Tectonic Shift: Designing a WAN for banking and financial services firms

With cloud-based solutions such as mobility and software-as-a-service (SaaS) becoming commonplace, the wide area network (WAN) is undergoing a tectonic shift in terms of what is most suitable for an organisation, from an efficiency, performance, cost and stability perspective. The perimeter is not well defined any more and borderless infrastructure is becoming the norm. Shadow-IT and IoT as well as the need to access anything anywhere is changing the way we connect with anything. While the banking and financial services industry is at the bleeding edge of network technology globally, the adoption trends vary across countries. The central banking guidelines/compliance requirements are rife with grey areas in some countries, causing reticence in moving towards hybrid WAN technologies. In some cases, companies are required to host their main data centre/disaster recovery facilities on-premise to meet local regulations. Consequently, these companies deploy cloud-based solutions for many parts of applications. Instead, what is needed is an efficient, cost-effective and easily manageable WAN that provides a platform for many, subsequent features to be on-boarded while also satisfying any data sovereignty regulations.

A few perspectives to consider while designing a WAN for businesses/applications within organisations in the banking and financial services space follow:

The Indian scenario

Incorporation of internet circuits into the WAN is a welcome move that will allow cost savings through the deployment of technologies such as software-defined WAN (SD-WAN). Some private banks have started taking the plunge and hybrid is emerging as the way forward. A true hybrid scenario comprises a healthy mix of private MPLS and the public internet. Recently, two large private banks took the leap, redesigned their WAN and deployed SD-WAN in a hybrid scenario, mainly to handle application-aware traffic between the platforms. These banks have several hundreds of sites with myriad connectivity methods, where a single pane of glass for visibility and centralised management plays a key role in the digital transformation.

Challenges and security

Many large firms today run IP security (IPSec) on the internet to connect their various sites. IPSec has become the de facto standard for secure connectivity on the public internet, so much so that many network experts consider it to be more secure than a private network without encryption.

Most service providers today run well-established internet backbones, which are also protected against the most common threats. For instance, at Tata Communications, our global core is protected by a combination of vendor-based and home-grown prevention and remediation technologies such as our Distributed Denial-of-Service and Cyber Threat Intel services that enable multilayer threat detection and mitigation. We look at all aspects of the kill chain when securing against external and internal threats. The overall security posture improvement is a continuous cycle, which considers internet circuits in the core WAN as well.

Including proactive and predictive security technologies in the IT infrastructure is the need of the hour. Banks are already planning this as part of their security infrastructure through latest forms of managed FW, WAF, SIEM, CTI, SOAR, and decoy and deception technologies. The best use cases for some of these are with the internet underlay. Hence, there is a need to put more of that to use by incorporating internet circuits into the WAN. Where some security services are only offered on the central hubs or data centres, a WAN that incorporates the internet can help in selectively providing faster cloud connectivity with cloud-based security. The overall user experience can be enhanced in this case by avoiding any trombone effects caused by deploying centralised internet connectivity.

What will SD-WAN bring to the table?

The apprehensions regarding incorporating internet circuits into an organisational WAN revolve around performance issues, the lack of stability, non-deterministic nature of the internet, concerns over security and the lack of service-level agreements. SD-WAN as an overlay technology can tackle all of these. By providing end-to-end visibility at the application performance level and enabling application-based traffic steering between links at sites, organisations can now use the best link for successful functioning of a given application, and the associated user experience.

With most SD-WAN technologies that work on an internet underlay, there is always some form of encryption and segregation that is recommended, and this provides the same level of security as a private network. End-to-end visibility is a significant additional benefit. Providers also inherently offer inbuilt security at the network edge, with direct ownership and assurance. That said, care needs to be taken to account for the overheads introduced through various design additions before deployment, lest there be bandwidth crunches and application slowness or other issues.

Private networks still have an important part to play for many critical real-time apps. However, with SD-WAN, incorporating the internet in an organisation’s WAN is now easier. The internet also makes it easy to deploy certain unified communication solutions, where the cloud is the central piece.