Zurich Insurance will celebrate its 150th anniversary in three years’ time, and with such a long history, it has also been left with older systems and customers. Mark Cameron, Enterprise IT Architect at Zurich UK, explains:
As an established company, the firm has a lot of legacy IT and an older demographic of customers but we’re now looking to be much more customer-centric and easier to engage with digitally, and hopefully attract younger customers too.
Zurich UK is part of the wider Zurich Insurance Group which has about 53,000 employees spread across 210 countries and territories, with a big presence in the UK, Europe and North America, as well as a large number of customers in the Middle East and South America.
Cameron’s role is to come up with the IT mechanisms that meet the Swiss company’s business strategy:
This means working out how we engage with customers digitally, giving them a pleasant experience. But as we are a very risk averse company, we need to balance that against being safe and secure. Our organisation has never been breached at a time when many household names have been – it’s a reputation that we prize and want to keep.
Cameron works within one of the three pillars of IT within Zurich UK - architecture. The other two pillars are service management and the group information security (GIS). All three teams work closely together to deliver what the company needs from an IT perspective. Most recently, it had been looking to replace its proprietary security mechanisms:
We’re all based on a central data centre, all of our security is proprietary based on our own Active Directory which was internally facing. We then started to build our customer portals to reach out to the outside world and did bespoke builds for our security – some based on our Active Directory, and a lot based on how we as an organisation work rather than being focused on the customer.
In the UK alone, the company had 20 portals with 20 different authentication mechanisms, meaning that if a customer wanted to buy car insurance, home insurance, have a pension or invest in savings, there were 20 different systems. This created a lack of consistency, and resulted in a high amount of effort and expense being spent on security. Cameron says:
We were spending a lot of money on something which isn’t our area of expertise, so we wanted a company whose whole reason for existing is to focus on identity and security, so that we could focus elsewhere.
Zurich UK considered Okta, ForgeRock, Layer7 SiteMinder and Ping as alternative providers. In addition, as the company uses Microsoft Azure’s private cloud, its identity service was also considered.
Opting for Okta
For Cameron and his team, Okta was both technically superior to, and more flexible in its approach than, all of the alternatives:
From a technical perspective, big pluses from Okta included adaptive multi-factor authentication (MFA) and integration with Active Directory. As an example of how Okta treats its customers: we’ve got a 200,000 user base, with all the credentials we wanted to carry over to ensure there was minimal impact for customers, but these were stored using [password hashing function] bcrypt in an Okta data store, and at the time Okta used a different encryption standard. However, they implemented bcrypt just for us in about two months as a beta.
Cameron adds that Okta’s lifecycle management ability was another benefit:
With a lot of authentication solutions, you get the identity management solution, the ability to manage credentials and authorization and then you have to interface that into your customer journey. With Okta, you can build the customer journey, you can build the lifecycle of on-boarding, removing and migrating people as well as introducing MFA, and we didn’t have to bolt something else on top.
From a monetary perspective, the switch to a software-as-a-service (SaaS) based model, rather than having to invest in its own data centre, will result in cost savings:
I would say we’re expecting to save about 50% by going for a solution like Okta in the long-term.
The next step for the insurer is to move to a completely passwordless enterprise, says Cameron:
Going passwordless would make things easy for our customers. We’ve got customers that maybe log on once a year to check their pension, and they would call our contact centre every year to reset their details. If you can move to using thumbprints or retina scans it would make it a lot easier than passwords.
Cameron adds that it would also help enable the company to be more secure internally:
We have an average age of 58 within our company so our staff often require more technical help - so moving away from passwords would reduce this requirement.
Cameron believes that Zurich Insurance can become passwordless within the next two to four years.
Connecting with Uber
It’s not just security where the company hopes to use new technologies. Cameron explains:
We’re very keen to innovate in the digital space – we’re very keen to work with insurtechs and new technologies and come up with new ideas. For example, in Europe we’re connecting with Uber to do dynamic insurance for taxi drivers, and we’re using Okta as an authentication method to enable that.
Taxi drivers may only be using their vehicles commercially for 20 hours a week, but have had to insure themselves for seven days. By working with Okta and Uber, Zurich can measure when the drivers are on their journeys using the Uber app – and only insure them for the period in which they’re carrying passengers.
Cameron hopes this openness of working with new types of partners will lead to many more years of success at the insurer, but much of that will be down to using modern technology and attracting younger customers.
[Updated to clarify relationship between Zurich UK and the global Zurich Insurance Group].