Insurance will not make clouds more trusted; cost-effective, secure results will
Article first published as Insurance is NOT the Answer for the Cloud on Technorati.
Two weeks ago Dr. Alexander Pasik, CIO of IEEE, posited that businesses would be more inclined to use cloud services if service providers carried insurance against data breaches. I could not disagree more. I do not dispute that providers (cloud-based and internal) need to proactively manage the operational risks (security, availability, and scalability) of their computing platforms. What I disagree with is using insurance to do it.
Risk management is, at its core, selecting the right strategy for the nature of the risk you face. In general, there are four strategies for managing a risk:
- Avoidance: Reducing or eliminating the chance that a risk will occur. An everyday life example of this is driving carefully to avoid an accident.
- Mitigation: Reducing the damage that a risk will cause if it occurs. When you wear a seat belt in your car you are mitigating accident risk.
- Transfer: Moving fungible damage from a risk to a third-party. Buying automobile insurance to pay accident-related bills is a use of risk transfer.
- Acceptance: Actively deciding to accept the consequences of a risk, if it occurs. Those who drive over the speed limit are accepting the risk of getting a ticket.
Insurance, a risk transfer strategy, is the wrong approach for managing the operational risks of computing, cloud or on-premise. Why? Because a transfer only moves the fungible portion of the risk to a third party, and much of the damage a risk can cause is not fungible. As a result, risk transfer strategies often fail to manage the risk sufficiently, creating a false sense of security for those who rely on them.
Data breaches, massive system downtime and long periods of slow performance are brand-damaging risks. Whether they are caused by your own systems or by a cloud provider, their effects cannot be transferred to a third party: the customers who leave and the reputation you lose are yours regardless of who pays the bill. Just imagine briefing your Board on a big loss of customers and a "black eye" to your company's reputation and saying, "It's OK. We got a big check to compensate us."
Instead, computing providers (on-premise and cloud) should use a combination of risk avoidance and risk mitigation techniques (e.g., use of highly distributed systems with redundancy, reserve capacity, real-time fail-over and multi-layer security) to reduce the risk of data breaches, outages, slowdowns and capacity over-runs. Cloud providers – due to their specialization and economies of scale – are well positioned to do this more efficiently than most customers can do themselves.
Insurance is not the answer to reducing cloud risk. Requiring cloud providers to deliver all the benefits of cloud computing, with information security, business continuity and recovery service levels better than enterprises can achieve internally, is the answer.