Securing customer data in property and casualty insurance, life and savings, and asset management products is tantamount to protecting a company’s ethos. After all, organizations in this industry gain brand loyalty by promising to give customers “peace of mind,” which now includes maintaining the privacy and security of their information.

However, one leading global insurance company reports that another business mandate, offering best-in-class customer service, can conflict with the mandate to protect customer data. How does an organization provide anytime, anywhere access to services while also protecting confidential customer data from unauthorized access and leakage?

In the insurance industry, as in many others, day-to-day business workflows can be quite complex, resulting in security requirements that stretch traditional IT tools. The global insurance provider reported that relying on what’s referred to as “Role Based Access Control” (RBAC) resulted in overly complex security systems that were difficult to administer and maintain. The result was significant overhead for IT operations that drained thousands of man-hours for creating, auditing, troubleshooting, and updating roles. Teams and budgets were stretched thin due to the increased complexity of business requirements, the need to share data, and an expanding user base. The cost of regularly auditing and updating roles was soaring. It simply was not a sustainable approach.

The organization’s security leaders decided to try a different strategy. They devised a roadmap to incrementally extend their role-based controls with Attribute Based Access Control (ABAC) using NextLabs Control Center. This would enable them to implement fine-grained authorization controls while decreasing the complexity of authorization management. The main objective was to streamline IT operations and save money, while raising security standards and maintaining world-class customer service.

The organization chose NextLabs’ Control Center for its dynamic policy engine, policy authoring and lifecycle management, activity monitoring and reporting, and the ability to build custom integrations with homegrown applications. The first phase of their implementation introduced attribute-based controls to secure customer and employee access to private data via the customer web portal, a Java-based application accessed by millions of their customers. This enabled them to provide fine-grained access using contextual variables (attributes of the user, the data being requested, and the circumstances of the request) to enhance security for their most sensitive data.
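As an added illustration (not NextLabs’ code and not the insurer’s implementation), the following Python sketch shows how an XACML-style policy decision point evaluates attribute-based rules for a portal scenario like the one described above: one rule per business condition instead of one role per customer or record. The attribute names, rules and sample requests are assumptions constructed for the example.

```python
# Added example (not NextLabs code): a minimal XACML-style policy decision
# point (PDP) for a customer-portal scenario. Attribute names, rules and
# requests are constructed for illustration; a real deployment would express
# these as XACML policies evaluated by the product's policy engine.
from dataclasses import dataclass, field

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"


@dataclass
class Request:
    subject: dict                                   # who is asking
    resource: dict                                  # what they want
    action: str                                     # read, update, ...
    environment: dict = field(default_factory=dict)  # context of the request


# A rule is (target predicate, effect). Predicates read attributes only,
# so one rule covers every customer rather than one role per customer/record.
RULES = [
    # A customer may read only records they own, and only from a strongly
    # authenticated session (assumed scale: 2 = MFA completed).
    (lambda r: r.subject.get("type") == "customer"
               and r.action == "read"
               and r.subject.get("customer_id") == r.resource.get("owner_id")
               and r.environment.get("auth_level", 0) >= 2, PERMIT),
    # A claims employee may read claims assigned to them during business hours.
    (lambda r: r.subject.get("type") == "employee"
               and r.subject.get("department") == "claims"
               and r.action == "read"
               and r.resource.get("id") in r.subject.get("assigned_claims", ())
               and 8 <= r.environment.get("hour", -1) < 18, PERMIT),
    # Explicit deny: highly sensitive data is never served to an unmanaged device.
    (lambda r: r.resource.get("sensitivity") == "high"
               and r.environment.get("device") == "unmanaged", DENY),
]


def decide(request: Request) -> str:
    """Deny-overrides combining: any matching Deny wins, otherwise Permit if
    any rule permits, otherwise NotApplicable."""
    effects = [effect for target, effect in RULES if target(request)]
    if DENY in effects:
        return DENY
    if PERMIT in effects:
        return PERMIT
    return NOT_APPLICABLE


def pep_allows(request: Request) -> bool:
    """Policy enforcement point side: fail closed, only an explicit Permit grants access."""
    return decide(request) == PERMIT
```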

Figure: Staged Implementation Phases using an XACML-based architecture

After a 6-month implementation cycle, the organization was able to roll out its standards-based policy platform and custom Policy Enforcement Point (PEP), supporting millions of users and thousands of employees. A key benefit of NextLabs’ Control Center is its highly scalable architecture based on the XACML standard. Subsequent implementation cycles will be even simpler and faster, as teams simply instrument additional PEPs for other applications against the same policy platform.

The organization’s eventual plan is to decommission many role-based controls in several applications, reducing the number of roles dramatically. Thousands of hours of maintenance will be eliminated, along with the manual task of verifying and updating roles. Customer service remains world-class, data remains secure, and they benefit from huge cost savings.

By Tarun Mehta, NextLabs Solutions Team