How the mutual insurance company Matmut secured its unmanaged workstations to maintain its activity
Matmut, which was operating under a business continuity plan (BCP) in the face of the Covid pandemic, deployed the TrustBuilder.io MFA strong authentication system on a large scale and within a few days to secure remote connections via the VPN (teleworking).
Cédric Chevrel, CISO of the Matmut group, shared his experience with us during a RETEX workshop at the 2020 Security Conference.
Matmut, a “life partner” for its members
A major player on the French market
Matmut was founded in 1961 by Paul Bennetot, whose aim was to offer automobile insurance to employees in the private sector. Today, the group is known for being a major player on the French market with more than 6,300 employees in France and more than 500 agencies.
With nearly 3.9 million members and more than 7.4 million contracts, Matmut provides a complete range of property and personal insurance products (car, motorcycle, home, boat, hunting, liability, family protection, health insurance, legal protection, assistance) as well as financial and savings services (car loans, consumer credit, savings accounts, life insurance, loan insurance, etc.) to individuals and professionals, companies and associations.
The security of the information system within the BCP framework
Teleworking has become an essential part of the response to the Covid pandemic. Remote connections, on equipment not always controlled by the companies, raise security issues that must be addressed, especially to adapt the system to the explosion of phishing attacks.
Cédric Chevrel, CISO of the Matmut group, reviews his experience with TrustBuilder as part of the group’s Business Continuity Plan (BCP) in the face of the containment caused by the Covid pandemic.
Cédric Chevrel, CISO of the Matmut group
Remote work and business continuity
The lockdown occurred very suddenly, leading to many questions about how to maintain activities. “During that same period, the group was in the process of renewing its workstations,” reveals Cédric Chevrel. He added that until then, employees had been working on fixed workstations. “We were also in the early stages of deploying Windows 10,” he points out.
Connection to the IS during the lockdown
In a very short period of time, “the IT Security Department stepped in to boost the technologies used to manage security issues, i.e. IPsec VPN, SSL and VDI,” explains Cédric Chevrel. “The objective was to ensure that employees could telecommute within the best security conditions.”
What the Group was looking for ...
Security risk analysis
Early in the project, the CISO carried out a risk analysis and rapidly established a number of measures to control the risks it identified. For instance, Cédric Chevrel explains that “the geographical connection location was limited to France”.
Naturally, the group wanted to control connection attempts from unauthorized devices. After all, the installation procedures sent to employees could be duplicated. It was therefore necessary to maintain visibility of who was connecting, when, and from where. Lastly, the risk of ID leaks and the lack of control over the devices authorized to connect also had to be covered.
A benchmark had previously been carried out by the group, and TrustBuilder.io MFA was judged suited to its future needs. In fact, the solution met all of Matmut's requirements: cost-efficiency, flexibility, speed of implementation and deployment, protection against security risks related to the lockdown and post-lockdown, as well as ease of use and installation for the end users.
“We were looking for a solution that would be flexible and responsive. This would allow us to adapt it over time. […] The ease of use and installation for employees was also a key feature for us.”
Matmut sequenced the deployment of inWebo’s MFA solution. “We started with 1,000 users and ended up with 5,000 users,” pointed out Cédric Chevrel. During this roll-out phase, the group assisted its employees by sending out installation procedures and by reinforcing its support team.
Cédric Chevrel shares the group’s satisfaction regarding inWebo’s MFA solution. “There has been no incident, and this is an extremely positive thing”. He adds that “the solution has globally met the needs of the risks to be covered.”
As regards the user experience, “with inWebo, there is only a PIN code to enter whereas before employees had to fill in their first name, last name and password every day,” says Cédric Chevrel. It is so much easier for them and yet much more secure.
Lastly, Matmut was able to keep track of, and have very good remote visibility into, connections, enrollments, and so on. “We have created very precise dashboards of the registrations made, the effective connections and those that were not made.”
Once the lockdown was over, Matmut was able to very simply and quickly adjust the scope of the solution. The SaaS model and the responsiveness of inWebo’s teams made it possible to adapt, in a very reactive manner, to new changes in scope brought by the latest economic events, use cases or by the company’s security policy.
Finally, the migration to Windows 10 was done smoothly with inWebo MFA. “As soon as an employee is deployed, we make a new enrolment so that we can set the new device which will be allowed to connect” states Cédric Chevrel.