[BreachExchange] Insurance CISO Concerns With Cloud Migration

Destry Winant destry at riskbasedsecurity.com
Wed Aug 5 10:15:00 EDT 2020


https://securityboulevard.com/2020/08/insurance-ciso-concerns-with-cloud-migration/

With digital transformation now a term most will be familiar with, we
could say with some certainty that many industries have either already
adopted cloud technology or are in the process of migrating to it. Yet,
the insurance sector is one industry in particular that is still in
its infancy when moving to the cloud. In fact, recent studies show
that while 70% of insurance providers are using the cloud, the
majority are only using partial elements and are not deploying
comprehensive cloud solutions throughout the entire enterprise.

Why would this be the case, you might ask? The value and efficiency of
cloud services certainly are not in question. The reason for this
situation encompasses two areas of concern: security and
misunderstandings.

While cloud services have brought in a new wave of functions and
processes in how data is being used, security for 65% of insurance
providers continues to be a major concern. Given that lapses in
security will lead to breaches of data, and further considering that
in this insurance context this data is extremely personal and
therefore valuable, CISOs are constantly searching for options to
mitigate risk and protect the enterprise and the sensitive information
stored within their systems. With such valuable data making up the
bulk of their datasets, some CISOs in the insurance industry may wish
to utilise hybrid environments in which some (usually more sensitive)
data remains on premises while the remainder winds up in the cloud.
Also, many business leaders may want to avoid being tied to one cloud
provider and so will leverage multiple cloud services to fit their
needs; after all, many options are certainly available.

Faulty assumptions

However, we need to point out that numerous faulty assumptions,
misunderstandings, or misconceptions as to how the cloud operates are
prevalent in the industry. Shifting to the cloud requires a degree of
precision, thought, and security when migrating operations from legacy
systems to cloud services.

Furthermore, moving to the cloud also means organisations will be
increasing their digital attack surface due to the very distributed
nature of the cloud, and we’ve all witnessed the unfortunate outcomes when
attackers have successfully targeted cloud databases, leaving data
precariously exposed and unprotected. Investigations have shown
situations in which enterprise cloud data was not protected adequately
and, shockingly in some cases, not protected at all. This does not
breed confidence among customers, and in the worst case, the oversight
falls under various data protection laws, with stiff fines,
potential sanctions, and brand and reputational damage as the
resulting punishment. As a minimum, organisations must enable the
basic security options provided by their chosen cloud provider. To
take the next step in securing data properly and effectively, though,
CISOs must deploy additional layers of security, with the most
sensible and important being a data-centric security solution that not
only protects the data but also allows the storage, analysis, and
transfer of that information regardless of where it is located in the
cloud.

It is a process

Migrating to the cloud is a constant journey with the intended
benefits and return on investment of the cloud achievable over time
rather than instantaneously upon cloud adoption. Reduced IT costs,
faster speed-to-market, more efficient service levels – you should
have no doubt that the cloud will accelerate innovation across every
industry, including insurance. This will certainly continue to be the
case with one strong caveat: data security cannot ever be considered
an afterthought or something to be dealt with in the future. The time
for the insurance industry to address data security is now.
