Beyond the normal discussion about how companies need to "design for failure" (re: applications) when using public clouds, someone brought up that SLAs will need to evolve before companies can better mitigate risk. Most people tended to dismiss this, since SLAs usually only compensate customers for the service value of the outage window (e.g. $/hour of compute time), not for any value related to lost business due to downtime, lost data or a security breach.
So this got me thinking about what it might mean to obtain an insurance policy to protect against "loss" as a result of a public cloud service. My initial thoughts fell into a couple buckets:
- What would/could be included in that "loss"?
- Do companies today have any idea how to measure the value of what an individual IT service means to their business?
- Are there any companies that offer an insurance policy that covers public Cloud Computing today?
- How is data captured for companies offering Cloud Computing insurance?
- Will Cloud providers sell their operational data to insurance companies? Should Cloud providers sell their operational data to insurance companies?
- Are there markets and derivatives to Cloud insurance that could evolve if this model of risk management begins to grow?
In today's 24x7x365 world, the breadth of a "loss" could potentially include some or all of the following items. Measuring some of these could be quite difficult:
- For transactional applications (taking website orders), this could be an average amount of sales for the given time period.
- For applications that enable external functionality to customers or partners, a company may need to protect itself from "failure to meet SLAs" claims. For example, Company X couldn't perform their business action because your company's service was not available.
- Given the abundance of alternative online services and short attention spans (the #FAIL culture), a company may attempt to claim a loss of "community trust" (or other term) from existing customers that went elsewhere.
- It's possible that "loss or corruption of data" could be included, but there are plenty of backup and disaster-recovery solutions available today to cover those situations.
Do companies today have any idea how to measure the value of what an individual IT service means to their business?
I suspect the answer to this question, in many cases, is "no". Should value be measured in lost productivity for workers, or lost market opportunities for the business, or via some other factor?
It's very likely that a company has attempted to measure the operational cost of running a specific application, especially if they have it running in a public Cloud service instead of in an internal data center.
Are there any companies that offer an insurance policy that covers public Cloud Computing today?
When I asked this question, I was pointed to a few different companies, individuals and blogs. These included:
- Cloud Insure (@CloudInsure; http://www.cloudinsure.com/home/)
- GigaOm Pro - "How to Insure the Cloud and Protect Everyone's Assets"
- Drew Bartkiewicz
Not a lot at this point. With Cloud Computing still being such an early, rapidly changing and expanding market, I suspect that it's very difficult for risk managers to accumulate enough historic data to begin to create the actuarial tables (and other risk management tools) needed to evaluate risk levels and price that risk accordingly.
It appears from some basic research that there aren't actual insurance companies offering policies for Cloud Computing yet, but that companies like CloudInsure are beginning to work with several public Cloud providers to better understand their operations models. This knowledge is then being put into risk models that translate into the language that Insurance companies speak.
How is data captured for companies offering Cloud Computing insurance?
This is an area that I don't have any details about today. It's possible that it could come directly from the Cloud providers themselves, if they were willing to share it. Or it could indirectly come from companies that provide various types of Cloud management services (enStratus, RightScale, CloudPassage, Cedexis, etc.) or carrier-independent Service Providers (e.g. Equinix), albeit using smaller sample sizes. A third source could be sentiment analysis from various public sources (media outlets, social media, etc.) that mention outages.
Will Cloud providers sell their operational data to insurance companies? Should Cloud providers sell their operational data to insurance companies?
This is an area that could begin to go down multiple slippery slopes very, very quickly.
First of all, the operational data would need to be normalized across multiple clouds. This would need to take into consideration various tiering levels they offer, associated redundancy models offered within those tiers, how frequently measurements of uptime are taken, plus a list of other variables.
Second, the data would need to be anonymized so that provider-customer relationships could be kept confidential (if they weren't already excluded from such services contractually).
Third, the insurance provider would need to somehow create logical firewalls between insurer-provider teams so that details of a provider's operations were not shared with other providers, potentially creating unplanned competitive situations as a result of data leakage.
Fourth, there would need to be a reliable way for the insurer to validate customer accounts with the Cloud provider, which means opening up records of who is using the service.
Fifth, the insurer would need to be able to perform the equivalent of forensic analysis on the provider when claims were made by their customers, to determine the cause of failures and potentially the party that is to blame. The insurer would want to be protected against "Moral Hazard" situations.
Whether or not Cloud providers will sell their data to insurance companies will probably be directly tied to customer demand for increased risk-management when using public cloud services. This would obviously be balanced by:
[a] Cloud providers determining the additional costs to provide the data (people, equipment, lawyers, etc.) - this would be balanced against the additional revenues the Cloud provider would receive from all the insurance companies competing for that data
[b] their trust in insurance providers to maintain privacy of that data since it represents the operations of the Cloud provider
[c] the competitive environment for the Cloud provider - is a lack of reporting (and hence insurability) impacting its ability to be competitive in the marketplace?
Are there markets and derivatives to Cloud insurance that could evolve if this model of risk management begins to grow?
This is potentially the most interesting aspect of this whole question, although it has less to do with Cloud Computing and more to do with my interests in economics and markets. Nevertheless, here are a few thoughts that have come to mind:
[a] I have no doubt that a company like CloudInsure could find multiple financial institutions to back the insurance claims they write for companies, but will companies feel comfortable until there are many Cloud insurance companies building competitive offerings? It's somewhat of a chicken and egg scenario - which comes first - the insurance companies or the market demand for insurance companies?
[b] Will we see Cloud companies taking their data directly to financial institutions to back the policies they (Cloud provider) offer directly to their customers? They are already building predictive operational models themselves, so do they have the best insight? What conflicts of interest does this create?
[c] How difficult will it be to determine the cause of an outage? How difficult will it be for a customer to collect, if the verification process by the insuring company is extremely complex?
[d] If Cloud insurance begins to grow in the market, does this increase the demand for development organizations to command higher fees to create better "design for failure" applications to actually compete with the Cloud insurance companies?
[e] How do we avoid situations like the mortgage/financial markets have, where derivatives get created and there is the possibility that a 3rd-party (hacker organization) can create a policy on behalf of a legitimate company - and then collect when the hackers take down that business's applications? This is essentially what happened in the mortgage crisis of 2008, with financial institutions being able to bet (multiple times) on any tranche of mortgages failing, without actually owning those assets. The equivalent of CDOs for Cloud services.
What's next in Cloud insurance?
I suspect that I've only scratched the surface on how insurance will play a role in helping companies manage business risk as they begin to adopt more public Cloud Computing services. I would be very interested in hearing what others have learned about companies that are exploring these areas, and what lessons have been learned over the last couple years. It's definitely not a "do" or "don't" question, as it involves business risk, technology evolution, financial markets and potentially many other groups.