Security people are the problem solvers in IT, but they rarely get to celebrate victories for long before new challenges arise. As Accenture's Steve Barlock says, "Like everything in security, you knock these issues down one brick at a time."
Lately, the bricks have been piling up around Web technology. More carriers have made their systems Web enabled, so the focus has shifted from protecting network systems locked inside the IT department to providing secure access to agents and policyholders alike. With the technology becoming more fluid, so, too, has the access of people using the technology, presenting greater challenges in dealing with these mobile applications.
Independent agents connecting to the Penn National Insurance Web site enter a secure network, according to Thomas Miele, manager of information security and IT risk management for the insurer. "When they come into our network from their various offices, [agents] actually are coming into a protected network that is unique to us and controlled by a system based on their identities, the normal user ID/passwords, and some special codes they have to enter," says Miele. "Those authentication methods are the key to allowing them to take the next step."
Barlock, the senior executive who leads Accenture's security consulting practice in North America, has observed today's trend in financial services involves identity and access management. Enterprise identity management typically is focused internally on employees, but Barlock believes it is extending to consumers and prospects. "The future is about extending the existing platforms with a variety of plug-ins and third-party services to better enable an organization to know you are who you say you are," he says. "There are approaches such as in-line identity scoring and various validation databases on the back end."
Like all security people, Miele always is concerned someone will try to find a way to beat the system, but he admits to feeling more comfortable with protecting his company's Web site than he is with Penn National employees taking a laptop and leaving the company headquarters. "How many times have you read where an employee lost a laptop with names, addresses, and Social Security numbers on there?" he asks. "We have security protections in place, but when [employees] are moving around with a laptop or a tablet PC, we don't want them putting sensitive data on it."
Miele isn't naïve enough to believe everyone abides by that rule, though, so Penn National has encryption technology that locks down the machine the minute it is shut off. "If someone would steal the laptop and grab the hard drive, it is useless because [the hard drive] is encrypted," he says.
Miele's biggest concern involves transporting private information. Penn National's policy is employees are not allowed to e-mail any such items unless they are encrypted.
John Girard, vice president and distinguished analyst in Gartner's security research group, agrees the biggest mobile security challenge remains the loss or theft of devices. Only 40 percent of mobile devices used in business have robust data encryption on them, he contends, which means there are significant gaps, but he adds insurers have done a better job than other industries.
The number-one goal for companies should be to make the devices encrypted, according to Girard, and to ensure there is some type of authentication procedure in front of that encryption that will be difficult or impossible for either an inside or an outside thief to break.
Depending on the operating system and the platform, companies already may have an encryption tool embedded in the device. "The biggest issue is to turn [the encryption device] on and use it consistently," says Girard. "With a large number of users, you have to be able to prove to an auditor you turned on the system and protected the sensitive information on the device."
Girard sees many companies implementing data encryption through the use of third-party software. "It adds money to every platform, but you get comprehensive reporting on the state of your devices, and you get more protection around the encryption technology so it is harder for people to break in," he says.
The connection points back to Penn National are a concern for Miele. Users enter the network through a VPN that is unique to the company, he explains, and two-factor authentication is deployed. "We make sure they not only authenticate with a user ID and password, but there is another item they authenticate with," he says. "That identifies them, and we can let them into our VPN."
Devices need something more than a PIN code, Girard believes, but he knows of clients who have a tough time getting their users to take even that small step. "If the information on the device is really sensitive, I recommend at a minimum using a strong pass code–something longer than four characters," he says. "[Gartner] has guidelines with the number of times you enter a code before it times out. We recommend time out somewhere between one and 20 minutes, depending on the sensitivity of the application and the data."
Users also can add smart card authentication, flash keys that contain a certificate, or even biometrics, points out Girard. One tool he feels works well from Check Point Software Technologies is called the Picture PIN, he notes. The Picture PIN puts a series of icons on the screen, and users have to know the pattern in the icons that allows them to log in when they tap in the pattern. "Someone who grabs your [device] won't know what that means," he says.
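The pattern the preceding paragraphs describe (Penn National's user ID plus password plus "another item" on the VPN, and Gartner's limit on the number of code attempts before the device locks) can be modelled in a few dozen lines. The example below is added here and is not code from Penn National, Gartner, Check Point or the article's author; it assumes a salted PBKDF2 password hash, a time-based one-time code (RFC 6238 TOTP) as the second factor, and a lockout after five failed attempts, none of which the article specifies.

```python
import base64
import hashlib
import hmac
import os
import struct

# Policy constants (constructed; the article gives no concrete numbers for these)
PBKDF2_ITERATIONS = 200_000
MAX_FAILURES = 5            # failed attempts allowed before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
TOTP_STEP = 30              # seconds per one-time-code window


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; never store the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Account:
    """Constructed user record: password hash, per-user TOTP secret, lockout state."""

    def __init__(self, user: str, password: str, totp_secret: bytes):
        self.user = user
        self.salt = os.urandom(16)
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.failures = 0
        self.locked_until = 0


def authenticate(acct: Account, password: str, code: str, now: int) -> str:
    """Return 'ok', 'denied' or 'locked'.

    Both factors are checked and the result is the same whichever one failed,
    so a failed attempt reveals nothing about which factor was wrong.
    """
    if now < acct.locked_until:
        return "locked"
    pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    # Accept the current and the previous window to tolerate small clock drift.
    code_ok = any(
        hmac.compare_digest(totp(acct.totp_secret, now - drift), code)
        for drift in (0, TOTP_STEP)
    )
    if pw_ok and code_ok:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT_SECONDS
        acct.failures = 0
    return "denied"


if __name__ == "__main__":
    # Constructed demonstration: an agent with a shared-secret authenticator app.
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")
    agent = Account("agent42", "correct horse battery staple", secret)
    t = 1_700_000_000
    print(authenticate(agent, "correct horse battery staple", totp(secret, t), t))  # ok
    print(authenticate(agent, "correct horse battery staple", "000000", t))          # denied
```

The lockout counter resets on success, and the `"locked"` result is returned before any hashing so a locked account cannot be used to burn CPU on password checks.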
Organizations also are looking at other types of data protection mechanisms, such as data masking, data redaction, or other forms or solutions short of full encryption. Challenges around the sharing of Social Security numbers, according to Mark Steinhoff, principal in the security and privacy services practice for Deloitte, find organizations evaluating the nature of the relationship and the existing processes and supporting infrastructure to evaluate the alternatives. "In some cases, it may be an organization would decide it is not going to share that information, so encryption may be the solution," he says. "In other cases, it may lead to modifications of systems to remove and replace Social Security numbers or credit/debit card numbers with an alternative type of identifier."
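Steinhoff's alternatives to full encryption (masking, redaction, and replacing Social Security numbers with an alternative identifier) are easy to confuse, so here is a worked comparison. This is an added example, not code from Deloitte or the article's author; the SSN format, the token vault and the keyed pseudonym are constructed assumptions, and the sample records are made up.

```python
import hashlib
import hmac
import re
import secrets

# Assumed US SSN layout; real validation has more rules than this.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def mask_ssn(ssn: str) -> str:
    """Masking: keep only the last four digits for display (e.g. on a claims screen)."""
    m = SSN_RE.fullmatch(ssn)
    if not m:
        raise ValueError("not a well-formed SSN")
    return f"***-**-{m.group(3)}"


def redact_text(text: str) -> str:
    """Redaction: strip every SSN from free text before it leaves the system (e-mail, logs, blogs)."""
    return SSN_RE.sub("[SSN REDACTED]", text)


class TokenVault:
    """Tokenization: replace the SSN with a random surrogate identifier.

    The surrogate carries no information about the SSN; only the vault (which
    stays inside the carrier's protected environment) can map it back.
    """

    def __init__(self) -> None:
        self._to_token: dict[str, str] = {}
        self._to_ssn: dict[str, str] = {}

    def tokenize(self, ssn: str) -> str:
        if not SSN_RE.fullmatch(ssn):
            raise ValueError("not a well-formed SSN")
        if ssn in self._to_token:          # same SSN always gets the same token
            return self._to_token[ssn]
        while True:
            token = "TKN-" + secrets.token_hex(6)
            if token not in self._to_ssn:  # vanishingly unlikely collision, but check anyway
                break
        self._to_token[ssn] = token
        self._to_ssn[token] = ssn
        return token

    def detokenize(self, token: str) -> str:
        return self._to_ssn[token]         # KeyError for unknown tokens


def pseudonymize(ssn: str, key: bytes) -> str:
    """Keyed pseudonym: a deterministic join key (HMAC-SHA256) that cannot be reversed
    and cannot be brute-forced across the small SSN space without the key."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()[:16]


def export_for_agent(record: dict, vault: TokenVault) -> dict:
    """Constructed policy record as it would be shared outside the carrier:
    the SSN is tokenized, the notes field is redacted."""
    return {
        "policy": record["policy"],
        "ssn_ref": vault.tokenize(record["ssn"]),
        "ssn_display": mask_ssn(record["ssn"]),
        "notes": redact_text(record["notes"]),
    }


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record
    rec = {"policy": "AUTO-0001", "ssn": "123-45-6789",
           "notes": "Insured 123-45-6789 called about claim."}
    out = export_for_agent(rec, vault)
    print(out)
    print(vault.detokenize(out["ssn_ref"]))  # only the carrier can do this
```

Which of these is appropriate depends on whether the receiving party ever needs the real number: masking and redaction are one-way by design, tokenization is reversible only through the vault, and the keyed pseudonym allows records to be matched across systems without either side holding the SSN.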
Insurers have worked to upgrade their Web sites to enable customers to find their policies online, according to Julie Bernard, a senior manager for Accenture who is in charge of the consulting group's security practice for insurance in North America. Making those upgrades, though, requires an element of nonrepudiation, which Bernard views as the biggest security challenge.
Carriers need to go beyond standard Web site security, continues Bernard, to be assured customers can validate their identity, so when they do click the signature function, insurers can consider it a policy and begin the coverage immediately.
"The complexity in this space involves taking something that's been figured out internally and making it scalable and externally focused, either to large pools of agents or even direct to consumers," says Bernard. "The infrastructure and architecture complexity of that actually is pretty substantial."
The level of security for companies depends on the nature of the organization and what its footprint is, according to Steinhoff. If an organization is dealing from a purely domestic perspective, it has to be in compliance with various forms of privacy, data protection, and security regulations, but outside the United States, the [security] challenge becomes greater, he asserts. "For example, if you look at strong authentication, the banking industry came out with enhanced authenticating guidelines in late 2005," he says. "That has led to the implementation of a range of solutions targeted largely at the external customer. At the same time, organizations are continuing to evaluate authenticating users, either internally or externally, and what the best types of technology to do that are."
An organization may decide a token-based solution is the most viable and reliable solution, adds Steinhoff. Looking down the road, though, there may be other technologies that support downloading secure applications, and cell phones providing dual authentication for users. "Not every organization is doing that today," he observes.
In large financial services companies the mainframe hasn't gone away, points out Steinhoff. But in a Web-enabled world, companies have extended the challenges that historically existed only in the mainframe environment. "You are talking about potentially providing greater ranges and numbers of external users with access not only to the front end but also to the back-end systems," he says. "The challenges around authentication and authorization have been extended, but the challenges have not been solved."
At the same time, Steinhoff believes the key to an organization implementing a more controlled Web-facing application is an understanding the same types or categories of controls that have been built into back-end systems–the concepts of establishing a secure environment–still hold true. "One key to providing that secure environment is to ensure the change management processes appropriately integrate security and data-encryption-type capabilities," he says.
Another aspect is the increased emphasis on the privacy of sensitive information and the continued growth of laws and regulations around practices such as first notification. "It's not strictly a technology and security issue; it becomes a broader compliance, privacy, and data protection issue, as well," says Steinhoff.
From a business point of view, Sanford Sherizen, an independent security consultant, claims companies absolutely have to be Web based and take advantage of related opportunities in a competitive market. "It can be expensive to put in place, but the business payoffs are major," he says. "The problem is if you don't do it well–and well includes doing it in a secure way–the damages can be very large. That includes the types of things that have happened with loss of client information and personal information."
Companies can operate a Web-based business with manageable costs, Sherizen contends; however, it takes a great amount of attention to detail. It involves a brand-new approach for some organizations in terms of paying the price for being more secure. This approach includes doing things such as security awareness training, senior executives showing support through the budget as well as policies and procedures, and looking at the world in a different way than before. "You can have skilled businesses that are using some Web 2.0 advanced techniques, but if they are doing it with less than adequate security, the cost may be very large, and frankly, in some cases, it's not worth doing if they can't do it securely," he says.
Penn National continues to deal with the debate over control of the customer, Miele indicates. While the carrier may be the entity underwriting the insurance, the independent agency signed up 100 people to purchase auto insurance. "We protect the [customer] information, but we allow [the agents] to get to their information based on some reporting requirements," he says.
Once the agents download the policy information into their own system, it is the agencies' responsibility to protect it. "We do everything possible to protect [personal information]," says Miele. "But now, [the agents] have to do the same thing."
He recommends agencies have some encryption technology, establish a secure storage area to keep data, and deploy an e-mail encryption policy. "Agencies all fall under state privacy laws, so they have to follow the guidelines," he says.
Miele doesn't have many concerns about the agencies Penn National works with, placing his trust in the vetting process the carrier goes through for its agents. "If one person loses his or her identity and it gets leaked out, that one person can cause us just as many problems as 5,000 people," says Miele. "We are under law first to notify all the potential clients and the reporting agencies, and in some states, you have to notify the attorney general's office. I believe in New Jersey you have to notify the press. That loss of company goodwill is more damaging to us than to the one person."
More insurers have been focusing on the direct-to-consumer business as they realize what banks have known all along, explains Bernard. "If you can push stuff to the Web, your profitability is that much higher," she says. The issue, though, is how to deal with the agent infrastructure, particularly with independent agents because they can't have a log-on mechanism that's substantially different from carrier to carrier in order to quote business. "If you make it really hard, they are not going to sell your product," says Bernard.
One of the problems with dealing with multiple insurers in this manner is learning all the PINs and passwords. Bernard estimates most agencies have three or four passwords they use everywhere. "If it's any more complicated than that, they are storing it in Outlook or on a Post-it note by their desk," she says.
Barlock points out this same conversation has been going on for several years in the mass consumer market involving Web organizations such as eBay, E*TRADE, and banking as consumers juggle all their passwords. "All of those same problems we're now seeing in play for the insurance industry," he says.
Bernard believes a slight nuance between insurance and other industries is the agent population–a set of affiliated people. Carriers have their own laptop encryption program, but it may not work on an agent's laptop because that laptop is not owned by the company.
"To the extent these companies are affiliated or agent models, what rights do the companies have or what ability to put controls on an independent agent's mobile device?" asks Barlock.
Penn National blocks employee access to online blogs, according to Miele, even though he agrees there are legitimate blogs that discuss insurance issues and believes they are good for the industry as long as they are used correctly. "The problem is they are out there in the open," says Miele. "Even if the blog owners are well protected, the other problem is you might have the wrong kind of information put out on the blog. If we allowed certain claims reps to go out on a blog, what if they started putting information out there? You can do that without putting names out, but you can put out things and not realize you are letting go of private information."
Barlock doesn't believe the insurance industry has fully sorted out what the business model is around Web 2.0. "It's much easier for me to understand in these pure-play Internet companies such as Facebook, whose business is all about collaboration, to use these Web 2.0 technologies to enable the business," he says. "In insurance, sorting out the business model is a little trickier."
The Web 2.0 set of technologies is all about collaboration, adds Barlock, and the security implication is all about how to protect the data or the information that is being collaborated. "For insurance companies, if I have proprietary information my agents know about and they are using Wikis and blogs, the challenge is what controls am I going to put in place to protect all this intellectual property and proprietary data," he says.
The trick with security is to pick something that is not disruptive to users, points out Girard. But if users say any security is disruptive, the line has to be drawn somewhere. "Not having a PIN is unacceptable," he says. "If the information is extremely sensitive, then having something such as a smart card or biometrics with a couple of other factors becomes important to prove accountability."
Girard has dealt with companies where the users are perfectly willing to accept strong security because they've come to understand the security protects them as much as the company. "But I have plenty of companies where the users either don't understand or don't want to understand that concept and continue to fight off whatever you try to put into play," he says.
The insurance industry has to get together and set security standards and requirements for the entire industry, Sherizen believes, so it's not just one company trying to impose its will on its partners. "People complain," he says. "They don't want security because it interferes with their work and is onerous. The reality is if you make it easy and you make it work and you make it something management says you have no choice about, then you are going to have a much easier job with it."
Financial services as an industry has a much greater focus on security and spends more on it than many other industries, Barlock suggests, because of the nature of the transactions and the sensitivity of the data. "Financial services has been one of the vanguards in security," he asserts.