PwC: Maximising cloud value: the essential role of risk and controls (2024 report, English edition, 18 pages)
Maximising cloud value
The essential role of risk and controls
Transformation

PwC | Maximising cloud value

PwC's latest EMEA Cloud Business Survey reveals that cloud-powered companies outperform other businesses by a significant margin on key aspects. These include revenue growth, productivity, the ability to respond to cyber threats, and faster recovery from incidents. But what really sets these cloud-powered pioneers apart from the rest?

Our analysis shows these pioneers share several distinctive traits. One of the most striking aspects is that they attach much higher importance than other companies to the maturity of their cloud governance and internal control framework. As a result, these companies are taking a more mature approach to cloud transformation, including involving a wider range of functions across the business; adopting leading practices in cloud controls; forging stronger and closer relationships across all C-suite executives to facilitate collaboration around cloud; and making more effective use of automation and artificial intelligence (AI). These approaches are key to obtaining and delivering a higher realisation of sustainable value from cloud technologies.

While the benefits deriving from cloud are evident, the downside of failing to focus sufficiently on cloud risks and controls is equally clear and common. Aside from undermining value creation from cloud, it increases the risks of cybersecurity breaches, business interruption, regulatory violations and budget overruns. Organisations that recognise the need to evolve traditional risk and control frameworks as part of their cloud journey achieve benefits such as a reduction in the time it takes to manage compliance, wider control coverage and improved responsiveness to business demand and change.

To help organisations develop and maintain this focus, we have identified six points that support the existence and the importance of cloud risks and controls being embedded in a control framework. For each point described below, we have developed a set of related actions which can be taken to strengthen cloud governance.

"An effective cloud control framework is no longer an option but a crucial tool in the cloud transformation journey to improve governance, data security, operational resilience and business continuity throughout a period of change and uncertainty for an organisation."
Reggie Kelley, Partner, PwC UK

1 Six reasons why cloud-specific risks and controls are required and related actions for each

1. Mature governance, risk and controls can generate major business benefits

Our research reveals a direct correlation between an organisation's overall cloud maturity and the maturity of its cloud governance. The vast majority of cloud-powered companies have implemented formal controls to enhance operational efficiency, supported by a common control framework tailored to new cloud services, and have documented their shared responsibilities with their cloud service providers (CSPs). Crucially, most have also allocated ownership of cloud-related controls for governance, risk and compliance to a single business function with its own dedicated resources.

The business payback from taking these steps is clear and unambiguous. An overwhelming 83% of cloud-powered businesses in EMEA have increased their revenue over the past six to nine months (compared with 67% of other businesses), and 89% expect to increase their revenue over the next 12 months (compared with 78% of others). Additionally, 60% have implemented an enterprise-wide transformation, compared with 42% of others.

That said, almost all businesses still have opportunities to make further improvements in adopting leading practices in cloud governance, risk and controls. This is an area that deserves specific focus in cloud to ensure negative consequences are minimised and controlled.

Figure 1: How would you assess the maturity of your organisation's cloud controls across the following areas?
[Chart comparing cloud-powered companies with other companies across the following areas]
- Technically-upskilled resources dedicated to our cloud governance, risk and controls environment.
- A cloud governance, risk and controls framework that is owned by a single business function.
- Formal cloud controls that are separate and distinct from our other compliance and/or controls framework.
- Cloud controls designed to optimise workloads (e.g., increased automation, reduced lag in processing), availability and resiliency of workloads.
- Cross-functional stakeholder agreement on our cloud governance, risk and controls framework.
- A common controls framework tailored to consider cloud risk and controls.
- Robust evaluation of shared responsibilities between our organisation and our cloud service providers that is documented.
- Policies and procedures that are tailored to cloud risk and controls.
Source: PwC's EMEA Cloud Business Survey 2023

Tellingly, around 1/3 of cloud-powered companies and 3/4 of non-cloud-powered companies have yet to implement cloud-specific controls.

Key takeaways: as part of implementing mature governance, risk and controls, organisations should

01 Embrace a shared responsibility model, with accountabilities clearly allocated. CSPs will often manage some, but not all, of the controls (e.g. security, data, resilience and others) required in a cloud environment, depending on the cloud services being subscribed for, such as PaaS, IaaS or SaaS. It is essential that organisations have a good understanding of the responsibilities they share with their CSPs, and translate their own responsibilities into their control strategy and playbooks. Companies should also document the processes and activities outsourced to the CSPs, including contractual arrangements and exit strategies.

02 Implement robust data encryption and security governance procedures to ensure sensitive and/or personal data remain protected, both in transit and at rest. Organisations should also put in place a strong Identity and Access Management (IAM) strategy and access control framework to oversee users' access to the cloud. These provisions and processes may well be different from those already in place for on-premise systems, given that some responsibilities are now shared with the CSPs.

03 Invest in comprehensive employee training to ensure a smooth transition to the cloud, taking into account the resulting changes to processes and workflows.

2. Executives must collaborate early to incorporate and address cloud risks

Migrating to cloud is much more than just a technology change. It affects and involves senior leaders and their respective business units or functions across the entire organisation, from Finance to Risk, from Talent to Procurement, and more. To effectively identify all cloud-related risks, it is critical to engage other disciplines and business functions at the earliest point possible. Failing to do this will result in having to bolt on controls later through remediation work that is both labour-intensive and costly, and which may even hamper the development of new applications.

Many organisations still struggle to promote effective collaboration and engagement between technology and business teams. By proactively engaging with management and senior stakeholders at the planning stages of their cloud journey, cloud-powered organisations improve their chances of success. In almost half of the cases, our research shows that companies are currently waiting until the design or implementation phases of their cloud transformation before engaging with leaders from other business areas. As well as delaying cloud-related benefits, this misses an opportunity to co-create flexible cloud solutions with respective controls that can meet differing needs, instead of creating a proliferation of point solutions that need rework to be realigned.

Figure 2: At which stage, if at all, in a cloud transformation project, do you start to collaborate with the leaders or team responsible for each of the following?
[Chart: for each function (Finance; Risk; Tax; Data and analytics; Operations; Customer/marketing/front office; Talent; Products; Most senior executive responsible for ESG), the share of respondents answering: Planning (including budgeting and requirement gathering); Design; Implementation; We do not consult on this issue in cloud transformation projects; Unsure/not applicable]
Source: PwC's EMEA Cloud Business Survey 2023

Key takeaways: to enable early and successful collaboration around the cloud transformation, organisations should

01 Create an overall cloud executive leadership steering committee from day one, with strong CEO sponsorship. This committee should include representatives from all the relevant functions, with different members taking the lead depending on the nature of the specific risk at hand.

02 Assess cloud readiness and the overall risk profile before beginning your cloud journey and/or before you deploy new workloads. Validate the controls environment for compatibility with the chosen cloud model (public, private, or hybrid) and any industry-specific compliance requirements or regulatory standards that will impact the migration, such as the EU's Digital Operational Resilience Act (DORA) in financial services. This means conducting a readiness assessment against relevant standards and determining what controls will be needed in both the transitional period and the target environment.

03 Ensure that the cloud strategy and plans are aligned with the existing IT architecture, as well as with the organisation's business and technology capabilities and targets. A properly designed control environment will need to take these elements into account, since risks can be present across the whole IT estate and impact business areas across the organisation.

3. Risk and controls become more complex with multi-cloud infrastructures

73% of the companies in our survey are taking a multi-cloud approach to their cloud transformation, with only 25% using one CSP exclusively for all workloads.

This reflects the fact that multi-cloud offers several benefits such as higher flexibility and robustness, by enabling enterprises to choose the right CSP for each workload and select from a wide array of software-as-a-service (SaaS) providers to enable specific business processes. However, there is also a downside: alongside the benefits, the adoption of multi-cloud introduces higher levels of complexity and risk, requiring organisations to develop a security and controls model that can be applied across different CSPs. Many companies have struggled to create such a model, since each CSP has its own approach to security and governance and uses different security tools, all of which make consistency difficult to achieve.

Key takeaways: to help equip the risk and control framework for a multi-cloud environment, organisations should

01 Perform an overall assessment of the internal control framework of the chosen CSPs, including aspects such as risk taxonomies, control framework, and approach to resilience and continuity management, prior to making (or renewing) any contractual agreement.

02 Adopt strategies to facilitate the monitoring of complex multi-cloud security frameworks through "single pane of glass" solutions that bring multiple tools together. Defining technology risk in a cloud-agnostic way gives organisations the ability to mandate common controls regardless of the vendor or technology stack used. Supplementing these with vendor-specific technology risks gives organisations the detail needed to define specific controls to monitor and manage risk.

03 Move at the speed of the team rather than the speed of the control: replacing legacy controls with automated controls lowers the cost of compliance and improves coverage. Cloud infrastructure is shared and allocated dynamically, requiring new controls and control ownership that can keep pace with modern accelerated software engineering and platform delivery practices. By taking advantage of new cloud workflows, organisations have introduced automated controls for change, release, deployment, configuration, capacity and incident management. Combined, these reduce reliance on manual approaches and free up teams to deliver at speed while demonstrating control.

04 Rigorously address network security and monitoring by implementing cloud-native security solutions that are scalable and adaptable to the dynamic nature of cloud infrastructure. These solutions can provide comprehensive insights into network traffic across both cloud and on-premises environments. A Zero Trust security model and collaboration with CSPs are integral components.

05 Mitigate the risk of vendor lock-in by assessing options from a range of CSPs when procuring new products and/or services. Vendor lock-in can result in a complicated, costly, and operationally challenging transition to other provider(s) and make it more difficult to implement changes to the underlying cloud architecture or landing zone.

4. Strong relationships between CIOs and risk and security leaders are imperative

Cloud-powered companies tend to have stronger alliances between their C-suite colleagues across both technology and business roles, including risk functions such as the 1st and 2nd Line of Defense. These close relationships foster early engagement and facilitate a collaborative approach to leadership and decision-making throughout the cloud transformation journey.

Because risk officers ultimately oversee the effectiveness of the cloud risk and control framework, their involvement is critical from the outset. It is also important to include the 3rd Line of Defense (Internal Audit), since the cloud transformation and implemented cloud platforms should form part of the periodic audit-testing reviews.

Figure 3: Which of the following best describes your relationship with each of these executives, specifically in relation to achieving your cloud transformation goals?
[Chart; values shown are cloud-powered companies / other companies]
Chief Operating Officer (COO): 80% / 64%
Chief Information Security Officer (CISO): 80% / 63%
Chief Financial Officer (CFO): 80% / 59%
Chief Data Officer (CDO): 79% / 64%
Chief Marketing Officer (CMO): 78% / 61%
Chief Risk Officer (CRO): 77% / 63%
Chief Human Resources Officer (CHRO): 77% / 61%
Chief Executive Officer (CEO): 75% / 64%
Most senior executive responsible for ESG: 73% / 61%
The Board: 69% / 52%
Tax Leader: 69% / 52%
Source: PwC's EMEA Cloud Business Survey 2023

Key takeaways: to strengthen and optimise relationships across the C-suite, organisations should

01 Ensure strong support from the Executive Leadership and Board to foster the continuous collaboration required to address cloud risk issues and prevent them from recurring.

02 Make your Chief Information Security Officer (CISO) and Chief Data Officer (CDO) part of the overall Cloud Leadership to help lay the groundwork for security and privacy throughout the cloud infrastructure. Security teams and IT teams should have formal playbooks for working together to secure the cloud.

03 Institute and facilitate regular discussions between the CIO, CISO, CRO and the different Lines of Defense.

04 Involve the COO/Chief Product Officer and Chief Legal Officer in assessing the impact of the cloud transformation on the contractual customer commitments of both the CSP and the organisation.

05 Engage the Executive Leadership in charge of the ESG strategy to ensure they understand and capitalise on the sustainability impacts and opportunities presented by cloud computing.

5. Evolving the cloud approach in line with advancing regulations enables companies to stay ahead of general and industry-specific compliance risks

Regulations around the use of cloud are continually changing, including the complexity of complying with them, in particular when dealing with different regulations across several EMEA countries. As an example, multinational organisations operating in Europe need to consider the different data privacy regulations in force across the 27 EU member states, as well as the General Data Protection Regulation (GDPR), the overarching EU data regulation. Across EMEA, the diversity of regulations is even greater.

There are also industry-specific regulations that companies must comply with. A prime example, already mentioned, is the EU's DORA in financial services, which requires financial institutions to follow specific rules around the protection, detection, containment, recovery and repair capabilities against ICT-related incidents. Regulations like DORA are acting as accelerators for cloud controls and cloud maturity across EMEA, mirroring the effect in the US of regimes like the Federal Risk and Authorization Management Program (FedRAMP) and the Health Insurance Portability and Accountability Act (HIPAA).

Key takeaways: to keep pace with data regulation and stay in compliance with industry requirements, organisations should

01 Ensure resilience in compliance is maintained with the evolution of regulations, such as DORA, with an incident response and operational resilience programme tailored to your cloud environment.

02 Implement a comprehensive testing programme to prove the effectiveness of incident response and operational resilience capability, and implement controls to monitor resilience through both small and major changes.

03 Build and adopt a consistent digital data model, taking into account key compliance issues as well as interfaces, maintenance facilities, and traceability.

04 Define and plan the cloud solutions to adopt ahead of the migration or deployment of new workloads, to ensure there is no infringement of local regulations. For example, employee analytics obtained through cloud solutions or people performance measurement based on employees' personal data is not permitted in some territories.

05 Involve the relevant C-suite (i.e. Chief Financial Officer, Chief Compliance Officer, Chief Data Officer) when issues related to regulatory risk arise.

6. Generative AI (GenAI) will drive cloud adoption, but effective integration will necessitate stronger governance

Based on PwC's 27th CEO Survey, 70% of respondents said that GenAI will significantly change how their organisation creates, delivers and captures value in the next three years. AI has the potential to enhance productivity within enterprises; however, without data, there is no AI, and without cloud, organisations will struggle to scale AI and unlock value. Clearly, therefore, AI adoption will increase cloud adoption and influence an organisation's cloud strategy. This could lead to the development of a multi-cloud infrastructure for access to the latest models, or rapid migration towards a single cloud provider to reduce cost.

The adoption of AI will create new vulnerabilities and could heighten existing risks in areas such as data, cybersecurity, and technology. These risks range from new threat vectors to uncontrollable cloud expenses associated with operating AI. While cloud-based AI deployment amplifies existing risks like cloud vendor lock-in, there are also new AI components to consider, such as vector databases that may store sensitive data requiring protection. Additionally, AI-specific risks such as hallucinations and the need to comply with new AI regulations like the EU AI Act must be considered, alongside other horizontal and sectoral regulations.

Key takeaways: unlocking the value from AI requires a strong governance framework

01 Assess the new and heightened risks from adopting and using AI. Alongside your cloud governance framework, integrate and adapt existing controls to protect value from your AI investments.

02 Consider your cloud service providers' ethical and Responsible AI practices when selecting a third-party cloud-based AI vendor.

03 Implement data and security controls on your GenAI cloud platform.

04 Monitor cloud costs, as these can be exacerbated by the use of AI. Enhance your governance frameworks to effectively manage cloud resources and mitigate the risks of cloud sprawl.

Responsible AI (RAI) is an approach that promotes both risk management and value maximisation in the deployment of AI-based solutions. It involves adopting practices that ensure AI technology is aligned with ethical standards, maximises value, and mitigates risks. This dual focus enables organisations to harness the full potential of AI while being prepared for emerging regulations.

2 Conclusion: your best next step: implement effective controls in your cloud environment

As the experience of cloud-powered companies shows, cloud risks and controls should not be treated as an afterthought to be handled by the technology team only. The organisations which are most advanced in their progression towards cloud maturity are those that adopt a holistic, embedded and integrated approach to risks and controls from day one. This correlation is no coincidence. Effective cloud controls are the vital enabler of any successful cloud transformation, enhancing governance, data security, operational resilience and business continuity through and beyond the transformation journey. Cloud controls should be embedded within the organisation to support innovation and harness the full potential of cloud technology, while addressing the security and compliance/regulatory risks that the transformation brings.

"Cloud risk and controls must be a high-priority focus across the C-suite from day one, addressed through a collaborative, multi-function approach and a clear governance framework, defining the shared responsibilities between the company and the CSPs it uses."
Benjamin Zenati, Director, PwC France

About the authors

To find out more about how PwC can help you get your cloud risk and controls strategy right, please contact:
Reggie Kelley, Partner, PwC UK
Benjamin Zenati, Director Cloud Risk & Regulatory, PwC France
Eleonora Bruni, Director, PwC UK
Ivan Frain, Director Cloud Transformation, PwC F

© 2024 PwC. All rights reserved. Not for further distribution without the permission of PwC. PwC refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way. RITM16921445
75、r firm is a separate legal entity and does not act as agent of PwCIL or any other member firm.PwCIL does not provide any services to clients.PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way.No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firms professional judgment or bind another member firm or PwCIL in any way.RITM16921445About the authors