Topics:

Q&A: What if cloud providers offered insurance for downtime or security breaches?

Tools

Handing one's data over to a cloud computing service presents the possibility of cost savings, but when it comes to the really important data, information executives still prefer to keep it in-house. There are worries about portability and interoperability, but most often you voice concerns about security. You're in charge of keeping the data safe, and you want to be in control of it. But would you feel differently if the security of your data in the cloud were insured?

Dr. Alexander Pasik, CIO for the IEEE, recently floated the idea of creating an insurance paradigm for cloud services. Cloud providers offer SLAs for reliability, so why couldn't they offer insurance for security? In an interview with FierceCIO, Pasik explained why he thinks insurance might be the missing piece of the cloud computing puzzle.

FCIO: Explain the idea of establishing an insurance paradigm to increase the adoption of cloud computing services.

Pasik: The concept of data security has been one of the stumbling blocks for organizations in moving to the cloud. It has been an issue in my previous roles as advisor to CIOs and to investors in technology for many years, back to the late 1990s. Even back then, when I was discussing this with clients, they would always say they were worried about security.

The reason to go to the cloud is purely economic. Eventually, it is the right answer for just about all of IT. It has made sense to go to the cloud for 10 years, but adoption has been so slow. The answer always comes back to concerns about security. Organizations don't realize they have the same concerns in-house. Why is it that people don't buy into the argument that providers are going to put more investment into security than they do? It's like comparing why you keep money in the bank versus at home. If you are a provider of cloud services, it behooves you to be on top of all of the security issues, perhaps even more so than an individual company. 

Despite those arguments over 15 years, the issue of security keeps coming up. If you could provide an insurance capability to the client that would adequately mitigate the perceived risk of security, it may be the last piece of the puzzle.

FCIO: So is this argument for insurance an admission that data cannot be safeguarded in the cloud?

Pasik: It's not that data cannot be safeguarded in the cloud--it is theoretically impossible to safeguard data, period. No matter how many locks you put on the door, there will always be a way in. Most importantly, it is not about the cloud. The cloud does not introduce additional problems of security. We're only in a game of leapfrog with the attackers. It's an arms race. It is unlikely, if not impossible, to guarantee 100 percent security. The issue is, at what level do you need insurance? In this spectrum of levels, can an insurance paradigm be put in place? 

FCIO: Could you elaborate on how the insurance framework would work?

Pasik: If you have an SLA that says I will compensate you by this dollar amount for this amount of downtime, that, in effect, is insurance that the service provider is providing. I have not seen any SLAs that address the issue of security breaches. A provider is unlikely to say it is going to cover the costs of a security breach without [spreading the risk]. 

Suppose you have [your own corporate] data center that's running at three nines [reliability]. You feel that you have to consider whether you want to put in the investment to take it to four nines. That is an investment question. How much additional revenue do you think you're going to get from taking it to four nines? An insurance paradigm would enable multiple players in cloud services to come in and say, we have implemented x, y and z standards for security, while another one might say, we've only implemented x and y, but if you get hacked we're going to pay you for every record that's been exposed because we have insurance.

FCIO: Who would provide the insurance?

Pasik: Traditional insurance companies, start-ups or the cloud providers themselves.

FCIO: Should providers be required to have insurance?

Pasik: No. I think that would be market-driven.

FCIO: Would an insurance paradigm create a disincentive for providers to use best practices and make the security investments they should make? The Federal Deposit Insurance Company hasn't exactly prevented the banking industry from reckless and irresponsible lending behavior.

Pasik: I wholly agree. What you're pointing out is an example where the concept of insurance was drastically abused and that's a real problem. Suppose we do have cloud insurance and the insurance companies really ratchet up the premiums. That would encourage the cloud providers to do a better job on security. All of this will feed into improving security. I pay less car insurance because I put my car in a garage.

I'm a person who is very skeptical about insurance, so it's almost strange that this idea is coming from me. When did I cancel my life insurance? Once my children were old enough that I'm confident they could support themselves financially. Insurance companies are not in business to lose money. You know that when you pay insurance it is unlikely you are going to benefit from it. You do it to protect against catastrophe.

FCIO: By concentrating and centralizing IT services and data, doesn't cloud computing increase the magnitude of potential catastrophe?

Pasik: Yes because the provider becomes more of a target, and no because the provider's resources [for security] are far greater than an individual company's. And behind the scenes, its infrastructure is very distributed and very resilient. You would think you would have more people interested in bank robberies than home burglaries, but you don't.