Securing remote access: with the transition to dial-up access to the Web, IPSec VPN technology arrived on the scene as a way for agents, or field-based employees, to access the company network and data. Now, SSL VPN is emerging as a strong challenger to traditional IPSec VPN

Risk & Insurance, Nov, 2004 by Tom Starner

As vice president of information technology at MCM Corp., Paul Webb naturally worries about security. MCM, a Raleigh, N.C.-based insurance holding company that owns Occidental Fire & Casualty Co. of North Carolina and Wilshire Insurance Co., gives contracted independent agents indirect access to its main network via the public Internet--a potentially scary proposition, to say the least.

To greatly reduce risks associated with data transmitted via the Web, MCM uses technology called a Secure Sockets Layer (SSL) virtual private network (VPN), or SSL VPN. While VPNs are not all that new, SSL VPNs, the latest VPN iteration, require that the remote user only have access to the public Internet and proper authentication to be securely connected to the company network.

On the other end, the corporate network has a piece of hardware that sits between the public Internet and the company network/server to prevent unauthorized access.

"That's the beauty of the SSL VPN technology," says Webb, adding that MCM launched its SSL VPN in June. "We have full control because it allows us to implement our security policies."

The original VPN technology, called IPSec (Internet Protocol Security) VPN, requires an application, also called a client (actually software) that resides on the remote user's computer to provide access. That means the remote user either has to have a desktop or laptop PC with the client installed in order to remotely, and securely, access the company network via a VPN. With SSL VPN, any Internet connection will work.

Mark Burnette, Global IS security officer at Willis Group Holdings Ltd., the New York-based global insurance brokerage, says that incorporating SSL VPNs into the Willis data delivery mix has been a winning proposition.

Burnette, who joined Willis just over two years ago, added the SSL VPN hardware, in this case the e-Gap Appliance from Fort Lee, NJ-based Whale Communications, and moved the Willis mail server to the internal network.

"We had to respond to the growing demand for remote access as the Willis workforce continues to become more mobile," Burnette says. "Brokers and other Willis employees across the globe need access to e-mail, but they grew tired of lugging laptops around to check and send mail."

The Web mail solution is a good one, Burnette adds, but unprotected Web mail also means potential data risk, so Willis added the SSL VPN as a way to provide the flexibility and protect its network at the same time.

"We require a two-factor authentication, which includes a username/password as well as a key fob device," Burnette says.

Burnette explains that while the SSL VPN appliance can secure much more than e-mail, Willis initiated it just for e-mail as a starting point. In the future, Willis retains the potential to run any Web-based application through the appliance.

"The beauty of SSL VPN is that it's a one-time cost," he says. "You pay upfront for the hardware and that's it, it just works.

"This is absolutely something business can't do without, now that there is increasing demand for more remote access," Burnette adds.

So far, Willis has 4,000 users on its iNotes (email) server in North America. The next challenge is determining how to extend access to Willis' international offices, which currently are primarily served by slow, expensive dial-up accounts.

According to Richard Stiennon, a vice president of research at Gartner, the Stamford, Conn.-based technology research and advisory firm, insurance companies, with their independent agency system, have one of the best existing architectures for technology such as SSL VPN.

In the past, Stiennon explains, there existed various levels of security for agents who needed access to underwriting, new customer data or claims data. Unfortunately, part of the problem is insurers could potentially expose their proprietary data to agents as well as the data agents and brokers needed.

"Insurers even gave agents the hardware to access company data," he says. "At the time, the business model supported it, and insurers could make those investments. It also made the agent happy and successful."

But with the transition to dial-up access to the Web, IPSec VPN technology arrived on the scene as a way for agents, or field-based employees, to access the company network and data. Now, SSL VPN is emerging as a strong challenger to traditional IPSEC VPN.

"SSL is starting to replace traditional VPN," Stiennon says. "It's a perfect application because you don't need the heavy duty client, and there is practically no technical support needed for the insurer."

The best part, Stiennon adds, is the security, as long as the proper steps are taken. For example, a user accessing an application from a public Web kiosk or other machine that is not secure means any companies using SSL VPN must take the proper steps. The Willis example of username, password and key fob log-on falls into that category.

According to Tim Riley, group chief information officer at Alea, a global, multi-line solutions-oriented reinsurer/insurer and also a Whale customer, Alea has been an early adopter, having used SSL VPN for two years.