The importance of robust API security in insurance

The importance of robust API security in insurance

In this article by Andre Kerstens, Principal Solution Architect, Noname Security, we take a look at how APIs in insurance handle vast amounts of sensitive data, making robust API security essential to protect against vulnerabilities, prevent data breaches and ensure the integrity of policyholder information. 

Andre Kerstens, Principal Solution Architect, Noname Security

When an incident occurs, from an unfortunate car accident to damaged business equipment, policyholders rely on mobile applications and online portals that collect information, open claims, and process them through automated workflows. Behind the scenes, an insurer’s APIs handle what amounts to a policyholder’s life story in data. These APIs exchange:  

  • Sensitive details on people’s health, homes, families, vehicles and valuables.  
  • Personally identifiable information (PII) and payment data linked to bank accounts.   
  • Data on employees, properties, and legal matters, for businesses with policies.  

API integration with this data makes them a major security risk. Malicious actors understand that APIs offer a quick, direct route to a company’s information. Frequently, APIs are deployed with misconfigurations, weak authentication measures, and accidental exposure to the internet – vulnerabilities that attackers can easily exploit.  

We’ve observed several trends that make it challenging for insurers to protect APIs. Ongoing API expansion means that each new digital initiative leads to an increase and continuous evolution of APIs, making it difficult to maintain an accurate inventory.   

Many insurers have separate development teams working in isolation across different business units, often without a unified guide for secure design. Moreover, while APIs are mainly designed to transmit information, our research indicates that only 40% of organisations know which of their APIs return sensitive data.  

The importance of API discovery and risk assessment in insurance  

The average enterprise manages between 15,000 and 25,000 APIs, depending on its size. These APIs continuously enable rapid and seamless information sharing between the technologies that policyholders depend on for essential services.  

Insurance companies need a thorough understanding of their API landscape to effectively manage their digital ecosystem. API discovery and inventories provide real-time visibility into the APIs being used, including legacy and unmanaged APIs. This allows organisations to detect potential security gaps, vulnerabilities and misconfigurations that can go unnoticed.  

Conducting risk assessments for every API empowers insurance companies to recognise and rank potential risks. By understanding the information managed by each API and evaluating its security posture, companies can enforce suitable security protocols to efficiently alleviate risks. This proactive strategy helps to prevent data breaches, unauthorised entries, and additional security incidents that could lead to reputational damage and financial losses.  

Solving the lack of visibility in API security  

A lack of API visibility and inconsistent processes are common challenges. API development tends to lack centralisation, with developers scattered across various cloud providers and operating outside the enterprise security team’s oversight.   

Additionally, APIs are often developed in silos within different business units. Many of these APIs are not integrated into the company’s API management solution, missing out on basic protections such as rate limiting and authentication.  

Standard API management tools often fall short in meeting insurance companies’ security and visibility requirements. API gateways and web application firewalls (WAFs) are limited to capturing managed API traffic, leaving vast numbers of unmanaged APIs, including shadow and zombie APIs. Moreover, depending on the business unit responsible for their design, APIs may not undergo testing against common attack methods.  

Today’s threat landscape calls for insurers to adopt a comprehensive API security approach encompassing four critical areas:   

  • API discovery  
  • Posture management  
  • Runtime protection  
  • API security testing  

Many insurers lack visibility into a significant portion of their API traffic. Without a complete and accurate inventory, they are exposed to a variety of risks. As part of API discovery, insurers can proactively locate and inventory all APIs regardless of configuration or type; look for dormant, legacy and zombie APIs; identify forgotten, neglected or otherwise unknown shadow domains; and eliminate blind spots and uncover attack paths.  

Posture management and runtime protection  

To protect policyholder data effectively, it’s crucial to have a complete inventory of APIs and understand the types of data flowing through them. By implementing posture management capabilities, insurers can automatically scan infrastructure to uncover misconfigurations and hidden risks; notify key stakeholders of vulnerabilities; identify which APIs and internal users can access sensitive date; and prioritise risk remediation based on the severity of detected issues.  

Amidst the digital rush-to-market, API security testing during production may go overlooked. To ensure it doesn’t, it’s essential to detect and block attacks in real time. This is where API runtime protection can help insurers to:  

  • Monitor for data tampering and leakage, policy violations, suspicious behaviour and API attacks.  
  • Analyse API traffic without additional network changes or difficult-to-install agents.  
  • Integrate with existing workflows (e.g. ticketing, SIEMs, etc) to alert security teams.  
  • Prevent attacks and misuse in real-time with partial or fully automated remediation.  

Continuous API security testing is key  

API development teams feel the pressure to work as quickly as possible. This need for speed makes it easier for an API vulnerability or design flaw to occur and go undetected. They need to implement key API security testing capabilities that can automate tests to simulate malicious traffic; discover vulnerabilities before APIs entering production; and cross-reference API specifications against established governance policies and rules.  

By proactively identifying and assessing the risks of every API, insurance companies can implement proactive security measures and mitigate vulnerabilities. The aforementioned real-life scenarios demonstrate the value of API discovery and risk assessment in uncovering security gaps and enabling insurance companies to enhance their API security posture.   

Insurance companies and their technology partners need to adopt best practices around discovery, posture management, runtime protection, and continuous security testing to safeguard not only their APIs, but the data their policyholders entrust to them for safekeeping.