To thrive in a fast-changing economic landscape, the finance sector has had to reinvent itself by embracing cloud and mobile computing. Even though financial organisations have made significant progress toward digital transformation, the adoption of new technologies is often overlaid on legacy IT infrastructure. This is holding the financial industry back from reaping the benefits of its digitalisation efforts. How can financial institutions succeed in a polarised world of legacy infrastructures and modern cloud-based applications?
Advances in technology have opened the market to disruptive digital competitors. The rise of so-called challenger banks has developed in line with consumers’ readiness to embrace e-commerce through smartphones and e-payments. This market dynamism means that customers have become more demanding and expect real-time, customized, and seamless experiences in their daily interactions with their banks.
Digital innovation and business agility are key for financial institutions to not only maintain their existing customer base, but also to attract new customers, grow market share, and address growth opportunities in new market segments. Despite the need to maintain strict compliance with financial regulations and governance controls, the finance sector is evolving fast, and digital transformation is well underway.
To mitigate the risk of losing customers, financial organisations are faced with the challenge of attempting to replicate the level of in-person customer service that they used to deliver in their branches with similarly outstanding digital experiences. This is a core reason that user experience is a top business priority for most financial organisations, not only for their customers but also their employees.
The challenge for financial organisations is that, although they want to adopt new IT solutions to enable transformation, they have to abide by strict policies to meet the requirements of their regulators. As such, they’re risk-averse, and tend to stick with their legacy IT infrastructure. Their reluctance to interfere with their core banking-related IT systems, many of which have been in place for 30+ years, leads to a hybrid setup of their IT.
While there are various reasons why it is difficult to implement changes in legacy architectures, the financial industry, like many other industries, is still modernising its user-oriented front ends. However, unlike other industries, banks are struggling to operate across hybrid cloud and on-premises environments, for the same regulatory reasons that are holding them back from fundamentally modernising. They have to comply with the policies and regulatory requirements governing their data flows, and at the same time have to balance security and user experience for their new cloud-based initiatives.
While financial organisations are embracing mobile and cloud technology to foster company-wide digital transformation, they still have to consider the security of the data flows that leave their boundaries. With the transition to cloud-based applications, they must enable their workforce to use the internet as the path to their applications without compromising security.
For financial institutions to maximise the full potential of the cloud in their hybrid infrastructures, while still maintaining the utmost security, they’d be wise to consider the following five key steps.
Banks traditionally had central headquarters supported by branch offices. In traditional “hub-and-spoke” networking environments, all these locations connect to a single corporate network and link to a central private data centre. In this setup, all data is routed back into the data centre via expensive MPLS backhaul links. This worked fine when desktop apps all lived on-premises, but it no longer works once applications have moved to the cloud. The detour from each user via the corporate network to break out to cloud-based applications adds latency and therefore harms the user experience.
For example, Office 365 is a common application that lives in the cloud, and its adoption creates a surge in cloud-bound data traffic that requires a huge amount of bandwidth. In a legacy environment, data traffic flows from the branch offices to the data centre over MPLS networks, then outbound through the data centre security stack to Microsoft clouds hosting Office 365. It then must double back through the inbound security stack back into the data centre, then back out to branch offices. This multi-hop, multi-security-check route introduces huge amounts of latency and hinders Office 365 performance.
Financial institutions need to provide staff seamless access to their cloud-based applications. They can overcome the latency challenge by giving staff direct connectivity to the internet and their cloud-based applications.
The banking sector’s journey to the cloud was halted abruptly due to the COVID-19 pandemic. Within a matter of days, thousands of office- and branch-based staff were required to work remotely.
Unfortunately, this transition was not as seamless as one might have hoped, due to organisations’ existing “hub & spoke” infrastructures. Ultimately, remote workers were sending data on an even more convoluted journey to access their applications. Going back to the Office 365 example: traffic originates from a VPN client and flows into and out of the data centre via a linear stack of appliances including load balancer, distributed denial of service (DDoS) protection, firewall, VPN concentrator, intrusion prevention system (IPS), SSL, data loss prevention (DLP), and/or advanced threat protection (ATP). Again, the inherent latency in the traffic route means that Office 365 performance decreases, often to the frustration of the user. Users might even feel tempted to bypass VPN controls, which could open the corporate network to attack.
Relying on VPN for remote connectivity may be a proven method, but unfortunately, the VPN was invented before the age of the cloud and therefore no longer provides the most efficient route; instead it acts as a performance killer. A VPN connection not only slows down traffic but gives the user’s device access to the whole network rather than to the one application needed, potentially leading to security issues. Banks should start looking to free themselves from VPNs and move to more modern approaches which provide a higher level of security and deny network access to unauthorised users.
Establishing and maintaining secure remote connections to cloud applications does not need to be a performance killer nor an attack vector. A zero trust-based solution can enable granular, direct, and secure user-to-application access and can be implemented on top of legacy infrastructures.
An additional point to review in hybrid setups is Virtual Desktop Infrastructure (VDI), which has been broadly adopted in the financial sector for security and data residency reasons. Instead of accessing the application directly, the user sees only a rendered view of it on-screen, without the ability to change or extract data locally, as the application is still running on the server and its data does not leave the corporate boundary.
VDI technology enables remote users to connect to core systems, email, and other applications from their own devices (bring your own device, BYOD), mitigating classic issues such as data exposure and theft. However, desktop virtualisation is a complex undertaking, and performance of the virtual desktop can again prove an issue for the user, as the transmission of the virtual image relies on network connectivity. The remote access path once more has to pass through a VPN before VDI access is possible, and only in the last step does it deliver the view of the app.
Furthermore, these solutions are not only notoriously difficult to set up and costly to maintain, but are over-used and add an additional security risk, particularly during the pandemic. Financial organisations must be careful not to remedy an underperforming network with additional infrastructure. This not only adds further complexity and cost but also increases risks. As organisations travel further down the path of building upon their legacy infrastructure, they become less agile, innovative, and competitive. This is the exact opposite of the ultimate aim of their digitalisation journey.
Reconsider the costly and complex setup of a VDI infrastructure. Complementing it with a cloud-based security approach can help to control what the user has access to, and adds centralised visibility and control alongside a faster and more consistent user experience.
Banks have traditionally relied on fat clients and desktop systems in their offices, which provide a completely different touch and feel than what staff are used to from their personal devices when used for private browsing and social media interaction.
To provide the same experience, banks are considering allowing BYOD. CIOs in banking and financial services increasingly manage projects that extend primary business functions such as core banking systems (CBS) to mobile workers through app extensions as a means to survive in the modern banking world. Because financial institutions can’t give direct access to legacy infrastructures, they invest heavily into mobile apps to get work done from the field as a workaround in some parts of the world. The appification of these core banking functions aims to provide field employees with a simple, speedy, and secure method of helping customers make decisions and engage in services remotely. To provide and collect the best information for quotes, policies, coverage details, terms and conditions, and other data, field staff need access to core banking and insurance systems.
One solution to the remote access challenge is creating mobile apps for loan origination and policy quote engines, packaging them inside a mobile device manager (MDM) container and using real-time web services or APIs that connect to core systems. But appification creates new headaches for IT leads, such as increased development overhead, frequent change requests, and a growing volume of end-user requests. Such an approach adds complexity to the overall IT environment. Instead of building mobile apps, IT teams should be looking for more effective ways to give field staff secure access to core business functionality through the cloud.
Ubiquitous mobile broadband access, increasing cellular speeds over LTE (now moving to 5G), and public Wi-Fi hotspots facilitate remote work from anywhere. Giving employees access to CBS applications from the field with the same ease of access as from headquarters or a branch office removes the need for mobile-app extensions; what is needed instead is secure BYOD.
Financial institutions always need to think about upcoming audits and other regulatory requirements. An internal IT audit tests the organisation’s ability to understand its risk exposure and analyses how effectively the organisation detects and reports data breaches. Additionally, an organisation needs to understand whether it has appropriate measures in place to cope with these risks. As financial organisations seek new methods of creating value, address new target groups, and keep pace with digitalisation, they still need to ensure they have insight into all data streams in response to audits.
CIOs should always know who is in the network, and what they have access to.
IT decision-makers need to anticipate what supervisory developments mean for their organisation and make decisions based on these, as well as on their own threat analysis and cyber programmes. The most important parameter is therefore visibility into all employees’ on- and off-network traffic, regardless of where they are working and which device they are using to access their applications. With the rise of cloud and mobility, financial institutions face the challenge of keeping track of all data flows within their organisations’ reach. They need a single pane of glass to regain visibility into that traffic, and the cloud can be a key enabler.
To fulfil the requirements of an internal IT audit and to gain visibility into all data streams in the fight against cybercrime, a highly integrated cloud security platform reduces the complexity of these tasks and facilitates auditing processes.
A zero trust architecture typically employs a cloud security model to support fundamental principles of default-deny posture and follow-the-user policy controls. In this way, zero trust extends security protection to mobile devices so that remote staff can access core applications with the same level of security controls as staff based in the office. Users are never placed on the network, and instead connect only to applications as allowed by configured business policies. This contrasts with traditional VPN access, which tenuously extends the corporate network beyond the limits of its effective control.
Additionally, users and devices are authenticated first, before access to an application is granted. As each user is directed to an application, regardless of whether it resides in the data centre or in the cloud, zero trust enables the fastest connection between the user’s location and the location where the application is hosted. There is no longer a need for backhauling through the corporate security stack, which considerably improves application performance and user experience.
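The access model described in the two paragraphs above (authenticate user and device first, default-deny, connect the user to one named application rather than to the network, and record every decision so the audit requirements discussed earlier can be met) can be made concrete with a small policy broker. The following is an added illustration written for this page; it is not the article’s own code nor any vendor’s product, and every user, device, application and policy in it is constructed sample data.

```python
# Added example (not the article's or any vendor's code): a minimal zero trust
# access broker that applies default-deny, authenticates user and device first,
# and then authorises access per application rather than per network.
# All users, devices, applications and policies below are constructed sample data.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    authenticated: bool   # outcome of the identity provider's check (assumed done upstream)
    groups: frozenset     # group memberships asserted by the identity provider


@dataclass(frozen=True)
class DevicePosture:
    device_id: str
    managed: bool         # enrolled in the organisation's device management
    disk_encrypted: bool


@dataclass(frozen=True)
class AppPolicy:
    app: str              # the single application this policy grants
    allowed_groups: frozenset
    require_managed_device: bool = True


class AccessBroker:
    """Brokers user-to-application connections. There is deliberately no notion of
    'network access' here: every decision is about one named application."""

    def __init__(self, policies: List[AppPolicy]) -> None:
        self._policies: Dict[str, AppPolicy] = {p.app: p for p in policies}
        self.audit_log: List[dict] = []   # every decision, allowed or not, is recorded

    def decide(self, identity: Identity, device: DevicePosture, app: str) -> Tuple[bool, str]:
        allowed, reason = self._evaluate(identity, device, app)
        self.audit_log.append({
            "user": identity.user, "device": device.device_id,
            "app": app, "allowed": allowed, "reason": reason,
        })
        return allowed, reason

    def _evaluate(self, identity: Identity, device: DevicePosture, app: str) -> Tuple[bool, str]:
        # 1. Authenticate the user before evaluating anything else.
        if not identity.authenticated:
            return False, "user not authenticated"
        # 2. Default deny: an application with no policy is simply unreachable.
        policy = self._policies.get(app)
        if policy is None:
            return False, "no policy for application"
        # 3. Check device posture where the policy demands a managed device.
        if policy.require_managed_device and not (device.managed and device.disk_encrypted):
            return False, "device posture not compliant"
        # 4. Entitlement is granted per application, via group membership.
        if not (identity.groups & policy.allowed_groups):
            return False, "user not entitled to application"
        return True, "allowed"

    def entitled_apps(self, identity: Identity, device: DevicePosture) -> List[str]:
        """What this user on this device can reach: a list of applications, never a subnet."""
        return sorted(app for app in self._policies
                      if self._evaluate(identity, device, app)[0])


# Constructed sample policies and principals (not real systems or people).
POLICIES = [
    AppPolicy("core-banking", frozenset({"loan-officers", "ops"})),
    AppPolicy("office365-mail", frozenset({"all-staff"}), require_managed_device=False),
]
BROKER = AccessBroker(POLICIES)

LOAN_OFFICER = Identity("alice", True, frozenset({"all-staff", "loan-officers"}))
CONTRACTOR = Identity("bob", True, frozenset({"all-staff"}))
ANONYMOUS = Identity("unknown", False, frozenset())
MANAGED_LAPTOP = DevicePosture("lt-001", managed=True, disk_encrypted=True)
BYOD_PHONE = DevicePosture("ph-042", managed=False, disk_encrypted=True)


if __name__ == "__main__":
    for ident, dev, app in [
        (LOAN_OFFICER, MANAGED_LAPTOP, "core-banking"),
        (LOAN_OFFICER, BYOD_PHONE, "core-banking"),
        (CONTRACTOR, MANAGED_LAPTOP, "core-banking"),
        (ANONYMOUS, MANAGED_LAPTOP, "office365-mail"),
        (LOAN_OFFICER, BYOD_PHONE, "legacy-fileshare"),
    ]:
        print(ident.user, dev.device_id, app, BROKER.decide(ident, dev, app))
    print("alice on the BYOD phone can reach:", BROKER.entitled_apps(LOAN_OFFICER, BYOD_PHONE))
    print("audit entries recorded:", len(BROKER.audit_log))
```

The contrast with the VPN model discussed earlier is in `entitled_apps`: the broker can only ever answer with a list of applications, because it has no concept of putting a device on a network. A request for an application without a policy is denied without any further checks, which is what default-deny means in practice, and the `audit_log` gives the single record of who reached what, from which device, that an internal IT audit asks for.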
Digitalisation efforts are well underway in the financial industry. However, to gain maximum benefit from the cloud, financial institutions must do more than implement cloud-based front-end apps. Zero trust enables them to overcome the limitations of their legacy infrastructures, as this security approach improves the performance, security, and user experience of cloud-based apps.