It’s Not Just Twitter’s Problem: What Insurers Need to Know about DDoS and the Snake in the IoT Garden of Eden

On Friday, October 21, a massive Distributed Denial of Service (DDoS) attack made over 1,000 websites unreachable, including Twitter, Netflix and PayPal. Two cloud providers, Amazon Web Services and Heroku, reportedly also experienced periods of unavailability.

The attack was directed against a key part of the internet’s infrastructure, a domain name system provider, Dynamic Network Services aka Dyn. When a person enters a web address into a browser, such as google.com, the browser in turn needs an IP address (a string of numbers and periods) to actually connect with that web address. Domain name system providers are a critical source of IP addresses.

On Friday Dyn was the target of perhaps the largest ever DDoS, when its site was overcome by tens of millions of requests for IP addresses. Because Dyn could not provide the correct IP addresses for Twitter and the other affected sites, those sites became unreachable for much of the day.

It also appears that the DDoS was mounted using a widely available malware program called Mirai. Mirai searches the web for IoT connected devices (such as digital video recorders and IP cameras) whose admin systems can be captured using simple default user names and passwords, such as ADMIN and 12345. Mirai can then mobilize those devices into a botnet which executes a directed DDoS attack.

There are a number of potentially serious implications for insurers:

  • An insurer with a Connected Home or Connected Business IoT initiative that provides discounts for web-connected security systems, moisture detectors, smart locks, etc. may be subsidizing the purchase of devices which could be enlisted in a botnet attack on a variety of targets. This could expose both the policyholder and the insurer providing the discounts to a variety of potential losses.
  • If the same type of safety and security devices are disabled by malware, homeowners and property insurers may have increased and unanticipated losses.
  • As insurers continue to migrate their front-end and back-office systems to the cloud, the availability of those systems to customers, producers, and internal staff may drop below acceptable levels for certain periods of time.

The Internet of Things will change insurance and society in many positive ways. But the means used to mount the October 21 attack highlight vulnerabilities that insurers must recognize as they build their IoT plans and initiatives.

How do insurance providers develop an agile IT infrastructure?

Insurers have always faced the challenge of taking products and solutions to market faster and doing so at lower cost. The sources of this challenge are not new – changing partner and customer expectations, increased and new competition and demanding regulators with perhaps the addition of the current financial climate.

Insurers have risen to each challenge, offering new ways to interact with their customers, offering new products and tracking their processes against new requirements. However, warning signs loom as insurers are increasingly finding that each of these solutions involves adding something new, encumbering their infrastructure with the latest systems, applications and integrations. Insurers already suffer from heterogeneous and complex IT landscapes and many are in the throes of large, costly programs designed to simplify and reduce costs.

The challenge today is a little more specific than those in the past: How can an insurer increase in agility, speed to market and flexibility while keeping the support and maintenance costs manageable?

Insurers are increasingly realising the benefits of a Software as a Service (SaaS) approach for some parts of their IT landscape. The promise of being up and running on an out of the box solution can be very appealing for activities that don’t differentiate the insurer or are well understood. While these solutions continue to be additive, they don’t increase the load on the IT infrastructure team beyond the due diligence exercise. However, many of the areas that need the greatest speed to market are differentiating and require customisation – how can insurers achieve that without increasing complexity?

Is Cloud the Answer?
There has been much discussion about cloud and how this is changing the way start-ups and businesses deal with their IT infrastructure. Insurers exist in a heavily regulated environment and are rightly hesitant to jump on the latest technology fad to solve their problems. However, dismissing the developments in cloud and SaaS propositions altogether for their core operations may be throwing the baby out with the bath water, along with possibly the bath as well.

There is value in considering cloud-thinking or a cloud style approach to problem-solving when considering the insurer’s infrastructure. Central to enabling cloud is simplifying, standardising and above all automating activities with IT infrastructure. Once the common activities one needs to do are automated this frees up costly team members and time to look at other problems. Through automation one can keep adding new applications and solutions to the IT landscape with a lower impact on support and maintenance costs, enabling an insurer to remain flexible, agile and keep their costs manageable.

It is time for the IT department to look internally and apply the same automation and efficiency thinking of their business counterparts to their own operations. Regardless of an insurer’s position on cloud, there is value in applying cloud-thinking. Consider how automation and simplification can increase predictability, supportability and quality in IT Operations. If appropriate, take that learning and move some services to the cloud.

In practice this approach doesn’t simplify the IT landscape and move everything to one “cloud” way of doing things. Rather, it accepts the insurance industry’s need for complexity and for flexibility in approach, and seeks to enable a fast and cost-efficient approach to deliver it.

 

Ace buys Chubb: what it means for insurance technology

Today’s blockbuster announcement of Ace buying Chubb will have a lot of industry ramifications—some of which will play out in the IT sphere. No doubt there has already been an IT assessment element in each insurer’s due diligence efforts. Between now and the effective date of the merger, there will be a lot of planning focused on:
  • Efficiencies and platform rationalization–aka “let’s figure out what is the right number of core systems, which core systems will be the survivors, and how data conversion and integration will work”
  • Cloud, SaaS, data management/stores, and analytics
  • Professional service and SI support capabilities that can scale to the new Chubb
  • Which systems will best support a digital roadmap
Some seemingly redundant systems may survive—at least over a 1 to 3 year period. For that to happen, the business (and/or various geographies’ compliance) requirements of the operating units using these systems will be too divergent or too difficult to quickly build into a single surviving system. All this reinforces the reigning market message to insurance technology firms. If you want to be around in 10 years:
  • Design highly configurable and agile systems that feature ease of integration
  • Have enough scale to meet the needs of bigger and bigger insurer customers—grow, merge, or wither
 

The security breach of the month/week/day – and why you should consider the Cloud

I don’t want to pick on one particular company, but the breach at Anthem hits pretty close to home — our industry is under attack. Should this surprise you? Absolutely not. What is particularly concerning is that these are companies that are spending enormous sums of money to stop these intrusions. And are still getting hacked.

JPMorgan Chase, Home Depot, Target, Michaels. I list these, not just as a reminder, but because I personally was affected by all four breaches. I’m on my third credit card in just over a year because every breach forces a new one. The JPMorgan Chase and the Anthem breaches are different and more onerous. In the Target breach, and others like it, credit cards were compromised. You can close a credit card account. In the recently disclosed Anthem breach — everything was lost. Name, Address, Social Security number, employer, net worth. In other words, everything to steal your identity. I can’t close my life and open a new one.

Is there a purpose to this rant? There is. First, the technology exists — and is reasonably affordable — to encrypt this data. Is it a big project? Of course. Do you still want me to be your customer? How is it that in 2015 critical data about me is sitting in a data center and not encrypted?

Second, one of the biggest arguments against using applications in the Cloud is that having data in your own data center is more secure. Really? Seems not. I was recently discussing running a Life insurance system in the cloud with the CIO of a larger insurer. They put forth the ‘safer in my shop argument’, so I asked them a simple question: Is your budget for security larger than Google, Amazon or Microsoft (three of the largest Cloud vendors)? After much thought, he replied that it was not, and our discussion changed paths. So maybe it is time to rethink the importance of your own data center. Beyond just security, is it your core competency to run a data center? Does it bring new revenue into your company to run a data center? Is it cheaper to run your own data center? I believe the answer to all three is a resounding No.

So when you are out looking for new applications and technology, I suggest it may be time, or beyond time, to think differently. Oh, and start asking your personal bank, credit union, insurance company, etc.: is my data encrypted?

Life in the Cloud – vendor activity is high

Few technologies are talked about as much as cloud computing. Cloud services may top the list of technology buzzwords used in corporate board rooms, by Wall Street analysts, in the trade media and within insurance IT organizations, but it often is talked about as an emerging technology – one that is potentially transformative but still little used. The level of general interest in cloud computing is understandable. It promises tremendous flexibility, tempting economic advantages, and unending operational efficiencies.

To that end, insurance carriers are dependent on the cloud offerings available. Only if vendors are offering products on the cloud can carriers take advantage of them. So where are the vendors? Do all vendors have cloud applications? What options are available for insurance carriers and are they aligned with carriers on the importance of cloud apps? What challenges do vendors face, and what are their plans for the future? I surveyed 41 vendors to provide answers to these questions as well as to understand pricing models, platform investments, and their expectations of where the market is going.

Cloud has grown from an emerging trend to the way of doing business for most vendors in a remarkably short time. While vendors may believe they are leading the competition by offering a cloud solution, the reality is that cloud options are now the norm. Vendors have moved swiftly to create cloud offerings and those that don’t have some type of offering are rare. Although these offerings are common, that doesn’t change the very real and significant concerns that carriers have, particularly around privacy issues and performance. Yet carriers’ interest in cloud computing continues to gain traction as a way of managing costs, improving efficiencies, and offering opportunities to transform the business.

Despite the high interest, vendors who wish to be successful in selling cloud options to carriers will have to address concerns in three key areas: privacy and data integrity, reliability and performance, and may want to provide tools to help carriers learn to manage and govern their cloud offerings. This rapid evolution is not without its challenges for vendors. Customer-facing challenges of high concern for vendors include issues such as managing the release cycle across multiple clients, balancing front-end, customer-facing features with reliability- and performance-enhancing features, and the impact of a changing target market customer base. Vendors are also concerned about identifying the right pricing model. Managing the shifting business model from license and professional service fees to subscriptions is formidable for many vendors. In addition, cloud creates notable organizational challenges, especially competing for scarce engineering resources.

Cloud is expected to generate significant levels of revenue, and vendors that have not put their cloud plans together may want to begin to build a roadmap for the future. Check out the report – Life in the Cloud: Vendor Plans and Priorities

Risk, reward and cyber-security

For most people the amount of time, skill and effort required to get access to our family photos far outweighs the possible value someone would find therein. Thus, security measures based on making it really quite difficult to get to the data while at the same time not too hard to use have become increasingly popular. I would file username and password security in here. Occasionally, the digital assets on the other side are valuable to the right group. Banks use 2 factor authentication and a variety of non-digital schemes to ensure security. Even World of Warcraft, where rare digital swords and armour carry their own value, offers broader measures of security to protect accounts. The recent leak of a number of celebrities’ private photos shows that there are other assets worth the time and effort required to break this level of security.

The risk associated with the data insurers hold has to date been quite minimal. There are health, specialty lines and large commercial lines where this isn’t the case, but for most people the data held by insurers and available through portals is largely innocuous and available through other means. As insurers start to tap into wider data sources and the Internet of Things it is imperative that the industry considers how it protects its customers. A simple example from products available today: some insurers likely hold the real-time location of the car driven by celebrities and millionaires’ children, thanks to the increasing popularity of telematics based car insurance. This brings with it increased security, the opportunity to recover the car if stolen and the opportunity to bring much needed assistance swiftly if the car and driver suffer an accident. In the wrong hands this data is sadly highly valuable and thus worth the time, effort and risk to assault and try to recover.

Whilst the details around the leak are still emerging it is clear that it is incumbent on the providers of these services to offer sufficient security in the first place and to educate their users on appropriate use. To insurers looking at cloud and portals, I say consider the edge cases – the celebrities using your security for instance, those for whom there are organised groups who would be rewarded for getting the data. Take into account the type of data available through various security schemes and portals; some information is naturally less sensitive. No one will read a story about a film star’s driving score and premium due next month, but where they drove and when – well maybe that’s a headline you don’t want your name associated with.

Celent Predictions for 2014

It’s clear that my colleagues and I see 2014 as something of a tipping point, a watershed for established and new technologies to take hold in the insurance industry. I’ll try to summarise them succinctly here. Expect to see reports on these topics in the near future. Celent’s 2014 predictions focus on:
  • The increasing importance and evolution of digital
  • The rise of the robots, the sensor swarm and the Internet of Things
  • An eye to the basics
The first topic area is labelled digital but encompasses novel use of technology, user interfaces, evolving interaction, social interaction (enabled by technology) and ye olde customer centricity. Celent predicts vendors would market core systems as customer centric again, but this time meaning digital customer centricity. Celent expects core system user interfaces to acquire more social features along with a deeper investment in user interfaces leveraging voice, gesture, expression and eye movements. A specific digital UI example was the widespread adjustment of auto damage claims (almost) entirely done through photos. In addition, gamification use for both policyholders and brokers will be adopted or increase in use for those early adopters. Celent further predicts greater investment in digital and that comprehensive digitisation projects would start to drive most of the attention and budgets of IT.

The second topic I’ve called Robots and Sensors, while digital there is a significant amount of attention and specificity. The merger or evolution of the Internet with the Internet of Things accelerates with devices contributing ever more data. Celent predicts this rise of the Internet of Things, or the sensor swarm, will push usage based insurance policies to other lines of business, not just telematics based auto policies that UBI is currently synonymous with. Celent further predicts that the quantified self movement and humans with sensors will in 2014 yield the first potentially disruptive business model for health insurance using this data. As an aside the increasing use of automation, robotics and AI will see broader adoption in the insurance industry. For those reading my tweets, Celent predicts 2014 will see drones used for commercial purposes. I hope we won’t have the need, but wonder if we’ll see drones rather than helicopters capturing information about crisis stricken regions in 2014.

The final topic I’ve called the basics. Celent predicts insurers will continue to focus heavily on improving performance of the core business – a good counterbalance to the hype around digital and a good pointer to where to focus digitisation efforts. At Celent we have noted a pragmatic interest in the cloud from insurers and we predict increasing complexity in hybrid cloud models, to the benefit of the industry. A little tongue in cheek but finally, Celent suggests that the industry will finally find a business case for insurers adopting big data outside of UBI. Avid readers of the blog will be happy to see we haven’t predicted an apocalypse for 2014.

A special thanks to Jamie Macgregor, Juan Mazzini, Donald Light and Jamie Bisker for their contributions.

Agoraphobia and Insurance Cloud Models: Don't Be Afraid to Play Outside

The insurance industry is currently engaged in an important discussion about the potential opportunities and risks presented by modern cloud architecture. Insurers have a continuing need to reduce operational costs, increase flexibility and most importantly become better at communicating and integrating with partners and customers. Cloud computing models have the potential to help in all these dimensions and can potentially have enough impact to fuel disruptive business models. Unfortunately, there is a recent trend toward labeling private clouds as less risky than public clouds and hybrid clouds as a reasonable compromise. This is an example of cloudy thinking (sorry!) designed to maintain the current architecture and business status quo and does a disservice to innovative technology and business models. Celent believes that over the next 5+ years, insurers will naturally move to an “outside in” architectural model that aligns well with a hybrid cloud model and, for some classes of carrier, a public only model.

Private clouds adopt the services-based model which enables service reuse and enterprise process and data consistency, but only draw upon internal services. This is an incremental improvement for insurers, more efficiently organizing resources for extended private networks that often pre-date the public internet. The biggest value driver for private clouds is the ability to consolidate resources and systems across business units and geographies, which is great if you have consolidated those systems. Among insurers, HCM and financial systems fit this model well, core systems not so much. Insurers’ assumptions that these private networks are safer is predicated on the idea that insurers are better at network security, infrastructure management and disaster recovery than the public cloud infrastructure providers, which is unlikely. There are appropriate uses of private clouds, especially in interim IT architectures, but beware of private clouds as a key element of your longer term IT strategy.

Public clouds are generally used as Software as a Service providers of a specific application or suite of applications that are somewhat configurable and maintain data security and privacy for each customer in a multi-tenant model accessible over the Internet, possibly through VPN. Like more traditional ITO outsourcing, the customer needs to do due diligence on the vendor’s technology choices and roadmap, infrastructure investments and security models to ensure long term vendor viability. Public cloud based SaaS applications are very useful for very specific applications that require minimal configuration, widespread access and limited integration into larger workflows. Generally, public cloud applications do not integrate well into other applications without extensive API work and workarounds. In many cases, public cloud applications were introduced to the enterprise by business units to bypass IT budget issues and work queues and are not part of the Enterprise Architecture. Note that for small companies or startups, public cloud based SaaS providers can make sense as virtual IT, IF the carrier can get past the idea that most of their business processes and concomitant IT systems are not significant business differentiators.

Hybrid cloud models that are designed to integrate ‘best choice’ public services and carefully chosen internal services using a robust business process management orchestration tool to manage across an extended bus architecture are the best choice for insurers seeking innovation, cost control and risk reduction. Insurers currently use a wide variety of external services, for rating, underwriting, service fulfillment, social media, mobility and analytics. A properly implemented hybrid model that is agnostic as to where services are fulfilled can enable insurers to reduce costs, focus on core competencies, extend distribution networks to non-traditional channels and explore new business models.

Mind the Gap. Are Insurers and Vendors in Latin America on the same page about SaaS and Cloud Computing Usage and Adoption?

With the end of the year almost around the corner, we are still immersed in some very important reports for all of us which, by the way, will be produced entirely with a Latin American focus for the first time. The CIO Report and the Policy Administration System ABCD Vendor View Report are on their way.

From our past and recent discussions with Insurers and Vendors about different topics around technology, architecture, trends, features and functionality, something has been drawing my attention: there seems to be a gap in the perception about usage and adoption of SaaS models and Cloud Computing in Insurance, at least in Latin America. While the detailed reasons and the size of the gap between Insurers and Vendors will be part of a report next year, initial findings point in the direction that Vendors perceive more benefits from adopting these models while Insurers’ CIOs do not feel the pressure and do not have it as a priority.

A SaaS approach, applied to a Policy Administration System for example, appears as a perfect fit to the business model of many Vendors. SaaS enables Vendors to target small and medium Insurers as they can consistently manage a single scalable version of the solution and offer support very cost effectively with prices that fit smaller Insurers’ wallets.

On the other side, CIOs seem to feel more comfortable with on-site, self-controlled environments. Hardware and communications prices are more accessible to them, providing more processing power and bandwidth for their dollars than a few years ago. In some countries even regulation presents a challenge to this type of offering as regulators still question where the system and the data need to reside.

Something to consider is that Insurers in this region have not yet been exposed to many SaaS and Cloud offerings, so the perceived associated benefits and the price difference between traditional on-site and the new alternatives are still a discussion to mature.

Another aspect that might help to build the bridge and cross the gap is that core system replacement is starting to show an increasing trend, and it will expose Latin American Insurers to newly architected solutions with technology and functionality that are much more flexible and robust but at the same time more complex to administer. Smaller Insurers especially will need to consider how to remain competitive, improve processes and deliver better quality products and services through diverse and new distribution channels at a cost they can bear.

Interesting times to come as we unveil what to expect in the region. In the meantime, if you are interested in participating in the Latin America CIO Report or the Policy Administration System Report please let me know. Also feel free to reach me at jmazzini@celent.com with your comments and thoughts around SaaS and Cloud Computing usage and adoption.

Happy Holidays!

SaaS Activity in 2010 Insurance Software Deals

Every year, Celent conducts a survey of software providers which details the activity in the insurance automation market (http://www.celent.com/reports/north-american-insurance-software-deal-trends-2011-lifehealthannuity-edition and http://www.celent.com/reports/north-american-insurance-software-deal-trends-2011-propertycasualty-edition). The latest snapshot showed a 14% growth in SaaS across all categories. This increase was expected based on conversations we had last year with both insurers and vendors. It was good to get some numbers that defined the level of activity in this area. What was surprising was that billing was one of the leaders in the move to SaaS in terms of percentage of deals. Thirty percent of the reported insurance billing systems sold in 2010 were delivered through some type of hosted solution. This demonstrates both the desire of companies to upgrade their billing service and reduce the cost involved in delivering these new capabilities. Look for increased activity in this area in 2011.