FSI Landing Zone On AWS

Depascale Matteo
Storm Reply
11 min read · Jul 25, 2024

This article is co-authored with Nicola Grassi

Overview

In the dynamic landscape of financial services, navigating the intricacies of IT structures can be a considerable challenge. Imagine a realm where your banking enterprise embraces the cloud, unlocking a world of possibilities. This journey begins with the concept of Landing Zones — a foundational framework designed to redefine your approach to application migration.

A landing zone defines services, automations, and configurations essential for initiating the migration of an application to the AWS cloud. Before delving into the intricacies of the landing zone, let’s first gain a concise understanding of the challenges faced by an FSI (Financial Services Industry) customer within the banking sector concerning its IT structure.

FSI customers grapple with a myriad of challenges: requirements that differ across nations and keep changing, security threats from external sources that constantly evolve, the need for comprehensive documentation to satisfy regulators, and the limited time and personnel available to tackle these challenges. Recognizing these demands from the financial sector, we have extended the Landing Zone framework into a bespoke solution explicitly for the FS industry.

The Landing Zone emerges as the first step in addressing these complex needs. With its prescriptive and highly automated approach, it excels in configuring security and network elements by design. When deployed with precision, it becomes an instrumental asset, significantly facilitating the overall migration process. Our approach, rooted in profound expertise within the cloud landscape, particularly with AWS, enables us to discern and implement the correct and comprehensive solution across various stages of the migration journey.

Shared Responsibility

AWS Shared Responsibility Model.

Before delving into the specific concepts related to the Landing Zone, let’s clarify the security and compliance context in which we operate — a framework that AWS defines as shared responsibility. AWS assumes full responsibility for the hardware and the inherent operation of the services it offers under the shared SLAs (Service Level Agreements). The customer, who uses these services and places their data in the cloud, is in turn obliged to keep them updated and to employ them securely and efficiently for their business.

The services provided vary, ranging from IaaS (Infrastructure as a Service), where the customer is responsible for all updates, firewall configuration, and security, to PaaS (Platform as a Service), in which AWS takes care of application management while the customer manages the firewall and network, and on to SaaS (Software as a Service), where AWS manages the greater part of the service directly.

How do AWS and the customer respectively address the security and compliance requirements outlined above? AWS maintains ISO certifications and controls physical access to its hardware facilities, collectively known as Security of the Cloud. The customer, for their part, needs to be clear from the outset about how to configure the Landing Zone, taking every aspect into account. This is where an AWS partner like Storm Reply comes into play, facilitating the achievement of Security in the Cloud. Indeed, through the automations configured in the Landing Zone, the partner is already able to address and provide prescriptive compliance.

Abilab Map

Abilab Map Areas.

An AWS Landing Zone tailored specifically for the Financial Services Industry (FSI) should ideally mirror the typical organizational structure of companies within that sector. In this context, AbiLab and its application map emerge as integral components.

AbiLab is the Center of Research and Innovation for Banking promoted by ABI (Italian Banking Association) to encourage exchanges between banks and innovation partners. At the European level, AbiLab is active in various projects financed by the European Commission and in a number of working groups, where it contributes on the subjects of innovation and cybersecurity.

The AbiLab Application Map serves as a benchmark model and catalog for mapping applications. It proves to be a valuable tool for organizing both the technical and functional characteristics of individually managed applications. This, in turn, facilitates the gradual understanding of their value concerning business needs.

Within this framework, it becomes possible to identify five macro areas wherein each specific banking application can be categorized.

  • Access
  • Support
  • Operations
  • Common application services
  • Infrastructure systems

Subsequently, these applications can be separated within their cloud infrastructure to maximize independence.

Accounts Structure

AWS Accounts Structure Overview.

On AWS, each resource — whether it’s a virtual machine, database service, or console user — belongs to a specific AWS account. These accounts are entirely isolated from one another unless explicitly granted by the customer. While a single AWS account can, in theory, host an entire company’s infrastructure, it’s considered a best practice to distribute AWS management across multiple accounts. This approach ensures the safe configuration of users and roles, avoiding the mixing of different functions and test environments with live production environments.

AWS Organizations, a service facilitating the management of multiple accounts, comes into play for this purpose. It allows the comprehensive management of accounts and the grouping of these accounts into organizational units (OU), aligning with functions as depicted in the AbiLab diagram.

Based on our experience and the AbiLab map, a potential division into units is outlined below:

  1. Infrastructure Unit: contains network and shared services accounts.
  2. Core Unit: for centralized logging and security.
  3. Workloads Unit: divided into public and internal workloads.
  4. Releases Unit: devoted to release processes.

Within the Workloads Unit, a further breakdown into AbiLab macrofunctions is feasible, such as channels, administration, operations, and more.

An advantageous aspect of this subdivided structure lies in security management across the AWS cloud. Security control policies, created either at the organization-wide level or attached to specific units, act as guardrails that limit undesired use or activities outside the security regulations defined at the enterprise level.
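As an added illustration (not Storm Reply's landing-zone code), the following models the four-unit OU layout above and two SCP guardrails: one attached at the root that keeps regional API calls inside chosen EU regions (the data-residency control), and one attached only to the Core unit that protects audit trails. It then checks a proposed call against every policy inherited along the path from the root to an account; the account names, region list and attachment points are constructed for the example, and the evaluation is the simplified "deny anywhere on the path wins" rule.

```python
"""OU layout from the article plus two SCP guardrails (added illustration, not
Storm Reply's code). Simplified: FullAWSAccess is assumed everywhere, so a
call is allowed unless a Deny on the path Root -> OU -> account matches it."""
from fnmatch import fnmatchcase

# Constructed sample organization following the four units listed above.
ORG_TREE = {"Root": {
    "Infrastructure": {"network": {}, "shared-services": {}},
    "Core": {"log-archive": {}, "security": {}},
    "Workloads": {"Public": {"channels-prod": {}}, "Internal": {"operations-prod": {}}},
    "Releases": {"cicd": {}},
}}

# Guardrail 1, attached at Root: regional calls stay inside the chosen EU
# regions (data residency); global services are exempted through NotAction.
DENY_OUTSIDE_EU = {
    "Effect": "Deny", "Resource": "*",
    "NotAction": ["iam:*", "organizations:*", "sts:*", "support:*"],
    "Condition": {"StringNotEquals": {
        "aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}},
}
# Guardrail 2, attached to the Core unit only: trails cannot be stopped or deleted.
DENY_TRAIL_TAMPER = {
    "Effect": "Deny", "Resource": "*",
    "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
}
SCP_ATTACHMENTS = {"Root": [DENY_OUTSIDE_EU], "Core": [DENY_TRAIL_TAMPER]}

def path_to(name, tree=ORG_TREE, path=()):
    """Names from Root down to `name` (OU or account), or None if absent."""
    for node, children in tree.items():
        here = path + (node,)
        if node == name:
            return here
        found = path_to(name, children, here)
        if found:
            return found
    return None

def _denies(stmt, action, region):
    """Does this Deny statement match the call (Action/NotAction + region)?"""
    if "Action" in stmt:
        hit = any(fnmatchcase(action, p) for p in stmt["Action"])
    else:  # NotAction matches everything except the listed patterns
        hit = not any(fnmatchcase(action, p) for p in stmt["NotAction"])
    ok_regions = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    return hit and (ok_regions is None or region not in ok_regions)

def scp_allows(account, action, region):
    """True unless a Deny attached anywhere on the inheritance path matches."""
    path = path_to(account)
    if path is None:
        raise ValueError(f"unknown account: {account}")
    return not any(_denies(s, action, region)
                   for node in path for s in SCP_ATTACHMENTS.get(node, []))
```

Note that the trail guardrail only bites in accounts under Core, while the region guardrail applies everywhere because it sits at the root; IAM calls in a non-EU region still pass because IAM is a global service exempted via NotAction.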

Leveraging AWS Tools for Compliance

AWS Security Maturity Model.

In FSI, ensuring compliance is paramount. By integrating AWS services, you not only automate evidence collection but also enhance the efficiency of compliance reporting. Let AWS tools handle the technicalities, allowing you to focus on core business operations.

Here’s how you can streamline the process using AWS tools:

AWS Audit Manager: Automated Evidence Collection

Simplify your compliance journey with AWS Audit Manager. This service automates the collection of evidence for various regulations, saving you time and effort.

Gather crucial information from AWS CloudTrail, AWS Security Hub, and AWS License Manager. AWS Audit Manager not only automates this process but also composes comprehensive reports based on the compiled data.

AWS Artifact: On-Demand Compliance Documents

Accessing compliance documents is made easy through AWS Artifact. Obtain on-demand downloads of essential documents, including AWS ISO certifications, Payment Card Industry (PCI) reports, and Service Organization Control (SOC) reports.

Security

Security is paramount, especially when it comes to regulated financial services industries. Here’s how our solution ensures a robust security posture:

Workforce Identity

Workforce Identity diagram.

You can use AWS IAM Identity Center to centrally assign, manage, and audit your users’ access to multiple AWS accounts and SAML-enabled business applications.

Our solution lets you choose your identity source, ensuring seamless integration with your existing systems (e.g., an on-premises Active Directory).

Easily manage permissions at scale, giving you granular control over access and ensuring the principle of least privilege.

Streamline access management with a centralized hub for Single Sign-On (SSO) to your applications, enhancing overall security and auditing.

Forensic Analysis

Forensic analysis is crucial for understanding and mitigating security incidents, especially for regulated FSI. With our solution you can examine digital evidence from various sources within the AWS environment, including logs, network traffic, system images, and artifacts. In addition, each phase of forensic analysis can draw on various AWS services:

  • Preparation: CloudTrail, CloudWatch, AWS Config, VPC Flow logs, and AWS Security Hub
  • Detection: GuardDuty
  • Containment, Eradication, Recovery: Lambda, Security Groups, Network Firewall, and Elastic Load Balancer
  • Post incident: EBS snapshots, S3, Audit Manager, and Amazon Detective
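As an added example (not from the article or AWS), the detection stage above can be sketched as a few rules run over CloudTrail records before GuardDuty or an analyst steps in: root activity without MFA, trail tampering, and a security group opened to the whole internet. Field names follow CloudTrail's record format; the events, account ids, ARNs and user names are constructed.

```python
"""Detection rules over constructed CloudTrail records (added example, not the
article's or AWS's code). Each rule maps to one of the preparation/detection
sources listed above; findings are returned, not printed, so they can be
forwarded to Security Hub or a ticketing system."""
import json

# Constructed sample events in CloudTrail's JSON record shape (trimmed).
SAMPLE_LOG = r"""
{"eventTime":"2024-07-25T08:00:01Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","awsRegion":"us-east-1","userIdentity":{"type":"Root"},"additionalEventData":{"MFAUsed":"No"},"recipientAccountId":"111122223333"}
{"eventTime":"2024-07-25T08:05:12Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","awsRegion":"eu-west-1","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/Admin/alice"},"requestParameters":{"name":"org-trail"},"recipientAccountId":"111122223333"}
{"eventTime":"2024-07-25T08:07:40Z","eventSource":"ec2.amazonaws.com","eventName":"AuthorizeSecurityGroupIngress","awsRegion":"eu-west-1","userIdentity":{"type":"IAMUser","userName":"bob"},"requestParameters":{"groupId":"sg-0123456789abcdef0","ipPermissions":{"items":[{"ipProtocol":"tcp","fromPort":22,"toPort":22,"ipRanges":{"items":[{"cidrIp":"0.0.0.0/0"}]}}]}},"recipientAccountId":"444455556666"}
{"eventTime":"2024-07-25T08:09:03Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","awsRegion":"eu-west-1","userIdentity":{"type":"IAMUser","userName":"bob"},"recipientAccountId":"444455556666"}
"""

# CloudTrail API calls that reduce or silence audit logging.
TRAIL_TAMPER = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

def _open_ingress(ev):
    """Security-group ingress rule opened to any IPv4 or IPv6 address."""
    if ev.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    rules = ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", [])
    for rule in rules:
        v4 = [r.get("cidrIp") for r in rule.get("ipRanges", {}).get("items", [])]
        v6 = [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", {}).get("items", [])]
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return True
    return False

def detect(log_text):
    """Return (severity, rule, eventName, accountId) for each suspicious record."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        acct, name = ev.get("recipientAccountId"), ev.get("eventName")
        if ev.get("userIdentity", {}).get("type") == "Root":
            # Any root use is notable; root without MFA is an immediate escalation.
            mfa = ev.get("additionalEventData", {}).get("MFAUsed")
            findings.append(("HIGH" if mfa == "No" else "MEDIUM", "root-activity", name, acct))
        if ev.get("eventSource") == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER:
            findings.append(("HIGH", "trail-tampering", name, acct))
        if _open_ingress(ev):
            findings.append(("MEDIUM", "sg-open-to-internet", name, acct))
    return findings
```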

Data Encryption

In an era where data is at the core of every operation, ensuring its security is non-negotiable in financial services.

  • In-Transit Encryption: data in transit is encrypted by default, ensuring secure communication between components.
  • At-Rest Encryption: data at rest and application data are encrypted according to the security guidelines enforced through the Landing Zone. Encryption keys can be managed as AWS-managed keys or as customer-supplied keys (BYOK — Bring Your Own Key).

AWS Digital Sovereignty Pledge

This pledge is not merely a declaration; it defines AWS’s principled stance on data protection. At the heart of this commitment lies a profound dedication to ensuring that your valuable data remains within the AWS Region of your choosing.

Continuous monitoring of data residency adds another layer of assurance, guaranteeing compliance with regional requirements. Furthermore, AWS systems are designed to prevent remote access by AWS personnel, providing an additional safeguard for your data.

This commitment extends beyond mere compliance: it actively aligns with crucial financial services EU privacy, portability, and digital sovereignty programs, including CISPE, SCC, SWIPO, and GAIA-X. This shows AWS’s dedication to supporting the highest standards of data protection.

Automation

In the ever-evolving landscape of technological advancements, automation stands as the pinnacle of efficiency, security, and reliability. Embracing automation isn’t just a choice, it’s a strategic imperative to propel your processes into the future.

Infrastructure as Code

Automation takes center stage in the form of Infrastructure as Code (IaC), a paradigm that revolutionizes how we design, deploy, and manage infrastructure.

  • Automated Testing: meaning faster delivery and rapid feedback, ensuring that each deploy stands the test of security and functionality
  • Code Versioning: empowering you to roll back changes effortlessly and pinpoint the origin of any newly surfaced issues
  • Replication: each feature integrates into the main template, rendering your FSI Landing Zone a blueprint ready for duplication across new accounts — scaling up operations
  • Reducing Human Error: automation is designed to minimize the need for human intervention, recognizing risks associated with manual processes

Network Design

Simplified Network Design.

In the dynamic landscape of financial services, the backbone of organizational efficiency and innovation is intricately tied to the design of its digital connectivity. Network infrastructure is not a technical detail but a strategic asset that can determine your enterprise’s trajectory in the digital age. It serves as the foundation upon which your entire digital ecosystem is built, influencing not only the day-to-day operations but also the long-term competitiveness and adaptability of your organization.

In the realm of network infrastructures, diversity reigns supreme. Each FSI enterprise has its unique topology, considering specific needs and challenges. Most network design patterns feature private connectivity, whether through VPNs or dedicated connections. Traffic typically navigates through a central hub, which then directs it to its intended destination. In transit, the traffic may encounter firewalls and additional layers of protection before reaching its final stop, be it on the internet or the intranet.

Build Confidence

Landing Zones empower you to approach the cloud with confidence. Start with a simple Proof of Concept (POC) and scale according to your evolving needs. This flexibility is essential, allowing you to adapt and expand seamlessly, ensuring your digital infrastructure aligns with your business ambitions. This scalability not only mitigates risks but also builds confidence, allowing your organization to embrace the cloud with the assurance that it can evolve alongside your strategic objectives.

Business Continuity Out of the Box

In the financial services industry, downtime isn’t just inconvenient, it’s a substantial risk.

High Availability refers to a system’s capability to remain operational even if some infrastructure components fail. Traditionally, on-premises solutions involve having two or more data centers distributed across the country at a significant distance from each other. In AWS, a similar concept is applied, focusing on two major components:

  1. Region: An abstraction of multiple data centers within the region itself.
  2. Availability Zone (AZ): A single data center within a region.

Infrastructure achieves high availability when it spans at least two Availability Zones. This configuration ensures there are at least two data centers at different points within a region, each with a minimum distance of 100km from the other. While most AWS services are inherently distributed across multiple AZs, others may require a load balancer or standby replication.

Based on our experience, FSI enterprises benefit from adopting a multi-region landing zone. This approach extends business continuity, ensuring customers remain unaffected by downtimes. Multi-region landing zones interconnect their intranet across each region and with on-premises infrastructure, fully leveraging the potential of AWS.

Third-Party Products Integration with AWS Marketplace

Consider this scenario: your company has previously invested in commercial licenses for network, monitoring, or security products and prefers utilizing these over AWS cloud-native alternatives. AWS acknowledges and accommodates this preference through its expansive Marketplace — the most comprehensive in the cloud market.

The AWS Marketplace serves as a versatile platform where integration with a myriad of third-party products becomes not only possible but highly convenient. This approach allows businesses to leverage existing investments and maintain compatibility with established tools, ensuring a smooth transition and coexistence of preferred solutions within the AWS ecosystem.

How To Get Started With Your Landing Zone

Embarking on the journey to deploy a customized Landing Zone tailored for the Financial Services Industry (FSI) involves a collaborative and consultative approach. We offer an off-the-shelf Landing Zone solution, encompassing the services outlined thus far. The crucial step is engaging in discussions to meticulously address specific points and outline how to incorporate them into the code. Below are the key topics that need thoughtful consideration during the Landing Zone configuration:

  1. SCP and General Security Configurations: define and refine Security Control Policies (SCP) and overarching security configurations aligned with FSI requirements.
  2. Organization Account Structure: strategize the optimal organizational account structure that aligns with the unique needs and functions of your FSI establishment.
  3. Network Integrations: to seamlessly align with the FSI landscape, ensuring robust connectivity and data flow.
  4. Automation Deployment Strategy (IaC + CICD): devise a deployment strategy leveraging Infrastructure as Code (IaC) and Continuous Integration/Continuous Deployment (CICD) practices for efficient and automated processes.
  5. Identity Provider Configuration: configure identity providers to ensure a secure and streamlined user authentication process.
  6. Cloud Tagging Strategy: develop a comprehensive cloud tagging strategy for organized resource management and tracking.

In-depth discussions on these focal points allow us to produce a preliminary definition of the required effort, including the number of workshops needed and the enterprise teams on your side that need to be engaged. After that, we can craft a fully customized Landing Zone deployment explicitly for your enterprise in the FSI market. This marks the starting point of a secure and confident migration of applications to AWS, ensuring that the unique security needs of the FSI sector are met with precision and expertise.

Learn more about us and how we work here: https://www.reply.com/storm-reply/en/fsi-landing-zone-on-aws
