Citrus Consulting Services is the Consulting and the Transformation Services arm of Redington Gulf.


Core Banking Infrastructure on AWS while Implementing AWS Security Practices

Customer Introduction

Afreximbank is a UN-affiliated pan-African multilateral financial institution headquartered in Egypt. Its vision is to be the trade finance bank for Africa, and its mission is to stimulate the consistent expansion, diversification and development of African trade while operating as a first-class, profit-oriented, socially responsible financial institution and a centre of excellence in African trade matters. The bank works to promote intra- and extra-African trade; it is one of the largest financial institutions in the African region and the single largest B2B bank in Africa.

Citrus Consulting Services set up one of the first ever core banking infrastructures on AWS while implementing AWS security practices.

Challenge Overview

Afreximbank encountered the following challenges, which led them to evaluate and adopt public cloud platforms:

  • Afreximbank needed a decentralized and decoupled system to make their IT infrastructure highly available, secure, reliable, scalable and cost effective.
  • Afreximbank was interested in an OPEX (Operational Expenditure) model. This allayed their concerns about a large upfront acquisition, which was constrained in several ways.
  • Afreximbank also required a flexible platform that could quickly accommodate the various operating systems, programming languages, web application platforms, databases and other services needed to host a custom banking application.
  • Afreximbank also had a critical requirement to host applications in multiple Availability Zones in order to ensure load balancing, business continuity and high availability.
  • Afreximbank also had a fundamental requirement for a robust and reliable disaster recovery setup to cover unforeseen circumstances, given incidents previously faced.

Solution Overview

Afreximbank’s infrastructure runs on the AWS Cloud and uses multiple AWS services. Amazon Elastic Compute Cloud (EC2) hosts the VMs designated for Afreximbank’s different operations and applications, providing secure and resizable compute capacity in the cloud.

Each EC2 instance is attached to an Amazon Elastic Block Store (EBS) volume, a high-performance block storage service designed for use with Amazon EC2 for both throughput- and transaction-intensive workloads at any scale. These EC2 instances and EBS volumes reside in an Amazon Virtual Private Cloud (VPC), which provisions a logically isolated section of the AWS Cloud in which the resources are launched into a virtual network that Afreximbank defines. Two primary subnets were created, a public and a private subnet, each in turn divided into separate subnets for the various applications and groups of VMs.

Afreximbank also uses other AWS services: AWS CloudTrail, which enables governance, compliance, operational auditing and risk auditing, and Amazon CloudWatch for monitoring and observability. Amazon Relational Database Service (Amazon RDS) is used to set up, operate and scale a relational database in the cloud, providing cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching and backups. Alongside RDS, Amazon Simple Storage Service (Amazon S3), an object storage service offering industry-leading scalability, data availability, security and performance, holds the static content of the application.

An Elastic Load Balancer distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses and Lambda functions, in multiple Availability Zones, absorbing variations in application load. Amazon Elastic Container Service (Amazon ECS), a fully managed container orchestration service, runs the most sensitive and mission-critical applications because of its security, reliability and scalability. Amazon ElastiCache was implemented so that Afreximbank can seamlessly set up, run and scale popular open-source-compatible in-memory data stores in the AWS Cloud. AWS Elastic Beanstalk is also part of Afreximbank’s architecture, deploying and scaling web applications and services developed in Java, .NET, PHP, Node.js, Python, Ruby, Go and Docker on familiar servers such as Apache, Nginx, Passenger and IIS. AWS CloudFormation is used to model and provision AWS and third-party application resources in the AWS environment. AWS Lambda runs application and backend service code without provisioning or managing servers, as a cost optimization: only the compute time actually consumed is paid for.

Apart from the functional services above, AWS Identity and Access Management (IAM) is used for security purposes; it enables Afreximbank to manage access to AWS services and resources securely. With IAM they create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources. AWS Virtual Private Network (AWS VPN) establishes a secure, private, encrypted tunnel from Afreximbank’s network or devices to the AWS global network.

Afreximbank’s banking application infrastructure is hosted in the AWS Ireland Region. The infrastructure is designed by following the best practices recommended by AWS. It consists of 3 main environments: Production, Development and Staging. Development environment resources are kept in a separate virtual network, while Production and Staging share the same virtual network. Secure connections from the bank’s premises to the AWS network are established through a next-generation firewall. To make the environment highly available and able to withstand the failure of an AWS data centre, the infrastructure is spread across multiple Availability Zones. AWS Elastic Load Balancing routes requests to all the servers in a balanced manner.

For managing the AWS account, we used the AWS IAM service. AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS services. With IAM, you can centrally manage users, security credentials such as access keys, and the permissions that control which AWS resources users and applications can access.

For safeguarding the web applications, we used the AWS WAF service. AWS WAF is a web application firewall that monitors the HTTP and HTTPS requests forwarded to an Amazon API Gateway API, Amazon CloudFront or an Application Load Balancer. AWS WAF also controls access to content. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query strings, API Gateway, CloudFront or the Application Load Balancer responds to each request either with the requested content or with an HTTP 403 (Forbidden) status code.
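As an added illustration (not the project's own template), the following CloudFormation fragment attaches a WAFv2 web ACL to an Application Load Balancer, with one rule that blocks a denylisted source IP range (responding with HTTP 403) and one that applies the AWS managed common rule set. The IP range and the load balancer ARN are constructed placeholders to be replaced at deploy time.

```yaml
Resources:
  # Denylist of source addresses; the CIDR is a constructed placeholder.
  BlockedSourceIPs:
    Type: AWS::WAFv2::IPSet
    Properties:
      Name: blocked-source-ips
      Scope: REGIONAL
      IPAddressVersion: IPV4
      Addresses:
        - 192.0.2.0/24
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: core-banking-web-acl
      Scope: REGIONAL          # REGIONAL for ALB/API Gateway; CLOUDFRONT for CloudFront
      DefaultAction:
        Allow: {}              # requests matching no rule are forwarded to the ALB
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: coreBankingWebAcl
      Rules:
        - Name: block-denylisted-ips
          Priority: 0          # lower number is evaluated first
          Action:
            Block: {}          # WAF answers with HTTP 403 Forbidden
          Statement:
            IPSetReferenceStatement:
              Arn: !GetAtt BlockedSourceIPs.Arn
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: blockDenylistedIps
        - Name: aws-common-rule-set
          Priority: 1
          OverrideAction:
            None: {}           # keep the managed group's own block/count actions
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: awsCommonRuleSet
  WebACLAssociation:
    Type: AWS::WAFv2::WebACLAssociation
    Properties:
      # Placeholder ARN of the existing Application Load Balancer to protect
      ResourceArn: arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:loadbalancer/app/PLACEHOLDER/ID
      WebACLArn: !GetAtt WebACL.Arn
```

Because both rules have CloudWatch metrics enabled, blocked requests per rule appear as metrics and can be alarmed on through the CloudWatch monitoring described later on this page.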

To authenticate user access to the application, we used the Amazon Cognito service. Amazon Cognito provides authentication, authorization and user management for web and mobile apps. Users can sign in directly with a username and password. The two main components of Amazon Cognito are user pools and identity pools: user pools are user directories that provide sign-up and sign-in options for app users, and identity pools enable you to grant users access to other AWS services.

For monitoring the provisioned resources and auditing users, we used the Amazon CloudWatch and AWS CloudTrail services. Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are variables you can measure for your resources and applications. AWS CloudTrail is a service that enables governance, compliance, operational auditing and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor and retain account activity related to actions across your AWS infrastructure.

For managing the SSL/TLS certificates, we used the AWS Certificate Manager (ACM) service. ACM handles the complexity of creating and managing public SSL/TLS certificates for your AWS-based websites and applications. You can use public certificates provided by ACM (ACM certificates) or certificates that you import into ACM. ACM certificates can secure multiple domain names and multiple names within a domain. You can also use ACM to create wildcard SSL certificates that protect an unlimited number of subdomains.

For the Afreximbank infrastructure, we configured Active Directory (AD) services for user and DNS management of the Development, Staging and Production environments. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud. AWS Managed Microsoft AD is built on actual Microsoft Active Directory and does not require you to synchronize or replicate data from your existing Active Directory to the cloud. You can use standard Active Directory administration tools and take advantage of built-in Active Directory features such as Group Policy and single sign-on (SSO). With AWS Managed Microsoft AD, you can easily join Amazon EC2 and Amazon RDS for SQL Server instances to your domain and use AWS enterprise IT applications such as Amazon WorkSpaces with Active Directory users and groups.

Benefits Delivered to Customer

  • Considerable drop in the overall cost of operations for Afreximbank.
  • Successful Alpha, Beta and User Acceptance Testing of the entire infrastructure on AWS, validating the functionality of the whole system.
  • 100% business continuity ensured for the applications and operations of Afreximbank.
  • Successful implementation and testing of failover and failback in the disaster recovery scenario.
  • Meticulous analysis and rigorous stress testing of the application and infrastructure.
  • Security vulnerability assessment of the application and infrastructure performed to identify any penetration points.
  • Lowest TCO achieved for the infrastructure implementation and application setup.
  • Inline threat and data loss prevention embedded into the core banking application.
  • Automated and manual Endpoint Detection and Response implemented to protect the critical infrastructure.
  • 100% success achieved across alpha, beta, user acceptance and stress test scenarios and subsequent cases.
  • 0% penetration points achieved for the application and infrastructure.
  • 100% business continuity ensured for Afreximbank through 24/7 Managed Support Services by Citrus Consulting Services.
