Insurance companies are huge reservoirs of personal information. After the cyberattacks on Optus, Medibank and Latitude compromised the personal data of millions of Australians, have the country’s giant insurers changed their approach to cyber security?
In January, the insurance giant Suncorp announced a three-year agreement with Microsoft. The deal, said a media release, allows the insurer to increase use of the Microsoft Azure cloud and will facilitate the migration of 90% of its IT systems up to the cloud by the end of this year.
IB asked Charles Pizzato (pictured above), Suncorp’s executive general manager of IT infrastructure, if the recent attacks led to any changes in this partnership arrangement? Or are there features in this agreement specifically designed to deal with the cyber threat?
“I might take it from two different lenses, from the cloud lens, and then the workplace tech lens separately,” said Pizzato.
He said the recent cloud partnership deal with Microsoft actually followed a change in his firm’s position concerning the division of its data between the cloud and data centres. Last year, he said, Suncorp planned to ultimately retain some data in data centres.
“We actually changed our position to say we’re going to exit data centres and cloud will be our default, there won’t be an on-premise environment,” he explained.
One of the factors driving that decision, he said, was the high level of cyber security available in the cloud. Pizzato said that became apparent when his team was investigating the cloud’s “best in breed” control framework and ensuring Suncorp’s “baseline” was up to that level.
“We’ve built that over a period of months with Microsoft and we’ve got a number of different controls that operate right across that cloud environment to give us comfort that our data is unequivocally safer in a cloud environment than it would be in the data centre,” said Pizzato.
Suncorp’s executive GM of IT infrastructure said this safety is not just a feature of Microsoft’s cloud but that firm does invest very heavily in cloud security.
“I do absolutely believe that the benefits in having workloads in the cloud around security are enormous,” said Pizzato. “Microsoft pump billions of dollars into security every year, many more times than what an organization like Suncorp could.”
The other security strategy, he suggested, that his firm has changed in recent months, is a more focused commitment to a “defence in depth strategy.” This approach provides protections at all layers of the environment, rather than primarily around the perimeter.
Pizzato gave the analogy of an egg and its hard shell. Many organisations, he said, typically have security like an egg, so once you get through the shell, everything is “pretty squishy” and open to attack.
This includes attacks where a criminal will literally walk into an organisation’s office and plug a laptop into a network.
“This is actually how breaches often happen,” said Pizzato. “So it’s not just about securing the shell, every layer within the organization’s security framework needs to be tight and that makes it much more complex to be able to penetrate an organization’s security controls,” he said.
Pizzato said his firm’s “control framework” now has a “much more hardened environment right through the stack.” For example, there are now more specific controls over what applications and people can access across the network.
Through an existing enterprise agreement with Microsoft, he said, the end user side of his firm’s operation is protected. This includes security controls built around zero trust architecture. He said Microsoft is using artificial intelligence (AI) to “fundamentally shift the complexity of actually being able to get inside an organization.”
“If you take advantage of that, you absolutely, inherently get a level of a level of security baseline that is just far above what you could get if you’re using disparate technologies from a number of large organizations,” said Pizzato.
However, he said Microsoft is not its only source of security controls. Suncorp, he says, also uses CrowdStrike and Netskope.
“We do have CrowdStrike for our endpoint security,” said Pizzato. He said this firm is doing some “really good things” in the endpoint security space. Netskope is used to secure information going through SaaS services.
He also said artificial intelligence is playing a greater role in cyber security. During a recent meeting with Microsoft at the tech firm’s Seattle headquarters, Pizzato said presentations covered everything from endpoints to ChatGPT.
Pizzato said a simple example of how AI is currently being used by Microsoft is to identify multiple log-ins on a device from different locations and then take action to block access to the account.
“That’s an example of AI saying, ‘Well, it’s physically impossible for someone to be in those two places at once, there’s something going wrong here,” he said.
How do you see the cloud and cyber security? Are you confident customer data is safe? Please tell us below
