How RSM helped a large insurance carrier in its move to the cloud
CASE STUDY
The importance of migrating systems and data to the cloud has taken on a renewed sense of urgency over the last year, and some companies have made a mad dash to transition away from their traditional on-premises approach on a compressed timeline as a result. But enthusiasm around the rush to the cloud—especially as cyberattacks remain as prevalent as ever—can open the door to new risks, and businesses need to be sure they have the proper systems in place to account for security amid the transition.
In making the leap to the cloud, one major U.S. insurance company hired RSM to provide independent assurance around the processes the company was using to implement and validate its security in the cloud. From late 2020 into 2021, RSM used a mix of scalable automated and manual testing techniques to meet the company’s needs and address a wide scope of security concerns.
“They needed to have a company that had the right experience with cloud providers to analyze their security with an independent view, and they had limited personnel within their own company,” said David Llorens, secure architecture director at RSM. The complexity of the cloud environment the company adopted made a third-party review especially crucial.
“Bringing someone from the outside and basically helping them to ensure that they are going in the right direction, and identify risks they haven’t thought of, was incredibly valuable for them,” Llorens said.
A comprehensive view
The size of the insurance company in this case—an organization with thousands of employees and business applications distributed across various data centers and cloud providers—was a significant factor, because the company wasn't making the shift to just one cloud provider. Rather, it was moving its data over to roughly 500 different cloud provider platforms (accounts) for various functions.
“We had to have people who understood security risks within different cloud providers, had an understanding about what processes were implemented at the enterprise level and could identify if they were consistent across different cloud environments,” said Llorens.
Here were some of the issues RSM helped the client address:
- Developing a standardized approach to identity and access controls
- Ensuring flexibility among research and development teams, to continue innovating while also adhering to security protocols
- Reducing risk of inadvertent data exposure
- Identifying risk of ransomware/deletion of cloud resources
- Reducing risk of malicious insider activity in relation to information technology systems
- Architecting and implementing pipelines to manage IT infrastructure and software development, throughout the life cycle of those components
Data security and privacy are increasingly important in the insurance sector as companies in this space are collecting more data from customers than ever before, thanks to Internet of Things technologies and telematics. Using the cloud to store such sensitive data and provide services to clients makes sense, especially from a scalability perspective—but only if the company has the proper systems in place to protect the information.
RSM scaled the use of automated scanning tools to gather data on this client’s security posture rapidly and then analyze those results. The firm was able to review processes and technology from end to end, providing a holistic perspective on the associated risk, and also developed a three-year cloud road map that helped the organization rework its own security strategy and develop a risk-based approach toward projects.
RSM’s professionals brought a balanced mix of extensive technical knowledge and governance experience to this project. Governance without the technical details needed to protect technology will leave clients with a shallow perspective on the security risk exposures they have. Extensive technical knowledge without governance will leave clients with several issues to resolve but a lack of clarity regarding the business impact, associated compliance concerns and a holistic view on how to remediate the root cause of these issues.
RSM has cross-disciplinary teams that provide the technical depth and business acumen that clients require to align their IT security strategy to business metrics and goals.
That background proved useful in navigating the scale and complexity of the security practices and business functions that RSM assessed for this client, especially in these three areas:
- Vast amounts of data: “When we talk about the complexity of this project, it really is unparalleled because the organization has something along the lines of 500 different cloud provider accounts,” said Wes Ladd, manager at RSM. “And any one of those accounts can basically be representative of its own data center. It’s such a dynamic environment.” In its security assessment of the insurer’s cloud systems, RSM found several issues related to identity and access management.
- System architecture: Being a market-leading insurance company, the client, in this case, has complicated needs when it comes to system architecture, including connectivity between data centers, cloud platforms and on-premises data. RSM’s professionals assessed whether the company had the right architecture in place to ensure a seamless flow of data between all these different environments.
- Organizational complexity of the business: Various business units throughout this insurance company had a major stake in its migration to the cloud. This organizational complexity required understanding everything from governance requirements to technical configurations to technology choices. RSM was able to provide a holistic view of how all these elements worked together and how to address various functions coherently.
Most companies decide to embark on moving their data and systems to the cloud because such platforms offer a dynamic infrastructure that allows them to scale up with ease. But with that greater flexibility for growth comes a new set of security considerations, different from what legacy businesses may be accustomed to addressing for data they store on-premises. For most companies, such as this insurance carrier, having a third-party advisor familiar with the complexities of the cloud environment is essential to keeping data secure.