4 steps to keeping data safe in the cloud
Cyber hygiene: The cloud is more secure than on-premise systems, but only when the right protocols and approaches are implemented.
Migrating from on-premise to the cloud is becoming a widely accepted business trend in Insurance and many other industries. According to a recent Novarica report, cloud adoption in insurance has more than tripled over the last three years, growing from 20% to 70%. This trajectory is expected to continue, enabling insurers to alleviate the burden of maintaining and upgrading expensive IT infrastructure while increasing the agility and flexibility of business operations.
However, some insurers are still hesitant to take advantage of the cloud because of data security concerns. The latest Ping Identity survey found it to be the highest barrier of cloud and SaaS adoption with 43% citing the issue. The reality is that the cloud is more secure than on-premise systems, but only when the right protocols and approaches are implemented. Below are some fundamental practices that can improve cyber hygiene.
Step 1: Employing the principles of ‘Security by Design’
Not too long ago, software developers primarily built solutions with the focus on features and performance, with security more of an afterthought. Because security testing sat much later in the delivery model, it was reactive, and the resulting fixes were costly to rework. With the increase in cloud and SaaS adoption, it has become commonplace to use a “security by design” approach. Software engineers are baking security protocols and features directly into the product or service in the design phase and at each development milestone to reduce human error and vulnerabilities, while also making security settings more user-friendly. Adopting a ‘Security by Design’ approach should be considered a necessity for all insurers from the outset, to minimize their risk of post-production vulnerabilities that are costly to remediate.
Step 2: Security awareness training
Cybersecurity threats are ever-changing, and as a result, the focus on protecting data from new threats must also change accordingly. Insurers should institute an obligatory and intensive security training program on a quarterly basis to continuously enforce the latest protocols and keep up-to-date on the latest methods of cyber attacks.
Typically, the chief information security officer or the person charged with keeping data safe should develop the training strategy and materials. Training should be tailored to each stakeholder group based on its focus areas. It can be performed in person for smaller companies or delivered online for larger employee bases. For example, insurers can start with material focused on identifying email phishing or malware and then move on to web browser security in subsequent training sessions. KPMG and Oracle found that 92% of companies are concerned about employees following their own security policies, which are designed to protect sensitive data. Training is essential to improving confidence and enabling users to protect corporate assets and data.
Step 3: Security testing and monitoring
Cloud security best-practices are continually evolving. Insurers should entrust the security of their data to dedicated staff whose sole purpose is to research, monitor and implement new security tools and strategies.
In modern software design, dynamic and static application security testing (DAST and SAST) have become table stakes in the SDLC to prevent vulnerabilities from reaching production. There are plenty of considerations for protecting data in the cloud, including preventing critical data loss, encrypting data at rest and in transit, and creating a robust backup and disaster recovery strategy to ensure minimal downtime should a server terminate. SaaS providers need to employ experts to continuously monitor their environments for sensitive data leaking through logging and monitoring services, backups, and decommissioned applications. Many breaches occur because sensitive data was stored in legacy applications.
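One concrete form the monitoring above can take is a scan of application logs for data that should never have been written to them. The following Go program is an added example, not code from the article or from Insurity; it runs regular expressions over a handful of constructed log lines (not real records) to flag Social Security numbers and payment card numbers, and it applies a Luhn check to card-shaped digit runs so that ordinary identifiers of similar length are not reported as leaks. Findings are masked before they are reported, since the report itself must not become a second copy of the leaked value.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one suspected leak of sensitive data in a log line.
type Finding struct {
	Line   int    // 1-based index of the offending log line
	Kind   string // "ssn" or "pan" (primary account number)
	Masked string // redacted value that is safe to put in a report
}

var (
	// US SSN shape: 3-2-4 digits separated by hyphens.
	ssnRe = regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)
	// 13 to 19 digits, optionally separated by single spaces or hyphens.
	panRe = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
)

// LuhnValid reports whether a string of ASCII digits passes the Luhn checksum
// that payment card numbers satisfy. Used to drop look-alike numbers.
func LuhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// mask keeps only the last four characters so a finding can be triaged
// without reproducing the sensitive value.
func mask(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-4) + s[len(s)-4:]
}

// FindLeaks scans log lines and returns masked findings in line order.
func FindLeaks(lines []string) []Finding {
	var out []Finding
	strip := strings.NewReplacer(" ", "", "-", "")
	for i, line := range lines {
		for _, m := range ssnRe.FindAllString(line, -1) {
			out = append(out, Finding{i + 1, "ssn", mask(strip.Replace(m))})
		}
		for _, m := range panRe.FindAllString(line, -1) {
			digits := strip.Replace(m)
			if LuhnValid(digits) { // only report card-shaped runs that checksum
				out = append(out, Finding{i + 1, "pan", mask(digits)})
			}
		}
	}
	return out
}

// SampleLogLines are constructed for this example; the card number is the
// well-known test value, not a real account, and the SSN is fictitious.
var SampleLogLines = []string{
	"2024-01-05T10:00:00Z INFO quote request policy=Q-1001 zip=30301",
	"2024-01-05T10:00:01Z DEBUG payment card=4111 1111 1111 1111 exp=12/27",
	"2024-01-05T10:00:02Z DEBUG applicant ssn=123-45-6789",
	"2024-01-05T10:00:03Z INFO order id=1234567890123 shipped", // 13 digits, fails Luhn
}

func main() {
	for _, f := range FindLeaks(SampleLogLines) {
		fmt.Printf("line %d: %s leaked (%s)\n", f.Line, f.Kind, f.Masked)
	}
}
```

Running it reports the card on line 2 and the SSN on line 3 and stays silent on the 13-digit order id on line 4, which has the right shape but fails the Luhn check. In a real deployment the same function would run over the log pipeline's output rather than an in-memory slice, and each finding would feed a ticket to remove the offending log statement.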
Step 4: Encrypt data in transit and at rest
To ensure data is protected at all times, insurers must encrypt data both in transit and at rest. Data in transit refers to information transferred between systems, whether between internal staff, independent agents, or policyholders. Insurers can either encrypt data prior to transfer or encrypt the connections themselves (e.g., HTTPS, SSL/TLS, FTPS). For data at rest, insurers can choose to encrypt each file prior to storage, encrypt at the database tier, encrypt at the storage tier itself, or in some cases use a combination of these to support different protection requirements.
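The two halves of this step look different in code. The Go program below is an added example, not code from the article or from Insurity: for data in transit it builds a TLS client configuration that refuses anything older than TLS 1.2 and keeps certificate verification on, and for data at rest it encrypts a file's contents with AES-256-GCM before storage, binding the object's path as associated data so that a ciphertext moved to another path, or modified in place, fails to decrypt. The sample record and path are constructed; the key is generated in-process only to keep the example self-contained, where a real deployment would fetch it from a key management service.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// TransitConfig returns the TLS client configuration to use for any connection
// carrying policyholder data: TLS 1.2 or newer only, and certificate
// verification left enabled (InsecureSkipVerify is never set), so a connection
// to a mis-issued or self-signed certificate fails instead of silently degrading.
func TransitConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// NewDataKey generates a random 256-bit AES key. Assumption for this example:
// a production system would obtain this from a KMS/HSM rather than generate it here.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// EncryptAtRest seals plaintext with AES-256-GCM. A fresh random nonce is
// prepended to the output, and label (for example the object's storage path)
// is authenticated as associated data without being encrypted.
func EncryptAtRest(key, plaintext []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, giving nonce||ciphertext||tag.
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// DecryptAtRest reverses EncryptAtRest. Any change to the ciphertext, the tag,
// or the label makes gcm.Open return an error rather than garbage plaintext.
func DecryptAtRest(key, blob []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record and storage path; not real policy data.
	path := "policies/1001.json"
	blob, err := EncryptAtRest(key, []byte(`{"policy":"1001","ssn":"123-45-6789"}`), path)
	if err != nil {
		panic(err)
	}
	pt, err := DecryptAtRest(key, blob, path)
	fmt.Printf("round trip: %s (err=%v)\n", pt, err)
	_, err = DecryptAtRest(key, blob, "archive/1001.json") // wrong path
	fmt.Printf("moved object: err=%v\n", err)
	fmt.Printf("transit minimum version: %#x\n", TransitConfig().MinVersion)
}
```

The design point is that at-rest encryption alone does not catch tampering unless the mode is authenticated; GCM's tag, combined with the path as associated data, turns a silently corrupted or misplaced backup into a hard error at read time, which is exactly the failure a disaster recovery drill should surface.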
In order for insurers to benefit from this new digital era of insurance, cloud hosting and cloud computing are a necessity. Cybersecurity should be considered the gateway to innovation, because the digital environment cannot be trusted without a high level of confidence that the data stored in the cloud is secured and protected. There is no silver bullet for cyber hygiene, but by following these steps, insurers can confidently migrate to the cloud and offer their policyholders a more agile, digital experience.
Jonathan Victor (Jonathan.victor@insurity.com) is the chief information officer of Insurity. These opinions are his own.