This Month's Experts:
Director, Agent Internet Systems, Progressive Insurance, Cleveland
Karlyn T. Carnahan, CPCU
Global Industry Manager, Insurance, Sun Microsystems, Menlo Park, CA
Systems Officer, Nationwide Insurance, Columbus, OH
Global Technical Strategist, Insurance, Microsoft, Redmond, WA
William N. Pieroni
General Manager, IBM Global Insurance Industry, Armonk, NY
Q: What are some of the benefits of Web services for insurers and what is the promise of Web services for transcending the complexities and costs of legacy systems?
A: Alvito Vaz, Progressive Insurance: Web services and Internet connectivity provides the capability to improve the level of customer service by providing immediate, real-time access to information. Historically, customer information was not available and required the consumer to call their agent who then had to contact the insurer. Web services can streamline this process by making information available to either the agent or the customer directly. This instant access will improve customer service and satisfaction. The key to effective usage is designing applications to effectively use the same Web service for both internal and external usage.
A: Josh Lee, Microsoft: Insurers will be able to use Web services in two major categories of applications. First, in tying together internal systems with the use of loosely coupled messaging and transactions. Because Web services are based on industry standards like XML and SOAP, they can be leveraged from many platforms and applications. By expressing objects and internal transactions as SOAP- and XML-based Web services, those systems can send and receive messages in those standard formats, thereby knitting together systems that were largely proprietary.
The second way that Web services can be leveraged is externally. This means that an insurer that wants to publish their rating calculations for the state of New York for personal auto can do so as a Web service for any consumer. By again using standards, a true SEMCI model can take shape as systems can easily discover and integrate Web services into applications like agency management systems. Since "legacy" systems will likely be in existence for some time, it's important that the newer technology be able to sit on top of those platforms and provide more flexible ways to integrate the older and the newer systems.
A: Fred Pantaleano, Nationwide Insurance: Web services has the potential to take complex and/or redundant insurance-required business functions and reduce cost, complexity and time to market. Examples include rating, VIN, third-party software interfaces, address look up, territory validation, etc.
A: Karlyn T. Carnahan, Sun Microsystems: Today, we see Web services as a mechanism for distributing vital information and services across a networked interchange. Web services is a portal-based computing environment that separates the back-end development and processing challenges from the front-end presentation.
In business terms, Web services is an infrastructure that delivers information and services to employees and customers "on demand," from anywhere, any time, via any Web-connected device, transcending disparate legacy system, bottlenecks and gridlocks, and expanding the value of the existing assets. The net effect is improved customer service, increased efficiency, lower business costs and improved profitability.
A: William N. Pieroni, IBM Global Insurance Industry: The benefits of Web services for insurers center around three interrelated sources: Expense optimizationThe ability to dramatically lower the cost of internal and external legacy integration, thereby increasing the ability to leverage third-party information, applications and alliances; Process enhancementThe ability to enhance core capabilities (underwriting, policy administration, and claims processing by tailoring activities and driving function closer to the agent and insured; Strategic flexibility/operating adaptabilityReduced expense and increased process enhancement will give rise to additional managerial degrees of freedom, given reduced time and cost of change.
Q: If a carrier chooses a Web services architecture (for instance .NET), does it run a risk of not being able to communicate with other business partners that chose other architectures (Sun ONE or WebSphere)?
A: Vaz, Progressive Insurance: No. The underlying architecture should be transparent and able to interface with heterogeneous systems.
A: Pieroni, IBM: The real risk is not about isolation or technology obsolescence but rather around more traditional technology risks: lack of scalability and robustness. Most carriers are focusing on near-term issues like relative ease of installation or learning curve timeframe. However, the greater issues are on longer-term technology risks such as scalability across the internal and external value chain. These issues have historically been the root cause of major mistakes in technology selection.
Unfortunately, not all Web services architectures or solutions have proven their ability to scale and deal with the specific complexities of the industry.
A: Pantaleano, Nationwide Insurance: Of course, but I believe collaboration across various vendors will be there in the end. Our standard for Web services within Nationwide Insurance is .NET.
A: Lee, Microsoft: True Web services architectures are the new paradigm. Recognizing this, large companies that provide this infrastructure have begun the work of standardizing the specifications for those Web services. This had already begun with the submission of SOAP and WSDL (Web Services Description Language) to the W3C. In February, Microsoft and IBM formed a consortium called the Web Services Interoperability Organization (WS-I) with some 60 other companies participating. The goal of this organization is to ensure that the messages that flow in and among Web service based systems are consistent with certain foundational frameworks and specifications so that messages can be processed. In June, the first of these extensions to Web services (WS-Security) was released to OASIS by IBM, Verisign and Microsoft as the first step in a process that will see a robust and interoperable Web-based architecture emerge as industry standards. After that, it's all up to the vendors that implement those standards in their tools.
A: Carnahan, Sun Microsystems: Not only is this a huge issue, but that very issue is either going to result in Web services being a huge success or a complete disaster. As you go up the protocol stackas things become high level and sophisticatedthere's always pressure to make those higher-level services proprietary. However, proprietary lock-in contradicts a fundamental advantage of Web services, and that is the ability to transcend disparate technology systems.
Standards-based computing is all about choice and ROI. Sun's Open Net Environment (Sun ONE) is completely standards-based, therefore, technology vendors compete purely on the excellence of the product and performance, and not by default.
Q: What types of security concerns exist with Web services and how can insurers protect systems and data from security breaches?
A: Vaz, Progressive Insurance: Security is a key consideration. In some ways this is also a key obstacle in the industry's ability to effectively utilize Web services. The predominant method today is user ID and password authentication. This has created a problem with agents having to track multiple ID's and passwords. An ideal solution would be a centralized, trusted repository that the industry utilizes to verify identity. Progressive and other companies are working to address this issue through the Agents Council for Technology, which was formed by the Independent Insurance Agents & Brokers of America.
A: Lee, Microsoft: Security methodologies with Web services are the same as those employed for Web sites and Web servers. New specifications, like WS-Security (referenced previously), will make support and bridging of various security protocols possible. Other solutions that will emerge will also make it more difficult to initiate denial of service attacks against Web service servers. In short, nothing changes in the way that systems are protected. As for technology, there are no new requirements that shouldn't have already been in practice with Web servers in almost all insurance companies.
A: Pantaleano, Nationwide Insurance: "Secure Computing" is a major theme for Microsoft for the next few years. There are significant challenges in this arena. At the end of the day, common sense security practices will need to be implemented whether Web services are accessed or not. So encryption, placement of services behind firewalls, and type of data sent outside the "hardened environment" are all considerations from a design perspective.
A: Carnahan, Sun Microsystems: Web services enables access to applications and services that once sat safe inside the haven of the corporate data center, expanding the horizon of a transaction beyond the borders of the enterprise firewall and into the virtual market place. One benefit of Web services built upon HTTP, SOAP and XML is the ease with which these technologies meld with the existing infrastructure of the Web when compared to traditionally distributed technologies such as CORBA and DCOM. This flexibility is a double-edged sword. Because these technologies are so familiar, it's easy to forget that a Web service requires stronger security than a Web site. The first security consideration is user identification and authentication to ensure that only authorized users have access to the service.
In deciding which transactions need protection and which do not, insurance companies should place transactions into three classifications: those that need protection from observation and tampering; those that need protection from tampering; and those that need no protection. Transactions that need protection from both observation and tampering require SSL. Insurance companies that need protection only from tampering are better served by using a MAC (Message Authentication Code).
A: Pieroni, IBM: Web services' security concerns involve traditional issues as well as several specific factors. Security and security standards are a major focus of Web services standards activity. All of the major vendors are working together on SOAP and other security standards, and their urgency is being fueled by the need to make B2B Web commerce secure enough to support new and growing markets. Newer security concerns created by Web services center around multi-step intermediaries. Two key issues are how to maintain security as a message passes through several Web sites before reaching its destination and the need to pass authorization along with the message whatever the transition path.
Q: How long will it be before we see mass adoption of Web services technology in the insurance industry? Also, what do insurance carriers have to do to prepare for Web services?
A: Vaz, Progressive Insurance: The biggest challenge will be retrofitting existing legacy systems to work in a Web environment. This is likely to be a two-staged migration with "bridges" being built to expose functionality to the Web. A secondary, and more extensive, re-architecture effort will be needed to convert existing systems to a Web services approach. Based on the critical business impact to existing operations, this is likely to take years to accomplish. Progressive has taken steps to extend our legacy applications to the Web by making policy information and documents available to both agents and customers. Many policy-related questions and changes can be handled using these tools.
A: Carnahan, Sun Microsystems: We are seeing mass adoption now in the insurance industry. All of the carriers I have spoken with in the last six months are working on Web services at some level.
Utilizing Web services can drive a tremendous amount of cost out of the process. The emergence of global standards will deliver the ability for all carriers to utilize Web services. First, carriers must hone down their business strategy. Understand what the company truly stands for and where it is going. Step two is to examine and evaluate the current architecture. Step three is to adopt open standards in applications, design and architecture. Assure that new applications being developed or purchased have open standards.
A: Pieroni, IBM: The adoption of Web services has long since begun. Most carriers have realized that the benefits of Web services are materially significant. Adoption is already occurring and will continue over the next 24 to 36 months. Beyond that time frame, we will see the adoption rate increase dramatically.
To prepare, insurers must focus on more critical process and organizational-related issues. The majority of insurers will need to fundamentally change business processes to leverage Web services to transform the business. It is these process and organizational capabilities that have and will continue to differentiate winning insurers.
A: Lee, Microsoft: There is already a great move towards Web services. It will only be a few years before the industry will start to see some fantastic implementations of distributed systems. Such solutions like reinsurance exchanges or claims exchanges will be facilitated by Web services. To prepare, the first is to make existing systems XML-compliant. Legacy systems may require some bootstrapping to make them able to parse XML. By also participating with industry standards organizations like ACORD, insurers will be able to use the frameworks for XML messaging.
For more information about the future of Web services in insurance, register for I&T and ACORD's Insurance Standards Leadership Forum: Business Strategies for Industry Transformation, Sept. 18, 2002, at the Roosevelt Hotel in New York City. For details, visit www.insurancetech.com/events/islf2002.
Greg MacSweeney is editorial director of InformationWeek Financial Services, whose brands include Wall Street & Technology, Bank Systems & Technology, Advanced Trading, and Insurance & Technology. View Full Bio