Arik Hesseldahl

Recent Posts by Arik Hesseldahl

Are Cloud Companies in Denial About Risk?

March 16, 2011 at 9:48 am PT

A little more than two years ago I wrote an article for BusinessWeek about a prediction by the analyst Mark Anderson about the potential for a catastrophe in the cloud. It’s only a matter of time, Anderson argued, before something goes terribly wrong with the entire notion of cloud computing, something so bad–a service would go down or a nasty hacker attack would expose or destroy data–that those more careful CIOs who resisted the cloud would end up looking smart.

It hasn’t happened yet, but Drew Bartkiewicz read it and became rather taken by the idea–so much so that he registered the Web domain name cloudcatastrophe.com. Once a regional sales manager for Salesforce.com, he had already drunk deep of the Cloud Kool-Aid. By the time he registered the domain, though, he was working in the insurance industry underwriting insurance policies for technology companies as vice president for cyber and information security risks at The Hartford.

His unique job history has led him to start asking fundamental questions about cloud computing and its business models that should if nothing else give some potential cloud customers pause and nudge cloud service providers–as varied as Salesforce, Amazon Web Services, Microsoft Azure and the like–to think about something they rarely talk about: Risk.

Don’t confuse this with security. Talk to the executive of any cloud provider, as I did recently with Adam Selipsky of Amazon, and you quickly find out that cloud providers take security seriously and they mean it, because without it they’re out of business.

Rather, the question is this: If a cloud catastrophe happens–critical, financially valuable data is breached or exposed or destroyed on a large scale–who’s financially liable for the damage to the customer’s business? Is it the cloud provider, who agreed to manage the data on behalf of the customer? Or is cloud computing still a use-at-your-own-risk sort of thing? The answer is, there is no clear answer. Bartkiewicz thinks the cloud computing industry will have to start answering it, and soon.

Bartkiewicz recently launched a new company called CyberFactors that aims to do two things. First it evaluates cloud providers for the risk they assume based on the amount of data they manage. Second, the firm helps develop warranties that cloud providers can offer to their customers and cloud policies for insurers so that both sides of the cloud relationship can be prepared for the worst. I caught up with him last week after he spoke at the Cloud Connect conference in Santa Clara, CA.

NewEnterprise: In a nutshell, what do you think is wrong with the cloud computing business models that are so popular and winning over so many customers?

Bartkiewicz: I’m an old Salesforce guy, so I was a big believer in the cloud, and then I got involved underwriting technology risk for insurance companies. I started to see some very interesting patterns emerge. The cost of failure is going up. So are the number of data breaches, and so are the laws imposing regulation on companies that handle data. Cloud computing companies are not being required to address in their models the implied financial liabilities they have on their balance sheet.

So where’s the implied risk you’re talking about?

If you take 100,000 customers of cloud computing companies, each is going to value their data in very different ways. Some use the cloud merely to track sales leads, others use it for trade secrets. Still others have identifying information on their customers. If a cloud company were to wind up suffering a catastrophic breach it would be in the long-term position of arguing with the customer over the value of the data compromised. The end result is a tremendous off-balance sheet liability, and shareholders and analysts who follow these companies aren’t connecting the dots. They need to be asking tough questions about this.

So where do you come into the picture?

Right now the thinking among the cloud companies is that any problem created by technology can be solved by more technology. They talk a lot about security, and they’re serious, but this isn’t a security issue. There’s not an industry in the world that doesn’t disperse risk through the means of insurance. I don’t mean to suggest that the cloud companies need to get insurance. What I mean is that they need to make insurance easy to get and affordable for their customers.

Wouldn’t something like risk be covered in a service-level agreement?

Right now the norm is that cloud companies cap their indemnification at the value of the contract. So if you spend $10,000 a year on a cloud application, the maximum you can get in the case of a breach is $10,000. But the data in question could be worth many times that. The average cyber-incident in our models costs $4.5 million.

And what does Cyberfactors actually do?

It’s a risk quantification tool. Companies that have cyber risk on their books today, whether or not it’s in the cloud, can make better informed transactions with cloud companies. Companies who use cloud computing need to know who absorbs the cost to fail, given the cost to fail is going up. There is a record number of class action lawsuits over privacy breaches, and regulators are imposing a lot of costs that result from a breach that have to be absorbed. This is a global problem in terms of data liability. Second, we have a platform called Cloudinsure.com that tries to “mash” cloud computing with insurance. Cloud computing needs massive risk transfer in order to save itself from itself.

So what companies are you working with?

I can’t say, but I can say we’re working with two cloud companies right now to help them design warranties. We just launched the company. And if a cloud has too much risk, and the warranty approach doesn’t make sense, we can also design insurance policies and then bring in the insurance companies to help back it.

What do the cloud companies think of this? Have you taken the idea to them?

I brought this concept to a cloud company. When I told them they need to disperse their risk, they said it would slow down the sales cycle. It was quite telling because the number one growth pattern for companies right now is denial.

Tagged with: Amazon Web Services, Arik Hesseldahl, cloud computing feature, cloud feature, cloud insure, cyber factors, data, Drew Bartkiewicz, insurance, liability, Microsoft Azure, NewEnterprise, risk, Salesforce.com

Apple Denies Working with NSA on iPhone Backdoor

December 31, 2013 at 8:49 am PT

You Won’t Believe All the Crazy Hardware the NSA Uses for Spying

December 30, 2013 at 12:15 pm PT

HP Is Negotiating to Settle Bribery Charges

December 30, 2013 at 8:45 am PT

CIOs Brand Enterprise Social Tools as Most Overhyped Technology of the Year

December 30, 2013 at 3:39 am PT

Malware Attacks by Syrian Pro-Government Hackers Are on the Rise

December 27, 2013 at 1:27 pm PT

Latest Video

View all videos »

Search »

You Say Goodbye and We Say Hello

Walt Mossberg and Kara Swisher in Media

The NSA and the Corrosion of Silicon Valley

Michael Dearing in Voices

You Won’t Believe All the Crazy Hardware the NSA Uses for Spying

Arik Hesseldahl in News

View all today’s news »

Uncovering a More Useful Android Lock Screen

Bonnie Cha in Product Reviews

Lenovo’s Bendy Yoga 2 Laptop Makes All the Right Moves

Lauren Goode in Product Reviews

Space Monkey Peer-to-Peer Digital Storage System Offers Better Backup

Katherine Boehret in The Digital Solution

Diabetes Data Beamed to Your Phone

Walt Mossberg in Personal Technology

Nokia Lumia 2520: A Solid Windows Tablet in Need of Apps

Bonnie Cha in Product Reviews

View all reviews »

There was a worry before I started this that I was going to burn every bridge I had. But I realize now that there are some bridges that are worth burning.

— Valleywag editor Sam Biddle