
Insurance provider creating massive multiple-use directory

Anthem says Active Directory project to help slash user management and apps development costs.



CINCINNATI - John Reynolds has 10 million good reasons why he needs a stable, secure and scalable directory infrastructure. If those reasons aren't enough, the director and technical architect for e-commerce for insurance provider Anthem Blue Cross and Blue Shield has another 14,000 to back up his argument.

Those figures represent the number of users, internal (14,000) and external (potentially 10 million), who need access to data on his network in compliance with the Health Insurance Portability and Accountability Act (HIPAA), a 1996 law mandating data security and privacy requirements for the healthcare industry.

The directory is part of an ambitious and ongoing project that has Anthem revamping its entire network infrastructure and application development based on its e-commerce goals.

Those goals are to build an infrastructure that can easily adapt to technology changes while supplying services such as secure access to applications, insurance services and claims information.

Reynolds, Anthem's director and technical architect for e-commerce, will share the details of the project and results of his directory stress testing at this week's Catalyst Conference in San Diego, which focuses on enterprise infrastructure and is hosted by The Burton Group.

So far, Anthem has spent nearly $5 million to build the infrastructure, surround it with security defenses such as intrusion detection and purchase applications.

Reynolds says the project is driven by HIPAA but that it's worth it because the infrastructure will create a single source of user data for all his applications and systems, and provide single sign-on for internal and external users.

Those things were not possible when Anthem was forced to manage users in each of a multitude of systems, including Microsoft, Novell, Unix and legacy mainframes.

"You need to have data in one place for use by all systems," Reynolds says. "You only want to construct that data once when you're dealing with millions of users."

The Anthem directory, along with Web access control software, will be key for managing users and their privileges.

It also provides additional capabilities such as self-service account maintenance, delegated administration, role-based security, auditing and services that pull user data from the directory into forms-based applications.

"When we built the directory infrastructure we didn't just build an e-business infrastructure, we built an enterprise directory infrastructure that supports a majority of our business initiatives around access to data, employee data or whatever data we need," he says.

"So it's an internal directory and a Web directory at the same time," he adds.

A pioneering move

That is a pioneering move because it begins to prove that a directory can support a pliable enterprise infrastructure that can be molded to accommodate the glut of unique users and services inherent in e-commerce.

And it begins to blur the lines between managing internal and external users and resources without compromising security.

It's that kind of flexibility that defines the Anthem infrastructure and will eventually help the company slash its user management and application development costs.

The flexibility also helps Anthem deal with its many acquisitions.

"Our strategic direction is consolidation," Reynolds says. "We are an acquisition company so we are constantly acquiring new technologies that we have to adapt into our infrastructure."

A year ago the company began consolidating its user accounts from systems such as human resources and Lotus Notes into Microsoft's Active Directory after choosing it over Novell's eDirectory. Now the company is rolling in administration of Unix and NetWare accounts and user information from legacy systems.


In parallel, Anthem mapped out the reinvention of its network, building a highly redundant, dual infrastructure for e-commerce around Java and Microsoft.

Web servers on the presentation level are IBM's Apache-based HTTP Server and Microsoft's Internet Information Server. Application servers in the middle tier are BEA's Java-based WebLogic and Microsoft's COM servers. The infrastructure relies on Oracle 8i databases and legacy systems for back-end data, and uses redundant servers for fault tolerance.

It all runs on Windows 2000 and Compaq four-way and eight-way servers and ties into Active Directory.

With that architecture, Anthem is pioneering the use of Active Directory as a Web-based directory. Microsoft has only recently talked about features that let companies exploit Active Directory beyond its basic support for Windows 2000 users.

Anthem already has nearly 14,000 internal desktops using the directory to gain secure access to corporate resources, including users connected through VPN and dial-up accounts.

Now the focus is on building a directory-based Web access control system on top of Active Directory using OpenNetwork Technologies' Directory Smart, which will provide single sign-on internally and externally for what could eventually be more than 10 million users.

Other services also on tap

But Directory Smart also will provide other services.

"We have the ability to do delegated administration," Reynolds says. "I can create an account in Directory Smart and specify that account as an administrator, not for the directory or Win 2000, but within Directory Smart so that account would have a delegated right to manage or create accounts for a list of people underneath it. That is important in a healthcare space because a lot of the time we are delegating those types of authorities to our group plan administrators and such."

Native user objects

That also speaks to another important issue Anthem has addressed with its directory.

Directory Smart uses native user objects from Active Directory so Anthem does not have to create and manage internal and external objects for the same user.

A user object is a combination of attributes such as name, address, password and telephone number.

"We wanted to set up self service so people could do things like change their passwords," Reynolds says.

"We can do those more internal business types of things if we have one object. Having more integrated access with the objects we use for our network operating system management has been a very big plus for us," he says.

Anthem also uses Directory Smart and standard Java 2 Platform Enterprise Edition security application programming interfaces to make it easier for developers to use Active Directory to handle authentication and authorization services for all applications.

Using those standard APIs, Anthem's BEA WebLogic application servers interact with Directory Smart to obtain logon and access data stored in the directory.

Besides those features, the directory supports other applications.

"The directory provides more than e-business services," Reynolds says. "It's a real point of information. If someone comes to a Web form and needs some help, the idea is to provide interaction with customer service. We can hook the directory into telephony, [customer relationship management] and help desk systems."


Contact Senior Editor John Fontana


Copyright, 1994-2006 Network World, Inc. All rights reserved.