Identity management: the key to successful use of SaaS in the insurance sector

SaaS as a reliable tool to promote innovation and competitiveness

The use of SaaS models offers the insurance industry many great advantages. Two of main benefits are efficiency and scalability, which make it possible to flexibly adapt to market requirements with minimal upfront costs. They promote innovation and competitiveness by providing easier access to the latest technologies and significantly speeding up the development of new products.

Integrated compliance and security measures can also reduce the amount of work for insurers if IT security aspects are taken into account from the start every time a SaaS platform is developed.

The key to successful SaaS implementations: identity and access management

The seamless integration of the SaaS solution into the insurer’s IT infrastructure is vital for it to run efficiently. It is important to focus on two things in particular, namely ensuring there is a secure connection for users and the insurer’s IT interfaces to the platform, as SaaS applications are generally provided over the internet. Another key aspect is the long-term management of user access. This plays a central role in the security strategy because it ensures the confidentiality and integrity of data and systems.

In recent years, insurance companies have invested heavily in developing robust identity and access management (IAM) systems. It is therefore critical that the connection of SaaS applications be seamlessly integrated into these established IAM processes, without this causing any disruptions or security gaps or leading to duplicate data being stored and maintained. A consistent, end-to-end IAM strategy is the foundation for secure and efficient user management across all systems.

Identity lifecycle management with SaaS applications

In order to meet the regulatory compliance and security requirements of VAIT, insurance companies should avoid setting up a separate user administration for SaaS applications that has to be maintained manually. Instead, what they need to do is implement a standardised, central user management system that guarantees seamless user access to all relevant applications via single sign-on. It is also important to ensure that the insurance company’s established security mechanisms, such as multi-factor authentication, continue to be used systematically in the newly integrated SaaS solutions.

In addition, it is critical that SaaS applications allow for reliable authentication and also offer the option of seamless integration of business roles defined by the insurance company for authorisation purposes. In the best-case scenario, the insurer will have an application that supports the flexible mapping of these roles onto corresponding authorisations in their system. This ensures consistent and efficient authorisation management that is in line with the ‘need-to-know’ and ‘least privilege’ principles mandated by VAIT.

Standardised integration of SaaS applications is made possible by protocols such as SAML 2.0 and the more recent OAuth 2.0. These protocols are critical for the standardisation and connectivity of authentication and authorisation processes across different systems.

OAuth 2.0 is a widely used authorisation framework that enables applications to provide secure, delegated access. It serves as a link between an identity provider (IdP) and a connected application by providing a secure authorisation mechanism. If a user wants to access a resource in the application, OAuth 2.0 forwards the request to the IdP. Once the user has been successfully authenticated and authorised, the IdP issues an access token used by the application to access the data that the user has been authorised to access without having to exchange the user name and password. This step ensures secure, seamless interaction.

The identity provider (IdP) facilitates the transfer of claims (attributes), which may contain specific user attributes and group memberships, during the OAuth 2.0 authorisation process. This information can then be used for fine-grained access control, ensuring that users can access resources (such as the SaaS platform) according to their roles and attributes within the organisation.

Because the current authorisations are always transferred each time a user logs in, this means that access rights can be updated in real time. In other words, changes to authorisations made by the insurance company, such as the addition or removal of a group, take effect immediately. As a result, it is no longer necessary to regularly synchronise authorisations in the different systems being used, which simplifies administration and reduces the likelihood of errors as a result of delayed synchronisation cycles.

Employees are offboarded in SaaS applications with immediate effect using the customer’s identity provider (IdP). Access to all connected SaaS systems is immediately blocked as soon as a user account is deactivated in the IdP. Along with that, any recertification of accesses required by regulators can still be carried out in the customer’s system.

Implementation in the Afida platform

When the Afida SaaS platform was developed, there was a strong focus on providing a secure, fast and efficient connection to the customer’s existing IAM infrastructure. To give an example, people who use Azure AD benefit from a fast connection, which is typically implemented in just a few minutes. All you need to do is configure a corresponding enterprise application in Azure AD or some other similar IdP solution and define the user groups that are to be given access.

The insurance company’s employees can immediately access the applications on the Afida platform once the enterprise application has been configured. By taking these two steps, existing security measures such as multi-factor authentication and governance rules (this includes password policies and identity lifecycle management processes) are extended to cover the SaaS application in which they are also applied.

Integration of applications into the API

Two really important things are the user interface and the seamless integration of the technical interfaces when rolling out a SaaS application. There are two main scenarios that you need to consider:

• 1. Access to the API is also possible thanks to the integration of API access, which takes place in the context of user interactions (with the user token that is already used to access the application issued by OAuth). As a result, the company is able to integrate the business functions provided by the SaaS solution directly into the user interface of its existing in-house systems.
• 2. Machine-to-machine communication, which, for example, connects an insurance company’s commission/backend system to the SaaS solution and ensures the secure and direct exchange of data.

For the backend connection of a SaaS solution, one of the standardised protocols previously mentioned (such as OAuth, for example) can also be used to establish a strong, secure connection. Additional methods such as API tokens or client certificates provide even more flexibility. What method the insurance company ultimately chooses to deploy often depends on the technical capabilities of its backend systems, which requires that a detailed analysis be carried out during the implementation phase in order to identify the best possible solution.

Conclusion

Managing user identities and authorisations manually in external systems is a strategy that is not up with the times, requires significant resources and also entails major security risks. Therefore, when it comes time to selecting a SaaS solution, it is essential that the insurance company makes sure that it is able to integrate seamlessly into its existing IAM solution. If a SaaS application supports integration of the IAM solution, the amount of time and resources required to create the connection is reduced to a minimum, often just a few hours or days. This allows the company to quickly switch its attention to technical aspects of the application and increase operational efficiency.

Outlook

The Afida platform has successfully demonstrated how quickly the solutions can be integrated into existing systems in a number of projects. In another blog post, I will explore in greater detail the question of how identity governance processes for privileged access management are seamlessly linked to customer systems in order to ensure end-to-end compliance when handling highly sensitive data.

Would you like to learn more about exciting topics from the world of adesso? Then check out our latest blog posts.