Athora Belgium offers numerous online services. These services are aimed at life and group insurance brokers and employers via its Gensite extranet or via Brio, a secure partner site, as well as at the policyholders who have access to the e-services of Athora and to all the details on their insurance policy in real time through the myBroker platform. When added up, that accounts for 11,000 users with different levels of access. Athora had to set up an infrastructure capable of integrating the different kinds of access and of guaranteeing security for all stakeholders.
The initial project started in 2015-2016 with Gensite and Brio, a partner site for insurance brokers that provides a secure link to Gensite. There was a need to set up an infrastructure capable of securing the Gensite extranet site and the Brio app, while providing integration capabilities to other players of the insurance industry that would need to integrate at a later stage, such as Willemot. Athora Belgium has chosen ForgeRock AM, which was then implemented by Devoteam.
The first step focused on the authentication of end-users, the second on authorization based on security profiles. Indeed, access levels differ depending on the user and his/her job: an insurance broker will not have the same access as an administrator. The same applies to an Athora employee who can be in charge of managing life insurance, non-life insurance or in charge of IT support. The same also applies to employees of companies that manage their complete group insurance portfolio with Athora.
In 2017, the Gensite project saw a major reorganisation, aimed at offering advanced management of users’ access and associated roles. The new version of Gensite was released in July 2018.
Athora has standardised its roles, which are today limited to around ten. The user is assigned access rights as ‘claims manager’ or ‘life insurance manager’, whereas before that same user had access to around one hundred applications. Now that the management of roles has been optimised, the system is easier to audit. This has already been assessed by several audit reports that pointed out an enhanced security governance.
The implementation of a simplified access control model has also resulted in providing additional use cases. For instance, when a user ‘wears several hats’, he may be working for several insurance brokers of the same group or being both a manager and working with customers. Once authenticated, a user can shift dynamically from one role to another, thanks to the simplified role model and its real time enforcement.
Lastly, Athora’s support department has access to a new key function in its daily operations. The support can impersonate an end-user with the purpose of solving specific problems, without any need to preconfigure the system. Moreover, since every impersonation is consented and audited, any suspicion of fraud or potential for fraud on a transaction by a privileged user is directly traceable.