
Beyond the normal discussion about how companies need to "design for failure" (re: applications) when using public clouds, someone brought up that SLAs will need to evolve before companies can better mitigate risk. Most people tended to dismis this, since SLAs usually only compensate customers for the service value of the outage window (eg. $/hour of compute time), not for any value related to lost business due to downtime, lost data or a security breach.
So this got me thinking about what it might mean to obtain an insurance policy to protect against "loss" as a result of a public cloud service. My initial thoughts fell into a couple buckets:
- What would/could be included in that "loss"?
- Do companies today have any idea how to measure the value of what an individual IT service means to their business?
- Are there any companies that offer an insurance policy that covers public Cloud Computing today?
- How is data captured for companies offering Cloud Computing insurance?
- Will Cloud providers sell their operational data to insurance companies? Should Cloud providers sell their operational data to insurance companies?
- Are there markets and derivatives to Cloud insurance that could evolve if this model of risk management begins to grow?
In today's 24x7x365 world, the breadth of a "loss" could potentially include some or all of the following items. Measuring some of these could be quite difficult:
- For transactional applications (taking website orders), this could be an average amount of sales for the given time period.
- For applications that enable external functionality to customers or partners, a company may need to protect themselves from "failure to meet SLAs" claims. For example, Company X couldn't perform their business action because your companies service was not available.
- Given the abundance of alternative online services and short attention spans (the #FAIL culture), a company may attempt to claim a loss of "community trust" (or other term) from existing customers that went elsewhere.
- It's possible that "loss or corruption of data" could be included, but there are plenty of backup and disaster-recovery solutions available today to cover those situations.
Do companies today have any idea how to measure the value of what an individual IT service means to their business?
I suspect the answer to this question, in many cases, is "no". Should value be measured in lost productivity for workers, or lost market opportunities for the business, or via some other factor.
It's very likely that a company has attempted to measure the operational cost of running a specific application, especially if they have it running in a public Cloud service instead of in an internal data center.
Are there any companies that offer an insurance policy that covers public Cloud Computing today?
When I asked this question, I was pointed to a few different companies, individuals and blogs. These included:
- Cloud Insure (@CloudInsure; http://www.cloudinsure.com/home/)
- GigaOm Pro - "How to Insure the Cloud and Protect Everyone's Assets"
- Drew Bartkiewicz
Not a lot at this point. With Cloud Computing still being such an early, rapidly changing and expanding market, I suspect that it's very difficult for risk managers to begin to accumulate enough historic data to begin to create the actuarial tables (and other risk management tools) needs to evaluate risk levels and price that risk accordingly.
It appears from some basic research that there aren't actual insurance companies offering policies for Cloud Computing yet, but that companies like CloudInsure are beginning to work with several public Cloud providers to better understand their operations models. This knowledge is then being put into risk models that translate into the language that Insurance companies speak.
How is data captured for companies offering Cloud Computing insurance?
This is an area that I don't have any details about today. It's possible that it could come directly from the Cloud providers themselves, if they were willing to share it. Or it could indirectly come from companies that provide various types of Cloud management services (enStratus, Righscale, CloudPassage, Cedexis, etc.) or carrier-indepdent Service Providers (eg. Equinix), albeit using smaller sample sizes. A third source could be sentiment analysis from various public sources (media outlets, social media, etc.) that mention outages
Will Cloud providers sell their operational data to insurance companies? Should Cloud providers sell their operational data to insurance companies?
This is an area that could begin to go down multiple slippery slopes very, very quickly.
First of all, the operational data would need to be normalized across multiple clouds. This would need to take into consideration various tiering levels they offer, associated redundancy models offered within those tiers, how frequently measurements of uptime are taken, plus a list of other variables.
Second, the data would need to be anonymized so that provider-customer relationships could be kept confidential (if they weren't already excluded from such services contractually).
Third, the insurance provider would need to somehow create logical firewalls between insurer-provider teams so that details of a providers operations were not shared with other providers, potentially creating unplanned competitive situations are a result of data leakage.
Fourth, there would need to be a reliable way for the insurer to validate customer accounts with the Cloud provider, which means opening up records of who is using the service.
Fifth, the insurer would need to be able to perform the equivalent of forensic analysis on the provider when claims were made by their customers, to determine the cause of failures and potentially the party that is to blame. The insurer would want to be protected against "Moral Hazzard" situations.
Whether or not Cloud providers will sell their data to insurance companies will probably be directly tied to customer demand for increased risk-management when using public cloud services. This would obviously be balanced by:
[a] Cloud providers determining the additional costs to provide the data (people, equipment, lawyers, etc.) - this would be balanced against the additional revenues the Cloud provider would receive from all the insurance companies competing for that data
[b] their trust in insurance providers to maintain privacy of that data since it represents the operations of the Cloud provider
[c] the competitive environment for the Cloud provider - is a lack of reporting (and hence insurability) impacting it's ability to be competitive in the marketplace
Are there markets and derivatives to Cloud insurance that could evolve if this model of risk management begins to grow?
This is potentially the most interesting aspect of this whole question, although it has less to do with Cloud Computing and more to do with my interests in economics and markets. Never the less, here's a few thoughts that have come to mind
[a] I have no doubt that a company like CloudInsure could find multiple financial institutions to back the insurance claims they write for companies, but will companies feel comfortable until their are many Cloud insurance companies building competitive offerings? It's somewhat of a chicken and egg scenario - which comes first - the insurance companies or the market demand for insurance companies?
[b] Will we see Cloud companies taking their data directly to financial institutions to back the policies they (Cloud provider) offer directly to their customers? They are already building predictive operational models themselves, so do they have the best insight? What conflicts of interest does this create?
[c] How difficult will it be to determine the cause of an outage? How difficult will it be for a customer to collect, if the verification process by the insuring company is extremely complex?
[d] If Cloud insurance begins to grow in the market, does this increase the demand for development organizations to command higher fees to create better "design for failure" applications to actually compete with the Cloud insurance companies?
[e] How do we avoid situations like the mortgage/financial markets have, where derivates get created and there is the possibility that a 3rd-party (hacker organization) can't create a policy on behalf of a legitimate company - and then collect when the hackers take down that businesses applications? This is essentially what happened in the mortgage crisis of 2008, with financial institutions being able to bet (multiple times) on any tranche of mortgages failing, without actually owning those assets. The equivalent of CDOs for Cloud services.
What's next in Cloud insurance?
I suspect that I've only scratched the surface on how insurance will play a role in helping companies manage business risk as they begin to adopt more public Cloud Computing services. I would be very interested in hearing what others have learned; about companies that are exploring these areas, and what lessons have been learned over the last couple years. It's definitely not a "do" or "don't" question, as it involves business risk, technology evolution, financial markets and potentially many other groups.
I would be very interested in hearing what others have learned; PPI help
ReplyDeleteIn terms of Cloud Computing and its perceived avenue of insurance, we can summarize it to the platform called disaster recovery where backup via virtual memory will avoid much data loss.
ReplyDeleteIndividual culpability insurance coverage, also referred to as individual outdoor patio umbrella insurance coverage, is a different item most of us use and keep the belongings inside courtesy. Because most of us are now living in some sort of litigious community, most of us believe that it's actually a excellent strategy to have insurance coverage which could resist some sort of monetary blunder caused by legal action.insurance agents directory
ReplyDeletePre-production is usually very critical in order to video clip production. Begin every online video media production from identifying, while in extensive research, the company’s competitive advantage IN ADDITION TO benefits to help include Using your video clip production. explainer-video-production
ReplyDeleteAlthough outdoor patio umbrella insurance coverage can be looked into inside context associated with specific legal responsibility, it is vital with the stableness of your company. A few of the crucial exposures a company encounters might be offset by outdoor patio umbrella policy, just you may not possibly recognize that consequently. This post explains the different kinds of Trucking Insurance open to company to manage outside pitfalls and the risk associated with not need the outdoor patio umbrella insurance cover.
ReplyDeleteThis information addresses 5 factors you need to know with regards to legal responsibility insurance plan. From industrial common legal responsibility insurance plan for your company, to be able to professional legal responsibility insurance plan regarding suppliers regarding professional insurance Agents, discover the actual different types of legal responsibility protection along with exactly how an independent broker can assist you find the best coverage for your particular needs.
ReplyDeleteYour work is very good and I appreciate you and hopping for some more informative posts. happy new year 2016 new year 2016 bonne année 2016 happy new year 2016 images feliz año nuevo 2016 imagenes de año nuevo 2016 feliz año 2016 bonne annee 2016
ReplyDeleteYour Site Is Very Good and The Post is Well On Topic, Thanks for Sharing it with us.
ReplyDeleteNew Romantic Songs 2016
Meredith Vieira Show
Latest Tips and Tutorials 2016
Chris Brown is a suspect in another case
free iphone 7
Peshawar Zalmi PSL Matches T20 Live
urdu best poetry 2016
New Songs 2016
copyright free music for videos 2016
This is great do you have a catologue if so I would love one to share with friends and family.
ReplyDeleteKings XI Punjab Team Squad Captain Name
KKR New Players List
Mumbai Indians Jersey and Logo Images