If I say to you, “Tell me about your home security system,” you might start describing the sensors on your windows or the keypad near the front door. You can tell me you installed a doorbell camera, or you might say, “I do not have a security system in my house. I’m not sure I need one.”
What you may not tell me about are the areas of your home security where you are vulnerable but have not thought about the risk. Maybe you keep a garage door opener in a car that is parked outside every night. The weather in May is wonderful, so you like to keep the windows open. You rarely take the time to activate the security system when you leave.
If we think of the insurance company as a home, it has similar types of vulnerabilities that are ripe for exploitation. Later this year, Majesco will introduce API platforms with gateway features that will cover many of these vulnerabilities. If you understand how effective an API gateway can be in protecting insurance companies, and how easy it will be to implement, you may want to add it to your list of must-haves.
Where are the insurance companies most exposed?
An API gateway protects your business from outside hacking by shutting down vulnerabilities you may never have thought of. At a high level, there are three types of security flaws.
- Role-based vulnerabilities. The wrong person has access to the wrong items and areas.
- Database vulnerabilities. These may include open taps of data flowing to the outside world because “someone left data behind.”
- The API function itself. This would include open access to an application via a system or developer tool.
In our previous blog about API security, we discussed role-based security and not allowing every internal employee, from developers to business users, full access to every API. This is important just to keep everything structurally secure. But the idea of security roles is equally applicable when it comes to external access. APIs are growing rapidly in use. The dramatic increase in built-in insurance, partnerships and platforms means that insurance companies are finding themselves with a host of new people who need access to some level of systems and processes. Keeping track of system keys and of who has access must be an automated process. The API gateway will be this important guard at the gate. It will keep the roles straight and prevent anyone from accessing systems via exposed API endpoints.
For example, Majesco’s API platform will allow Majesco clients to isolate who has access by using customer login keys. At login, the system will determine which APIs are available to that person.
Data leakage is a completely different type of problem. In today’s API environments, keeping track of who uses an API, how and when largely falls to someone in IT whose task is to know the entire system architecture. The use of an API at the time it was installed may have been completely secure. Data moved from point A to point B and it facilitated whatever transaction it needed to facilitate. Over time, however, system teams may upgrade an API or change its use. This can also happen at the other end, in a partner system. This does not mean that the data flow has been turned off, just that it no longer fulfills its original purpose. This presents two security issues. Data can end up in the wrong hands, and hackers can also have a way into core systems. All of these problems are real, and they multiply within companies that control their own APIs directly from their internal systems and do not yet use cloud API platforms.
API gateways – a portal for secure access
Use cases help us identify the differences between a safe environment and an unsafe environment. Let’s say your business has 50 APIs without a gateway in place (all windows with potential external access) and you start measuring your potential exposure. You catalog how many external users have access to these APIs from start to finish and realize that the system security you have in place is patchy and not completely visible anywhere on a dashboard or console. Your company may have imagined that it was safer than it actually is.
An API gateway would solve these problems. It will add a horizontally split orchestration layer on top of the APIs, so that end users only have access to updated, useful APIs that they need at the console level. The console works just as well on the inside as on the outside of a company’s system. A dashboard gives system administrators complete insight into usage, crashes, volume, and invalid entry attempts. Customers will have less API complexity and an environment that is understandable and manageable. Still, some companies may wonder how secure they can be if they operate in a hybrid cloud environment that still includes local systems.
“If we will never be completely on the cloud, only our cloud-based systems will be secure. Right?”
Part of the beauty of an API platform in the cloud is the gateway’s ability to make the entire environment more secure by securing API endpoints.
Let’s say for a moment that you’re currently operating in a hybrid environment. Some of your backend systems are located in the cloud. Others are on site. It would seem to make sense that you might need two different gateways or two different API platforms. Yet this is not the case. One of the possibilities that comes with choosing Majesco’s API platform approach will be that all your multinodal systems can be managed at the API gateway level. Your nodes may be different, and the processing may take place in the cloud or on site. The Majesco API gateway covers everything. This will make entry and exit points secure. It will add security to all systems where APIs are connected. This is one of the most attractive reasons to update your API settings. It takes your most vulnerable areas and puts them safely away behind an organized layer of secure orchestration. In addition, it will prepare your organization to become an API-centric company.
The last hurdle to implement an API platform
One of the last obstacles that organizations face when it comes to adopting a new API method is simply understanding how easy it is. We have learned that nothing is really easy when it comes to systems, so we think, “Why would it be different to set up an API platform? Insurance is a different type of industry and we have different protocols. Do we not need to set up insurance-specific safety standards?”
Yes, insurance is unique. Standards and governance principles are specific to each industry and insurance is no exception. No, you do not have to bother with insurance-specific standards. Cloud providers have made it super easy for insurance companies to configure their gateways. Insurers will find that they do not have to write code to define rules or expand environments. They will drag, drop, and select gateway setting options. It’s part of the interface.
In addition, modern cloud-based API platforms, such as AWS or Azure, already have pre-built frameworks or pre-activated activators, whether for specific functional needs, such as complaint handling, or for specific industries, such as healthcare or insurance. They have pre-built rule templates, which you, as a new customer or for a new deployment, can simply connect. When you copy and paste the framework into your gateway, it inherits the rules defined for our industry. Once connected, you have created an industry-specific API gateway and your organization is now much more protected because you have reduced important vulnerabilities.
At Majesco, we are committed to realizing an API-centric business for our customers. For us, this means a unified program to create a comprehensive API orchestration platform based on a cloud-based API management service, and to then personalize it to cover our entire portfolio of P&C, L&AH, Data Analytics and Digital1st® product offerings. Exciting development is underway in this regard. Look out for more in the coming months!
If you want to learn more about how cloud-based platforms become the new tools for business growth and security or to stay in touch regarding Majesco’s upcoming announcements about API-centric systems, be sure to contact us today.