Clouds on the Horizon

May 31, 2013 | Last updated on October 1, 2024
There is no shortage of opinions when it comes to cloud computing: some information technology vendors say it is the way of the future; a recent survey of corporate information technology managers finds the practice risky; at least one commercial broker reports that some underwriters are introducing endorsements intended to reduce related exposure; and some technology vendors and brokers contend it can actually reduce the risk related to business interruption and security breaches.

Services such as IT outsourcing, web hosting and data hosting predate the “cloud” moniker, notes Thomas Srail, senior vice-president of financial and executive risks and the cyber and errors and omissions team at Willis Group Holdings plc’s North America unit.

“Everything old is new again,” Mike Strople, chief operating officer of Allstream Inc., the Toronto-based telecommunications carrier formerly known as AT&T Canada, says of cloud computing, which essentially means using someone else’s server and storage hardware to run one’s own applications.

Cloud computing is similar to mainframe computing, Strople suggests. “If you think about some of the risks that you have… it’s the failure of hardware, failure of software or a security event.”

Also new is that prices are dropping for access to the high-speed networks that connect companies to the servers and storage devices in cloud providers’ data centres, and that underwriters are taking a harder look at the providers to whom policyholders outsource computer services.

Frost & Sullivan, a San Antonio, Texas-based market research and consulting firm, breaks cloud computing into two categories. The first, public cloud infrastructure as a service, involves an organization outsourcing the equipment it would use to support computer operations – including storage, hardware, servers and networking components – while the cloud provider would host, run and maintain the equipment, as well as allocate resources among clients who run their own software on the provider’s servers. The second, software as a service, is similar, but the cloud computing company also provides the software.

A 2012 survey from Frost & Sullivan’s Stratecast division, based on interviews with 308 information technology decision-makers about the risks posed by cloud computing compared to the risk of using their own infrastructure, identified five different risks, says Michael Suby, Stratecast’s vice-president of research. The risks were as follows: cyber attacks; data loss; weak access control; an inability to perform compliance audits; and an inability to support forensic investigations.

“What we’re finding from the survey of IT decision-makers is they are less confident that the cloud represents less risk than hosting their own servers in their own private data centres,” says Suby. “The fear is that as you move outside your own, on-premise private data centre, the risks for those vulnerabilities increase… you have less control as to who has access,” he adds.

“No matter what it is, as soon as you can’t have something that you can go into the corner and hug, you tend to be uncomfortable,” suggests Mike Sharun, managing director for Canada for EMC Corp., a vendor based in Hopkinton, Massachusetts, whose products include disk arrays that store electronic data. “It takes time for people to change and accept new ways of doing things.”

LEVEL OF SERVICE

Sharun advises that companies considering cloud computing should do some research on their prospective vendors if they want to get a handle on potential business interruption risk. “Make sure that you get the service level agreements (SLAs) that you want in writing,” he cautions. “If it’s going to be up 99.999% of the time, how are they ensuring that? What’s their track record against that SLA and also, what are the penalties that they’re willing to stand to if they don’t meet their SLAs?”

Strople agrees that SLAs are critical, especially when there could be several different providers responsible for different parts of the telecommunications network that connects a customer to a cloud provider. Policyholders who are outsourcing critical computer services should ask for SLAs that guarantee a certain level of “uptime,” not only for the servers and storage on the cloud provider’s site, but also for the telecommunications networks in between.

Kevin Kalinich, vice-president of Aon Risk Solutions’ professional risk solutions practice, says the company has found “that cloud providers have much better IT security and much lower exposure on an individual basis than an individual company does.” Notes Kalinich, “That goes for each one of the exposures, such as a security breach, a privacy breach, downtime, business interruption, the forensics investigation and notification costs.”

This is the case because a cloud computing firm’s core business is information technology, but IT is a “sideline” for policyholders whose core business is not technology, he suggests.

Zeus Kerravala, founder of ZK Research in Westminster, Massachusetts, agrees. “Obviously, if you’re going to go to a public cloud service, you have to consider security and privacy issues,” says Kerravala. “If somebody hacks into the cloud, then they, of course, have access to your information,” he says, but adds the same argument can be made if someone hacks into a company’s network.

This is especially true for a client who is not very thorough with regard to “daily hygiene,” or installing security updates as soon as the software vendors provide them, suggests Kashif Ansari, EMC’s manager of presales for Canada. “Patches come up constantly, so if your staff is small, and you’re busy with other stuff, those are the things that get overlooked, and it’s when (a security problem with one type of software) gets exposed that you realize you’re behind in keeping your systems up to date,” Ansari cautions.

FAR-REACHING BREACH

With cloud computing, a policyholder can mitigate some risks, says Srail, but suggests a client could be in trouble if either its cloud computing provider – or one of the cloud provider’s other clients – suffers a computer security breach. “Because they use the same cloud, they may get attacked, and so your cloud provider, in theory, could suffer a denial of service attack,” he explains. “You could be impacted by that security and outage risk, just because you went with a vendor who happened to host other customers who were a target.”

There is concern among some carriers, he adds, that such a situation could increase their exposure from one incident if they insure the cloud provider and several of its clients. “That could be a catastrophic loss for one underwriter who doesn’t pay attention to that,” Srail warns.

To mitigate clients’ security risk, Kerravala advises asking cloud providers about their hiring practices; to mitigate their business interruption risk, he suggests that clients ask providers what they do to back up their clients’ data and how quickly they can “fail over” to a disaster recovery site.

That site should be redundant with the primary site and far enough away so that one natural disaster, such as a tornado, will not destroy both the primary and the back-up, suggests Dan Petlon, chief information officer of Enterasys Networks Inc., whose products include computer networking switches and routers.

Petlon points out his company’s data centre is located in Salem, New Hampshire, as is corporate headquarters, but the disaster recovery site is almost 3,000 kilometres away in Irving, Texas.

“I would say the public cloud service provides higher uptime than using an internal private server,” Kerravala says. “The security risks can be higher as well. I don’t necessarily know if one is better than the other. I just think there are different risks and it comes down to which one the insurance company is willing to take on,” he adds.

For example, carriers are covering the risk of business interruption caused by incidents in which data and computer applications become unavailable, says Srail. But some underwriters are limiting coverage to failures of the policyholders’ systems rather than those of their service providers, he reports. “In practice, those lines begin to blur very quickly.”

Commercial brokers need to “take a close look” when underwriters are limiting coverage for losses caused by what carriers consider to be the outsourced computer system, rather than the policyholder’s system, he says. This will help to ensure underwriters are not “inadvertently adding sub-limits or restrictions on our available business interruption and data restoration coverage that otherwise might be there.”

Despite the perceived risks, more and more companies are moving to the cloud, reports Sharun. “They can turn up their own server environments, grab their own network resources, provision their own storage and really operate independent from IT,” he says. “It’s just like plugging something into a wall… and that’s how IT is going to be over the next few years.”