Navigating Banking Infrastructure: The Cloud Dilemma

By Sameer Kanse

Cloud and digital transformation have become essential for any bank’s network fabric. The journey from the first Diners Club credit card in 1950 to NPCI-driven P2P payments on multiple UPI apps has been transformative. It has, however, put immense strain on backend infrastructure and raised security concerns across banking infrastructure. API-driven architecture ushers in an era of open technology and platforms, supported by mandated information sharing in areas like credit risks between multiple customer accounts. API-driven architecture and the need for cross-collaboration necessitate the move to the cloud for banks. Most new applications are built around a microservices framework to enable rapid real-time transactions, which suits cloud-based architecture better than monolithic on-site core banking systems.

Cloud migration, however, opens network challenges for banks at three levels:

Level 1: Data in Transit between end devices to the cloud

The widespread banking infrastructure has led to an exponential expansion of bank branches and cross-company API-driven connectivity. Traditional MPLS-based routing configurations fail to address these requirements because of their lack of adaptability to API frameworks, complex routing needs, and the high cost of private links. With networks only partially migrated to IPv6 while most remain on traditional IPv4, translation issues arise between private and public networks, leading to NAT nightmares for network administrators.

Level 2: Data access from the cloud

Near real-time requirements for data access create a complex web of identity and access management rules, data encryption, and capacity utilisation of network infrastructure, all while retaining a balance between cost and functionality. This opens a complex web of cloud-based security firewalls conflicting with native firewall configurations. Traditional IP-based routing as a security measure often fails when exposed to API and internet-driven routing to/from the cloud, and the issues increase in multi-cloud environments.

Level 3: Social Phishing and End-point Security

Finally, the prevalence of pervasive data access across devices and locations leads to security risk challenges. A floating population of multiple endpoints exposed to social phishing leads to challenges beyond traditional anti-virus tools and stateful firewalls. Social phishing is often underestimated, with the result that most ransomware attacks emanate from valid authenticated endpoints within the network.

A banking network typically evolves with multiple vendors for patch management, firewalls, network routing, encryption, cloud, automation workflows, API management and end-point security, leading to a lack of clear ownership distinction between vendors. The CIO thus faces an issue of visibility and manageability of the network’s security posture across these levels and of the ability to take mitigation measures on any security incident in near real-time.

Modern software-defined WAN technologies alleviate issues around leveraging internet underlays with built-in encryption. Not all SDWANs are equal, however; any evaluation of a migration to SDWAN should assess solutions against some key parameters like:

  1. AES-256 encryption with dynamic key rotation at customizable time intervals as low as every 5 minutes for mission-critical applications, together with IP persistence, bandwidth aggregation, and IPv6 XLAT features to leverage multiple WAN technologies, including mobile broadband networks, should be a pivotal criterion to address Level 1 issues.
  2. Micro-segmentation-based LAN management, seamlessly integrated into a unified managed Wi-Fi solution with location anomaly detection, offers an additional layer of security beyond traditional IDAM and end-point authentication-based solutions. The availability of micro-segmentation features with ease of configuration is a crucial criterion for addressing Level 2 and 3 issues.
  3. Finally, most SDWANs fail to provide a GUI for configuration and a single-pane-of-glass view across all intertwining network elements. An essential evaluation criterion is a GUI-enabled Network-as-a-service dashboard, delivered via an integrated solution set from a single provider or via an API-driven architecture compatible with GUI tools like Grafana. AI-driven link optimization and self-healing workflows offered by advanced SDWAN solutions like CelerityX, enabled by Cnergee systems, can significantly improve the service experience.

Ultimately, any banking infrastructure should open opportunities for seamless integration to enhance the end-customer experience while balancing security requirements with the open flow of data required between multiple applications. The challenge for the new-age CIO lies in managing this balancing act, and a vital element of this act lies in choosing the right vendor for SDWAN transformation.

 

(The author is Sameer Kanse, Chief Business Officer, CelerityX, and the views expressed in this article are his own)