activities.

Examples of data center strategies

Data center strategy within the National Government

In the letter Minister Donner sent to the House on 14 February 2011 ([Rijk]), he announced that within the scope of the Government Reduction Program, the number of data centers of the central government would be drastically reduced from more than sixty to four or five. Such a large-scale consolidation of data centers had not previously been carried out in the Netherlands. This involved many departments, benefits agencies and a large number of data centers working with European or international standards. It was a singular challenge. Edgar Heijmans, the program manager of Consolidation Datacenters, states ([Heijm]) that this is a necessary step toward the use of cloud services within the national government. In the long-term plan for the chosen approach, he identified the steps: common data center housing, common data center hosting and finally the sharing of an application store in a government cloud. KPMG has been involved both in preparing the business case for data center consolidation for the government and in a comprehensive analysis of the opportunities and risks of cloud computing within the state.

International bank and insurer

An international bank-insurer combination had a data center strategy where about fifteen data centers in the Benelux would be consolidated into three modern, newly constructed data centers. Some years ago when this strategy was formed, it was not yet known that the crisis in the financial sector meant growth projections would have to be revised downwards, or that, in 2010, the banking and insurance activities would be split into two separate companies. The crisis and the division had a significant impact on the business case for the planned data center consolidation. KPMG was involved with an international team in the reassessment of the data center strategy and the underlying business case.

European insurer

A few years back, when this major insurance company outsourced its IT infrastructure management activities to a number of providers, it was already known that its data centers were outdated. The insurer had experienced all sorts of technical problems, from leaky cooling systems to weekly power outages. The strategy of this insurer was to accommodate the entire IT infrastructure in the data centers of the provider in the Netherlands and Germany. The migration of such a complex IT infrastructure, however, required a detailed understanding of the relationship between the critical business chains, applications and underlying technological infrastructure. At the time of the release of this Compact, this insurer is completing the project that will empty its existing data centers and move these to its data center provider. They have chosen to virtualize existing systems and to carry out the virtual relocation of the systems and associated data in a limited number of weekends. KPMG was brought into this project to set up the risk management process.

References

[Atos] http://www.atosorigin.com/en-us/services/solutions/atos_tm_infrastructure_solutions/data_center_strategy/default.htm.

[Bala07] Balaouras, Schreck and Forrester, Maximizing Data Center Investments for Disaster Recovery And Business Resiliency, October 2007.

[Barr07] L.A. Barroso and U. Hölzle, The Case for Energy-Proportional Computing, Google, IEEE Computer Society, December 2007.

[Cisc] Cisco Cloud Computing Data Center Strategy, Architecture and Solutions, http://www.cisco.com/web/strategy/docs/gov/CiscoCloudComputing_WP.pdf.

[Data] Data Center Optimization, Beware of the Power Density Paradox, http://www.transitionaldata.com/insights/TDS_DC_Optimization_Power_Density_Paradox_White_Paper.pdf.

[Fria08] Friar, Covello and Bingham, Goldman Sachs IT Spend Survey 2008, Goldman Sachs Global Investment Research.

[Goog10] Google Patents Tower of Containers, Data Center Knowledge, June 18th, 2010, http://www.datacenterknowledge.com/archives/2010/06/18/google-patents-tower-of-containers/.

[Heijm] http://www.digitaalbestuurcongres.nl/Uploads/Files/T05_20-_20Heijmans_20_28BZK_29_20-_20Consolidatie_20Datacenters.pdf.

[Herm10] J.A.M. Hermans, W.S. Chung and W.A. Guensberg, De overheid in de wolken? De plaats van cloud computing in de publieke sector (Government in the clouds? The place for cloud computing in the public sector), Compact 2010/4.

[HPDa] HP Data Center Transformation strategies and solutions, Go from managing unpredictability to making the most of it: http://h20195.www2.hp.com/v2/GetPDF.aspx/4AA1-6781ENW.pdf.

[HPIT] http://en.wikipedia.org/wiki/HP_IT_Management_Software.

[IBM10] Modular data centers: providing operational dexterity for an increasingly complex world, IBM Global Technology Services, November 2010, ftp://public.dhe.ibm.com/common/ssi/ecm/en/gtw03022usen/GTW03022USEN.PDF.

[Kapl08] Kaplan, Forrest and Kindler, Revolutionizing Data Center Energy Efficiency, McKinsey & Company, July 2008: http://www.mckinsey.com/clientservice/bto/pointofview/pdf/Revolutionizing_Data_Center_Efficiency.pdf.

[Koss10] D. Kossmann, T. Kraska and S. Loesing, An evaluation of alternative architectures for transaction processing in the cloud, ETH Zurich, June 2010.

[Meis09] D. Meisner, B.T. Gold and T.F. Wenisch, PowerNap: Eliminating Server Idle Power, ASPLOS '09, Washington DC, USA, March 2009.

[Rijk] http://www.rijksoverheid.nl/bestanden/documenten-en-publicaties/kamerstukken/2011/02/14/kamerbrief-uitvoeringsprogramma-compacte-rijksdienst/1-brief-aan-tk-compacte-rijksdienst.pdf.

About the authors

H.J.M. Boersen is a consultant in the Infrastructure and Architecture service line of KPMG Advisory. He is involved in consulting assignments and audits related to IT infrastructure. He recently completed assignments within the context of data center consolidations, relocations, audits and stability problems in large IT landscapes.

M.J. Butterhof is a senior manager in the Infrastructure and Architecture service line of KPMG Advisory. His responsibilities include advisory assignments in the area of IT organizations, IT infrastructure, data centers and IT management processes.

S. Peekel is a manager in the Infrastructure and Architecture service line of KPMG Advisory. He is often involved in audits and consulting assignments in the context of performance and stability issues within IT infrastructures, management of IT organizations and environments, and preparing various types of IT business cases.

R. de Wolf is a partner at KPMG responsible for services in the area of IT infrastructure and Enterprise Architecture. As a lecturer, he is involved in the Executive Masters program specializing in IT Auditing (EMITA) at the University of Amsterdam.

Access to the cloud
Identity and Access Management for cloud computing
Edwin Sturrus, Jules Steevens and Willem Guensberg

Cloud computing is maturing past the hype stage and is considered by many organizations to be the successor to much of the traditional on-premise IT infrastructure. However, recent research among numerous organizations indicates that the security of cloud computing, and the lack of trust therein, are the biggest obstacles to adoption. Managing access rights to applications and data is increasingly important, especially as the number and complexity of laws and regulations grow. Control of access rights plays a unique role in cloud computing, because the data is no longer stored on devices managed by the organizations owning the data. This article investigates and outlines the challenges and opportunities arising from Identity and Access Management (IAM) in a cloud computing environment.

E. Sturrus works as a consultant at KPMG IT Advisory. [email protected]

J.J.C. Steevens works as a consultant at KPMG IT Advisory. [email protected]

W.A. Guensberg is a partner at Label A. [email protected]

Introduction

In recent years, cloud computing has evolved from relatively simple web applications, like Hotmail and Gmail, into commercial propositions such as SalesForce.com and Microsoft Office 365. Research shows that most organizations currently see cloud computing as the IT model of the future. The security of cloud computing and the lack of trust in existing cloud security levels appear to be the greatest obstacles to adoption ([Chun10]). The growing amount of data, users and roles within modern organizations, and the stricter rules and legislation in recent years concerning data storage for organizations, have made the management of access rights to applications and data increasingly important and difficult. The control of access rights plays a unique role in cloud computing, because data stored in the cloud demands new, often different security measures from the organizations owning the data. Organizations must change how identities and access rights are managed with cloud computing. For example, many organizations have limited experience with the management and storage of identity data outside the organization. Robust Identity & Access Management (IAM) is required to minimize the security risks of cloud computing ([Gopa09]). This article describes the challenges and opportunities arising from Identity & Access Management in cloud computing environments.

What is cloud computing?

Although much has been published on the topic of cloud computing, it remains difficult to form a precise definition for this term. One of the commonly used definitions is the following ([NIST11]): Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. KPMG has taken this definition as a starting point and has narrowed it somewhat to the perspective of a recipient of cloud services ([Herm10]):

Cloud computing, from the perspective of the user, is the usage of centralized computing resources on the Internet. Cloud computing differs from traditional IT via the following characteristics:

- Multi-tenancy. Unlike traditional IT, the IT resources in the cloud are shared across multiple users.
- Paid services. The user only pays for the use of cloud services and does not invest in additional hardware and software.
- Elasticity. The capacity can either increase or decrease at all times.
- Internet dependent. The primary network for cloud services is the Internet.
- On-demand services. Unlike the greater part of traditional IT, cloud services can be utilized practically immediately.

Figure 1. Forms of cloud computing.
- SaaS (Software + Platform + Infrastructure): Salesforce.com, Microsoft Office 365, Gmail
- PaaS (Platform + Infrastructure): App Engine, Force.com, Azure
- IaaS (Infrastructure): Amazon EC2, Terremark, RackSpace

Different types of cloud services are available. First and foremost is Software-as-a-Service (SaaS), where software is provided as a cloud service. There is also Platform-as-a-Service (PaaS), where a platform (operating system, application framework, etc.) is offered as a cloud service. Finally, there is Infrastructure-as-a-Service (IaaS), where an IT infrastructure or part thereof (storage, memory, processing power, network capacity, etc.) is offered as a cloud service.

What is Identity & Access Management?

Broadly speaking, IAM is the consolidated management of users and corresponding authorizations via a centralized identity register. IAM allows an organization to control who gets access to what and by what means. KPMG uses the following definition of IAM ([Herm05]): The policies, processes and support systems to manage which users have access to information, IT applications and physical resources and what each user is authorized to do with it.

IAM is categorized as follows ([KPMG09]):

- User management: The activities related to managing end-users within the user administration.
- Authentication management: The activities related to the management of data and the allocation (and de-allocation) of resources needed to validate the identity of a person.

    The next section elaborates on the various challengesrelated to the components o the IAM architecture in a

    cloud computing environment.

    IAM challenges in a cloud computingenvironment

    The existing challenges in managing users and access

    to inormation are complemented with new challenges

    brought along with cloud computing. Originally, the or

    nization itsel was responsible or all aspects o IAM. Thranged rom maintenance o user administration to the

    propagation o user rights in the target systems and cheing usage based on logging and monitoring.

    The introduction o cloud computing has made these acities more complex. The boundaries are blurring betwee

    what user and IT resources belong to the customer an

    what belongs to the cloud provider. Who owns what

    resource and carries the accountability that goes with itWhat is the dierence between accountability and liab

    ity? This section summarizes some o the challenges o

    IAM.

Authorization management: The activities related to defining and managing the access rights that can be assigned to users.

Access management: The actual identification, authentication and authorization of end users for utilizing the target system.

Provisioning: The propagation of identities and authorization properties to IT systems.

Monitoring and auditing: The activities required to achieve monitoring, auditing and reporting goals.

Federation: The system of protocols, standards and technologies that make it possible for identities to be transferable and interchangeable between different autonomous domains.

IAM plays a major role in securing IT resources. IAM faces many challenges when cloud computing is used. IAM processes, such as adding a user, are managed by the cloud provider instead of the organization owning the data. It is difficult for the organization using the cloud service to verify whether a modification has been completed successfully within the administration of the cloud provider. Furthermore, it is harder to check whether the data stored by the cloud provider is only accessible to authorized users.

[Figure 2 (image not reproduced): the IAM reference architecture with its components (1) Authentication Management, (2) User Management, (3) Authorisation Management, (4) Access Management, (5) Data Management & Provisioning and (6) Monitoring & Audit; it links employees, suppliers and customers via authoritative sources, the user lifecycle and the authorisation model to a desired state that is provisioned to systems and applications, whose actual state, contract and usage are monitored, audited and reported.]

Figure 2. IAM reference architecture.


integration with the cloud provider. SSO is a collection of technologies that allow the user to authenticate for different services once as a particular user, which allows access to the other services.

    Authorization management

Authorization management deals with the policies and activities in relation to defining and administering authorizations. This allows authorizations to be grouped into a single role (based on so-called authorization groups). After granting this role to a user, that user can carry out a particular task or sub-task on certain objects. When a manager welcomes a new team member, he has to grant the appropriate role to the new user. Once the association is made, the authorizations that belong to this role are now available to the new user. As previously described, the granting of these predefined roles to users is carried out via user management.

Likewise for authorization management, there are new challenges when the organization utilizes cloud services. The cloud provider and the customer must agree upon where the authorizations and/or roles are managed. The IAM system must be capable of exchanging (automated) messages with the means of authentication that the cloud provider uses. In many cases, the cloud provider and customer use conflicting role models and the maturity of the role models differs. For example, the cloud provider may have switched over to centrally organized Role-Based Access Control (RBAC), while the customer still uses direct end-user authorizations that are administered in a decentralized manner. In accordance with user management principles, it is necessary to maintain a trusted-relationship on authorization management that is supported by contractual agreements.

    Access management

Access management deals with the (operational) processes that ensure that access to IT resources is only granted in conformance with the requirements of the information security policies and based on the access rights associated with the users.

The domain of access management has the following new challenges compared to the traditional on-premise situation: access management requires agreements to be made between the cloud provider, third parties and the customer, on how to appropriately organize access to the target systems. For example, the exchange of authorization data (user names, passwords, rights, and roles) must be fast enough to grant or deny access instantly. The customer and the cloud provider can decide to establish a trusted-relationship supported by certificates and/or a Public Key Infrastructure (PKI).

    User management

User management deals with the policies and activities within the scope of administering the entire lifecycle of users in the appropriate registers (initial registration, modification and deletion). For example, this could be the HR system for the employees of an organization. The HR system records the recruitment, promotions and dismissal of employees. In addition, user management controls the policies and activities related to granting authorizations to the users registered in the HR database.

An organization that utilizes cloud services may be faced with challenges in user management that are new compared to the traditional on-premise situation. Managing the user life cycle in the traditional IT environment is a challenge; it is even more so in a cloud environment. The organization cannot always maintain control over user administration via their own HR system (or other centralized resource). The cloud provider usually also maintains a user administration system. What happens when users update their information via the cloud provider? How are the managers of the cloud services and their attributes kept up to date? Which laws and regulations (possibly outside the organization's own jurisdiction) apply to the storing of personal information? All these issues have to be dealt with again in a cloud computing environment. The allocation of authorizations is also a part of user management. The customer and cloud provider must agree on who is responsible for granting and revoking user rights.

    Authentication management

Authentication management includes the processes and procedures for administering the authentication of users. If particular data is very sensitive, stringent authentication may be required to access this data (for example, by using a smart card). Defining and recording these requirements within objects in the form of policies and guidelines is part of authentication management. Authentication management also deals with the issuing and revocation of authentication means (for example, username and password and smart cards).

The following challenges in authentication management are new compared to the traditional on-premise situation: the authentication means for different cloud providers may vary. Sometimes, the cloud provider itself may only use mechanisms that do not match the (security) technical requirements of the customer. It can also be complicated to implement the level of authentication in a uniform way. In addition, synchronization of passwords can be a challenge, especially in environments where the user administration changes quickly or where users must change their own passwords. Finally, it requires that a working Single Sign-On (SSO) environment is maintained for technical


auditing compliance with the requirements of the applicable information security policies. One reason for this is that the customer often does not have insight in what resources the cloud provider utilizes to manage and monitor the IT resources. A consequence of this lack of transparency is that it may be difficult for a customer to achieve full compliance. In particular, the use of accounts with high-level privileges is difficult to monitor.

    Options for IAM in a cloud environment

Several options are available for managing identity and access to cloud services ([Blak09], [Cser10]). The ownership of the various IAM processes and attendant monitoring is different for each model. This has a significant impact on the relevant risks and challenges. The option preferred thus depends on the requirements of the organization and the level of cloud service adoption in the organization.

    Traditional model

If an organization utilizes part of its IT needs as a cloud service, the components of the IAM framework must work together with the cloud provider. This may be achieved by linking the existing IAM with the cloud provider (see Figure 3). In this case, the organization manages identities and access rights locally and then propagates these to the various cloud providers. For each cloud provider, the authorized users must be added to the directory of the cloud provider. There are several packages on the market that automate the processes of creation, modification and deletion by synchronizing the local directory with the cloud. However, the connector that enables the synchronization to occur must be separately developed and maintained for each cloud provider. A drawback is the added complexity in management when there are multiple cloud providers.

Identification and authentication for cloud services occur with the cloud provider. Handing these processes over to the provider requires strong confidence in the provider. There are tools on the market that make it possible to link with local SSO applications. With this method the user needs fewer identities to access services. Checking identification and authentication for cloud services is performed by the cloud provider. Strong confidence in the cloud providers and their policies is required.

    Provisioning

IAM must ensure that after a role is granted to a user, the user is created in the relevant objects, and that this user is then granted the appropriate authorizations for corresponding objects. Within IAM, this process is called provisioning. Provisioning deals with the manual and/or automatic propagation of user and authorization data to objects. In other words, provisioning consists of creating a user and assigning authorizations to the user objects. Manual provisioning means that a system manager creates a user with authorizations on request. Automatic provisioning means that the system automatically processes these requests without any intervention by a system manager. When a role is revoked from a user then deprovisioning has to take place, which means that the authorizations are revoked from the user.

Provisioning in a cloud environment has the following challenges: the propagation of accounts within the organization and also within the cloud provider is challenging, since technologies and standards are often different for each cloud provider. As more cloud providers deliver services to an organization, it becomes exponentially more complex for the customer to implement provisioning. The creation and modification of accounts and rights on target systems is generally driven by business need. However, it is often the case that less attention is given to deletion because it serves limited business need and it is believed that the security risk does not outweigh the additional effort required to follow through this deprovisioning process effectively. With respect to the contract with the cloud provider, customers often forget to give sufficient attention to the ending of the relationship. It is then unclear what happens to the data and user rights when the cloud provider no longer provides paid services to the customer.
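The desired-state versus actual-state reconciliation that the provisioning and deprovisioning description above implies (and the privileged-account monitoring mentioned under monitoring and auditing), as an added example that is not code from the article or from KPMG. The HR source, role model, provider names ("csp-mail", "csp-erp", "csp-crm") and account data are all constructed; the example goes beyond the text by covering several cloud providers at once and by flagging accounts that no longer exist in the authoritative source.

```python
"""Added example: reconcile the desired state derived from HR and the role model
against the actual state reported by each cloud provider (CSP) connector.
All data and provider names are constructed for this example."""
from dataclasses import dataclass, field

# Entitlements that warrant extra monitoring (constructed list).
PRIVILEGED = {"admin", "owner"}

# Authoritative source (constructed): active employees and their roles.
HR_SOURCE = {
    "alice": {"finance"},
    "bob": {"sales", "it-admin"},
}

# Authorization model (constructed): role -> CSP -> entitlements.
ROLE_MODEL = {
    "finance":  {"csp-mail": {"mailbox"}, "csp-erp": {"ledger-read"}},
    "sales":    {"csp-mail": {"mailbox"}, "csp-crm": {"opportunity-edit"}},
    "it-admin": {"csp-mail": {"mailbox", "admin"}},
}

# Actual state per CSP connector (constructed): user -> entitlements.
# "carol" has left the organization but was never deprovisioned.
ACTUAL_STATE = {
    "csp-mail": {"alice": {"mailbox"}, "bob": {"mailbox"},
                 "carol": {"mailbox", "admin"}},
    "csp-erp":  {"alice": {"ledger-read"}},
    "csp-crm":  {},
}


@dataclass
class Plan:
    provision: list = field(default_factory=list)    # (csp, user, entitlement)
    deprovision: list = field(default_factory=list)  # (csp, user, entitlement)
    orphans: list = field(default_factory=list)      # (csp, user) unknown to HR
    privileged_findings: list = field(default_factory=list)  # (csp, user, ent)


def desired_state(hr, model):
    """Derive the desired per-CSP entitlements from HR roles and the role model."""
    desired = {csp: {} for role in model.values() for csp in role}
    for user, roles in hr.items():
        for role in roles:
            for csp, ents in model[role].items():
                desired[csp].setdefault(user, set()).update(ents)
    return desired


def reconcile(hr, model, actual):
    """Compare desired and actual state and produce provisioning actions plus
    audit findings (orphaned accounts and privileged entitlements in use)."""
    desired = desired_state(hr, model)
    plan = Plan()
    for csp in sorted(set(desired) | set(actual)):
        want, have = desired.get(csp, {}), actual.get(csp, {})
        for user in sorted(set(want) | set(have)):
            w, h = want.get(user, set()), have.get(user, set())
            if user not in hr:                 # account outlived its HR record
                plan.orphans.append((csp, user))
            for ent in sorted(w - h):          # missing rights: provision
                plan.provision.append((csp, user, ent))
            for ent in sorted(h - w):          # excess rights: deprovision
                plan.deprovision.append((csp, user, ent))
            for ent in sorted(h & PRIVILEGED): # privileged use to monitor
                plan.privileged_findings.append((csp, user, ent))
    return plan


if __name__ == "__main__":
    result = reconcile(HR_SOURCE, ROLE_MODEL, ACTUAL_STATE)
    for name in ("provision", "deprovision", "orphans", "privileged_findings"):
        print(name, getattr(result, name))
```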

    Monitoring and auditing

The final piece in the IAM architecture is the monitoring and auditing process. This process focuses on checking compliance with policies utilized within IAM. This consists of continuously monitoring and auditing the systems and processes.

In the area of monitoring and auditing, the following are new issues compared to the traditional situation: it is a challenge for many customers to set up monitoring and

The utilization of cloud services creates new challenges for authorization management


thus trusts the IAM of the customer and it is on that basis that the users can utilize the services. Thus, in most cases, duplication of accounts is unnecessary (unless for auditing purposes).

If this option is used, the customer may continue to use the existing access methods to manage the user activities. A disadvantage of this option is that, when there is a large number of cloud providers, it is necessary to make agreements with each cloud provider about the confidentiality of the customer's local IAM. In addition, for many cloud providers, it is impossible to maintain trustworthy and appropriate monitoring of the IAM of all customers. This option is already actively used by a large Dutch retailer that has linked the local IAM infrastructure to their cloud provider of email and calendar services.

    Trusted-relationship model

Another option is to have the cloud provider support the IAM of the customer (see Figure 4). The customer manages the local identities and access rights. The users are stored locally in a directory and an access request for a cloud service is authenticated locally. The cloud provider checks the authorizations and validates these using the directory of the customer. The cloud provider

[Figure 3 (image not reproduced): the local IAM of the organization (User, Resources, Directory with Applications and Data) is connected via UDS to the separate IAM and Directory of each cloud provider (CSP 1, CSP 2) that hosts an Application.]

Figure 3. Connecting with the cloud provider.

[Figure 4 (image not reproduced): in the federated set-up the IAM and Directory of each cloud provider (CSP 1, CSP 2) rely on the local IAM and Directory of the organization (User, Resources, Applications, Data), linked via UDS.]

Figure 4. Federated cooperation between customer and provider.


functioning IAM cloud services available, but it is possible that large IAM providers (for example, IBM, Microsoft and Oracle) will enter this market in the coming years.

    Conclusion

By using (public) cloud services, the organization will need to revise its control measures to maintain the required level of security. Whilst security risks may well decrease by transferring selected services to the cloud, risks are likely to increase in certain areas such as IAM. To minimize the risk it is necessary to properly set up the IAM framework. The implementation of necessary changes to IAM in a cloud environment is critical in providing an adequate level of confidence and guaranteeing security.

The fact that some of the IT resources are no longer contained in the organization itself raises several questions in the IAM domain. Even though liability remains with the organization utilizing services, keeping control of the IAM processes is more difficult because these are often part of the cloud provider's domain. For user management, it is important that organizations verify whether changes to user data are taken over by the cloud provider. Organizations must comply with company, national and international laws and regulations with regard to personal information. When considering authentication, it is important

    Identity service provider model

A third option for cooperation between the local IAM of the customer and the cloud provider is using an Identity Service Provider (IdSP) (see Figure 5). The IdSP is a provider of identity services. As in previous models, the customer manages the local identities and access rights. The IdSP is responsible for validating the identity of the user. Both the cloud provider and the customer rely on this third party to validate the identity of users. DigiD and Facebook are examples of organizations that may act as an IdSP and be able to verify digital identities in the future. There are tools on the market that use a third party to manage and validate identities.

All-in-the-cloud model

The last option is to outsource the entire IAM and utilize it as a cloud service (see Figure 6). In this case, the organization delegates all IAM systems and processes to a third party operating in the cloud itself. The link with all cloud providers is managed and controlled by this third party. Access to local IT resources will also be conducted via the IAM Service. Effectively, all management and control of IAM are outsourced to the cloud.

High trust in the IAM service is required. It is difficult for the customer to monitor the status of the processes for either local or cloud services. Currently, there are no fully

[Figure 5 (image not reproduced): an Identity Service Provider (IdSP) performs identity validation for the local IAM of the organization (User, Resources, Directory, Applications, Data, UDS) and for the IAM of each cloud provider (CSP 1, CSP 2) hosting an Application.]

Figure 5. Utilization of an identity service provider.

The use of cloud services requires changes in the IAM domain


that the authentication methods and requirements used match those of the cloud provider. Furthermore, the authorization models should align, so that the correct rights are granted to the authenticated users. The processing of both authorizations and authentications must be timely and accurate in order for the partnering organizations to have confidence in the actual use of cloud services. Finally, it is essential that the monitoring and auditing processes meet the requirements of the applicable security policies.

Several options are available for managing identity and access to cloud services. Firstly, the IAM framework can be connected with the cloud provider. The customer itself manages and propagates users and their rights to the cloud provider. It may be possible to automate this process. Identification and authentication occur in the cloud provider's domain. A second option is to allow the cloud provider to support the customer's IAM framework. The use of this trusted-relationship makes it unnecessary to propagate users to all cloud providers. In addition, identification and authentication occur locally. A third option is to use an IdSP. This is a third party which is trusted by both customers and cloud service providers and validates the identity of users. The last option is to outsource the entire IAM stack and consume IAM as a cloud service altogether.

Which option is the most suitable depends on the IAM requirements of the organization and on the type and number of cloud services consumed. The IAM framework should be properly established before cloud services are utilized to minimize risk exposure. Furthermore, it is very important to align the IAM framework with the cloud landscape to allow effective cooperation with the cloud provider and adequate security safeguards.

[Figure 6 (image not reproduced): the organization (User, Resources, Applications, Data) and each cloud provider (CSP 1, CSP 2) with its Application are all served by an IAM service with its own Directory, connected via UDS and consumed as a cloud service.]

Figure 6. IAM as a cloud service.

References

[Blak09] B. Blakley, The Business of Identity Services, Midvale, Burton Group, 2009.

[Chun10] M. Chung and J. Hermans, From Hype to Future: KPMG's 2010 Cloud Computing Survey, KPMG Advisory, Amstelveen, 2010.

[Cser10] A. Cser, S. Balaouras and N.M. Hayes, Are You Ready For Cloud-Based IAM?, Cambridge, Forrester Research, 2010.

[Gopa09] A. Gopalakrishnan, Cloud Computing Identity Management, SETLabs Briefings 7 (7), p. 45-54, 2009.

[Herm05] J. Hermans and J. ter Hart, Identity & Access Management: operational excellence or in control?, Compact 2005/3, p. 47-53.

[Herm10] J. Hermans, M. Chung and W. Guensberg, De overheid in de wolken? (The government in the clouds), Compact 2010/4, p. 11-20.

[KPMG09] KPMG, IAM Methodology, KPMG International, 2009.

[NIST11] NIST, The NIST Definition of Cloud Computing, Information Technology Laboratory, Gaithersburg, National Institute of Standards and Technology, 2011.

About the authors

E. Sturrus works as a consultant at KPMG IT Advisory. He gives advice in the domain of Identity and Access Management and is involved in IT Audit assignments. He recently completed his research at Erasmus University Rotterdam about Identity and Access Management and cloud computing.

J. J. C. Steevens works as a consultant at KPMG IT Advisory. He specializes in advising on Identity & Access Management in which authentication and authorization management plays a major role. In addition to advising, he carries out IT audits on Public Key Infrastructures (PKI) and the like.

W.A. Guensberg is a partner at Label A. Label A develops practical and sexy apps and sites. Dummy-proof and high-tech, with a focus on mobile and cloud technologies. Willem was a consultant at KPMG IT Advisory from early 2007 to late 2011. He gave advice in the domain of Identity and Access Management (IAM) and cloud computing. He completed his IT audit course at Vrije Universiteit and received his CISA accreditation in 2009. In 2010, he worked for six months as a cloud computing consultant at KPMG in Boston (US).


Social engineering: the art of deception

Matthieu Paques

In a typical penetration test (hacker test) attempts are made to gain unauthorized access to systems or data by exploiting technical vulnerabilities. The weakest link in the information security chain is often overlooked in these tests: users. It appears that this link has increasingly become the target of attackers. The media have reported a large number of incidents involving this type of attack ([security.nl]). This is reason enough to also put this link to the test within the scope of an audit or security test. This act of hacking people is called social engineering. This article describes how social engineering tests are performed, provides real-life examples, and discusses what measures can be taken against such attacks.

M.B. Paques is a manager at KPMG IT Advisory.

    [email protected]

    What is a social engineering test?

KPMG IT Advisory has performed social engineering assignments for a large number of clients. The purpose of such tests is twofold:

identify the risks to the organization being evaluated

make employees aware of these risks (training)

During the tests, attempts are made to manipulate employees so that unauthorized access to confidential information is obtained. These attempts vary from a simple phone call test in which employees are tricked into disclosing


being questioned. If his story is not credible, there is a risk of being taken away in handcuffs. The employees of the organization for which the test is performed are generally not informed in advance about the test. Often, only a few executives are aware of the test and even they do not know exactly when the test will be carried out. Security staff is not meant to be put on the alert and take extra precautions. This approach makes it possible to obtain a realistic impression of the risks. As a result of this approach security personnel may take drastic measures if the tester is unmasked as an intruder (especially when he has a [...] of confidential documents in his possession).

    The ingredients of a successful attack

There are two decisive factors that determine the success of a social engineering attack: information and timing. Thorough preparation is crucial. In such a test as much information as possible is assembled about the target prior to the actual attack. About 90% of the time is spent to research and make preparations for the actual hit. Information is gathered not only about the organization in scope (e.g. the corporate homepage, Google Maps, search engines