Security used to mean locking the doors when the last person left the office. But just as premises protection has evolved to include cameras and remote monitoring stations, encoded security badges, and biometric locks, network security has also changed. Basic firewall perimeter defenses, virtual private networks, digital certificates, directory services, and other technological means are designed to help insurers stay one step ahead of hackers, malicious users, and even cyberterrorists. In fact, as insurers extend business functionality to the Web, providing policy and billing information, quotation and application, and account management, the need for robust network security technology has never been greater.
One of the most fundamental, yet problematic, areas of security for all businesses is perhaps the most basic: authenticating the user. In an anonymous electronic environment, and with both security and privacy concerns to consider, how can insurers be certain about the true identity of their Web site users?
"The primary focus of e-commerce security right now is the actual communications path," says Jeff Carley, network security specialist and chief technology officer of Engedi Technologies, Inc. "The Web server will authenticate the connection to the end user using a PKI [Public Key Infrastructure] certificate that the [insurer] will send using SSL [Secure Sockets Layer], which says, 'This really is XYZ Company's site,' to the end user. That's great, if you just want the consumer to be confident the information being sent is really sent to XYZ Company. But before it sends or receives information, the insurance company needs to be sure I'm Jeff Carley before it divulges information to me. There needs to be authentication."
Unlike checking a face against a picture on an ID badge, there is no way that's both completely reliable and universally accepted to authenticate the person on the other end of the connection. The most common attempt is through the ubiquitous user ID and password. That method has its shortcomings, most notably the ease with which passwords can be compromised and the fact that passwords are only as good as the people setting them.
"People choose poor passwords," Carley says. "That's a problem across all industries. If you choose an easy-to-remember password, more likely than not it's a poor password." Choosing your last or first name, spouse's name, pet's name, or even "password" is all too common. They're open to dictionary attacks, where hackers simply try every possible word, as well as other social engineering strategies, such as investigating a user's life to find likely password candidates.
Stronger forms of authentication exist, but they haven't gained traction. Individuals can obtain PKI certificates, but few have. Biometric devices can be incorporated into users' login requirements, but they carry a cost and the installation is outside the control of the insurance carrier. Insurers would therefore alienate a large class of users if they required either of these methods.
On the other hand, while authentication is a problem, it certainly is nothing new or even unique to e-commerce. Consider, for example, the traditional call center. Without face-to-face contact, identifying a caller typically falls to knowledge of detailed account information or unique personal attributes (mother's maiden name, birthplace, challenge questions, and so on). Therefore, rather than authentication, the more common uses of technology beyond securing the communication connection itself are managing identity information and controlling what authorizations users have once authenticated.
The easiest way to administer authorization is simply to grant authenticated users access to the entire network or sub-network. However, according to the research and consultancy firm Ovum (London), a more granular level of control is needed for modern e-business and to satisfy the regulatory requirements insurers contend with. Some insurers also find it's simply a matter of necessity.
Take Progressive, Mayfield Village, Ohio, as an example. The company, well known for its consumer-oriented Web site (www.progressive.com), also has an agents-only site, www.ForAgentsOnly.com (FAO). It allows agents to process endorsements, obtain customer policy and claims information, and access agency production numbers and other data. Premium quotation capabilities are being added to the site: Progressive began to roll out this functionality with a group of agents in Ohio in the summer of 2002 and expects to expand the availability to more agents in 2003 and beyond. Agents either log on to the site directly through their Web browser or communicate via interfaces within agency management systems from Applied Systems or AMS.
Agents use a single ID and password to access the site, and authentication gives them access to most areas of the site with the exception of agency financial data, which is restricted by another password. "It was important we restrict access to commission statements only to personnel whom the agency itself deemed appropriate," says Alvito Vaz, Progressive's IT manager responsible for the FAO site.
When Progressive first rolled out the site in the late 1990s, it relied on existing security from its legacy environment. As the site grew in functionality, however, the insurer implemented a Lightweight Directory Access Protocol (LDAP) security structure for the agent portal to add both better security and redundant points of control in the event of mainframe failure. Specific details of the system's components could not be released.
The key to keeping authorizations current has been daily synchronization between different databases. "We sweep our security database against our distributor databases and merge or purge as needed to keep the security database in sync," explains Vaz, who also has been involved with industrywide initiatives regarding security, such as the Agents Council for Technology's efforts to standardize agent passwords across company systems.
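The daily sweep Vaz describes is, in identity-management terms, a joiner/mover/leaver reconciliation: the distributor database says who is currently appointed, and the security directory is brought into line with it. The following is an added example, not Progressive's code or anything from the article; the agent IDs, agency codes, role names and both record sets are constructed to show the merge (provision), correct (fix drifted entitlements such as the separately restricted commission-statement access) and purge (disable orphaned logins) decisions.

```python
from dataclasses import dataclass, field

# Constructed sample of the authoritative distributor (agency) database:
# agent_id -> (agency_code, entitled_to_commission_statements)
DISTRIBUTOR_DB = {
    "A1001": ("AG-OH-01", True),
    "A1002": ("AG-OH-01", False),
    "A2005": ("AG-PA-07", False),   # newly appointed, not yet in the directory
}

# Constructed sample of the portal security directory (e.g. LDAP entries):
# agent_id -> {"agency": ..., "roles": {...}}
SECURITY_DIR = {
    "A1001": {"agency": "AG-OH-01", "roles": {"policy", "claims", "financials"}},
    "A1002": {"agency": "AG-OH-01", "roles": {"policy", "claims", "financials"}},  # over-entitled
    "A0999": {"agency": "AG-OH-03", "roles": {"policy", "claims"}},  # left the agency; orphan
}

BASE_ROLES = {"policy", "claims"}   # what every authenticated agent gets
FINANCIAL_ROLE = "financials"       # commission statements, separately restricted

@dataclass
class SweepResult:
    merged: list = field(default_factory=list)      # joiners: accounts to provision
    purged: list = field(default_factory=list)      # leavers: orphaned accounts to disable
    corrected: dict = field(default_factory=dict)   # agent_id -> role set to enforce

def expected_roles(entitled_to_financials: bool) -> set:
    """Roles an agent should hold, derived from the distributor record."""
    return BASE_ROLES | ({FINANCIAL_ROLE} if entitled_to_financials else set())

def sweep(distributor: dict, directory: dict) -> SweepResult:
    """Compare the security directory against the distributor database and
    produce the merge/purge plan. The distributor DB is the source of truth
    for who is appointed; the directory only decides who can log on."""
    result = SweepResult()
    for agent_id, (agency, entitled) in distributor.items():
        want = expected_roles(entitled)
        entry = directory.get(agent_id)
        if entry is None:
            result.merged.append(agent_id)
        elif entry["roles"] != want or entry["agency"] != agency:
            result.corrected[agent_id] = want   # drift: fix the entitlement
    for agent_id in directory:
        if agent_id not in distributor:
            result.purged.append(agent_id)      # never leave orphaned logins active
    return result
```

Running `sweep(DISTRIBUTOR_DB, SECURITY_DIR)` on the constructed data provisions A2005, strips the financials role from A1002, and disables A0999; in production the plan would be applied to the directory and logged for audit.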
Missing Info
A challenge for some insurers is a lack of existing data needed to administer an authorization system with a detailed level of control. "Many companies simply don't have rich identity information, don't have a means to capture it, and have no way of managing it. So even if they determine an access role field is needed in the directory server, how can they take their business processes and administer it?" asks Nand Mulchandani, co-founder and CTO of Oblix, an identity management solutions provider.
When an insurer has determined a particular identifier is a necessary component to authorization, the task falls either to the insurer or to the users to add that information. Generally, companies take the latter approach, either asking users to provide such information as a prerequisite for granting initial access to the system, or by loading whatever partial information may exist in other supporting systems and relying on users to cleanse the data with use. "Insurers may preload a directory with whatever dirty information they have, then open up the administration to the users," Mulchandani explains.
Passing responsibility to the user also is a way companies have addressed another problem of authorization; namely, the cost to administer changes, which increases along with the granularity of access control and the number of users. "We have the ability to have an agency administer its own users and passwords to give different users different levels of authority," explains Progressive's Vaz. Right now, that capability mainly is being used by the larger agencies.
Without having at least the ability to allow users to administer their own access, insurers will incur the costs to reset passwords and to add, remove, or modify authorizations. "Businesses underestimate the cost of moving business processes to the Web," Mulchandani explains. "We see businesses open the floodgates to this whole set of people they didn't manage before; then, six months to a year later, they realize they're getting too many password resets and their help desk is overtaxed."
Identity and security management are not only time-consuming challenges for insurers, but for customers and agents as well. Dealing with multiple user IDs and passwords across numerous insurers' sites is one issue; another is when multiple log-ons are required at an insurer's site. Almost universally, insurers are working to include either consistent sign-on (CSO), where users may need to enter a common ID and password at different areas of the site, or single sign-on (SSO), where only one log-on is needed.
Springfield, Mass.-based MassMutual (www.massmutual.com) is working to provide SSO access to its producer portal. Like many insurers and financial services firms, MassMutual's portal connects users to a number of legacy systems, each of which has its own security architecture. "When producers go to an annuities application, they may use credentials that reside in an SQL database," explains A. Scot Miller, the insurer's chief architect for information security. "For a different system, they may use their name and password in an LDAP directory. At a customer site, they may use an ACF2 or RACF identifier."
MassMutual is evaluating its current technology (which, for security reasons, could not be named) to determine if any is robust enough to address the synchronization required to support SSO. "It will require connecting each of these legacy systems to a metadirectory, or virtual directory, which will in turn give us a consolidated access point for delegation, provisioning, and identity administration," Miller explains.
Security Meets Privacy
As insurers address issues of security, they find related issues of privacy and confidentiality arising from federal regulations, such as HIPAA, Gramm-Leach-Bliley, and the Patriot Act, as well as from a myriad of state regulations to which they are subject. A forward-looking security-management program must take all these related elements into consideration.
Many privacy provisions concern not only safeguarding access to confidential information, but also guaranteeing the integrity of that information. Insurers find they must assess the entire chain of consumer/agent/company communication and decide what technology, or business practice, is appropriate. For instance, MassMutual realized that while the Web-based communication between the company and its customers could be secured, e-mail could not. "Unless you have established an electronic relationship involving the exchange of private keys, e-mail simply isn't secure," says Miller.
Therefore, although policyholders can, for example, pay premium invoices online, copies of bills or confirmation of payments are not directly e-mailed to those policyholders. To provide users with this information yet still maintain secure communications, MassMutual is considering sending policyholders e-mail that contains embedded hyperlinks to this confidential data. "This will allow policyholders to come back over to an SSL-encrypted session," Miller explains.
The Weakest Link
Perhaps the biggest threats to Web security are still the points in the chain where human impact trumps technology. Laptops can be stolen, printed reports get misplaced, and users simply might not follow good security procedure. "If you go into agents' offices, they probably have a list of passwords taped to their desktop, which isn't the most secure," says Vaz. Though there will never be a way to eliminate bad practice, Vaz adds, "We're working through industry groups to improve that through education and development of standards that simplify agent workflow."
High-tech solutions, such as embedded biometric technology, can be used to render devices inoperable in the event of theft but carry an added expense. Users can be educated on the importance of security, on protecting property and passwords, and on good computing practices such as clearing Web page caches and regularly scanning thin-client PCs for viruses, Trojan horses, and malicious scripts. Insurers also can require the use of more complex passwords, containing both alpha and numeric characters, to reduce vulnerability to dictionary attacks and social engineering.
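A password rule that only demands letters plus digits still accepts "P@ssw0rd1" and "Fluffy2003", exactly the poor choices Carley describes earlier (names, pets, the word "password") and the first candidates a dictionary attack tries. This added example, not from the article or any insurer named in it, shows a server-side acceptance check that enforces the alpha-plus-numeric rule and also normalizes common substitutions before comparing against a wordlist and the user's own personal terms; the wordlist and user terms are constructed stand-ins.

```python
import re

# Constructed stand-in for a real cracking dictionary (thousands of words in practice).
COMMON_WORDS = {"password", "welcome", "insurance", "summer", "buckeye"}

# Digit/symbol substitutions that cracking tools try automatically; undo them
# so that 'P@ssw0rd' is judged as the dictionary word it really is.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

def normalize(candidate: str) -> str:
    """Lowercase, drop a trailing run of digits (e.g. '2003'), then undo leet
    substitutions: 'P@ssw0rd1' -> 'password'."""
    core = re.sub(r"\d+$", "", candidate.lower())
    return core.translate(LEET)

def check_password(candidate: str, user_terms: list, min_len: int = 10) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.
    user_terms are the person's own name, spouse, pet, etc., taken from the
    identity record (constructed here)."""
    reasons = []
    if len(candidate) < min_len:
        reasons.append("too short")
    if not re.search(r"[A-Za-z]", candidate) or not re.search(r"\d", candidate):
        reasons.append("must contain both letters and digits")
    core = normalize(candidate)
    if core in COMMON_WORDS:
        reasons.append("dictionary word")
    for term in user_terms:
        t = term.lower()
        if len(t) >= 3 and (t in core or t in candidate.lower()):
            reasons.append(f"contains personal term '{term}'")
    return reasons
```

For the constructed user terms ["Vaz", "Fluffy"], "P@ssw0rd1" is rejected as too short and a dictionary word, "Fluffy2003" meets the letters-plus-digits rule but is rejected for the pet's name, and a random "k7Tq!m9Lw2" passes.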
But in the end, no amount of technology can address every network security risk, a fact of e-commerce that is paralleled in everyday life. "People worry about secure online credit card transactions but don't think twice about handing a credit card to a server at a restaurant who disappears with it for five minutes," says Lauri Ingram, senior program director in META Group's insurance information strategies service. "There will always be gaps, no matter how much technology is put in place."
Cyberterrorism
Both hackers and cyberterrorists are threats that can cause serious damage to insurers' networks and back-end systems. However, there are some key differences between the two. Hackers attack networks for sport or target a particular company for revenge or criminal intent. Terrorists target companies purely for social or strategic impact.
"Regardless of the attacker, the basic prevention and defense are the same," says Jeff Carley, network security specialist and chief technology officer of Engedi Technologies, Inc. He explains the two biggest security holes in insurers' cyberterrorism security strategies are failures of business, rather than technology. Insurers need to develop a security strategy with the full support of management and their board. Then there needs to be extensive awareness training, including everyone who has interaction with the network, from the mailroom to the agents with cellular-based laptops.
Carley believes a key defense against cyberterrorism will involve making stronger partnering connections. The insurance industry should be looking toward consolidating access to an industry-centralized or third-party distribution hub, such as the auto repair networks that currently exist. Although those networks require the difficult work of standard-setting and cross-carrier cooperation, they not only offer greater security, but also ultimate cost savings due to greater access control and the consolidation of identity- and security-management functions.
Insurers also should carefully consider their authorization strategy as part of their hacking and terrorism security measures. "It's easier to administer [security] if you give every authorized user access to everything," Carley says, "but that's not the most secure." Different people need different access, which is harder to administer, although the tools for doing so are getting better.
Finally, part of a Web security strategy is testing the controls and technology in place. This is something that can be done either by or in connection with a security consultant or with the use of hacker tools. Understandably, the availability of hacker tools is not widely publicized, and we will not do so here. However, there are resources available to point insurers in the right direction in their testing efforts. These include:
The SANS (SysAdmin, Audit, Network, Security) Institute – www.sans.org
The Terrorism Research Center – www.terrorism.com
Financial Services Information Sharing and Analysis Center – www.fsisac.com
© Arc, All Rights Reserved.