Cloud security - how worried should insurers really be?

Information security has never been a risk-free proposition. The traditional thought has been that sensitive material is generally secure when stored inside a data center, protected by a firewall. Now, the assumption that on-premise solutions are the leading option security-wise is being tested in light of recent cyberattacks on financial services providers, notably Anthem, a health insurer, and JPMorgan Chase, the world’s fifth-largest bank.

With the cloud poised to become a major disruptive force in the financial services industry, there are legitimate questions about the role of cloud software in managing information security risk.

There is widespread concern over the ability of cloud providers to keep sensitive material safe. Critics point out a seeming lack of visibility into where software and data are located, and note that users of cloud software trade off some degree of control over their data, despite the fact that users can ‘shop around’ for a transparent and open provider.

Less common among critics of the cloud, however, is an acknowledgment that security is relative, and that working in the cloud can have some advantages over traditional enterprise software, even though neither is free of all risk. Isolating data and locking it behind a firewall only goes part of the way; what’s needed is the ability and motivation to invest in the necessary human expertise and policy in order to implement sound controls over data.

So, a key reason why cloud software may have advantages over an on-premise solution boils down to economics, rather than technical differences. Cloud providers are simply in a much stronger position to invest in information security, both in terms of technical tools and in the sense of people and policy. Because the cost to develop a secure environment is spread amongst a large group of clients, cloud providers can afford to spend significantly more, making it less likely that security will be traded off against financial or other constraints.

Good information security experts are expensive, so spreading costs also means that cloud providers can afford to buy a higher calibre of information security expertise. A cloud provider’s purchasing power might even allow it to partner with a top-tier security company to procure the best advice and guidance.

Of course, cloud providers don’t just face fewer financial constraints - they also have a stronger incentive to do all they can to secure their service. Whereas upgrading and researching information security might be one of a number of competing priorities for an insurer, information security is at the core of a cloud provider’s business.

The cloud also has advantages over traditional data centers when it comes to protecting data from unintentional loss and outages, as opposed to black-hat threats. Of course, many businesses are already well-prepared for these risks, regularly backing up data and perhaps instituting business continuity measures. However, in the context of competing priorities, mitigating less foreseeable future threats may sometimes be neglected in favour of what are seen as more pressing action points. Storing and regularly updating a complete mirror of the business’s data offsite can be expensive and time-consuming, as is maintaining an up-to-date set of hardware for use in an emergency.

In contrast, stability and business continuity in the face of an unforeseen event or natural disaster are key selling points for many cloud providers. Cloud providers can service multiple contingencies that an individual firm may not be able to afford. Moreover, the ability to reach key business processes remotely means that access to key business tools is maintained even if the office network is down.

The cloud is of course not a panacea for security, and adopting some cloud services does not lessen the requirement for firms to understand the security risks that they face and respond by implementing good controls over their data. Information security is a relative concept; for some applications, security and controls over data in the cloud will often exceed those which are implemented in a traditional setting.