Accountability in the Cloud

Michael Stoeckert, CTO, ProAssurance

I am consistently surprised when cloud service providers do not include Service Level Agreements (SLAs) with financial penalties in their contracts. Privately held cloud vendors in particular tend to leave mutual indemnification, data breach notification obligations and SLAs out of their standard Master Services Agreements. Unless buyers hold them accountable by requiring these standard safeguards in contracts, we will not see improvement until state and federal regulatory bodies take action.

Recoverability timeframe SLAs should be written into the cloud services contract. Every company needs full assurance that its entire data environment is recoverable. To get there, an effective disaster recovery plan must lay the groundwork for a robust, multi-form system of backups and redundancy. The plan must be comprehensive enough to cover on-the-ground data centers and the cloud, and flexible enough to provide both online and offline recovery capabilities at another cloud site. Offline (disconnected or immutable) copies matter because an attacker who encrypts production data cannot also encrypt them, which reduces the pressure to pay a ransom after a ransomware attack.

Providers must build these four service levels into a dependable recovery plan:

1. Availability: A company's business will grind to a halt if its connections to the cloud are severed. It is therefore vital that the vendor provides an SLA covering availability, reliability, and redundancy. This usually includes the Recovery Time Objective (RTO), the maximum time allowed from the point of disaster to failing over to the secondary operation and resuming production processing. The Recovery Point Objective (RPO), the maximum amount of data loss the business will tolerate, measured as the time between the last recoverable copy and the disaster, should also be included.

2. Capacity: One of the greatest benefits of cloud computing is its elasticity; capacity can be expanded and contracted on demand. To secure this benefit, the SLA should state how much added capacity is guaranteed to be available for periods of peak usage, along with the accompanying tiered pricing model.

3. Storage: Managed storage with integrated backup and restoration capabilities is critical. Understanding the replication architecture of the storage is also required in order to assess the offline capabilities that mitigate the risk of having to pay a ransom after a ransomware attack; a replica that is continuously synchronized with production will faithfully replicate the encrypted data too.

4. Logs: The expanding regulatory environment requires logs of both successful and unsuccessful access to systems holding nonpublic data. Specifying access to logs that reside in the cloud provider's infrastructure, along with their verbosity (the level of detail each record carries), is therefore an important SLA term. Solutions known as Cloud Access Security Brokers (CASB) can log how the end consumer is accessing the cloud provider's services, but a log produced by the cloud provider itself and accessible through an admin portal is always preferred. If no portal exists, an SLA that guarantees delivery of verbose logs upon request is a good substitute.
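Items 1 and 4 above describe terms that a buyer should be able to verify with evidence rather than take on faith: a DR test yields an achieved RTO and RPO that can be compared with the contracted values, and a delivered access log either carries the fields the regulation needs or it does not. The script below is an added example written for this page, not code from the author or any provider; the SLA values, the DR test timeline and the access-log records are all constructed for illustration, and the field names are assumptions about what a provider's export might contain.

```python
"""Check a DR test result and an access-log export against SLA terms.

Added example for this article; all data below is constructed.
"""
import json
from datetime import datetime, timedelta

# Constructed SLA terms (assumed; not from any real contract).
SLA = {
    "rto": timedelta(hours=4),      # disaster -> production restored on secondary
    "rpo": timedelta(minutes=15),   # tolerated data loss, measured in time
}

# Constructed DR test timeline (ISO 8601, UTC). Note the replication failure
# shortly before the disaster: only *successful* copies count toward RPO.
DR_TEST_EVENTS = [
    ("replication_ok",       "2024-03-10T01:45:00Z"),
    ("replication_ok",       "2024-03-10T02:00:00Z"),
    ("replication_failed",   "2024-03-10T02:15:00Z"),
    ("disaster_declared",    "2024-03-10T02:20:00Z"),
    ("failover_started",     "2024-03-10T02:35:00Z"),
    ("production_restored",  "2024-03-10T05:50:00Z"),
]

# Fields a verbose access log must carry for "who accessed what, from where,
# and whether it succeeded" (assumed names, chosen for this example).
REQUIRED_LOG_FIELDS = ("time", "principal", "source_ip", "resource", "action", "outcome")

# Constructed newline-delimited JSON export; record 3 lacks source_ip.
SAMPLE_ACCESS_LOG = """
{"time":"2024-03-10T02:01:10Z","principal":"jdoe","source_ip":"203.0.113.7","resource":"claims-db","action":"read","outcome":"success"}
{"time":"2024-03-10T02:01:42Z","principal":"jdoe","source_ip":"203.0.113.7","resource":"claims-db","action":"read","outcome":"failure","reason":"permission denied"}
{"time":"2024-03-10T02:02:05Z","principal":"svc-backup","resource":"claims-db","action":"export","outcome":"success"}
{"time":"2024-03-10T02:03:30Z","principal":"unknown","source_ip":"198.51.100.9","resource":"claims-db","action":"login","outcome":"failure"}
"""


def parse_ts(text):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def evaluate_recovery(events, sla):
    """Compute achieved RTO/RPO from a DR test timeline and compare with the SLA.

    Achieved RPO: disaster time minus the last successful replication before it.
    Achieved RTO: production restored time minus disaster time.
    """
    stamps = {name: parse_ts(ts) for name, ts in events}
    disaster = stamps["disaster_declared"]
    restored = stamps["production_restored"]
    good_copies = [parse_ts(ts) for name, ts in events
                   if name == "replication_ok" and parse_ts(ts) <= disaster]
    if not good_copies:
        raise ValueError("no successful replication before the disaster; data loss is unbounded")
    achieved_rpo = disaster - max(good_copies)
    achieved_rto = restored - disaster
    return {
        "achieved_rpo": achieved_rpo, "rpo_met": achieved_rpo <= sla["rpo"],
        "achieved_rto": achieved_rto, "rto_met": achieved_rto <= sla["rto"],
    }


def check_access_log(raw, required=REQUIRED_LOG_FIELDS):
    """Verify log verbosity and tally successful vs. failed access per resource.

    Returns the record count, a list of (line number, missing fields) for
    records that fall short of the required verbosity, and per-resource counts.
    """
    report = {"total": 0, "incomplete": [], "by_resource": {}}
    for lineno, line in enumerate(raw.strip().splitlines(), start=1):
        record = json.loads(line)
        report["total"] += 1
        missing = [field for field in required if field not in record]
        if missing:
            report["incomplete"].append((lineno, missing))
        counts = report["by_resource"].setdefault(record.get("resource", "?"),
                                                  {"success": 0, "failure": 0})
        counts[record["outcome"]] = counts.get(record["outcome"], 0) + 1
    return report


if __name__ == "__main__":
    print(evaluate_recovery(DR_TEST_EVENTS, SLA))
    print(check_access_log(SAMPLE_ACCESS_LOG))
```

On the constructed timeline the failover completes in 3 h 30 min, within the 4-hour RTO, but the last good copy is 20 minutes old at the moment of the disaster, so the 15-minute RPO is breached even though replication was "running" at the time; this is exactly the distinction between a replication schedule and a replication architecture that the storage item above asks you to understand. The log check flags record 3 as missing its source address, which is the kind of gap an SLA on verbosity should make the provider close.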

Roles and Responsibilities

Without a clear understanding of responsibilities across all types of infrastructure, an incident can turn into a forensic nightmare. This is especially true in hybrid environments that combine on-premises systems with private or public cloud. All critical parties must know their specific roles and responsibilities, and these should be managed according to your control structure. Reviewing and approving the SLA will clarify who is responsible at every point in the network. To aid in this effort, the European Network and Information Security Agency (ENISA) has provided a number of best practice directives to security officers. For example, ENISA advises that:

• Customers should review and update disaster recovery capabilities regularly, taking into account changes, past incidents, and results of tests and exercises

• Customers should retain the right to perform second party audits where it is deemed necessary from a risk perspective and define responsibilities regarding the maintenance, operation, and ownership of assets

• Establish cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, and partners)

• Information security roles and responsibilities are coordinated and aligned with internal roles and external partners

To be secure in the cloud, an organization must work with its vendor to design a fail-safe SLA. This will go a long way toward ensuring adequate resilience and backup capacity, as well as capabilities for data restoration and disaster recovery.

Not All Cloud Service Providers are Created Equal

Bearing in mind that technology requirements change frequently over time, a company should look for a third-party vendor with a broad portfolio of related services to accommodate new business growth. A vendor with a wide array of technological and financial services can help keep a financial firm on the path to best practices as it evolves.

Cloud Provider Checklist for Companies

Whatever cloud-based solution a company chooses, the provider should have strong capabilities in these critical areas:

• Deep understanding of your respective industry
• Knowledge of compliance and regulatory issues
• History of providing cloud-based services
• Does not outsource the responsibility for passing an audit to a third-party technology vendor
• Retains responsibility for the cloud technology it delivers, rather than deferring it to subcontractors
• Robust business continuity planning model with adequate data centers for back-up
• Automatic upgrades by way of the cloud
• Predictable payments without a large up-front cost
• Capability for hybrid solutions to integrate the cloud with local installations if needed
• Willingness to customize solutions for the company
• Security and privacy protections that meet or exceed internal IT and data security policies
• Quickly scalable up and down as resources are needed
• Clear explanation about where data is stored and how it is handled
• Comprehensive set of SLAs that meet or exceed organization’s needs and requirements
• Proven financial stability
• A track record of successes, including references

Today’s realities make cloud computing a logical fit for both financial firms and their clients—who demand a combination of flexibility, efficiency, and support for the completion of large workloads at high speed.

For financial firms, cloud computing does not delegate accountability to cloud providers but requires a partnership grounded in clear requirements, expectations, roles, and responsibilities. Having these expectations included by way of SLAs in a contract will help ensure long-term success. Reputable providers will not add language to contracts that they cannot commit to.

Building these expectations into the firm's contract review process and into the implementation of services will help prevent confusion and sustain the service levels the business is accustomed to receiving from internal IT. It also reinforces the role of the internal IT division as an advocate for, and vital contributor to, the success of every service the business uses.
