Cloud computing adds to data storage security risks

Proponents of cloud computing contend that by turning computing into a utility akin to electricity or water, enterprises that rely on it can save money and focus on their business.

While the term is nebulous, the value proposition of cloud computing to businesses is pretty straightforward: The on-demand computing model offers customers the prospect of lower up-front costs, rapid scalability and ease of implementation, while also eliminating the expense related to buying and maintaining physical infrastructure.

The utility computing model appealed to Alan Gutowski, risk finance manager for the City of Albuquerque, N.M., for these and other reasons when the city replaced its aging claims administration system this year.

Mr. Gutowski's team opted for PCIS ClaimsVISION, a software-as-a-service offering from New York-based P&C Claims Inc.

“It saves on the bottom line, not having to have the hardware, servers and updates to worry about,” said Mr. Gutowski, who added that the browser-based application adds convenience because his staff can access it remotely.

Yet his enthusiasm for cloud computing contains one large caveat—data security.

“There's always that question in the back of your mind, ‘Where's my data?'” Mr. Gutowski said.

Peter Ennen, risk manager for the city, said it is imperative for businesses considering cloud offerings to cast a critical eye on the data storage practices of potential providers.

“Our decision to go this way was on the advice of our (information technology) department because that's the way they are going now,” Mr. Ennen said.

While the hype around cloud computing may make the technology seem exotic, the reality is that it is ubiquitous. Anybody who has a Google Inc. Gmail account is familiar with software-as-a-service (see related story). The customer relationship management software from Salesforce.com also is delivered via SaaS.

Cloud computing also is prevalent in disaster recovery services, where companies mirror their servers in off-site data centers.

“A lot of companies may be in the cloud and not even know it,” said Claudia McCarron, general counsel at Blue Bell, Pa.-based law firm Nelson Levine de Luca & Horst L.L.C.

The inherent intermediary aspect of cloud computing is problematic from a risk management perspective. “As someone concerned about risk management, you are now one entity removed from where your data truly resides,” Ms. McCarron said. “You really have no clue about where your data is truly sitting.”

While cloud computing providers invest heavily in security measures, Ms. McCarron said there are reasons to be concerned about data loss or theft.

“If you are transferring medical or legal documents or anything that has a Social Security number or personal identity info, it's a legitimate concern, not fear mongering,” she said.

A primary benefit of the cloud model is that it eliminates the need for a large up-front capital expenditure, enabling smaller firms to compete with larger rivals with better-funded IT departments. Nonetheless, Ms. McCarron warned that the cloud model does not absolve smaller firms from being concerned about areas such as data encryption.

“A lot of middle-market companies are just not equipped to do encryption,” Ms. McCarron said. “They fail to appreciate that somewhere their sensitive information is sitting unencrypted, accessible to anybody who can hack into the server.”

So how can companies leverage cloud computing while mitigating their risks?

Much can be done at the contractual level, said Mr. Gutowski. For example, a forward-thinking company could stipulate security measures in its service agreement with a cloud provider (see related story).

Ms. McCarron also recommends explicit confidentiality clauses, indemnification and hold-harmless provisions in any contract with a cloud provider. Customers also should ask to see the agreement between the cloud computing provider and outside companies with which it works.

“There's a lot of proprietary information in those contracts that they don't want to share, but they will share some of it,” Ms. McCarron said. “You can at least see what the confidentiality and security arrangements are between service provider and the entity that actually holds the data. Until you've asked, you can't even be sure what country your data is residing in.”

Becky Swain, a founding member of the Cloud Security Alliance—a nonprofit group with members that include some of the largest cloud providers such as Hewlett-Packard Co., Microsoft Corp. and Oracle Corp.—agreed that secure use of cloud computing requires knowing the company's business partners.

“With cloud (computing) comes a supply chain,” she said.

On its website, the alliance has a free cloud-control matrix to help businesses understand how to employ cloud computing safely.

“You can think of it as a baseline set of controls that allow a customer and provider to agree on what requirements need to be established in that relationship within the context of compliance rules,” Ms. Swain said.

The alliance recently added the Security Trust and Assurance Registry, which lists cloud providers that have completed security questionnaires.

“Ultimately we want to see a reduction in cycle time for the due diligence companies do to select a cloud provider,” she said. “We want to see a trusted cloud ecosystem with better transparency.”

Another effective risk-shifting mechanism for cloud computing is insurance, but uncertainty exists about whether the typical general liability policy provides coverage for these risks, Ms. McCarron said.

“There are dedicated cyber policies, but they are relatively new products and they haven't been interpreted by the courts,” Ms. McCarron said. “It's a risk where a lot of companies may be bare on insurance coverage.”

Meghan Hannes, co-founder and managing director of New Smyrna Beach, Fla.-based Cloud Insure, also sees typical cyber security policies as being inadequate to deal with the risks surrounding cloud computing.

“All of the policies in the cyber liability market today assume that the infrastructure ownership is at the insured level,” she said. “In cloud computing, you have transfer of risk to the third party that doesn't own the infrastructure. These policies are not intended to extend beyond the IT department's walls.”
