Protecting Information in the Cloud
Insurance Networking News, January 2, 2013
Contracting for the cloud is different in many ways. Highly scaled, shared, and automated IT platforms, for example, can obscure the geographic location of data from both the provider and customer. This is a problem for institutions dealing in personally identifiable information because often they must keep some customer data in certain jurisdictions and face regulatory action if they do not. At this point, banking CIOs and CROs that we have interviewed largely do not believe that most public-cloud providers can give them the guarantees they require to protect their institutions from this type of regulatory action. Another novel challenge presented by the cloud is how to conform to regulatory and industry standards that have not yet been updated to reflect cloud architectures.
At some level, for the cloud, we are simply in the early days of contracting for enterprise-class services. How to draft the required terms and conditions will remain an open question until litigation has identified the critical issues and legal precedent has been established for resolving those issues.
Risk of Aggregation in Private-cloud Environments
The current state of data fragmentation at many enterprises provides a peculiar kind of risk-management benefit. Dispersing sensitive customer data across many platforms means that a problem in one platform will affect only a subset of a company’s information. Fragmentation may also limit the impact of a security breach, as different platforms often have varying security protocols.
In contrast, consolidating applications and data in shared, highly scaled private-cloud environments creates a larger, more attractive target for malevolent actors. With much more valuable data in one place, the stakes for protecting that data rise.
Risk-management Advantages of the Public and Private Cloud
Both public- and private-cloud solutions can provide data-protection advantages compared with traditional, subscale technology environments. Cloud solutions improve transparency—for example, the centralized and virtualized nature of the cloud can simplify log and event management, allowing IT managers to see emerging security or resiliency problems earlier than might otherwise be possible. Likewise, in cloud environments, operators can solve problems once and apply the solutions universally by using robust automation tools.
Perhaps more important, technology organizations can focus investments in security capabilities on a small number of highly scaled environments.
A Risk-management Approach to Exploiting the Cloud
In many large institutions, information security traditionally has been a control function that used policies limiting what IT managers and end users could do in order to reduce the likelihood of data loss, privacy breaches, or noncompliance with regulations. We believe that IT organizations must now adopt a business-focused risk-management approach that engages business leaders in making trade-offs between the economic gains that cloud solutions promise and the risks they entail. It is still the early days of cloud computing, and risk-management decisions are highly dependent on the specifics of the situation, so there are no hard-and-fast rules. However, some rough principles for managing cloud-information risk are emerging.
Consider the Full Range of Cloud Contracting Models
“Public cloud” and “private cloud” are useful simplifications, but there are other models that may provide attractive combinations of control and opportunities to tap vendor capabilities:
• One option is on-premises managed private-cloud services, in which third-party vendors provide a service that operates like an external cloud offering but is located in an enterprise’s own facility and is dedicated to the organization.
• Some flavors of virtual private clouds can be used; these are similar to public clouds in that the solution is externally managed, but like private clouds, they offer dedicated capacity, such as resource pools, that are reserved for each client.
• Community clouds feature infrastructure that is shared by several organizations and meets the needs of a specific community of users. Community clouds may, for example, provide industry-specific solutions that ensure compliance with relevant regulations.