Cloud insurance sees hazy future

Service level agreements (SLAs) pertaining to cloud computing services are currently comprehensive enough for any service disruption, notes an industry analyst who says the introduction of insurance packages to safeguard companies' potential loss of business may add unnecessary complexity and contain "uncompetitive" premiums. One insurance vendor, however, says cloud-specific insurance services can be complementary and offer much market potential.

Chris Morris, research director of cloud technologies and services at IDC Asia-Pacific, questioned the need for cloud insurance packages, saying that since the assets are owned by the cloud service provider, it is up to this provider to compensate any loss of income to customers in the event of a service interruption.

The analyst told ZDNet Asia that different IT applications rely, to varying extents, on externally sourced cloud computing services. If the cloud service is simple and clearly defined, such as a basic infrastructure-as-a-service for non-critical application hosting, Morris said penalties stated in standard SLAs should be sufficient and do not require additional insurance.

For more complex and business-critical deployments, in which the service is delivered by multiple providers such as telcos and server providers, he said the onus here is on the application owner to fully understand the impact on their business if there is a loss to the service.

"If it is that vital to the continuation of income for the business user, then its risk assessment will identify this and its governance committee will insist on business insurance to be carried by [the cloud vendor]," added the IDC analyst.

Difficulties in risk assessment
Asked about the limitations of putting together an insurance package for cloud-based services, Morris reiterated that most problems arise from the nature of cloud services and how multiple vendors are involved in the delivery process.

He noted that unless a single vendor agrees to take on the lead provider role in such contracts, risk assessment of the cloud service will be "difficult" and the insurance premium is unlikely to be competitive. Conversely, if a single vendor can control the entire service delivery supply chain, it would then be more practical for a third-party insurance services provider to provide insurance for it, making the insurance package more attractive to potential customers, the IDC analyst added.

Morris noted that in most cases, the penalty payments offered by cloud service providers did not reflect the potential for lost income incurred by affected customers. In such cases, where the business risk was big enough to warrant coverage, companies should then look into purchasing the relevant policies.

That said, he added that the "downside" to this option was that cloud services were backed by only a brief track record for the delivery of critical business services. In the absence of proof of delivery, the premiums for insurances to critical services might be so expensive as to be unaffordable, the analyst surmised.

Insuring data, not service
However, Meghan Hannes, managing director at cloud insurance provider CloudInsure, which was started in August 2010, said the company is taking a different approach to cloud insurance than what Morris described.

Hannes told ZDNet Asia in a phone interview that rather than provide coverage for the cloud service per se, CloudInsure is designing its policies for "cyber liability", which includes aspects such as regulatory coverage, data privacy and security. In other words, it assesses the risks related to the type of data the company is exposing with cloud-based services, she explained.

Additionally, she said the company's products--expected to be available in the fourth quarter of this year or first quarter of 2012--would "not interfere" with existing SLAs. Rather, the insurance would support these agreements and "starts where the SLAs end off", she added.

According to CloudInsure's Web site, it currently lists six cloud providers in the initial pool of cloud services it rates. These are Amazon Web Services (AWS), NetSuite, Oracle, Salesforce.com, Intuit and SuccessFactors. How CloudInsure does the rating, though, remains under a non-disclosure agreement, Hannes said.

Quizzed if CloudInsure was the first to offer such insurance services, she replied that it was. Elaborating, she acknowledged that there were already existing cyber liability services that cater to the loss of information on the Internet or corporate Web sites. However, the market for such services assumes the infrastructure is owned by the company, whereas CloudInsure takes the stance that the infrastructure providing the cloud services is not owned by its customers, she explained.

With regard to how the company priced its insurance premiums, Hannes revealed that this was still in the "development phase" but its guiding principle would be "pricing risk according to the worth of the data being insured", which she said reflected "true economic loss" in times of service disruption.

She pointed out that industries where there were "regulated data", such as healthcare and financial services, would be one of the "first-movers" in terms of adopting such insurance policies as these organizations faced more economic liability for the data they placed on cloud services. As such, Hannes said there was a "tremendous amount of untapped potential" where cloud insurance was concerned and the market could be worth anything in the millions to billions range.

One cloud service provider ZDNet Asia spoke to regarding the viability of cloud insurance products choose not to comment on the question directly. Instead, Amazon Web Services' spokesperson Regina Tan, said: "We will continue to listen to customers on what is most important to them with regard to SLAs, and will always consider ways in which we can enhance our offering for customers."

Tan added that cloud computing reinforces some old concepts of building highly scalable Internet architectures, while introducing some new concepts that change the way applications are built and deployed. As such, companies looking to leverage the full benefits of the cloud, including its elasticity and scalability, need to first understand the services, features and best practices, she suggested.

In April, AWS suffered a partial failure to its Elastic Compute Cloud (EC2) at its northern Virginia site which brought down notable Internet service providers such as Quora and Reddit. Its Dublin, Ireland EC2 site also experienced downtime last month following an "explosion that caused the transient electric deviation" and disabling some of the power synchronization systems, according to a report by technology site, Data Center Knowledge.