Field adjusters, sales staff and agents, traveling executives. The number of road warriors and home officers demanding access to corporate data and applications continues to increase at many companies. Yet insurers actually are ahead of the curve in providing that access, according to Chris Kozup, analyst at META Group. "We find insurance more advanced than other industries," he says.

Providing remote access is one thing; securing it is quite another. "Security is only as good as the weakest link," says Randall Palm, director of IT at the Computing Technology Industry Association (CompTIA). And typically, the weakest link in remote access is not the security technology itself. Rather, it is the difficulty in controlling the hundreds or thousands of endpoints (the various devices by which users access corporate networks and information) IT departments could manage more easily if those devices always were behind the firewall.

Securing the Endpoint

Regardless of the type of endpoint used (desktop, laptop, PDA, Web phone, or other device) or the type of connection (wired or wireless), effective security begins with a multilayered approach. "Thorough security is based on defense in depth, meaning a hacker will have to defeat more than one countermeasure to achieve any disruption or interception of the business functions," Palm says. "A secure endpoint will use a firewall, antivirus [software], software security updates, and VPN [virtual private network] software, in addition to good employee training."

Keeping security technology current at the endpoint, including installing the latest patches, virus definitions, and other upgrades, does become more complicated in the remote access environment. Vendors have stepped into the space to help ensure endpoint protection is up to date.

For example, in Trade Talk (April 2003), Prudential Financial said it uses Sygate's Secure Enterprise to enforce and automate security practices. Remote users dial into Prudential's corporate network and establish a VPN, whereupon the Sygate enforcement server challenges the Sygate security agent to make certain the endpoint is compliant with corporate security policy.

Insurers also must consider what happens if the endpoint itself is lost or stolen. "In insurance, where we're transaction-oriented, there isn't much likelihood of [a hacker] obtaining transaction information," says John Sarich, insurance industry marketing manager in the consulting practice at FileNet. "But it absolutely changes the scenario if and when users store information on their corporately provided or personal devices."

In fact, META Group maintains the biggest security threat remains the loss of small computing devices that now can store hundreds of megabytes of proprietary enterprise data, according to its 2003 Pervasive Security Update report. Encryption of files and disks and boot-up and network-access authentication are essential, as are centralized backup and recovery strategies in the event of device loss.

Authentication, however, remains a weak link in the remote security chain. First, human nature leads some users to find ways to bypass inconvenient boot-up authentication. Second, authentication measures themselves still are primarily just IDs and passwords (what you know) and, in fewer cases, include a second factor of security certificates and smart cards (what you have). Biometric devices (who you are) still are uncommon, according to a consensus of sources in this article, and other measures, such as systems to alert of attempted access from unexpected physical locations (where you are), are rare. Further, the META report maintains almost all PDA operating system passwords are completely insecure because they are simple and not securely stored.

"For all major platforms, there are known mechanisms to circumvent user passwords. Palm and PocketPC systems both have had back doors that allow debuggers to access system files, completely bypassing the user password. Without rigorous password enforcement in combination with data encryption, device security is very low," says David Thompson, senior research analyst in META Group's Technology Research Services.

Lastly, if the endpoint device is lost, insurers need to have in place a way to shut off the access of that device to the network, assuming device authentication controls are compromised. Health insurer Lumenos, for instance, provides its sales force notebooks, and Lumenos CTO Chad Pomeroy reports the carrier's VPN can restrict network access at the device level if a notebook is lost. Also, user logon information is not cacheable.
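The enforcement-server check described in the Prudential example and the device-level cutoff Lumenos describes can be modelled as one policy decision: the agent reports its posture, the server compares it against policy and against a list of devices reported lost. The following is an added illustration, not Sygate's, Lumenos' or any vendor's code; the field names, thresholds and device records are constructed assumptions.

```python
"""Endpoint compliance check before VPN access: an added illustration of the
enforcement-server/agent exchange and lost-device cutoff described above (not
Sygate's, Lumenos' or any vendor's code; all values are constructed samples)."""
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Posture:  # what the security agent on the endpoint reports to the server
    device_id: str
    firewall_on: bool
    av_definitions: date   # date of the newest installed virus signature set
    patch_level: int       # highest installed security update (hypothetical counter)
    disk_encrypted: bool

@dataclass
class Policy:  # corporate remote-access policy the enforcement server applies
    max_definition_age_days: int
    min_patch_level: int
    require_disk_encryption: bool
    revoked_devices: set = field(default_factory=set)  # reported lost or stolen

def evaluate(posture: Posture, policy: Policy, today: date):
    """Return (allowed, reasons). A revoked device is refused regardless of its
    posture, since its authentication controls are assumed compromised."""
    if posture.device_id in policy.revoked_devices:
        return False, ["device revoked: reported lost or stolen"]
    reasons = []
    if not posture.firewall_on:
        reasons.append("personal firewall disabled")
    if (today - posture.av_definitions).days > policy.max_definition_age_days:
        reasons.append("antivirus definitions out of date")
    if posture.patch_level < policy.min_patch_level:
        reasons.append("security updates missing")
    if policy.require_disk_encryption and not posture.disk_encrypted:
        reasons.append("disk not encrypted")
    return not reasons, reasons

# Constructed sample policy and agent reports.
TODAY = date(2003, 11, 15)
POLICY = Policy(max_definition_age_days=7, min_patch_level=12,
                require_disk_encryption=True, revoked_devices={"NB-0042"})
REPORTS = [
    Posture("NB-0007", True, date(2003, 11, 14), 12, True),   # compliant
    Posture("NB-0019", False, date(2003, 10, 1), 11, True),   # three failures
    Posture("NB-0042", True, date(2003, 11, 15), 13, True),   # lost, so revoked
]

def check_all(reports=REPORTS, policy=POLICY, today=TODAY):
    """Map device id -> (allowed, reasons) for every agent report."""
    return {p.device_id: evaluate(p, policy, today) for p in reports}
```

The returned reasons are what a user-facing dashboard (as at Lumenos) would show so the user can remediate before reconnecting.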

Securing the Connection

Carriers, such as P&C insurer Country Insurance & Financial Services, whose auto-damage appraisers have been using notebook computers for more than five years in the field, contend with supporting and securing multiple remote connection methods. The primary use of the notebooks at Country Financial is for connection to the insurer's estimating partner, ADP, using the security built into the ADP estimating program and a direct modem connection.

According to Brad Lockwood, support analyst at Country Financial, connection to ADP is made using wireless modems, built into Panasonic CF-28 Toughbooks, which access the Cingular Interactive (formerly Mobitex) network. The insurer has stayed with this direct connection method, rather than an Internet-based one, because the Cingular infrastructure is more established than wireless Internet currently is, and coverage is more important to appraisers than connection speed.

Additionally, field staff can make a direct-dial connection to the Country Financial network and also have a software-based VPN available for Internet-based connections, which ultimately will replace the current modem-based connection to ADP. Finally, the insurer augments its security technology with a policy that prohibits users from installing any additional software on their machines.

Because insurers have been providing remote access for some time, and since direct dial-in was the earliest means of access, modem-based firewalls are a key line of defense for many insurers. For Internet-based connections, establishing a VPN still remains the security method of choice, and among the various technologies, including IPsec (IP Security Protocol), SSL (Secure Sockets Layer), and Microsoft's PPTP (Point-to-Point Tunneling Protocol), IPsec VPNs currently are, by far, the most widely used among insurers.

However, as users demand access from more locations, including public hotspots, and from more devices, including kiosks and similar non-owned endpoints, the VPN equation becomes more complicated. The one drawback to IPsec VPNs, particularly in supporting mobile devices, is they require a client application running on the endpoint, meaning the user must control the endpoint, and these clients must be updated over time.

This has led to some current interest in purely Web-based versions of SSL VPNs, which rely on the SSL technology that is part of most browsers. The difference between SSL and an SSL VPN is that SSL is designed to secure only the communication between the endpoint and the connecting device, whereas an SSL VPN, by virtue of creating a private network, secures the environment for the applications users have access to.

SSL VPNs are most useful today for securing access to e-mail, a primary need of remote staff, as well as other Web-based systems on an application-by-application basis. Boutique vendors such as Whale Communications, Netilla Networks, and NetScreen offer SSL networking applications, and in November 2003, Cisco announced it had added clientless SSL capabilities to its flagship VPN appliance.

At the international insurance brokerage Willis, about 3,000 of the firm's 13,000 total employees use Whale Communications' e-Gap for secure remote access to e-mail. The company also provides secure direct dial-up access to nearly 35 percent of its users, who have full access to network resources, according to Mark Burnette, global information security officer at Willis.

The brokerage also supports approximately 300 power users who utilize an IPsec VPN client and a personal firewall on either company-provided or personal PCs for Internet-based connections. They use two-factor authentication for all remote access, requiring RSA SecurID tokens in addition to IDs and passwords.

"[Whale's e-Gap] integrates seamlessly into our existing SecurID infrastructure," Burnette reports of Willis' experience with the system, installed in late 2002. "Users who already have an access token can use the same token to connect via Whale, the IPsec VPN, [or] dial-up."

Willis is looking to e-Gap to help consolidate its security infrastructure going forward, including replacing its current IPsec VPN to connect more remote staff with less effort and overhead. "[e-Gap] does not require a client, and that's one of the reasons we're excited about it. With [our] IPsec VPN, we have to be able to control the remote machine, to say, 'We can't connect you unless you put this piece of software on your PC,'" Burnette explains.

Clientless versions of SSL VPNs also can allow remote, secure access from a variety of devices or connection points. "Agents come in all the time from computers not under your control," explains Joseph Steinberg, director of technical services at Whale Communications. "Particularly if they're coming in from a kiosk, when they complete their section, there should be no data on that machine. Regular Web browsers have auto-complete, caches of pages that come in that it stores to improve performance, and opened attachments stored in temporary files. What an SSL VPN can do [vs. a basic SSL connection] is wipe the data off the access device."

Key Challenges

On the plus side, as insurers try to meet the demands of users for any time, anywhere access to information and applications, they have available continually better and less expensive security solutions. "Highly sophisticated security models now are available for customers under $100 per node. Considering the value of the intellectual property that is dependent on a trustworthy architecture, it's a bargain," says Palm.

However, there are some common challenges carriers need to address. The first is securing remote access can be a rocky marriage of new and old technology. "Almost every company has a complex infrastructure," says Ståle Ekelund, manager in Accenture's security practice. "The most common problem is they don't have a comprehensive access-management strategy already in place. They have too many user stores, and the system is not integrated. And now they're adding a new dimension, a new [security] system, which exacerbates that complexity."

Ekelund therefore advises, regardless of how readily insurers may be able to grant access, they need to consider security first. "When we talk [to insurers] about security in design, security often is an add-on. But security should be considered from the beginning. It's also important to have it in the implementation, because your components could be individually secure but their connectivity flawed. Finally, security is an ongoing operation; it's not static."

Also, insurers sometimes have found the security measures they deploy for users based outside the office don't translate when those workers come into the office. Ekelund cites an example of a field employee bringing a PDA infected with a virus into an insurer's headquarters. Without proper controls, "You will go directly into the network or synch with your PC, and the [security] perimeter will not be aware of that because you're already inside, using a trusted channel," he says.

Niche vendors have offered solutions to ensure endpoint devices are checked before they are connected behind the firewall: Sygate's Secure Enterprise does this, as do systems from competitors InfoExpress and Zone Labs.

At Lumenos, "My focus is when users come in, making sure they don't have any more access than they would with our VPN," Pomeroy explains, although he was not at liberty to disclose the type of security technology in place. Users are presented a dashboard to install updates if their software is out of date, and Lumenos' IT department has a program in place for routine updates, as well.

Education and Security Practices

Because providing remote access is a technological issue, it's tempting to view remote-access security as solely a technology problem, too. Yet the human component of security breaches needs to be considered as fully as the possible hacking of networks or the spreading of viruses. According to META Group, poorly managed environments that lack clear policy direction regarding appropriate use, management, or security are the surest ways to compromise applications and data.

Accenture's Ekelund adds, "I have seen too often companies have invested millions of dollars in technical and logical security. If that is compromised by [employees] who don't play by the rules, if they don't have a security policy, or if the users are not aware of the policy and how they should behave, everything is compromised."

In fact, the single easiest security exploit is not computer hacking but, rather, social engineering, according to Palm. "A hacker can send an e-mail to 1,000 people, asking for their login name and password credentials, and somebody is likely to reply to the hacker. Employees need to understand security is a weakest link issue and the easiest way for a hacker to obtain otherwise-secure information simply is to ask for it. [Insurers] need to look to IT security training and certification to reduce this factor of human error."

Finally, just because insurers don't provide a certain type of remote access now doesn't mean they won't be faced with demands from increasingly tech-savvy field staff in the future. Therefore, they must plan accordingly. "The business needs to have a more proactive strategy [for remote access security], especially such businesses as insurers that do have a mobile workforce," Kozup says. "They're going to be met with more and more requests for different access and network types in the future."
