Case Study: Insuring data with proper controls

The opening up of the insurance sector has resulted in a slew of new products with attendant security threats.

The insurance sector has witnessed a sea change in the last two to three years. The Insurance Regulatory and Development authority (IRDA) has become established as the key regulator and the sector has been opened up to private players who have forged joint ventures with established financial institutions. New insurance products have become available, and a new model of conducting business has taken root in the online space and in other channels.

However, the growing competition and the increase in the number of products have also resulted in certain information security issues that pose a challenge to the insurance industry. The Chief Information Security Officers (CISOs) in the insurance sector have clearly laid down their priorities for risk management. As the insurance sector is privy to sensitive information, stringent safeguards for protecting customer information are necessary.

Parag Deodhar, Chief Risk Officer and Vice President, Program Management and Process Excellence, Bharti AXA General Insurance Co. Ltd., has made data loss prevention his top security priority. His endeavour is to work out strategies for securing data within the company's new technology initiatives around the internet, e-commerce applications and mobile computing.

Vinayak Khadye, Chief Technology Officer, India First Life Insurance Company Ltd., agrees with his peer when he says that his primary objective is to protect information assets by identifying risks and establishing appropriate controls without creating any barriers that might prevent the business from meeting its objectives and goals. "Our thrust is to meet our compliance and regulatory requirements, minimize the security related incidents, protect the company assets and data security. We also need to secure mobility, conduct risk assessment and vulnerability assessment of web application, and keep track of end point security and web server availability."

Ensuring a robust, secure system poses immense challenges, besides involving a huge cost in deploying the right solutions to mitigate the risks.

Security challenges and spending

The evolution of Web 2.0 and mobility within the organization have increased the challenges for Bharti's Deodhar, and this prompted him to go for internal audit and certification of the highest order. However, with the business growing at a very rapid pace and the organization changing rapidly with regard to people, processes, products and technologies, the vital challenge for Deodhar is to ensure control over confidential information, including customer data.

The latest trends, such as cloud computing, social networking, wireless networks and mobile computing, have led to a surge in security related issues, and this is coupled with rising zero-day vulnerabilities across various new operating systems and applications, says Deodhar.

The issue before Vinayak Khadye of India First Life Insurance Company is to demonstrate the ROI on security solutions, besides training and educating users on security issues and concerns, and implementing a security framework and policies that will not hinder business growth. He must also conduct constant reviews of policies, processes and information security MIS / alerts to prevent untoward incidents. A plethora of challenges exists in handling data security, mobile device management, risk assessment and web server security, and deploying the right tools to address these is critical, admits Khadye.

The situation calls for increased investments. Springboard's latest report shows that in terms of overall spend, industry-specific solutions dominate the IT budgets of insurance companies, and include applications for claims management, policy administration, underwriting and sales. According to the IT managers, the insurance sector's top IT investment priorities are slated to be deploying CRM solutions, web development of in-house solutions, adoption of SOA, and telecom, voice and video over IP solutions. IT spend in the BFSI segment is expected to grow to $2.7 billion in 2013, at a CAGR of 14.2%, with the insurance sector being a prominent contributor.

The security related budget in the insurance space is on par with the industry standard: Khadye maintains that the total IT security budget for the year at India First, which has a capital base of Rs 455 crore, is about 5-7% of the total IT spend. Bharti AXA, for instance, spends about Rs 8 to 10 lakhs on certification and auditing for its teams. According to Deodhar, an approximate amount of Rs 30 lakhs is spent on procuring standards to streamline processes and policies, and the IT investment is quite high.

Solutions meeting security needs

While the IT managers deploy the regular end-point solutions as a default, there are certain elements of security that are focused on bringing in the necessary safeguards. For instance, Vinayak Khadye brought in significant investments around deploying internet-facing web application scanning for malware, service alerts, application vulnerabilities and system vulnerabilities as security as a service (SaaS). Besides this, designing and implementing a three-tier network and data centre architecture with network zoning, dual firewalls and redundancy, email and web security with McAfee SIG, and establishing a business continuity policy and a DR environment have been key security investments.

Bharti AXA is the first company to go in for ISO 27001 across all functions and branches, which has been the most significant deployment for its security head. The standard has helped Deodhar bring in a stringent security policy framework. However, as a standard, the insurance sector is predominantly relying on email archival, email cleaning and online security scanning on the cloud, with a multi-layered security approach and no hardware, software or operational cost.

There is visibility of virtual desktops with improved data security and the centralizing of desktop and information lifecycle management in the data centre. Some solutions pertaining to this sector, as the security heads find, include information rights management, virtualisation security, mobility security management, and risk assessment and vulnerability assessment of web servers.

According to them, the UID program could offer new ways for identity confirmation and access management of end customers for the financial services industry. In addition, the new IT rules, which cover data protection, should help in enhancing the security posture of the financial services companies.

Security Best Practices

There has been increasing pressure on the security heads to drive best security practices that ensure data security while keeping the cost low. The security heads have been working towards an opex model to drive down cost while ensuring everything is safe and secured. While having effective security policies and procedures, BCP, IPS at the data centre, MARS as an all-inclusive solution, change management etc., a start-up such as India First opted to go the cloud way.

Khadye points out, "We have implemented email archival solutions on cloud - clean email and web filtering. The services will enforce email preservation and legal holds, accelerate legal discovery and HR enquiries, and quick response to audit requests using advanced search functionality." The clean email on the cloud is geared to ensuring that email is 100% virus free; it will also address spam concerns, and be pre-cleaned for unsolicited or pornographic content. Web filtering, according to Khadye, monitors and controls all web content, provides real-time scanning of requested web pages, protects from web-borne malware, and deploys multi-layered defences against new and known malware.

India First has implemented a cloud-based vulnerability assessment service that scans its internet-facing applications and provides daily alerts.

Overall security is only as strong as its weakest link, and often it is the human factor that turns out to be the weakest link. Deodhar has been able to set up a good training and awareness program, which takes off from the point where an employee is inducted. There are also refresher trainings, web-based trainings and video-based trainings to enable employees to perform their work securely.

"Also we have a global security team which interacts regularly with all CISOs across group companies through a formal security Xchange program. This helps us understand the latest trends and threats across the world and helps us prepare better. We also have a global SOC which helps us monitor and manage the incidents proactively," says Deodhar.

Insuring the Future

As a standard, most security heads have set the agenda to go in for ISO 27001 implementation and certification. The priority across the companies would be to enhance end-point security management by implementing data loss prevention, IRM, identity and access management, encryption of data, load balancing, and eBusiness and mobile computing security tools. Khadye informs that securing portable devices such as USB drives and mobiles in the existing environment is critical. A database activity-monitoring tool is also the need of the hour.
