Although trust between business leaders and cloud services providers is increasing, insurers must assess how much liability their provider is willing to retain.
By Paul Maher, Chief Technology Officer, Life Technology Solutions, Milliman.
Businesses worldwide are adopting cloud services at an accelerating pace. That indicates a growing level of trust in cloud infrastructure providers, who are increasingly able to deliver the security and compliance assurances customers require. This is true even for highly regulated industries that handle sensitive personal data, such as insurance. In fact, some organizations feel cloud vendors can provide higher levels of security, availability, and reliability than traditional, company-owned data centers.
While this growing trust is enabling insurers to reap the business benefits of the cloud, it is critical not to walk into a relationship blindly. It’s easy—and common—to overestimate the liability providers are willing to accept, or to misunderstand where you are retaining responsibility.
A little cloud can do a lot of damage
Imagine the following scenario: a user, unwilling to wait for the traditional information technology (IT) provisioning process, uses a company credit card to open a cloud services account. That person plans to spend around $1,000—not enough to require a manager’s approval, but more than enough to store data and run applications.
The user gets an application up and running on the servers—with no security professional to verify that it has been correctly configured. Then, the user uploads a database containing personally identifiable information for analysis, trusting that the solution is protected. When the work is finished, the user leaves the application running—exposed to hackers, whose theft of the information is not discovered until months later.
Although the application was running on a cloud infrastructure, the cloud infrastructure vendor has zero liability in this case. The responsibility for configuring the application securely and controlling the data uploaded to the service was entirely with the customer. Without the right governance in place, the company had no visibility into these matters and was at the mercy of its rogue user.
Knowing what your responsibilities are and implementing proper governance and control measures are especially important with cloud infrastructures, because the resources available are virtually limitless and simple to deploy. It is easy to lose track of what you are running legitimately, let alone detect unauthorized usage.
Running up your tab
Imagine another situation. This time, a former employee uses his or her still-working identity information to access a cloud infrastructure. That person uses thousands of dollars’ worth of compute cycles to perform unauthorized activities. Because the former employer consumes tens of thousands of dollars in services each month and runs several hundred virtual machines, it doesn’t even notice the “leakage”: it doesn’t look that closely at its bills each month.
Even though the criminal was using infrastructure services in an unauthorized manner, it was the customer’s responsibility to secure access. The former employer has no recourse to recover the money spent, and may have enabled criminal activities to be perpetrated on its dime.
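As an added example that is not part of the original article, here is the kind of check both scenarios above lacked: a per-identity view of the cloud bill joined against the current access roster, plus a month-over-month comparison that surfaces one identity's ten-fold jump (or a brand-new identity) inside an aggregate bill that moved only about 12%. The billing rows, field names and roster are constructed assumptions, not any provider's export format.

```python
"""Added example, not from the original article: surface the "leakage" the text
describes by looking at a cloud bill per identity rather than in aggregate.
Rows, field names and the roster below are constructed assumptions."""
from collections import defaultdict

# Constructed billing export: one row per identity per month, cost in USD.
BILLING_ROWS = [
    {"month": "2020-01", "identity": "alice", "cost": 12000.0},
    {"month": "2020-01", "identity": "bob",   "cost": 9500.0},
    {"month": "2020-01", "identity": "carol", "cost": 4000.0},
    {"month": "2020-01", "identity": "dave",  "cost": 300.0},
    {"month": "2020-02", "identity": "alice", "cost": 12400.0},
    {"month": "2020-02", "identity": "bob",   "cost": 9300.0},
    {"month": "2020-02", "identity": "carol", "cost": 4100.0},
    {"month": "2020-02", "identity": "dave",  "cost": 3200.0},  # offboarded in January
]
# Constructed current roster of identities still entitled to cloud access.
ACTIVE_IDENTITIES = {"alice", "bob", "carol"}


def spend_by_month(rows):
    """Return {month: {identity: total cost}} from flat billing rows."""
    totals = defaultdict(lambda: defaultdict(float))
    for r in rows:
        totals[r["month"]][r["identity"]] += r["cost"]
    return {m: dict(ids) for m, ids in totals.items()}


def orphaned_spend(rows, active, month):
    """Charges in `month` billed to identities that are not on the roster."""
    per_id = spend_by_month(rows).get(month, {})
    return sorted((who, cost) for who, cost in per_id.items() if who not in active)


def spend_spikes(rows, prev_month, month, ratio=2.0):
    """Identities whose cost grew more than `ratio`-fold between the two months.
    A brand-new identity (no prior cost) is always flagged. Here dave's 10x jump
    sits inside an aggregate bill that grew only about 12%."""
    by_month = spend_by_month(rows)
    prev, cur = by_month.get(prev_month, {}), by_month.get(month, {})
    return sorted((who, prev.get(who, 0.0), cost)
                  for who, cost in cur.items() if cost > ratio * prev.get(who, 0.0))


if __name__ == "__main__":
    for who, cost in orphaned_spend(BILLING_ROWS, ACTIVE_IDENTITIES, "2020-02"):
        print(f"not on roster: {who} billed {cost:.2f}")
    for who, before, after in spend_spikes(BILLING_ROWS, "2020-01", "2020-02"):
        print(f"spike: {who} {before:.2f} -> {after:.2f}")
```

Both checks need two inputs the scenario's company did not correlate: a bill broken down by identity, and an authoritative list of who should still have access.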
The lesson is that you can’t outsource the responsibility for good risk management. The cloud is a fantastic tool, but the security risks are real, and it pays to take them seriously. In a future post, we’ll take a look at some typical divisions of responsibility in cloud services relationships.