Without the proper security controls, participation in Web services over the public Internet is about as wise as yelling intimate secrets on a crowded street corner.
So it's no surprise that most insurance carriers are not exposing themselves through this channel just yet. Instead, progressive carriers are dipping their toes in the waters of more secure inter-application Web services transactions.
"The whole idea of Web services as a business enabler is compelling," contends Ron Calabrese, second vice president, claims systems, at Hartford-based Travelers Property Casualty Corp ($66 billion in assets). It is also understood, however, that heavily regulated insurance carriers "can't sacrifice security for [efficiency]."
Although Web services promises to revolutionize e-commerce through open standards of communication that will enable application accessibility to a whole host of businesses and consumers, security standards for Web services that can be accessed via a public registry such as a UDDI (Universal Description Discovery and Integration) have yet to be accepted and ratified.
In recognition of the fact that security standards probably won't be put in place any time soon, experts are advising insurance companies against holding their collective breaths. "Huge firms are being asked to cooperate" to establish security standards, relates Michael Haney, senior analyst, Celent Communications (New York). "That in and of itself can cause debates and delays."
Currently gaining momentum with carriers is the use of Web services as an EAI (enterprise application integration) protocol in order to "broadly expose [applications] with less effort," according to Rick Hoehne, insurance solutions executive in IBM's (Armonk, NY) sales and distribution organization.
When Web services are used internally for this purpose, "dynamic machine-to-machine communication is enabled without a lot of heavy custom point-to-point integration work," explains Matt Josefowicz, senior analyst, Celent Communications.
"Let's say your company has three systems that it wants to make able to 'talk' with four other system. If you set up point-to-point integrations between the systems, that is 12 points that have to be covered," explains Josefowicz. "If you 'teach' all of those applications to send and receive internal Web services, then there are only seven integration points." Efficiency benefits become more and more apparent, stresses Josefowicz, as the number of systems that need to be connected become more numerous.
Currently, insurers are looking to two dominant solution platforms to get the job done. They are Microsoft's .NET platform and those based on the Java standard defined by Sun Microsystems (Palo Alto, CA). Even the most prudent of carriers feel confident when it comes to the implementation of these platforms for internal inter-application communications because all transactions are completed internally, safe and sound from the evil that may be lurking beyond a carrier's corporate firewall.
Improved Legacy Access
New York-based MetLife ($286 billion in assets) is currently exploiting the use of Web services to reduce administrative costs, as well as increase self-service capabilities and improve time-to-market, relates Clint Eastham, director, application development and institutional e-business, MetLife. Adds George Foulke, vice president of IT at MetLife, "Web services are [helping MetLife] to draw together access to legacy systems that were much too cumbersome."
As a result of accessibility improvements, the carrier can more easily "serve up" legacy data and make it available to policyholders and producers via different log-in and password-protected customer sites. Web services have enabled the "MetLife family to get crafty in its ability to separately brand and customize sites by distribution," relates Foulke. Administrative costs are also being reduced because policyholders are given the ability to make routine policy changes.
Similarly, Northbrook, IL-based Allstate Corp. ($118 billion in assets) is reaping the benefits associated with an internal Web services architecture for integration of its applications, explains Pat Coffey, assistant vice president, protection technology, Allstate.
The practice is enabling the insurer's applications to exchange information. As a result, policy information is more easily "linked" to Allstate's Customer Care Center. Another application that is linked via the Web services architecture is AccessAllstate.com, Allstate's site for financial representatives.
Through Web services, Allstate was able to "leverage code that had already been written," relates Coffey. This enables "simplification of our support and production environments," adds Cathleen Halliburton, director, technology.
Allstate's initiative is powered by the use of SOAP (Simple Object Access Protocol), which Celent's Josefowicz identifies as an emerging standard for inter-application information exposure. Additionally, the carrier decided to build its Web services capabilities through use of Microsoft's Visual Studio .NET, explains Halliburton. Allstate decided on the suite of programming languages and development tools that support .NET because of the product's ability to enable speed to market.
"Allstate has embraced Web services as a standard to deliver future solutions," says Coffey. "Web services allows you to [easily] serve it up on a Web site, perform business-to-business transactions, or connect systems [internally]." She adds that in the immediate future Allstate can see itself engaging in secure Web services with predefined partners.
This won't necessarily mean that Allstate is risking its information's security. According to Michael Jackowski, a partner in Accenture's (Chicago) Insurance Solution Practice, through the use of encrypted private networks and pre-negotiated security techniques, an insurance company and a predefined partner can exchange information with the same minimal security issues that it would have to address with standard EDI (electronic data interchange).
Although best practices for the security of point-to-point Web services transactions have yet to be established because the practice is new, there are a number of methods and strategies that are currently being trusted by carriers that are testing the waters of point-to-point Web services, according to Josefowicz.
One of those methods is the use of https (Hypertext Transfer Protocol Secure), the protocol for accessing a secure Web server. Using https in the URL instead of http directs the message to a secure port number. A user's session is then managed by a security protocol. IP address verification can also be used to help secure these transactions.
Digital certificates are another security method carriers are deploying to secure information, says Josefowicz. They are the digital equivalent of an ID card used in conjunction with a public key encryption system. Also, the use of SSL (Secure Sockets Layer) is being trusted to protect these transactions. As an SSL session is started, the server sends its public key to the browser. The browser then uses the key to send a randomly generated secret key back to the server.
Travelers is exploiting a secure Web services connection for external point-to-point use with San Diego-based Mitchell International, Inc., an auto glass clearinghouse. It established the relationship in order to streamline its glass claims/replacement process in early 2001, reports Travelers' Calabrese.
Increasing Ease of Use
The system has made life easier for policyholders, glass vendors and the insurance carrier. Before its implementation, "glass shops would have to call Travelers in order to obtain coverage information," relates Calabrese. Today, since Travelers and Mitchell are granted access to each other's data via a secured connection, information can be obtained without delays. "If a policyholder has cracked his windshield he can call Travelers and obtain information about where the closest participating glass vendor is located," explains Calabrese. Also, the system enables Mitchell to tap into Travelers' applications that provide customer coverage information.
As they explored the creation of a secure Web services-based link, Travelers and Mitchell decided not to use the public Internet for the transport of information. "A lot of security concerns were eliminated as a result," says Calabrese. Because both companies acknowledged they would most likely be individually linking to other businesses in the future, they wanted to ensure the system's flexibility. That led to the decision by both Travelers and Mitchell to expose information via the SOAP protocol.
Security was the next issue that Travelers tackled. Because both companies were utilizing an AT&T (New York) data network before they decided to use Web services, the process of securely linking the partners was simplified. This is because "AT&T has a way of securing an IP connection between two companies," explains Calabrese. To further ensure the security of the connection, Travelers opted for use of firewalls that translate and confirm IP addresses. The incorporation of a digital demilitarized zone (DMZ) is another security method that the carrier is using. The DMZ is a sub-network that sits between firewalls. It acts as a middle ground between Travelers' internal network and the external network. Travelers' external-facing Web servers reside within the DMZ.
"By adding this extra layer, we can verify the validity of the SOAP request and even translate that into a new request," he explains. "The use of a DMZ also allows us to isolate any virus attack 'outside' of the Travelers environment."
Like Travelers, MetLife is taking advantage of a Web services link that it has established with a partner, Dental Connect Inc. (Irvine, CA). The connection uses a claim intake component that extends to MetLife's legacy, explains Eastham. The service is enabling access of claims information "while the dental patient is sitting in the chair," he says.
Although the point-to-point initiatives that these carriers have undertaken might be viewed as leading edge, the number of insurers linking to vendor partners is likely to increase, in the opinion of Accenture's Jackowski. For the time being, he adds, carriers may be waiting for vendor partners to take the first step. Meanwhile, "several industry-leading vendors, such as Process Claims [Manhattan Beach, CA] and ISO [Jersey City, NJ] are looking to leverage point-to-point Web services to simplify integration with insurers' core processing systems," Jackowski says.
Future movements toward even more open Web services by insurance carriers are dependent upon whether IT management determines that the security risks outweigh possible efficiency gains and competitive pressures. For the most part, carriers do not appear to anticipate the use of Web services over the public Internet in their immediate future.
SECURITY STANDARDS: Beyond the Jargon
Here are some of the major groups working toward the establishment of standards for Web services security:
- OASIS (Organization for the Advancement of Structured Information Standards)
Mission: OASIS (Billerica, MA) is a global consortium that drives the development and adoption of e-business standards. OASIS produces worldwide standards for security, Web services, XML conformance, business transactions, electronic publishing, topic maps and interoperability within and between marketplaces. Key standards include: extensible rights markup language, WS-Security, Security Assertion Markup Language (SAML) provisioning, biometrics and extensible Access Control Markup Language. www.oasis-open.org
- W3C (World Wide Web Consortium)
Mission: The World Wide Web Consortium develops interoperable technologies (specifications, guidelines, software and tools). Key standards include: XML encryption, XML signature and XKMS (XML Key Management Specifications). www.w3.org
- Liberty Alliance
Mission: The Liberty Alliance project was formed in 2001 to establish an open standard for federated network identity. Key standards include SAML to pass standards-based security tokens between identity and authentication systems. www.projectliberty.org
- WS-I (Web Services Interoperability Organization)
Mission: WS-I is an open-industry organization chartered to promote Web services interoperability across platforms, operating systems and programming languages. The organization works across all industries and standards organizations to respond to customer needs by providing guidance, best practices and resources for developing solutions for Web services. www.ws-i.org