Let's start with an experiment: Count how many passwords you enter into web services each day for your personal use. You probably rattle off a list of passwords for email accounts, social networks, utility payment sites, and any number of fringe applications. Then think about all the passwords you need for your job. How many more is it? One? Four? Ten?
Passwords are a fact of life in the digital age, and despite many tech pundits calling for their elimination over the past few years -- most recently after the Heartbleed worm exposed flaws in the OpenSSL protocol that many sites use to transmit user name and password information -- the number of passwords that a person uses at home and at work reaches into the dozens. Enterprises -- including insurance companies -- are finding that this leads to poor habits around password composition and choice.
"The more passwords you have, the more people will use simple or insecure ones, or write them down or use the same ones across multiple sites," says Thomas Dunbar, chief information risk officer for P&C carrier XL Group (Dublin; $238.6 million in first-quarter 2014 income). "That drops down your level of security."
The solution for XL Group comes in the form of federated single sign-on for many of the company's systems. The insurer first implemented what it called "simplified sign-on" about five years ago, Dunbar says, when employees had up to two dozen passwords to remember for enterprise functions. Simplified sign-on brought that down to three or four total passwords per employee.
The Integration Sticking Point
But the technology behind single sign-on has improved over the past few years to address one of the sticking points of implementing such a platform: the problems of integrating new technologies. Single sign-on was so popular with XL Group employees, Dunbar reports, that any time something that didn't fit into the framework was introduced, employees would complain.
"A lot of what XL focuses on when using computers is the colleague experience," he says. "We get a lot of feedback if we give them something that's not under the single sign-on."
With single sign-on in place, looking for technology solutions that are compatible with the system via federated sign-on is "a priority any time we look for a new system," Dunbar says. In a coincidental twist, one recent implementation that used federated sign-on was Security Mentor, a training system vendor that provides online cyber-security-awareness training for XL Group employees. The training sessions, which cover such topics as phishing, mobile security, and password best practices, are accessible via XL Group's federated sign-on, a move that was crucial to ensuring that employees completed the training courses.
"We recommend single sign-on as a way for organizations to connect with us to provide training," says Marie White, Security Mentor's founder, president, and CEO. "We're finding that employers want to make access to their staff as easy as possible, want to make it seamless, and the easier you make it, that's one less barrier for training."
Further, in its role as security expert, Security Mentor recommends single sign-on as an overall way to improve the security habits of large enterprises' employees. Phishing attacks -- especially "spear phishing" attacks that target specific high-risk or high-value individuals in an attempt to gain their passwords -- make good password habits even more important.
"Obviously the Target data breach has brought a lot of attention to the need for end-user data security," White says. "We did a research report with Enterprise Management Associates and found that 33% of the employees surveyed said they use the same password for work and personal devices. If they reuse passwords, they can be breached on many accounts."
That's where the combination of training and technology around single sign-on does the most work in making enterprises more secure. Through programs such as Security Mentor's and its own training initiatives, XL Group and other insurers that choose to go the single sign-on route have plenty of teachable moments to help ensure that those single passwords are as secure as possible. With only one password framework to maintain, carriers can establish strict password expiration rules and easily remove from the system users who have left the company, XL Group's Dunbar says.
"We do password testing on a periodic basis, and if someone leaves the organization, removing their access is easy even for external applications," he says.
Agent-Focused SSO Effort
Another recent high-profile implementation of federated single sign-on in the insurance industry is SignOn Once, a joint effort of insurers, vendors, and agents through ACORD, ACT (Agents Council for Technology, a component of the Independent Insurance Agents & Brokers of America), and the Real Time/Download Campaign. Designed for independent insurance agents, the tool was developed over the past two years through an ID Federation working group so that agents who represent multiple carriers don't have to deal with dozens of passwords for the many portals they use.
"Today, from a carrier perspective, they prefer each agent has one ID and one password, but because of the pain of maintaining the passwords, some agencies will use one for the whole agency," says Jim Rogers, assistant VP of distribution technology strategy for The Hartford (Hartford, Conn.; $564 million in first-quarter 2014 earnings) and a founding member of the ID Federation. "Some very large agencies have the equivalent of a full-time person managing them."
More common were situations where agency employees shared passwords among one another on an ad hoc basis or kept insecure paper files with their many passwords in plain view on their desks. Each carrier and agency had different rules regarding suitable passwords, expiration dates, and deprovisioning of ineligible personas. It was clear, Rogers says, that something had to change. But it didn't happen overnight: Getting carriers to agree to federate IDs required lots of legal legwork. After a Trust Framework was drawn up, SignOn Once was introduced at the 2014 ACORD LOMA Insurance Systems Forum trade show.
When agents use SignOn Once, a token is created indicating that the particular ID is in use by a specific individual and passed along to the insurer. For insurers and agents alike, this goes a long way toward ensuring that the correct agency and agent are identified as making a policy sale and are appropriately compensated.
"Now you can't go to the agency next door and just sign into the carrier using your old agency credentials," Rogers says.
That's the overall goal of SignOn Once, according to Rogers: to return the user name-and-password model to its original goal of identifying who is accessing sensitive data at an insurance carrier.
"Our industry deals with a lot of sensitive information. Anything we can do to increase cyber-security and make it easier to do business is welcomed," he says. "When someone uses this, you know they're active agency employees. You can look at their security certificates. It's definitive, not separate people using the same user name and password."
Nathan Golia is senior editor of Insurance & Technology. He joined the publication in 2010 as associate editor and covers all aspects of the nexus between insurance and information technology, including mobility, distribution, core systems, customer interaction, and risk ...