International Computer Security Association Labs is working on a new initiative aimed at helping cyber liability insurance companies more accurately assess risk associated with cloud computing.
An independent division of Verizon, ICSA Labs has built a reputation around testing and certification criteria to measure product compliance and performance.
"We are teaming with the insurance industry to provide insurability certifications around cloud," explained Vinny Sakore, the organization's program manager for cloud security. "This is a focus for 2013, and we expect to go public with an announcement sometime during the first quarter."
Although cyber liability insurance has been protecting against risks associated with data breaches and network interruptions at the customer premises for several years, the advent of cloud computing has caused challenges in assessing the risk.
"The insurance companies are concerned with cloud providers for two reasons," explained Sakore. "First is the incredible amount of data that's being aggregated by these carriers. The second concern is that cloud computing companies typically won't assume any liability. So, the insurance company inevitably takes on more liability than it would, even in the traditional outsourcing model."
In addition, the insurance provider not only is faced with liability associated with the cloud providers themselves but also carries risk from the customers of those cloud providers who also happen to be customers of the insurance provider.
"Let's say an Amazon or a Terremark each have a $250 million insurance policy with your company," said Sakore. "But let's say you also have a thousand customers working within that cloud provider, and each of those has a $100 million policy. Now you're talking about billions of dollars in potential liability, not just $250 million. Therefore, assessing the size of the risk can be difficult and complex."
ICSA Labs is currently grappling with this issue, as well as with a host of other factors that should be calculated into the risk assessments. Examples include privacy implications for data stored across or transiting international borders, the effects of virtualization, how denial-of-service attacks are handled, and requirements for compliance with standards such as PCI and ISO 27001. These and other factors roll up into a score that the insurance company can then use as a tool for setting the price of coverage and related terms. Elements would be weighted differently, based on their relative importance.
"They also need to determine how much sensitive information is being stored by the cloud provider," Sakore continued. "This can change over time, so at the point of renewal, they will need to assess how much data, and what types of data have been moved to the cloud because your entire risk posture with that customer might have changed since the last time you engaged in this process. So it is critically important to monitor those types of developments."