Last week’s possibly lightning-caused outages at Microsoft and Amazon Web Services reiterated a very important lesson in cloud computing: Stuff happens, and even the best-laid plans won’t stand up to an act of god or faulty electrical infrastructure. That’s why the burgeoning field of cloud insurance looks even better than ever. A well-thought-out insurance model will address the actual costs and risks of cloud outages or security breaches, for both customers and providers.
Consider the situation with AWS. April’s four-day outage and last week’s hours-long outage had entirely different causes. In the first instance, properly architected applications stayed up and running throughout or suffered only minimal downtime. AWS’s post-mortem of last week’s incident tells a story of root electrical-infrastructure problems that didn’t discriminate in who it affected. If the hardware that powers the cloud isn’t running, even certain high-availability and disaster-recovery strategies might be rendered ineffective.
In both cases, the compensation for affected customers was the same: 10-day service credits equal to 100 percent of their usage. That’s fantastic in terms of getting paid back — and then some — for the actual downtime, but what about the opportunity costs of going down? In the case of a prolonged outage, what about the costs of having to stand up alternative resources in order to get an application back online? Standard contracts from commodity cloud providers like AWS don’t provide for compensation beyond service credits, and for good reason.
Cloud providers also stand to benefit from an insurance system. Not only will the availability of policies allay some cautious potential customers’ concerns about moving to the cloud, but insurance policies for providers will help offset the cost of dealing with an outage. Those service credits cost money, after all, as do steps taken to investigate and resolve outages and implement improvements to prevent future incidents.
This doesn’t even touch upon the damages that can arise from a security breach that results in the exposure of sensitive data. State and (possibly soon) federal statutes might require both cloud providers and their customers to notify affected users of the data breaches and take other steps toward remediation. Lawsuits, fines and other legal issues might start piling up. As it stands right now, everyone’s costs are their own, which probably is fair, but for some, it might appear like a lot of risk to assume.
Cloud insurance to the rescue?
Thankfully, it looks like cloud computing insurance might actually be a reality in the near future. As I detailed in a recent GigaOM Pro piece (sub req’d), both the IEEE and private companies have recognized the importance of developing an insurance model custom-built for the cloud.
One particular company, CloudInsure, appears to have the right idea. At a high level, its approach involves vetting cloud providers, cloud customers and the value of the data, and then determining premiums accordingly. In practice (the company is still in its developmental phase), it should work a lot like auto insurance. Just like make, model, safety features, geographic location, miles driven and other factors affect car insurance premiums, so too will various factors around provider- and customer-side security and availability procedures, as well as the potential costs to resolve an incident, affect cloud insurance premiums.
However, anyone attempting to create an insurance model around the cloud really has to understand where risk lies and how the business model works. There aren’t yet any real standards in place for how to build secure, reliable, multi-tenant clouds that span geographic boundaries, or to build applications that run atop them. It might be easy to make draw inspiration from traditional outsourcing arrangements, but cloud computing with its standard contracts and on-demand resources aren’t traditional outsourcing.
For its part, CloudInsure already is working with a number of cloud providers, including AWS, Microsoft and Salesforce.com. That should help it better understand the unique aspects of cloud computing and its various models, such as Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service.
Ultimately, cloud insurance isn’t about acknowledging that cloud computing isn’t safe or reliable as much as it is about acknowledging that cloud computing is fallible like anything else. AWS, Microsoft and their customers can do everything right, then, BAM!, lightning strikes and everyone’s left counting their losses. It might be comforting to know that someone else will help foot the bill.