Adoption of cloud computing continues to grow across allindustries, and Gartner predicts that by 2016 cloud deploymentswill represent the bulk of IT spending. However, insurers are anaturally risk-averse bunch and remain wary about cloudsecurity.

“Data security and privacy are two primary concerns we have,particularly in light of recent high-profile data breaches,” saysAndrew Peel, senior vice president and CIO, Philadelphia InsuranceCos.

“It's a control issue,” says Chad Hersh, managing director inNovarica's insurance practice. “Insurers are concerned with how toensure the safety of data that's not in their hands.”

Insurers' concerns are justified, Hersh says. “Any time you cedecontrol over anything, there are risks and consequences, bothpredictable and unforeseen,” he explains.

However, he adds that cloud offers insurers security advantagesas well.

“Think about the resources cloud providers throw at physicalsecurity and the investments they make in safeguarding theirenvironments—data centers whose locations are kept secret, armedguards and multiple layers of security, multiple certificationsthat have passed different levels of compliance audits. Cloudproviders go through a lot more scrutiny than a carrier's own datacenter,” he says.

“A lot of the uncertainty has been removed from the securitypicture with cloud,” agrees John Howie, COO, Cloud SecurityAlliance. “All the major cloud providers are rock solid today. Froman insurance perspective, cloud can actually give some addedcomfort around security.”

For instance, Philadelphia has enhanced its security aroundmobile device management wit a cloud-based solution fromAirWatch.

“Previously, if we lost devices we faced potential data loss.Now we can easily wipe those devices clean,” Peel says.

“Cloud providers also deliver around-the-clock monitoring, incontrast to being limited to the hours our own data center staffare there,” says Ed Kocur, Philadelphia's vice president ofinfrastructure services.

However, Howie cautions that comfort should not lead tocomplacency. “You can shift responsibility to the cloud provider,but you cannot shift accountability,” he says. “If something goeswrong, you are going to need to explain to regulators and yourpolicyholders what happened.”

Effective Evaluation Essential
Assessing cloud security starts with the basics of due diligence,including ensuring a cloud provider is financially viable andcollecting the alphabet soup of audits and certifications—SSAE 16(SOC 1), SAS 70 type II, ISO 27001. But a deeper dive into aprovider's security requires asking tough questions.

“We have come up with our own question set for cloud vendorsbased on our own experience, partnership with our internal auditdepartment and parent organization [Tokyo Marine Holdings Japan],plus research from advisory firms who really know who the bestproviders are,” Peel says.

For instance, in evaluating the AirWatch mobile devicemanagement solution, Philadelphia identified the flow ofinformation to the provider as a chief area of concern.

“Our security team worked with our IT infrastructure staff andthe business side to develop a whole set of questions around datato protect, access controls, monitoring, reporting, and othercomponents to be sure we were compliant. We then worked with legalto be sure we had the right non-disclosure agreements and dataprotection in place, and collected their SSAE 16 and otherdocumentation to be sure their housekeeping was in order,” Peelexplains.

To assist insurers in assessing the overall security of a cloudprovider, the Cloud Security Alliance offers a Cloud ControlsMatrix (CCM), which is currently in its third iteration. Built onindustry-accepted security standards, regulations, and controlframeworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST,Jericho Forum and NERC CIP, the CCM is freely available through theAlliance.

Vendor assessment needs to be an ongoingprocess. “Once we select a vendor we want to partner with, we buildan entire audit process around that relationship to be sure thatthe policies we initially put in place remain valid over time,”says Owen Williams, Philadelphia's vice president and CTO fortransformation.

Philadelphia uses more than two dozen applications on bothpublic and private cloud networks. The majority are cross-industrybusiness applications, such as Jive for enterprise collaboration,PowerSteering for project management, and Everbridge for crisismanagement and communication, among others.

“We want to focus on creating insurance-based solutions for ourown customers and look at cloud for generic process tools,” saysWilliams. “When you look at the cloud for core insurancesystems—policy administration, claims, other critical systems—youhave to consider not just the security risks, but the switchingcost and the total cost over time.”

“There will probably always be 'family jewels' within thecompany that we wouldn't want to have outside the protection ofcorporate firewalls,” Peel says.

However, Philadelphia does utilize a few non-core,insurance-specific cloud applications. The company has deployedLoss Control 360 for insurance inspection management, OneShield forbond management, Oden for policy termination documentation, andAutoIDWeb for online auto insurance cards.

Although many providers of core insurance processing systemstout cloud-based offerings, Philadelphia's non-core use of cloudreflects the general industry trend.

“We're still seeing a lot of companies keeping corefunctionality in house in house—anything that involves customerdata moving or being transferred outside of their [data center]environment,” observes David Mitzel, software architect atarchitectural consultancy X by 2.

Business Benefits Drive Adoption
Philadelphia has realized many benefits from cloudcomputing.

“Cost is a major driver,” Peel says. “Historically, we were verymuch a purchased and on-premise type of environment, but there arelimits as to how much software and infrastructure you can controlinternally and how much capital you can apply to it. Cloud gives usa variable cost, externally managed, pay-as-you go cost model.”

“Cost savings are really at the top of the benefit stack,” saysHowie. “Taking things like document production and CRMinfrastructure and moving those to the cloud allows insurers toimmediately realize savings and is relatively easy and simple todo.”

But there are advantages to cloud that go beyond cost. “Theother key benefit to cloud is speed to market—the ability to getsomething up much more rapidly than would be possible when hostedinternally. There are also applications where we don't have theskills in house to deploy them and it doesn't make sense to acquirethose skills,” Kocur says.

“We've also used cloud solutions to get into a market quicklyand with low cost of entry, see how the product performs, then movethe platform in house,” Peel adds. “We're also looking more atinfrastructure and platform in the cloud, including havingdevelopment environments on demand or storage on demand.”

In fact, platform as a service (PaaS) is one of the fastestgrowing areas of cloud, according to Howie.

“It [PaaS] allows insurers to take legacy applications, rewritethem for the cloud, and gain access to new functionality andfeatures as well as increased scalability and reliability,” hesays. “In rare cases where you have legacy apps that cannot berewritten, insurers can use infrastructure as a service [IaaS] tomove those applications to a virtualized environment, ideally in aprivate cloud,” he says.

Key benefits to PaaS are increased rigor of the environment aswell as easier maintenance, testing, and roll-back. IaaS offersadditional benefits in disaster recovery.

“By going to either a private or public cloud you can build morefault tolerance into your infrastructure, bring services back upautomatically, and withstand natural disasters more readily,” Howiesays.

Cloud also fits well with Philadelphia's IT model.

“We've created a shared infrastructure approach spanning thevarious companies, so the ability to have variable cost,consumption-based model supports that,” Peel says.

Good Governance
Effective cloud security is also connected to good IT governance.The problem of “shadow IT,” where users deploy technology withoutIT's knowledge, has been compounded by the increased availabilityof cloud solutions.

“I can't tell you how many times we've seen a marketing groupget signed up for Salesforce as a free or trial project and itwinds its way into being a full-on environment that IT only thenbecomes aware of,” Hersh says.

“We've always struggled with employees building their owndatabases or bringing in a server to run a particular function.That's been around since the erosion of the mainframe days. Thecloud has exacerbated that, but it's not really a cloud problem perse—it's a governance problem,” Howie says.

“Solving the problem of 'shadow IT' requires education,procedure, process,” Hersh says. “IT needs to let the business knowthat it won't get in the way of new capabilities, but it does needto address security concerns and offer to help the business in thedecision-making process.”

Also, identity and access management concerns, includingprovisioning and de-provisioning access as users join and leave thecompany, become more complicated when systems outside the corporatefirewall are involved.

“Companies will take employee badges away immediately when theyleave a company, but it can take companies days to terminateemployees' IT access, even for systems that are within a company'sown network,” explains Howie.

“That problem has grown more complex in the age of the cloud,because at many companies identity and access management is notmanaged centrally. As a result, when they terminate employee, theyare not able to de-provision employees in a timely fashion, whichmeans employees can keep downloading content from cloud services,”he says.

One solution is to turn to the cloud itself. “Companies canprovision identity and access management as a service,” Howiesays.

Cloud Continues
With risk management inmind, insurers will continue to expand their use of cloud.

“Insurers are looking to the cloud not just to reduce expenses,but to deal with constraints around short-term computing power,departmental-level IT issues, architectural nimbleness, and otherreasons,” Hersh says.

“The business drivers are very compelling—variable cost, speedof deployment, access to the latest technology. Especially with theshared services model that we have, those benefits resonate verywell,” Peel says. “We expect to use cloud a lot more in thefuture.”