Crawford & Company: Cloud Computing – Changing Nature of Risk in the 21st Century
Clive Nicholls, Senior Vice President, Global Markets, Crawford & Company

Posted on 22-Dec-2015

TRANSCRIPT

Page 1: Title slide

Cloud Computing – Changing Nature of Risk in the 21st Century
Clive Nicholls, Senior Vice President, Global Markets, Crawford & Company

Page 2

• Challenges for our profession

• Challenges for insurers

• Changing technology landscape

• Cloud computing

• Understanding the changing risk

• New Insurance Cover?

• Discussion?

Page 3: Challenges for our profession

• The whole world has changed beyond recognition since the forerunners to the CILA met in 1940 to form the Fire Loss Adjusters Association

• Average age of loss adjuster is 40+??

• We are well versed in traditional risks and their effect

• But much has changed over the past 10 years?

• Not all about fire, flood and storm!

Page 4: Challenges for insurers

• General insurance market static

• Growth of alternative risk transfer

• Corporate world & increasingly personal world: nature of risk is fundamentally changing

Image: An Osborne Executive portable computer, from 1982, and an iPhone, released 2007. The Executive weighs 100 times as much, is nearly 500 times as large by volume, costs 10 times as much, and has 1/100th the clock frequency of the iPhone.

• Can we insure what really matters?

Page 5: Changing technology landscape

Page 6: (image slide, no text)

Page 7: Cloud Computing

Page 8: Cloud Computing Road Trip

Page 9: The Cloud is Fantastic, but…

• How can I maintain control of my data in the cloud?

• What if I want to change cloud vendors? How can I verify my data is “destroyed” when terminating a service provider?

• What happens if my service provider goes out of business?

• How can I comply with security best practices, internal governance and compliance rules in the cloud?

• How can I guarantee only I have access to my data?

Page 10: Public Cloud Service Models

Software as a Service (SaaS)
• Use provider’s application over the Internet
• Proprietary infrastructure

Platform as a Service (PaaS)
• Deploy enterprise-created applications to a cloud
• Proprietary infrastructure

Infrastructure as a Service (IaaS)
• Rent processing, storage, network capacity, and other fundamental computing resources
• Full access to infrastructure stack with basic security services (Firewall, Load Balancers etc.)

Page 11: Cloud Services Market Evolution: 25% CAGR Growth

Source: “Cloud Computing 2010: An Update”, IDC, 29 September 2009

IaaS represents the largest piece of the cloud services market

Page 12: Who has control?

Diagram: Servers, Virtualisation & Private Cloud, Public Cloud IaaS, Public Cloud PaaS and Public Cloud SaaS, plotted between End-User (Enterprise) control and Service Provider control.

Page 13: Amazon Web Services™ Customer Agreement

7.2. Security. We strive to keep Your Content secure, but cannot guarantee that we will be successful at doing so, given the nature of the Internet. Accordingly, without limitation to Section 4.3 above and Section 11.5 below, you acknowledge that you bear sole responsibility for adequate security, protection and backup of Your Content and Applications. We strongly encourage you, where available and appropriate, to (a) use encryption technology to protect Your Content from unauthorised access, (b) routinely archive Your Content, and (c) keep your Applications or any software that you use or run with our Services current with the latest security patches or updates. We will have no liability to you for any unauthorised access or use, corruption, deletion, destruction or loss of any of Your Content or Applications.

http://aws.amazon.com/agreement/#7 (3 March 2010)

The cloud customer has responsibility for security and needs to plan for protection.

Page 14: Challenges for Public Cloud

Diagram labels: Internet, Shared Firewall, Virtual Servers, Shared Storage.

• Shared network inside the firewall

• Shared firewall – lowest common denominator – less fine-grained control

• Multiple customers on one physical server – potential for attacks via the hypervisor

• Shared storage – is customer segmentation secure against attack?

• Easily copied machine images – who else has your server?

Page 15: Data Security Challenges in the Cloud

• Encryption rarely used: who can see your information?

• Storage volumes and servers are mobile: where is your data? Has it moved?

• Rogue servers might access data: who is attaching to your storage?

• Audit and alerting modules lacking: what happened when you weren’t looking?

• Encryption keys tied to vendor: are you locked into a single security solution? Who has access to your keys?

• Storage volumes contain residual data: are your storage devices recycled securely?

Diagram: a sample record exposed in the clear (Name: John Doe, SSN: 425-79-0053, Visa #: 4456-8732…)

Page 16: Perimeter

Diagram: Datacenter – strong perimeter security, no shared CPU, no shared network, no shared storage. Public Cloud – weak perimeter security, shared CPU, shared network, shared storage; a single hypervisor hosts App 1 … App n belonging to Company 1 … Company n.

Traditional “outside-in” approach is inadequate in an “inside-out” cloud world full of strangers

Page 17: The Private Security Answer

Diagram labels: Internet, Shared Firewall, Virtual Servers, Shared Storage.

Challenges (as on Page 14):

• Shared network inside the firewall
• Shared firewall – lowest common denominator – less fine-grained control
• Multiple customers on one physical server – potential for attacks via the hypervisor
• Shared storage – is customer segmentation secure against attack?
• Easily copied machine images – who else has your server?

Responses annotated on the diagram:

• Doesn’t matter – the edge of my virtual machine is protected
• Doesn’t matter – treat the LAN as public
• Doesn’t matter – treat the LAN as public
• Doesn’t matter – they can start my server but only I can unlock my data
• Doesn’t matter – my data is encrypted

Page 18

Diagram: users access the app; the image ensures data is always encrypted and managed; the host defends itself from attack; encrypted data is held in DC1 (LAN 1), DC2 (LAN 2), Cloud 1 (LAN 2) and Cloud 2 (LAN 1), spanning Datacenter and Public Cloud; encryption keys controlled by you.

Benefits
• Facilitates movement between datacenter & cloud
• Delivers security compliance through encryption
• Avoids service provider lock-in
• Enables data “destruction”
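The "private security answer" of Pages 17 and 18 (only the customer's key unlocks the data, so a copied image or recycled volume holds nothing usable, the ciphertext can move between datacenter and cloud, and data "destruction" is done by destroying the key) as an added Go example. This is not code from the presentation or from any provider; it assumes AES-256-GCM under a customer-generated key, and the function names are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Key is a 256-bit AES key the customer generates and holds; the provider stores only ciphertext.
type Key [32]byte

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: nothing safe can be done
	}
	return b
}

// NewKey draws a fresh key from the OS CSPRNG.
func NewKey() Key {
	var k Key
	copy(k[:], randBytes(len(k)))
	return k
}

func gcm(k Key) cipher.AEAD {
	block, _ := aes.NewCipher(k[:]) // cannot fail: key is exactly 32 bytes
	g, _ := cipher.NewGCM(block)    // cannot fail for an AES block cipher
	return g
}

// Encrypt seals a record with AES-256-GCM under the customer key, random
// nonce prepended. The output is all the provider holds, so it can move
// between datacenter and cloud, or sit on a copied image or recycled
// volume, without exposing the record.
func Encrypt(k Key, record []byte) []byte {
	g := gcm(k)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, record, nil)
}

// Decrypt reverses Encrypt; GCM's tag check fails on a wrong key or tampering.
func Decrypt(k Key, blob []byte) ([]byte, error) {
	g := gcm(k)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Shred is data "destruction" by key destruction: zero the key and every
// record sealed under it becomes permanently unreadable, wherever it sits.
func Shred(k *Key) { *k = Key{} }
```

Note that Shred only achieves "destruction" if the key has never been exported or backed up elsewhere, which is the operational meaning of "encryption keys controlled by you".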

Page 19: Security Breach

• Every breached security system was once thought infallible

• SaaS (software as a service) and PaaS (platform as a service) providers all trumpet the robustness of their systems, often claiming that security in the cloud is tighter than in most enterprises. But the simple fact is that every security system that has ever been breached was once thought infallible.

• Google was forced to make an embarrassing apology in February when its Gmail service collapsed in Europe, while Salesforce.com is still smarting from a phishing attack in 2007 which duped a staff member into revealing passwords.

• While cloud service providers face similar security issues as other sorts of organisations, analysts warn that the cloud is becoming particularly attractive to cyber crooks.

• "The richer the pot of data, the more cloud service providers need to do to protect it," says IDC research analyst David Bradshaw.

Page 20: Security Breach

• Zurich Insurance must pay an enormous £2.3m fine for losing thousands of British people's personal data.

• The fine was imposed not by the Information Commissioner's Office but by the Financial Services Authority.

• Zurich Insurance lost 46,000 customer records including some bank details when a tape back-up went missing between two sites in South Africa.

• Even worse, it took a year for Zurich UK to hear about the loss.

Page 21: Understanding changing risk

• However, according to Datamonitor's Trifković, the cloud is still very much a new frontier with very little in the way of specific standards for security or data privacy. In many ways he says that cloud computing is in a similar position to where the recording industry found itself when it was trying to combat peer-to-peer file sharing with copyright laws created in the age of analogue.

• "In terms of legislation, at the moment there's nothing that grabs my attention that is specifically built for cloud computing," he says. "As is frequently the case with disruptive technologies, the law lags behind the technology development for cloud computing."

• What's more, many are concerned that cloud computing remains at such an embryonic stage that the imposition of strict standards could do more harm than good.

Page 22: Increased Profile

Why is this such a hot topic?

– Change in Regulatory Environment, especially within the EU.

– Several High Profile, Well-Publicised Incidents over last couple of years;

– Increased Dependency on Technology;

– More “Paperless” Work Environments;

– New Contractual Requirements. (Always check for specific obligations within contracts)

Page 23: US Legislation

Industry-specific legislation

– 1996 – Health Insurance Portability and Accountability Act (HIPAA)

– 1999 – Gramm-Leach-Bliley Act (GLBA)

– American Recovery and Reinvestment Act (ARRA); 2009: Health Information Technology for Economic and Clinical Health Act (HITECH)

State Legislation

– 2003 – California Senate Bill 1386 (CA SB 1386)

– Subsequent state legislation (currently 46 states, with two pending)

Page 24: EU Legislation

• Only applicable to Telecommunications companies: passed Nov 2009, to be enacted by May 2011

BUT

• Recent ENISA report stated that almost all Data Protection Authorities were in favour of extending this to all sectors.

• Justice Minister (Viviane Reding) is highly supportive

AND…

Page 25: Proposed US Legislation

• Privacy legislation is undergoing a full review.

• E.U. Commission will finalise proposals in 2011

• These will include a “right to be forgotten”

• Data controllers remain fully liable and will need to prove they keep the data (shift of duty from data subjects)

• Rules will apply irrespective of the location of the data (esp. US & India)

• Total transparency for the data subject will be the guiding principle

Page 26: Typical Breach Costs

• US: Per Breach US$7,200,000; Per Record US$214; 63.78% (Source: Ponemon Institute 2010)

• UK: Per Breach GB£1,681,000; Per Record GB£64; 45% (Source: Ponemon Institute 2009)

Page 27: Typical Insurance Cover

• Privacy Breach

– an unauthorised disclosure or loss of:

• Personal Information in the care, custody or control of any Insured or Service Provider; or

• Corporate information in the care, custody or control of any Insured or Service Provider that is specifically identified as confidential and protected under a nondisclosure agreement or similar contract; or

– a violation of any Privacy Regulation.

Page 28: Typical Insurance Cover

Reasonable and Necessary Costs, Fees and Expenses incurred within twelve (12) months of a Privacy Event, including:

• Computer Forensic Analysis

• Determination of Indemnification/Notification Obligations

• Costs of Compliance with any Privacy Regulations

• Notification of Affected Individuals

• Implementation and Execution of a Public Relations Campaign

• Procure Credit Monitoring Services

• Ensure the trigger is loss of data, not a Claim, and that the Definition of Claim is not tied to breach of legislation!

Page 29: Basic Risk Management

• Be able to demonstrate a robust Breach Response Policy (outsourcing is acceptable).

• Implement:
– Data leakage protection
– Encryption for all mobile devices and portable media
– Access management
– Training against social engineering

• Demonstrate an awareness of and willingness to work towards 27001/2

Page 30: Claims Point of View

• Insurance language is old, tried & tested (high degree of certainty)

• Cloud computing is new (is it really, or an aggregation of what we are familiar with?)

• There is the potential for uncertainty from both a material damage point of view and a liability point of view. Some might say we like that, but is it good for our customers?

• Is data properly valued? Is it where you thought it was? If there is a loss, are the economic circumstances sufficiently well known? Damage in one place, loss in another? Are there jurisdictional issues? Do the service contracts provide adequate protection? Will they be found to be reasonable?

• All of the above can be dealt with, or at least understood, if recognised in advance. Problems can arise where covers are “made to fit” the event

• We haven’t seen any volume of claims yet, so outcomes are not yet known

Page 31: Questions