A Second, and Third, Look at Cloud Security
Insurance Experts' Forum, August 15, 2012
For insurance companies, the cloud poses some difficult questions. While the value proposition of cloud is enticing—providing pay-as-you-go capabilities and freeing up resources away from data center maintenance—security has been a sticking point. For the highly risk-conscious insurance industry (who are in the risk business, after all), there has been no shortage of debate about this new IT deployment model.
Overall, across all industry groups, many organizations are going full-steam into cloud—a new study finds that 82 percent of organizations already transfer, or plan to transfer, sensitive or confidential data into the cloud environment. While it's not clear where insurance companies stand within this global study of 4,000 business and IT managers, I’m willing to bet the percentage is quite lower than the average. The survey was recently conducted by the Ponemon Institute and commissioned by Thales.
Overall, companies don't seem to be too worried. Only a minority say cloud presents major security issues: 39 percent of respondents believe cloud adoption has decreased their companies’ security posture. In addition, 64 percent say they rely on their cloud vendor to get security right. Is this a cue for insurance IT managers to relax their concerns about data security as well?
The best approach may be to recognize that the cloud is a resource that offers great advantages, but security is still a process—an obsession—that needs to remains with the customer—no matter how much vendors promise. Recently, when I have spoken with insurance company CIOs about cloud, there has generally been enthusiasm about what the cloud can offer, as well as a willingness to dig deep to understand how the cloud provider addresses security. Abiding by standards such as SAS-70 is positive, but doesn't tell the whole story.
In preparing a special report for INN on cloud, I spoke with Richard Hallman, CIO of Employers about the cloud security challenge. Do your homework thoroughly, and don’t accept assurances at face value, he advises.
“You need to understand your vendor's security model,” Hallman says. “You need to understand beyond their SAS-70, because SAS-70 is very limited in what they review from a security perspective. You need to have a better-detailed assessment on their internal procedures, their operations and their technical approaches... They’re a part of your staff, they’re a part of your overall business model, and you need to make sure that you have reliability and confidence.”
Still, other industry observers say we've come a long way in a short time with cloud security. As Stanton Jones, analyst with Information Services Group put it: Cloud security has matured greatly over the past one-to-two years, and furthermore, it's getting to the point where data may be more secure in the hands of an outside cloud provider than an internal IT department. "Major cloud providers know security is their business. If they can't prove that they have a secure platform, then they have no business," he says. "Not only are IT organizations getting more comfortable with cloud, I think sometimes they're finding that they're looking at their own operations and realizing that the cloud provider has a better security architecture and a better security footprint than they do."
Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.
Readers are encouraged to respond to Joe using the “Add Your Comments” box below. He can also be reached at firstname.lastname@example.org.
This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.
Add Your Comments...
If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.
You must be registered to post a comment. Click here to register.