Cloud Technology for Insurers - Part 7
How to Ensure Business Continuity when Using the Public Cloud
When outsourcing IT infrastructure to the public cloud, insurers remain responsible for their compliance with all requirements under insurance supervisory law. One of these requirements is that outsourcing must not lead to a disruption of services for existing policyholders.
Cloud-specific Business Continuity Risks
Contracts with providers of public cloud services typically include clauses which entitle providers to suspend cloud services in the event of breaches of their terms and conditions. While the response to most breaches will be a gentle reminder from the provider rather than immediate suspension, providers of public cloud services are typically less tolerant when it comes to threats to the security of their cloud. For example, if a provider detects that a customer’s cloud resources have been hijacked by hackers and have become part of a botnet, they will suspend the affected resources immediately without prior warning.
Should the cloud customer fail to resolve the breach within the contractually agreed time, the cloud provider can terminate the contract. During the subsequent post-termination period, the customer has only a limited time window to migrate data and applications to another provider. The length of this period depends on the provider.
If an insurer is unable to resolve a breach within the time provided and is unable to migrate data and applications to another provider within the post-termination period, the insurer may suffer a business interruption, potentially leading to financial loss, reputational damage, or even regulatory intervention.
How to Manage these Risks
Insurers should therefore always try to negotiate with the cloud provider a sufficiently long post-termination period during which cloud services are still available, allowing for enough time to migrate to another provider without business interruption.
Minimizing vendor lock-in
Insurers using the public cloud for critical workloads should therefore endeavor to design their cloud architecture in such a way that they can migrate applications from the cloud of one provider to a new one within an acceptable period of time.
One factor which significantly influences the duration of a migration is the extent to which provider-specific services are used. As explained in a previous article , one of the advantages of using a public cloud from one of the leading providers is the agility gained from the broad range of PaaS or SaaS components that can be used with minimal administrative effort. The downside is that many of these services are provider-specific or sometimes even provider-exclusive, and thus may require significant re-architecting when migrating to another provider. In contrast, more generic cloud services (IaaS) can be migrated with significantly less effort, but require more effort for configuration and maintenance.
Insurers must therefore decide what trade-off they’re prepared to accept between minimizing their dependency on one specific provider and maximizing their use of the services the provider offers. Ideally the choice should be made separately for each application and cloud service, taking into account the benefit of a particular service, the criticality of the application, the availability of a similar service at an alternative provider, and the relationship between the time required and available for migration.
Enhanced support level
When operating critical workloads in a public cloud, an insurer should leverage a sufficiently high support level from the cloud provider. Depending on the provider, the maximum support level may include a dedicated technical account manager and the option of defining run books describing the interaction between the provider and the insurer in case of an incident.
Business continuity planning
Preparing for the worst case in the form of a business continuity plan can additionally reduce the risks described above. A business continuity plan is a step-by-step guideline outlining how to resume business as usual after a disruption or keep it running under impaired circumstances. The main objective is to limit the downtime after a disaster, and to help the company get back up and running.
Before using cloud services for critical workloads, insurance companies should develop a business continuity plan that enables critical applications to be migrated within the necessary timeframes in order to prevent service interruption. This plan should contain alternate providers, a mapping of the cloud services consumed from the current provider to corresponding services from alternative providers, and clear processes and responsibilities for the event that the cloud provider suspends the service or even terminates the contract.
In the next few articles in our series we will be discussing how insurance companies can meet the requirement to secure their right to audit their cloud providers. Stay tuned!
If you have questions on any article in this series, please feel free to contact us.