Prudential/BT Managed PKI Case Study
 


Prudential
The Prudential group is one of the UK's largest financial services providers with total funds under management of around £150 billion. Within the Independent Financial Adviser (IFA) marketplace Prudential offers services to its customers via a secure Extranet.

Introduction
As eBusiness becomes more prevalent, companies are increasingly looking at how they can improve their existing business model and reap the benefits of conducting business electronically. Without internet security however, these benefits may be short-lived.

The security of client and company information becomes paramount when trading online. Prudential recognised the need for a secure and trusted environment when it launched its extranet, enabling IFAs to work more efficiently and effectively. An extranet allows a company to share information with others, for example customers, suppliers and trading partners, using web-based applications. BT Trust Services provided the digital certification technology to secure Prudential's extranet, giving Prudential the confidence to trade securely with its partners.

Since 1998 BT has been providing digital certification through BT Trust Services, using market leading technology from US-based VeriSign. As part of BT's portfolio of eBusiness propositions, Trust Services from BT offers a portfolio of digital certification products principally to corporate organisations. Digital certificates act as an online signature, which authenticates the user. The BT portfolio provides digital peace of mind by making online transactions secure, and building confidence in websites, intranets and extranets. The various Trust Services products from BT provide security when trading with customers, information protection and a Site Seal 'stamp of approval' to reassure visitors of website security. BT also offers the most secure encryption commercially available for highly sensitive internet communications.

The security challenges - and the solution
IFAs traditionally contacted Prudential with new business quotations, policy valuations and application tracking enquiries. The extranet was developed over a one-year period to allow the bulk of interaction between Prudential and its IFAs to take place over the internet. Prudential's extranet allows IFAs to access the same kind of information on a self-service basis as they can through more traditional media. The benefits to IFAs include reduced administration and overheads, coupled with immediate access to relevant policy information.

The main security challenges for the extranet were that it had to be capable of allowing access to hundreds and potentially thousands of financial advisers, while allowing Prudential to manage the level of access privileges IFAs receive. At the same time, IFAs had to be sure they were using a system with a high level of security as their client details would be entered onto the extranet. In short, there needed to be a trusted environment for both Prudential and IFAs to conduct business without fear or concern for safety of information.

Digital Certificates
Graham Gillespie, the Application Delivery Manager who heads up the extranet project team at Prudential, chose digital certificates rather than user names and passwords to meet the security challenges. Using passwords and user names can be costly as there is a large element of administration in both setting up the system and maintaining it. Passwords and user names also carry a security risk as they can be guessed or cracked by unauthorised users. It can also be difficult for IFAs to remember passwords and user names, especially if they deal with a range of companies who all give them different user names and passwords to enter secure areas.

By issuing each IFA with a unique digital certificate, Prudential can identify each individual IFA by simply interrogating their certificate each time they enter the extranet. As the extranet recognises and validates the identity of the IFA on an individual basis, personalised content can be delivered based on the information contained in the digital certificate.

"Our aim is to eventually offer an entirely personalised service for each IFA," says Gillespie. "For instance, one IFA might have a focus on investment products, while another specialises in group pension schemes. So the content delivered via the extranet will reflect those activities, with services matching the IFA's needs".

Verisign Managed PKI Services from BT
The large number of potential users meant that Gillespie had to choose a security platform that would allow his team to administer, manage and grow the extranet security as needed. For this reason, the Verisign Managed PKI from BT was chosen, as it means Prudential can operate as a customised Certification Authority (CA), without the additional work of establishing a secure environment in which to operate a certificate service. Verisign Managed PKI from BT gives Prudential the ability to issue digital certificates to authorised users while outsourcing all the technical work. Prudential chooses who to issue certificates to, while BT manages the database, administers the server, backs up the system daily and performs all the other overhead work that comes with operating a high availability certificate service.

The first port of call for Gillespie was www.btglobalservices.com/trust, BT's dedicated eBusiness security website. Gillespie decided to trial the product before buying, using the service's free 30-day trial.

"Setting up the free 30-day trial of the service proved very easy," said Gillespie. "We used the demo facility which was particularly useful to see how the service would work in a real-life situation. We then trialed it internally to check how our systems reacted to it. The trial was a great success so we set up the service for real - and we were issuing our own certificates within a matter of days of submitting our request".

Verisign Managed PKI from BT was also chosen for its six data fields, the part of the service that actually validates the certificate. Three data fields are pre-defined to guarantee the same level of security regardless of application or company. The other three are user-defined fields, allowing Prudential to customise which values its certificates validate and giving it a wider range of authentication options. This feature also gives Prudential the ability to treat each IFA as an individual within the extranet framework, bringing it closer to Gillespie's goal of offering fully personalised extranet pages.

The process for registering online as an extranet user is very simple. The IFA fills in a one-off registration form with their details, which is then passed to an administrator who checks and verifies those details. Once Prudential is confident that the IFA is bona fide, an email is automatically generated and sent to the IFA with their PIN and a link to the extranet, where they can collect their digital certificate and install it.

Looking to the Future
Around 90 per cent of IFAs using the extranet have installed and are using their certificate without support from Prudential. The remaining few who do need support have access to Prudential's E-Commerce help desk. Currently there are more than 7,000 registered users of the extranet, with planned developments likely to increase that number substantially.

Prudential has successfully implemented eBusiness practices, bringing increased efficiency to the service it provides to its customers. This change has been brought about by the extranet, which enables high volumes of transactions to be processed in greatly reduced timescales. The challenge of securing all these transactions has been met by BT's Verisign Managed PKI security service, giving Prudential and the IFAs peace of mind that their client details remain safe, secure and private.

In the Independent Financial Adviser market, the standards body ORIGO has approved digital certificates as the chosen method of access to providers' Extranet services. A company (by the name OSIS) has been established to act as the Certificate Administrator. If an IFA is in receipt of an OSIS certificate they will be able to access the services of all participating providers. BT Trust Services has been selected to provide the certificates for OSIS.

May 2002

 