How insurance companies and authorities communicate securely
The Swissdec architecture sketches show how corporate processes communicate with insurers and authorities today. An attempt is made to explain some essential concepts of this architecture and to outline future developments. The central data exchange platform of Swissdec Distributor is used to optimise and automate processes between about 200,000 companies and their insurers & authorities in Switzerland. Currently (2018), more than 17.8 million personal data with their wages are distributed between the participants annually.
Figure 1: Overview Swissdec processes and participants
The process participants are:
- Companies with their ERP systems and their ERP manufacturers by means of ‘transmitters’
- Insurers & public authorities with their specialised backend systems via ‘end recipients’
The systems connected by the process communicate via M2M interfaces using standardised protocols. The problematic n:m relation between the companies and insurers & authorities is transformed into a simple “n:Distributor:m” relation by means of a central distributor (see Figure 3). The distributor communicates with the companies on behalf of insurers & authorities and forwards the data to the end recipients in a data protection-compliant manner (checked and filtered). The Swissdec distributor acts as the representative of the end recipients (insurers & authorities) vis-à-vis the companies. In this function, the distributor enjoys the full trust of the end recipients. On their behalf, the distributor handles and ensures the communication processes with the ERP systems of the companies. On a technical level, however, the distributor only acts as an intermediary for messages. The systems of the end recipients and the companies, on the other hand, are responsible for the technical correctness of the messages and business processes.
The Swissdec Distributor
The use of the Swissdec Distributor has the following advantages:
- Easier development, testing and production for companies as ERP systems only communicate with the distributor,
- Reduction of data and process redundancy,
- Data to end recipients is filtered, ensuring data protection compliance. Design firewall, i.e. different versions can be bridged on the distributor by means of transformation. The lifecycle of versions is smooth and smart.
- Dynamic quality assurance (QA, plausibility check) and data filtering on the distributor No data storage on the distributor, i.e. communication between the company and insurers & authorities takes place in “real time” (7×24).
- SW manufacturers for transmitters and end receivers are tested and certified by Swissdec to ensure high quality regarding interoperability and data in the process. This then enables ‘plug and play’ of the process participants later in production.
Figure 2: Swissdec communication relationships
The technical architecture is based on cascaded web services that establish a synchronous call from the transmitter (ERP system) via the distributor to the end recipient (insurer & authorities). In this way, a “real-time” connection is established via the distributor, which allows a time-critical interaction of systems in the M2M process. In addition to the secure channel at transport level (SSL/TLS), the web services are secured by the standardised security concepts of WSS (Web Services Security; SOAP Message Security: signature+encryption).
Figure 3: Communication 1:Distributor:m
Runtime-critical processes are handled asynchronously, i.e. the transmitter gets control again immediately after the call and tries to pick up its response later by means of polling. Runtime-critical processes are handled asynchronously, i.e. the transmitter immediately regains control after the call and later attempts to fetch its response by means of polling.
Other parts are organised like a “construction kit” and are used in different contexts. Two of them – which also concern the area of data security – we only want to mention briefly here.
Already the computer scientist Melvin E. Conway showed with “Conway’s Law”, named after him, how organisations influence system structures. Swissdec only provides a technical standard and the distributor. The actual system parts are developed in the ERP and back-end systems. For this reason, the procedure for Swissdec is also an important aspect. The methodology for developing a Swissdec standard does not correspond to a classic application development. Very different participant requirements must be standardised so that in the end interoperability functions on the distributor by means of plug & play of the processes. Figure 4: Development methodology
A] The process is divided into “public” and “private” parts.
- The public process provides the basis for the Swissdec standards.
- The private process enables a segment-specific optimisation of the processes (from SMEs to large corporations).
B] Communication can now be derived from this and a protocol developed. C] Everything is then specified in a Swissdec standard. These guidelines describe the functional and technical part of the process. The Application Programming Interface (API) is available as Web Services Description Language (WSDL) with XML Schema (XSD). Frameworks can be used to generate code for different platforms. Integration into one’s own application can then be programmed “seamlessly”.