Cloud use for insurers makes its case without cybersecurity included. Many insurers are in a must-move situation now. They must gain back competitive ground in the digital race for the customer and all roads that make sense … lead to cloud adoption.
Insurers who have been hesitant to move, however, might reconsider in light of recent hacking and ransomware headlines. Growing ransomware attacks should be the weights that tip the scales. T-Mobile was breached just last week. Half of its customers (105 million) now have their Social Security numbers, names and birthdates exposed. They are already up for sale. Last year, insurers and healthcare systems were hacked in greater numbers. Ransomware victims across all industries paid out $370 million in cryptocurrency in 2020, 336% more than in 2019.[i]
Vigilance in cybersecurity requires a different approach.
Cybersecurity is not optional. It is table-stakes. It’s no longer all about keeping the data and systems safe. It is about proactively looking out for and being able to nip potential vulnerabilities and hackers in the bud, before the hack actually happens. Vigilance is not reactive, it is proactive.
Pre-cloud security matched pre-cloud threats
It used to be that the typical trajectory of a security exercise within a company would be periodic business continuity and disaster recovery checks. You might also have audits that are mandated by a public service organization or you might have specific customers that request to be in conformance with SOC audits, etc.
That type of security practice has spun 180 degrees. What changed?
Anyone can hack now.
The increasing consumerization and democratization of data and technology tools has made nearly every citizen in the world a potential hacker. Any interested party with a high IQ is potentially someone that can hack into your systems. The new urgency and vigilance is no longer about conforming to audits, periodic checks or conforming to state or public sector driven regulations. It’s about continually being secure by examining your own insecurity. Cybersecurity is an enabler to doing business.
The frequency of hack-possible events is making security far more complex.
Insurers and vendors all have security measures in place. But cyber hackers are twice as fast at breaking solutions as the solution providers are at updating their security tools. This makes cybersecurity an ongoing process rather than an event-driven initiative. Hackers have also improved in their ability to handle complexity. Where hacks come from and who can be a perpetrator is always expanding. Corporate security teams are doing their best, yet they are still sometimes scratching their heads, asking themselves, “Just which part of our data and systems do we protect?” And the answer, of course is, ‘all’ and ‘everything.’ Nothing is truly safe. Cybersecurity is no longer a point-in-time exercise and it has to cover every part of your data and platform framework.
Answer = Cloud
Public cloud vendors answer these two related problems: expansion of the hacker community and the increasing complexity of protecting against hacking events. With public clouds, the large cloud vendor is doing the job of security for all of us — proactively taking responsibility for their customers.
Microsoft Azure is a great example. Microsoft invests more than $1 billion annually in cybersecurity research and development for Azure alone. This doesn’t include Microsoft Office or any of their own products. Microsoft Azure has more than 3,500 dedicated security experts. Their job, day in and day out, is to counsel their customers and close gaps. “Here is how well-architected your technology stack is against cybersecurity and this is what Azure can do for you.”
With the cloud, security is job zero.
If an insurer gets one takeaway from this blog, it should be this. Whether you’re using Majesco CloudInsurer® on Microsoft Azure or you’re using AWS, cybersecurity is job zero. It is not an add on. Security is intuitively and seamlessly interwoven into the service that we offer to our customers. They don’t need to spend any money, time, effort or thought about handling cloud security as a second project. If you have implemented your products in the Majesco CloudInsurer® as a part of “project number one,” you are also now secure.
When we talk about securing a customer’s stack, there are six key things that we should do for them. These are universally-adhered to principles for our role in security. They are interrelated, as you’ll see below.
- We implement a strong security foundation.
We must begin with role access. No matter who you are, your role is given only a certain sphere of access and that is all you can access. As a cloud software vendor, we ensure that level of identity foundation.
- Insuring traceability.
A traditional issue in security was that, until three or four years ago, when hacks happened, it could take months for companies to figure out the root cause. What was hacked? What was the precise level of leakage, especially in insurance companies? That could lead to billions of dollars in loss.
Insuring traceability, which includes monitoring alerts and audit action and changes to your environment, happens in the cloud in real time. You don’t need to wait two months for some IT guy to get into the old logs and figure out what has been lost or hacked. Your systems have real-time traceability.
- Security must be applied on all layers.
When you consider an organizational stack that resides in the cloud, that includes a client’s network, their servers, their websites, their applications, and databases. Everything is now in the cloud. When we say that we manage their security, we apply security at all of these layers as well. We aren’t just securing their database or their front end.
- Data must be protected both in transit and at rest.
This is a modern, cloud-driven cybersecurity attribute. If you think of a traditional insurance organization, volumes of data are stored in their archival systems, such as their legacy administration and billing systems. This is data at rest. But an incredible amount of data is in constant transfer between the insurer and brokers or the insurer and customers. That is data in transit. What a cloud-native environment does is to protect data both in transit and at rest.
- Least access as privilege.
This is a logistics issue related to role-based access. Another traditional problem within internal IT shops has been that there is not always transparency if an employee leaves or is fired. HR may take 24 hours before they notify IT. IT takes two hours to deactivate that person’s access from the respective systems. By this time, security has already been compromised. All cloud systems function on a different principle — the principle of least access privilege. A person only has access to the portion of the system that they are supposed to touch. There is no universal access. The CFO doesn’t automatically get access to everything. Cloud security functions on the basis of least access privilege. If a person needs greater access, they have to ask for it and gain permission before it is granted. This is paradigm shift in security that the cloud has brought about.
- Security guidance through the well-architected playbook.
Let’s say that your organization moves to the cloud to improve their digital presence and manage their data more effectively and to save additional expense. What you’re getting is so much more than that though. Integrated security is the “value-add.” You’re receiving protective security and security expertise. This is life in the cloud.
When you sign up, you get measured for how secure your full system is. The playbook has security design principles that will allow you to measure your system security. “Here’s how well-architected your systems are, based on key design principles. Here are some gaps that you need to fix.” The playbook also provides things like incidence response simulations. It has investigation policies and processes available as templates. It is a ready-to-use ‘security cookbook’ supported by subject-matter experts. It is less prescriptive and more actionable. “Here’s where you are. Here is what needs to happen for you to get where you need to be.”
And if that’s not enough…there’s the financial picture.
Cybersecurity costs money. If you are investing in internal security, you will likely spend more than if you are letting your environment be managed as a cloud-native environment where security is a part of the solution. The cloud hands you cost avoidance as a part of your business case or return on investment. The cloud provider is taking on this responsibility. This is intentional cost-avoidance on the part of the insurer.
In data-intensive organizations, such as financial, healthcare or insurance organizations, there is a significant amount of leakage every year due to security breaches. These aren’t necessarily data thefts; they are losses that are just eliminated by the cloud. The razor-sharp, stringent data security mechanisms that are in place for cybersecurity naturally fix other data leakage issues. This is an unintentional cost-avoidance, but it happens nonetheless.
Which brings us to our last point. The same real-time monitoring that can be used for security purposes will even help insurers to adopt better real-time monitoring for any issue. If you extend the concept, moving to the cloud forces the organization to whip its data and processes into shape enough to migrate, then the cloud takes over. The simple process of preparation is a beneficial exercise. Every aspect of cloud migration makes an excellent case for doing it now.
Of course, like we said at the start, the case for cloud is stronger than ever, even without the cybersecurity component. For a broader look at many of the key benefits of cloud adoption, be sure to view the Majesco and Microsoft webinar, New Normal: The Catalyst for Cloud Adoption, or read Denise Garth’s interview/blog with Manish Shah, President and Chief Product Officer, Majesco and Jonathan Silverman, Director of Insurance Industry Solutions, Microsoft, entitled Majesco CloudInsurer® Plus Microsoft® Azure: A True Insurance SaaS Platform.
[i] Javers, Eamon, The extortion economy: Inside the shadowy world of Ransomware payouts, CNBC, April 6, 2021