Emerging mobile technologies, social networking tools and cloud computing promise operational, and even cost benefits, but present a wealth of challenges to those tasked with securing enterprise data.
"There is no doubt that with every new technology there is a new type of risk," says Ty Sagalow, EVP and chief innovation officer of Schaumburg, Ill.-based Zurich NA. "As general rule, software and hardware are never perfect."
While data security issues precede the information technology infrastructure of the modern insurance company, recent advances in technology inflate their scope and severity far beyond the historical norm. For many years, the theft of large amounts of company data was circumscribed by physical limitations. In the mainframe era, insurers could more or less construct a moat around the enterprise with little worry of it being breached. Now, in the era of ubiquitous wireless Web access and 32GB USB flash drives, the only limits on data theft are the ingenuity and avarice of those seeking to steal it - be they internal or external.
"It used to be most of your users were within the enterprise," says Fred Kost, director of security solutions marketing for San Jose, Calif.-based Cisco Systems. "Now, a lot of people who need access to applications, data or the network are outside your corporate perimeter. It changes your ability to lock down access."
Further exacerbating this trend are technologies such as cloud computing and the use of mobile devices, which move data traditionally garrisoned within the enterprise outside its walls.
"Historically, no technology has been developed that has proven to provide absolute protection against hackers, and this is especially true of insider threats," adds Sagalow. "New types of business models such as cloud computing generally have new risks [associated with them] because they haven't been thoroughly tested."
The Rethink
Over the last decade, organizations have largely focused on protecting the perimeter with firewalls and restricted access. The looming threat of negative publicity, coupled with the tight regulatory environment under which insurers operate, no doubt reinforces the consequences of cyber risk. Additional security concerns may come from the business side of the house about protecting customer information. "We've done an awful lot to protect client information and secure our perimeter," says Bob Zandoli, chief information security officer, at New York-based MetLife.
Yet, in the modern enterprise, the perimeter itself is not as clearly demarcated as it once was. "Security is evolving, just like technology is evolving." Zandoli says.
Nothing demonstrates this new ambiguity more than cloud computing. Ask two knowledgeable people to define cloud computing and you'll probably get two different answers - and both are likely to be correct. (For the purposes of this article, we'll forego a definition and use cloud computing to refer to any abstracted, on-demand computing model.)
Leaving such philosophical and etymological discussions aside, most would agree that perimeter security is going to become harder as cloud becomes more prevalent. "With cloud computing, you don't know where your information is," says Zandoli. "If there is a breach, how you do conduct computer forensic investigations in the cloud?"
Yet, far from being the next big thing, some would assert that cloud computing is little more than a rebranding of the application service provider concept, and presents many of the same sort of challenges you face with any type of outsourcing.
Ellen Carney, senior analyst with Cambridge, Mass.-based Forrester Research, contends many of the security issues surrounding cloud computing will sort themselves out in time. "As cloud computing and Software as a Service (SaaS) matures in the insurance industry, you will see more companies proceeding this way," she says. "Over time, there will be an increased level of comfort about putting data in the netherworld."
Carney points to customer relationship management software provider Salesforce.com as an indication that security issues can be properly addressed. "We haven't heard anything about security breaches there," she says.
Tse Wei Lim, an analyst in the insurance practice at New York-based Novarica, agrees that cloud computing has broad security implications but argues that it is not widely adopted enough in the insurance industry to have immediate ramifications. Rather, he sees the widespread use of analytics as a more pressing security concern. "The next big thing that CIOs will need to worry about is the increasingly pervasive use of analytics and BI tools at all levels of their organization," he says. "As insurers begin to see the benefits of analytics, and the tools become more powerful and more affordable, IT departments will begin to see greater demand from the business side for more data to be made more widely available. The security challenge then will be for CIOs to work out how to satisfy this demand while keeping that data secure."
Consumerization
Another broad trend pushing out the security perimeter is the adoption of technologies incubated in the consumer space. The proliferation of mobile devices, means information security officers have to figure out how to exert control on a variety of end-user devices from laptops to smartphones. Though consumerization is not something to which IT is accustomed, Cisco's Kost says business requirement and productivity issues often trump security concerns. "It's a reality, and not something most companies can avoid," he says. "Mobility is just another avenue. We can secure it."
Indeed, one high-profile vote of confidence for mobile security happened in 2009. "We have our first president with a BlackBerry smartphone," Sagalow says.
While the threats presented by mobile security may be becoming more manageable, the questions about those posed by Web 2.0 technologies remain, as social networking sites, have become fertile ground for data thieves.
Be the first to comment on this post using the section below.