
Insurers Target Single Sign-On Capabilities Jul 09, 2008 URL: http://www.financetech.com/showArticle.jhtml?articleID=208808204
While single sign-on technology has been recognized as a worthy goal in insurance technology circles for several years now, a quick scan of the industry still yields little evidence of centralized depositories for user IDs and log-ons that consolidate the number of passwords that an employee, business partner or customer needs to access a carrier's systems.
"It's been a big topic for a number of years, and I think it's a utopia that hasn't been reached yet in many instances," according to Mike Barba, manager, business consulting, at SMART Business Advisory and Consulting, a Devon, Pa.-based firm with expertise in areas including enterprise risk management, regulatory accounting and claims management. "A lot of people will claim they have single sign-on, when in reality they do have local databases of users that they still need to manage," he adds.
In many ways, single sign-on (SSO) does represent a sort of utopia. Its benefits are far-reaching. From a security standpoint, SSO can eliminate the all-too-common "sticky note" approach to identity management that has been adopted by many employees who -- overwhelmed by the number of different log-on IDs and passwords they need to access applications -- have taken to writing their passwords down and storing (nay, displaying) the information in plain sight at their workstations. SSO implementations also can lead directly to ease-of-use improvements for customers, employees and producers by reducing the number of password gateways needed to navigate a Web site or application, without sacrificing security.
Thus far, the insurance industry has indeed struggled to implement this technology -- and thus realize its benefits -- in part because many of the applications and systems within insurers' technology environments are not ready for SSO. "A lot of the problems stem from the fact that a lot of applications aren't written to use standards-based authentication protocols or standard systems where identities are managed," Barba explains.
Too often, vendor-developed insurance applications have been created without any of the authentication standards needed for SSO, Barba says. Many third-party vendors traditionally have programmed only with functionality in mind. The idea of a standards-based approach to identity management -- such as through Lightweight Directory Access Protocol (LDAP), a standard created at the University of Michigan and further developed by the Internet Engineering Task Force -- has been an afterthought.
"It really comes down to the applications [insurers] choose to use and how they are implemented," Barba explains. "If companies have a lot of third-party applications, they're stuck at the hands of the developers of the third party as to whether or not they're going to be able to integrate the application into their single sign-on environment."
Pros and Cons
Perhaps an even bigger roadblock to adoption has been the inherent risk/reward dynamic of SSO implementations. On one hand, a reduction in the number of passwords an employee has to remember will help eliminate the dreaded sticky note technique for remembering passwords. Further, SSO makes it easier to manage a consistent approach to identity management. On the other hand, though, hacking into an insurer's system that has SSO requires only one password, as opposed to several.
The old way of doing things -- with separate identity management for each individual application -- was a security deficiency in many ways, but a security feature in many others, explains David Aflak, senior manager of information systems at San Francisco-based Esurance (approximately $600 million in 2006 written premium).
"There is an inherent security feature in having multiple accounts, multiple passwords and multiple log-in requirements for application access," Aflak relates. "If you have a single sign-on solution, you sign on to one PC successfully and you basically have access to the entire store at that point."
However, insurers are becoming increasingly confident that they can manage the balancing act required to implement SSO while maintaining the highest information security standards. For example, the added risk can be mitigated by two-factor authentication, when necessary, and by a more consistent enterprise security policy.
Esurance, for instance, has started to look into implementing a single sign-on solution with an eye on automating many account management processes and auditing procedures necessary for Sarbanes-Oxley compliance. "There is a definite productivity benefit to accomplishing at least a percentage of what single sign-on can provide," Aflak says. "If that productivity opportunity is there, then it is worth pursuing because the business will ultimately benefit from it."
Like Esurance, many carriers are placing increased value on applications that are amenable to single sign-on initiatives, and vendors are reacting accordingly. "You've seen a much greater push with applications that have come out in the last couple [of] years -- that most of them can speak some type of standards-based authentication protocol," SMART's Barba says. "It's something that's been on the rise and increased over the years."
With many applications now in a better position to support single sign-on, and interest in the technology surging, the key question surrounding SSO has changed. Carriers are no longer wondering if they can implement an SSO solution, but instead are asking: What's the best way to do so?
At Cleveland-based Medical Mutual of Ohio (MMOH, around $2 billion in annual revenue), where an internal single sign-on project is in the midst of rollout, managing scope was and continues to be an important contributor to the initiative's success.
Instead of attempting to immediately consolidate the identity management functions for all or most of the insurer's more than 160 applications, Antares Management Solutions has chosen to focus on Medical Mutual of Ohio's 15 core applications. Antares is a wholly owned MMOH subsidiary that offers business process outsourcing to other insurers. The group, as is the case with the SSO project, also acts as part of the internal IT department for its parent company.
In a sense, Medical Mutual was able to manage its own expectations around the concept of single sign-on. "We made scope meaningful," says Kevin McGuirk, a business solutions provider for Antares' security, audit and consulting services, and project manager for the single sign-on implementation. "Our single sign-on initiative is not set up here for all creatures great and small. We don't do single sign-on for every single application in the environment."
This strategy corresponds with the approach to SSO that SMART's Barba says most organizations have to take. "It's a utopia -- the idea of single sign-on -- but getting close can have major benefits to your company," he comments. "The goal should be to simplify your operations and maintain the most secure environment possible for the management of user IDs."
Essentially, MMOH's initiative consists of two main parts, McGuirk says. The single sign-on piece itself is a front end that automates user log-on into multiple systems after an employee successfully authenticates him- or herself to Medical Mutual of Ohio's LAN. The front-end application leverages a data store from Islandia, N.Y.-based CA to store multiple IDs and passwords from disparate systems.
The second piece is a back-end password synchronization technology that formats, validates and passes the enterprise password, or LAN ID, to other systems. In some cases, users are required to change their passwords at 30-day intervals. When a user makes such a change in one system, McGuirk says, the password synchronization system will pass that change on to the other core systems. The carrier also worked with CA on the password synchronization integration, as well as architectural validation and training efforts.
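As an added illustration of the two-part design just described (example code written for this article, not MMOH's or CA's software): a minimal password-synchronization step that formats the enterprise password for each downstream system, validates it against every system's policy before any store is updated, and records an audit entry without ever logging the password itself. The system names and policy limits are assumptions for illustration, not the real rules of any product named in the article.

```python
from dataclasses import dataclass
from typing import List, Optional
import re


@dataclass
class TargetPolicy:
    """Password rules of one downstream system (limits here are assumed for illustration)."""
    name: str
    max_len: int
    min_len: int = 8
    fold_upper: bool = False            # legacy stores that keep passwords case-insensitive
    allowed: str = r"[A-Za-z0-9@#$]+"   # assumed character class accepted by the system

    def format(self, pw: str) -> str:
        # "formats": adapt the enterprise password to what this system can store
        return pw.upper() if self.fold_upper else pw

    def check(self, pw: str) -> Optional[str]:
        # "validates": reason the formatted password would be rejected or silently
        # truncated by this system, or None if it is acceptable
        if len(pw) < self.min_len:
            return f"{self.name}: shorter than {self.min_len}"
        if len(pw) > self.max_len:
            return f"{self.name}: longer than {self.max_len}, would be truncated"
        if re.fullmatch(self.allowed, pw) is None:
            return f"{self.name}: contains a character the system rejects"
        if not any(c.isdigit() for c in pw):
            return f"{self.name}: needs at least one digit"
        return None


@dataclass
class TargetSystem:
    policy: TargetPolicy
    stored: Optional[str] = None        # stand-in for the system's own credential store

    def set_password(self, user: str, pw: str) -> None:
        self.stored = pw


def synchronize(user: str, new_pw: str, targets: List[TargetSystem], audit: List[str]) -> bool:
    """Push new_pw to every target system, or to none of them."""
    # Validate against every system's policy before touching any store, so one
    # rejection cannot leave the other systems holding a password the LAN ID no longer matches.
    problems = [p for p in (t.policy.check(t.policy.format(new_pw)) for t in targets) if p]
    if problems:
        audit.append(f"REJECT user={user} reasons={'; '.join(problems)}")  # never log the password
        return False
    for t in targets:                   # "passes": propagate only once every check has passed
        t.set_password(user, t.policy.format(new_pw))
        audit.append(f"SYNC user={user} system={t.policy.name}")
    return True
```

The all-or-nothing check is the point: a system with a shorter limit or a narrower character set must reject the change up front, not truncate it silently, or the "one password" the user remembers stops matching that system.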
Antares' director of security, audit and consulting services, Tim Sargi, says that, while Medical Mutual of Ohio's SSO initiative is companywide, the carrier tried to focus its effort toward its "shop floor" users -- claims, customer service and membership personnel. For that reason, the SSO project team intentionally does not refer to the project as a single sign-on initiative, even though Sargi and McGuirk readily admit that, essentially, that's what it is.
"We tried to set the precedent there by saying that it's a 'production log-on' [project], a way to get into the systems quickly for the regular shop floor person," Sargi says.
One Step at a Time
At Columbus, Ohio-based Nationwide ($160 billion in assets), where two single sign-on projects -- one consumer-facing, one employee-facing -- are under way, managing scale has also proven to be a virtue. Regarding the internal project, Rick Schnierer, associate vice president, corporate Internet solutions, at Nationwide, says the implementation team has focused on applications that can currently support SSO. Obviously, with a company as large and diverse as Nationwide, not every application in its environment is prebuilt with the necessary authentication standards, he notes.
"At this time, it's not necessarily a single sign-on approach; it's more of a reduced sign-on approach, with the thought that we'll eventually get to one user ID and password," Schnierer explains.
Nationwide manager for infrastructure engineering Rob Armstrong served as point person on the internal single sign-on team. He says that the employee-facing SSO initiative focused on Web-based applications. After a review of the vendor marketplace in mid-2007, the company decided that purchasing a single product to cover Web-based, client-based and RACF-based applications was not practical.
"We instead chose to focus on the Web environment as well as working on point solutions for some of our larger client-based applications, such as Lotus Notes," Armstrong says. "The majority of our new applications, as well as our stated future technical direction, [are] focused on Web-based technologies."
The goal of the initiative, Schnierer says, is to migrate different parts of the company onto the set of security and identity management standards that Nationwide has developed. In doing so, he suggests, the organization will be able to react to regulatory changes more quickly and reduce redundant processes.
On the consumer-facing side of things, Nationwide is looking to get as close to true single sign-on as possible with its Web applications, in an effort to more closely align the identity management characteristics of its consumer-facing Web sites with the company's cross-sell business strategy.
Nationwide's consumer-facing SSO solution is based on Sun Microsystems' (Santa Clara, Calif.) J2EE platform and leverages a company customer information file, as well as third-party security software. Nationwide declines to mention specific vendors.
Presently, Nationwide is migrating its current consumer-facing Web applications to the new SSO environment. Michael Carrel, associate vice president, corporate Internet solutions, at Nationwide, says the project will be a multiyear effort and that each application will likely require minor modifications to take advantage of the new authentication method.
One reason for the complexity of the SSO initiative, Carrel points out, is that, as an enterprise, Nationwide boasts an extraordinarily diverse offering of products, such as property and casualty, variable and fixed life, financial services, IRA, banking, 401(k), and annuity products.
"Currently, customers who have products with us in a variety of areas ... are forced to have multiple log-ins to interact with those products or services," Carrel explains. "We have undertaken this initiative in order to make our customers' online experiences better and serve them in a more comprehensive way."
With single sign-on leading to a more unified Web experience for customers, Nationwide sees an opportunity not just for improved customer experience, but for increased cross-selling, as well. "We want to integrate our Internet self-service sites so we can present our customers with an integrated view of the relationship they have with us," Carrel says. "We feel that our business strategy of targeting customers with our full product breadth requires us to service them in an integrated way."
Even if reaching customers in a more unified way wasn't a major part of its business strategy, it's certainly possible that consumer demand alone would have led Nationwide toward single sign-on for its consumer-facing Web sites.
"Customers expect that, to be quite frank," Carrel acknowledges. "Their expectations are around [things like] changing their address in one place and having it [go] into effect everywhere. It's a basic foundational function that is critical to serving our customers in the way they expect to be served."
Improved security, of course, is another benefit that Nationwide hopes to achieve with its SSO projects. With the customer-facing initiative, for example, certain transactions will require additional layers of security at log-in, such as challenge questions or other two-factor authentication methods.
As the SSO solutions (particularly the internal project) are being developed, Nationwide is working to strike a balance between passwords that are airtight from an information security point of view, but easy enough for employees to remember without having to write them down. "You have to balance the risk versus the reward. You do essentially have all the keys to the kingdom, so to speak. So the important thing is to make the passwords challenging and configured in such a way that they are easy to remember," says Schnierer.
Tell It Like It Is
To address matters such as the importance of relatively complex passwords and other key measures, Schnierer and Carrel say that a strong security communication and education program should accompany any SSO implementation. "All along the way, you have to have a pretty solid security awareness program to make sure that associates understand the reasons behind what you require," Schnierer says. "If it makes sense to the user, then the user is more willing to adopt [stronger password configurations] as well as become an advocate [for them]."
Striking such a balance -- benefiting from the security improvements of SSO without exposing the company to new risks -- was something Medical Mutual also kept top of mind.
As an added layer of security, Medical Mutual managers are required (in some instances by regulations, in some instances as a matter of company policy) to review systems access for all staffers, contractors and temporary help every six months. An audit logging system also has been implemented. "If the manager has requested access for [his or her] staff, [then] the staff has access to the systems they actually need to have and nothing else," McGuirk relates.
To help facilitate the systems access review process, Medical Mutual of Ohio installed a Web-based system for managers. "Prior to the single sign-on rollout, we actually did install a Web feature of the recertification process where the manager, on a six-month basis, can bring up each and every one of his or her employees and review what systems they have access rights to and then [choose to] either remove or continue that access," according to Sargi.
Also prior to the implementation, MMOH sequestered database, security and server administrators, as well as a group of programmers, and put them through a one-week battery of training to get the team familiar with the SSO technology and product syntax. McGuirk says that the training -- performed with an assist from CSS (Certified Security Solutions), a Seattle-based information security consulting firm -- improved "the on-the-job transfer of knowledge."
And the MMOH team is still on the job. In October, McGuirk expects to tie the password synchronization into the back end and also integrate the SSO front-end and password synchronization capabilities with the carrier's AS/400 claims systems, Oracle general ledger and financial applications.
Meanwhile, at Nationwide, the employee-facing SSO capability is in its infancy, the carrier's Armstrong says. The company has completed infrastructure testing and is now evaluating applications to ensure that they function properly and securely with the new authentication procedures. "We are actively working [on] the project and will begin utilizing the new SSO environment with a large number of our internal applications in the third quarter of 2008," Armstrong says.
On the consumer-facing side, Nationwide has implemented the SSO solution for one line of business thus far, with additional lines set to roll out before the end of the year and into 2009.
Communication efforts to accompany their respective rollouts are under way at both Medical Mutual of Ohio and Nationwide (involving both the employee-facing and consumer-facing SSO teams). "I think that communication is a very significant piece to this, both to the end user and to the development staff," MMOH's Sargi says.
Adds Nationwide's Carrel, "The important part of the implementation is not the technology, but the work that needs to be done to inform customers about the changes and benefits, and prepare the company for the integration."