Empowering and Securing Banking and Financial Organizations

Banks, in their digitization journey, migrate their banking applications to cloud-based platforms, including payment applications, NetBanking applications, and loan management systems. These applications are accessed by end users through distinct domains and subdomains. Here are some of the common inbound use cases in Banks.

• Account Opening : During account opening and onboarding, banks utilize inbound traffic to collect and process customer information, identification documents, and other necessary details.
• Transactions: Inbound traffic for customer transactions includes online banking transfers, mobile banking transactions, and credit/debit card payments. Banks receive and process these transactions to update customer account balances and finalize financial transactions.
• Data Feeds and Market Updates: Banks receive inbound traffic in the form of real-time data feeds from stock exchanges, financial data providers, and market data vendors. This data includes stock prices, market indices, currency exchange rates, and other market-related information
• Customer Support and Communication: Inbound traffic includes customer inquiries, requests, and communications via channels like phone calls, emails, chatbots, or social media.

In order to comply with regulatory requirements and ensure comprehensive protection for these application workloads, it becomes necessary to implement layered security measures. 

Several essential security services are typically employed in this context:To ensure comprehensive security in the BFSI sector, key measures include encryption for data protection, intrusion detection and prevention systems (IDPS) for threat mitigation, network firewalls and segmentation for controlled traffic, vulnerability management for addressing weaknesses, real-time security monitoring and incident response, data loss prevention (DLP) measures, and robust logging and auditing for compliance.

It is important for banks to continuously evaluate and enhance their security measures to adapt to evolving threats and maintain the integrity, confidentiality, and availability of their cloud-based banking applications.

By integrating Palo Alto Networks software firewalls  with native security solutions, organizations can adopt a layered security approach that encompasses various essential components like - 

1. DDoS Service: The combined solution includes robust protection against Distributed Denial of Service (DDoS) attacks. This helps safeguard networks and infrastructure from malicious attempts to disrupt services by overwhelming them with excessive traffic
2. WAF (Web Application Firewall): The solution incorporates a Web Application Firewall (WAF) that enhances security for web-based applications. It analyzes and filters incoming web traffic, detecting and mitigating potential threats, such as SQL injection or cross-site scripting attacks
3. VM-Series  (Next-Generation Firewall): The integration leverages the capabilities of a Next-Generation Firewall (NGFW). This advanced firewall technology goes beyond traditional firewall functionalities, providing deep packet inspection, application-level visibility, and granular control over network traffic
4. Proxy: The combined solution also includes a reverse proxy component, which acts as an intermediary between internal network resources and external connections. This can perform port and protocol switching for resources in a private network

With the layered security approach, organizations can establish a comprehensive and multi-layered defense strategy to safeguard their networks, applications, and data from a wide range of cyber threats.

Let's take an example of architecture in figure 1,  Customers can consider deploying a separate Centralized Ingress VPC  with VM-Series behind gateway load balancer.  The sequence of steps are as follows:

• User tries to access a banking portal to upload a document. For example- www.bank.com/app1
• Traffic after being inspected by DDoS, enters the Ingress VPC via IGW
• Route Table routes the traffic to GWLBe in Ingress VPC and  forwards to VM- Series for inspection.
• GWLBe sends the inspected traffic to the public ALB, with no source IP change. ALB Forwards the traffic to one of the L7 Load Balancer/Reverse Proxy instances.
• LB/RP reads the host header/path and sends the traffic to the correct VPC / Private ALB

Figure 2

To safeguard inbound traffic, various security features can be enabled on the firewall. These include:

1. Geo Location-Based Policy: This helps prevent unauthorized access and reduces the risk of potential threats from specific regions
2. Application Control (App-ID) : NGFWs enable policy enforcement and control of inbound traffic based on specific applications. By identifying application characteristics, they can selectively allow or block traffic, ensuring that only authorized applications can access the network
3. Decryption: Implementing decryption mechanisms allows for inspecting and analyzing encrypted inbound traffic. By decrypting the traffic, organizations can identify and mitigate potential threats or malicious activities hidden within encrypted communications
4. Data Loss Prevention (DLP): Monitor inbound traffic for sensitive or confidential data entering the network. They can enforce policies to prevent the unauthorized transfer of sensitive information, such as credit card numbers, personal data, or intellectual property
5. Advanced Threat Prevention: Utilizing advanced threat prevention measures enhances the security posture against sophisticated attacks. These measures employ various techniques, such as behavioral analysis, machine learning, and threat intelligence, to detect and prevent known and unknown threats
6. External Dynamic Lists (EDLs): EDLs enable the use of external threat intelligence sources to block traffic from known malicious IP addresses or domains. This helps proactively protect the network by preventing communication with known malicious entities
7. Advance WildFire: Wildfire subscription can detect and prevent advanced cyber threats, including malware, zero-day exploits, and other sophisticated attacks. This  capabilities to scan inbound traffic for known malware signatures or behavior patterns. They can detect and block malicious files or attachments, protecting the network from potential malware infections

By enabling these security features, Banking and Financial organizations  can strengthen their defense against potential inbound threats, enhance the security posture, and minimize the risk of unauthorized access or malicious activities targeting their networks and systems.

Providing Outbound Control 

Outbound traffic can vary in terms of its destinations and requirements. Banking and Financial organizations use outbound traffic to transfer data transmitted from a bank's internal network to external systems or services. Banks utilize outbound traffic for various use cases, including:

• Payment Processing: Banks transmit payment instructions and data to external processors and financial institutions via outbound traffic for secure transactions. For example- such as SWIFT messages for international transfers
• Market Data and Trading: For trading activities, banks access real-time market data feeds from stock exchanges and financial providers using outbound traffic
• Card Processing: Banks communicate with card networks and payment processors for transaction authorization, fraud checks, and payment settlement through outbound traffic
• External Services Integration: Banks integrate with third-party services such as CRM platforms, fraud detection systems, and identity verification providers. Outbound traffic is used to exchange data and interact with these external services
• Regulatory Reporting: Banks transmit regulatory reports, including financial statements and transaction information, to regulatory bodies through outbound traffic
• Interbank Communication: Banks securely exchange information with other financial institutions for interbank transfers, correspondent banking, and regulatory reporting using outbound traffic

In all these cases, banks need to ensure the security, integrity, and confidentiality of outbound traffic. Several security requirements should be considered to maintain a secure environment. Such as- 

• Secure Connectivity: Establish secure connections between the bank's on-premises infrastructure and the public cloud through encrypted communication channels, such as using VPN (Virtual Private Network) or dedicated private connections
• Network Segmentation: Implement network segmentation in the public cloud to separate services, applications, and data, limiting the impact of security breaches and improving control over outbound traffic flows
• Intrusion Detection and Prevention: To safeguard against security threats, such as unauthorized access attempts or malicious activities, deploy intrusion detection and prevention systems (IDPS). These systems actively monitor outbound network traffic, enabling the detection and prevention of potential security incidents
• Data Loss Prevention (DLP): Implement data loss prevention mechanisms to monitor and control outbound data flows. DLP solutions help identify and prevent the transmission of sensitive data that violates security policies, ensuring that confidential information is not leaked or exposed
• Logging and Monitoring: Implement a centralized logging system and SIEM solution to collect and analyze detailed logs of outbound traffic. This enables proactive detection of security incidents, identification of patterns, and timely response to potential threats. Monitor outbound traffic for suspicious activities, policy violations, or unauthorized access attempts, promptly investigating any anomalies
• Compliance and Regulations: Ensure compliance with relevant security standards, industry regulations, and data protection requirements, such as PCI DSS (Payment Card Industry Data Security Standard) or GDPR (General Data Protection Regulation). Implement necessary controls to protect customer data and maintain regulatory 
• Network Traffic Monitoring: Continuously monitor outbound network traffic for anomalies, unusual behavior, or signs of potential security breaches. Use network traffic monitoring tools to identify any suspicious outbound connections or abnormal data transfer patterns
• Secure DNS: Implement secure Domain Name System (DNS) services or DNS filtering solutions to protect against DNS-based attacks, such as DNS hijacking or domain spoofing. Secure DNS helps ensure that outbound traffic is directed to legitimate and trusted destinations
• Web Proxy: Deploying a web proxy server enables the implementation of web traffic filtering. Proxy servers serve as intermediaries between users and the internet, handling communications with websites on behalf of users, providing an additional layer of security and privacy

Considering the deployment example in this document, Let us consider an example of traffic flow in AWS environment 

1. Traffic originates from VPC to the Partner website towards the internet. For example, a notification to a partner portal about a successful payment. Based on the VPC  route table entry, The traffic is forwarded to the TGW Attachment
2. TGW attachment hands off traffic to GWLBe. GWLBe sends traffic for inspection by  VM-Series in outbound VPC 
3. Post Security inspection, PANW sends traffic back to GWLBe. GWLBe routes traffic to NAT Gateway. NAT Gateway Sends traffic out towards the destination

Figure 3

The VM-Series firewall offers several security capabilities that can be enabled for outbound protection:

1. Advanced Wildfire: By enabling Advanced Wildfire, the firewall can analyze suspicious files and identify potential malware or unknown threats. This proactive approach helps in detecting and preventing outbound communications associated with malicious activities. It can block outbound connections to malicious domains, detect and quarantine infected files, and prevent the spread of malware within the network
2. App-ID: The firewall's App-ID feature allows for the identification and control of applications used in outbound traffic. It provides granular visibility and control over application usage, helping to enforce policies and prevent unauthorized or risky applications from accessing the network
3. Advanced URL Filtering: Enabling Advanced URL Filtering enhances outbound security by controlling and monitoring web traffic. The firewall can enforce policies based on URL categories, ensuring that users access only authorized websites and protecting against malicious or inappropriate content
4. DNS Security: By enabling DNS security capabilities, the firewall can protect against DNS-based attacks and enforce policies for outbound DNS traffic. It helps prevent communication with malicious domains, detects and blocks DNS tunneling attempts, and ensures the integrity and availability of DNS services
5. SSL/TLS Inspection: SWFW can decrypt and inspect encrypted outbound traffic to detect potential threats hidden within encrypted communications. This allows for the detection of malicious content or activities that may otherwise go unnoticed
6. Advanced Threat Prevention: SWFW can identify and block outbound traffic associated with known and unknown malicious traffic. It can inspect outbound traffic for known attack signatures and anomalous behavior. They can detect and prevent outbound network attacks, providing an additional layer of protection against threats targeting the network perimeter
7. Data Loss Prevention (DLP): SWFWs can monitor outbound traffic for sensitive or confidential data leaving the network. And enforce policies to prevent the unauthorized transmission of sensitive information, such as credit card numbers, personal data, or intellectual property
8. Performance and Scalability: In addition to the aforementioned security controls, SWFWs can be implemented in both public and private cloud environments to accommodate infrastructure expansion in a scalable manner, ensuring optimal performance

By leveraging these security capabilities on the Software Firewalls,  organizations can establish robust outbound protection, effectively monitor and control application usage, safeguard against web-based threats, and enhance the security posture of their networks.

Protect East-West and On-Prem Traffic

In banks, east-west communication refers to the exchange of data and communication between different systems and services within the organization's network. Here are some common use cases for east-west communication in banks:

• Internal Service Integration: Banks often have multiple internal systems and services that need to communicate with each other. For example, the integration of customer relationship management (CRM) systems with core banking systems or loan origination systems
• Interdepartmental Communication: Different departments within a bank, such as retail banking, wealth management, or risk management, may need to share data and collaborate on various initiatives
• Workflow Orchestration: Banks often have complex business processes that involve multiple systems and services working together. This ensures efficient and coordinated execution of critical processes such as loan approval, payment processing, or account opening
• Security and Compliance: In a public cloud environment, east-west communication plays a crucial role in ensuring security and compliance. Banks can implement security controls, such as network segmentation and traffic monitoring, to protect sensitive data and prevent unauthorized access between different services and components

To ensure secure communication between workloads deployed in the cloud and on-premises deployments, Palo Alto Networks Software Firewall solution can be deployed in scalable and resilient architecture. For example, consider the figure 4 below, where we have deployed VM-Series firewalls in AWS in a centralized architecture.. This setup utilizes a Transit Gateway to facilitate connectivity and routing capabilities for traffic movement.

Figure 4

In the architecture diagram in figure 4, when an application in the on-premises environment or within a specific VPC needs to communicate with an application in another VPC, the traffic is directed towards the Transit Gateway from the source. The Transit Gateway then forwards the traffic to the inspection VPC, where security checks are performed.

After the security checks are completed, the traffic is routed back to the Transit Gateway, which then forwards it to the destination based on the defined route table. This process ensures that the traffic undergoes necessary security measures before reaching its intended destination. The security controls which can be enabled are - 

• Application Security: Application-level visibility and control, allowing banks to enforce security policies based on specific applications. They can identify and block unauthorized applications or suspicious behavior within east-west traffic, ensuring that only legitimate and authorized applications communicate with each other
• Traffic Inspection: Inspect east-west traffic to detect and block malicious content, malware, or unauthorized communications. They can analyze traffic patterns, apply security rules, and filter out potentially harmful or non-compliant traffic, preventing the spread of threats within the network
• Threat Protection: NGFWs can detect and prevent intrusion attempts within the bank's network. By analyzing east-west traffic for known attack patterns, suspicious activities, or malicious behavior, NGFWs can identify and block unauthorized access attempts or prevent lateral movement of threats

These measures help safeguard critical systems, data, and applications from unauthorized access, malicious activities, and emerging threats.

Protecting Cloud Native Workload 

Banks can embrace a microservices architecture in the public cloud, decoupling various services and enabling flexible, scalable, and agile deployment and management of banking services. Kubernetes serves as a suitable platform for hosting DevOps and CI/CD tools, empowering banks to automate software development, testing, and deployment processes.

To ensure network security within the Kubernetes cluster for the containerized applications, Palo Alto Networks  CN-Series firewalls can be deployed. CN-Series provides full Layer-7 visibility and comprehensive security for containerized apps providing visibility and control to safeguard banking systems and data. 

Deploying PaloAlto's container firewalls allows banks to eliminate blind spots in their environment that cannot be ensured by deploying a network firewall outside the cluster. These can dynamically scale without compromising DevOps speed and agility.

Figure 5

As shown in the figure 5, Banks can secure specific applications/namespaces only with stricker policy and not all the applications on the cluster. It also enables them to achieve PCI compliance by enforcing strict policy only for Payment Processing applications. 

Network security teams can prevent threats riding in the container environment with our Threat Prevention and Wildfire malware analysis services.

MultiCloud and Hybrid Deployment

Banks often adopt the practice of using multiple cloud service providers to host different applications, services, or components of the bank's infrastructure. By adopting a multi-cloud strategy, banks can leverage the unique features and capabilities offered by different cloud providers. Also, it  enables banks to implement robust disaster recovery and business continuity strategies

At the same time, deploying banking services across multiple cloud providers ensures high availability and resilience. In the event of an outage or disruption, banks can swiftly switch to another provider, minimizing customer impact and ensuring uninterrupted operations. 

It is essential to design a robust and secure network architecture while connecting a multicloud environment in banks. Banks should consider their specific requirements, performance needs, security considerations, and compliance obligations when selecting and implementing connectivity solutions for their multi cloud environment.

There can be multiple ways of connecting-

• Connection via VPN 
• Connecting with private link
• Connecting via a 3rd party edge solution

Below is one of the examples for connecting an AWS and Azure environment along with on-prem connectivity. direct connect services establish private and high-bandwidth connections between the bank's on-premises infrastructure and multiple cloud providers. This provides a reliable and low-latency connection for data transfer and application access. Multicloud networking services provide networking capabilities, such as load balancing and  traffic routing to ensure efficient and secure connectivity between clouds.