Even before the heist of 30,000 identities from the credit reporting agencies Experian, Equifax and TransUnion resulted in the largest identity theft fraud case in US history late last year, META Group (Stamford, CT) research found that the number-one driver for security investments is the potential damage to a company's image after a security breach. Currently, many insurers manage user authentication as a service for each individual application, creating multiple stores of user data. These multiple and sometimes redundant stores, which include user names, passwords, credentials and access-level authorizations, increase the potential for inaccuracy. The decentralized identity management systems that most insurers operate not only leave a carrier vulnerable to cyber-threats, but are expensive as well.
On average, internal user information is stored in 22 distinct data stores, while external user information is stored in six, according to a META Group white paper, "The Value of Identity Management." And when authentication is handled as a function of individual applications, users must remember more passwords, and more IT support is required. Additionally, with disparate data stores, account provisioning (the generation and maintenance of user accounts for platform and application access) is time-consuming. There would be significant savings in costs and resources if these stores were consolidated and tasks such as account provisioning and password reset were automated, contends the META report.
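The inaccuracy that redundant stores invite is easiest to see when the copies are actually compared. The following is an added example, not code from the article or from any of the companies it quotes: it models a handful of constructed application-local user stores and an HR feed taken as the authoritative source, then reports the three things a consolidation project has to surface before a central directory can replace the per-application copies: attributes the copies disagree on, accounts with no authoritative owner, and accounts still active for people the authoritative source says have left. It also counts how many separate logins each person is carrying. The store names, user ids and HR data are all invented for the example.

```python
"""Reconcile per-application user stores against an authoritative source.

Added example; all stores, users and HR data below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AccountRecord:
    store: str          # which application-local store holds this copy
    user_id: str        # enterprise user id shared across stores
    display_name: str
    access_level: str   # application authorization level
    active: bool


# Constructed sample: three application stores, each keeping its own copy.
STORES = {
    "claims_app": [
        AccountRecord("claims_app", "e1001", "A. Example", "user", True),
        AccountRecord("claims_app", "e1002", "B. Example", "admin", True),
        AccountRecord("claims_app", "e1003", "C. Example", "user", True),
    ],
    "billing_app": [
        AccountRecord("billing_app", "e1001", "A. Example", "user", True),
        AccountRecord("billing_app", "e1002", "B. Example", "user", True),  # access level disagrees with claims_app
        AccountRecord("billing_app", "e1004", "D. Example", "user", True),  # nobody in HR owns this account
    ],
    "portal": [
        AccountRecord("portal", "e1001", "A. Exmaple", "user", True),   # misspelt copy of the name
        AccountRecord("portal", "e1003", "C. Example", "user", False),  # disabled here, still active elsewhere
    ],
}

# Constructed authoritative source (an HR feed): who should exist, and who has left.
HR_DIRECTORY = {"e1001": "A. Example", "e1002": "B. Example", "e1003": "C. Example"}
HR_TERMINATED = {"e1003"}

# Attributes that should have exactly one value per person across all stores.
CONFLICT_ATTRIBUTES = ("display_name", "access_level")


def group_by_user(stores):
    """Collect every store's record for each user id: the merged view a
    central directory would have to be built from."""
    by_user = defaultdict(list)
    for records in stores.values():
        for rec in records:
            by_user[rec.user_id].append(rec)
    return by_user


def find_attribute_conflicts(by_user):
    """Users whose copies disagree on an attribute that should be single-sourced."""
    conflicts = {}
    for user_id, records in by_user.items():
        differing = {}
        for attr in CONFLICT_ATTRIBUTES:
            values = {getattr(rec, attr) for rec in records}
            if len(values) > 1:
                differing[attr] = values
        if differing:
            conflicts[user_id] = differing
    return conflicts


def find_unknown_accounts(by_user, hr_directory):
    """Accounts present in some application store but absent from the authoritative source."""
    return {uid for uid in by_user if uid not in hr_directory}


def find_stale_accounts(by_user, terminated):
    """Still-active application accounts belonging to people HR lists as terminated."""
    return sorted(
        (rec.store, rec.user_id)
        for uid in terminated
        for rec in by_user.get(uid, [])
        if rec.active
    )


def credentials_per_user(by_user):
    """How many separate logins each person maintains when every store keeps its own."""
    return {uid: len(records) for uid, records in by_user.items()}


def reconcile(stores, hr_directory, terminated):
    """Run all checks and return one report dictionary."""
    by_user = group_by_user(stores)
    return {
        "conflicts": find_attribute_conflicts(by_user),
        "unknown": find_unknown_accounts(by_user, hr_directory),
        "stale": find_stale_accounts(by_user, terminated),
        "credentials": credentials_per_user(by_user),
    }


if __name__ == "__main__":
    for key, value in reconcile(STORES, HR_DIRECTORY, HR_TERMINATED).items():
        print(f"{key}: {value}")
```

In practice the stores would be read from each application's database or LDAP export rather than literals, but the checks stay the same: the "stale" list is the one a security team cares about first, because a disabled account in one store tells nothing about the same person's access in the others until the copies are compared.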
Currently, the maintenance of user identities consumes, on average, 25 to 30 percent of an IT organization's time, reports John Hunt, partner, PricewaterhouseCoopers LLC (New York). "Anywhere from 15 to 30 or 40 percent of help desk calls deal with password reset," he says. "Each call costs between $20 and $25. It's a significant expense and it's non-value-add because password reset functions can be automated."
Although the business case for identity management consolidation is strong, there are a number of obstacles that need to be overcome before the benefits are realized. The most significant hurdle is that "insurers haven't budgeted for it," says Hunt. "Also, identity management crosses the entire organization, so there is typically no owner of the problem." Such a structure encourages decentralization and "carriers usually implement one-off solutions instead of putting together a steering committee," he adds.
Nationwide Insurance ($24.5 billion in assets, Columbus, OH) is one of the exceptions. The carrier has formed an executive steering committee in order to examine its identity management. According to Susan Gueli, associate vice president, information technology risk management, Nationwide, besides herself the steering committee is composed of the company's vice president of IT and its infrastructure architect. The five major components on which the carrier's identity management strategy focuses are authentication, authorization, provisioning and registration, identity validation and multi-factor authentication. The insurer manages the identity of 38,000 employees, agents and their employees, and business partners across the enterprise, according to Gueli.
Currently, the carrier is moving towards ID consolidation. "We are going through an evolutionary period right now from the perspective that, in the past, authentication has been seen as a service of the application. So today user data resides in disparate systems," Gueli says. "We are moving toward a central administration, internal enterprise directory and an e-business directory for authentication." Nationwide's internal enterprise directory will be used for employee authentication. Its e-business directory will be used for customers and producer/agents.
Also, Nationwide's central administration will be a distinct group handling all of the directories for identity management. The implementation strategy focuses on integration of the company's most central applications into the central directory first. "We wanted to have a big impact initially so that folks would clearly see the value of the central directory and a single password," says Gueli.
Although the planned three-year migration effort is only two months old, Nationwide already has reduced the number of passwords for some users from around eight to three or four. Additionally, the steering committee has explored additional aspects of value that the consolidation will bring.
For instance, Nationwide expects that application development will be eased because it will no longer be necessary to develop an authentication mechanism within each new application. Also, as Nationwide moves toward a more centralized system, the ease of implementing authentication policies will increase. "When you are dealing with many different authentication mechanisms, it's hard to implement policies on every one of them at the same time," Gueli says. "So if there was a policy change tomorrow, implementations would have to be staggered out." With an enterprise directory, the period of transition (during which there is sometimes an inconsistency of policies) will be avoided. Another expected advantage of the plan is the reduction of help-desk calls for password reset. These are currently the most common types of calls received by Nationwide's help desk. Although the carrier has automatic password-reset functions in place today, because of its disparate systems it faced challenges in managing the process.
"The problem is, when you have many authentication mechanisms, it is difficult to implement an automatic reset function for all of those mechanisms," says Gueli. "Nationwide has tried to first address the big hitters."