
Simon Munro

Insuring Cloud Risk

Microsoft has been talking about the processes, procedures and certification in their data centres, responding to the need to provide a level of trust and confidence for customers wishing to run their applications on the Microsoft cloud.  The story was picked up by the Hoff, who ponders some of the detail, but it was a comment by Allen Baranov that caught my attention…

“…SAS70? Pah! I don’t care. Just pay my costs if my information is leaked. Put your money where your mouth is. And if you are not prepared to take the risk on your network - why should I?”

…which is a typical anti-cloud response.  I have been thinking a lot recently about cloud security issues and about how we can get people to understand that the cloud is not necessarily less secure than an on-premise data centre, and will probably result in better security anyway because of the increased awareness and attention it receives.  So, moving all the geeks out of the way, how can you sit in front of the CIO and guarantee that your cloud solution is more secure?  Without the geeks in the room, the best way to back up your SLA is to give the CIO the warm and fuzzy feeling that all executives need: the ability to sue someone.  So, could a cloud provider put their money where their mouth is and offer a cheque of, say, one million dollars if there is any security breach or compromise?

[image: Mike Myers as Dr Evil in Austin Powers]

…or ten, or twenty or whatever.

I think that if you could rustle up an agreeable underwriter with some clever actuaries you could find a way to create an insurance product around the risks of cloud computing.  In terms of risk, it is probably not as risky as insuring sub-prime mortgage derivatives, or life, which tends to have one guaranteed outcome.  I know of an underwriter that offers motor warranty insurance for TVRs, which have a habit of breaking down all the way from your driveway to the mechanic, so if an underwriter has an appetite for that kind of risk then surely cloud risk is easy for the actuaries to figure out.

Basically such a product could insure:

  • Losses from leakage of competitive information
  • Costs to recover information
  • Losses from downtime
  • Payouts for claims against the company for exposing personal (or other) data

The underwriter could manage the risk by:

  • Requiring that the data centre comply with industry-accepted practices and certifications (such as ISO 27001)
  • Requiring regular independent audits
  • Requiring that the claimant prove their losses
  • Requiring that a ‘proper’ SLA is entered into between the customer and the cloud provider

Insurance is more of a numbers game than a risk game.  Actuaries assume that there are going to be claims and adjust the premiums according to how much they pay out in claims versus the income from premiums.  I reckon that security breaches in the cloud will be minimal and, even if they do occur, they would be difficult to prove even once discovered.  But the idea of the cloud is to have a lot of customers, so the income from premiums would far exceed any claims: an insurance product that costs $1,000 per year for $1 million of cover brings in $10 million a year from as few as 10,000 customers, which is quite profitable if there are only one or two claims.

So cloud providers could give the assurance to their customers, farm out their risk and everybody is happy.

What do you think?  Would you buy insurance against the risk?  Could you sell it to the board?  How much cover is needed?  Does someone offer this already?  (If not, any underwriters who think this is a great idea can contact me directly for the address to send the royalty payments.)

Simon

@simonmunro

Published 04 June 2009 22:11 by simon.munro


Comments


Saggi Neumann said:

Hey Simon,

This is an interesting idea, and as you suggested, this can probably be a win-win-win situation in the cloud. On the other hand, if the cloud is breached (in some elaborate way), there's a chance that everybody's data is exposed and so everybody sues which won't make the insurance company very happy.

Then again, why limit your idea to the cloud? What about insurance against security risks for data centers all the way down to home PCs? I don't think that standard damages insurance covers that today, but what's the difference? If you can prove that you've taken all measures to protect against breaches (antivirus, firewall, all sorts of compliances) and if you can quantify the damage done to you, it's just like any other kind of insurance... That's not a bad idea.

(Just looked it up on Google and it seems like there's some sort of "hacking insurance" somewhere on the globe and one of the problems is estimating the value of the data. See here: http://www.andrew.cmu.edu/user/hchong/content.html)

Cheers,

S. Neumann

June 13, 2009 14:32
