Multi-Cloud Insurance Platform with Zero-Trust & Native Performance
Quarkus Native & OPA-based Authorization for Germany's Leading Insurance IT Provider
The Challenge
Multi-Cloud Platform for Insurance Giants with Zero-Trust Security
This leading German insurance IT provider serves several major German insurers that together manage tens of millions of insurance policies and are moving to cloud technology. The task was to build highly secure, high-performance backend systems across multiple cloud platforms (OpenShift, AWS) while meeting the insurance industry's strict compliance requirements.
Multiple insurance clients each requiring isolated, secure environments
Legacy core systems that are reachable only within fixed operating windows rather than around the clock
Complex authentication/authorization across different customer identity providers
Need for ultra-fast startup times and low memory footprint for EPA mobile backends
Service-to-service authorization in multi-tenant Kubernetes environments
Automated infrastructure provisioning for multiple customers
Integration with diverse authentication systems (Kerberos, AD, OIDC, custom solutions)
Each insurance company has its own, mutually incompatible user data and systems, yet use cases must still deploy automatically
The Solution
Cloud-Native Platform with Quarkus Native & Policy-Based Security
We designed and implemented a multi-cloud platform that uses Quarkus Native for fast startup and Open Policy Agent (OPA) for zero-trust authorization. The platform provides high-performance backends for EPA mobile applications while keeping security policy strictly separated from application code. An automated deployment system lets a new insurance use case be rolled out with a single click.
Native Mobile Backends
Quarkus Native and Spring Boot Native services with sub-100 ms startup and a minimal memory footprint for EPA mobile app backends
Policy-Based Authorization
OPA (Open Policy Agent) sidecars enforcing policies based on scope claims, completely separated from application code
Brokered OIDC Proxy Architecture
Brokered Keycloak setup: one parent Keycloak per insurance company binds to that company's IdP. The login chain is OAuth2-proxy sidecar → use-case Keycloak → parent Keycloak → company IdP. Authentication deployment is fully automated and needs only minimal setup on the customer side.
Istio Service Mesh
Service-to-service authorization derived from the mTLS client certificate that the mesh passes in the x-forwarded-client-cert header, giving namespace- and service-level access control
Automated Infrastructure
Terraform-provisioned clusters with monitoring stack (Jaeger, Prometheus, Grafana, Kibana) linked to GitOps repositories
Data Availability Layer
ODS (Operational Data Store) fed via Pub/Sub and Kafka, providing high-performance access to backend data even while the core systems are outside their availability windows
Critical Challenges
Key technical hurdles and how they were overcome
Automated Authentication for Insurance Use Cases
Problem
Each insurance company has different user data and systems, none of them compatible with the others. Setting up authentication by hand would be expensive and slow, requiring weeks of integration work per customer. The business requirement, however, was that a use case must deploy with a single click to allow rapid customer onboarding.
Solution
Created a fully automated deployment based on a brokered Keycloak architecture. The parent Keycloak of each insurance company binds to that company's IdP (LDAP, AD, OIDC, custom). Initial customer setup configures only minimal information: claim relations, authentication method and attributes; attributes are mapped to use cases automatically. A user coming from the insurer's portal is forwarded to the use case; the OAuth2-proxy sidecar detects the missing session and redirects to the use case's brokered Keycloak, which delegates to the parent Keycloak and, if needed, to the company IdP. Keycloak then redirects back with use-case-specific tokens. Deployment and authentication setup are fully automated via GitOps.
The first insurance use case was deployed and fully authenticated three minutes after the click; stakeholders initially did not believe the demo was real.
Impact
Fully automated authentication deployment: insurance companies are onboarded in minutes instead of weeks, with zero manual integration work. Business analysts can deploy new use cases on their own, without developer involvement.
Native Compilation for Insurance-Grade Performance
Problem
EPA mobile backends had to scale instantly under unpredictable load (thousands of agents using the apps at the same time). With traditional JVM startup times of 10+ seconds, instances had to be kept warm around the clock, which is wasteful and expensive.
Solution
Quarkus Native and Spring Boot Native compilation brought cold start below 100 ms. This enabled a true serverless-style deployment: instances spin up on demand and shut down when idle. Combined with the Kubernetes HPA, the services scale on actual load.
Impact
80% cost reduction on AWS Lambda and compute resources. Users see an immediate response even when a request hits a cold start, and no idle instances need to run.
24/7 Data Availability Despite 24-Hour Windows
Problem
Core insurance and banking systems are often only available within strict maintenance and operating windows. Business teams still expect 24/7 data access for reporting, mobile apps, and digital sales channels.
Solution
Implemented an Operational Data Store (ODS) based on Pub/Sub and Kafka that mirrors the relevant data and decouples it from the core systems. Read traffic is served from the ODS, while writes are propagated back to the core systems as events, fully auditable and compliant with regulatory requirements.
Impact
24/7 access to portfolio and policy data for mobile and business applications without overloading core systems or violating core availability windows.
Service-to-Service Authorization in Multi-Tenant Environments
Problem
In a multi-cloud, multi-tenant landscape, user authorization is not the only hard problem: services themselves must be strongly identified and restricted. Classical API keys or purely IP-based filters are not sufficient for insurance-grade compliance.
Solution
Introduced the Istio service mesh with mTLS and evaluation of the x-forwarded-client-cert header, which the sidecar populates from the client certificate it verified. From it, the calling service and its namespace are derived and checked against centrally managed policies that define which endpoints and namespaces each service may call.
Impact
Clear, centrally configured service-to-service security boundaries, fewer misconfigurations, and significantly improved auditability of internal traffic flows.
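The identity check described in this section, written as an OPA policy for the platform's OPA sidecars (an added example, not the project's own policy; the page does not say where the check is implemented). It assumes the OPA-Envoy external-authorization input layout (`input.attributes.request.http`), Istio's SPIFFE ID format `spiffe://<trust-domain>/ns/<namespace>/sa/<service-account>`, and a hypothetical allow-list of callers per path prefix. The check is only sound because the Istio sidecar rewrites x-forwarded-client-cert from the peer certificate it verified over mTLS before the request reaches the policy; a workload reachable without a sidecar must not trust this header.

```rego
package envoy.mesh

import rego.v1

default allow := false

# Trust domain of the mesh; a SPIFFE ID from any other domain is rejected outright.
trust_domain := "cluster.local"

# Centrally managed allow-list: which workloads (namespace + service account) may call
# which path prefix. Constructed example values; the real platform would load this as a
# data document from GitOps.
allowed_callers := {
    "/api/policies": {
        {"namespace": "portal", "sa": "portal-gateway"},
        {"namespace": "reporting", "sa": "batch-reader"},
    },
    "/api/claims": {
        {"namespace": "claims", "sa": "claims-api"},
    },
}

req := input.attributes.request.http

# The sidecar sets x-forwarded-client-cert from the verified peer certificate, so the
# URI SAN of its first element is the SPIFFE ID of the immediate caller.
caller := {"trust_domain": td, "namespace": ns, "sa": sa} if {
    elements := split(req.headers["x-forwarded-client-cert"], ",")
    some pair in split(elements[0], ";")
    startswith(pair, "URI=")
    uri := substring(pair, 4, -1)
    [[_, td, ns, sa]] := regex.find_all_string_submatch_n(`^spiffe://([^/]+)/ns/([^/]+)/sa/([^/]+)$`, uri, 1)
}

allow if {
    caller.trust_domain == trust_domain
    some prefix, callers in allowed_callers
    startswith(req.path, prefix)
    {"namespace": caller.namespace, "sa": caller.sa} in callers
}

# Denial reason for the decision log; caller is absent when no mesh identity was presented.
deny_reason := "no mesh identity in request" if {
    not caller
}

deny_reason := sprintf("%s/%s may not call %s", [caller.namespace, caller.sa, req.path]) if {
    caller
    not allow
}

# --- Unit tests, run with: opa test mesh.rego ---
# Header values are constructed; the Hash field is a placeholder, not a real certificate digest.
portal_xfcc := `By=spiffe://cluster.local/ns/backend/sa/policies-api;Hash=0000;Subject="";URI=spiffe://cluster.local/ns/portal/sa/portal-gateway`

test_portal_gateway_may_read_policies if {
    allow with input as mk_request("/api/policies/42", portal_xfcc)
}

test_unlisted_workload_denied if {
    not allow with input as mk_request("/api/policies/42", "URI=spiffe://cluster.local/ns/portal/sa/debug-shell")
}

test_foreign_trust_domain_denied if {
    not allow with input as mk_request("/api/policies/42", "URI=spiffe://evil.example/ns/portal/sa/portal-gateway")
}

test_no_mesh_identity_denied if {
    not allow with input as {"attributes": {"request": {"http": {"path": "/api/policies/42", "headers": {}}}}}
}

mk_request(path, xfcc) := {"attributes": {"request": {"http": {"path": path, "headers": {"x-forwarded-client-cert": xfcc}}}}}
```

The allow-list keys on namespace plus service account rather than on pod IP or a shared API key, which is what makes the boundary auditable: the decision log records exactly which workload identity attempted which call. Wire the policy into the sidecar with the OPA-Envoy plugin and decision path `envoy/mesh/allow`.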
Business Impact
Measurable value delivered to the business
Customer Onboarding Speed
The automated authentication architecture reduced insurance company onboarding from weeks of integration work to 3-minute mouse-click deployment
Infrastructure Cost
Native compilation enabled true serverless deployment, eliminating need for warm instances on AWS Lambda and compute resources
Policy Update Speed
OPA policy changes deployed without application downtime, enabling real-time security posture adjustments
Developer Productivity
Terraform automation and GitOps reduced infrastructure work, freeing team for feature development
Innovations
Groundbreaking solutions that set new standards
Brokered Authentication Architecture for Insurance Use Cases
Fully automated OIDC brokerage system: Parent Keycloak per insurance company → use-case Keycloak → OAuth2-proxy sidecar. Supports LDAP, AD, Kerberos, OIDC, custom IDPs. Minimal customer setup (claims, auth method, attributes), everything else automated via GitOps.
Industry first: insurance use case deployment and authentication in 3 minutes vs. weeks. Zero manual integration work. Business analyst self-service deployment without developer involvement.
Impact: turned customer onboarding from a bottleneck into a competitive advantage and enabled rapid expansion across multiple major insurers.
OPA Policy-Based Zero-Trust Security
Open Policy Agent sidecars enforcing authorization policies based on scope claims, completely separated from application code. Policies updated independently without service restarts.
Complete decoupling of security policy from business logic - security team can update policies without developer involvement or application changes
Impact: <1 minute policy updates, real-time security posture adjustments, audit-friendly policy management
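A scope-claim policy of the kind described above, written for the OPA sidecar (an added example, not the project's own policy). It assumes the OPA-Envoy external-authorization input layout, a hypothetical route table, and a hypothetical `data.oidc` document holding the use-case realm's JWKS (Keycloak serves it at `/realms/<realm>/protocol/openid-connect/certs`), issuer and audience. The token is verified against that JWKS before any claim is trusted; the unit tests mock the verifier so they run offline.

```rego
package envoy.authz

import rego.v1

# Decision path configured in the OPA-Envoy sidecar: envoy/authz/allow
default allow := false

# Route table: the scope a caller must hold for each method and path prefix.
# Constructed example values; in the platform this would be a data document managed via GitOps.
routes := [
    {"method": "GET", "prefix": "/api/policies", "scope": "policies:read"},
    {"method": "POST", "prefix": "/api/policies", "scope": "policies:write"},
    {"method": "GET", "prefix": "/api/claims", "scope": "claims:read"},
]

req := input.attributes.request.http

bearer_token := substring(req.headers.authorization, 7, -1) if {
    startswith(req.headers.authorization, "Bearer ")
}

# Verify signature, issuer, audience and expiry against the realm's JWKS before trusting claims.
# data.oidc is a hypothetical data document:
#   {"jwks": "<JWKS JSON as a string>", "issuer": "https://...", "audience": "..."}
claims := payload if {
    [valid, _, payload] := io.jwt.decode_verify(bearer_token, {
        "cert": data.oidc.jwks,
        "iss": data.oidc.issuer,
        "aud": data.oidc.audience,
    })
    valid
}

# Keycloak emits granted scopes as a space separated string in the "scope" claim.
granted_scopes contains s if {
    some s in split(claims.scope, " ")
}

allow if {
    some r in routes
    r.method == req.method
    startswith(req.path, r.prefix)
    r.scope in granted_scopes
}

# Machine-readable denial reason for the decision log; claims themselves are never echoed.
reason := "missing or invalid bearer token" if {
    not claims
}

reason := sprintf("no granted scope authorizes %s %s", [req.method, req.path]) if {
    claims
    not allow
}

# --- Unit tests, run with: opa test authz.rego ---
test_oidc := {"jwks": "unused in tests", "issuer": "https://keycloak.example/realms/usecase", "audience": "policies-api"}

# Stand-in for the verifier: treats every token as valid and grants only the read scope.
mock_verify(_, _) := [true, {"alg": "RS256"}, {"sub": "agent-42", "scope": "openid policies:read"}]

test_read_allowed_with_read_scope if {
    allow with input as mk_request("GET", "/api/policies/123", "Bearer constructed") with data.oidc as test_oidc with io.jwt.decode_verify as mock_verify
}

test_write_denied_without_write_scope if {
    not allow with input as mk_request("POST", "/api/policies", "Bearer constructed") with data.oidc as test_oidc with io.jwt.decode_verify as mock_verify
}

test_missing_token_denied if {
    not allow with input as mk_request("GET", "/api/policies", "")
}

mk_request(method, path, authz) := {"attributes": {"request": {"http": {
    "method": method,
    "path": path,
    "headers": {"authorization": authz},
}}}}
```

Because the route table and the JWKS live in data documents rather than in the policy or the service, the security team can change who may call what by pushing a new bundle; the sidecar reloads it without restarting the application, which is the decoupling the section describes.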
Quarkus Native for Insurance Backends
Sub-100ms startup times enabling true serverless-style deployment on Kubernetes for EPA mobile backends. Combined with HPA for instant scaling based on actual load.
First German insurance IT provider to deploy Native compilation at production scale for mobile backends
Impact: 80% cost reduction, instant scaling, perfect user experience even during cold starts
Multi-Cloud Terraform Automation
Complete infrastructure-as-code provisioning clusters across OpenShift, AWS, customer premises with full monitoring stack (Jaeger, Prometheus, Grafana, Kibana) linked to GitOps repositories. Customer-specific configurations via Kustomize.
Unified automation across diverse cloud platforms with insurance-grade compliance and monitoring
Impact: Infrastructure provisioning: days → hours, consistent deployment across all environments
"The multi-cloud platform enabled us to serve major insurance clients with unprecedented security and performance. The automated authentication architecture and OPA-based authorization set new standards for our infrastructure. What used to take weeks now happens in minutes."
Need Multi-Cloud Platform with Zero-Trust Security?
If your organization requires high-security, high-performance cloud platforms across multiple environments with policy-based authorization, let's discuss your architecture.