Ransomware, Insurance Apps and the Public Cloud; Lessons for the Cloudless
By Adam Stern | Insurance Tech Insider
In May of last year, the ransomware worm WannaCry fueled a massive attack that paralyzed some 300,000 computers in 150 countries, disabling systems at public hospitals throughout the U.K. along with those connected to Telefonica, the Spanish telecom provider, among other victims.
The WannaCry ransomware wreaked havoc – but, tellingly, not at the big public cloud providers like Microsoft Azure, Amazon’s AWS, IBM and Rackspace. And not at smartly managed midsize public cloud providers, either.
In this turn of events is a counterintuitive lesson about what was indeed a major hack. The experience of public cloud providers should put to rest the notion that the cloud isn’t safe. The WannaCry ransomware attack makes a compelling argument that the cloud is in fact the safest place to be in a cyber hurricane. Internal IT departments, fixated on their own in-house mixology, were affected big-time, raising the very legitimate question of why some roll-your-own brokerages (and other organizations) devote precious resources – including, with WannaCry, Bitcoins — to those departments in the belief that the cloud is a snakepit.
Here’s the takeaway: your insurance agency – that is, your data — is considerably safer in the cloud than beached on equipment under someone’s desk. Any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, intrusion prevention and round-the-clock monitoring. And that’s just for openers.
Cloud security isn’t what it used to be – and that’s a profound compliment to the cloud industry’s maturity and sophistication. What once was porous is now substantially better in every way, which isn’t to deny that bad actors have raised their game as well. Some aspects of cloud migration have always been threatening to the old guard. Here and there, vendors and other members of the IT community have fostered misconceptions about security in the cloud – not in an effort to thwart migration but in a bid to control it. Fear fuels both confusion and dependence.
It’s absolutely vital to install Data Loss Prevention (DLP), the standard software methodology to determine if a breach has occurred, but DLP isn’t a panacea and it can monitor only so much.
At the risk of trotting out a hoary cliché, forewarned is forearmed. To truly recover from a data breach, it’s more important to act before it happens, by implementing snapshot technology, intrusion detection and prevention systems (IDPS), and breach notification policies.
Every small and midsize insurance agency wins by placing strategic emphasis on security protections, with technologies like clustered firewalls and IDPS. In the cloud’s infancy, cloud hosting providers touted scalability, initial cost savings and speed. But the prospect of enhanced security in the cloud – indeed, that the better cloud deployments now mean that data is safer in the cloud than on a typical unsecured desktop – has altered the conversation.
Agencies assessing cloud service providers can now seek out those whose security controls mitigate the risks of moving to the cloud. Increasingly, businesses of all stripes are facing the challenge of dealing with outdated modes of storage and finding affordable, practical, secure solutions that meet their needs.
When considering a move to cloud hosting, check for audits of a provider’s security controls. Look for providers who have passed the Standards for Attestation Engagements (SSAE) No. 16 Type II audit, one of the most rigorous auditing standards for hosting companies. The audit confirms the highest level of service and reliability attainable for a cloud hosting company. To be SSAE compliant, a hosting provider should offer SSL capability, enterprise-level, application level protection, hardware firewall, IP-restricted FTP, managed backups with 14-day retention, advanced monitoring and multi-level intrusion prevention.
The cloud has been a liberating force, breaking IT out of the exclusive domain of the geek intelligentsia. Users in insurance and virtually every other sector – real people, not professional technologists – can now deploy their own apps and manage their own security. Increasingly, they want to embrace cloud-hosted computing as the preferred way to maintain cost-effective, 24×7 support.
The market is now awash in IaaS tools and technologies, empowering businesses that may lack traditional IT resources to still benefit of remarkably robust products and platforms – and perhaps gain a little independence from vendors. Savvy virtualization providers have already done the heavy lifting for some brokers, with solutions that they can deploy largely on their own. This class of vendor knows enough to stay out of the way. From a data management perspective, servers and prefab packages effectively take the place of technology professionals and mostly keep vendors on the sidelines — a huge benefit for agency owners and a quantum leap toward improved ROI.
The cloud may be easier than advertised but it isn’t free. Still, compute horsepower is finally a virtual – or, perhaps more appropriately, a virtualization — bargain. It’s entirely possible to spend $10K a month and tap enough compute power to drive a 1,000-user organization (and the principle applies, no matter the size of your budget). That’s less than the cost of hiring a single engineer. For those who’ve logged time in large enterprises, the prospect of living without a lifeline to the vendor is unthinkable. That was the conventional wisdom, anyway, but the market has expanded “downward,” to businesses that typically don’t include line items for info tech professionals, other than a random consultant here and there.
Sounds like the right kind of mobility to me.