Cloud and compliance REX

Cloud & Compliance: SCOR experience. Les jeudis de l’Afai, 2nd of June, 2016. Henri Guiheux, Group CISO

Transcript of Cloud and compliance REX

Page 1: Cloud and compliance REX

Cloud & Compliance

SCOR experience

Les jeudis de l’Afai, 2nd of June, 2016

Henri Guiheux, Group CISO

Page 2: Cloud and compliance REX


Cloud & Compliance: Agenda

1 Cloud evolution and Regulatory pressure over the past 5 years

2 Cloud Experience of SCOR

3 Cloud Trends

Page 3: Cloud and compliance REX


Cloud & Compliance: Cloud evolution and regulatory pressure over the past 5 years

IT infrastructure models

Traditional architectures: on premises, co-location, outsourcing

Cloud infrastructure: public, private, hybrid, sovereign cloud; IaaS, PaaS, SaaS

Big cloud players: Amazon AWS, Google, Microsoft Azure, ...

Increase of data leakage and cyber attacks: Wikileaks, Snowden, Sony, Target, Anthem, Ashley Madison, T-Mobile, US government agency ...

Global environment highly regulated for SCOR

Directives & standards: Solvency II, HIPAA, GLBA, U.S. Privacy Shield, General Data Protection Regulation

Financial authorities: Autorité des marchés financiers (AMF), Autorité de contrôle prudentiel et de résolution (ACPR), Financial Industry Regulatory Authority, Inc. (FINRA), Monetary Authority of Singapore (MAS), Swiss Financial Market Supervisory Authority (FINMA), China Insurance Regulatory Commission (CIRC), Prudential Regulation Authority (PRA) ...

Appearance of security assurances from cloud providers to provide trust: BSI 27001, SSAE 16, ISAE 3402, SOC 1 Type 1, SOC 2 Type 2

Page 4: Cloud and compliance REX


Agenda of the meeting

1 Cloud evolution and Regulatory pressure

2 Cloud Experience of SCOR

3 Cloud Trends

Page 5: Cloud and compliance REX


Cloud & Compliance: SCOR Experience: Approach

SCOR cloud strategy

Develop digital with the same SCOR IT resources

Use a centralized private cloud where applicable for IaaS or PaaS

Select cloud SaaS where appropriate

SCOR implementations since 2012

Move servers from SCOR premises or co-location datacenters to the centralized private cloud

Keep on SCOR premises only the minimum equipment that strictly requires proximity

Promote SaaS solution implementation

SCOR security & compliance

Assess and monitor the security of cloud providers

Enforce SCOR IT internal control using the COBIT framework, including the cloud environment

Align SCOR IT internal control with regulators' security requirements and client security & data privacy commitments

Move toward SOC 1 and SOC 2 certifications for services provided to its clients

Page 6: Cloud and compliance REX


Cloud & Compliance: SCOR Experience: SaaS implementation

Corporate services: time tracking, general expenses, purchase to pay, e-learning, security awareness, ...

Collaborative services: institutional web site, social network, streaming video

Security services: mail security gateway, authentication, security operation center

Business services: marketing, CRM, specialized risk expertise services

Additional services to come: messaging, business continuity (mass notification message), privacy compliance service, ...

Page 7: Cloud and compliance REX


Cloud & Compliance: SCOR Experience: Lessons learned

Cloud is neither magic nor simple.

Different levels of security and compliance maturity are observed among cloud-based service providers.

Risk assessment during selection and contractual clauses (compliance, security, audit, intellectual property, reversibility, SLA, ...) are key steps.

Transferring IT activity to the cloud involves an IT management transformation, moving from a doer role to a controlling/monitoring role with the capacity for formalization.

Network and technical architecture become critical to avoid:

Performance, reliability and quality issues

Interfacing issues with other IT systems

Hidden costs related to configuration and integration must be anticipated.

A strong internal control framework must be established to enable quality and performance conformance and compliance with external requirements (COBIT 5 is very valuable).

Page 8: Cloud and compliance REX


Agenda of the meeting

1 Cloud evolution and Regulatory pressure

2 Cloud Experience of SCOR

3 Cloud Trends

Page 9: Cloud and compliance REX


Cloud & Compliance: Cloud trends

Key to monitor cloud players in a very competitive and moving industry

Increase of Private Cloud offers to be competitive with Public Cloud offers

Cloud evolution driven by IoT

Key to watch disruptive cloud technology that is more economic, secure and productive:

Data encryption at rest

Application containers (data isolation)

Container hypervisors

Software modelling enabling complex configuration: ready to use, dynamically scalable, highly automated, fully traceable