Aegon Insurance uses SecuMailer to send its insurance policies securely to customers
Aegon Insurance is one of the biggest insurers of The Netherlands. It has 30 million customers worldwide, with products ranging from life insurance to pensions and wealth management. Aegon is a publicly traded company at the AEX Exchange in The Netherlands.
The business problem
For Aegon Liability Insurance a solution was needed that would allow them to send out prolongation messages and renewed insurance policies via email. This is a monthly occurrence for Aegon, every month policies will start for the first time, some will renew and some will expire. These messages are generated by the insurance backend system of Aegon, which is hosted by their IT partner, Keylane.
Prolongations and insurance policies are sent to a mix of intermediaries and customers (both retail and wholesale). Both groups require robust data protection as required by the GDPR. The challenge for Aegon was twofold: integrate with the insurance backend and comply with regulatory requirements for data protection and customer care. And last but not least, the process must have a great user experience.
Proposed solution
This is where the SecuMailer SaaS solution came in. Because SecuMailer uses email as its underlying technology it was quite straightforward to connect to the insurance backend hosted at Keylane. In our experience many backend systems have an email connectivity option. The Aegon case was no different in that respect. The only issue that needed to be addressed was upgrading the SMTP TLS client at the side of Keylane so it was compatible with TLS 1.2, a must-have requirement from SecuMailer and the Dutch government with regards to connection security.
SecuMailer runs its SaaS platform on AWS and it uses Lambda serverless technology. This has several advantages with regards to data privacy and data security. Because there are no permanent physical or virtual servers there is no data residue when processing emails. There are no traces left behind due to the fact that the containers that are used for Lambda processing are deleted after running.
So how does this architecture work for Aegon and what improvements have SecuMailer and AWS realized?
It starts with connecting the insurance backend to the SecuMailer platform. This is done via an SMTP connection to the mail relay servers that are hosted on AWS EC2. These mail relay servers are the first point of contact with the SecuMailer platform. The EC2 servers are configured according to the requirements of the Dutch National Cyber Security Center (NCSC), specifically for the TLS algorithm and cipher suite specifications. Using AWS auto scaling groups the mail relay servers are able to scale up and down with processing requirements from Aegon. This helps a lot since the Aegon workload is quite spiky in nature, as most of the processing is done in a batch-like session at the end of each month.
Virtual servers
Ensuring the data security of the EC2 virtual servers is paramount as they are the only long running components in an otherwise fully serverless architecture and they are therefore the most vulnerable part of the SaaS architecture. Until recently SecuMailer used a suite of native Linux tools to establish a proper data security baseline for the EC2 instances but it has recently adopted AWS GuardDuty for EC2 and AWS Inspector for EC2 to enhance its security posture on EC2. Combined with the single pane of glass that AWS SecurityHub offers it has greatly improved EC2 data security and the visibility of the EC2 platform data security status.
Serverless computing architecture
All email is processed by the AWS Lambda serverless platform. This offers unparalleled data security and data privacy advantages that are key components for Aegon. Many people are familiar with the data leak provisions of the GDPR and the sometimes spectacular fines that follow data breaches. Less well known, but not less impactful, are the requirements for data minimization. The GDPR states that data owners should strive for keeping as little data as possible for as little time as possible. Aegon, being a data owner, has this requirement and passes this on to its data processors, like SecuMailer, and by association AWS.
SecuMailer uses AWS DynamoDB for storing meta data, combined with KMS encryption for data at rest. To safeguard integrity and availability of the data the platform uses DynamoDB Global Tables and Point-In-Time-Recovery (PITR). During processing of the emails for Aegon temporary data storage is based on AWS S3 with KMS encryption for data at rest, meeting all requirements from Aegon with regards to data security. Recently SecuMailer has added GuardDuty for S3 to further enhance data security for S3 based objects, next to the already existing S3 based KMS encryption for S3 objects at rest.
Before emails are delivered the SaaS platform will investigate the recipient mail server(s) and determine whether it is secure enough to deliver the email. SecuMailer has developed its own SmartTLS engine to query the recipient mail server, verify its TLS version and its configured cipher suite. It will check for self-signed certificates, expired certificates or missing root and intermediate certificate authorities. The SaaS platform does the scanning via a serverless Lambda, using a VPC that is connected to the internet via a NAT Gateway for maximum security. Queries can only be initiated from within the Lambda internal network; no outside connections can go in during this process. The outcome of the delivery is communicated back to Aegon via a webhook that uses Simple Email Service (SES) events transported via Kinesis and processed by AWS OpenSearch.
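The pre-delivery check described above (minimum TLS version, acceptable cipher suite, and certificate sanity of the recipient MX) can be expressed as a small policy evaluator. The following is an added example, not SecuMailer's SmartTLS engine or any code from the page; the threshold of TLS 1.2 comes from the case study, while the cipher allow-list, the `TlsObservation` record and the constructed sample observations are assumptions chosen to mirror the NCSC style of guidance, so the current NCSC TLS guidelines remain the authoritative source for an allow-list.

```python
"""Recipient mail-server TLS policy check (illustrative, not SecuMailer's engine)."""
from __future__ import annotations

import smtplib
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

MIN_TLS = ssl.TLSVersion.TLSv1_2  # the page's minimum; anything lower is rejected

# Assumed allow-list: AEAD suites with forward secrecy only (hypothetical policy).
ALLOWED_CIPHERS = {
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
}


@dataclass
class TlsObservation:
    """What a STARTTLS probe of one MX host reported (hypothetical record shape)."""
    host: str
    tls_version: ssl.TLSVersion
    cipher: str
    not_before: datetime
    not_after: datetime
    self_signed: bool
    chain_complete: bool      # intermediates + root resolve to a trusted anchor
    hostname_matches: bool    # certificate covers the MX host name


def evaluate(obs: TlsObservation, now: datetime) -> Tuple[bool, List[str]]:
    """Return (deliverable, reasons). Every failed check is reported, not just the first."""
    reasons: List[str] = []
    if obs.tls_version < MIN_TLS:
        reasons.append(f"{obs.tls_version.name} is below the TLS 1.2 minimum")
    if obs.cipher not in ALLOWED_CIPHERS:
        reasons.append(f"cipher suite {obs.cipher} not on the allow-list")
    if now < obs.not_before or now > obs.not_after:
        reasons.append("certificate is outside its validity period")
    if obs.self_signed:
        reasons.append("certificate is self-signed")
    if not obs.chain_complete:
        reasons.append("certificate chain is missing intermediate or root CA")
    if not obs.hostname_matches:
        reasons.append("certificate does not match the MX host name")
    return (not reasons, reasons)


def make_outbound_context() -> ssl.SSLContext:
    """Client context a relay would use: verification on, TLS 1.2 floor."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = MIN_TLS
    return ctx


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> Dict[str, str]:
    """Live probe of an MX (needs network; not exercised by the offline demo).
    Returns the negotiated protocol and cipher after EHLO + STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=make_outbound_context())
        return {"version": smtp.sock.version(), "cipher": smtp.sock.cipher()[0]}


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Evaluate two constructed observations at a fixed clock (sample data, not real hosts)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    good = TlsObservation("mx-good.example", ssl.TLSVersion.TLSv1_3, "TLS_AES_256_GCM_SHA384",
                          datetime(2024, 1, 1, tzinfo=timezone.utc),
                          datetime(2025, 1, 1, tzinfo=timezone.utc),
                          self_signed=False, chain_complete=True, hostname_matches=True)
    bad = TlsObservation("mx-legacy.example", ssl.TLSVersion.TLSv1_1, "AES256-SHA",
                         datetime(2022, 1, 1, tzinfo=timezone.utc),
                         datetime(2023, 1, 1, tzinfo=timezone.utc),
                         self_signed=True, chain_complete=False, hostname_matches=False)
    return {o.host: evaluate(o, now) for o in (good, bad)}


if __name__ == "__main__":
    for host, (ok, why) in demo().items():
        print(host, "DELIVER" if ok else "HOLD", why)
```

Reporting all failed checks rather than the first one matters operationally: the outcome is fed back to the sender (the page describes a webhook), and a recipient whose server fails on an expired certificate and a weak cipher should see both so the fix can be made in one pass.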
Shared responsibility model
As AWS states it, security of the cloud is the responsibility of AWS and security in the cloud is the responsibility of the service provider, aka SecuMailer. Within the technical architecture AWS provides a secure Lambda platform with excellent data security and data privacy capabilities. These are further enhanced by extensive monitoring and tracing capabilities like GuardDuty for Lambda, AWS X-Ray and AWS CloudTrail. With these capabilities SecuMailer, and thereby Aegon, can be assured that there are no data integrity issues whilst processing the secure emails for Aegon. This assurance can be reported upon so there is tangible evidence that the SaaS platform running on AWS maintains integrity throughout the data processing cycle.
Result
The end result is that Aegon has experienced excellent service with 100% uptime, without data leaks and verifiable data security throughout its usage. So far SecuMailer has processed more than 3M secure emails for Aegon without a hitch.
Better together
Using the cloud technology of AWS, enhanced by the specialist knowledge of SecuMailer, the SaaS platform has recently achieved the highest level of trust by becoming a qualified EU Trust Service Provider for secure email (qREMSP: qualified Registered Electronic Mail Service Provider). Combining proven and innovative AWS services with SecuMailer's deep understanding of email security has created a winning solution for Aegon.
Implementation
Onboarding with SecuMailer is done by the following steps:
- Buy your solution at AWS Marketplace
- Follow your implementation instructions (30 minutes to 2 hours of work)
- Get a personal workshop to integrate all data security and privacy measures into your organization's policy as well
- Start sending out all your emails securely and fully compliant with GDPR and eIDAS
Background information SecuMailer:
SecuMailer is a private company. We provide our customers with a SaaS solution to send confidential information by secure email.
SecuMailer was started in 2017 by Yvonne Hoogendoorn CIPP/e and Meint Post CISSP / ISSAP.
SecuMailer is fully compliant with the GDPR and certified for eIDAS, ISO 27001:2022 and NTA 7516, and has the ECSO label (European Cyber Security Organisation).
SecuMailer is available on the AWS Marketplace.
SecuMailer is one of the founders of the Dutch regulation NTA7516 for secure email with personal medical information. This regulation combines elements of the GDPR, The eIDAS and the Dutch medical laws.