As the adoption of cloud services increases, insurers must employ tried-and-true approaches to IT governance and security in advance of a transition.
By Paul Maher, Chief Technology Officer, Life Technology Solutions, Milliman.
We have gotten to a point in enterprise technology where cloud services—those delivered from shared datacenters over the Internet—hardly need an introduction. According to the RightScale 2017 State of the Cloud Report, 89% of businesses are using public cloud in some fashion, and the perception that there are significant barriers to cloud adoption continues to decline.
However, with this acceleration comes a certain amount of risk. In the rush to gain the benefits of the cloud, many insurers could potentially leave behind their tried-and-true approaches to IT governance and security, leaving them unprepared for the transition. Due diligence and careful planning are as important as they ever were, if not more so. In this series, we will be looking at some of the things insurers should consider when it comes to cybersecurity and the cloud to help you gain the benefits without increasing risk.
Cloud services are driving innovation
Cloud services empower you to gain essentially limitless computing power and storage space at low prices with little more than a credit card and a few mouse clicks. You don’t have to buy servers or software licenses, or pay for capacity you don’t use.
For example, in the global life insurance market, the cloud is a compelling proposition for building business solutions with performance and scale never before possible. When contemplating a move to the cloud, security must be a primary consideration and integral to any solution.
Too slow, too fast—or just right?
Many insurers have been relatively slow to adopt cloud services because they operate in a highly regulated industry with a significant responsibility to protect the privacy and security of policyholders’ personal information. Today, most have come to recognize that enterprise services from the major cloud vendors are capable of providing even better security and uptime than self-managed datacenters. Additionally, many cloud infrastructure and software-as-a-service providers have focused on obtaining certifications to assist with regulatory compliance.
However, even the most impressive list of security certifications only tells you that the platform is secure. It is not a license to cut corners on the software you run on that platform, which must follow governance and security best practices. The security a cloud vendor provides is not a panacea, but part of a new partnership, where your developers and users gain access to additional tools. It remains your responsibility to leverage them securely.
After all, neither the cloud nor any datacenter is invulnerable. Even the most trusted and heavily secured services can have flaws. In February of 2017, Cloudflare, an Internet services and security company that handles 10% of Internet requests, was discovered to have a vulnerability that would have allowed anyone who noticed it to collect highly personal information about Internet users. The error was discovered and patched, but only after it was live for five months.
This demonstrates that IT governance remains critical, and that, while the cloud simplifies some things, it makes others more complex. For example, it can be challenging these days to know where your data and applications are stored, which networks they use, and who has access to them. As companies focus on business and technology innovation, there is a need to innovate approaches to security and governance, as well, and to partner with cloud vendors to build safe, secure, and reliable solutions in the cloud.
The IT department must evolve
The cloud has broken past the early adopters and is now present in one form or another in most enterprises. As the cloud becomes a bigger part of our IT environments, companies will find genuine value in having IT professionals ensure that services are configured and used appropriately.
In the traditional on-premises world, IT acts as the gatekeeper for datacenter resources. By default, usage, configuration, and security are handled by those with the right expertise. The business users, especially those whose expectations are shaped by consumer technology, may perceive these IT precautions as an impediment to their aims. The cloud enables them to spin up their own “shadow IT” services cheaply and easily—outside of the carefully-crafted mechanisms of control.
To find the right balance, the role of IT needs to shift and evolve from building and owning all services to one of selection and curation, providing the benefits of speed with the security of good governance. This is as much an organizational and mindset shift as it is a technological one, in many cases requiring new skills beyond what was required of the IT department in the past.
More to come
In subsequent posts, we will examine several aspects of cloud cybersecurity for insurers in greater detail, such as the responsibilities of vendors versus those of customers, the use of personally identifiable information in the cloud, and what goes into developing a secure cloud application. With the right approach, you can maximize the speed, agility, performance, and cost benefits while minimizing risk.