International Journal On Advances in Security, volume 15, numbers 3 and 4, 2022
Microservices Authentication and Authorization from a German Insurances Perspective
Authors:
Arne Koschel
Andreas Hausotter
Pascal Niemann
Christin Schulze
Keywords: Security; Authorization; Authentication; Insurance Industry; Microservices Architecture.
Abstract:
Even for the more traditional insurance industry, the Microservices Architecture (MSA) style plays an increasingly important role in provisioning insurance services. However, insurance businesses must operate legacy applications, enterprise software, and service-based applications in parallel for a more extended transition period. The ultimate goal of our ongoing research is to design a microservice reference architecture in cooperation with our industry partners from the insurance domain that provides an approach for the integration of applications from different architecture paradigms. In Germany, individual insurance services are classified as part of the critical infrastructure. Therefore, German insurance companies must comply with the Federal Office for Information Security requirements, which the Federal Supervisory Authority enforces. Additionally, insurance companies must comply with relevant laws, regulations, and standards as part of the compliance requirements. Note: As Germany is considered relatively strict with respect to privacy and security demands, meeting these requirements may well be suitable (if not even "over-fulfilling") for insurance companies in other countries. The question thus arises of how insurance services can be secured in an application landscape shaped by the MSA style to comply with the architectural and security requirements depicted above. This article highlights the specific regulations, laws, and standards the insurance industry must comply with. We present conceptual approaches for authentication and authorization in an MSA tailored to the requirements of our insurance industry partners. In particular, we focus on different architectural patterns for service-level authorization as well as approaches for service-level authentication and discuss their advantages and disadvantages.
Pages: 65 to 74
Copyright: Copyright (c) to authors, 2022. Used with permission.
Publication date: December 31, 2022
Published in: journal
ISSN: 1942-2636