Enterprising Developments

A Second, and Third, Look at Cloud Security

Joe McKendrick
Insurance Experts' Forum, August 15, 2012

For insurance companies, the cloud poses some difficult questions. While the value proposition of cloud is enticing—providing pay-as-you-go capabilities and freeing up resources away from data center maintenance—security has been a sticking point. For the highly risk-conscious insurance industry (who are in the risk business, after all), there has been no shortage of debate about this new IT deployment model.

Overall, across all industry groups, many organizations are going full-steam into cloud—a new study finds that 82 percent of organizations already transfer, or plan to transfer, sensitive or confidential data into the cloud environment. While it's not clear where insurance companies stand within this global study of 4,000 business and IT managers, I’m willing to bet the percentage is quite lower than the average. The survey was recently conducted by the Ponemon Institute and commissioned by Thales.

Overall, companies don't seem to be too worried. Only a minority say cloud presents major security issues: 39 percent of respondents believe cloud adoption has decreased their companies’ security posture. In addition, 64 percent say they rely on their cloud vendor to get security right. Is this a cue for insurance IT managers to relax their concerns about data security as well?

The best approach may be to recognize that the cloud is a resource that offers great advantages, but security is still a process—an obsession—that needs to remains with the customer—no matter how much vendors promise. Recently, when I have spoken with insurance company CIOs about cloud, there has generally been enthusiasm about what the cloud can offer, as well as a willingness to dig deep to understand how the cloud provider addresses security. Abiding by standards such as SAS-70 is positive, but doesn't tell the whole story.

In preparing a special report for INN on cloud, I spoke with Richard Hallman, CIO of Employers about the cloud security challenge. Do your homework thoroughly, and don’t accept assurances at face value, he advises.

“You need to understand your vendor's security model,” Hallman says. “You need to understand beyond their SAS-70, because SAS-70 is very limited in what they review from a security perspective. You need to have a better-detailed assessment on their internal procedures, their operations and their technical approaches... They’re a part of your staff, they’re a part of your overall business model, and you need to make sure that you have reliability and confidence.”

Still, other industry observers say we've come a long way in a short time with cloud security. As Stanton Jones, analyst with Information Services Group put it: Cloud security has matured greatly over the past one-to-two years, and furthermore, it's getting to the point where data may be more secure in the hands of an outside cloud provider than an internal IT department. "Major cloud providers know security is their business. If they can't prove that they have a secure platform, then they have no business," he says. "Not only are IT organizations getting more comfortable with cloud, I think sometimes they're finding that they're looking at their own operations and realizing that the cloud provider has a better security architecture and a better security footprint than they do."

Joe McKendrick is an author, consultant, blogger and frequent INN contributor specializing in information technology.

Readers are encouraged to respond to Joe using the “Add Your Comments” box below. He can also be reached at joe@mckendrickresearch.com.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.

The opinions of bloggers on www.insurancenetworking.com do not necessarily reflect those of Insurance Networking News.

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments...

Already Registered?

If you have already registered to Insurance Networking News, please use the form below to login. When completed you will immeditely be directed to post a comment.

Forgot your password?

Not Registered?

You must be registered to post a comment. Click here to register.

Blog Archive

The Good, The Bad and The Ugly Of Enterprise BI

When IT can't deliver, business users build their own applications focusing on agility, flexibility and reaction times.

The IT-Savvy 10%

IBM survey reveals best practices of IT leaders.

The Software-Defined Health Insurer: Radical But Realistic?

Can a tech startup digitally assemble the pieces of a comprehensive, employer-provided health plan?

Data Governance in Insurance Carriers

As the insurance industry moves into a more data-centric world, data governance becomes more critical for ensuring the data is consistent, reliable and usable for analysis.

Fear This

Just days before this Issue, which contains our security cover story, went to press, we got some interesting news: 1.2 billion unique usernames and passwords and 542 million email addresses were reportedly stolen from 420,000 websites, according to The New York Times. The websites ranged from Fortune 500 companies down to small online retailers.

Should You Back Up Enterprise Data to the Cloud?

Six questions that need to be asked before signing on with an outside service.