Security, Speed, Scale: How ACKO Builds Digital Trust Into Every Product Decision
Digital trust sits at the center of every insurance interaction. Data moves fast, expectations are high, and the margin for error is small. ACKO, India's first born-digital insurer, treats security as a product capability - not a checkbox.
"Security is not an afterthought at ACKO - it's built into our engineering process from day one," says Harish Rama Rao, Senior Vice President - Product Engineering at ACKO. The message is simple: security drives innovation, it doesn't slow it down.
Security by design: shift left, ship faster
ACKO operates in a regulated space with millions of daily touchpoints. Every feature - claims, policy issuance, engagement - starts with security and governance in the design. "We operate at speed - our innovations reach millions instantly. So, we embed compliance and security right from the product design stage," says Rama Rao.
A shift-left philosophy catches vulnerabilities before they reach production. InfoSec guidelines are embedded in the engineering framework, so new features inherit the same security and privacy standards automatically. The result: fewer surprises, faster releases, stronger trust.
- Build threat models at the spec stage, not post-QA.
- Codify privacy and security controls as reusable templates.
- Gate releases with policy-as-code, not manual approvals.
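What a policy-as-code gate looks like in practice, as an added example that is not ACKO's pipeline: a deployment manifest is checked against a small set of codified rules, and the release proceeds only when no rule reports a violation. The manifest shape, the rules and the two constructed manifests are assumptions for illustration; a real gate would run the same evaluation in CI against the artifact about to ship.

```python
"""Policy-as-code release gate (added example, not ACKO's pipeline).
A deployment manifest is evaluated against codified rules; the release
proceeds only if no rule reports a violation. Manifest shape and rule
set are assumptions for illustration."""
import re
from typing import Callable

Manifest = dict
Rule = Callable[[Manifest], list[str]]

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
SECRET_KEY_RE = re.compile(r"secret|token|password|passwd|api_?key", re.I)


def image_pinned_by_digest(m: Manifest) -> list[str]:
    # A mutable tag (":latest", ":v2") can be repointed after review;
    # an immutable digest cannot.
    return [f'container {c["name"]}: image "{c["image"]}" is not pinned by digest'
            for c in m.get("containers", []) if not DIGEST_RE.search(c.get("image", ""))]


def no_privileged_containers(m: Manifest) -> list[str]:
    return [f'container {c["name"]}: privileged=true'
            for c in m.get("containers", []) if c.get("privileged")]


def no_inline_secrets(m: Manifest) -> list[str]:
    # Secret-looking env vars must reference a secret store, not carry a literal.
    found = []
    for c in m.get("containers", []):
        for name, value in c.get("env", {}).items():
            if SECRET_KEY_RE.search(name) and not str(value).startswith("secretref://"):
                found.append(f'container {c["name"]}: env {name} holds an inline secret')
    return found


def required_labels(m: Manifest) -> list[str]:
    labels = m.get("labels", {})
    return [f"missing label {k}" for k in ("owner", "data-classification") if k not in labels]


def pii_workloads_encrypt_volumes(m: Manifest) -> list[str]:
    if m.get("labels", {}).get("data-classification") == "pii" and not m.get("encrypt_volumes"):
        return ["data-classification=pii but encrypt_volumes is not true"]
    return []


RULES: list[Rule] = [image_pinned_by_digest, no_privileged_containers,
                     no_inline_secrets, required_labels, pii_workloads_encrypt_volumes]


def evaluate(m: Manifest) -> list[str]:
    """Every violation from every rule, so the developer fixes them in one pass."""
    return [v for rule in RULES for v in rule(m)]


def release_allowed(m: Manifest) -> bool:
    return not evaluate(m)


# Constructed manifests: the first is how a rushed change often looks,
# the second is the same service after the gate's findings are addressed.
BEFORE = {
    "name": "claims-api",
    "labels": {"owner": "claims-platform"},
    "containers": [{
        "name": "api",
        "image": "registry.example/claims-api:latest",
        "privileged": True,
        "env": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
    }],
}
AFTER = {
    "name": "claims-api",
    "labels": {"owner": "claims-platform", "data-classification": "pii"},
    "encrypt_volumes": True,
    "containers": [{
        "name": "api",
        "image": "registry.example/claims-api@sha256:" + "a" * 64,
        "env": {"DB_PASSWORD": "secretref://vault/claims/db", "LOG_LEVEL": "info"},
    }],
}

if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", "ALLOW" if release_allowed(manifest) else "BLOCK")
        for violation in evaluate(manifest):
            print("   ", violation)
```

The gate reports every violation at once rather than stopping at the first, which is what keeps a policy gate faster than a manual approval: one round trip to fix, not one per finding.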
Cloud-native scale and resilience without legacy drag
ACKO's cloud-first architecture enables elastic scale, redundancy, and high availability. Systems run across multiple availability zones; if one fails, operations continue. Auto-scaling matches demand - peak loads expand capacity, quiet hours reduce it for efficiency.
This also powers disaster recovery. A multi-data-center setup with hot, warm, and cold environments maintains continuity. "Customer experience is paramount. Downtime is simply not an option," says Rama Rao.
- Multi-AZ deployments and automated failover as a baseline.
- DR drills measured by RTO/RPO and user impact - not just checklists.
- Cost controls tied to real traffic patterns, not static provisioning.
Zero Trust as the operating model
In an ecosystem of APIs, partners, and cloud integrations, Zero Trust isn't optional. "Zero Trust is both a philosophy and a pattern. We assume nothing is inherently secure - every interaction, internal or external, must be verified," says Rama Rao.
No shared credentials. Encrypted communications. Strict key rotations. Services authenticate to each other, and partners follow the same rules. Trust is earned every time, by every identity and device.
- Short-lived credentials and enforced mTLS for service-to-service calls.
- Continuous verification with device posture and context-aware access.
- Partner onboarding gated by the same policies applied internally.
NIST SP 800-207: Zero Trust Architecture offers a solid reference model for teams formalizing these controls.
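The "short-lived credentials" and "context-aware access" points above, as an added example that is not ACKO's implementation: mTLS proves that the peer holds a key, and a short-lived, audience-bound credential layered on top states who the caller is, which service it may call, for how long, and what posture it carries. The HMAC keys, key ids, five-minute TTL and the posture rule are all assumptions; the verification order (signature first, then audience, time window, posture, every failure closed) is the part worth copying.

```python
"""Short-lived, audience-bound service credential (added example, not
ACKO's implementation). Models the identity checks layered on top of
mTLS: who the caller is, which service the credential is for, how long
it lives, and what context (device/workload posture) it carries.
Signing keys, TTL and posture policy are assumptions."""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Assumed: HMAC keys delivered from a secrets manager and rotated; the
# credential names the key id so verifiers can honour a rotation window.
KEYS = {"k-2024-09": b"\x11" * 32, "k-2024-12": b"\x22" * 32}
CURRENT_KID = "k-2024-12"
TTL_SECONDS = 300   # five minutes: a stolen credential is useful only briefly
CLOCK_SKEW = 30


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(kid: str, body: str) -> bytes:
    return hmac.new(KEYS[kid], body.encode(), hashlib.sha256).digest()


def issue(subject: str, audience: str, posture: dict, now=None, kid: str = CURRENT_KID) -> str:
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "aud": audience, "iat": now,
              "exp": now + TTL_SECONDS, "posture": posture, "kid": kid}
    body = _b64e(json.dumps(claims, sort_keys=True).encode())
    return f"{body}.{_b64e(_sign(kid, body))}"


def verify(token: str, expected_audience: str, now=None):
    """Return (ok, reason, claims). The signature is checked before any
    claim is trusted; every failure is fail-closed with a specific reason."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(_b64d(body))
        sig_bytes = _b64d(sig)
    except (ValueError, binascii.Error):
        return False, "malformed", None
    if not isinstance(claims, dict):
        return False, "malformed", None
    key = KEYS.get(claims.get("kid"))
    if key is None:
        return False, "unknown key id", None          # rotated-out key: reject
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return False, "bad signature", None
    if claims.get("aud") != expected_audience:
        return False, "wrong audience", None          # stops replay against another service
    if claims.get("iat", 0) > now + CLOCK_SKEW:
        return False, "issued in the future", None
    if now > claims.get("exp", 0) + CLOCK_SKEW:
        return False, "expired", None
    if not claims.get("posture", {}).get("managed"):
        return False, "caller device/workload not managed", None
    return True, "ok", claims


if __name__ == "__main__":
    tok = issue("claims-api", "policy-api", {"managed": True, "mfa": True})
    print(verify(tok, "policy-api")[:2])     # accepted
    print(verify(tok, "billing-api")[:2])    # wrong audience
```

Partner traffic goes through the same `verify` path as internal traffic; the only thing that differs is which audience and posture values the issuing side is allowed to mint.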
AI and agentic systems: move fast, keep guardrails tight
AI is improving claims and customer journeys across the stack. But the security bar stays high. "We don't lower the security bar for AI or agentic systems. Even when agents access or process data, they must pass through the same security layers as any other system," says Rama Rao.
ACKO practices data minimization with external LLMs: it shares only what a task needs and requires that providers not retain the data after processing. AI-generated code runs in sandboxes with strict authorizations and routine audits.
- Minimize, mask, or tokenize data before LLM calls; block training retention.
- Route all AI I/O through secure gateways with policy checks and logging.
- Isolate agent actions; require human-in-the-loop for sensitive workflows.
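The "minimize, mask, or tokenize" and "secure gateway" points above, as an added example that is not ACKO's code: only the fields a claim-triage prompt actually needs leave the boundary, identifiers inside free text are swapped for random opaque tokens held in a per-request vault, a gateway check refuses to send anything that still looks like PII, and the model's answer is re-hydrated locally. The record, the regex patterns and the stand-in provider callable are constructed assumptions; blocking training retention is a provider-side contractual and per-request setting that this code can only flag, not enforce.

```python
"""Data minimization and reversible tokenization before an external LLM
call (added example, not ACKO's code). Only the fields a claim-triage
prompt needs are sent, identifiers inside free text are replaced with
opaque tokens, and the model's answer is re-hydrated locally. Record
shape, patterns and the hypothetical provider call are assumptions."""
import re
import secrets

# Constructed claim record; no real customer data.
CLAIM = {
    "claim_id": "CLM-2024-88127",
    "customer_name": "Asha Verma",
    "email": "asha.verma@example.com",
    "phone": "+91 98765 43210",
    "policy_number": "POL-77123456",
    "vehicle": "Honda City 2019",
    "incident": ("Rear-ended at a signal on Outer Ring Road. Photos via "
                 "asha.verma@example.com or +91 98765 43210."),
}

# Minimization: the triage task needs what happened and to which vehicle,
# not who the customer is. Everything else never leaves the boundary.
ALLOWED_FIELDS = ("claim_id", "vehicle", "incident")

# Patterns are illustrative; production would use a maintained PII detector.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+?\d(?:[ \-]?\d){9,}"),
    "CLAIM": re.compile(r"CLM-\d{4}-\d+"),
}


class TokenVault:
    """Per-request raw -> token map; discarded once the answer is re-hydrated."""

    def __init__(self):
        self._forward: dict = {}
        self._reverse: dict = {}

    def tokenize(self, text: str) -> str:
        for kind, pattern in PATTERNS.items():
            text = pattern.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        return text

    def detokenize(self, text: str) -> str:
        for token, raw in self._reverse.items():
            text = text.replace(token, raw)
        return text

    def _token(self, kind: str, raw: str) -> str:
        if raw not in self._forward:
            token = f"<{kind}_{secrets.token_hex(4)}>"   # random: not derivable by the provider
            self._forward[raw] = token
            self._reverse[token] = raw
        return self._forward[raw]


def contains_pii(text: str) -> bool:
    return any(p.search(text) for p in PATTERNS.values())


def prepare_prompt(record: dict, vault: TokenVault) -> dict:
    minimized = {k: str(record[k]) for k in ALLOWED_FIELDS}
    return {k: vault.tokenize(v) for k, v in minimized.items()}


def call_external_llm(prompt: dict, provider) -> str:
    """Gateway check: refuse to send anything that still looks like PII.
    'provider' is a hypothetical callable; retention opt-out is a contractual
    and per-request provider setting, not something this code can enforce."""
    for field, value in prompt.items():
        if contains_pii(value):
            raise ValueError(f"refusing to send field {field}: PII detected")
    return provider(prompt)


def triage(record: dict, provider) -> str:
    vault = TokenVault()
    prompt = prepare_prompt(record, vault)
    answer = call_external_llm(prompt, provider)
    return vault.detokenize(answer)   # tokens come back, raw values restored locally


def _fake_provider(prompt: dict) -> str:
    """Stand-in for the external model: echoes the tokens it saw back into its answer."""
    return f"Low severity; request photos from the contact in: {prompt['incident']}"


if __name__ == "__main__":
    vault = TokenVault()
    print(prepare_prompt(CLAIM, vault))   # what the provider actually receives
    print(triage(CLAIM, _fake_provider))  # what the adjuster sees after re-hydration
```

Tokens are random rather than hashed so the provider cannot rebuild an identifier by brute force, and the vault lives only as long as the request, which is the "no retention" property enforced on ACKO's own side of the boundary.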
Automation and continuous vigilance
Speed matters. Precision matters more. ACKO uses real-time monitoring, anomaly detection, and automated alerting to stay proactive. Platform telemetry tracks data flows, flags unusual behavior, and triggers automated responses before issues escalate.
"Once you build the right platform and practices, product innovation becomes fast, safe, and scalable," notes Rama Rao.
- Unify logs, metrics, and traces; correlate signals automatically.
- Apply drift detection on infra and policies to catch silent failures.
- Run chaos and security gamedays to harden muscle memory.
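The "flags unusual behavior and triggers automated responses" part of the telemetry pipeline, as an added example that is not ACKO's platform: each (service, destination) data flow keeps a rolling robust baseline of records exported per interval, built from median and MAD so that a single spike cannot drag the baseline up with it; an interval far above baseline raises an alert, is excluded from the baseline, and is tiered into an automated response. The telemetry, the k multiplier and the response tiers are constructed assumptions.

```python
"""Anomaly detection on data-flow telemetry with an automated first
response (added example, not ACKO's platform). Each (service, destination)
pair gets a rolling robust baseline (median + MAD) of records exported
per interval; an interval far above baseline raises an alert and picks
a response. Telemetry and thresholds are constructed assumptions."""
from collections import defaultdict
from statistics import median

# Constructed telemetry: (interval, source service, destination, records exported).
# The last claims-api interval is a 40x jump, the kind of thing a bulk export
# bug or an exfiltration attempt produces.
TELEMETRY = [
    (i, "claims-api", "analytics-lake", n)
    for i, n in enumerate([120, 131, 118, 125, 129, 122, 127, 124, 126, 121, 4800])
] + [
    (i, "policy-api", "partner-x", n)
    for i, n in enumerate([40, 38, 42, 39, 41, 40, 43, 38, 40, 42, 41])
]
TELEMETRY.sort(key=lambda r: r[0])   # process in time order, as a stream would arrive

MAD_SCALE = 1.4826   # makes MAD comparable to a standard deviation for normal data


def threshold(history: list, k: float) -> float:
    """Robust upper bound: median + k scaled median absolute deviations."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0   # floor so a flat baseline still alerts
    return med + k * MAD_SCALE * mad


def detect(telemetry, k: float = 5.0, min_history: int = 5) -> list:
    """Score each interval against the history seen so far for that flow."""
    history = defaultdict(list)
    alerts = []
    for interval, service, dest, records in telemetry:
        key = (service, dest)
        if len(history[key]) >= min_history:
            limit = threshold(history[key], k)
            if records > limit:
                alerts.append({"interval": interval, "service": service, "destination": dest,
                               "records": records, "threshold": round(limit, 1)})
                continue   # do not let the anomaly poison the baseline
        history[key].append(records)
    return alerts


def respond(alert: dict) -> str:
    """Automated response tiering: gross excess is contained immediately,
    marginal excess is routed to a human."""
    if alert["records"] > 10 * alert["threshold"]:
        return "block-egress-and-page"
    return "page-oncall"


if __name__ == "__main__":
    for alert in detect(TELEMETRY):
        print(alert, "->", respond(alert))
```

The baseline is per flow, not global, so a partner feed that legitimately runs at 40 records per interval is not hidden behind a service that runs at 120; and the `min_history` warm-up avoids alerting on the first few intervals of a new flow, which is where most false positives in this kind of detector come from.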
The human side
Technology is built by people. "Great systems come from empowered teams that understand both speed and responsibility," says Rama Rao. He credits staying grounded - travel, people, culture - for balance and clarity.
That mindset shows up in the work: move fast, but move responsibly.
What insurance product and engineering leaders can do now
- Make security a product requirement, not a review step. Treat controls like features with clear acceptance criteria.
- Adopt shift-left: threat modeling in discovery, guardrails in code, and policy-as-code in CI/CD.
- Standardize on Zero Trust: short-lived credentials, mTLS, least privilege, verified devices, continuous auth.
- Architect for failure: multi-AZ by default, DR drills quarterly, and user-centric reliability metrics.
- Operationalize AI governance: data minimization, sandboxed execution, audit trails, and human approvals for high-risk actions.
- Automate detection and response: anomaly baselines, auto-remediation for known classes, and clear runbooks for the rest.
- Invest in teams: security champions in each squad, blameless postmortems, and ongoing training.
The road ahead
The path is clear: embed security early, treat Zero Trust as default, pair automation with oversight, and invest in people. That's how speed and safety work on the same side.
ACKO shows what this looks like at scale: a cloud-native foundation, tight governance, and continuous improvement. Or as Rama Rao puts it, "For us, security is not a destination - it's an ongoing cycle of learning, adapting, and innovating."
For deeper security standards, review ISO/IEC 27001 as a baseline for controls and governance.