Securing cloud-based applications and data is still new and complex. The insurance industry continues to experience breaches, exposing customer records numbering in the hundreds of millions. However, certain cloud security measures can be implemented by insurance firms to help prevent such data breaches.
An effective way to achieve cloud security is to break down security concerns into manageable parts and organize them based on areas of abstraction. This approach enables you to understand what’s needed and helps you prioritize your efforts accordingly. Below is a depiction of an Enterprise Cloud Security Framework, which has been adapted from the Open Systems Interconnection model (OSI model).
How can you apply this framework to take charge of cloud security for your insurance business and develop a strong, multifaceted strategy that appropriately safeguards your digital assets? Let’s take a closer look.
The 7-layered defense against cybersecurity risks
For cloud security in insurance, there are seven layers you need to address to protect your organization. Identifying and implementing solutions at each layer is essential to creates a strong defense against intruders and cyber risks.
The data layer requires applying relevant mechanisms for database, content, and messaging security. This includes encrypting data at rest and in transit; using secure transit methods like VPNs; implementing data lifecycle management; controlling secrets like security keys; and deploying a security and information management (SIEM) solution for real-time alerts, logs, reporting, and compliance. However, it’s important to note that data security relies on measures taken in all the other security layers.
Securing your applications depends on addressing three critical areas: access control, vulnerability management, and monitoring. Access control best practices include giving role-based rights in an enterprise and logging every access for traceability. To manage and minimize vulnerabilities and risks, adopt automated tools to scan programming code, and harden all of your applications against the top 10 Open Web Application Security Project (OWASP) risks. Monitoring should combine traditional policy-based models with today’s AI-enabled user and entity behavior analytics (UEBA) tools for faster anomaly detection. Such approaches can also quarantine suspicious connections and alert the appropriate staff member when human remediation is necessary. Penetration testing (pen test), an authorized simulated cyberattack, should also be performed to evaluate the security of the applications.
- Host (Provider’s) Network
Ask your provider to supply robust modern infrastructure solutions, security mechanisms and breach remediation, with AI-enabled detection as part of the mix. Beyond the contractual obligations that you negotiate, insist on validation processes that ensure your provider is completing all necessary security, configuration, and upgrade tasks on time. Be certain to require detailed reporting on every test attack to help you uncover any insufficiencies. Additionally, deploy malware protection for devices that access your host’s systems, regardless of whether they’re a desktop or mobile solution. Pen testing at this layer is also crucial.
- Enterprise (Internal) Network
Your firm is responsible for security “in” the cloud, which also means the transport systems that move data between your internal network and your provider’s infrastructure. In practice, it means addressing items such as firewalls, operating systems, configurations, segmentation, traffic encryption, server encryption, messaging protection, data integrity checks, and attack prevention. You’ll also need to conduct periodic pen tests to evaluate defenses and uncover any new security gaps.
As ‘perimeter’ now encompasses both cloud-based and on-site infrastructure, many insurers are adopting a “zero-trust” approach. That’s because over 67% percent of breaches are caused by hacking and social attacks, according to Verizon’s latest data breach report 2020. In a nutshell, zero-trust is a software-defined method where nothing and no one is given access until an advanced verification process is completed. Zero-trust typically includes identifying and protecting your most critical assets, across all enterprise solutions, as this is a smaller sub-set of all assets. To do so, additional layers of inspection and enforcement are implemented to prevent threat infiltration and asset exfiltration.
- Physical Access
Implementing physical access controls is vital to supporting all your cybersecurity approaches. In addition to traditional mechanisms like door locks, badges, cameras, and security guards, leading organizations are also deploying security robots to roam indoor and outdoor spaces. Such bots can detect credentials as well as send live HD streaming video to uncover and document suspicious behavior as it unfolds. With moving to the cloud, this layer of security is no longer your responsibility; it is the responsibility of your cloud provider to ensure that physical access to your assets is protected.
- Policies, Procedures & Awareness
Perhaps the most overlooked security measure is also the most fundamental. Although it’s critical to know how to detect and respond to threats, it’s equally important to detail how employees can prevent data breaches, , and what steps they should take if a breach is detected. A key aspect of this process is ongoing employee education that includes providing incentives for reporting suspicious activities – whether it’s an email phishing attempt or a fellow employee acting outside of the norm.
How do I get started?
A good first step for devising an effective strategy to secure your seven layers is to develop a comprehensive governance model. Strong cybersecurity governance is comprised of the following:
- Security at all layers
- Principle of least privilege
- Secured systems
- Security best practices automation
With appropriate governance as a building block, you can protect your data and digital assets across all seven security layers through risk assessments and mitigation strategies.
Learn more about how we can help you with your cloud enablement by visiting our Digital & Cloud Services practice.