Cloud Computing – Changing Nature of Risk in the 21st Century
Clive Nicholls, Senior Vice President, Global Markets, Crawford & Company

• Challenges for our profession
• Challenges for insurers
• Changing technology landscape
• Cloud computing
• Understanding the changing risk
• New Insurance Cover?
• Discussion?

Challenges for our profession
• The whole world has changed beyond recognition since the forerunners to the CILA met in 1940 to form the Fire Loss Adjusters Association
• Average age of loss adjuster is 40+??
• We are well versed in traditional risks and their effect
• But much has changed over the past 10 years?
• Not all about fire, flood and storm!

Challenges for insurers
• General insurance market static
• Growth of alternative risk transfer
• Corporate world & increasingly personal world: the nature of risk is fundamentally changing
• Can we insure what really matters?
(Image caption: An Osborne Executive portable computer, from 1982, and an iPhone, released 2007. The Executive weighs 100 times as much, is nearly 500 times as large by volume, costs 10 times as much, and has 1/100th the clock frequency of the iPhone.)

Changing technology landscape (image slide)

Cloud Computing (image slide)

Cloud Computing Road Trip (image slide)

The Cloud is Fantastic, but…
• How can I maintain control of my data in the cloud?
• What if I want to change cloud vendors?
• How can I verify my data is “destroyed” when terminating a service provider?
• What happens if my service provider goes out of business?
• How can I comply with security best practices, internal governance and compliance rules in the cloud?
• How can I guarantee only I have access to my data?
Public Cloud Service Models
Software as a Service (SaaS)
• Use provider’s application over the Internet
• Proprietary infrastructure
Platform as a Service (PaaS)
• Deploy enterprise-created applications to a cloud
• Proprietary infrastructure
Infrastructure as a Service (IaaS)
• Rent processing, storage, network capacity, and other fundamental computing resources
• Full access to infrastructure stack with basic security services (firewall, load balancers etc.)

Cloud Services Market Evolution: 25% CAGR Growth
        2009    2013
SaaS    49%     38%
PaaS    10%     13%
IaaS    41%     49%
Source: “Cloud Computing 2010: An Update”, IDC, 29 September 2009
IaaS represents the largest piece of the cloud services market.

Who has control?
• End-User (Enterprise): Servers; Virtualisation & Private Cloud
• Service Provider: Public Cloud IaaS, PaaS, SaaS

Amazon Web Services™ Customer Agreement
7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorised access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorised access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.
http://aws.amazon.com/agreement/#7 (3 March 2010)
The cloud customer has responsibility for security and needs to plan for protection.
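The agreement clause above leaves encryption, backup and key handling to the customer, and the deck's later "Private Security Answer" slides take the same position: data is encrypted before it reaches the cloud, the keys stay with the customer, and "destruction" is achieved by erasing the key. The Go program below is an added example, not code from the presentation or from any provider; Seal, Open and Shred are hypothetical names, and the 32-byte AES-256 key is assumed to come from the tenant's own key store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a shredded (nil) key is rejected here
	if err != nil {
		return nil, errors.New("no usable key: data is unrecoverable")
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a record before it leaves the tenant; only nonce||ciphertext||tag reaches the
// cloud. The object name is bound as associated data, so a blob lifted from one object or a
// cloned machine image cannot be replayed under another name.
func Seal(key []byte, name string, record []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // fresh nonce per object; crypto/rand.Read is documented not to fail (Go 1.24+)
	return g.Seal(nonce, nonce, record, []byte(name)), nil
}

// Open decrypts locally; a wrong key, a shredded key or any tampering returns an error.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], []byte(name))
	}
	return nil, errors.New("object missing or truncated")
}

// Shred is the deck's data "destruction": with the key zeroed, every copy of the ciphertext
// the provider replicated or backed up is unreadable. Callers keep the returned nil key.
func Shred(key []byte) []byte {
	for i := range key {
		key[i] = 0
	}
	return nil
}
```

Because the provider only ever stores the sealed blob, a cloned image or a recycled storage volume yields nothing without the tenant's key, and the same key erasure that answers "how do I verify my data is destroyed?" also covers replicas the tenant never sees.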
Challenges for Public Cloud
• Multiple customers on one physical server – potential for attacks via the hypervisor
• Shared network inside the firewall
• Shared firewall – lowest common denominator – less fine-grained control
• Easily copied machine images – who else has your server?
• Shared storage – is customer segmentation secure against attack?

Data Security Challenges in the Cloud
• Encryption rarely used – who can see your information?
• Storage volumes and servers are mobile – where is your data? Has it moved?
• Rogue servers might access data – who is attaching to your storage?
• Audit and alerting modules lacking – what happened when you weren’t looking?
• Encryption keys tied to vendor – are you locked into a single security solution? Who has access to your keys?
• Storage volumes contain residual data – are your storage devices recycled securely?
(Illustration: an unencrypted record – Name: John Doe, SSN: 425-79-0053, Visa #: 4456-8732…)

Datacenter vs Public Cloud
• Datacenter: strong perimeter security, no shared CPU, no shared network, no shared storage
• Public Cloud: weak perimeter security, shared CPU, shared network, shared storage
Traditional “outside-in” approach is inadequate in an “inside-out” cloud world full of strangers.

The Private Security Answer
• Multiple customers on one physical server – potential for attacks via the hypervisor: doesn’t matter – the edge of my virtual machine is protected
• Shared network inside the firewall: doesn’t matter – treat the LAN as public
• Shared firewall – lowest common denominator – less fine-grained control: doesn’t matter – treat the LAN as public
• Easily copied machine images – who else has your server?: doesn’t matter – they can start my server but only I can unlock my data
• Shared storage – is customer segmentation secure against attack?: doesn’t matter – my data is encrypted

Benefits
• Facilitates movement between datacenter & cloud
• Delivers security compliance through encryption
• Avoids service provider lock-in
• Enables data “destruction”
(Diagram: users access the app in Datacenter DC1, LAN 1 or DC2, LAN 2, or in Public Cloud 1, LAN 2 or Cloud 2, LAN 1; the image ensures data is always encrypted and managed; encryption keys controlled by you; the host defends itself from attack.)

Security Breach
• Every breached security system was once thought infallible
• SaaS (software as a service) and PaaS (platform as a service) providers all trumpet the robustness of their systems, often claiming that security in the cloud is tighter than in most enterprises. But the simple fact is that every security system that has ever been breached was once thought infallible.
• Google was forced to make an embarrassing apology in February when its Gmail service collapsed in Europe, while Salesforce.com is still smarting from a phishing attack in 2007 which duped a staff member into revealing passwords.
• While cloud service providers face similar security issues as other sorts of organisations, analysts warn that the cloud is becoming particularly attractive to cyber crooks.
• "The richer the pot of data, the more cloud service providers need to do to protect it," says IDC research analyst David Bradshaw.

Security Breach
• Zurich Insurance must pay an enormous £2.3m fine for losing thousands of British people's personal data.
• The fine was imposed not by the Information Commissioner's Office but by the Financial Services Authority.
• Zurich Insurance lost 46,000 customer records including some bank details when a tape back-up went missing between two sites in South Africa.
• Even worse, it took a year for Zurich UK to hear about the loss.

Understanding changing risk
• However, according to Datamonitor's Trifković, the cloud is still very much a new frontier with very little in the way of specific standards for security or data privacy. In many ways he says that cloud computing is in a similar position to where the recording industry found itself when it was trying to combat peer-to-peer file sharing with copyright laws created in the age of analogue.
• "In terms of legislation, at the moment there's nothing that grabs my attention that is specifically built for cloud computing," he says. "As is frequently the case with disruptive technologies, the law lags behind the technology development for cloud computing."
• What's more, many are concerned that cloud computing remains at such an embryonic stage that the imposition of strict standards could do more harm than good.

Increased Profile
Why is this such a hot topic?
– Change in regulatory environment, especially within the EU
– Several high-profile, well-publicised incidents over the last couple of years
– Increased dependency on technology
– More “paperless” work environments
– New contractual requirements (always check for specific obligations within contracts)

US Legislation
Industry-specific legislation
– 1996 – Health Insurance Portability and Accountability Act (HIPAA)
– 1999 – Gramm-Leach-Bliley Act (GLBA)
– 2009 – American Recovery and Reinvestment Act (ARRA): Health Information Technology for Economic and Clinical Health Act (HITECH)
State legislation
– 2003 – California Senate Bill 1386 (CA SB 1386)
– Subsequent state legislation (currently 46 states, with two pending)

EU Legislation
• Only applicable to telecommunications companies: passed Nov 2009, to be enacted by May 2011, BUT
• Recent ENISA report stated that almost all Data Protection Authorities were in favour of extending this to all sectors
• Justice Minister (Viviane Reding) is highly supportive AND…

Proposed US Legislation
• Privacy legislation is undergoing a full review
• E.U. Commission will finalise proposals in 2011
• These will include a “right to be forgotten”
• Data controllers remain fully liable and will need to prove they keep the data (shift of duty from data subjects)
• Rules will apply irrespective of the location of the data (esp. US & India)
• Total transparency for the data subject will be the guiding principle

Typical Breach Costs
                        Per Breach      Per Record
US (Ponemon Institute 2010)   US$7,200,000    US$214      63.78%
UK (Ponemon Institute 2009)   GB£1,681,000    GB£64       45%

Typical Insurance Cover
• Privacy Breach – an unauthorised disclosure or loss of:
  • Personal Information in the care, custody or control of any Insured or Service Provider; or
  • Corporate information in the care, custody or control of any Insured or Service Provider that is specifically identified as confidential and protected under a nondisclosure agreement or similar contract; or
  – a violation of any Privacy Regulation.

Typical Insurance Cover
Reasonable and Necessary Costs, Fees and Expenses incurred within twelve (12) months of a Privacy Event, including:
• Computer Forensic Analysis
• Determination of Indemnification/Notification Obligations
• Costs of Compliance with any Privacy Regulations
• Notification of Affected Individuals
• Implementation and Execution of a Public Relations Campaign
• Procure Credit Monitoring Services
• Ensure the trigger is loss of data, not a Claim, & Definition of Claim not tied to breach of legislation!

Basic Risk Management
• Be able to demonstrate a robust Breach Response Policy (outsourcing is acceptable).
• Implement:
  – Data leakage protection
  – Encryption for all mobile devices and portable media
  – Access management
  – Training against social engineering
• Demonstrate an awareness of and willingness to work towards 27001/2

Claims Point of View
• Insurance language is old, tried & tested (high degree of certainty)
• Cloud computing is new (is it really, or an aggregation of what we are familiar with?)
• There is the potential for uncertainty from both a material damage point of view and a liability point of view. Some might say we like that, but is it good for our customers?
• Is data properly valued? Is it where you thought it was? If there is a loss, are the economic circumstances sufficiently well known? Damage in one place, loss in another? Are there jurisdictional issues? Do the service contracts provide adequate protection? Will they be found to be reasonable?
• All of the above can be dealt with, or at least understood, if recognised in advance. Problems can arise where covers are “made to fit” the event.
• We haven’t seen any volume of claims yet, so outcomes are not yet known.

Questions