Cloud Trust as a Service (CTaaS)

Cloud Trust as a Service (CTaaS)

Team members

Dev Bahl (ISTD), Zenn Png Zhuang Yi (ESD), Noorbakht Khan D/O Mohammad Ayub Khan (ISTD), Syed Faizaanullah s/o Syed Kaleemullah (ASD), Ilya Haider (ESD), Chloe Tan (ESD), Jeff Neo Yu Xuan (ASD)

Instructors:

Bige Tunçer, Matthieu De Mari, Yue Mu

Writing Instructors:

Rashmi Kumar

Teaching Assistant:

Ataman Cem

Cloud Trust is part of the Risk Assurance arm of PwC Singapore and was established through the recognition of rising cloud services adoption, representing a paradigm shift in the technology space. The Risk Assurance practice helps clients to identify, manage and monitor risks across the risk landscape to protect and strengthen the cloud aspect of their business, from systems to strategy and business plans to business resilience.

The CT team helps clients to analyse, assess and address a wide range of risks by providing insights and assurance that is invaluable in today's high-risk business environment. They work with our clients to build trust across their digital/technology-enabled businesses and guides them throughout their cloud adoption journey via a holistic cloud approach to help them navigate the potential threats of cloud adoption and use cloud technologies with greater confidence.

For more information on Cloud Trust, click here.

The nascent stage of both team and industry posed two main challenges for the Cloud Trust team:

Firstly, there is a lack of knowledge transfer across client engagements, which creates numerous inefficiencies and inconsistencies across client engagements. This is especially apparent in cases where the Cloud Trust team has already encountered a client of similar background/industry and engages in repeated work.

Secondly, the current workflow is composed of numerous menial tasks that require a significant amount of manual labour, leading to a considerable amount of time spent on low-value tasks within their workflow. This gives them less time to do more value-added work with regards to their consulting practice.

CTaaS aims to be a panacea for these issues.

The overall workflow of CT team is broken down into the Off-Engagement and Engagement workflows.

The Off-Engagment workflow consists of the Uplift Process while the Engagement Workflow consists of the various stages of the Client Interaction Process.

The Engagement workflow begins with the Scoping phase, where a client engages a CT member who selects specific controls from the Master Cloud Trust Framework (CTF) to create an Engagement CTF. The Engagement CTF only contains the controls relevant to the client based on their company structure and cloud environment.

In the Request for Information (RFI) phase, CT members work closely with the client in evaluating the correspondence of evidence with the demands of specific controls in the Engagement CTF. If the evidence presented to the PwC representative corresponds with any of the aforementioned controls, the evidence is extracted from the client through screenshots or documents.

During the Evidence Evaluation phase, CT members compare the evidence acquired from the client with controls from the Engagement CTF to check for control compliance. This phase is particularly tedious as CT members conducting the evaluation have to cross-reference across numerous documents.

Lastly, the Report Generation phase outlines the documentation of the entire engagment for future reference.

In order to incorporate CTaaS into the CT team’s workflow, we had to envision what CTaaS could achieve and hence how it could fit into their current workflow. We had to do this in a way that minimised changes whilst eliminating the inefficiencies and pain points within the current workflow, that were highlighted to us in interviews and discussion with the CT team.

With the earlier analysis in mind, the proposed workflow, once CTaaS is incorporated, will introduce feedback nodes. This allows for any member of the CT team to give feedback that they may feel is relevant for the generation of Intellectual Property (IP), which could then be used to optimise and improve the workflow in the long run.

The reduction of man hours on monotonous and low-valued work is a big benefit of CTaaS. This is made possible by the ability of CTaaS to streamline the CIP, transfer knowledge between engagements and aid in the CTF Uplifting. Based on internal research done by the CT team, it is estimated that CTaaS is able to significantly reduce the man hours per engagement by 63%. This would benefit CT team members in both reducing their working intensity so they can have ample rest and increased work-life balance, as well as giving them more opportunities to do value-added work, which increases morale and provides CT members with the opportunity to upgrade themselves.

Another impact of CTaaS is the technological empowerment it can bring for PwC Singapore. With CTaaS, PwC will be moving towards embracing new technology and solutions, especially with the introduction of SwaS.

This will provide them with the tools, talent and secure landscape to successfully thrive in the direction of digital transformation which Singapore is moving towards, thus keeping them relevant and competitive.

This works to enhance their company appeal and culture to both current and potential employees.

As PwC Singapore's Cloud Trust relies on consultancy service as their main business operation, the CTaaS software acts as a support framework to enhance their service by adding value to their workflow. We call this model Service with a Software, otherwise known as SwaS Reversed. This is in contrast to other software-service business models in the industry such as Software as a Service (SaaS) and Software with a Service (SwaS). SwaS Reversed acts as a business model which keeps the PwC-CTaaS business competitive within the cloud assurance market by adopting the advantages of the SaaS and SwaS models, while adding extra value through the wide range of features within the CTaaS app.