While some large enterprises avoid moving to the cloud because of rigid security and compliance requirements, one company flipped that argument: SCOR opted for the cloud for a key block of its business precisely because of the cloud’s rigid security and compliance offerings.
About the Business
SCOR is a leader in the life reinsurance market in the Americas, offering broad capabilities in risk management, capital management and value-added services and solutions. A number of primary insurers use SCOR’s automated life underwriting system, Velogica, to market life insurance policies that can be delivered at the point of sale. Other companies use Velogica as a triage tool for their fully underwritten business. Velogica receives applications via the insurer’s e-application software, immediately pulls third-party information, combines it with the application information and runs it through a sophisticated algorithm. The algorithm brings all the underwriting factors together and produces a final decision for the policy – approve, deny, or refer to underwriter.
“Through the Velogica system, we get thousands of life insurance applications a day from multiple clients,” explains Dave Dorans, Senior Vice President. “Velogica is a significant part of our value proposition and is important to the future of our business.”
Data security has always been a priority for SCOR, but the issue became even more critical as data breaches at some of the largest and most respected companies made headline news. SCOR decided to invest in a state-of-the-art data security framework for Velogica. “We wanted clients to have full confidence in the way Velogica stores and handles the sensitive personal data of individuals,” Dorans said.
SCOR’s goal was to have Velogica accredited as a Service Organization Control (SOC) 2 organization – a competitive advantage in the marketplace – by aligning with one of the more respected information security standards in the industry. Determining what it would take to achieve that goal became the responsibility of Clarke Rodgers, Chief Information Security Officer with SCOR Velogica. “We quickly determined that SOC2 accreditation for SCOR’s traditional, on premise data center environment would be a monumental task, could cost millions of dollars and perhaps take years to complete. Moreover, while SOC2 made sense for Velogica, it wasn’t necessary for other SCOR businesses.”
AWS: a simpler option for security
Rodgers decided to go a different route: move SCOR’s Velogica business to the cloud. He knew that Amazon Web Services (AWS) aligned with every major security and compliance framework that the company would need and more, including SOC 2. AWS’s Shared Responsibility model clearly defines the security relationship between AWS and its customers, allowing Rodgers to plan how to build out Velogica’s security model on top of AWS’s security focused infrastructure. “The sole driver for moving to the cloud was increased security and compliance,” he said.
The strategy involved isolating Velogica from SCOR’s application portfolio to viably attain the SOC 2 certification while also relying upon AWS for the application’s back-end compliance needs. “Generally, going with AWS was an easy decision because we felt they had the best features, broad service offerings, ease of use and they would help us get up and running quickly.”
First, Rodgers needed to convince the company of the credibility and security processes of AWS. The IT department came on board quickly, seeing that if Velogica didn’t go to AWS it could be challenging to get certified in SOC 2 globally and that could deliver a trickle-down hit on revenues for the Velogica business.
Working with 2nd Watch and Alert Logic
After receiving corporate approval for using AWS, the next hurdle was determining how to handle the migration. Rodgers knew that the company had limited cloud expertise, and acquiring sufficient knowledge and the related skills would take considerable effort, time and expense. AWS referred him to 2nd Watch as a highly recommended Premier Partner. SCOR began working with the cloud migration and management services firm in September of 2014. The 2nd Watch team helped SCOR design and test the new environment and migrate Velogica to AWS. They also provide ongoing help in managing and supporting the application.
Part of the new environment is Amazon WorkSpaces, AWS’s hosted desktop offering, which the SCOR Velogica team uses for day-to-day operations and which enables the application isolation required to meet SOC 2 compliance.
SCOR also needed an in-depth security solution to handle security monitoring and compliance within its dynamic AWS infrastructure. After evaluating the options for continuous threat detection and log management, Rodgers took 2nd Watch’s recommendation that Alert Logic was the most comprehensive offering.
With deep security insights, Alert Logic builds solutions for cloud scale. Their 24×7 Security Operations Center means SCOR has an extension of their team with expert security analysts to provide best practice recommendations every step of the way. “The expertise we now have at the ready is phenomenal. We have comprehensive security for our business critical application in AWS and dedicated Alert Logic analysts to advise us on how to remediate and bolster our security even further to continuously thwart attacks,” Rodgers said. “The Alert Logic component was easy, since it’s seamless in our AWS environment. We know as we scale, they’ve got us covered.”
Benefits of 2nd Watch and AWS
2nd Watch’s expertise with AWS and familiarity with many different migration scenarios and issues have been especially helpful to SCOR and the Velogica team. “They came in and quickly understood our technical infrastructure and how to replicate it in AWS, which is a huge feat,” Rodgers said. Other benefits include:
Adherence to specific security needs: To help complete SCOR’s compliance requirements for Velogica, 2nd Watch undertook and completed its own SOC 2 accreditation. 2nd Watch also implemented several security elements in the new AWS environment, including: encryption at rest in Amazon Elastic Block Store (EBS) volumes leveraging the AWS Key Management Service (KMS), Amazon Virtual Private Cloud (VPC) to establish a private network within AWS, security groups tuned for least privilege access, Security-Enhanced Linux, and AWS Identity and Access Management (IAM) Multi-Factor Authentication (MFA).
AWS optimization: 2nd Watch has helped SCOR identify opportunities for optimization and efficiencies on AWS, which will help down the road if the company wishes to expand the AWS-hosted application to regions outside of North America. “With our SOC2 Type 1 behind us, we are now focused on optimizing our resources in the AWS Cloud so we can fully exploit AWS’s capabilities to our security and business benefit,” Rodgers explains. “We will rely on 2nd Watch for guidance and assistance during this optimization phase.”
Cost savings on AWS: Rodgers hasn’t done a full analysis yet of cost savings from running the infrastructure on AWS, but he’s confident the migration will eventually cut up to 30% off the price of hosting and supporting Velogica internally.
For Rodgers, having 2nd Watch as a technology partner has been like having an insurance policy behind his company’s first bold move to the cloud. “Being a pioneer is great, and while there’s been healthy skepticism for the project, we also got a lot of support for the strategy. It’s much less risky with a partner like 2nd Watch that has so much experience with the cloud and specifically Amazon Web Services.”
For more information on SCOR and Velogica, visit www.scorgloballifeamericas.com.