Insurers Become More Comfortable With SaaS

Over the past year, the concepts of Software-as-a-Service (SaaS) and cloud computing have been hot properties. They have been the "it" topic at industry conferences, and vendors have been scrambling to release their own takes on both.

The concepts, similar but not synonymous, each offer numerous compelling advantages. Cloud computing enables end-users to avoid up-front purchases of expensive hardware and software licenses in favor of monthly or incremental payments. SaaS also allows users to pay as they go, and pay for only those portions of applications they use. Each keeps the onus for maintenance, upgrades and other onerous and disruptive tasks on the vendor, rather than the customer.

Recent survey results confirm SaaS' popularity. For example, surveys conducted this year and last year by hosting provider Rackspace Hosting Inc., San Antonio, Texas, found that 51% of companies it spoke to already used a SaaS application, and 72% of those SaaS users are considering additional SaaS applications. Moreover, 69% of respondents see SaaS as the preferred software delivery method of the future, while 34% of respondents that are not currently using a SaaS application are considering it.

However, is SaaS appropriate for the insurance industry, which has more intense, rigorous uptime and security requirements? Are data security and availability showstoppers? Industry IT executives and experts see potential for SaaS within limited roles and, so far, there have been few complaints about security. However, it's still unclear whether carriers would feel comfortable having mission-critical and data-intensive applications, such as policy or claims management, delivered from an offsite SaaS provider. Indeed, even in the mainstream, most SaaS deployments are centered on productivity or edge-of-the-enterprise functions. The most popular applications found in the Rackspace survey include customer relationship management software, used by 65% of respondents, followed by e-mail and business productivity applications (such as spreadsheets, document creation), with 48% of respondents. Another 23% employ SaaS-style applications for accounting and financial functions.

LINGERING DOUBTS

Beyond productivity or niche applications, some observers don't see a massive uptake of SaaS-based applications within the insurance industry anytime soon. "I don't see it happening," says Michael Goodside, enterprise architect for Jersey City, N.J.-based Insurance Services Office Inc. (ISO). "SaaS is less applicable to the insurance industry than it is to some other industries."

However, Randy Rodriguez, VP of Bluewolf Inc., a large New York provider of professional services for SaaS, sees things differently, saying there is great potential for insurers. For example, he says, "Salesforce.com has done a great job in addressing data security, with best in class enterprise security for SaaS solutions. As a result, major financial institutions, such as Merrill Lynch and CitiGroup, have adopted SaaS and Salesforce solutions. Because of this, the insurance industry should be confident that adequate security controls are built into SF and SaaS solutions."

Goodside argues that he doesn't see the capabilities in SaaS to effectively handle high-volume data loads required by insurers. Instead, as confirmed by the Rackspace survey mentioned above, he sees SaaS taking off for smaller, productivity-oriented applications, such as e-mail or document management - areas where data loss or corruption is not as critical an event. "Software-as-a-Service favors the simple things: low volume, pay for what you use, generic, low security," he relates. "It's not suited for specialized tasks where reliability is critical, proprietary information is involved and data volumes are large - the all-night batch job. At a very high level, I just don't see SaaS as a good mesh for the insurance industry."

Scott Fraser, CTO of Portico Systems, Blue Bell, Pa., says there are three main risk areas with the SaaS approach. First, he says, is security. "Is the enterprise opening itself up to new risk, or decreasing risk?" Then there are the risks behind availability. "Will the service be there when needed? What are the impacts of downtime?" The third risk factor is agility. "Is the solution providing an adequate amount of IT agility to enable business to not only respond to, but exploit rapid change as a competitive advantage?"

Concern over data security and availability is one that cuts across all industry categories. In the Rackspace survey, for example, 64% of respondents expressed high levels of concern about security, making this the leading category of unease. A related issue, data backup, was another top concern among respondents. In addition, a separate survey of 252 executives conducted by Midvale, Utah-based Burton Group ranked "greater information security risks" as the leading risk to SaaS. Moreover, 18% of respondents reported they have already "experienced" this risk over the past 24 months.

MORE SECURE

Data security is perhaps the most important consideration in SaaS engagements but, in some cases, security levels may be higher at SaaS provider sites than within companies' internal operations. "SaaS applications often are more secure than the customer's own environment," says Bill Nadal, SVP and CTO for Full Capture Solutions Inc., East Hartford, Conn. However, this level of added assurance doesn't come automatically. Companies need to become deeply engaged with their provider to ensure that security remains at a high level. This involvement may need to be hands on.

Barrie Parker, CTO for Pharmacists Mutual Insurance Co., Algona, Iowa, says he is closely engaged with his company's online query tool provider, iPartners Inc., Atlanta, as a member of its customer advisory board. He adds that the thorough vetting his company conducts on iPartners probably provides greater security than depending on internal IT staff.

iPartners "has the security on their end where their people can only see the monthly reports, they can't see the actual data itself," Parker says. "They have more security than a normal IT shop would put in place. They limit the amount of exposure more than you would for internal staff. It's a higher degree of security."

It's a natural reflex for IT executives to perceive that data is vulnerable once it leaves the building, agrees Jason King, director of financial services for Hyland Software Inc., Westlake, Ohio. "But it's actually more risky to keep data internally versus outsourcing it with SaaS," he says. The reason, King says, is the physical security at outsourced data centers, where security is priority one.

"There is the routine - on-site security guards, fire detection and suppression, airflow cooling and power redundancy. Then, there are more advanced layers, including closed-circuit video and biometric palm readers. In addition, SaaS providers have more buying power to build a better network - one that is more redundant, more secure, more reliable and more available than most IT departments can afford to build," he adds.

A strictly one-on-one relationship with the SaaS vendor also was the rule when Sapient Financial Group, a San Antonio-based agency for MassMutual Financial Group, Springfield, Mass., piloted a SaaS-based program that manages document imaging and data storage. Sapient originally maintained the application on an onsite server, but recognized the advantages of moving to a SaaS arrangement with the vendor, Digitech Systems Inc., Greenwood Village, Colo. The approach is gradually being rolled out to MassMutual's 85 other agencies, says Bill Weirich, COO for Sapient. "We were interested in offering greater accessibility," he explains. "We have detached offices scattered across south Texas."

Digitech maintains a dedicated server and application that restricts access to Sapient agents and agency personnel, Weirich says. "MassMutual is a stickler for data security. There is no outside access to our server. The way that it is indexed, the agent only has access to his files. They cannot get in, or cross-reference, or look at anyone else's - they can only look at their own."

There are several measures IT executives can take to make sure that their SaaS providers maintain the highest levels of security possible. First of all, security begins at home. "SaaS by itself does not promote or demote security," remarks Phil Dayalu, director of information technology at Kaplan Compliance Solutions, Indianapolis. "The policies and procedures a company puts in place, or requires of their service provider, determine whether or not the service is secure."

Prasenjit Saha, VP and global head, enterprise security solutions for Wipro Technologies, Bangalore, India and East Brunswick, N.J., cautions that most products and solutions that were designed for traditional enterprise requirements cannot be easily adopted in a SaaS environment. "These applications and products need to be specifically designed for multi-tenancy, and should be hardened enough to be exposed over the Internet."

Saha goes on to advise industry executives to apply the "CIA" formula (confidentiality, integrity and availability) to SaaS-based services. "It's important for the insurers to ascertain that security controls cover various CIA aspects," he says. "How does the vendor ensure the identity of persons accessing the application dashboard? What are the security mechanisms to protect from various Internet malware? How is the online security taken care of? How secure is the data in transit? How secure is the stored data? How is the data segregated from the competitors? What is the back-up and recovery strategy? What are the data security regulations that apply? Is the data center SAS 70 audited?"

SAS 70, formally known as the Statement on Auditing Standards (SAS) No. 70 Type II certification, was developed by the American Institute of Certified Public Accountants (AICPA). Adhering to a standard such as SAS 70 "is critical to ensure the security of a SaaS-based application," says Dayalu. "SAS 70 is recognized throughout the industry as a gold standard, because it represents that a service organization or provider has demonstrated that they have adequate controls and safeguards when they host or process data belonging to their customers. The SAS 70 Audit Report documents and attests to the adequacy and completeness of the SaaS vendor's internal controls for protecting data."

Ultimately, it's critical that the carrier's security policies be reviewed with the SaaS vendor for compliance and implementation. Security is "an on-going process of education, planning, auditing, technology and implementation of best practices," says Nadal. "Joint technical security reviews can be done. Contractual language can enforce levels of security compliance and indemnification and, depending on the sensitivity of the data, various policies and controls may need to be enforced by the SaaS vendor."

The onus for security may be on the SaaS provider, but it also is on the IT executive to hold a vendor's feet to the fire. "Insurance company managers should demand a mix of controls - physical and network security and data center redundancy," says King of Hyland Software. Examples include high-security firewalls, intrusion detection and data and password encryption, King says. "Managers should demand regular data replication to geographically different sites. And, they need to be sure that protection from reconnaissance and attacks on the application, system and network are in place. All of these precautions help to keep valuable data in and the wrong people out."

(c) 2008 Insurance Networking News and SourceMedia, Inc. All Rights Reserved.

Lost in the Clouds

Much like Supreme Court Justice Potter Stewart's famous admission that he couldn't define obscenity but "knew it when he saw it," it's probably easier to identify instances of cloud computing than to clearly define it.

The problem is that the term "cloud computing" encompasses many other broad technological trends that are familiar to those in the insurance industry, including grid computing, virtualization and Software-as-a-Service.

David Mitchell Smith, a VP and fellow at Stamford, Conn.-based Gartner Inc., says the distinction is important. "The term cloud computing has come to mean two very different things: a broader use that focuses on 'cloud,' and a more-focused use on system infrastructure and virtualization," he says. "Mixing the discussion of 'cloud-enabling technologies' with 'cloud computing services' creates confusion."

Lately, the popular connotation of cloud computing seems to have shifted as behemoths such as IBM, Amazon.com and even Microsoft announced major initiatives that would offer a variety of computing services from the clouds. See page 40 for more information on cloud computing.

—Bill Kenealy
