Return of the Guru

Is End Point Lockdown the Answer to Data Security?

Ara Trembly
Insurance Experts' Forum, July 14, 2011

The war against cyber-crime is in full swing, and insurers, and indeed everyone else, are faced with tough decisions about how to secure the data that is so vital to their very existence.  Everyone knows that protected systems are needed, but just how much protection is enough—and what will that protection cost in terms of a company’s productivity and its competitive position? 

One solution proposed in a 2010 white paper from Viewfinity, a vendor of privilege management and application control for desktops, laptops and servers, is “end point lockdown.”  According to the paper, “There are a number of advantages when endpoints are locked down so that end users do not have full administrative access on their systems. In general, an environment that is more locked down has less changes and less variation from a known good configuration. This secures the desktop which in turn leaves company less vulnerable to malware, virus, etc.”

Malware, of course, is often one of the tools used by criminals to crack into systems.  It certainly makes sense, then, that fewer changes to the enterprise environment would tend to make for a more secure enterprise.  Yet, as the white paper points out, “a completely locked down environment may result in lowering productivity and creating a shift in the types of IT support calls coming into the help desk. An organization may go from dealing with virus attacks to an increase in incidental calls related to printer installation requests and other tasks requiring administrator.” 

Not surprisingly, Viewfinity suggests that managing access privileges on a case-by-case basis can be a useful tool in limiting opportunities for problems to develop.  An “all-or-nothing lockdown methodology,” the white paper notes, will not yield the flexibility needed to allow a company to set its own parameters on personal access. 

This also makes sense, but it leaves insurers essentially in the same place with regard to security decisions.  Software may provide a means to customize limits on access, but in the end it cannot tell you whom you should trust.  These decisions will, of course, be unique to each insurer and each enterprise, and you can be sure that—human nature being what it is—some of these choices will prove to be ill-advised. 

In the larger picture, however, decisions on privileges and access will be driven by a single factor—namely, how an insurer views its IT risk profile at any given moment.  If yours is an enterprise that has remained relatively untouched by criminal hands, you are far more likely to be liberal in granting privileges than you would be if, say, you had just experienced a cyber-break-in, especially if that breach reached the news media and, unfortunately, your competitors. 

On the whole, I am in favor of granting as few such privileges within the enterprise as possible.  A carrier must carefully study—and keep studying—just what kinds of access are actually needed internally for optimum functioning of the enterprise.  How much can I restrict my systems (and increase security) while still remaining competitive?  The answer, again, will depend on your experience and your consequent fear level with regard to breaches. 

In the end, we are trying to weigh the odds to determine how much of a gamble we will take that our systems are secure enough and that our access policies are where they need to be to make that gamble likely to pay off.  We must also ask ourselves (in the words of that great philosopher Dirty Harry): “Do I feel lucky?”


Ara C. Trembly is the founder of Ara Trembly, The Tech Consultant, and a longtime observer of technology in insurance and financial services.

This blog was exclusively written for Insurance Networking News. It may not be reposted or reused without permission from Insurance Networking News.
