3. Content
1 Foreword
2 Introduction
3 Rise of the New IT Platform
4 Word of caution
5 Cloud computing: Laying the foundation for a global digital ecosystem for a new form of business
6 Privacy and data security concerns
7 Addressing security, privacy and regulatory concerns in healthcare
8 Addressing security, privacy and regulatory concerns in financial services
9 State of data protection and privacy laws in India
10 Conclusion
11 Appendix
4. The fact that today's business landscape is changing
faster than ever has become a cliché. Things that
were relevant a few years back or are relevant today
will not be so in the near future. Digital technology has
become the foundation of this transformation. It holds the
key, right from strategy formulation to execution. Companies
will need to adapt quickly to these changes to achieve
growth, meet disparate consumer needs, reach out to
markets, compete and succeed.
With cloud computing being perceived as the platform for
digital transformation, its adoption is fast transforming from
hype to reality across industries. Two industries in particular,
healthcare and financial services, where security is a key
concern due to the sensitive nature of data that is transacted
and which have traditionally been subjected to stringent
regulations and compliances, are experiencing a rise in the
adoption of cloud services.
Yet, data privacy and security threats have always been the
dark side of the cloud and remain a cause for concern among
these industries. However, it is interesting that healthcare
and financial services companies that have adopted cloud
computing are finding that security and compliances
delivered by cloud service providers exceed their needs.
As cloud services continue to mature, companies as well as
governments are placing trust in service providers and are
migrating data and applications to the cloud. One of the best
examples of this new-found trust is the US federal
government's adoption of cloud-based solutions for cabinet-
level agencies, including the Department of Homeland
Security, which is pursuing both public and private cloud solutions. The Indian government has
also published a comprehensive policy report for its adoption and usage of cloud services.
This joint CII-PwC report covers the benefits and challenges faced in the adoption of cloud
computing in the healthcare and financial services industry in India. It highlights the best
practices being followed globally by companies in industries that have successfully adopted
the cloud, and recommends an approach for future adoption. The report also assesses the
current state of data protection and privacy laws in India and proposes an approach to formulate
and enforce newer laws and regulations that are relevant to the current context.
1 Foreword
S Premkumar, Chairman, CII Sub-Committee on Cloud Computing and Executive Vice Chairman and Managing Director, HCL Infosystems Ltd
Chandrajit Banerjee, Director General, Confederation of Indian Industry
5. 2 Introduction
Digital technologies are impacting industries and businesses alike. Social, mobile, analytics and cloud (SMAC), along with agile, continuous integration and development practices like DevOps [1] and Internet of things (IoT), are having an unforeseen impact as enablers of business. Businesses today are relying heavily on technology. With new-age start-ups changing the market dynamics with digital technologies, the message to incumbents is clear: either you innovate or you perish.
[1] A clipped compound of 'development' and 'operations'
Cloud computing in particular promises significant
transformational benefits across industries and is seen as the
foundation for digital business transformation. Though
enterprises have been adopting the cloud at a rapid pace,
concerns like data security and privacy continue to hinder the
migration of the core business-critical workloads to cloud.
Given the rapid changes in the current economic scenario
and market structure in India, cloud computing assumes
particular significance in multiple sectors, including
technology, healthcare and financial services. With the
launch of the Digital India programme by the government,
cloud computing, along with other technologies like mobility,
analytics and IoT, will be key to implementing the vision of
transforming the country into a digitally empowered
knowledge economy. However, before organisations can fully
leverage the benefits of cloud technologies, they need to
understand the impact of this shift on their business model.
Moving the infrastructure to the cloud is not merely an IT
change but also a total transformation that needs to be
assessed across strategy, structure, people, process and
technology. As cloud computing brings in business and
financial benefits, it also needs to be addressed from the
viewpoints of business strategy, finance, regulations,
compliance, tax, enterprise architecture and, most
importantly, culture.
In order to understand the state of cloud adoption in the financial services and healthcare
sectors, PwC and CII conducted a joint survey. This report identifies the adoption trends among
Indian enterprises across the two sectors and highlights the factors that are driving cloud
adoption and the key challenges or areas of concern.
Finally, the report analyses the legal scenario with regard to data security and privacy globally
vis-à-vis the Indian context, and defines a way forward for setting up a robust legal and
regulatory structure in the country with regard to cloud adoption.
Arnab Basu, Partner, Technology Consulting and Digital, PwC
Dipankar Chakrabarti, Executive Director, Advisory, PwC
6. Rise of the New IT Platform
The past one-and-a-half years have experienced tremendous advancement of technology,
particularly in the digital space. This has been fuelled by the opportunities these
technologies provide to change the traditional business and operating model through
the development of more effective ways to engage with stakeholders, fine-tune operational
effectiveness and strengthen risk management strategies. High on the agenda for any
enterprise today is transforming the IT organisation to meet the needs of businesses today. In
addition, with the advent of new age technology start-ups that are changing the market
dynamics, the message to incumbents is loud and clear: disrupt or get disrupted!
The convergence of digital technologies is leading to the rise of what we call the New IT Platform [2], where the IT organisation within an enterprise is being transformed to meet the growing needs of the business and its stakeholders, including customers, employees, partners and suppliers. In this model, the IT organisation is no longer a centralised authority; rather, it is an orchestrator of business services. Further, the chief information officer (CIO) serves as a catalyst for digital conversations throughout the enterprise, and is responsible for creating a tightly integrated and secure environment that enables anyone to plug into the enterprise anytime and across any device.
'Organisations that have been able to think differently about the role of IT and the use of technology to enable business are achieving higher performance compared to those organisations that are maintaining the IT status quo.'
- Mike Pearl, PwC's Technology Consulting and Global Cloud Computing Leader
[2] PwC. (2015, May). Reinventing information technology in the digital enterprise - PwC's new IT platform: Achieve high velocity IT in a digital world. Retrieved from http://www.pwc.com/us/en/increasing-it-effectiveness/publications/new-it-platform.html
[Figure: New IT Platform approach. Labels: professional and managed services; build cloud services; consume cloud services; CIO / broker; traditional IT, private cloud, virtual private cloud, public cloud; optimised workload placement, secure, tightly integrated and rapid delivery; applications, information, business processes.]
7. These developments are leading to a new trend: IT spend and IT resources are rapidly shifting outside the traditional IT organisation. According to our 6th Global Digital IQ Survey, 47% of the total enterprise IT spend is outside the CIO budget. Also, an International Data Corporation (IDC) study [3] shows that 8% of department personnel are now dedicated to IT. Needless to say, this is a clear deviation from what we have traditionally experienced.
Implications for the IT organisation
• The IT governance model must reflect this shift in technology decision rights.
• Technology sourcing must mature to avoid duplication of costs and suboptimal vendor agreements.
• Enterprise architecture and integration must become critical IT competencies to avoid silos.
• IT must provide the foundation for enterprise data, master data, analytics and security.
PwC expects this trend to continue in the future as well, irrespective of industry, and we expect that business units will get more involved in technology decisions. [4]
[3] Whalen, M., Anderson, C., & Smith, K. (2013). The six implications of the 3rd platform on IT staffing. Retrieved from http://www.idc.com/getdoc.jsp?containerId=243452
[4] PwC. (2015). PwC's 6th Annual Digital IQ Survey. Retrieved from https://www.pwc.in/publications/digital-iq-survey.html
Total enterprise IT spend outside CIO budget: 47%
Average departmental technical make-up: 8%
Source: PwC's 6th Annual Digital IQ Survey
[Figure: IT spending outside the CIO's budget, by industry (47% overall). Industries shown: energy and mining; automotive; healthcare; entertainment, media and communications; business and professional services; retail and consumer; industrial products; hospitality and leisure; power and utilities; technology; financial services. Source: PwC's 6th Annual Digital IQ Survey]
8. As technology reshapes all industries, enterprises will continue to make sizeable investments. In order to understand whether increased technology spending leads to improved financial performance, we recently analysed 250 global companies. [5] Our results clearly show no direct correlation between technology investments and profitable growth; that is, spending more on technology does not necessarily lead to better financial performance. This by itself is not a revelation, but our research further shows a strong correlation between technology and profitable growth if the investments are focussed on targeted capabilities, and augmented with the right operating model and implementation skills.
We believe successful IT organisations of the future will be those that evaluate new
technologies with a discerning eye and cherry-pick those that will help solve their most
important business problems. Those who merely jump on the technology bandwagon will
quickly become mired in expensive gadgetry that only creates more complexity.
Word of caution
Four key steps for maximising value from IT investments are as follows:
1. Alignment between IT spending and business capabilities
2. The technological capacity to execute IT initiatives
3. The ability to assess the potential value from a particular IT initiative relative to its risk
4. An optimal IT operating model to sustain results from the new technology
[5] Strategy&. (2015, November). Maximizing the value from technology investments: Spending smart instead of just spending big. Retrieved from http://www.strategyand.pwc.com/reports/maximizing-value-technology-investments
9. Cloud computing: Laying the foundation for a global digital ecosystem for a new form of business
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources such as networks, servers, storage, applications and services that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Source: National Institute of Standards and Technology (NIST)
[Figure: Which technologies are you planning to invest in? Responses: will invest less; will invest the same amount; will invest more. Technologies listed: other (please specify); open source infrastructure; open source applications; virtual meeting and collaboration…; sensors, sensing technologies,…; social media for internal communication; simulation, scenario modelling tools; data visualisation; mobile technologies for employees; data mining and analysis; digital delivery of products/services; data security; social media for external communication; gamification; private cloud; public cloud applications; public cloud infrastructure; mobile technologies for customers. Source: PwC's 6th Annual Digital IQ Survey]
10. The advent of high-speed network connectivity and the ability to deliver traditionally complex
services on demand are contributing to increased cloud adoption. Businesses are moving to the
cloud at a rapid pace in order to differentiate and compete. This rapid pace of cloud adoption
presents both opportunities and challenges across the enterprise. These can be classified
across three areas of technology, operations and services.
Key area: Technology
Opportunity: Companies can drive business growth through transforming their IT department/organisations into a strategic driver of business services.
Challenge: As companies shift from legacy systems to the New IT Platform, executives need to adapt to this change to stay relevant. They need to manage hybrid architecture and adopt a services culture. They may run into key skills shortages for cloud management capabilities.
Key area: Operations
Opportunity: Companies can scale the business, decrease time to market and enhance collaboration with the cloud.
Challenge: Integration and migration of legacy systems with cloud-based solutions, together with the orchestration and governance of the entire landscape, can be daunting. Governance, risk management and compliance of data managed by cloud providers are also important.
Key area: Services
Opportunity: Companies can innovate and create new products and services to better engage their customers and communities, and generate new sources of revenue.
Challenge: Companies must adapt their business models, change their go-to-market strategies and shift to a services-based culture to leverage the true power of the cloud.
Cloud market statistics update
Cloud computing continues to be among the top investment priorities for organisations and is becoming increasingly integral to an enterprise's overall IT landscape. According to a Forbes study [6] conducted last year, globally, around 42% of IT decisions concern a planned increase in spending on cloud computing.
Though private clouds continue to dominate in terms of overall installed workloads, public clouds are growing at a much faster rate. In addition, 74% of enterprises have a hybrid cloud strategy and more than half of them are already using both public and private clouds. [7]
[6] Forbes. (2015). Roundup of cloud computing forecasts and market estimates, 2015. Retrieved from http://www.forbes.com/sites/louiscolumbus/2015/09/27/roundup-of-cloud-computing-forecasts-and-market-estimates-q3-update-2015/#16a5a0416c7a
[7] RightScale. (2014). Cloud computing trends: 2014 State of the Cloud Survey. Retrieved from http://www.rightscale.com/blog/cloud-industry-insights/cloud-computing-trends-2014-state-cloud-survey
11. With regard to the growth rate of cloud service models, at the aggregate level, though infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) initially accounted for the largest workload share, software-as-a-service (SaaS) workloads are growing at a much faster pace. By 2019, 59% and 11% of the total cloud workloads will be SaaS and PaaS workloads, up from 45% and 13% respectively in 2014. [8]
[8] Cisco. (2015). Cisco Global Cloud Index: Forecast and methodology, 2014–2019. Retrieved from http://www.cisco.com/c/en/us/solutions/collateral/service-provider/global-cloud-index-gci/Cloud_Index_White_Paper.pdf
Public cloud workloads are going to grow at 33% CAGR from 2013 to 2018. Private clouds will grow at a slower rate of 21%.
Source: Cisco Global Cloud Index, 2013-18
[Figure: Growth in public vs. private cloud workloads, 2013-2018. Y-axis: installed workloads in millions. Series: public cloud data center (33% CAGR); private cloud data center (21% CAGR). Source: Cisco Global Cloud Index, 2013-2018]
[Figure: Growth in cloud workloads by service model, 2013-2018. Y-axis: installed workloads in millions. Series: SaaS (33% CAGR); IaaS (13% CAGR); PaaS (21% CAGR).]
12. Currently, cloud adoption in India is in a growth phase. The various initiatives launched by the government under the National e-Governance Plan (NeGP), such as the State Wide Area Network (SWAN), State Data Centres (SDC), State Service Delivery Gateway (SSDG) and e-Portal, have led to the buildout of ICT infrastructure both at the Centre and state level. In addition, other initiatives like the National Fibre Optics Network (NOFN) and launch of the National Cloud under the umbrella of the MeghRaj initiative [9] show the Indian government's commitment to promote cloud computing in both the public and private sector.
Gartner's estimates are indicative of the potential of the cloud computing market in India. It predicts that the total market for public cloud services in India is expected to reach 1.7 billion USD in 2018. [10] Though SaaS will dominate public IT cloud services spending, followed by IaaS, PaaS will experience fast growth, primarily due to cloud adoption by the developer community and big data driven solutions. [11] Other estimates are equally upbeat: according to IDC, [12] 3.5 billion USD will be spent on cloud services in India by 2016, a growth of over 400% from 2012. In addition, Forrester expects the SaaS market in particular to roughly double in value between 2014 and 2020, when it will be worth 1.2 billion USD. [13]
State of cloud adoption in the financial services and healthcare industry: PwC-CII joint survey
In order to understand the state of cloud adoption in the financial services and healthcare industry, PwC and CII conducted a joint survey. This section highlights the survey findings.
The fact that the cloud is increasingly being recognised as the platform of the future is clear, as almost a quarter of the organisations surveyed suggested that more than 15% of their IT budget (21% for financial services and 23% for healthcare) was devoted towards cloud computing.
[9] In order to enable governments (both at the Centre and states) to leverage cloud computing for the effective delivery of e-services, the Government of India embarked upon an ambitious and important initiative, GI Cloud, which has been named MeghRaj. Under this initiative, the Department of Electronics and Information Technology (DeitY) announced two cloud policy reports, which have been approved by the Minister of Communications and IT: the 'GI cloud strategic direction paper' and 'GI cloud adoption and implementation roadmap'.
[10] Gartner. (2014). Forecast analysis: Public cloud services, worldwide, 2012-2018, 1Q14 update and forecast: Public cloud services, worldwide, 2012-2018, 1Q14 update. Retrieved from http://www.gartner.com/newsroom/id/2721517
[11] Gens, F. (2014). Worldwide and regional public cloud IT services 2014-2018 forecast. Retrieved from https://www.idc.com/getdoc.jsp?containerId=251730
[12] US Department of Commerce and Industry & Analysis (I&A). (2015). 2015 top markets report - cloud computing. Retrieved from http://trade.gov/topmarkets/pdf/Cloud_Computing_Top_Markets_Report.pdf
[13] International Trade Administration. (2015). 2015 top markets report – cloud computing. Retrieved from http://trade.gov/topmarkets/pdf/Cloud_Computing_Top_Markets_Report.pdf
With the aim of transforming the entire
ecosystem of public services through the
use of information technology, the
Government of India recently launched
the Digital India programme. The vision is
to make India a digitally empowered
society and knowledge economy.
PwC believes cloud computing will be at
the core of the Digital India programme
and will provide a definite push towards
cloud adoption in the country.
13. In terms of cloud adoption, more than half of the financial services organisations (57%) surveyed
and almost two-thirds of the healthcare organisations (64%) surveyed stated that they have
implemented cloud-based services.
However, despite the positive outlook, concerns remain. Data security and trust, followed by
legal and regulatory compliances, are the key issues. In addition, 50% and 36% of respondents
from the financial services and healthcare industry respectively stated that lack of knowledge is
one of their barriers to cloud adoption. Thus, there is further scope for this technology if the
knowledge gaps are addressed suitably.
[Figure: Q. What percentage of your organisation's IT budget is devoted towards the cloud? Categories: less than 2%; between 2% and 5%; between 5% and 10%; between 10% and 15%; more than 15%. Series: financial services; healthcare. Source: PwC-CII joint survey, 2016]
[Figure: Q. At what stage is your organisation vis-à-vis cloud adoption? Panels: financial services; healthcare. Categories: we are at the discussion stage or currently evaluating the option of the cloud; we are in the process of implementing the cloud; we have implemented the cloud and are currently using the same; not applicable. Source: PwC-CII joint survey, 2016]
14. Private cloud and SaaS are the most widely adopted deployment and service models in
organisations in the financial services and healthcare industry.
The cloud brings pricing flexibility. This, along with cost savings, infrastructure and application
scalability, and speedier deployment of infrastructure and application, is the key driver for cloud
adoption.
[Figure: Q. What do you think are the major barriers to adopting the cloud? Categories: lack of knowledge; indecision about which apps to move into the cloud; lack of clarity on costing models; data security and trust; legal and regulatory compliance. Series: financial services; healthcare. Source: PwC-CII joint survey, 2016]
[Figure: Q. Which cloud deployment model(s) has your organisation adopted? Categories: public cloud; private cloud; hybrid cloud. Series: financial services; healthcare. Source: PwC-CII joint survey, 2016]
[Figure: Q. Which cloud service model(s) has your organisation adopted? Categories: IaaS; PaaS; SaaS. Series: financial services; healthcare. Source: PwC-CII joint survey, 2016]
15. While performance of the cloud platform or solutions and overall security are the key
considerations for choosing the preferred cloud service provider, data ownership, backup,
recoverability and service availability are the major considerations while negotiating a service-
level agreement (SLA).
[Figure: Q. What are your organisation's key drivers for cloud adoption? Respondents who rated within the top 3. Categories: ability for IT department to focus on innovation and core business issues rather than operational aspects; increased IT efficiency and utilisation; improved business agility; robust disaster recovery mechanisms; speedier deployment of infrastructure and application; infrastructure and application scalability; cost savings and pricing flexibility. Series: healthcare; financial services. Source: PwC-CII joint survey, 2016]
[Figure: Q. What parameters does your organisation consider when evaluating cloud solutions? Respondents who rated within the top 3. Categories: adherence to standards and compliances; quality of service; application portability; enterprise grade security; performance. Series: healthcare; financial services. Source: PwC-CII joint survey, 2016]
16. [Figure: Q. Which of the following do you consider when negotiating an SLA with a cloud service provider? Respondents who rated within the top 3. Categories: multi-tenancy disclosure; data location; retention or destruction of records; legal hold or e-discovery; availability of service; backup and recovery; ownership of data and associated metadata. Series: healthcare; financial services. Source: PwC-CII joint survey, 2016]
17. Privacy and data security concerns
Data privacy and security have been key concerns and a regular topic of discussion when
it comes to the cloud. However, in order to closely analyse this issue, we need to
classify it into two major areas:
1. Technical issues related to security of data in a cloud environment
2. Regulatory, compliance and legal issues to consider when moving to the cloud
Technical issues related to security
Historically, technical aspects of security have inhibited cloud adoption, the primary concerns being the security of virtual machines, trust in the cloud service provider, commingling of data with that of another customer/tenant, intrusion detection and prevention in the cloud, etc. However, with cloud as a technology becoming more stable and with increased maturity, cloud service providers have begun to provide more insights into their security controls, governance and regulatory compliance processes. This is increasing the confidence of businesses in cloud technology. The results are evident: According to a Forrester study on cloud security, from 2011-2013, there was a 24 percentage point decrease in the number of respondents who found security and privacy to be concerns in a virtualised or cloud environment. [14]
With the overcoming of the technical hurdles of security, cloud computing is fast moving from a stage of evaluation to value creation and realisation.
[14] PwC presentation at Wales & West CIO Forum, 2015
[Figure: Security and privacy concerns in virtualisation or cloud environments. 2011: 67%; 2012: 59%; 2013: 43%. Source: Forrester report on cloud security as prepared for PwC, August 2014]
18. Not inherently insecure
The point we want to highlight here is that, technically, there are no reasons that should restrict the migration of private data to the cloud. Risks have to be managed, as in the case of any on-premise or in-house system. A report published by the Information Security Forum (ISF) [15] highlighted five major findings with regard to data privacy and the cloud. These are discussed below.
• Cloud-based systems are here, and organisations are using them: Organisations cannot avoid the cloud. According to the ISF survey report, 90% of organisations achieve projected savings and 80% increase their competitive advantage with the cloud. Information subject to privacy regulations (known as personally identifiable information [PII]) will inevitably move to the cloud.
• The risk of putting private data on the cloud is not always considered or addressed: Cloud-based systems are seen to be complicated; the same is true for privacy regulations. This combination of complexity creates barriers to managing the risk of private data on the cloud, thereby increasing organisational risk.
• The cloud can be suitable for PII: There are no inherent reasons for not moving private data to the cloud; the risks have to be managed as in any other case. The process will be made easy if organisations first cut through the perceived complexity, take advantage of existing information risk management approaches and enhance them where necessary to manage risks.
• Cloud complexity can be simplified: Cloud-based systems are not as complicated as many people consider them to be, and understanding the basics makes complying with privacy requirements easier. The various cloud deployment and service models provide different levels of control to the purchasing organisation, accordingly creating a different degree of inherent risk.
• Privacy obligations are the same for both cloud and non-cloud based systems: Privacy obligations do not change when information moves into the cloud. This means that most organisations' efforts to manage privacy and information risks can be applied to cloud-based systems with only minor modifications, once cloud complexity is understood. This can provide a low-cost starting point to manage cloud and privacy risks.
Going by the above findings, what enterprises need to do is identify the common areas in
security that need to be addressed from a technology perspective, develop use cases
specifically for cloud security based on their individual requirements, create a comprehensive
information security strategy to address security concerns with respect to the cloud, and embed
the same throughout the enterprise's cloud life cycle.
Several components need to be addressed to provide comprehensive cloud security. In addition,
the cloud security strategy must be aligned with an enterprise's overall IT security policies and
guidelines. We have identified six technical domains that need to be considered while
formulating a cloud security strategy: data, governance, user and identity management,
infrastructure, platform and software, and integration.
[15] Information Security Forum (2013, February). Data privacy in the cloud. Retrieved from http://www.infosecurityeurope.com/__novadocuments/107034?v=635780175741100000
19. Common cloud security use cases
Based on the above recommended cloud security domains, PwC has developed some common
cloud security use cases that can act as guidance for identifying the key requirements of an
enterprise when adopting cloud computing. Each of these use cases has been supplemented
with key security and privacy issues that an enterprise must address and the associated
recommendations to address the same from a technology point of view.
Use case 1: SaaS migration
Common issues faced by enterprises: How do I assess and address the risk of SaaS adoption before and after migration?
Recommended approach:
• Perform vendor risk assessment, including SaaS architecture and security, to develop a repeatable assessment framework
• Educate/work with procurement on contract terms
• Develop a SaaS/cloud security services layer for SaaS (security information and event management [SIEM], identity access management [IAM], data loss prevention [DLP], encryption, etc.); consider security as a service
[Figure: Cloud security strategy, built around six domains: data; integration; governance; users and identity; infrastructure; platform and software. Items listed in the figure:]
• Data loss prevention
• Secure storage, secure disposal
• Audit and forensics
• Roles and authorisation levels and authentication
• Evaluation/monitoring of usage patterns
• Programme awareness and education
• Entitlement stores and role-based access control
• Security functionality
• Network configuration
• Cloud hardening
• Vulnerability management
• Infrastructure operations
• Data classification
• Data backup, retention
• Data ownership, segregation
• Risk assessments
• Encryption/tokenisation
• Interoperability
• Lock-in/portability
• Security analytics
• Administration console
• Public/private/hybrid models
• Secure connection to other systems and data
• Event management
• Threat and vulnerability identification in software development life cycle (SDLC), deployment, upgrade of the application
• Access control
• Monitoring/management
• Application vulnerability management and remediation
• Define processes and policies (ownership, connectivity, privacy, audit/wipe)
• Legal (NDA, SLA, licensing)
• Audit and compliance
• Identifying preferred suppliers/service level for business
• Business continuity
• Training and awareness
• Clear security control framework
20. Use case 2: Internal private/hybrid cloud infrastructure buildout
Common issues faced by enterprises: How do I build and operate a private/hybrid infrastructure service securely?
Recommended approach:
• Assess private cloud security architecture using an environment and solution-specific framework (e.g. modified Cloud Security Alliance [CSA] [16], International Organization for Standardization [ISO] [17], National Institute of Standards and Technology [NIST] [18], adapted to your architecture, implementation and operations)
• Develop cloud security architecture to address gaps; on-premise security may suffice (but look at security as a service if also using public IaaS)
Use case 3: Sensitive data security and compliance across SaaS environments
Common issues faced by enterprises: How do I detect and protect/respond to what is already on the cloud?
Recommended approach:
• Perform SaaS inventory and data discovery risk assessment
• Develop SaaS environment risk assessment capability using customised data protection policies and purpose-built tools
• Design and implement training, awareness, and response processes
Use case 4: Identity and access management for the cloud
Common issues faced by enterprises: We need cost-effective and easy-to-deploy IAM for portals, mobile, and SaaS/cloud environments. What should we do?
Recommended approach:
• Develop the IAM strategy refresh while looking at where/how best to adopt identity-as-a-service (IDaaS) to drive business and IT value
• Develop/revise an IAM roadmap and select an IDaaS vendor
• Execute the roadmap
[16] CSA is the world's leading organisation dedicated to defining and raising awareness of best practices in order to help ensure
a secure cloud-computing environment. It has developed the Cloud Controls Matrix (CCM), a controls framework that gives a
detailed understanding of security concepts and principles that are aligned to CSA guidance. It also operates the most popular
cloud security provider certification programme, the CSA Security, Trust & Assurance Registry (STAR), a three-tiered provider
assurance programme of self-assessment, third-party audit and continuous monitoring.
[17] ISO is responsible for ISO 9000, ISO 14000, ISO 27000, ISO 22000 and other international management standards.
[18] NIST is the federal technology agency that works with industry to develop and apply technology, measurements and
standards.
21. Use case 5: Shadow IT and cloud governance
Common issues faced by enterprises: We cannot protect what we do not know. How do we detect and govern shadow IT use of the cloud?
Recommended approach:
• Develop policies to address/guide non-IT managed tech securely
• Develop cloud inventory and risk assessment capability (see SaaS data security)
• Develop data detection and/or encryption capabilities for cloud environments
Use case 6: Data centre migration to IaaS
Common issues faced by enterprises: How should risk and security play into migration decision-making, architecture, and operations?
Recommended approach:
• Develop a migration risk and operational assessment framework
• Assess the IaaS vendor for native risk/security capabilities with specific end-state architecture in mind; design controls to address gaps
• Implement cost and risk-appropriate controls in a phased/strategic manner
[19] This can include the cloud tenant or the consumer, cloud service provider, cloud broker and other members in the cloud
service providers' supply chain.
[20] Hogan Lovells. (2010). Cloud computing: A primer on legal issues, including privacy and data security concerns. Retrieved
from http://www.cisco.com/c/dam/en_us/about/doing_business/legal/privacy_compliance/docs/CloudPrimer.pdf
Regulatory, compliance and legal issues to consider when moving to the cloud
The regulatory, compliance and legal issues related to cloud privacy are another major challenge
for businesses planning to move their workloads to cloud environments. Moreover, the changing
nature of the legal and regulatory landscape around cloud computing creates a practical challenge
in understanding how a law applies to the different parties [19] under various scenarios.
Regardless of the cloud service or the deployment being used, an enterprise will also need to
consider the issues surrounding the data collected, stored and processed in the cloud. Some of
these concerns are related to a specific industry and some to where the data is stored or
transferred, or both.
The key challenges enterprises face with regard to the various regulatory, compliance and legal
issues in cloud computing services are outlined below [20]:
Cloud computing that employs a hybrid,
community or public cloud model 'creates
new dynamics in the relationship
between an organization and its
information, involving the presence of a
third party: the cloud provider. This
creates new challenges in understanding
how laws apply to a wide variety of
information management scenarios.'
Source: Security guidance for critical areas
of focus in cloud computing, published by
the CSA
22. • Compelled disclosure to the government
• Data security and disclosure of breaches
• Transfer of, access to, and retention of data
• Location of data
The table below summarises the above concerns and identifies the applicable or related laws,
regulations and standards in the US, UK and India.
[21] Ibid.
[22] Mohammed, A. T., AlSudiari, T., & Vasista, T. G. K. (2012, March). Cloud computing and privacy regulations: An exploratory
study on issues and implications, Advanced computing: An international journal (ACIJ), 3(2).
[23] ECPA was enacted by the United States Congress to extend government restrictions on wire taps from telephone calls to
include transmissions of electronic data by computers. New provisions were added to prohibit access to stored electronic
communications (i.e. the Stored Communications Act, 1986).
[24] SCA addresses voluntary and compelled disclosure of 'stored wire and electronic communications and transactional records'
held by third-party Internet service providers.
[25] The US Patriot Act is an Act of Congress that was signed on 26 October 2001 and amended in 2005. It allows the Federal
Bureau of Investigation (FBI) access to certain business records with a court order. The law limits the ability of cloud providers
to reveal that they received an order; hence, cloud users may not even know about a disclosure.
Concern 1: Compelled disclosure to the government
Description [21]:
• Information stored on the cloud is subject to different protections (primarily jurisdictional) than information stored in-house
Related laws, regulations and standards [22]:
In the US
• Electronic Communications Privacy Act (ECPA), 1986 [23]
• Stored Communications Act (SCA), 1986 [24]
• USA Patriot Act, 2001 [25]
• Federal Trade Commission (FTC) Fair Information Practice, 1973
In the UK
• Regulation of Investigatory Powers Act (RIPA), 2000
In India
• Right to information (RTI) Act, 2005
• Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011
23. Concern 2: Data security and disclosure of breaches
Description:
• How does a cloud provider protect a cloud consumer's data?
• When the law (primarily industry specific) imposes data security requirements on a cloud consumer, how can it ensure compliance when in-house storing the information on the cloud?
• If the cloud's security is breached, must the cloud provider give notice of the breach?
Related laws, regulations and standards:
In the US
• Family Educational Rights and Privacy Act (FERPA) [26]
• Gramm-Leach-Bliley Act (GLBA) [27]
• Health Insurance Portability and Accountability Act (HIPAA) [28]
• Health Information Technology for Economic and Clinical Health (HITECH) Act [29]
• Sarbanes-Oxley Act (SOX), 2002 [30]
• State laws and regulations (for data breach notification)
• Section 5 of the FTC Act, 1914 [31]
In the UK
• Data Protection Act (DPA), 1998 [32]
• The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations (PECR), 2011
• Directive 95/46/EC (data protection directive) [33]
In India
• No specific laws but IT Act, 2005, and 2008 amendments (cyber law) can be helpful
• Recently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, provides regulation on collection, disclosure, transfer and storage of sensitive personal data, and widens the scope of the regulation in section 43A of the 2000 act.
[26] FERPA is a federal law that affords parents the right to have access to their children's education records, the right to seek to
have the records amended, and the right to have some control over the disclosure of personally identifiable information from the
education records.
[27] GLBA requires financial institutions (companies that offer consumers financial products or services like loans, financial or
investment advice, or insurance) to explain their information-sharing practices to their customers and to safeguard sensitive
data.
[28] HIPAA is a US legislation that provides data privacy and security provisions for safeguarding medical information.
[29] The HITECH Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, was signed into law on 17
February 2009 to promote the adoption and meaningful use of health information technology.
[30] The SOX Act of 2002 is a legislation passed by the US Congress to protect shareholders and the general public from
accounting errors and fraudulent practices in the enterprise, as well as improve the accuracy of corporate disclosures.
[31] Section 5 prohibits entities from engaging in unfair or deceptive acts or practices in interstate commerce.
[32] DPA is an Act of the Parliament of the UK and Northern Ireland which defines the UK law on the processing of data on
identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK.
[33] The Data Protection Directive (officially, Directive 95/46/EC on the protection of individuals with regard to the processing of
personal data and on the free movement of such data) is a European Union (EU) directive adopted in 1995 which regulates the
processing of personal data within the EU. It is an important component of the EU's privacy and human rights law.
24. Concern 3: Transfer of, access to, and retention of data
Description:
• Will companies and consumers have access to data on the cloud?
• Can the data (stored in the cloud) be destroyed by the cloud provider or should it be returned to the cloud consumer?
Related laws, regulations and standards:
In the US
• Freedom of Information Act (FOIA), 1967 [34]
• Payment Card Industry Data Security Standard (PCI DSS) [35]
• FTC Fair Information Practice, 1973
In the UK
• The 'Safe Harbour' agreement (for data transfer between the EU and US) [36]
In India
• No specific laws in India, but the RTI Act, 2005, can be helpful
Concern 4: Location of data
Description:
• The physical location of the (cloud) server storing the data may have legal (jurisdictional) implications.
Related laws, regulations and standards:
In the US
• National Association for Regulatory Administration (NARA) regulations (Title 36 of the code of federal regulations)
• PCI DSS
• Sarbanes–Oxley (SOX) Act, 2002
• FTC Fair Information Practice, 1973
In the UK
• Compliance with EU Data Protection Directive (EC/95/46) (the directive) is required
In India
• No specific laws in India but the IT Act, 2008, can be helpful
The above sections highlight the fact that businesses need to deliberate upon a number of
considerations from a technical, regulatory compliance and legal perspective before migrating
to the cloud. The task might seem daunting; however, following a structured approach with
initial due diligence can help address the above issues.
We have identified two industries which have stringent data privacy and security
requirements, healthcare and financial services, to drive home the point that security and privacy
should not be an issue hindering cloud adoption if an enterprise follows a structured approach
with proper due diligence and adheres to industry best practices.
[34] FOIA is a law that gives you the right to access information from the federal government.
[35] PCI DSS is a widely accepted set of policies and procedures intended to optimise the security of credit, debit and cash card
transactions, and protect cardholders against misuse of their personal information.
[36] EU privacy law forbids the movement of its citizens' data outside the EU, unless it is transferred to a location which is deemed
to have 'adequate' privacy protections in line with those of the EU. The Safe Harbour agreement that was made between the EC
and the US government essentially promised to protect EU citizens' data if transferred by American companies to the US.
25. Addressing security, privacy and regulatory concerns in healthcare
Technology is disrupting the healthcare industry: never have patients been so involved in
their healthcare. According to our Customer Experience in Healthcare survey, 55% of
patients trust the Internet more than a doctor, 75% want to move from informed consent
to shared decision-making and 74% of the consumers are open to virtual doctor visits.
We believe technological advances will continue in the future, and the healthcare industry will
see adoption of more and more disruptive technologies. These advancements will be at the heart
of revolutionising the healthcare industry that we know today. Technology will become a key
driver of change and a solution for creating greater efficiency and value. Technological
advances are creating new care delivery models and the most interesting fact is that consumers
are responding to the same. According to a report published by PwC [37], about 49% of the patients
said they expect mHealth to change how they manage their overall health and 59% said mHealth has
changed how they seek information on health issues. Further, another 59% of the patients said
mHealth services have replaced some visits to doctors or nurses. Technology is clearly empowering
patients to take greater accountability for their care.
The revolution in the healthcare industry is giving rise to a new health economy. In this new
economy, the traditional notion of 'how, where and by whom care is delivered' is changing.
Consumers are ready to receive care in new ways and in new places. This is forcing
organisations to re-examine their current business models to demonstrate value. According to
PwC's 17th Annual Global CEO Survey, 94% of healthcare CEOs plan to alter their customer
growth and retention strategies, and 84% plan to alter their channels to market. The top three
global trends that healthcare CEOs believe will transform their business the most over the next
five years include technical advances, demographic shifts and a shift in global economic power.
The areas where the CEOs believe a change is already underway are the use and management
of data and data analytics, technology investments, and R&D and innovation capacity.
Some characteristics of the healthcare revolution we are experiencing today:
• Emergence of new business models
• New entrants expanding and reshaping the health system
• Rebalance of the public and private sectors in the financing and delivery of care
• Greater focus on reward for outcomes instead of volume of activity
• Shift in trend from inpatient care to outpatient services
• Industrialising of the healthcare sector
[37] PwC. (2014). Emerging mHealth: Paths for growth. Retrieved from
https://www.pwc.com/gx/en/healthcare/mhealth/assets/pwc-emerging-mhealth-full.pdf
26. The cloud is foundational to this healthcare transformation. Be it mHealth, virtual healthcare,
telemedicine, leveraging big data analytics for bulk data management or trying to make sense
of the online medical chatter, the cloud is the fundamental building block which provides
secure, robust, scalable infrastructure or a platform with literally infinite computation and
storage capacity. The global cloud computing market is thus poised to witness unprecedented
interest from the healthcare services sector and will register a compound annual growth rate
(CAGR) of 21.3% between 2012 and 2018. The global cloud computing market size for healthcare
is estimated to be 6.79 billion USD by 2018 [38]. According to industry estimates [39], the total
addressable opportunity for cloud solutions in the Indian healthcare industry (hospitals) could
be around 600 million USD by 2020. Further, cloud solutions may account for close to 40% of the
total annual healthcare IT spending in India.
With the potential cloud holds for the healthcare transformation, healthcare providers are taking
measured steps toward the cloud. They remain circumspect about data privacy, security and
service levels. This is primarily due to the numerous challenges being faced by the healthcare
providers, primarily in terms of the need to comply with the HIPAA and HITECH Act for
meaningful use of information, recovery audit tracker (RAC) audits, International Classification
of Diseases (ICD)-10, and the mandate of providing improved care while protecting patient
health information (PHI).
The most common use cases of the cloud in healthcare include electronic medical records
(EMRs), radiology information systems (RISs), picture archiving communication systems
(PACs), backup and disaster recovery, virtual desktops, and consumer and patient portals that
streamline communications with external and internal parties. In addition, the cloud is ideal for
managing and maintaining integrated population health and clinical information by using care
collaboration tools and deploying big data analytics solutions: data analysis, data warehousing
and health information exchanges (HIEs).
Contrary to popular belief, the cloud provides a more robust and secure environment and
ensures easier compliance with the HIPAA or HITECH Act.
Our experience of working with multiple healthcare organisations has enabled us to come up
with the following best practices that need to be followed for cloud planning and migration:
[38] Transparency Market Research. (2015). Cloud computing market: Global industry analysis, size, share, trends and forecast
2012–2018. Retrieved from http://www.transparencymarketresearch.com/healthcare-cloud-computing.html
[39] Zinnov Management Consulting. (2010). Indian healthcare poised to harness the cloud. Retrieved from
http://www.indiatechonline.com/special-feature.php?id=64
[Figure: chart, in %, for three areas (Use and management of data and data analytics; Technology investments; R&D and innovation capacity) across four stages grouped as planning and doing (Recognise need to change; Developing strategy to change; Concrete plans to implement change programmes; Change programme underway or complete). Source: PwC's 17th Annual Global CEO Survey]
27. Category 1: Assessment
Recommended best practices:
• Assess the current IT infrastructure and applications landscape to identify applications/services that can be migrated to the cloud
• Determine the appropriate cloud deployment model: private, public or hybrid
• Determine the appropriate cloud service model: IaaS, SaaS, PaaS
• Understand the data security, privacy and risk implications of the above cloud models and their respective combinations
• Conduct cost-benefit analysis for the chosen model and build a business case
Category 2: Integration
Recommended best practices:
• Determine integration requirements
• Determine data flow model between applications
• Clearly outline security and compliance requirements for each application
• Develop a comprehensive security strategy for cloud
Category 3: Migration planning
Recommended best practices:
• Develop a migration plan
• Develop a pre- and post-migration checklist
• As part of the migration plan, also develop a checklist for vendor evaluation:
  - Tier III data centre that is Service Organization Controls (SOC) II and III and Statement on Standards for Attestation Engagements (SSAE) 16-certified
  - HIPAA and PCI compliant
  - Determine SLAs that address the main components of availability: security, network, cloud platform and storage
Category 4: Vendor due diligence
Recommended best practices:
• Conduct rigorous vendor evaluation
• Choose a vendor that satisfies the following requirements:
  - Is HIPAA compliant and ready to sign a HIPAA business associate agreement
  - Supports SOC2, SSAE16 and HIPAA compliances
  - Provides defined SLA with response times based on organisational risk classification (emergency, urgent, standard, and so on)
  - Flexibility to provision additional cloud services as necessary
  - Deliver 24X7X365 live healthcare-level support
  - Focus on healthcare industry and list of existing clients
Category 5: Solid implementation process
Recommended best practices:
• Develop an implementation plan with a clear focus on the following:
  - Clearly defined project management plan
  - Performance monitoring
  - Roll-back plan if critical applications/services need to be reverted temporarily to the old infrastructure
  - Organisational change management and training
  - Defined schedule of deliverables with roles and responsibilities
  - Project progress and issue-tracking mechanism
28. Addressing security, privacy and regulatory concerns in financial services
'We are a technology company…'
– Lloyd Blankfein, Goldman Sachs
The financial services industry is at a crossroads. CEOs are generally optimistic about the
economy and their own company prospects, but are concerned about the impact of factors beyond
their control, such as regulatory change and geopolitical instability, along with industry
disruption from new entrants. The uncertainty and change that lie ahead are reflected in the
fact that 61% of industry leaders believe there are more opportunities for growth than there
were three years ago. However, almost as many (58%) believe there are more threats. [40]
Technological advancements in this sector are reshaping the relationship between customers and
companies by lowering the barriers to entry that had existed traditionally. Global megatrends
identified by PwC (demographic and social change [41], rapid urbanisation [42] and shift in global
economic powers [43]) are enabling the proliferation of new business model adoption. In addition,
customer behaviours and expectations are changing, driven by experiences outside the financial
services industry.
This intersection of the financial services and technology sectors has led to the emergence of a
new breed of companies, which are termed as fintech. The key driver for fintech is the
convergence of retail financial services with social media, mobile, analytics and cloud
technology. This is making the business leaders of the incumbent financial services
organisations question the very business they are in as they are forced to reassess how their
organisation's differentiating capabilities can be better used to negate the threat of fintechs
and solve customer problems.
[40] PwC. (2015). 18th Annual Global CEO Survey. Retrieved from https://www.pwc.com/gx/en/ceo-agenda/ceosurvey/2016.html
[41] By 2020, millennials will form 50% of the global workforce and by 2020, 78 million baby boomers born between 1946 to 1964
will hit retirement age. Source: PwC. (2014). Anticipating problems, finding solutions. Global Annual Review. Retrieved from
https://www.pwc.com/gx/en/global-annual-review/assets/pwc-global-annual-review-2014.pdf
[42] Currently, 50% (and growing) of the world's population lives in urban areas. Source: PwC. (2012). Insurance 2020: Competing
for the future. Retrieved from https://www.pwc.com/gx/en/insurance/pdf/pwc-life-insurance-2020-competing-for-a-future.pdf
[43] The global middle class is projected to grow by 180% over the next 25 years. Source: PwC. (2010). Asset management 2020: A
brave new world. Retrieved from
https://www.pwc.com/gx/en/asset-management/publications/pdfs/pwc-asset-management-2020-a-brave-new-world-final.pdf
Key fintech highlights:
• Global financial services revenue potentially impacted by Fintech companies: ~4.7 USD trillion
• Year-on-year funding growth to fintech companies from private equity and venture capital firms from 2010 to 2014: ~45.8%
• Number of fintech companies on AngelList as of May 2015: ~4,000
Source: The future of finance, volumes 2 and 3, Goldman Sachs, March 2015, and FinTech Week London, 2015
Why you should consider the cloud in the financial services industry:
• Accelerate time to market
• Innovate with the business
• Respond rapidly to changes in demand
• Optimise cost and usage of assets
29. Cloud-based solutions can create remarkable opportunities across the enterprise as they
present strategic ways to strike a balance between enabling business growth and innovation
and lowering costs while continuing to provide operating efficiencies. CIOs are now looking at
cloud solutions to transform a traditional IT department into a business growth engine, revamp
operations to achieve scale and enhance speed and collaboration, and spark innovation around
new products and services to generate new sources of revenue.
Through our interaction with leading financial services companies globally, we continue to see
key financial services firms push to gain time to market and cost optimisation benefits from the
cloud. However, data security and privacy concerns, regulations, legacy infrastructure and
migration costs seem to counteract the business case and are a major reason for preventing a
faster adoption rate. Data security remains the foremost concern among
cloud users in the financial services industry, and regulatory restrictions are a major obstacle to
the adoption of cloud computing within financial services. Around 60% of financial institutions
rank data confidentiality as their biggest security concern, followed by loss of control of data
(57%) and data breach (55%). Another 71% of financial companies consider compliance as a
reason to keep controls in-house and not migrate data to public cloud services. [44]
[44] CSA. (2015, March). How Cloud is Being Used in the Financial Sector: Survey Report. Retrieved from
https://downloads.cloudsecurityalliance.org/initiatives/surveys/financial-services/Cloud_Adoption_In_The_Financial_Services_Sector_Survey_March2015_FINAL.pdf
[Figure: percentage of survey respondents giving each rating, on a scale of 1 (low) to 5 (high), for the following concerns: User activity monitoring/visibility; Data breach; Data loss; Lack of auditing features; Malicious insider; Secure deletion; Availability; Integrity; Data confidentiality; Compliance and legal issues; Isolation failures; Provider lock-in; User account control; Loss of control over data (governance). Source: Cloud Security Alliance, March 2015]
30. We have listed some of the major data regulations that can have a significant impact on financial
services organisations seeking to remain compliant with domestic and international
regulations. It is critical for financial services organisations to be aware of the various country-
specific regulations prevalent in the industry and to have a clear idea of the implications of each
and the steps required to ensure compliance. The point we want to highlight is that the
regulatory requirements for financial services institutions may vary because of the use of the
cloud, but the belief that compliance with regulatory requirements requires the use of one
specific type of technology is a misconception. This false assumption mainly stems from the
complex nature of these regulations and the lack of clarity surrounding them.
Country/region: Worldwide
Regulation: PCI DSS
Data type: Credit card
Guidelines to meet the regulatory requirements:
• Protect credit card details like card number, expiry date, service code and cardholder's name from logical or physical access
• Implement a role-based access control mechanism to provide separation of duties between administrators and users accessing credit card information
• Store encryption keys securely and implement a strong key management procedure (like dual control)
• Establish a logging mechanism for access and administration of encryption keys and sensitive data
• Document your process and protection measures
Country/region: The US
Regulation: GLBA
Data type: Corporate finance
Guidelines to meet the regulatory requirements:
• Ensure security and confidentiality of customer records and information
• Protect against any anticipated threats or hazards to the security or integrity of such records
• Protect against unauthorised access to or use of such records or information which could result in substantial harm or inconvenience to any customer
Country/region: Europe
Regulation: EU Data Protection Directive of 1995 (46/EC) and Internet Privacy Law of 2002 (58/EC)
Data type: Personal information
Guidelines to meet the regulatory requirements:
• Notice: That personal data is being collected
• Purpose: Data should only be used for stated purposes
• Consent: Data should not be disclosed without the subject's consent
• Security: Collected data should be kept secure from any potential abuses
• Disclosure: Subjects should be informed about who is collecting their data
• Access: Subjects should be allowed to access their data and to make corrections to any inaccurate data
• Accountability: Data subjects should have a method available to them to hold data collectors accountable for following the above principles
31. Based on our experience of helping major financial institutions achieve a transformation
through technology, we have developed a set of best practices for the financial services sector to
address the issue of data security, protection and regulatory compliances while adopting cloud
computing.
Steps and high-level recommendations

1. Assess: Before moving sensitive financial or customer-related information to the cloud,
conduct a detailed assessment to identify the following:
• Stakeholders (internal and external) who should or should not have access to the data
• Develop a mechanism to define content that is sensitive or non-sensitive, proprietary or
not, and is or can be subjected to regulations or not
• Identify where in the cloud the data will reside, and the respective regional or
country-specific data protection, privacy, disclosure and other laws that might be applicable

2. Design: Once the assessment is complete, develop practical system designs and identify
effective tools to protect sensitive information in order to ensure the following:
• Unauthorised users are not able to access, leak or disclose protected and sensitive data
• Ability to apply the appropriate level of security to specific data types to the required
level of granularity, including encryption, tokenisation, data loss prevention and malware
protection
• Complete visibility and reporting over data that is entering and leaving the cloud
environment. This is critical because effective monitoring and audit of activities in the
cloud are a must to demonstrate compliance with regulations.

3. Build: Build and implement appropriate solutions around your cloud environment to ensure
the following:
• Data sanctity is maintained in terms of formats, fields and functions; meta data is
maintained both for structured and unstructured data
• Searching, sorting, indexing and reporting of data while it is secured in the cloud
• A unified platform that supports any type of cloud application and integrates with the
existing third-party enterprise tools used in the on-premise environment

4. Review: Implement mechanisms and associated solutions to ensure ongoing monitoring of
data and information flowing in and out of the cloud and provide detailed visibility,
application awareness and understanding of the context of business information by
ensuring the following:
• Granular reporting and visibility of cloud application usage, with a focus on user roles,
content and accessibility to specific types of data
• Monitoring of data loss prevention policies, violations and actions taken to address any
anomalies occurring in the system
• Integration between multiple cloud applications to ensure seamless data flow and provide
consistent controls across the enterprise
9 State of data protection and privacy laws in India

Like the global market, cloud computing is set to transform the business and operating
model of Indian organisations and move them up the digital value chain. According to
Gartner, cloud computing will constitute the bulk of IT spending by 2016 and in India
alone, it is predicted that the cloud market will reach over 3 billion USD by this year, an almost
fivefold increase from 2012. Though the cloud story will be led primarily by small and medium
businesses (SMBs) and the growing start-up community in the country, we believe enterprises
will also have a major role to play in this space. With major cloud service providers like Microsoft
and Amazon setting up their data centres in India, the future for the cloud looks promising.
The roll-out of the Digital India initiative by the Government of India will provide a major push
for Indian organisations to switch to the cloud model. However, the lack of specific legislations
on privacy and data protection in India continues to remain a key concern for organisations in
this space. Moreover, the global and distributed nature of the cloud makes it even more difficult
to ensure that all laws and regulations applicable to a given case are complied with.
A summary of data protection laws in India that may be relevant to the cloud has been provided
below:
• Under the IT Act, 2000, a network service provider or an intermediary is liable for any
known misuse of third-party information or data, or for not exercising due diligence to
prevent the offence. The IT Act, 2000, covers offences and contraventions committed outside
India as well, irrespective of the offender's nationality, as long as the computer system or
network is located in India.
• In India, the IT Act, 2000, deals remotely with the issue of privacy in cloud computing.
Section 72 of the IT Act lays down the penalty for breach of confidentiality and privacy. This
section is one of the few provisions which apply in the case of breach of privacy. The offence
is punishable with imprisonment up to two years and a fine up to 1 lakh INR.
• Apart from section 72, we have section 80 of the IT Act, 2000, which deals with the search
and seizure of computer data on connected systems if there is reasonable justification to do so.
Recent developments
In 2011, the Indian government introduced the
Information Technology (Reasonable Security
Practices and Procedures and Sensitive Personal
Data or Information) Rules, 2011, which provide a
list of items which will be treated as 'sensitive
personal data' and include various provisions
which govern the collection of such information
by a body corporate. Further, the rules impose a
mandate upon the entities to implement a privacy
policy for dealing with the relevant issues.
According to these rules, a body corporate shall
seek the consent of the concerned provider before
disclosing the sensitive data to a third party,
unless such disclosure was agreed upon by the
parties through any contract. However, the rules
also state that such information can be shared
without any prior consent with government
agencies mandated under law, or with any other
third party by an order under the law, who shall be
under a duty not to disclose it further.
In addition, there is the Privacy (Protection) Bill,
2013, which is still in the draft stage (the third
draft has been updated) and has not yet been
passed as a rule or law. However, this new bill
remains silent on the issue of location of data and
focusses primarily on the protection of personal
data.
• Recently, the concept of due diligence requirements has been prescribed by the Information
Technology (Intermediaries Guidelines) Rules, 2011. The cyber law due diligence
requirements oblige all companies and intermediaries to ensure that privacy is maintained
and respected in the cloud. Intermediaries need to take proper measures to maintain and
safeguard all information that is stored in the cloud from unauthorised access. In particular,
they need to put more emphasis on cloud services dealing with monetary transactions.
Further, if cloud service providers fail to provide or observe due diligence, then they will be
subject to legal action.
• Similarly, under section 69 of the IT Act, 2000, the government has the authority to monitor as
well as decrypt any information shared through a computer resource in the cloud.
10 Conclusion

Clearly, data privacy and protection laws in India with regard to the cloud are still at a
nascent stage and there has not been much progress in comparison with other developed
nations. Many countries have managed to ensure that the data in the cloud is protected by
implementing certain geographical restrictions which disallow cross-border data
interchange.[45] Such measures have put a check on the data being saved in the cloud from
unwarranted access and usage. Given the existing regulations around the world to protect
privacy, we feel there is a serious lack of regulations and legislations around data privacy
and protection in the cloud in India. Though the Government Cloud Policy,[46] published by the
Government of India in 2013, highlights security and privacy as a potential area of risk for cloud
adoption and acknowledges the need for standardised policies and guidelines for data security
and privacy in the cloud for the country, none have been published till date.

In the US, the Patriot Act gives the government
broad latitude to intercept suspicious electronic
data that comes through the country. In the EU,
the data protection directive imposes stringent
standards on the collection of electronic data by
the government and by any other entity. In the UK,
the Information Commissioner's Office (ICO) has
published clear guidance which outlines the
responsibilities of companies storing the data of
their customers in the cloud. As part of this
guidance, full responsibility for security of the
data lies with the company that owns the data,
rather than the company taking care of it. Hence, if
an organisation with customer data (stored and
processed in the cloud) suffers a data breach, it
will not be able to blame the third party (i.e. the
cloud service provider).

PwC recommends a four-pronged approach for defining policy guidance around data protection
and privacy for cloud and cyber security in India.

Steps and recommendations

1. Identify
• Identify the data protection and privacy laws relevant to cloud computing and
cyber security being enforced globally
• Determine gaps in the current state of laws and regulations related to data
protection and privacy in India
• Define areas that need to be addressed and draft high-level policy principles

2. Formulate
• Elaborate on the policy principles to draft detailed policies
• May require formulating new policies and/or making amendments to existing
policies and acts

3. Enforce
• Develop a framework for policy enforcement

4. Review
• Develop a review mechanism
• Conduct regular reviews of the relevance of the enforced laws and regulations
• Make amendments as required
It must be noted that the last step of the above approach, i.e. review, is a critical step because,
given the rapid pace of advancements in the space of cloud computing, a law or regulation that
is relevant today may not be relevant in a few years. In addition, participation from the industry
is recommended while drafting the policies.

[45] Sen, K. (2013). India: Privacy issues in cloud computing with reference to India. Retrieved from
http://www.mondaq.com/india/x/279070/Data+Protection+Privacy/Privacy+Issues+In+Cloud+Computing+With+Reference+To+India
[46] DeitY, Government of India. (2013, May). Government of India's GI cloud (MeghRaj) strategic direction paper. Retrieved from
http://deity.gov.in/content/gi-cloud-initiative-meghraj
11 Appendix

Case study #1: Application migration to the Azure cloud
*The content of the case study has been provided by Narayana Hrudayalaya.
Company
Narayana Hrudayalaya, also known as Narayana Health (NH)
Project
Application migration to the Azure cloud
Challenges
NH has been expanding its national and international presence significantly through a
combination of greenfield projects and acquisitions. It used to host its mission critical
applications, namely Health Information Management System (HINAI), enterprise resource
planning (ERP), ICU monitoring and its related applications, out of a managed data centre
service provider facility in India. The on-premise infrastructure and its related applications
suffered from performance bottlenecks and service downtime along with governance, process, and
compliance issues. All these factors caused multiple unscheduled outages, which resulted in
poor end-user experience and negative customer feedback.
In 2013, PwC had conducted a data centre and application architecture assessment across its
entire applications landscape across multiple service areas at NH. Several issues such as lack of
high availability (HA), disaster recovery (DR) and workload characterisation were identified
and the application performance issues were fixed.
The intent for PwC was not only to address the current challenges faced at NH but also to lay
down a roadmap for the technological transformation. As recommended, major and minor
initiatives were undertaken over a 3-6-12 month period as part of the digital transformation.
Some of the key initiatives included the following:
• Migrating HINAI (along with other business applications) from its current virtualised
environment to a true cloud infrastructure
• Developing enterprise-wide policies and standards for operations in the cloud
• Formulating and implementing IT service management processes for the cloud
infrastructure environment
• Adopting a continuous application delivery approach to operationalise high-frequency
release cycles
Project description
Based on PwC's recommended roadmap, NH decided to embark on the cloud journey. PwC was
engaged for programme management and was appointed as the implementation partner for the
cloud migration. The approach taken by PwC was as follows:
• Assessing and benchmarking NH's application infrastructure performance and utilisation
levels
• Setting up a managed test area (MTA) for HINAI, Oracle eBS, iKare, TruMobi and SAP on both
AWS and Azure platforms
• Assisting the respective application teams for the creation and implementation of
application-wise test plans, success criteria, and testing methodologies
• Executing integrated infrastructure testing and generating relevant test reports for the MTA
platforms. Based on the test results, the Azure cloud was selected by NH as the preferred
cloud platform.
• Defining the standards and best practices to be followed by NH, pre- and post-migration to
the cloud covering regulatory requirements, locational feasibility, application latency, user
experience, cost, ownership, vendor relationship management, service level agreements
(SLAs), technical support, contract, billing, licensing, IP addressing, workload segregation,
network connectivity, redundancy, security, baseline hardening, storage provisioning and
configuration.
• Defining architectural principles ranging from enterprise (self-service, metering and
chargeback), operations (resiliency, modularity, elasticity, scalability, flexibility,
performance assurance, automation, orchestration and workflow, failover/HA, agility and
business continuity) and security (role-based access control, isolation, policy enforcements,
audit, compliances, monitoring and reporting) requirements
• Designing NH's target cloud deployment architecture and validating the same with the
architects from Microsoft Azure and obtaining a sign-off on the design from the client
• Building, constructing and configuring the designed target cloud environment in Azure and
providing cloud infrastructure support to the respective applications team during the
application/database setup and configuration
• Preparing the application migration plan with defined move groups, migration wave
timelines, pre- and post-cutover requirements and communications plan
• Working closely with the applications team and providing the required cloud infrastructure
support during production cutover
• Defining, documenting and formalising the IT service management framework for the
following key processes to be followed in the cloud environment: incident management,
problem management, change management (aligning it with the existing process at NH),
availability management and vendor relationship management
• Defining, documenting and formalising the standard operating procedure (SOP) with
detailed steps, process flow, and flowcharts for the following areas: managed network and
firewall services, application user provisioning, desktop-laptop request, local administrator
access, IT asset management, desktop-laptop-standard operating environment, IT
peripherals request, SSL VPN[47] access, cloud instance provisioning, cloud instance
de-provisioning, infrastructure power checks and core infrastructure resource request
• Providing day-to-day operations support and coordinating with multiple stakeholders
within NH for programme management
In addition, PwC leveraged its internal IPs in terms of accelerators, frameworks and
methodologies, such as the transform methodology, cloud reference architecture, cloud
components map, application profiling framework and cloud migration programme tracker
during the entire project for ensuring efficient delivery.
Impact/potential impact
All business and system applications at NH were migrated to the Azure cloud in a span of two
months. The key impacts are outlined below:
• At least 40% cost savings in IT infrastructure
• Ninety per cent reduction in the infrastructure procurement cycle, from days to hours
• Fifty per cent improvement in overall productivity and responsiveness
• Reduction of proof of concept (PoC) execution time from months to 3-4 days, thus fostering
innovation
• Drastic improvement in satisfying 3,000+ HINAI end-users at NH
Moreover, cloud adoption has paved the way for NH to adopt digital technologies in the
healthcare space and ensure that critical healthcare services are delivered to the common
masses at an affordable cost.
Comments on scalability
HINAI being the core business application at NH, the scalability considerations were duly
noted during the cloud architecture design to ensure that the application and underlying
cloud infrastructure is able to sustain additional loads without affecting the performance.
'The (PwC) team offered their extensive capabilities from a domain and technical
standpoint in the form of methodologies, cloud accelerators, best practices, architecture
standards and programme management. With the help of these accelerators, we were able to
successfully benchmark the application performance across service providers, select a
service provider based on our requirements and migrate our applications with little or no
downtime. The team displayed excellent technical knowledge combined with domain
expertise which, in turn, helped us achieve our strategic objective.
Migration to the cloud should not be considered as a lift and shift programme but as a journey
towards digital transformation, and by partnering with PwC we have taken the first steps towards
the same.'
Kumar Krishnamurthy Venkateswaran, VP and CIO, Narayana Health (NH)

Best practices
Here are the best practices which were followed in the execution of this project:
• Workload characterisation: Conducting assessments and benchmarking the application
infrastructure performance and utilisation levels during the initial phases of the project to
determine the optimum workload requirements in the cloud
• PoC: Conducting PoC tests across multiple public cloud platforms for selecting the cloud
vendor
• Cloud standards: Defining enterprise-wide standards to be followed at NH pre- and
post-migration to the cloud
• Architectural principles: Defining architectural principles covering enterprise, operations
and security requirements
• Design and architecture: Investing considerable time on developing the optimum
architecture design along with its associated components
• SME validation: Conducting multiple rounds of validation of architecture design and its
associated components by the respective SMEs before venturing into implementation and
migration
• Migration planning: Investing a significant amount of time in migration planning to develop
a comprehensive migration tracker; identifying application dependencies to define
application move groups with pre- and post-migration checklists and downtime
requirements by benchmarking data transfer time
• Security: Putting in place a comprehensive strategy to ensure the security of business
critical workloads deployed on the cloud. Some of the controls implemented include
conducting a detailed mapping of all ingress and egress ports for each application and
configuring these in the security controls provided in the cloud, thereby ensuring that no
unauthorised traffic goes into or out to the Internet; and enabling a firewall on all the systems
as an added layer of security
• Update IT service delivery and management processes: Existing IT service delivery and
management processes were updated to incorporate the cloud and the same were
documented and formalised
• Communication: Strengthening communication with the stakeholders since it is the key to a
successful migration exercise. Regular communications were sent to the relevant
stakeholders during the entire exercise.
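The port-mapping control described under 'Security' above can be checked mechanically. The following is an added example, not taken from the report or from NH's environment: it compares a constructed per-application port map with a constructed rule set in a generic, provider-neutral shape. Application names, subnets and the rule format are assumptions.

```python
from ipaddress import ip_network

# Constructed port map: approved flows per application as
# (direction, protocol, port, peer CIDR). Names and subnets are hypothetical.
PORT_MAP = {
    "his-web": [
        ("ingress", "tcp", 443, "0.0.0.0/0"),      # public HTTPS
        ("egress", "tcp", 1521, "10.20.2.0/24"),   # to the database subnet
    ],
    "his-db": [
        ("ingress", "tcp", 1521, "10.20.1.0/24"),  # only from the web subnet
        ("egress", "tcp", 443, "10.20.9.0/24"),    # to the backup endpoint
    ],
}

# Constructed rule set as configured in the cloud security controls:
# (app, direction, protocol, first_port, last_port, peer CIDR).
RULES = [
    ("his-web", "ingress", "tcp", 443, 443, "0.0.0.0/0"),
    ("his-web", "egress", "tcp", 0, 65535, "0.0.0.0/0"),       # allow-all egress
    ("his-db", "ingress", "tcp", 1521, 1521, "10.20.0.0/16"),  # wider than approved
    ("his-db", "ingress", "tcp", 22, 22, "0.0.0.0/0"),         # not in the map
]


def within(inner, outer):
    """True if every address in `inner` is also in `outer`."""
    a, b = ip_network(inner), ip_network(outer)
    return a.version == b.version and a.subnet_of(b)


def audit_rule(rule, port_map):
    """Return findings for one rule; an empty list means the map justifies it."""
    app, direction, proto, first, last, cidr = rule
    flows = [f for f in port_map.get(app, [])
             if f[0] == direction and f[1] == proto and first <= f[2] <= last]
    # Ports the map approves for every address this rule admits.
    justified = {f[2] for f in flows if within(cidr, f[3])}
    # Ports that are mapped, but only for a narrower peer than the rule allows.
    too_wide = {f[2] for f in flows} - justified
    unmapped = (last - first + 1) - len(justified) - len(too_wide)
    findings = []
    if unmapped:
        findings.append(f"{unmapped} port(s) not in the port map")
    if too_wide:
        findings.append(
            f"peer {cidr} is wider than approved for port(s) {sorted(too_wide)}")
    return findings


def missing_flows(rules, port_map):
    """Approved flows that no configured rule permits (the application would break)."""
    missing = []
    for app, flows in port_map.items():
        for direction, proto, port, peer in flows:
            permitted = any(
                r[0] == app and r[1] == direction and r[2] == proto
                and r[3] <= port <= r[4] and within(peer, r[5])
                for r in rules)
            if not permitted:
                missing.append((app, direction, proto, port, peer))
    return missing


def audit(rules, port_map):
    """Check every rule against the map and every mapped flow against the rules."""
    violations = []
    for rule in rules:
        findings = audit_rule(rule, port_map)
        if findings:
            violations.append((rule, findings))
    return {"violations": violations, "missing": missing_flows(rules, port_map)}


if __name__ == "__main__":
    report = audit(RULES, PORT_MAP)
    for rule, findings in report["violations"]:
        print("VIOLATION", rule, "->", "; ".join(findings))
    for flow in report["missing"]:
        print("MISSING  ", flow)
```

Run on the constructed data, the audit flags the allow-all egress rule, the database rule opened to a wider subnet than approved and the unmapped port 22 rule, and reports the approved backup flow that no rule permits.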
Lessons learned
The key lessons learned include the following:
• Laying the foundation: It is necessary to invest time to lay the foundation for the migration
in terms of design and architecture at the later stages of migration, and building a scalable
and robust platform
• Processes post-cloud migration: It is important to understand that the set of processes and
standards relevant in a pre-cloud environment will not hold well in a post-cloud scenario.
Hence, cloud-specific standards and processes for IT service management and delivery
need to be developed.
• Communication: For enterprise-wide migration initiatives, it was important to ensure that
regular communication goes out to all the responsible and associated stakeholders involved.
As mentioned earlier, regular communication was key to the success of the entire initiative.
• Change management: Cloud adoption will be a game changer for most enterprises. Hence,
managing the change is critical, right from the initial stages, and involvement of the senior
management is essential to drive this change.
Recommendations to the government
With the adoption of cloud picking up in India, it is critical for the government to define
standards and policies around cloud hosting, data privacy and security. Independent bodies
like the Cloud Security Alliance (CSA) have defined standards around cloud security and data
privacy; the government may take a cue from this and align the policies with these standards to
ensure standardisation.
Suggestions to other companies
Cloud migration is more than a matter of mere lift and shift. It is advisable to start the cloud
journey with a strategy exercise followed by laying the foundations through extensive planning
and design. NH worked with PwC for three months to define the architecture principles, the
target cloud architecture on Azure along with its associated components, and the standards
and best practices to be followed by NH pre- and post-migration to the cloud. These were
subsequently validated with the Microsoft Azure SMEs as well. Owing to the rigorous planning
and design, we were able to migrate all of NH's business and system applications within two
months, with minimal business downtime.
The entire journey can be broken down into the following phases:
a) Assess
b) Design
c) Construct
d) Implement
e) Operate and review
The above-mentioned phases need to be aligned around strategy, structure, people, process
and technology. This has been outlined below.
[Figure: the five phases aligned around strategy, structure, people, process and technology,
with programme delivery and change management (driving change, delivering change) spanning
all phases. Phase descriptions:]
Assess: Assess current IT applications and infrastructure landscape; determine cloud readiness
Design: Develop target architecture blueprint followed by detailed design
Construct: Build the cloud environment along with the associated components and controls
Implement: Migrate applications to the cloud
Operate and review: Operate the cloud environment and identify areas of optimisation
Key people
• Kumar Krishnamurthy Venkateswaran, VP and CIO, NH
• Jagadeesh Ramasamy, VP and Lead, Business Applications Services
• Sridharan Subramaniam, Senior Manager and Lead, Core Infrastructure Services
Case study #2: SAP on cloud (AWS)
*The content of the case study has been provided by AWS.
Company
Macmillan India
Project
SAP on cloud (AWS)
Project description
In 2011, Macmillan India got a new senior management team, changed its business strategy
and restructured operations in India. The reorganisation prompted them to update the SAP
business suite enterprise resource planning solution, which the company used to manage the
sale and distribution of textbooks across India. The infrastructure in the on-premise data centre
in Chennai had several problems that affected the system's availability.
Challenges faced
The reorganisation prompted Macmillan India to update its SAP Business Suite enterprise
resource planning solution, which the company used to manage the sale and distribution of
textbooks across India. The infrastructure in the on-premises data centre in Chennai had
several problems that affected system availability: old hardware nearing end of life resulting in
frequent breakdown, utility (electricity) shortfall resulting in downtime, networking issues
causing outages and affecting productivity. These issues meant that the SAP solution operated
with 90 percent or less system availability, when the company needed 99 percent or more
availability. Macmillan India realised this situation was unsustainable and started looking for
alternative infrastructure options.
Impact or potential impact
After analysing various solutions, Macmillan India found that migrating its infrastructure to an
external cloud service, and specifically to AWS, would enable the company to achieve its
objectives and avoid the expenses and management load of employing in-house IT
administrators. It then set about moving its core applications, namely the SAP modules, a
Drupal online learning system, and a customer relationship management (CRM) system, from
the Chennai data centre to AWS. The company engaged PricewaterhouseCoopers (PwC) to design
an SAP solution on AWS that would meet the technical and cost requirements, and comply with
the Indian government regulations. Macmillan India and PwC initially moved several SAP
modules, including SAP business intelligence (BI), SAP sales and distribution, SAP materials
management, SAP financial accounting and controlling and SAP human resources, to AWS and
tested SAP performance under a range of scenarios. PwC completed the migration of the project
in about six months. Macmillan India benefitted from the AWS pay-as-you-go model, which
allowed the company to consume only the resources needed to support peaks and declines in
the demand. The company was able to lower their capital expenditure by nearly 100% and
expected to achieve reductions in operating cost by about 30% in one year.
Comments on scalability
The company has reduced the time needed to provision a new environment from six weeks to 30
minutes, which engineers can scale up and down at the click of a mouse. Furthermore,
Macmillan India can automate its backups and meet recovery time objectives. Additionally,
Macmillan India has been able to take advantage of robust security and data protection controls
to protect its environment. Availability of their SAP applications has improved from 90% to
almost 100% since moving to AWS as per their estimates.
Case study #3
*The content of the case study has been provided by AWS.
Company
Manipal Global Education Services (MaGE)
Project
MaGE uses AWS to save 25% on infrastructure
Project description
MaGE offers numerous services including corporate programmes, skills training, assessment
services, certification programmes, student enrolment and placement services. Most of these
are delivered online, and with the number of students growing every year, traffic to MaGE's web
applications increased by up to 60% per year, with demand spiking exponentially during
admission, examination, and result-publishing cycles. It is also the operator of university
campuses in Malaysia, Antigua in the Caribbean, Dubai, and Nepal and services and supports
more than 400,000 learners, many of them through its award-winning technology platform,
EduNxt™.
Challenges faced
Until 2013, MaGE hosted its applications in an on-premises data centre that could not meet its
dynamic business needs. Application performance was a challenge, page-load time was slow,
and availability was running at 98.5 to 99 percent with the business experiencing downtime of a
few days per year. The company also identified a potential risk with its critical SAP system,
which did not adequately provide for disaster recovery. In the event of a disaster, recovering the
system would take a few weeks, which had the risk of having significant business impact.
Furthermore, the on-premise infrastructure was expensive and complex to maintain. Several
team members were needed to configure and deploy infrastructure resources for new
workloads, and scaling the data centre for growth could take several weeks, which restricted
MaGE's ability to respond quickly to changing business needs.
Impact or potential impact
MaGE was convinced by the agility and elasticity that cloud computing provided and decided
to build a robust and 'future-ready' technology platform to support business growth. Based on
the success of the initial deployments, MaGE decided that the time was right to move to a
'cloud-first' strategy and began a massive shift to the cloud. MaGE has moved nine applications
and systems, including campaign management and digital marketing, student management,
learning management, assessment, and websites, into AWS. By early 2015, Manipal was
running 70% of its workload in AWS and had adopted a policy that any new applications have to
be delivered as a service from the cloud. The business is also running a disaster recovery
environment for its SAP student management system within AWS. After moving to the AWS
cloud, the availability of customer-facing applications and student services climbed to 99.9%,
and page-load time fell by 30%, improving the end-user experience. The business now has the
ability to recover from any disaster impacting their SAP environment in hours, minimising
disruption to the business operations. While realising all these benefits, Manipal has also seen
reductions in operational costs of around 20–25%.
Comments on scalability
During seasonal peaks, these systems handle 100,000 internal assessment uploads per day on
EduNxt™, 450,000 result hits per day on the student portal for distance learning programmes, and
three million hits on their website with around 10 TB of data transferred each month. MaGE is
now operating a virtual data centre within AWS that can support sustained business growth
and expansion, as well as maintain availability and performance when demand peaks occur
during admission and exam period. The business can scale the infrastructure up or down to
manage seasonal peaks and only pays for the resources it consumes. With instant provisioning,
the company is able to support new business demands within hours, compared to four to five
weeks previously with the traditional data centre approach.
Case study #4
*The content of the case study has been provided by SAP.
Company
National Center for Tumor Diseases (NCT), Heidelberg University Hospital, Heidelberg
(Germany)
Project
Gaining medical insights and enhancing cancer care for patients
Objectives
• Start treating cancer patients by establishing a protocol on Day 1 that is tailored to their
specific genetic profile.
• Generate ideas for future trials based on analysis of patient attributes, including genetic
variations and mutations.
• Extract biomarker data from patient evaluation letters written by physicians.
Why SAP HANA
• The SAP HANA® platform enables consolidation of and real-time access to various
structured data sources, such as tumour documentation, medical records and clinical trials,
in addition to unstructured data sources, such as physician evaluation letters, treatment
guidelines, trial reports and medical publications.
• It offers fast, ad hoc reporting of treatment histories by patient attributes and survival rates
from a central data warehouse.
Benefits
• Real-time identification of cancer types to enable the grouping of patients by relevant
characteristics
• Insight into treatment response and outcome probability by diagnoses
• Detailed view of previous treatment activities, including, for example, diagnosis,
chemotherapy, surgery, and home visits
• Real-time visibility into current and upcoming clinical trials to match patients for
participation based on profile data and treatment needs
Achievement of objectives
• Faster diagnosis: More than 10,000 new patients evaluated each year since 2011
• Greater visibility: Detailed view of patient history extracted from both structured and
unstructured data sources
• High data volume: 150,000 data sets in combination with 3.6 million data points successfully
analysed during a proof of concept test
• Faster matching: Quickly match patients for participation in the right clinical studies.
Customer testimonial
“The project showed that we could integrate various data sources, extract relevant
information and present it to physicians in a way that enables surprising new insights. In the
future, we would like to use SAP HANA at every diagnostic and therapeutic step, because
every case of cancer is different and can vary immensely from one patient to the next.”
Dr. Christof von Kalle, Head, National Center for Tumor Diseases (NCT) Heidelberg
Case study #5
*The content of the case study has been provided by SAP.
Company
Sun Communities Inc., Southfield, Michigan (USA)
Project
Reducing manual processes for new hires
Business context
With a primary focus on creating exceptional on-site customer experiences, completing
mandated onboarding requirements was not previously top of mind for hiring managers. Sun
Communities was ready to break free from the challenges of manually onboarding new
employees. What Sun needed was an onboarding solution that would be intuitive and
accessible via mobile devices, would automate paperwork, and could also facilitate and track
mandated training.
Objectives
l Build a foundation for success and make a positive impression with new employees.
l Complete new-hire processes and mandated training before employees start on the job.
l Integrate recruiting and on boarding data across the enterprise for a complete view of talent
acquisition.
SAP Solution
• Implemented SAP SuccessFactors Onboarding
• Empowered new hires to complete requirements with user-friendly mobile tools
• Simplified complex systems and standardised processes with one solution for better overall
HR efficiency
Why SAP SuccessFactors
• Strong, flexible, core HR foundation with SAP® SuccessFactors® HCM Suite from
SuccessFactors, an SAP company
• Ability to combine the tactical components of onboarding, such as orientation, paperwork
and compliance training, with strategic aspects that would set up new hires for success
using the SAP SuccessFactors Onboarding solution
• Scalable software-as-a-service infrastructure in the cloud
Benefits
• More time for hiring managers to focus on productivity and customer service
• Configurable workflows that consider geography and job functions to ensure proper forms,
orientation, and compliance training are completed
• Mass onboarding process for the acquisition of properties that is simple, clear, and well
organised
• Faster background checks with data integration
Achievement of objectives
• 100,000 USD in annual labour savings by reducing data entry on new hires
• 100% of paperwork for new hires completed before each employee's first day
• 100% completion rate for compliance-related training
• 6.5 weeks of annual person-hours saved by automating paperwork
• 48% faster statutory verification of employment eligibility (2.7 days down to 1.4 days)
• 29.4% faster average time to fill positions and reach productivity (34 days down to 24 days)
Customer quote
“New hires have access to our system within hours and can take courses and connect with the
right people in our organisation. They are set up for success and can hit the ground running.”
Marc Farrugia, Vice President of Human Resources, Sun Communities Inc.
The Confederation of Indian Industry (CII) works to create and sustain an environment
conducive to the development of India, partnering with industry, the government and civil
society through advisory and consultative processes.
CII is a non-government, not-for-profit, industry-led and industry-managed organisation that
plays a proactive role in India's development process. Founded in 1895, India's premier business
association has over 8,000 members from the private as well as public sectors, including SMEs
and MNCs, and an indirect membership of over 2,00,000 enterprises from around 240 national
and regional sectoral industry bodies.
CII charts change by working closely with the government on policy issues, interfacing with
thought leaders, and enhancing efficiency, competitiveness and business opportunities for
industry through a range of specialised services and strategic global linkages. It also provides a
platform for consensus building and networking on key issues.
Extending its agenda beyond business, CII assists industry in identifying and executing
corporate citizenship programmes. Partnerships with civil society organisations carry forward
corporate initiatives for integrated and inclusive development across diverse domains,
including affirmative action, healthcare, education, livelihood, diversity management, skill
development, empowerment of women and water.
The CII theme for 2016–17, Building National Competitiveness, emphasises industry's role in
partnering with the government to accelerate competitiveness across sectors, with sustained
global competitiveness as the goal. The focus is on six key enablers: human development,
corporate integrity and good citizenship, ease of doing business, innovation and technical
capability, sustainability, and integration with the world.
With 66 offices, including 9 Centres of Excellence, in India and 9 overseas offices in Australia,
Bahrain, China, Egypt, France, Germany, Singapore, the UK, and USA, as well as institutional
partnerships with 320 counterpart organisations in 106 countries, CII serves as a reference
point for Indian industry and the international business community.
Confederation of Indian Industry
The Mantosh Sondhi Centre
23, Institutional Area, Lodi Road, New Delhi - 110 003 (India)
T: 91 11 45771000/24629994-7 | F: 91 11 24626149
E: info@cii.in | W: www.cii.in
Reach us via our Membership Helpline: 00-91-11-435 46244 / 00-91-99104 46244 • CII Helpline Toll free No: 1800-103-1244
Follow us on: www.mycii.in | facebook.com/followcii | twitter.com/followcii