This article is an extract from Performance, Volume 5, Issue 3, August 2013. The full journal is available at
www.ey.com/performance
A smart approach for the integration of master data systems into the cloud
Unstoppable globalization, and the networking of organizations that goes along with it, places higher demands on current and prospective master data systems. We outline how master data systems can be successfully integrated into the cloud on the basis of service-oriented architecture while data security, data privacy and compliance are guaranteed.
Authors
André Wiedenhofer, MBA, Manager, Advisory Services, EY, Germany
Alexander Reddehase, Senior Consultant, Advisory Services, EY, Germany
Vincent Schwarz, Senior Consultant, Advisory Services, EY, Germany
Sören Leder, Consultant, Advisory Services
Changes in data privacy policies, security requirements and international regulations (e.g., Sarbanes-Oxley Act, Basel II, Basel III and IFRS) call for adjustments to be made to existing master data systems. Data integration is crucial to business success, but decentralized, redundant, poor-quality and heterogeneous data poses a big barrier to making progress. Effective and efficient handling of master data is made challenging by the commonly observed IT landscapes comprising a variety of different technologies, besides the differences in the data itself. An additional challenge is ever-expanding data volume.1
Conventional master data systems are unable to cope with the above challenges and, hence, a fresh perspective is required on devising new strategies to handle today’s master data.
The challenge of data management
Nowadays, there are various requirements for the administration and provision of data. On the one hand, data has to be accessible and easily available to different users, but on the other hand, it has to be of a good enough quality taking into account time restrictions. In particular, if master data is used transnationally, the challenges in data management rise because aspects such as data privacy and compliance have to be taken into consideration.
For a better understanding of the classification types of master data, see Figure 1.
The approach described in this article focuses primarily on the handling of master data. Where applicable, however, other types of data are also considered.
Figure 1. Different data types
Focus: property oriented
Master data
► Client data (name, address, account number, etc.)
► Contractor data (company, address, etc.)
► Product data (number, name, size, weight, etc.)
► Account data (account number, account type, etc.)
Variable data
► Address change of clients
► Address change of contractors
► Changes in size or weight of a product
► Account number change
Focus: quantity oriented
Inventory data
► Account inventory
► Stock of products
► Warehouse stock
Dynamic data
► Accounting
► Increase in stock of products
► Reduction in warehouse stock
Types of master data systems: an overview
There are four main architecture types for master data systems:
► Leading system: the architecture of a leading system consists of individual components that take over specific tasks (e.g., administration of products, clients or contractors). Users can connect to the components of the system to read and write data using defined interfaces. The degree of harmonization of data is low in a leading system.
► Central repository: in this case, the central repository does not have its own master data, but instead, it refers to appropriate sources. This means that the user receives a reference to the searched data through the central repository. Again, for this type of architecture, harmonization of data is only partly possible.
► Peer-to-peer (P2P): with this approach, the individual communicating components of systems are mostly independent of each other. The harmonization of data is realized by adapters in front of their respective components. The adapters take over the role of a “translator.”
► Central master data management system: the architecture of this system allows an integral service. All operations on master data are executed over the same interface. Through these interfaces, applications without their own data storage access data indirectly, whereas applications with their own data storage regularly synchronize their data.
Master data systems and service-oriented architecture (SOA)
SOA fosters seamless interaction between business processes and the supporting IT systems.2 The introduction of SOA moves a company away from a technical, silo-orientated IT view to a functional, process-orientated IT view. By doing so, the entire company is ultimately affected.3
Core elements of an SOA are reusable services, which encapsulate the logic and functionality of an IT system behind an interface. Through service operations, service capabilities can be used and become visible to the “outside.”4 Figure 2 shows how SOA allows IT-based business process activities to be supported via services rather than being directly linked via IT systems.
Operationally, business processes are supported by business services (e.g., human resource management), which offer certain functionalities (e.g., creating a new personal profile). Business services use IT services, which provide the IT infrastructure’s technical capabilities (e.g., authorization service). IT infrastructure also includes central master data (e.g., employee data), which is made readily available by IT services at any time. The advantage of SOA is that it enables a transparent platform and development environment for its service users. In this way, it is easy to integrate legacy applications into the IT landscape.
Figure 2. Enterprise business processes supported by services, with SOA (diagram labels: business process; business service; IT service; IT infrastructure: database, enterprise network, server)
1. R. L. Villars and L. Borovick, Big Data and the Network, White Paper, IDC, 2011.
2. Trend Report: IAM und SOA 2008, Eine Studie zum Verhältnis zwischen Identity Management und serviceorientierten Architekturen, EY, 2008.
3. G. Engels, A. Hess, B. Humm, O. Juwig, M. Lohmann, J. P. Richter, M. Voß, and J. Willkomm, Quasar Enterprise: Anwendungslandschaften serviceorientiert gestalten, dpunkt Verlag, 2008.
4. W. Dostal, M. Jeckle, I. Melzer and B. Zengler, Serviceorientierte Architekturen mit Web Services: Konzepte — Standards — Praxis, Spektrum Akademischer Verlag, München, 2005.
SOA differentiates between three participating roles: service provider, service user and service repository.5 A service provider places a service description in machine-readable form into a service repository. Service users then search for this service description in the repository. If successful, a service user will receive a reference to the service provider from which they can query the service description. The service description comprises information about provided service functionalities and how to access them.6 Subsequently, the service user is able to use the service.
The main benefit of SOA is that it better allows IT support to improve business processes.7 Adaptation or expansion of business processes is more easily achieved in an SOA-oriented IT landscape. Businesses can reach their full potential in an environment where services are faster and better connected. Moreover, standardized interfaces reduce the complexity of the IT landscape, thus reducing the resources needed for maintenance and operation of systems.
Cloud computing as a concept for contemporary IT landscapes
The US’s National Institute of Standards and Technology (NIST) defines cloud computing as “enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be accessed with minimal management effort or service provider interaction.”8
5. W. Dostal, M. Jeckle, I. Melzer and B. Zengler, Serviceorientierte Architekturen mit Web Services: Konzepte — Standards — Praxis, Spektrum Akademischer Verlag, München, 2005.
6. OASIS SOA-RM Technical Committee, Service Oriented Architecture Reference Model, http://docs.oasis-open.org/soa-rm/v1.0/ (dated June 2013), OASIS, 2006.
7. W. Dostal, M. Jeckle, I. Melzer and B. Zengler, Serviceorientierte Architekturen mit Web Services: Konzepte — Standards — Praxis, Spektrum Akademischer Verlag, München, 2005.
8. P. Mell, T. Grance, The NIST Definition of Cloud Computing, http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf (dated June 2013), National Institute of Standards and Technology, 2011.
9. C. Boos, Cloud Computing: Die Herausforderung für etablierte Unternehmen, http://clouduser.de/meinungen/cloud-computing-die-herausforderung-fur-etablierte-unternehmen-6472 (dated June 2013), 2012.
10. M. Hoffman, Top Cloud Computing Benefits for Your Small Business, http://smallbusinessblog.infostreet.com/2011/04/top-10-list-top-cloud-computing-benefitsfor-your-small-business/ (dated June 2013), 2011.
11. IT Business Breakfast: How can a customer trust that the service offered by a cloud service provider is secure, EY, 2011.
Figure 3 shows the five characteristics, three service models and four operating models that comprise cloud computing.
Different accounting models enable the use of cloud computing. As a result, the service user can realize a sensible cost reduction without any loss of performance (a reduction of investment in IT assets of more than 80% is possible).9
In addition to the potential for cost reduction through cloud computing, there are other advantages, such as better scalability of IT systems and the possibility of remote access.
Moreover, success-critical IT processes can be shifted into the cloud and, by doing so, are centralized.10
Accordingly, the concept of cloud computing is perfectly suited to the integration of master data.
Integration of master data systems into the cloud
We recommend an SOA as a basis for the transformation of master data systems into the cloud (see Figure 4). With this approach, the cloud service provider (CSP) would make various services available (e.g., application, business and orchestration services) instead of “classical software applications.”
Figure 3. Characteristics, service and operating models of cloud computing11
Service model (diagram labels: business service, information service, application service, application infrastructure service, system infrastructure service, management and security, XaaS (everything as a service))
► IaaS (infrastructure as a service) is abstracted from the hardware system. Users individually decide on the required computing power and storage, which can be drawn out of the cloud, if necessary.
► PaaS (platform as a service) enables the user to define the programming environment or runtime environment. Capacities of computer and data can be flexibly adapted depending on demand.
► SaaS (software as a service) cloud is accessed via the provider’s applications (e.g., Microsoft Office products). User flexibility decides which cloud software to use.
Operating model
► Private cloud is limited to an exclusive group of users, e.g., only company employees. Cloud administration can be regulated by the company, a third party or both.
► Community cloud is limited to a certain user group but this group is larger than in private clouds. Community clouds are mostly used by a group of companies with similar goals (e.g., security and compliance requirements).
► Public cloud is not limited to a specific user group. Typical examples are email services, where every person can have their own email account without the need for a proper email server.
► Hybrid cloud is a mix of the above models. Here, different clouds are bundled through standard or proprietary technologies, enabling data and application exchange.
Characteristics
► On-demand self-service: resources can be used as much as the individual needs without having to interact with the service provider.
► Broad network access: enables access via different platforms (e.g., smartphones, tablets, laptops).
► Resource pooling: resources are pooled and accessible by multiple users. Generally, the physical location of a resource is not known to users.
► Rapid elasticity: resources are flexible in their availability, scaling up and down depending on demand and giving the impression of being unlimited.
► Measured service: resources are automatically optimized by the cloud service and usage can be monitored, providing transparency for provider and user.
The advantage of this approach is that it combines the SOA’s agility with high scalability and cost efficiency. And because charges billed for the use of cloud services can be directly linked to the relevant business processes, there will also be increased cost transparency. Furthermore, redundancies can be avoided and data quality improved. However, the integration of master data systems into the cloud using an SOA is complex. Besides technical issues, there are organizational and procedural challenges to manage. The involvement of business departments early on in the process is recommended as, often, IT departments cannot convince business departments of a reasonable master data usage.12
In addition, factors such as industry drivers, size and IT assets of the organization as well as business requirements and safety directives will have a huge impact.13
Legal challenges, especially privacy regulations, also play a vital role when outsourcing into the cloud and are considered in the next section.
It requires a well-thought-out plan to face the challenges and take appropriate actions (see Figure 5).
Privacy challenges in outsourcing to the cloud
According to the European Data Protection Directive, legal permission is required for collection, processing and usage as well as the transmission of personal data. This permission is provided by the law for some activities, and for other activities has to be obtained directly from the affected person. Therefore, outsourcing into the cloud always raises the question of whether legitimacy is ensured. There are two forms of outsourced data processing: data processing on behalf of a client (commissioned data processing (CDP)) and transmission to third parties.
Figure 4: Master data systems in the cloud (diagram labels: business process: order processing, production, acquisition, product development; software as a service (SaaS): orchestration services, business services, application services; infrastructure as a service (IaaS): virtual database entities: products, suppliers, clients)
12. R. Scheuch, Datenqualität sichern: Stammdaten-Management braucht Ordnung, http://www.computerwoche.de/software/bi-ecm/2516260/ (dated June 2013), 2012.
13. Business briefing: insights on IT risk. Ready for takeoff:
Under CDP, which is regulated in Directive 95/46/EC article 16, the contractor solely acts bound by instructions from the principal. This kind of data flow is not classified as a transmission to third parties and the principal remains solely legally responsible for the processing of data.
To realize a CDP contract, the provisions according to Directive 95/46/EC article 17(3) have to be stipulated. The CDP privilege does not apply for recipients outside the European Economic Area (EEA). This constitutes an obstacle for the applicability of CDP and cloud computing, as there are no reasons for sticking to territorial borders from a technical point of view. Quite the contrary, services are being relocated to non-European countries to take advantage of cost savings.
If the provisions for CDP cannot be fulfilled, a transmission of data to third parties in terms of the Data Protection Directive is executed and has to be tested on legitimacy. The recipient of the data becomes accountable and is responsible for checking and minding all regulations of the directive.
The Data Protection Directive offers multiple approaches to legitimately transfer data abroad to non-EEA countries. The European Commission has determined an appropriate standard for data protection and data privacy for several states, namely Canada, Argentina, Switzerland, Guernsey, Isle of Man and Israel. Data may be transferred to these countries within the scope of the directive.
A further important aspect of cloud computing is the access to data by third parties. While this is usually a data security concern about illegal access by third parties, people often forget that there also exists a legal access by third parties. Especially in cases of outsourcing to foreign countries, government bodies, such as law enforcement agencies or intelligence services, can obtain wide-ranging access possibilities. Encryption of data would not be helpful, since certain laws exist that oblige service providers to surrender private keys if authorities request access to encrypted data.
Figure 5. Challenges and recommendations for an SOA approach
Challenge: Strategy alignment
► Operationalization of the IT strategy
► IT business alignment
Challenge: Compliance and risks
► Identification and analysis of legal risk
► Benchmarking
Challenge: Involvement of business departments
► Stakeholder management
► Coaching and training
Challenge: Reorganization of the master data management system
► Definition of new master data management processes
► Determination of solid competences
Challenge: Integration of the master data system into the existing IT landscape
► Analysis of existing IT landscapes including interfaces and services
Identify, assess and respond to privacy risks
If a company plans to outsource parts of its IT organization to the cloud, a risk analysis marks a crucial step in the early planning phase. It is necessary to identify existing risks, how they are to be assessed from a business point of view and how to face them. Legal questions that have to be addressed are what kind of data will be processed in the cloud, which regulatory framework conditions apply and what measures have to be taken to legitimately outsource the data.
This approach is integrated in different analysis methods to help the company make a more holistic decision. There are standardized tools, for example the Cloud Controls Matrix14 (CCM), developed by the Cloud Security Alliance (CSA), which is tailored closely to industry standards such as ISO 27001 and COBIT.
Supplementary security can be achieved by external auditing and certification of cloud providers. For example, an SOC 2 Report, which includes coverage of IT security and compliance issues, can be used. This report evaluates internal controls of a service organization and creates transparency and trust between provider and user. According to the Office of the Data Protection Commissioner Schleswig-Holstein, however, attention should be paid to the fact that such a report alone is insufficient to meet the requirements of the Data Protection Directive.15
Privacy challenges: conclusion and outlook
The European legal and regulatory environment strictly regulates the outsourcing of personal data into the cloud. Cloud computing has to face this challenge if it is to prove itself as a solution to cost and efficiency pressure. To assure quality and mitigate risks, auditing and certifications of cloud solutions are inevitable. In the context of data protection, legal consultation should be obtained before a shift of data into the cloud is conducted. These arrangements can smooth the way, allowing master data to take advantage of the cloud.
Conclusion
The advantages of the changes to master data management discussed here can only be realized if influencing factors and risks to successful transformation are fully taken into account. One thing is certain: master data is fundamental to the success of a company, and its management therefore needs to be a serious, strategic consideration.
In addition, there are factors such as risk management, compliance, integration and standardization of business processes, which all require a strategic approach when it comes to data management.
Depending on the legal environment a company is subject to, there are strict requirements regulating what kind of data can be moved into the cloud and what additional measures have to be taken.
Therefore, master data management is a far-reaching, interdisciplinary, cross-cutting issue, in which relevant business departments have to be involved.
14. Cloud Security Alliance, Cloud Controls Matrix, https://cloudsecurityalliance.org/cm.html (dated June 2013), 2013.
15. T. Weichert, Cloud Computing und Datenschutz, https://www.datenschutzzentrum.de/cloud-computing/ (dated June 2013), 2010.