3 Comments

Summary:

Last week’s outages at Microsoft and Amazon Web Services reiterated a very important lesson in cloud computing: Even the best-laid plans won’t stand up to an act of god or faulty electrical infrastructure. That’s why the burgeoning field of cloud insurance looks even better than ever.

insurance receipt

Last week’s possibly lightning-caused outages at Microsoft and Amazon Web Services reiterated a very important lesson in cloud computing: Stuff happens, and even the best-laid plans won’t stand up to an act of god or faulty electrical infrastructure. That’s why the burgeoning field of cloud insurance looks even better than ever. A well-thought-out insurance model will address the actual costs and risks of cloud outages or security breaches, for both customers and providers.

Consider the situation with AWS. April’s four-day outage and last week’s hours-long outage had entirely different causes. In the first instance, properly architected applications stayed up and running throughout or suffered only minimal downtime. AWS’s post-mortem of last week’s incident tells a story of root electrical-infrastructure problems that didn’t discriminate in who it affected. If the hardware that powers the cloud isn’t running, even certain high-availability and disaster-recovery strategies might be rendered ineffective.

In both cases, the compensation for affected customers was the same: 10-day service credits equal to 100 percent of their usage. That’s fantastic in terms of getting paid back — and then some — for the actual downtime, but what about the opportunity costs of going down? In the case of a prolonged outage, what about the costs of having to stand up alternative resources in order to get an application back online? Standard contracts from commodity cloud providers like AWS don’t provide for compensation beyond service credits, and for good reason.

Cloud providers also stand to benefit from an insurance system. Not only will the availability of policies allay some cautious potential customers’ concerns about moving to the cloud, but insurance policies for providers will help offset the cost of dealing with an outage. Those service credits cost money, after all, as do steps taken to investigate and resolve outages and implement improvements to prevent future incidents.

This doesn’t even touch upon the damages that can arise from a security breach that results in the exposure of sensitive data. State and (possibly soon) federal statutes might require both cloud providers and their customers to notify affected users of the data breaches and take other steps toward remediation. Lawsuits, fines and other legal issues might start piling up. As it stands right now, everyone’s costs are their own, which probably is fair, but for some, it might appear like a lot of risk to assume.

Cloud insurance to the rescue?

Thankfully, it looks like cloud computing insurance might actually be a reality in the near future. As I detailed in a recent GigaOM Pro piece (sub req’d), both the IEEE and private companies have recognized the importance of developing an insurance model custom-built for the cloud.

One particular company, CloudInsure, appears to have the right idea. At a high level, its approach involves vetting cloud providers, cloud customers and the value of the data, and then determining premiums accordingly. In practice (the company is still in its developmental phase), it should work a lot like auto insurance. Just like make, model, safety features, geographic location, miles driven and other factors affect car insurance premiums, so too will various factors around provider- and customer-side security and availability procedures, as well as the potential costs to resolve an incident, affect cloud insurance premiums.

However, anyone attempting to create an insurance model around the cloud really has to understand where risk lies and how the business model works. There aren’t yet any real standards in place for how to build secure, reliable, multi-tenant clouds that span geographic boundaries, or to build applications that run atop them. It might be easy to make draw inspiration from traditional outsourcing arrangements, but cloud computing with its standard contracts and on-demand resources aren’t traditional outsourcing.

For its part, CloudInsure already is working with a number of cloud providers, including AWS, Microsoft and Salesforce.com. That should help it better understand the unique aspects of cloud computing and its various models, such as Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service.

Ultimately, cloud insurance isn’t about acknowledging that cloud computing isn’t safe or reliable as much as it is about acknowledging that cloud computing is fallible like anything else. AWS, Microsoft and their customers can do everything right, then, BAM!, lightning strikes and everyone’s left counting their losses. It might be comforting to know that someone else will help foot the bill.

Feature image courtesy of Flickr user Laineys Repertoire.

  1. Interesting. This early in the cloud game, it seems like the damage done to the perceived reliability of public clouds in general and specific providers in particular is far greater than the direct financial losses attributable to an outage. In other words, the recent outages at Amazon will do more to harm the adoption of cloud computing than the availability of insurance/monetary compensation for outages can make up for.

    As you mentioned in your June research report, the number one inhibitor to cloud adoption according to your survey was security. Following that was reliability. While the idea of insurance for the cloud is interesting, it seems to me that there are a lot more important issues (reliability, security) that need to be addressed before insurance/monetary compensation will be able to have a real effect on moving more computing to the cloud.

    Share
  2. I work for a, somewhat, large insurer that offers policies for some forms of technology companies (in Canada). You have a number of different exposures: business interruption, property damage/loss, and data loss.

    Business Interruption:
    In some cases there may already be coverage in place as some insurance wordings provide coverage for “off-site power loss”. That being said there has to be an insured peril for the business interruption cover to trigger, i.e. you have to actually sustain a loss.

    Property Damage/Loss:
    This is more a concern for the provider of cloud services, have they protected their equipment, have they insured it, and how quickly can they recover from the loss.

    Data Loss:
    Data loss is the concern of both the provider (server) and user (client). Of course you want to prevent data loss but you also want to recover from it when it does occur and compensate people for their loss (post-loss risk management).

    I would suggest what is needed is an insurance broker who specializes in technology to work with this niche market to develop risk management (beyond simple insurance since insurance is only post-loss) to develop risk management plans and disaster recovery plans. Once these plans are developed they should be simplified and communicated to users to create trust in the security of cloud service providers.

    I’m not sure if it’s “couture” to plug me & my own blog here, but I’ve written a number of posts on risk management in technology, which I hope people find useful: http://amorphousprojects.com/blog/?action=search&search_item=tag&search_term=risk+management
    In addition, I’m happy to do consulting work if anyone is looking to develop a full and comprehensive risk management approach. (Admin/Om, feel free to delete these plugs if you wish).

    That’s just my $0.02 and I hope it helps,

    Share
  3. Another form of cloud insurance would be to invest in a hybrid solution, like Egnyte’s hybrid cloud (www.egnyte.com). That way, if you lose access to the cloud in an outage like Amazon’s, you will still have uninterrupted local access to all of your files.

    Share
  4. After power outages, cloud insurance looks even better http://t.co/he11jvXd

    Share

Comments have been disabled for this post