Security of SaaS cloud solutions

suchona.kani.z
Posts: 56
Joined: Sat Dec 21, 2024 6:20 am

Post by suchona.kani.z »

The cloud has now become an undisputedly fundamental piece of the puzzle on the path to the digital transformation of corporate IT. As part of this, insurers are dealing with the change - the disruption - of their entire corporate IT, their applications and platforms as part of digital projects. All against the background of the search for cost-cutting potential and efficiency optimization within the corporate organization. Cloud or SaaS solutions make a significant contribution here.

In the past, companies bought their software (on CD-ROM, for example) and installed it locally. Today, however, applications can be obtained directly from the cloud as software as a service (SaaS). However, SaaS cloud solutions must be critically examined with regard to the necessary operational data protection. Before companies use such solutions, they should check whether and what measures need to be taken to ensure a legally appropriate level of data protection. Such an examination is not only the responsibility of the companies using them, but primarily of the providers of SaaS cloud solutions. The following reference architecture provides an overview of the complex tasks and the variety of components that must be maintained and managed by a service provider/IT service provider.


Tasks and components of service providers/IT service providers at a glance, Source: IT manual / 10th edition – Westermann 2017

These can be very different applications and/or platforms and levels of complexity:

Microsoft 365 for normal office applications
CRM solutions for sales matters
Inventory solutions for insurance companies to map the core business
Platforms for insurance brokers to communicate with insurers

The operational IT security of insurance companies is thus essentially shifted outwards, i.e. to the SaaS cloud service provider. This means that IT service providers are held more responsible when it comes to complying with the regulatory requirements for insurers. All dependencies and interfaces must be considered and taken into account.

Where are the data protection risks?
One of the key questions is what types of data - for example personal data - are transmitted. It is also important to clarify where the data is transmitted to, i.e. where the servers are located. Strict guidelines now apply within the EU, which usually ensures a high level of data protection for the cloud provider. If the data is transmitted to third countries (not EU member states or outside the EEA), an adequate level of data protection must be guaranteed there.

At the same time, additional requirements may apply to SaaS providers. Depending on the server location, framework conditions for operational data protection are also of great importance.

Regulations that need to be taken into account depending on the initial situation:

BaFin – VAIT (Insurance Supervisory Requirements for IT)
BSI – Criteria Catalog C5 (Cloud Computing Compliance Criteria Catalog)
General Data Protection Regulation (GDPR)
Criminal Code (StGB)
EU data protection regulations
Data Act
Digital Operational Resilience Act (DORA)

Holistic consideration of the relevant security aspects
What all the regulations under consideration have in common is that they are a continuous process. As part of the contractual nature of the relationship between an insurer and a service provider, continuity and thus control on the part of the service provider must be guaranteed - for example up to other third-party providers, i.e. additional external service providers.

The establishment of an internal control system (ICS) for corporate IT is an essential component with a key role.

Our experts at adesso are clearly in a position to advise insurers on their way through the “regulatory thicket” and thus ultimately create an interlinking between the company’s ICS and the SaaS cloud environment.

This makes an essential contribution to insurers, who receive lasting, tangible support in fulfilling their regulatory audit obligations.

You can find more exciting topics from the adesso world in our previously published blog posts.

author Dimitrios Archontakakis

Dimitrios Archontakakis is Managing Consultant in the Center of Competence - SaaS at adesso. He has many years of in-depth experience in software development as a product manager for portfolio management solutions in primary insurance and reinsurance.