Identity and Access Management — the Enabler of Smooth Insurance Experiences

Mihails Galuška, published in If Technology, Sep 23, 2021 (5 min read)

A short look at what Identity and Access Management does for the business of If P&C Insurance.

If I had to summarise in one sentence what Identity and Access Management (IAM) does for If Insurance, it would sound like this:

“IAM ensures the access to the data and services is securely granted, revoked and controlled based on true identity and its actual role in the complete landscape of relationships, not on the isolated, narrow or historic view of the user credentials.”

Mihails Galuška, Identity & Access Management Global Product Manager, If P&C Insurance

The “invisible” enabler of smooth digital experiences is IAM. It answers several important questions before giving access to the requested service, product, data or functionality.

Who are you in real life? (Identification)

How can you prove you are who you say you are? (Authentication)

What do you mean to us, i.e., what are your relationships with us and with others? (Identity Management)

Which doors are you knocking at, i.e., how are you approaching us — channel, device, system, location? (Authorisation from here on — applying business rules)

What do we have here for you, i.e., what kind of data, services or products can be provided to you in the actual context? (Granting access)

Based on these answers, the permissions to access information and services are granted.

Essentially, this is what IAM does at its core regardless of the industry and the actual service. The enforced permissions must always reflect the actual situation.

The time dimension is an important factor to consider: as life goes on, children become adults, have life experiences (job, marriage, children, etc.), and eventually pass on. Any of these events in a person’s life can play a relevant role in the business context and could be considered an important input to the IAM environment.

In If Insurance we believe IAM is the key element in providing a 360-degree view of the customer, partner, or employee. This is where we accumulate and manage major facts about the individual: all the different contexts, roles, relationships and permissions. Regardless of the communication channel and device used, this information serves our business systems so that they make the right decisions and provide the proper information and functionality to users. In fact, it enables our business to serve customers smoothly, securely, and precisely. Our IAM mission is to ensure one identity for one individual across all countries, all systems, all products, and all channels we have in If.

In the IAM space it is important to:

Ensure privacy and security while keeping disruptions to the insurance experience to a minimum.

Find a balance between trust and smoothness for each specific business service. The higher the security and privacy requirements, the more complicated the user experience.

Integrate with different business systems to deliver IAM services in a unified and manageable manner.

Apply the same IAM principles to the partner operations in distribution, claims, etc. so If services are delivered via partners as smoothly and securely as if we were to do it directly.

Many other considerations in the IAM area exist to enable smooth and omni-channel customer journeys. However, IAM guideline №1 in If is to ensure 1:1 mapping between a person and his or her electronic identity. This implies we should always start by identifying and authenticating our counterparty properly. A centralised authentication service is the cornerstone of the IAM infrastructure in If. At the same time, user habits and local needs should not be sacrificed in favour of total centralisation. Therefore, we often rely on the trusted authentication methods which are already available to many users in their countries, such as Bank ID in Sweden and Norway, NemID and MitID in Denmark, Finnish Trust Network in Finland, SmartID and different national ID schemas in Baltic countries.

Regardless of the authentication method used by the customer, his or her identity is what matters to us. It is key to deliver personalised experiences to the customer on the fly.

See the always logged-in experience of the customer in If Mobile app to securely retrieve one's health test results from the partner laboratory (29 sec.).

Once the identity is known and has been proven to us through our new IDP platform (Curity), the Identity Management platform (ForgeRock for Identity Management, IDM) looks for relevant data and relationships regarding other objects such as people, products and contracts, and establishes the context for further interactions. ForgeRock puts the user into the context of the actual transaction with us and makes sense of what the user means to us. The business system then calls the policy-based authorisation engine (Axiomatics) to supply the user with the proper access permissions to the data and functionalities in the relevant business systems.

Identity management and authorisation services are becoming a central place to control the identity attributes and the access permissions across a countless number of business systems. Obviously, this cannot be achieved in one day, and many projects are run to integrate IAM platforms with the most critical and sensitive business systems to continue to ensure GDPR and EIOPA compliance.
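The decision chain described above can be sketched as a small policy check. This is an added illustration, not If's code and not the Curity, ForgeRock or Axiomatics API; the names, sample relationships and policy table are all hypothetical. It shows why permissions are derived from relationships that are active at request time (a guardian's access ends when the child comes of age) and how a more sensitive service demands a stronger authentication level.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Relationship:
    subject: str                     # person holding the role
    role: str                        # e.g. "policyholder", "guardian"
    target: str                      # person or contract the role applies to
    valid_from: date
    valid_to: Optional[date] = None  # None means the relationship is still open

    def active_on(self, day: date) -> bool:
        return self.valid_from <= day and (self.valid_to is None or day < self.valid_to)

# Constructed sample data: what the identity management layer would know.
RELATIONSHIPS = [
    Relationship("anna", "policyholder", "health-policy-1", date(2015, 1, 1)),
    Relationship("anna", "guardian", "leo", date(2004, 6, 1), date(2022, 6, 1)),
    Relationship("leo", "insured", "health-policy-1", date(2015, 1, 1)),
]

# Hypothetical policy: action -> (roles that qualify, minimum authentication level).
POLICY = {
    "view_policy": ({"policyholder", "insured"}, 1),
    "view_health_results": ({"self", "guardian"}, 2),
}

def current_roles(subject: str, target: str, today: date) -> set:
    """Roles the subject holds towards the target today, not historically."""
    roles = {r.role for r in RELATIONSHIPS
             if r.subject == subject and r.target == target and r.active_on(today)}
    if subject == target:
        roles.add("self")
    return roles

def decide(subject: str, auth_level: int, action: str, target: str, today: date):
    """Return (decision, reason); anything not explicitly permitted is denied."""
    rule = POLICY.get(action)
    if rule is None:
        return "Deny", "no policy for action"
    allowed_roles, min_level = rule
    if not current_roles(subject, target, today) & allowed_roles:
        return "Deny", "no active relationship"
    if auth_level < min_level:
        return "Deny", "step-up authentication required"
    return "Permit", "ok"
```
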

The same principles but with different types of tools are used to ensure proper governance of identities and permissions towards internal employees. Centralised Identity Governance and Administration (IGA) and Privileged Account Management (PAM) tools are planned to be implemented to accomplish the mission.

The importance of the IAM mission is well understood and supported by the business in If at all levels. IAM representatives participate in major internal decision forums, whether they relate to IT architecture, security, new or changing business services or internal platforms. Digital business is no longer a separate part of our business. ANY business in If Insurance is a digital business after all. IAM is what enables it.

The IAM Enabler teams in If are rapidly expanding to implement and extend the use of new IAM tools across the group. Consider joining If should you find these challenges inspiring!

Mihails Galuška (If Technology): IAM Global Product Manager in If Insurance, previously e-signing product owner in the national trusted authority in Latvia