It’s Not Just Twitter’s Problem: What Insurers Need to Know about DDoS and the Snake in the IoT Garden of Eden
On Friday October 21 a massive Distributed Denial of Service (DDoS) attack made over 1,000 websites unreachable, including Twitter, Netflix and PayPal. Two cloud providers, Amazon Web Services and Heroku, reportedly also experienced periods of unavailability.
The attack was directed against a key part of the internet’s infrastructure, a domain name system provider, Dynamic Network Services aka Dyn. When a person enters a web address into a browser, such as google.com, the browser in turn needs an IP address (a string of numbers and periods) to actually connect with that web address. Domain name system providers are a critical source of IP addresses.
On Friday Dyn was the target of perhaps the largest ever DDoS, when its site was overcome by tens of millions of requests for IP addresses. Because Dyn could not provide the correct IP addresses for Twitter and the other affected sites, those sites became unreachable for much of the day.
It also appears that the DDoS was mounted using a widely available malware program called Mirai. Mirai searches the web for IoT connected devices (such as digital video recorders and IP cameras) whose admin systems can be captured using simple default user names and passwords, such as ADMIN and 12345. Mirai can then mobilize those devices into a botnet which executes a directed DDoS attack.
There are a number of potentially serious implications for insurers:
- An insurer with a Connected Home or Connected Business IoT initiative that provides discounts for web-connected security systems, moisture detectors, smart locks, etc. may be subsidizing the purchase of devices which could be enlisted in a botnet attack on a variety of targets. This could expose both the policyholder and the insurer providing the discounts to a variety of potential losses.
- If the same type of safety and security devices are disabled by malware, homeowners and property insurers may have increased and unanticipated losses.
- As insurers continue to migrate their front-end and back-office systems to the cloud, the availability of those systems to customers, producers, and internal staff may drop below acceptable levels for certain periods of time.
The Internet of Things will change insurance and society in many positive ways. But the means used to mount the October 21 attack highlights vulnerabilities that insurers must recognize as they build their IoT plans and initiatives.
Insurers have always faced the challenge of taking products and solutions to market faster and doing so at lower cost. The sources of this challenge are not new – changing partner and customer expectations, increased and new competition and demanding regulators with perhaps the addition of the current financial climate.
Insurers have risen to each challenge, offering new ways to interact with their customers, offering new products and tracking their processes against new requirements. However, warning signs loom as insurers are increasingly finding that each of these solutions involves adding something new, encumbering their infrastructure with the latest systems, applications and integrations. Insurers already suffer from heterogeneous and complex IT landscapes and many are in the throes of large, costly programs designed to simplify and reduce costs.
The challenge today is a little more specific than those in the past: How can an insurer increase in agility, speed to market and flexibility while keeping the support and maintenance costs manageable?
Insurers are increasingly realising the benefits of a Software as a Service (SaaS) approach for some parts of their IT landscape. The promise of being up and running on an out of the box solution can be very appealing for activities that don’t differentiate the insurer or are well understood. While these solutions continue to be additive, they don’t increase the load on the IT infrastructure team beyond the due diligence exercise. However, many of the areas that need the greatest speed to market are differentiating and require customisation – how can insurers achieve that without increasing complexity?
Is Cloud the Answer?
There has been much discussion about cloud and how this is changing the way start-ups and businesses deal with their IT infrastructure. Insurers exist in a heavily regulated environment and are rightly hesitant to jump on the latest technology fad to solve their problems. However, dismissing the developments in cloud and SaaS propositions altogether for their core operations may be throwing the baby out with the bath water, along with possibly the bath as well.
There is value in considering cloud-thinking or a cloud-style approach to problem-solving when considering the insurer’s infrastructure. Central to enabling cloud is simplifying, standardising and above all automating activities with IT infrastructure. Once the common activities one needs to do are automated, this frees up costly team members and time to look at other problems. Through automation one can keep adding new applications and solutions to the IT landscape with a lower impact on support and maintenance costs, enabling an insurer to remain flexible and agile and keep their costs manageable.
It is time for the IT department to look internally and apply the same automation and efficiency thinking of their business counterparts to their own operations. Regardless of an insurer’s position on cloud, there is value in applying cloud-thinking. Consider how automation and simplification can increase predictability, supportability and quality in IT Operations. If appropriate, take that learning and move some services to the cloud.
In practice this approach doesn’t simplify the IT landscape and move everything to one “cloud” way of doing things. Rather, it accepts the insurance industry’s need for complexity and for flexibility in approach, and seeks to enable a fast and cost-efficient approach to deliver it.
- Efficiencies and platform rationalization–aka “let’s figure out what is the right number of core systems, which core systems will be the survivors, and how data conversion and integration will work”
- Cloud, SaaS, data management/stores, and analytics
- Professional service and SI support capabilities that can scale to the new Chubb
- Which systems will best support a digital roadmap
- Design highly configurable and agile systems that feature ease of integration
- Have enough scale to meet the needs of bigger and bigger insurer customers—grow, merge, or wither
Mind the Gap. Are Insurers and Vendors in Latin America on the same page about SaaS and Cloud Computing Usage and Adoption?
With the end of the year almost around the corner, we are still immersed in some very important reports for all of us which, by the way, will be produced entirely with a Latin American focus for the first time. The CIO Report and the Policy Administration System ABCD Vendor View Report are on their way.
From our past and recent discussions with Insurers and Vendors about different topics around technology, architecture, trends, features and functionality, something has been drawing my attention: there seems to be a gap in the perception about usage and adoption of SaaS models and Cloud Computing in Insurance, at least in Latin America. While the detailed reasons and how large the gap is between Insurers and Vendors will be part of a report next year, initial findings point in the direction that Vendors perceive more benefits from adopting these models while Insurers’ CIOs do not feel the pressure and do not have it as a priority.
A SaaS approach, applied to a Policy Administration System for example, appears as a perfect fit to the business model of many Vendors. SaaS enables Vendors to target small and medium Insurers as they can consistently manage a single scalable version of the solution and offer support very cost effectively with prices that fit smaller Insurers’ wallets.
On the other side, CIOs seem to feel more comfortable with on-site, self-controlled environments. Hardware and communications prices are more accessible to them, providing more processing power and bandwidth for their dollars than a few years ago. In some countries even regulation presents a challenge to this type of offering as regulators still question where the system and the data need to reside.
Something to consider is that Insurers in this region have not yet been exposed to many SaaS and Cloud offerings, so the perceived associated benefits and the price difference between traditional on-site and the new alternatives is still a discussion to mature.
Another aspect that might help to build the bridge and cross the gap is that core system replacement is starting to show increased trends and it will expose Latin American Insurers to newly architected solutions with technology and functionality much more flexible and robust but at the same time more complex to administer. Smaller Insurers especially will need to consider how to remain competitive, improve processes and deliver better quality products and services through diverse and new distribution channels at a cost they can bear.
Interesting times to come as we unveil what to expect in the region. In the meantime, if you are interested in participating in the Latin America CIO Report or the Policy Administration System Report please let me know. Also feel free to reach me at email@example.com with your comments and thoughts around SaaS and Cloud Computing usage and adoption.