Aflac Fortifies Its Digital Business Against API Attacks

Financial services organizations are tasked to innovate at an accelerated pace as consumers continue moving away from brick-and-mortar experiences in favor of digital interactions. This has also become the reality for Aflac. However, meeting their digital transformation goals required Aflac to pursue a distributed versus centralized approach to deploying new applications. While this approach has been beneficial from a resource management perspective, it added complexity to an already challenging asset management scenario.

In addition, the company was also heavily reliant on their existing API gateways to provide visibility into their API estate. This too was a notable issue for leadership. Despite being components of the API delivery stack, API gateways are not designed to provide the security controls and observability required to adequately protect APls. Additionally, APls that were implemented outside of a gateway presented even more visibility and security challenges.

“We were aware that our API footprint was large, and we wanted to be completely confident that we had every API accounted for, that we had full visibility into their operation, and that they were being continuously tested for security risks. This was essential to our strategy to address the risk of exploit amid the backdrop of an expanding technology footprint,” said Goldsworthy.

Beyond getting a complete picture of their API estate, Aflac also knew that they needed to be able to defend their APls against attacks. Considering their ironclad reputation and global reach, the company was well aware that they could become a target. They required a holistic API security solution that would give them not only visibility but also an ability to remediate vulnerabilities and attacks to avoid becoming another headline.

“Noname (now an Akamai company) was the most advanced and complete API security solution that we tested, going above and beyond our initial requirements. Not only does Noname (now an Akamai company) have the technology to address our current needs, I was also pleased with what I saw on their roadmap to address emerging security challenges,” Goldsworthy added.

After evaluating the Noname API Security Platform (now part of Akamai API Security), Aflac decided it was the most comprehensive solution to protect their APls — many of which reside in their AWS environment. The solution provides both API discovery and API runtime protection, allowing the company to have full visibility into every type of API they have, including HTTP, RESTful, GraphQL, SOAP, XML-RPC, JSON-RPC, and gRPC.

The API discovery module will also provide insight into the types of data that traverse the company’s APls. This provides Aflac with visibility into which of their APls are able to access sensitive data and identify any anomalies in data access.

This also means the company will have real-time protection to thwart any API attacks. The solution uses automated Al and machine learning detection to conduct real-time traffic analysis and provide contextual insights into data leakage, data tampering, data policy violations, suspicious behavior, and API security attacks.

Akamai API Security runs out of band, leveraging VPC traffic mirroring to copy API traffic from AWS Application Load Balancer in Aflac’s environment. This approach enables monitoring without any impact to performance. The data is then forwarded to Akamai remote engines deployed on EC2 instances for further analysis. The platform also retrieves information from Aflac’s API gateways by sending execution logs and access logs to Amazon CloudWatch. The breadth of integrations Akamai provides across the AWS ecosystem provides Aflac the support they need to confidently address their data security obligations.

Aflac is already scoping out how it plans to expand its API security coverage globally, notably in Japan. Asia is a burgeoning market for the company, and they want to ensure that their customers in emerging markets have the same level of security. This will not only continue to differentiate them in the marketplace but also fortify their reputation as a customer-first organization.

The company is also implementing the testing module of the Akamai API Security solution, which empowers organizations to identify vulnerabilities during development and address them before they reach production. True to the shift-left approach, the testing module provides a suite of APl-focused security tests that security operations can run on demand or as part of a continuous integration/continuous delivery (Cl/CD) pipeline to ensure that APls are implemented securely. Aflac sees the testing capabilities of Akamai API Security as a strategic benefit that will allow them to improve testing and augment their existing application security tools with a comprehensive API security testing solution.

“Aflac is excited to have a true market leader securing our API estate. We are confident in the Noname Security platform (now part of Akamai API Security), their team, and their vision. With so much value already recognized and given their impressive ability to innovate, we are excited about what the future of our partnership will offer,” concluded Goldsworthy.

Aflac Incorporated is a Fortune 500 company, providing financial protection to millions of policyholders and customers through its subsidiaries in the U.S. and Japan. When a policyholder or insured gets sick or hurt, Aflac pays cash benefits promptly, for eligible claims, directly to the insured (unless assigned otherwise). For more than six decades, Aflac voluntary insurance policies have given policyholders the opportunity to focus on recovery, not financial stress.