7 minute read 19 May 2020
Thunderstorm with lightnings over the water

Why your cloud security operating model is key to create trust while transforming your business.

By Reto Aeberhardt

Financial Services Head Cyber Risk Management | Switzerland

Trusted cybersecurity and cyber-risk management advisor. Passionate about emerging technologies that support today’s business transformation. Slalom waterskiing enthusiast.

7 minute read 19 May 2020

Cloud security includes everything security teams are responsible for today but translated into the cloud environment – considering the shared responsibility model. Are insurers ready?

For life and non-life insurers, digitalization of sales and distribution is just one of the key trends transforming the industry. In their relentless pursuit of growth, insurers are exploring new business models, new products and services and new ways to deliver value to customers. We believe customer insights, seamless experiences and digital tools are keys to success. So it’s no surprise that many insurers are also looking to cloud technology to enable digital transformation and faster development of new digital products.

Juggling trends and disruption

Insurance companies are confronted with various challenges today. The 2020 edition of the annual EY Global Insurance Outlooks previews various key issues shaping the industry in the near term. The study highlighted the unique challenge of European insurers to stimulate growth and drive innovation in the face of a near-recessionary economic environment. At the time of publication, the impact of COVID-19 had not been factored in and it remains difficult to predict the full reach of the impact.

We will see competition intensifying alongside closer regulatory scrutiny – two trends that will add further complexity to the industry within the next few years. In order to face these challenges and be better positioned on the market, agility and speed in response to new client needs (speed to market) is essential. Insurers seeking to win in the market with competitive advantages will need to think about emerging technologies such as artificial intelligence (AI), machine learning, robotics and cloud computing. Cloud-based infrastructures will allow insurers to use attractive IT-cost models, move from CAPEX to OPEX and apply pay-as-you use services. The result is better flexibility, allowing, for instance, new features and functionality to be tested much faster than in the past while only paying for resources used during testing.

Balancing present needs and future opportunities is also challenging. But there is considerable upside for those insurers that can undertake successful digital transformation programs and seize the opportunities offered by the cloud. Of course, as they transition to the cloud and offer more digitally oriented portfolios and services, insurers must strengthen their cyber security frameworks and keep protecting what matters most. Some are hindered by core legacy systems that remain in place and can prevent insurers from adopting new technology, including launching apps or moving to the cloud.

According to EY’s cloud adoption survey, cloud is the most transformative technology available to financial services organizations. Its top benefits? Speed to market followed by cost optimization and scalability.  Moving to public cloud securely and under strict regulatory supervision requires experience and expertise. Organizations need a partner to define what “good looks like” in a cloud-native environment.

GISS 2019


say that the biggest barrier for cloud adoption is the lack of knowledge and experience

Besides a lack of knowledge and experience, top barriers to public cloud adoption today are regulatory compliance, culture change and security of sensitive data.

Potential risks related to cloud adoption and operation:

When starting the cloud adoption journey, it’s important to assess potential upside and downside risks. This investment early on improves understanding of how to best govern and manage cloud adoption based on a clear cloud strategy derived from the business (transformation) strategy.

Moving to the cloud does not exclusively affect IT; it also has an impact on IT-supported business processes (and thus operational aspects). A holistic view should be adopted from the beginning. Accordingly, insurance companies face various new challenges in the transformation process. The use of a cloud usually results in changes to the risk map. So it’s vital when evaluating the use of cloud technologies to identify and assess any risks at an early stage alongside the opportunities offered by transformation.

When advising clients on various cloud topics we have noticed different aspects of what could go wrong during the cloud journey:

  • Cloud transformation strategy is unclear and/or addressed as pure IT topic. Often missing top management buy-in.
  • Organizations fail to manage people risks
  • Cloud operation responsibilities are not clearly defined – consider the shared responsibility model.
  • Organizations have insufficiently assessed the readiness of in-scope applications leading to the risk that a cloud migration (lift & shift) is executed instead of true cloud transformation.
  • Organizations fail to define a cloud security target operating model (TOM).

It often comes back to the fact that the shared responsibility model is not considered enough. Depending upon the cloud service model chosen, responsibilities are shifted. The cloud service provider is responsible for the security of the cloud and the cloud service client is responsible for the security in the cloud.

Considering and assessing the existing operating model to securely operate, monitor and govern the future IT infrastructure including core business applications and tools is an important task to be able to define how the target operating model should look.

Focusing on the TOM at an early stage and defining how the cloud-based IT-Infrastructure will be operated and governed – in what will most likely be a hybrid, multi-cloud environment – will help companies to better manage and secure their infrastructure in the future. Other key considerations include having the right tools in place to measure compliance of security controls e.g. database encryption controls or access controls.

Compared with other cybersecurity investments in emerging technologies, cloud computing has overall the highest priority.
GISS 2019

What should you consider when defining your cloud (security) target operating model?

All five domains of the NIST Cybersecurity Framework hould be considered when defining security operations. Depending on the cloud service model or combination selected, the following aspects should be considered:

  • Identity and access management (IAM)
  • Directory services (DS)
  • Security information and event management (SIEM), as well as vulnerability and patch management
  • Operation of state-of-the art security measures (e.g. web access firewall (WAF), firewall (FW), IDS & IPS, SIEM systems, data leakage prevention)

How can governance over security controls be ensured in a cloud environment?

In addition to the challenge of rethinking and adjusting existing security operations processes, we believe there is a potential risk of outdated security controls during and after transforming to the cloud. These can stem either from inaccurate prioritization or limited resources to update the controls catalogue. Updating controls includes assessing the current controls catalogue to determine if these controls are still appropriate or if new controls are necessary and whether key risk indicators (KRIs) must be adjusted.

Establishing a proper cloud security operations model will also include the definition and implementation of a solid cloud governance solution framework (CGSF). It’s important to build up a solid Cloud Governance Solution Framework (CGSF) to ensure clarity over regulatory compliance, data classification and data governance as well as operation risk management. EY has developed a dedicated financial sector CGSF which allows organizations to lead cloud regulatory controls.

With regard to resilience and business continuity aspects, we recommend repeating the business impact analysis (BIA) considering the cloud-based IT architecture and cloud target operating model. Companies should also reassess existing business continuity strategy options and incorporate cloud-specific measures into business continuity plans.

Key takeaways

A successful cloud transformation journey starts with stakeholder buy-in. Companies should apply a holistic view and consider all opportunities and risks to understand their future security posture in the cloud. It’s important to consider legal and regulatory requirements and address them taking into account all aspects of the business. Finally, your applications and people need to be ready for the transformation. A cloud risk and readiness assessment lays the groundwork for the next steps.


Having a solid and comprehensive cloud operating model in place, and focusing on security aspects at an early stage of any cloud journey will allow you to protect your most valuable assets, your client data, your intellectual property and to enable options to act fast on the market, to respond to your client needs and to stay client centric providing insurance services to your clients, create trust while transforming and operating your business in secure manner.

About this article

By Reto Aeberhardt

Financial Services Head Cyber Risk Management | Switzerland

Trusted cybersecurity and cyber-risk management advisor. Passionate about emerging technologies that support today’s business transformation. Slalom waterskiing enthusiast.