The cloud is hardly new for most industries, but insurance is still in its early days with respect to widespread adoption. While solid progress is being made—a recent report from Novarica shows that more than 70% of insurers now use cloud computing (more than triple the last few years)—most have implemented it only in segments of their businesses, and not enterprise-wide.
By and large, insurers are still at the tip of the iceberg with cloud computing, and security is one of their most significant reasons for caution. Accenture found 65% of insurers see security risk as a main concern. However, there are steps that insurance chief information security officers (CISOs), and their cloud solution providers, can take to mitigate the risk during the migration to the cloud and ensure that all involved parties are aligned and collaborating effectively.
Maintaining Security in a Cloud Environment
One of the issues insurance CISOs face when migrating their on-premise systems to the cloud is overcoming common assumptions about the migration. Many of the 250+ insurers we’ve worked with initially assume existing infrastructures and technologies can simply be “lifted and shifted” to the cloud, leaving architecture and connected processes intact—only now off-site. Most insurers are also used to having all sensitive customer data parked behind their corporate firewalls. But it’s a necessity to build a path beyond the corporate edge for web-enabled applications and to select the appropriate framework and operating model for each unique migration. Therefore, security can no longer be an afterthought and should be addressed upfront and continuously at every stage of the migration process.
In fact, a public cloud infrastructure can actually offer additional benefits if architected with security in mind. Operating in the public cloud typically provides the opportunity to take advantage of a highly specialized and mature security team that understands the risks that exist in the environment. This can include leveraging comprehensive logging and security tools that are often not available in legacy on-premise data centers. Security domains such as IAM (Identity and Access Management) are often built into the cloud-based platform and provide granular control over the environment, which can ease some of the day-to-day security needs. Another example is enhancing the network stack of a traditional data center environment—a project which typically requires hours of downtime, physical presence, and specialized expertise to configure and implement. In a public cloud setting, a network appliance can be rapidly added and implemented in minutes.
Regardless of whether insurers use a private, public, or hybrid cloud, CISOs must embrace a shared responsibility model. Instead of having a single in-house team responsible for controlling sensitive data, insurers must become comfortable trusting public cloud providers, such as Amazon Web Services (AWS) or Microsoft Azure, or MSPs—an experience that can initially be jarring. It is also common to underestimate the impact that this shift has on the importance of a well-structured data access management plan. It is a critical step for insurers of all sizes to mitigate security risks resulting from human error.
Ensure SaaS Providers Employ Industry-Leading Information Security and Regulatory Compliance Practices
To safely run core systems in the cloud, insurers must ensure their partners abide by the appropriate set of corporate, industry, and regulatory standards. During the early stages of vetting potential cloud service providers, CISOs should ensure these providers meet the following standards.
- Corporate information security controls that govern user management, data access, authentication, and encryption to ensure the insurer’s data is protected.
- Information security standards such as SOC (Service Organization Controls) which evaluate an organization’s maturity with regard to availability, confidentiality, privacy, and security. In addition, providers should also comply with NIST standards, cyber risk governance best practices, and HIPAA standards where applicable.
- Regulatory and compliance standards which vary region-by-region (as is the case with GDPR), or state-by-state (as is the case with NY DFS in New York and CCPA in California.) These IT standards govern controls for privacy and security, and have mechanisms that must be followed to avoid substantial fines.
Application security must also be reviewed on a broad basis as systems are moved from on-premise to cloud. The optimal method for secure authentication, leveraging technologies such as multi-factor authentication and/or single sign on, should be considered and evaluated. Data encryption standards and application and network penetration testing should be mandated as part of the security framework put in place for the migrated application.
A final consideration during migration is to ensure that interfaces and their associated business workflows in the cloud environment are well-defined and approved by business stakeholders.
Taking into consideration the above areas and continually refining the overall security framework will enable insurance CISOs to keep their cloud environments secure over time as the threat landscape continues to evolve.
Whether insurers are taking their first step into the cloud, or expanding their existing cloud footprint, security is largely dependent upon knowing what questions to ask upfront and ensuring that the right “boxes” are checked during the implementation and run phases of a migration project. Following the information security considerations listed above will enable a significant first step towards ensuring sound security practices as insurers begin or continue their journey into the cloud.
Jonathan Victor, CIO of Insurity
