Wavestone Strengthens Global Insurer’s Customer Trust, Securing Private Data
- Cybersecurity
- Data & AI
- Insurance
Data security: key to customer trust
The insurance industry has historically had to work hard to gain the trust of consumers, with recent data breaches making the challenge even tougher. For instance, in 2024, an attack on one of America’s largest life insurance companies resulted in millions of customers’ private data being accessed, underlining the critical role of data security in consumer trust.
To differentiate itself in the marketplace, Wavestone’s client decided to become a leader in customer trust by keeping customers’ sensitive medical and personal information secure. This was seen as fundamental to winning and retaining customers.
In light of this, security was a top priority as the client pursued an extensive cloud adoption program. This program was part of their strategy to reduce significant technical debt, enhance operational efficiency, and streamline costs. The migration involved moving many business-critical applications that processed ‘crown jewel’ data, so it was vital to ensure that the cloud application infrastructure was secure and did not compromise any customer data.
The first stage of the migration program involved the client finding a trusted partner to securely redesign the architecture of over 120 applications. These applications had not been updated for many years and were not originally designed with security in mind.
All applications were rigorously assessed to ensure they adhered to security-by-design principles before migration. The application architecture was thoroughly evaluated to meet minimum security standards and fully assessed to identify potential risk exposure for the client.
This enabled the client to leverage cloud-native technologies, such as Azure Key Vault and Log Analytics, and address technical debt by upgrading the underlying infrastructure and application technology stack.
The client integrated Wavestone into their security team as an extension for the nearly two-year duration of the project.
Identifying & resolving data security risks during migration
An assessment framework was developed to identify failures and risks, ensuring robust reporting to senior stakeholders about any security gaps within the architecture. The combined team was responsible for evaluating the target design and proposals from both technical and security standpoints, flagging potential security concerns, and proposing remediation actions to align the final migrated design with the client’s security policy.
This started with a high-level risk assessment for each of the 120+ applications in scope and was later extended to include a low-level risk assessment and post-migration reviews.
Some of the activities that the team conducted as part of this remit included:
- Analyzed the applications’ target architecture in the cloud, assessed the design for 10 key security domains, evaluated the proposed design for ‘cloud-safety’, and prepared a risk assessment report for each application. This included a RAG (Red-Amber-Green) status for each risk, highlighting technical, operational, financial, and reputational risks, and proposed remediation actions for all identified risks.
- Reviewed the primary architecture and interviewed enterprise and cloud architects based on the documentation to complete the security questionnaire. Requested updates from network architects, and once finalized, produced a high-level Risk Assessment document for presentation to key stakeholders.
- Conducted detailed reviews of the technical solution document instead of the primary architecture document. Analyzed various aspects of the target design, including technical architecture, authentication model, encryption and DLP, logging and monitoring capabilities, tech debt, governance, and more. Introduced a proprietary security questionnaire to identify risks and vulnerabilities and led interviews with enterprise and cloud architects to complete the documentation before key stakeholder review.
- Set up new processes for relaying relevant information to senior stakeholders, including establishing tracking and accountability mechanisms for security and IT processes.
- Introduced and implemented best practices for multiple processes across the IT entity, including documentation for architecture teams, tracking for remediation teams, and reporting for the project management team.
Building client confidence in their data security
The program delivered by the combined team not only bolstered the client’s reputation for customer trust but also instilled confidence within its security and cloud migration teams.
With the assurance provided by the team’s efforts, the client’s security and cloud migration teams could confidently proceed with the migration of applications to the cloud, knowing that the level of security was robust, and that customer and confidential data remained secure. This assurance served as a cornerstone in upholding the client’s commitment to safeguarding sensitive information and maintaining trust with their customers.
In addition, the ways of working adopted by Wavestone were key in supporting the pace at which applications were migrated to the cloud and in optimizing the client’s infrastructure footprint, delivering secure and optimized operations.
Key realized benefits
Over the course of this two-year engagement, several key benefits were apparent:
- Security confidence: The level of application architecture security was raised significantly, giving senior stakeholders confidence in their ability to both mitigate and detect potential incidents.
- Enhanced transparency: The measures put in place now paint a much clearer picture of the current state of security and, consequently, the risk profile of their environment.
- Improved governance: New enhanced processes for the identification of potential risks and their subsequent reporting ensure senior stakeholders are up to date on their current state of security maturity and allow for faster mitigation.
With Wavestone’s expertise, the client achieved a secure and seamless cloud transition, enhancing their data security posture and solidifying their reputation for safeguarding customer trust.
Tom Lawrie
Partner – UK, London
Wavestone