The IEEE is leading efforts to create interoperability standards for cloud computing. CIO Alexander Pasik has also been thinking about how businesses should deal with their concerns about cloud security, and sharing his thoughts with InformationWeek. He says that one of the reasons why customers are happy to let banks handle their money, rather than keeping it under the mattress, is that bank deposits are insured. Pasik suggests that cloud providers should offer similar security against a data breach.
As I've noted elsewhere, the cyberinsurance market is heating up. I agree with Pasik's analysis, and I particularly like this statement: "Security can't be guaranteed, but it can be insured."
But I take issue with a statement made elsewhere in the article - and not, I hasten to say, attributed to Pasik. This is the idea that "the damage done by a security breach usually can be quantified financially so enterprises that suffer one could still be compensated". The word I'm picky about is "usually".
I've been reading Douglas W. Hubbard's book How To Measure Anything, and it's made me hypersensitive to claims that there are unmeasurables in business. Hubbard would change that "usually" to "always". If the damage can't be quantified financially, then it isn't damage. And, as Hubbard mentions in the book, insurance is all about quantifying intangibles - putting a value on abstract things, and putting a price on potential events.
On a different tack, perhaps cloud providers should look at the other reasons why customers trust banks. Isn't a big reason that the banks provide services among themselves that customers could not afford to perform for themselves? Life would grind to a halt without the national and global payment systems. And then there's the payment of interest.
What could cloud providers do to emulate these banking benefits? They could imitate banking payment systems by offering to ship data securely between parties on scheduled dates. They could add more value by brokering collaborative processes between their users, so that, for example, an electronics retailer and an insurer could work together to sell breakdown cover without the need for any systems integration by either party.
Cloud providers could even replicate the concept of interest by "paying" their customers with anonymized, aggregated usage data culled from across the cloud's total activities. All of these measures would require a substantial change in service relationships - but all industries have to evolve if they're to survive and thrive.