The Definitive Guide To SaaS Solutions For The Insurance Industry

TABLE OF CONTENTS

EXECUTIVE OVERVIEW
WHAT EVERY INSURER NEEDS TO KNOW ABOUT SAAS
BUSTING SAAS MYTHS
AN EVALUATION CHECKLIST FOR LOOKING UNDER THE CLOUD HOOD
PATH TO IMPLEMENTATION FOR ENTERPRISE SAAS PROJECTS
SERVICE LEVEL AGREEMENT CHECKLIST
CONCLUSION AND NEXT STEPS
APPENDIX

EXECUTIVE OVERVIEW

When terms are used interchangeably, their definitions and differences tend to blur. Such is the case with much of the terminology surrounding cloud computing. The term "the cloud" is often used to describe myriad computing platforms, but there are significant differences between cloud computing, Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).

The differences are more than just semantics. A misunderstanding of what a particular solution provides can mean the difference between a successful technology implementation and one that is over budget and drags on well past the anticipated go-live date. It can mean the difference between a technology solution that delivers on its promises and one that fails to deliver.

Insurance carrier executives, technical and non-technical alike, need to understand the differences between various types of cloud computing. By doing so, they can select a technology platform that will deliver the anticipated benefits and support the carrier's growth strategies.

Designed primarily for a non-technical audience, this E-book:

- Provides an overview of the cloud computing environment
- Highlights important differences between cloud deployment models, with a focus on the benefits of SaaS
- Busts the prevailing myths about SaaS
- Outlines an evaluation checklist that carriers can use to determine if a supposed SaaS offering meets the true definition of SaaS
- Offers a path to implementation for getting SaaS projects up and running

WHAT EVERY INSURER NEEDS TO KNOW ABOUT SAAS

As you enter your dark home and flip on a light switch, do you ever think about how electricity travels from the electric company along the electrical grid to your lamp? Probably not, as most of us just assume that the electricity will be there when we need it. Whether you are turning on a nightlight or illuminating the entire house, the right amount of electricity is delivered to each lighting fixture in the right wattage on demand.

Cloud computing is analogous to the electrical grid: The cloud is computing power available on demand and delivered directly to every device that needs access to the Internet.

Carry the analogy further: Like the electrical grid that requires wiring and light bulbs that allow you to use electricity, cloud computing also requires a delivery method. The three most commonly used methods of delivering this computing power are Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). (For complete definitions, see Glossary of Terms.)

IaaS is similar to the electricity company delivering electricity to the street where you live. You would be responsible for bringing the electricity into your home. PaaS would deliver electricity to your home, yet you would be responsible for building the electrical sockets. In SaaS, all you provide are the light bulbs and lamps.

It's obvious that the vast majority of homeowners desire to simply plug in a lamp and receive electricity rather than figuring out how to deliver electricity to their homes. In similar fashion, a SaaS delivery model is the most complete framework of cloud computing, giving insurance carriers access to software solutions over the Internet, typically through a web browser. It's an end-to-end solution and requires very little, if any, development work by the carrier.

CLOUD DELIVERY METHODS COMPARED

IaaS (Example: Amazon)
  Level of Customization Required: High
  Provider Responsible for: Storage, Hardware, Software, Networking, Components
  Customer Responsible for: Development Tools, Applications

PaaS (Example: WordPress)
  Level of Customization Required: Medium
  Provider Responsible for: Storage, Hardware, Software, Networking, Components, Development Tools
  Customer Responsible for: Applications

SaaS (Example: Salesforce.com)
  Level of Customization Required: Low or None
  Provider Responsible for: Storage, Hardware, Software, Networking, Components, Development Tools, Applications
  Customer Responsible for: Customization Only If Required

BUSTING SAAS MYTHS

A variety of SaaS myths prevail. Here are the most common myths, and the truth behind them.

Myth: ALL SAAS SOLUTIONS ARE CREATED EQUAL.
Reality: What's under the hood can make or break your implementation and your budget. Your vendor may claim that it offers a SaaS solution, but in fact, it's installing its software on servers at a third-party data center. These data centers, located anywhere in the world, can represent significant security risks.

Myth: SAAS IS A NEW TECHNOLOGY AND, THEREFORE, RISKY.
Reality: Salesforce.com, perhaps the most well-known example of an enterprise solution, has been available since 1999 and boasts many insurers as clients, including Aon, Allianz, Blue Shield of California, and USAA. In addition, there are many SaaS success stories in other industries including manufacturing, government, retail and high tech.

Myth: SAAS REQUIRES A RIP AND REPLACE OF LEGACY SYSTEMS.
Reality: Insurers can adopt a strategy that allows them to quickly incorporate SaaS into the existing legacy environment and slowly retire legacy systems as it makes sense for the business.

Myth: PRIVACY AND DATA SECURITY ARE A PROBLEM IN A SAAS PLATFORM.
Reality: Vendors with well-developed SaaS systems have adequately addressed privacy and data security. Data segmentation, dedicated servers, and user authorization and access controls are just a few of the measures vendors use to meet insurer demands for privacy and security. The federal government has even shown its support for SaaS with its Federal Cloud Computing Strategy. Government agencies including the National Aeronautics and Space Administration (NASA), the Department of Defense (DoD), and the Department of Treasury Office of the Comptroller of the Currency (OCC) are using SaaS for a variety of applications requiring a secure environment.

Myth: MY INSURANCE CARRIER IS TOO LARGE/TOO SMALL TO MAKE SAAS WORTHWHILE.
Reality: "In the past, the most likely carriers to use SaaS were either very large or very small organizations. Today, carriers of all sizes are leveraging SaaS, driven by the availability of many different solutions via SaaS as well as the general maturing of solution capabilities," said Chad Hersh, Novarica's Managing Director of Insurance Practice.

AN EVALUATION CHECKLIST FOR LOOKING UNDER THE CLOUD HOOD

Although there are instances in which an insurance carrier may want to devote the time and resources to an IaaS or PaaS delivery method, most carriers, like most homeowners, would prefer to purchase a SaaS solution that enables them to turn on the lights with no development and yet easily customize the solution to meet their unique needs.

Unfortunately, the blanket term "cloud computing" is often used to describe IaaS, PaaS, and SaaS solutions. To ensure carriers receive the type of cloud computing delivery method that will meet their needs, carriers can use the following checklist to better evaluate a vendor's claim that its software runs in the cloud.

REGULATORY COMPLIANCE:

- Are there documented policies and internal controls that meet recognized industry standards such as SSAE16?
- Can legal counsel review all agreements, customer master service agreements, and all other binding agreements?
- Is there a tier certification based on the definitions provided by the Uptime Institute (www.uptime.com)?
- Are policies and controls in place for accessing internal systems and resources, electronic communications, and devices including mobile or portable devices, notebooks, tablets, smartphones, and removable media?
- Is there a data breach policy to ensure accurate and timely execution of the policy?
- Is there a data disposal policy?
- Is there a data retention policy?
- Is there a data privacy policy based on industry best practices?

RISK MANAGEMENT:

- Are system and data backups performed on an automated and regular schedule with logging, alerting, and notification?
- Are systems and data backups on any media always encrypted?
- Are backup media stored offsite securely using an appropriate industry standard media rotation?
- Is there adequate redundancy to mitigate local equipment failures?
- Can you ensure ongoing operations as a result of any realized natural or manmade risks?
- Does a disaster recovery plan exist and are there controls to ensure accurate and timely execution of the plan?
- Are there controls to audit and monitor systems to identify unauthorized software installation and baseline deviations?
- Are there controls to ensure servers and equipment are patched and/or upgraded based on industry-accepted standards?

OPERATIONS MANAGEMENT:

- Can adequate data be collected regarding capacity, utilization, and performance?
- Do you provide regular capacity and performance metrics?
- Do you provide adequate transparency of the incident management process?
- Do you monitor all third-party services in event of provider failure?

INFORMATION SECURITY:

- Are support and operations staff adequately trained?
- Is formal security awareness training for cloud-based services available?
- Do all employees, contractors, and third parties have appropriate employment and non-disclosure agreements and appropriate background checks?
- Do all new employees, contractors, and third parties have appropriate and timely provisioning of access?
- Is de-provisioning of terminated employees, contractors, and third parties conducted in a timely manner?

INFRASTRUCTURE SECURITY:

- Is anti-malware software installed?
- Is there an intrusion detection system with regular and automated updates?
- Is a time-service protocol used on all servers, systems, and applications?
- Are configuration, deployment, and operations activities conducted across only secured networks?
- Are audit logs restricted to authorized personnel?
- Is event information from all sources centrally collected, logged, and secured?
- Are access and audit controls for the production environment in place?
- Are application vulnerability assessments of the SaaS infrastructure performed in accordance with industry best practice guidelines?
- Are internal security audits performed in accordance with industry best practice guidelines?
- Can network perimeter or application vulnerability testing be performed?
- Can unauthorized wireless network devices be detected?

APPLICATION SECURITY:

- Is encryption protocol for all services enforced?
- What level of multifactor authentication is supported?
- What level of sign-on integration or identity federation for authorizing or authenticating is used?
- Can information security and application access requirements be based on role or context?
- Are password reset and security supported?
- Is encryption available to protect application data?
- Is transaction activity logged within the system to provide an audit trail?
- Is transaction activity logged within the application delivery service?

LIFECYCLE MANAGEMENT:

- Are application change requests properly logged, tracked, prioritized, authorized, coded, reviewed, tested, and deployed through an established process?
- Are data validation tools and scripts used to identify the integrity of calculations and expected workflow?
- Are performance-testing tools and scripts used to identify performance issues prior to a production release?

APPLICATION SUPPORT:

- Does an incident management process exist, and is there a dedicated team to receive, log, manage, and escalate issues?
- Is live human support available via telephone, email, or live chat?
- What level of dedicated account management is offered for help with configuration and maintenance?

PATH TO IMPLEMENTATION FOR ENTERPRISE SAAS PROJECTS

TO ENSURE A SUCCESSFUL ENTERPRISE SAAS IMPLEMENTATION, FOLLOW THESE STEPS:

1. Outline the benefits you want to achieve from a SaaS implementation. It's only by understanding your ultimate destination that you will be able to determine which offering is right for your organization. Benefits include reduced costs, speed-to-market, flexibility and collaboration across geographies.

2. Create a written requirements document that defines the actual nuts and bolts of what the software solution should provide. The document should include a description of current processes with the goal of making incremental changes to these processes. The objective is not to reengineer entire processes but to highlight areas to test improvement ideas.

3. Require the SaaS provider to sign an SLA before finalizing a contract (see the Service Level Agreement Checklist).

4. Determine which IT resources will be needed. A SaaS implementation should require less IT support.

SERVICE LEVEL AGREEMENT CHECKLIST

This SLA checklist will help you evaluate a cloud service provider's maturity, experience, and ability to provide effective cloud-based solutions.

1. AUDIT AND COMPLIANCE: The cloud service provider should clearly state how and when its controls are audited, and make the audit results available to clients. A standard such as SSAE16 should be used as the basis for the audit, and a reputable, independent third party should conduct the audit on an annual basis.

2. AVAILABILITY: The provider should offer a system availability commitment that documents which percentage of time the system (including a client's business-critical workflows) will be continuously available. This availability should be objectively measured using automated scripts that also incorporate access to third-party services made available from the provider's platform. The percentage of system uptime and number of scheduled maintenance windows should be outlined.

3. BUSINESS CONTINUITY: The provider must outline its disaster recovery plans, explicitly stating its primary site redundancy positioning and RTO/RPO commitments to ensure adequate protection. Disaster recovery tests should be performed regularly and documented, with the results available for review.

4. CUSTOMER SUPPORT: The provider should explain how its customer support staff will provide the skills, knowledge, and expertise required to support a client's business and technical needs.

5. GEOGRAPHIC PRESENCE: The provider must ensure that its systems and associated operations and customer support teams are available to service the client's business.

6. LOCATION OF DATA: The cloud service provider must be able to clearly identify where a client's data is stored and how the applicable data provenance requirements are enforced.

7. MAINTENANCE: The provider should outline the types of maintenance tasks it performs and its associated maintenance window schedule.

8. PERFORMANCE: The provider must clearly state its response time objective, and should have a monitoring solution that can objectively and transparently measure performance commitments outlined in its SLA.

9. PRIVACY: The provider should clearly state how client data is secured (including encryption algorithms) and kept private from other clients and third parties.

10. SECURITY: The provider must be able to provide documented security policies and evidence that these policies are being followed. Third-party penetration testing should be performed and the results made available for review.

ONE FINAL ITEM TO CONSIDER: Before selecting a cloud service provider, conduct an on-site visit of its data center. This will allow you to inspect the provider's environment and further explore its security controls.

CONCLUSION AND NEXT STEPS

Although the terms IaaS, PaaS, and SaaS are often used interchangeably, all cloud computing delivery methods are not created equal. A SaaS solution requires the least amount of development work for the carriers since the infrastructure and platform are included. With the SaaS framework, the carrier has only to customize screens.

SaaS BENEFITS

"For small carriers with limited IT resources or budget, SaaS may allow them to get onto a modern system and compete more nimbly. For mid-sized carriers, SaaS offers a way to cost-effectively modernize core systems. For large carriers hindered by legacy systems, SaaS provides speed to market for new products."
Source: Chad Hersh, Novarica, Managing Director of Insurance Practice

"SaaS for core insurance offers valuable benefits in the long run, especially in terms of the commercial model, maintaining application currency, and supporting efficiency."
Source: Jamie Macgregor, Senior Analyst, Celent

"Cloud computing, SaaS, and hosted solutions are expanding insurers' outsourcing options and promise to help companies be more agile, competitive, and cost-effective."
Source: Insurance Accounting & Systems Association (IASA)

ABOUT OCEANWIDE

Founded in 1996, Oceanwide has been at the forefront of delivering SaaS insurance software for 18 years. Bridge, the latest offering from Oceanwide, offers a new approach to insurance policy administration systems. Designed from the ground up to be fully configured without custom programming, Bridge empowers insurers, MGAs, and brokers to take creative new ideas to market in weeks, not years. For additional information, please visit oceanwide.com, or call (888) 289-7744.

APPENDIX

GLOSSARY OF TERMS

APPLICATION SOLUTIONS PROVIDER (ASP): A service provider remotely hosts and manages the servers on which an application resides. ASP differs from cloud in resource allocation: cloud computing shares infrastructure whereas an ASP or hosted environment is created for each individual client.

CLOUD COMPUTING: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

HYBRID CLOUD: A cloud infrastructure comprised of two or more distinct cloud infrastructures.

INFRASTRUCTURE AS A SERVICE (IAAS): The capability to use processing, storage, networks, and other fundamental computing resources and run software such as operating systems and applications. The user has control over operating systems, storage, deployed applications, and select networking components (e.g., host firewalls).

PLATFORM AS A SERVICE (PAAS): The capability to use consumer-created or acquired applications developed using programming languages, libraries, services, and tools supported by the provider.

PRIVATE CLOUD: A cloud infrastructure provisioned for exclusive use by a single organization, either on or off premises.

PUBLIC CLOUD: A cloud infrastructure provisioned for open use for the general public.

SOFTWARE AS A SERVICE (SAAS): The capability to use the provider's applications running on a cloud infrastructure through either a thin client such as a web browser or a program interface. SaaS applications are always offered on a term or per transaction basis.

Source: Adapted from National Institute of Standards and Technology, U.S. Department of Commerce; Software as a Service: Insurance-Ready at Last, Chad Hersh, Novarica, Managing Director of Insurance Practice.