Enterprising Developments

Cloud Security is the Customer's Responsibility

Joe McKendrick
Insurance Experts' Forum, October 15, 2012

When it comes to cloud computing, and data center management in general, F5's Lori MacVittie is probably one of the most knowledgeable people around. So a post with the title “If Security in the Cloud Were Handled Like Car Accidents” really ought to resonate with insurance executives seeking to understand the do's and don'ts of security in their cloud projects.

MacVittie posted this advisory last year, but now more than ever, it hits home. MacVittie urges executives to look at the scenarios for ultimate responsibility in car accidents—a couple of definitions that P&C insurance executives probably know by heart.

• “Contributory negligence is a system of fault in which the injured party can only obtain compensation for injuries and damages if he or she did not contribute to the accident in any way.”

• “In comparative negligence, the injured party can recover damages even if she was partially at fault in causing the accident. In a pure comparative system, the plaintiff’s award is reduced by the amount of her fault in the accident. Some states have what is called modified comparative fault. This is where there is a cap on how much responsibility the injured party can have in the accident.”

The same definitions and onus of responsibility can be applied to security incidents in the cloud. “For example, a customer has no control over the network and management framework of an IaaS provider,” MacVittie illustrates. “The customer has no authority to modify, change or configure network infrastructure to ensure an agreeable level of network-security suitable for public-facing applications. Only the provider has the means by which such assurances can be made through policy enforcement and critical evaluation of traffic. If data security in a cloud computing environment is breached through the exploitation or manipulation of infrastructure and management components wholly under the control of the provider, then the fault for the breach falls solely on the shoulders of the provider.”

However, MacVittie continues, if a breach “is enabled by poor coding practices or configuration of application infrastructure which is wholly under the control of the customer, then the customer bears the burden of fault and not the provider.”

Often, she points out, cloud customers usually can neither change, modify nor otherwise impact the security of a network switch, and so should not be responsible for its security. Conversely, the cloud provider cannot be held responsible for securing an application that the provider had no input or control over.

Ultimately, both cloud consumers and providers need to share responsibility for security, MacVittie points out. But if you are a customer, and you turn over responsibility to a cloud provider, you still bear ultimate responsibility to understand how the provider handles security: “Ultimately, the data is yours; it is your responsibility to see it secured and the risk of a breach is wholly yours. If you choose to delegate—implicitly or explicitly—portions of the security responsibility to an external party, like the driver of a car service, then you are accepting that the third party has taken acceptable reasonable precautions.”

If the third party has not taken reasonable precautions, then it is the customer’s responsibility to find a provider that does.

Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.

He can be reached at joe@mckendrickresearch.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
