• United States

The cloud’s Achilles’ Heel is that it’s uninsurable

Mar 11, 20113 mins
Cloud ComputingMicrosoftSecurity

Risk expert warns industry has no model for calculating risk

While companies like Microsoft were touting the growth and benefits of cloud computing at the recent Cloud Connect conference here in Silicon Valley, one speaker gave what he called his “wet blanket” presentation warning of a big hole in the cloud business model.

The cloud computing industry lacks a method for calculating the risk of a cloud computing accident and a mechanism for sharing that risk, said Drew Bartkiewicz, CEO and founder of CyberFactors, a risk assessment service that rates cloud providers on risk and also helps companies determine the risk of moving their data to the cloud.

A cloud provider may tout the advanced security and reliability it offers to try to prevent a cyber attack or a service outage, but that doesn’t mean an accident won’t happen anyway, any more than putting nine seat belts in a car will prevent it from crashing, Bartkiewicz said.

I came away from his presentation thinking that the cloud industry needs to address this problem if it’s going to obtain any real growth going forward. It’s not simply a matter of gaining the trust of cloud customers by touting security; there has to be some serious financial security behind it as well.

“Cloud computing needs insurance so bad, it just doesn’t know it yet because cloud customers will demand … shared risk and shared responsibilities,” he said.

Service level agreements aren’t the same as insurance because if a network outage results in the cloud provider giving the customer a $10,000 credit on their service, that won’t fully compensate the customer if the outage results in a $1 million loss of revenue, he said.

“If you’re a cloud computing provider and you don’t understand the economics of risk and you’re not working on a strategy to bring risk into your model, you’re not going to win,” Bartkiewicz said. “Even if the cost to use your cloud goes to almost zero, but the customer perceives that the cost to fail in that cloud is very high, they’re never going to move more data to your cloud.”

Cloud providers don’t have the tools to evaluate the risk of a cloud mishap, calculate how to price that risk and build it into their business model, he said, and they don’t have the expertise to process claims. Every other business in the physical world has a means of sharing risk, but the cloud industry has no equivalent. For example, a car rental agency sells insurance to the renter or has them assume the risk personally or with their own car insurance.

Bartkiewicz said he’s already heard cloud providers report symptoms of slower growth in cloud adoption that he attributes to this lack of a mechanism to provide insurability. But the risk needn’t be borne only by the providers. If a company going to the cloud is saving, say $100,000, versus the cost of running their own data center, they should consider using 20 percent of that savings to buy a $5 million insurance policy.

A cloud provider can spend all it wants to on security but it can’t outspend risk. A resolution to the problem of risk management will make sure that cloud computing has a sustainable future.