However, he adds that cloud offers insurers security advantages as well.

“Think about the resources cloud providers throw at physical security and the investments they make in safeguarding their environments—data centers whose locations are kept secret, armed guards and multiple layers of security, multiple certifications that have passed different levels of compliance audits. Cloud providers go through a lot more scrutiny than a carrier's own data center,” he says.

“A lot of the uncertainty has been removed from the security picture with cloud,” agrees John Howie, COO, Cloud Security Alliance. “All the major cloud providers are rock solid today. From an insurance perspective, cloud can actually give some added comfort around security.”

For instance, Philadelphia has enhanced its security around mobile device management wit a cloud-based solution from AirWatch.

“Previously, if we lost devices we faced potential data loss. Now we can easily wipe those devices clean,” Peel says.

“Cloud providers also deliver around-the-clock monitoring, in contrast to being limited to the hours our own data center staff are there,” says Ed Kocur, Philadelphia's vice president of infrastructure services.

However, Howie cautions that comfort should not lead to complacency. “You can shift responsibility to the cloud provider, but you cannot shift accountability,” he says. “If something goes wrong, you are going to need to explain to regulators and your policyholders what happened.”

Effective Evaluation Essential
Assessing cloud security starts with the basics of due diligence, including ensuring a cloud provider is financially viable and collecting the alphabet soup of audits and certifications—SSAE 16 (SOC 1), SAS 70 type II, ISO 27001. But a deeper dive into a provider's security requires asking tough questions.

“We have come up with our own question set for cloud vendors based on our own experience, partnership with our internal audit department and parent organization [Tokyo Marine Holdings Japan], plus research from advisory firms who really know who the best providers are,” Peel says.

For instance, in evaluating the AirWatch mobile device management solution, Philadelphia identified the flow of information to the provider as a chief area of concern.

“Our security team worked with our IT infrastructure staff and the business side to develop a whole set of questions around data to protect, access controls, monitoring, reporting, and other components to be sure we were compliant. We then worked with legal to be sure we had the right non-disclosure agreements and data protection in place, and collected their SSAE 16 and other documentation to be sure their housekeeping was in order,” Peel explains.

To assist insurers in assessing the overall security of a cloud provider, the Cloud Security Alliance offers a Cloud Controls Matrix (CCM), which is currently in its third iteration. Built on industry-accepted security standards, regulations, and control frameworks such as the ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP, the CCM is freely available through the Alliance.

Vendor assessment needs to be an ongoing process. “Once we select a vendor we want to partner with, we build an entire audit process around that relationship to be sure that the policies we initially put in place remain valid over time,” says Owen Williams, Philadelphia's vice president and CTO for transformation.

Philadelphia uses more than two dozen applications on both public and private cloud networks. The majority are cross-industry business applications, such as Jive for enterprise collaboration, PowerSteering for project management, and Everbridge for crisis management and communication, among others.

“We want to focus on creating insurance-based solutions for our own customers and look at cloud for generic process tools,” says Williams. “When you look at the cloud for core insurance systems—policy administration, claims, other critical systems—you have to consider not just the security risks, but the switching cost and the total cost over time.”

“There will probably always be 'family jewels' within the company that we wouldn't want to have outside the protection of corporate firewalls,” Peel says.

However, Philadelphia does utilize a few non-core, insurance-specific cloud applications. The company has deployed Loss Control 360 for insurance inspection management, OneShield for bond management, Oden for policy termination documentation, and AutoIDWeb for online auto insurance cards.

Although many providers of core insurance processing systems tout cloud-based offerings, Philadelphia's non-core use of cloud reflects the general industry trend.

“We're still seeing a lot of companies keeping core functionality in house in house—anything that involves customer data moving or being transferred outside of their [data center] environment,” observes David Mitzel, software architect at architectural consultancy X by 2.

Business Benefits Drive Adoption
Philadelphia has realized many benefits from cloud computing.

“Cost is a major driver,” Peel says. “Historically, we were very much a purchased and on-premise type of environment, but there are limits as to how much software and infrastructure you can control internally and how much capital you can apply to it. Cloud gives us a variable cost, externally managed, pay-as-you go cost model.”

“Cost savings are really at the top of the benefit stack,” says Howie. “Taking things like document production and CRM infrastructure and moving those to the cloud allows insurers to immediately realize savings and is relatively easy and simple to do.”

But there are advantages to cloud that go beyond cost. “The other key benefit to cloud is speed to market—the ability to get something up much more rapidly than would be possible when hosted internally. There are also applications where we don't have the skills in house to deploy them and it doesn't make sense to acquire those skills,” Kocur says.

“We've also used cloud solutions to get into a market quickly and with low cost of entry, see how the product performs, then move the platform in house,” Peel adds. “We're also looking more at infrastructure and platform in the cloud, including having development environments on demand or storage on demand.”

In fact, platform as a service (PaaS) is one of the fastest growing areas of cloud, according to Howie.

“It [PaaS] allows insurers to take legacy applications, rewrite them for the cloud, and gain access to new functionality and features as well as increased scalability and reliability,” he says. “In rare cases where you have legacy apps that cannot be rewritten, insurers can use infrastructure as a service [IaaS] to move those applications to a virtualized environment, ideally in a private cloud,” he says.

Key benefits to PaaS are increased rigor of the environment as well as easier maintenance, testing, and roll-back. IaaS offers additional benefits in disaster recovery.

“By going to either a private or public cloud you can build more fault tolerance into your infrastructure, bring services back up automatically, and withstand natural disasters more readily,” Howie says.

Cloud also fits well with Philadelphia's IT model.

“We've created a shared infrastructure approach spanning the various companies, so the ability to have variable cost, consumption-based model supports that,” Peel says.

Good Governance
Effective cloud security is also connected to good IT governance. The problem of “shadow IT,” where users deploy technology without IT's knowledge, has been compounded by the increased availability of cloud solutions.

“I can't tell you how many times we've seen a marketing group get signed up for Salesforce as a free or trial project and it winds its way into being a full-on environment that IT only then becomes aware of,” Hersh says.

“We've always struggled with employees building their own databases or bringing in a server to run a particular function. That's been around since the erosion of the mainframe days. The cloud has exacerbated that, but it's not really a cloud problem per se—it's a governance problem,” Howie says.

“Solving the problem of 'shadow IT' requires education, procedure, process,” Hersh says. “IT needs to let the business know that it won't get in the way of new capabilities, but it does need to address security concerns and offer to help the business in the decision-making process.”

Also, identity and access management concerns, including provisioning and de-provisioning access as users join and leave the company, become more complicated when systems outside the corporate firewall are involved.

“Companies will take employee badges away immediately when they leave a company, but it can take companies days to terminate employees' IT access, even for systems that are within a company's own network,” explains Howie.

“That problem has grown more complex in the age of the cloud, because at many companies identity and access management is not managed centrally. As a result, when they terminate employee, they are not able to de-provision employees in a timely fashion, which means employees can keep downloading content from cloud services,” he says.

One solution is to turn to the cloud itself. “Companies can provision identity and access management as a service,” Howie says.

Cloud Continues
With risk management in mind, insurers will continue to expand their use of cloud.

“Insurers are looking to the cloud not just to reduce expenses, but to deal with constraints around short-term computing power, departmental-level IT issues, architectural nimbleness, and other reasons,” Hersh says.

“The business drivers are very compelling—variable cost, speed of deployment, access to the latest technology. Especially with the shared services model that we have, those benefits resonate very well,” Peel says. “We expect to use cloud a lot more in the future.”