Insurance is NOT the answer for the cloud



Insurance will not make clouds more trusted; cost-effective, secure results will

Article first published as Insurance is NOT the Answer for the Cloud on Technorati.

Two weeks ago Dr. Alexander Pasik, CIO of IEEE, posited that businesses would be more inclined to use cloud services if service providers carried insurance against data breaches. I could not disagree more. I do not disagree that providers (cloud-based and internal) need to proactively manage the operational (security, availability, and scalability) risks to their computing platforms. What I disagree with is the use of insurance to do this.

The very definition of risk management is the selection of the right strategy based on the nature of the risk you are facing. In general, there are four different strategies to manage risk:

  1. Avoidance: Reducing or eliminating the chance that a risk will occur. An everyday life example of this is driving carefully to avoid an accident.
  2. Mitigation: Reducing the damage that a risk will cause if it occurs. When you wear a seat belt in your car you are mitigating accident risk.
  3. Transfer: Moving fungible damage from a risk to a third party. Buying automobile insurance to pay accident-related bills is a use of risk transfer.
  4. Acceptance: Actively deciding to accept the consequences of a risk, if it occurs. Those who drive over the speed limit are accepting the risk of getting a ticket.

Use of insurance – a risk transfer strategy – is the wrong approach to manage the operational risks of computing (cloud or on-premises). Why? Because techniques like these only transfer the fungible portion of the risk to a third party. Unfortunately, much of the damage a risk can cause is not fungible. As a result, risk transfer strategies often fail to sufficiently manage risk, creating a false sense of risk security for those who rely on them.

Data breaches, massive system downtime and long periods of slow performance are brand-damaging risks. Regardless of whether they are caused by your own systems or a cloud provider, you cannot transfer the effects of these to a third party. Just imagine briefing your Board on a big loss of customers and a “black eye” to your company’s reputation and saying, “It’s o.k. We got a big check to compensate us.”

Instead, computing providers (on-premises and cloud) should use a combination of risk avoidance and risk mitigation techniques (e.g., use of highly distributed systems with redundancy, reserve capacity, real-time failover and multi-layer security) to reduce the risk of data breaches, outages, slowdowns and capacity overruns. Cloud providers – due to their specialization and economies of scale – are well positioned to do this more efficiently than most customers can do themselves.

Use of insurance is not the answer to reducing cloud risk. Requiring cloud providers to provide all the benefits of cloud computing – with information security, business continuity and recovery service levels that are better than enterprises can provide internally – is the answer.

Republished with author's permission from original post.

Jim Haughwout
Jim Haughwout (pronounced "how-it") is passionate about creating technology that improves how people live and work. He is the Chief Technology Architect at Savi Technology and a General Partner at Oulixeus Consulting. His work has been featured by Network World, ZDNet, Social Media Today, the IBM Press, CIO Magazine, Fast Company, GigaOm and more.

