How the mutual insurance company Matmut secured its unmanaged workstations to maintain its activity
Matmut, which was undergoing a business continuity plan (BCP) in the face of the Covid pandemic, deployed the TrustBuilder.io MFA strong authentication system on a large scale and within a few days to secure remote connections via the VPN (teleworking).
Cédric Chevrel, CISOof the Matmut group shared his experience with us during a RETEX workshop at the 2020 Security Conference.
- Maximum security for remote connections via VPN (telecommuting)
- Implementation of TrustBuilder.io MFA architecture in 24 hours
- Good feedback from the user experience
- Good monitoring with complete reporting on logins and enrollments
Matmut, a " life partner " for its members
A major player on the French market
Matmut was founded in 1961 by Paul Bennetot, whose aim was to offer automobile insurance to employees in the private sector. Today, the group is known for being a major player on the French market with more than 6,300 employees in France and more than 500 agencies.
With nearly 3.9 million members and more than 7.4 million contracts, Matmut provides a complete range of property and personal insurance products (car, motorcycle, home, boat, hunting, liability, family protection, health insurance, legal protection, assistance) as well as financial and savings services (car loans, consumer credit, savings accounts, life insurance, loan insurance, etc.) to individuals and professionals, companies and associations.
The security of the information system within the BCP framework
Teleworking has become an essential part of the response to the Covid pandemic. Remote connections, on equipment not always controlled by the companies, raise security issues that must be addressed, especially to adapt the system to the explosion of phishing attacks.
Cédric Chevrel, CISO of the Matmut group, reviews his experience with TrustBuilder as part of the group’s Business Continuity Plan (BCP) in the face of the containment caused by the Covid pandemic.
Cédric Chevrel
CISO of group Matmut"Very suddenly, everyone's home. We had to find a way to telecommute all the employees who didn't all have company-owned and operated mobile devices."
Project
Remote work and business continuity
The lockdown occurred very suddenly, leading to many questions about how to maintain activities. ” At that same period, the group was in the process of renewing its workstations” reveals Cédric Chevrel. He added that until then, employees had been working on fixed workstations. ” We were also in the early stages of deploying Windows 10,” he points out.
Connection to the IS during the lockdown
In a very short period of time, “the IT Security Department stepped in to boost the technologies used to manage security issues, i.e. IPSEC VPN, SSL and VDI “explains Cédric Chevrel. The objective was to ensure that employees could telecommute within the best security conditions”.
What the Group was looking for ...
- Implement a user-friendly MFA solution for remote access to the information system
- Protect against the risk of undesired connections from third parties
- Explore potential future use cases for Cloud-based services
- Deploy and implement a MFA solution within a very short period of time
"We had this issue related to VPNs security: highly exposed and vulnerable to attacks by Brute Force, but also to ID leaks".
Security risk analysis
Early in the project, the CISO carried out a risk analysis and rapidly established a number of measures to control them. For instance, Cédric Chevrel explains that “the geographical connection location was limited to France”.
Naturally, the group wanted to control connection attempts from unauthorized devices. After all, the installation procedures sent to employees could be duplicated. It was therefore necessary to maintain visibility of who was connecting, when, and from where. Lastly, the risk of ID leaks and the lack of control over the devices authorized to connect also had to be covered.
"We needed to implement a MFA solution without further delay. And it needed to be attached to a user and a device in order to address the specific needs and risks with regards to the lockdown situation.”
Solution
A benchmark had previously been carried out by the group and TrustBuilder.io MFA was deemed worthy of future needs. In fact, the solution ticked off all Matmut requirements: cost-efficiency, flexibility, rapidity of implementation and deployment, protection against security risks related to the lockdown and post-lockdown, as well as ease of use and installation for the end-users.
“We were looking for a solution that would be flexible and responsive. This would allow us to adapt it over time. […] The ease of use and installation for employees was also a key feature for us.”.
"Anyone who wants to log in in the morning receives a notification on their device (tablet, smartphone or PC) where they are asked to enter their PIN code. From there, the SSL VPN solution connects automatically thanks to a link established with TrustBuilder using a RADIUS protocol".
Ultra-secure MFA
TrustBuilder's strong multifactor authentication enables Matmut to cover security risks caused by remote work.
Simple integration and administration
TrustBuilder.io MFA makes it easier for the IT team, i.e integrators and administrators. The solution integrates with the company directory without the need to recreate accounts for all employees. In addition, it is also possible to customize the communication to users directly in the solution (enrollment, confirmation emails, etc.).
Simple and fluid user experience
TrustBuilder.io MFA is passwordless for a seamless user login experience. Employees can easily and quickly enroll in a few clicks from a received email. Key factors for making the solution adopted by all end-users.
"We were able to implement the solution within 24 hours thanks to the synergy between the technical and purchasing teams of the IT department, the group's information systems security (ISS) and TrustBuilder's team.”
Results
Matmut sequenced the deployment of inWebo’s MFA solution. “We started with 1,000 users and ended up with 5,000 users” pointed out Cédric Chevrel. During this roll-out phase, the group assisted its employees by sending out installation procedures and by reinforcing its support team.
Cédric Chevrel shares the group’s satisfaction regarding inWebo’s MFA solution. “There has been no incident, and this is an extremely positive thing”. He adds that “the solution has globally met the needs of the risks to be covered.”
As regards to the user experience, “with inWebo, there is only a PIN code to enter whereas before employees had to fill in their first name, last name and password every day” says Cédric Chevrel. It is so much easier for them and yet much more secure.
Lastly, Matmut was able to keep track and have a very good visibility, remotely, of connections, enrollments, and so on. “We have created very precise dashboards of the registrations made, the effective connections and those that were not made”
- Maximum security for remote connections via VPN (telecommuting)
- Implementation of inWebo MFA architecture in 24 hours
- Good feedback from the user experience
- Good monitoring with complete reporting on logins and enrollments
Going forward
Once the lockdown was over, Matmut was able to very simply and quickly adjust the scope of the solution. The SaaS model and the responsiveness of inWebo’s teams made it possible to adapt, in a very reactive manner, to new changes in scope brought by the latest economic events, use cases or by the company’s security policy.
Finally, the migration to Windows 10 was done smoothly with inWebo MFA. “As soon as an employee is deployed, we make a new enrolment so that we can set the new device which will be allowed to connect” states Cédric Chevrel.
