Attitudes about cloud among insurance technologists are changing: skepticism and fear of the unknown are giving way to prudent but somewhat more aggressive steps towards adopting solutions that have zero footprint in the internal infrastructure environments. When considered against the burdens associated with internally hosted solutions, the benefits of the cloud are indisputable:
- Each internally developed and deployed solution requires an enormous footprint in terms of supporting infrastructure. Setting up and supporting this environment requires significant financial and human resources, the latter with ever more sophisticated skills. The environment setup alone is a project in itself.
- Beyond development and initial deployment, the environments of internally hosted solutions need to be managed and maintained 24/7, adding to the financial and human resource burden.
- Despite advancements in functionality, product development cycles are not getting any shorter. The products are getting more complex and so is the technology that supports them.
Having the platform in the cloud removes a number of variables from the equation, namely the availability, stability and optimization of the platform – provided the vendor has gone through the pain points and addressed the issues earlier in the adoption cycle.
Ready-to-use products are luring business and IT and are making adoption more attractive. Initial development cost can be offset faster because of the insurance product speed-to-market gained.
Good start-up candidates include highly commoditized products, slow-changing products, and products with simplistic underwriting rules.
As suggested above, the shortcomings of cloud-based solutions that concern insurance CIOs have been tamed significantly. However, some risks remain, so CIOs must take a skilled approach to cloud-based implementations in order for the initiatives to be successful.
For example, security continues to be a concern, but the technology exists today to address even the most demanding privacy requirements. CIOs should consider the following as they evaluate the security of cloud-based solutions:
- Integration with the carrier’s Active Directory and dual-factor authentication or identity management solutions is not easy to accomplish and may require additional investments to be made for specific utilities and tools.
- All of the above will need to be coupled with strong encryption solutions. Back-and-forth, carrier-to-cloud messaging traffic must be encrypted. Data must be encrypted at rest, in transit, and for disposition. Key management remains a critical issue.
- Additional architectural considerations need to be put in place, data isolation being the most critical. Complete isolation of the solution will not only positively add to the business case but will also make it easier to insource the solution if the vendor fails to meet its SLAs.
- Cloud-based solution providers must be able to comply with stringent requirements for financial transactions and be audited against various industry frameworks such as SAS70, WebTrust, etc.
Here are some standard criteria to apply:
Physical Security – Cyber security is not the only concern: the physical security around the infrastructure must be very tight. Who has access to the system? Logs, policies, procedures are a must.
User Access – Some of the most critical issues for cloud services are about access control, authentication, user management, provisioning, etc. Cloud environments are shared, so your data is in the same environment alongside data from other customers. Breaches can easily happen from one database to another. What standards does the cloud provider enforce? How are users provisioned? Who is responsible for credential management? How much control do you have? Is there a dedicated VPN? Is there a federated identity process and how’s that managed? Can OpenIDs be used for registration and authentication?
Network Security – Strong firewalls, IDS/IPS devices, event monitoring and correlation solutions, and log management must be in place to secure the cloud provisioning.
Virtualization Security – Almost all cloud providers use virtualization to provide economies of scale and optimal distributed architecture. Virtualization has its own set of security issues. You must audit the vendor’s security process. How are they testing for vulnerabilities and fixing them?
Vendor and Contractor Relationships – Integration with the partners onshore and offshore is the most vulnerable point. The vendors must enforce security processes for their integrations with third parties. Carriers should ask for certification processes to make sure that third party applications are secure.
Application Security – Security experts estimate that over 70 percent of attacks are through Web applications. Hence, application security is a critical piece in the overall cloud-based solution architecture. Security assessment, design and implementation should be part of the SDLC processes and practices. Does the vendor have standardized coding practices to protect from common vulnerabilities like XSS, SQL Injection, CSRF, Session Management etc.? How is the API protected? Does the cloud provider do vulnerability scanning periodically? The carrier should run its own vulnerability assessment against the cloud-based solution provider.
Cyber security insurance is a must – The provider must have solid and ample insurance from a reputable carrier.
Security is a big issue when it comes to cloud-based deployments, but it is a risk that can be managed. In recompense, carriers can save a lot of money and resources. The key is to do proper auditing and investigation of the cloud-based solution provider and to thoroughly understand their SLAs.
[For PHLY CIO Alfred Goxhaj's insights on policy administration replacement, see Making the Business Case: Seizing the Opportunity.]
Performance should be tested for hourly, daily, weekly, monthly and seasonal patterns that could inhibit the business transaction processing and frustrate the users, business partners and insured alike.
Integration is as much of a concern as for internally hosted solutions, but with the added headache of security concerns.
And make no mistake, though the benefits of cloud-based solutions are substantial, they still involve a significant financial burden. Over the short term it’s easy to make a good business case for cloud-based solutions, but costs become increasingly significant over the long haul. Capitalization rules do not apply easily with the cloud solutions and much of the initial cost will be counted as an operational expense. The expense cycle is shortened dramatically.
No advantages come without challenges, but the bottom line is that cloud-based solutions are not only here to stay but are becoming a strong alternative, especially for small to mid-size IT shops. The effect will be dramatic. The economic advantages of cloud will only accelerate the commoditization of the industry, and insurers’ ability to compete will favor the carriers that will be able to create flexible models with in-house, private cloud and public cloud solutions. Prudent pragmatism in solution adaption will replace the monolithic, risky-to-implement, slow-to-develop, and difficult-to-change internally hosted solutions. Blending in-house solutions with cloud-based options may be a prudent approach until the cloud becomes truly mainstream and secure and inarguably more economically viable than hosting within the carrier's own environment.