There's been no shortage of excitement and hype around cloud computing in recent times, and it's likely to continue into the foreseeable future. Gartner gauges the cloud computing market at $47 billion, and estimates that it will triple in size over the next three to four years.

But is cloud computing the best path for the insurance industry? For insurers, the allure of cloud computing is compelling, but it may take time before it catches on as a pervasive computing strategy, especially for mission-critical systems.

The insurance industry, as it often does, its definitely taking a hard look at cloud, and evaluating how it is going to impact the business before moving aggressively," Jeff Goldberg, analyst with Boston-based Celent. "There's a lot of hype right now from the media and the vendors, but that doesn't always translate into the actual business value."

Some insurers are migrating applications and functions to the cloud, and the successful efforts reflect a thorough analysis of the needs of the business and the limitations of cloud. Pawtucket, R.I.-based Narragansett Bay Insurance Co. is moving operations to both internally and externally supported cloud-based systems as a way to consolidate and streamline its sprawling server infrastructure. "We have a virtual cloud run by our organization," says Michael Anselmo, CIO of Narragansett Bay. "As our business grows, we're going to expand the capacity of our cloud. And even though we have the cloud, it's all managed by our people-we're just borrowing the services and getting the cost benefit of that hardware and software while paying it over time."

At Columbus, Ohio-based Grange Insurance, the project management team turned to a cloud-based application offering to avoid adding more burdens to the company's busy IT department, as well as provide more flexibility for end users. Sarma Tekumalla, assistant VP for the project management office at Grange, has been employing a cloud-based project management solution to coordinate various projects moving through the company. Tekumalla was concerned about taxing the stretched resources of his company's IT department with yet another application to support and maintain. "Our IT department was stressed," he explains. "They had too many projects across the organization. We didn't want to add more software for them to maintain."

The online project management software, from Seattle-based Daptiv Inc., provides configuration and reporting features that can be managed by the company's 40 end users. "We were looking for highly configurable software for someone from outside IT to configure and maintain," Tekumalla says. IT was engaged at the outset of the cloud application selection "just to keep them informed," as well as vet security requirements, he explains. While other departments in the company were initially hesitant to bring in cloud-based applications, the project management office's success with its cloud is spurring other departments to look to cloud providers for solutions. "We're now ramping up other cloud applications outside of Daptiv," Tekumalla says.

WHAT ABOUT SECURITY?

While cloud is in fact delivering benefits to carriers' operations, the enthusiasm is tempered by concerns about online security, an issue that is particularly sensitive among insurance companies. "Security is the biggest concern," Goldberg says. "Many insurers are worried that if their information is kept in the cloud, it may not be as well taken care of as it would in their own internal data centers."

More than anything, the risks depend on the type of cloud computing arrangements made, and these can vary, says David Black, chief information security officer for Marietta, Ga.-based Aon eSolutions. "There are differences in the risks and exposures between different cloud types; we see different adoption based on risk appetite. For example, we see insurance companies beginning to utilize public cloud computing solutions for non-core business needs that do not include the use of personal identifiable information such as social security numbers or health care information. An example of this is using a CRM like Salesforce.com."

Another form of cloud computing is private clouds, where the cloud is either deployed within the insurer's own data center, or in a "cage" by a highly trusted partner that minimize the risks. "We see insurance companies using private cloud computing solutions for core business needs that may include personally identifiable information," Black adds.

Such is the case at Narragansett Bay, in which all cloud-based operations, even when turned over to an outside vendor, are administered as a private cloud. "We're taking the lessons learned from the data centers and their providers that would host our cloud," Anselmo says. "It's our own secure network, and no one else has access to our data. It's run in the cloud, but as an internal cloud. We contract for a specific amount of cores, memory and storage. And that's guaranteed to us. It's dedicated to our world."

Anselmo points out that his company's relationship with cloud providers goes far beyond a typical cloud agreement, in which space is rented as needed from a third-party service. "We have more of a dedicated cloud," he says. "It meets our physical criteria, it's exactly the same hardware that we run in our offices in Rhode Island. I would have a concern if they were on different model servers, or different storage devices. It's running on our equipment in a virtualized environment. We're much deeper with them-we've dealt with the actual engineers and we've seen the site. We even have a card key access to our cage that's running in the cloud."

Black agrees with the need to forge a deep relationship with cloud providers to better ensure security and availability. "The more you can understand the better," he says. "Understand the specifics of the service levels. Understand where the data is going to be located. In a private cloud, for example, your data is going to be in a specific data center. Also, understand the ramifications if there's a data breach. Also, is your contract going to be with a single provider that provides all the services, or is the provider outsourcing other pieces of that? If they are, understand what those pieces are, and what your protections are because it's more difficult to ensure that you're fully covered and protected when you're arms-length away and don't have direct contact to the cloud provider providing the infrastructure and the platform."

CLOUDY APPLICATIONS

Bill Hartnett, director of U.S. insurance solutions for Microsoft, Redmond, Wash., says he's seeing two levels of cloud implementations among his company's insurance clients. "As a first step, insurance companies are gravitating toward our cloud applications delivered as a service, as a way to deliver mission-critical applications, such as Microsoft Exchange, from the cloud," he says. "Customers running Microsoft Dynamics CRM Online in the cloud are not only getting the benefit of a CRM cloud application, but they can also run similar CRM apps in their data centers or with Microsoft partners alongside it."

There's a greater tendency to move more peripheral applications to the cloud model, but leave mission-critical applications within on-premise data centers. "Basic Web services, such as property mapping, report ordering or document management, lend themselves well to the cloud," says Hugh Anderson, industry principal for financial services and insurance at SAP America, Newtown Square, Pa. "Front-end business applications for managing sales, customers and distribution partners are also increasingly migrating to a Software-as-a-Service model."

However, Anderson adds, still to be tamed are the most mission-critical business applications, such as enterprise financial management and underwriting/policy issuance. "These applications are transaction intensive, and most are subject to legal and regulatory compliance," she says. "When exposed to the cloud, it must be with absolute assurance that the data is secure, and that scalability and performance is not compromised in any way."

An area where the cloud may be better suited is application development, says Rich Carreau, EVP of CSC's Financial Services Group. "The cloud is ideal for serving as a developer's sandbox for quickly initiating new projects without having to deal with the typical bureaucracy related to requisitioning a new server, getting capacity planning approval, obtaining software licenses, installing and testing the development environment," Carreau says. "Under that process, precious months of time can be lost. In comparison, you can get up and running on the cloud in a day using a company credit card, and you only pay for the computing time as you use it. It's the ideal environment for fostering creativity and new initiatives."

ADDRESSING STANDARDS UNCERTAINTY

Standards are another question mark in the cloud sphere, though industry observers feel this is something that will work itself out. Microsoft's Hartnett observes that there are some primary standards that already have been put in place for service-oriented architecture and Web services that underpin cloud interoperability. "The cloud will work with established network service standards, such as SOAP or REST," he says. "Within the insurance industry itself, we also have well-established standards, such as ACORD."

The important thing is that both the cloud provider and customer use the same standards, whatever they may be. At Narragansett Bay, common standards with cloud vendors are forged by a deep relationship that ensures security and uptime.

"We actually have access to our cloud," says Anselmo. "We've been in our 'cage,' we've seen the site. We know what the standards are, and we know what the hardware standards are."

Grange's Tekumalla isn't greatly concerned about the maturity of cloud standards, either. "I believe cloud standards will get worked out sooner or later," he says. "I see more and more applications going to cloud environments. People are becoming more comfortable putting their data out on the cloud."

Celent's Goldberg agrees that the standards needed to ensure cloud computing interoperability are already in place. "There are standards for a secure data center," he says. "There are standards that exist today because we're comfortable working with remote servers in different locations that need to communicate with each other. There are servers that communicate with each other across companies in organizations. It's just a matter of making sure that when you're working with cloud vendors, they are adopting those standards and that they're auditable, and can prove that they're conforming to them."

Other key standards by which cloud providers should abide are SAS 70, which verify that there are internal corporate controls, and ISO 27001, the international standard created specifically for information security management systems, Black says. However, standards are only part of the equation, he adds. "Some companies just make a decision that if that vendor has SAS-70, and they get a copy of that every year, they're covered," he says. "Others want to really dig in and go under the hood to make sure that the contract has language that should protect them and, on top of that, whatever else they want to do as part of their audit."

THE ONUS

Today, much of the responsibility for cloud vendor viability lies with the customer. "Currently, cloud service level agreements are a work in progress, and will evolve only when insurance companies demand them," says Imad Mouline, CTO for Lexington, Mass.-based Gomez, a division of Compuware. "The onus for testing, measuring and validating performance lies on the insurance companies considering or using cloud services. And, in fact, insurance companies need to monitor cloud-based applications and services as closely as they would monitor internally supported applications and services."

Anselmo agrees with this advice. When looking at a cloud, especially for a production environment, be sure to go through the same analysis you would go through for an in-house model. And if it doesn't pass, don't do it."

Joe McKendrick is an author and consultant specializing in information technology, based in Doylestown, Pa., and a regular blogger for www.insurancenetworking.com.

 

 

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access