Leading Insurer Closes Major Gap in API Security

Established in Israel in 1978, Clal Insurance and Finance is a leading insurance and long-term savings company, overseeing assets totaling NIS 332 billion* (US$90.87 billion). Through three distinct divisions, it delivers an array of services and products to private and corporate customers. Clal’s approximately 4,400 employees work in collaboration with 3,700 insurance agents, all dedicated to providing quality service and professional support to customers.

The company is driving a digital transformation based on APIs, which is fostering seamless innovation and a first-mover advantage in data exchange with business partners, other fintech companies, and customers. However, this API ecosystem also introduces a new conduit for potential threats — a particularly pressing issue in Israel, a nation that is frequently targeted by cyberattacks. By deploying Akamai API Security, Clal Insurance and Finance achieved three goals:

1. Automated discovery and inventory of all APIs
2. Automated remediation process
3. Improved API security posture

Clal used to secure its websites with another company’s traffic manager, security information and event management solution, and web application firewall. But those security measures fell short when it came to the company’s vital and far-reaching API inventory.

Clal’s ecosystem powers innovations like Clal Express, a web service that allows customers to avoid out-of-pockets costs — a service the company wanted to manage and secure as APIs proliferated across the organization.

When COVID-19 hit, Clal deployed an API gateway solution to centralize the API ecosystem that they had started to build. “That’s when I realized we lacked a clear view into the more than 600 APIs exposed via our websites, and thousands across the enterprise,” explains Haim Inger, CTO for Clal. 

Although the API gateway provides partial insights into the API environment, it’s not a security solution. In fact, the companies using an API gateway must secure it. “As we started looking for solutions to secure our API gateway, I saw the gap between where we were and where we wanted to be with API security,” continues Inger.

Needing visibility into their API portfolio and the ability to detect any threats or abuse in their APIs, Inger and his security team evaluated solutions. In addition to gaining the ability to check for transaction anomalies and minimize rule changes to account for API behavior, the solution needed to be easy to deploy.

After assessing three solutions, Inger chose cloud-based Akamai API Security. “I expected deployment to take months but to my amazement, we integrated it with F5, Splunk, and all our APIs in just four days,” Inger says.

Immediately after deploying API Security, Clal realized its value. Unlike solutions that would require Clal’s security team to review each API and write rules that promote only desired behavior, the Akamai solution automatically inventories and assesses the state of Clal’s API ecosystem.

“We didn't need to do anything to understand the state of our API estate. After ingesting tokenized data about our APIs, the Akamai solution automatically delivered insights into what needed to be fixed and how to fix it,” Inger explains.

Since conducting the initial inventory and analysis of Clal’s APIs, Akamai API Security continually inventories and analyzes the ecosystem. “The discovery process is very important because it provides ongoing insight into what APIs are being used and how, and allows us to close APIs that are no longer in use,” says Inger.

The Akamai solution also continually surfaces and reports on vulnerabilities and anomalies through a risk audit and behavioral analysis. Examples include credit card data being transferred in an unsecure manner within an API, or a fintech partner using an API in an unsanctioned way. In every scenario, API Security empowers Clal to ensure that none of its APIs are conduits for attacks.

Inger and his team also appreciated the ability to pair the solution with API Security ShadowHunt, a managed threat hunting service that harnesses Akamai's expert analysts skilled in API threat hunting. 

“We are alerted, for example, about unusual patterns in how or how frequently our APIs are accessed. These notifications allow us to immediately remediate any vulnerabilities and prevent our customers’ data from being accessed and compromised,” Inger says.

An accurate view into the API ecosystem and instant notifications about potential issues not only help strengthen Clal’s security posture, they help fortify partnerships and ensure uninterrupted business. “Before, we would simply shut down our line of business with a fintech partner that was attacked. Now we can address the API vulnerability and maintain our important partnerships,” Inger explains.

Now in their second year of API Security and ShadowHunt adoption,  Inger and his team are pleased. “The solution and service deliver as promised. Plus, since API Security is cloud-based, we don’t have to maintain or upgrade it,” Inger continues.

Moreover, the 360-degree view that Akamai provides into Clal’s development and production environments — along with security alerts — are invaluable. “Akamai helps us ensure the strongest security posture possible in our API environment,” Inger concludes. 

Clal Holdings is a holding company whose holdings are mainly Clal Insurance and Finance and the MAX credit card company. Shares of Clal Insurance Enterprises Holdings are held by the public, with no controlling shareholder core, and are traded on the Tel Aviv Stock Exchange. Alrov Real Estate and Hotels Ltd. holds 14.1% of the Company's shares, while the Phoenix Group holds 7.0%, the Harel Group holds 6.6%, and Mr. Shalom Shai (Dona Engineering & Construction Co. Ltd.) holds 5.1%. In terms of gross earned premiums, the Group's market share is 15% of the insurance market (in 2022), and the volume of assets it manages exceeds NIS 332 billion (as of September 2023). In March 2023, Clal acquired Max from Warburg Pincus, a US investment fund, and its partners. The Clal Group operates in several diverse insurance and long-term savings areas, such as pension, provident and advanced training funds, general insurance such as car and home, health insurance and credit cards. In addition, the Group has a unique activity among insurance companies in mortgages and credit insurance. Since 2023, the Group has also been active in the credit card industry. The Clal Group owns insurance agencies, pension funds, provident funds, training funds, and a credit insurance company. As of December 2022, the Group has 4,403 employees at Clal Insurance and Finance and the insurance agencies and 1,337 employees at Max. All said, this places Clal as one of Israel's leading long-term insurance and savings groups.