10 Questions Insurance Firms Should Ask their Cloud Service Provider
April 5, 2017
There is no longer any question that the cloud is safe and secure for insurance companies. Small- to enterprise-sized companies are taking advantage of the elasticity and efficiency the cloud brings to their businesses. Although many cloud service providers may use similar hardware or software applications, the way they do business will be different. There is the standard contract for clients to sign, but what about the details in the fine print? Here are some questions you will want to ask your provider before you sign that contract.
1. What is Your Level of Encryption?
Encryption is what keeps intruders away from your data. If the encryption is done right, then even if the bad guys get hold of your data they can't do anything with it. There are three main areas you want to verify about encryption: data at rest, data in transit, and data on mobile devices. Ask the cloud service provider whether data in transit is protected by SSL/TLS using 256-bit Advanced Encryption Standard (AES), and whether data at rest is encrypted with 256-bit AES. This is a necessity for those working in the insurance industry.
2. Can You Keep a Signed Audit Trail of Users' Actions?
Keeping track of users' actions helps the company spot possibly malicious activity as well as user negligence. Users who know their activities are watched are less likely to make mistakes, and much less likely to do anything against company policy. Malicious activity does not necessarily mean malicious intent; it also covers employees clicking on unauthorized emails that could carry viruses.
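As an added illustration (not from the original post) of what "signed" buys you in an audit trail: each record's tag is an HMAC over the record and the previous record's tag, and the latest tag is kept out of band, so an edited, removed or truncated record shows up at verification time. The key and the sample user actions are constructed for the demo.

```python
import hmac, hashlib, json

# Constructed demo key. In a real deployment the signing key lives with the
# log service or an HSM, not with the application whose users are being audited.
KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64

def sign_entry(prev_tag: str, entry: dict) -> str:
    """HMAC over the previous tag plus the canonical JSON entry, chaining records."""
    msg = prev_tag.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def append(log: list, entry: dict) -> str:
    """Append an entry and return the new head tag, which is kept out of band."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"entry": entry, "tag": sign_entry(prev, entry)})
    return log[-1]["tag"]

def verify(log: list, expected_head: str) -> tuple:
    """Return (ok, index): index is the first record that fails to chain, or
    len(log) when every record chains (ok is then False only if the tail was cut)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if not hmac.compare_digest(rec["tag"], sign_entry(prev, rec["entry"])):
            return False, i
        prev = rec["tag"]
    return hmac.compare_digest(prev, expected_head), len(log)

def build_sample_log() -> tuple:
    """Constructed sample of three user actions; returns (log, head_tag)."""
    log, head = [], GENESIS
    for e in [
        {"ts": "2017-04-05T09:00:00Z", "user": "alice", "action": "login"},
        {"ts": "2017-04-05T09:05:00Z", "user": "alice", "action": "export", "object": "claims.csv"},
        {"ts": "2017-04-05T09:07:00Z", "user": "alice", "action": "delete", "object": "claims.csv"},
    ]:
        head = append(log, e)
    return log, head

def tamper_demo() -> dict:
    """Editing a record, dropping a middle record, or cutting the tail are all detected."""
    results = {}
    for name, mutate in [
        ("edited", lambda l: l[2]["entry"].update(user="bob")),   # rewrite who deleted
        ("dropped", lambda l: l.pop(1)),                           # remove the export
        ("truncated", lambda l: l.pop())]:                         # cut off the delete
        log, head = build_sample_log()
        mutate(log)
        results[name] = verify(log, head)
    return results
```

Without the out-of-band head tag the "truncated" case would verify cleanly, which is why the provider should also be asked where the latest tag is anchored.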
3. What Certifications have you Attained?
The answer to this question may include a lot that does not concern you. There are many certifications out there, so get ready for an earful of acronyms. For the insurance industry in particular, you are looking for a cloud service provider that is HIPAA and AICPA certified.
4. What are the Roles in Data Protection?
Don't assume that because the cloud service provider has your data they are solely responsible for its security. Many data breaches originate from within the company, typically as a result of user error or negligence. Users forget to log out of systems or click on links that contain viruses, and these types of data breaches are not the responsibility of the provider. This is standard, but it is good to ask so that the roles are understood by both parties.
5. What are your Data Replication Procedures and what is your Level of Data Durability?
Data replication refers to how many servers hold copies of your data. If possible you want three servers holding your data across three different data centers, and those copies should be synchronized instantaneously. The higher the data durability figure the better. Do not settle for 99.999% (known as "five nines"); ask if they can go higher. In some cases, cloud service providers can offer ten or even eleven nines (think of each extra nine as adding another zero to the odds against losing data, the way 10,000 becomes 100,000).
6. What is your Exit Strategy if I decide to Move to Another Provider Later?
You want to make sure that if you decide to move to another cloud service provider in the future, all of your data moves with you. You need to know how the provider will assist with the movement of data, what the procedure is for destroying your data on their servers once it has been moved, and, if they use a third-party partner, who reviews the transition process.
7. How much Control do I Have Over My Data?
This may seem like a strange question, but you need to make sure that data during creation, in midlife, and at the end of its lifecycle remains under your control. At the beginning of the data lifecycle you want to make sure the data is captured accurately; in midlife, edits and deletions should be captured accurately; and at the end, there should be an archiving process.
8. Does My Data Stay in the US?
This may seem like a no-brainer, but some providers have international servers, and if you do not mention your type of business, they may not know to keep the data within the United States. As part of the insurance industry your data must stay within the borders of the country, so make sure they are aware of this fact.
9. Will My Data be on its Own Server?
The answer is probably not. Virtualization allows cloud service providers to run multiple clients on a single server. Each client's data is kept in separate partitions and is not mixed with anyone else's, but if you really want data on your own server, providers offer an option to purchase a dedicated server. Unless you are a very large company that requires an entire server to itself, the extra cost is probably not worthwhile.
10. Who Can See My Data?
Cloud service providers are still a type of IT entity: there are people at the data centers maintaining the systems that hold your data. Find out what internal controls are in place to stop their personnel from copying, deleting or viewing your data.
Cloud service providers offer a lot of options, and you want to make sure that everything they tell you is in the contract. Do not take their word for it; if it is not in writing, you will not have any recourse later.