Cloudy With a Chance of Privacy

For years, one of the biggest raps against cloud computing has been that it’s not secure enough for enterprise data, and that putting IT resources into the hands of an outsider such as a hosting provider was asking for trouble.

As more companies in a variety of industries shift resources such as applications and IT infrastructure components to cloud-based services, those fears are dissipating. Sure, there’s always risk with any kind of outsourcing and with putting trust in a service provider. But IT executives are coming to realize that not only are cloud services from reputable providers secure, they might even be safer than their own on-premises servers and networks.

Like other types of businesses, insurance companies appear to be coming to grips with their worries about security in the cloud. A recent report from research firm Ovum and enterprise software vendor SAP shows “a surging demand for cloud technology among retail banks and insurance companies.” Software-as-a-service (SaaS) offerings now are being considered for almost all new IT investment projects, the study says.

“We would typically hear from CIOs at insurance companies — even in countries where they were used to outsourcing — that the public cloud in particular was an obvious target for hackers,” says Craig Beattie, senior analyst at Celent, a research and consulting firm focused on the application of IT in the global financial services industry. “That was the story line for some time, but more recently they’ve had a much more pragmatic approach than that,” Beattie continues. “The insurance industry has become more familiar with how to do due diligence with the cloud, and how to adopt best practices for security. Now they’re looking at things like how to transfer data between their on-premises systems and off-premises systems, the challenges of moving data around.”

No Longer a Security Risk

Others agree that the cloud is no longer viewed as a major security risk for insurers. “In discussions with our clients and Research Council members, we’re finding that insurers are increasingly considering hosting and SaaS offerings during the vendor selection process for core systems,” says Tom Benton, a principal at insurance industry research and advisory firm Novarica.

“With pressure on insurance IT leaders to provide modern solutions and better manage IT operating costs, concerns about cloud security are decreasing,” Benton says. “Many are finding that the application or hosting provider can better keep up with the latest security threats and technologies than their internal staff can.”

The industry has moved slowly to the cloud because of fears about data privacy issues.

“Insurance is very risk averse; companies have a tendency to feel that they don’t want to put any sensitive customer information in the cloud and they want to have total control of security,” Benton explains. But as insurance IT executives are discovering that in many cases the cloud providers can handle security better than they can internally, they are starting to look into these kinds of services, he says.

That’s not to say security concerns are vanishing completely; they’re just becoming less of a roadblock to cloud services. Technology executives are looking into a variety of factors before launching cloud initiatives.

“With the increased consideration of cloud-based applications, insurance CIOs are concerned not only about security, but also about solution maintenance and costs,” Benton says. “They need to consider the same issues as when implementing an on-premises solution: security, disaster recovery, development life cycle, upgrades, etc., along with privacy and data protection policies and procedures.”

Overall, security “depends on all of these IT disciplines, and needs to be closely examined when considering a cloud-based solution,” Benton says.

Disaster Recovery in the Cloud

Those insurers that have deployed cloud services are taking precautions to ensure their security.

US Assure is using cloud services from CDW as part of its disaster recovery program, says CIO Tim FitzGerald. The Jacksonville, Fla., company, which provides services such as billing, service centers and licensing to carriers and program administrators, as well as a number of construction and small commercial insurance offerings for its distributors, uses a CDW data center in Minneapolis as a backup to its own data center in Jacksonville.

After initially using a public cloud service from CDW and sharing a server farm and disk space with other companies, about two years ago US Assure switched to a private cloud-type service offered by CDW that it felt was more secure.

US Assure also is using a hosted agency management system from XDimensional Technologies and chose a hosted environment from MajescoMastek for its billing system. In addition, the insurer moved its telephony infrastructure to a cloud-based solution when it adopted a voice over IP (VoIP) and contact center software package from inContact.

“Our whole infrastructure can now be defined as hybrid,” with some components in the cloud and some in the company’s on-premises data center in Jacksonville, FitzGerald says. “But our server environment is virtualized.”

By relying on cloud-based applications, US Assure can add new functionality without growing its infrastructure or adding staff to its in-house IT department to develop and support applications such as billing systems.

According to FitzGerald, “There’s more variety in the platforms we’re leveraging, and if we had these platforms in-house we would have to have talent and backup talent for each skill set. The cloud helps to remove the technology gap. If you own a platform and it keeps changing, you end up spending an excessive amount of time training people [to accommodate] the changes.”

Cost savings are difficult to quantify, FitzGerald says, but the cloud allows the company to provide a broader base of services — including expanded service hours — by giving its employees full access to applications and data from their homes.

Other benefits include reducing the complexity of its IT infrastructure while increasing capabilities of its service center and allowing for a faster, more comprehensive recovery in the event of a disruption.

“We have a more flexible and scalable environment,” with the ability to use server and storage capacity as needed, FitzGerald explains. “And since the costs of these services tend to be fixed, it’s easier to project long-term spending requirements.”

US Assure, like many other insurers, was initially concerned about data security in the cloud. As a service provider itself, the company understood the importance of providing strong security and the need to demonstrate that to clients. So to allay those concerns, it took steps such as conducting security audits of CDW’s data centers and reviewing the security provisions and policies of the other companies that make up CDW’s supply chain.

Says FitzGerald, “If a breach occurs at CDW, we’re looking at CDW, but our [clients] are looking at us.” Overall, US Assure is satisfied with the level of security provided, but the company takes the additional step of having a nationally recognized firm perform an annual SSAE16 audit to ensure its systems and controls are of the highest integrity.

A Cautious Approach

Security concerns have other insurers taking a more cautious approach and employing cloud services in a more limited way. One health insurance carrier, which declined to be identified because of the sensitive nature of the topic, has deployed a private cloud to develop and test new products and services.

“This allows our new business development teams to spin things up quickly without having to make a huge capital investment,” says an executive with the company’s IT department.

But the health insurer has no plans to move its core, regulated business applications to the cloud, because of ongoing concerns about security and data privacy. “We decided we could handle that better internally with our own controls,” the executive says.

That does not mean, however, that the carrier won’t seek to make greater use of cloud services over time. Cloud-based applications that the firm would consider deploying include file storage, collaboration tools, social media tools and customer relationship management. But to ensure acceptable levels of security, the IT executive says the insurer will conduct its own assessments of the cloud providers’ security protocols and technologies.

As insurers gain more experience with the cloud, they may come to accept that it’s not as insecure as they once thought.

______________________

How to Stay Secure When Outsourcing to the Cloud

• Practice due diligence when selecting a cloud service provider and drafting the service contract. Make certain that the service provider adheres to the latest security standards.

• Determine whether the provider has a dedicated and qualified security staff experienced in dealing with the latest security threats.

• Ascertain what type of security measures the provider employs, including the type of hardware and software that’s deployed.

• Investigate the security posture of any third parties used by the provider to deliver its application hosting or other services.

• Conduct reference checks and ask other customers if they are satisfied with the security levels or are aware of any security breaches.

• Hire a security consultant to perform comprehensive audits of the cloud provider’s security procedures. These should be conducted at least once a year.
