Protecting Information in the Cloud

IT and business executives need to apply a risk-management approach that balances economic value against risks.

Insurance Networking News, January 2, 2013

James Kaplan, Chris Rezek, and Kara Sprague

The use of highly scaled, shared, and automated IT platforms—known as cloud computing—is growing rapidly. Adopters are driven by the prospects of increasing agility and gaining access to more computing resources for less money. Large institutions are building and managing private-cloud environments internally (and, in some cases, procuring access to external public clouds) for basic infrastructure services, development platforms, and whole applications. Smaller businesses are primarily buying public-cloud offerings, as they generally lack the scale to set up their own clouds.

As attractive as cloud environments can be, they also come with new types of risks. Executives are asking whether external providers can protect sensitive data and also ensure compliance with regulations about where certain data can be stored and who can access the data. CIOs and CROs are also asking whether building private clouds creates a single point of vulnerability by aggregating many different types of sensitive data onto a single platform.

Blanket refusals to make use of private- or public-cloud capabilities leave too much value on the table from savings and improved flexibility. Large institutions, which have many types of sensitive information to protect and many cloud solutions to choose from, must balance potential benefits against, for instance, risks of breaches of data confidentiality, identity and access integrity, and system availability.

 

The Cloud is Here to Stay

Refusing to use cloud capabilities is not a viable option for most institutions. The combination of improved agility and a lower IT cost base is spurring large enterprises to launch concerted programs to use cloud environments. At the same time, departments, work groups, and individuals often take advantage of low-cost, easy-to-buy public-cloud services—even when corporate policies say they should not.

 

High Growth and Value Expectations

Corporate spending on third-party-managed and public-cloud environments will grow from $28 billion in 2011 to more than $70 billion in 2015, according to IDC. However, total spending on the cloud is much larger than these estimates indicate because the figures do not reflect what enterprises spend on their private-cloud environments. Eighty percent of large North American institutions surveyed by McKinsey are planning or executing programs to make use of cloud environments to host critical applications—mostly by building private-cloud environments. At several of these institutions, executives predict that 70 to 75 percent of their applications will be hosted in cloud environments that will enable savings of 30 to 40 percent compared with current platforms.

Using external cloud offerings can yield even more pronounced savings. Some executives cite examples of 60 to 70 percent savings by replacing custom-developed internal applications with software-as-a-service alternatives sourced from the public cloud. In addition, according to recent McKinsey research, 63 percent of business leaders who responded agreed that the cloud can make their entire organization more business agile and responsive.

 

The Rise of Bottom-up Adoption

Truly cloud-free organizations are extremely rare—and in fact may not exist at all. If you think you are the exception, you are probably wrong. Regardless of any “no cloud” policy, the democratized nature of cloud purchasing reduces the middleman role played by traditional IT departments and makes central control difficult. Users are subscribing directly to cloud services, from online storage and backup to media services and customer-relationship management solutions, paying via credit card. Developers are using infrastructure-as-a-service and platform-as-a-service solutions for testing code and sometimes for hosting applications.

Ironically, forbidding cloud offerings may lead to users subscribing to less secure solutions. An employee using a credit card may not be sufficiently security inclined or aware to purchase the enterprise-class version of cloud software. That same individual might have been perfectly willing to use cloud service providers endorsed by his or her organization had they been available.

 

Risks and Opportunities

Using the cloud creates data-protection challenges in public-cloud services as well as private-cloud environments. However, traditional platforms at most organizations have significant information risks that actually can be mitigated by moving to a more highly scaled and automated environment.

 

Risk of Contracting for Public Cloud

Decades of experience matured the practice of writing contracts for telecommunications network services and traditional outsourcing arrangements. Terms and conditions exist for allocating liability for security breaches, downtime, and noncompliance events between providers and enterprises. They may be unwieldy, but they are well understood by providers, law firms, and—in many cases—CIOs and CROs.

For more information on related topics, visit the following channels:

• Data Management