WP SD WAN For Financial Services
SD-WAN For
Financial Services
WHITE PAPER SD-WAN FOR FINANCIAL SERVICES
Additionally, as digital services grow, retail banks will be focusing on providing more complex operations, while simpler transactions will be performed online.
[…] experience and beat the competition, but also due to the increase of cybersecurity risk.
According to a McKinsey report from June 2020 (3): “Branches’ focus will evolve […] kiosks).”
1. Source: 2021 Technology Spending Intentions Survey by Enterprise Strategy Group
2. Source: Venture Scanner data; Deloitte Center for Financial Services analysis, April 2021
3. Source: Reshaping retail banking for the next normal, McKinsey, June 2021
4. Source: 2021 banking and capital markets outlook, Deloitte, December 2020
This evolution mainly relies on the cloud, and especially on the public cloud. In that context, corporate data centers are no longer at the center of all business application traffic. This implies providing a secure network connection to all customers with maximum uptime.

Additionally, as the number of remote workers also increases and brick-and-mortar locations decrease, financial services organizations are witnessing a virtualization of their workforce and therefore must also provide reliable and secure connectivity to their employees.

Network infrastructure
Banks often rely on a legacy MPLS network to connect branches to the headquarters. According to Deloitte (5) in its 2018 Banking Industry Outlook, “The potential for cyber risk has been increasing with greater interconnectedness in the banking ecosystem, rapid adoption of new technologies, and continued reliance on legacy infrastructure designed for a different age.”

In fact, many banks have had to face multiple mergers and acquisitions which increased the complexity of the network. Also, business-critical applications including CRM software, office applications and customer-facing applications are shifting to the cloud. This creates bottlenecks when cloud traffic is backhauled to the corporate data center for security reasons. Very often, branches have difficulty maintaining consistent high-quality video and voice over IP services, or simply they are unable to load customer information on their screens, as they can’t reliably connect to the main data center. Many banks have difficulties expanding their locations, opening up new branches or connecting to remote ATMs as it can take as much as four months to provision a new MPLS circuit. They may also not have sufficient bandwidth to accommodate disaster recovery plans and backups in remote sites.

Additionally, banks often have limited IT budgets that prevent them from investing in new expensive MPLS lines or modernizing their network infrastructure to improve application quality of service.

Cybersecurity threats
Due to the sensitivity of their data, financial services organizations are a main target for cybercrime and data breaches. Cyberattacks range from stealing money, to stealing personal identifying information including social security numbers, leaks of credit card numbers, DDoS attacks, ransomware and more.

As the volume of transactions continues to increase, cyberattacks have become a major concern for banks, and during the COVID-19 pandemic, financial institutions experienced a spike of digital attacks. According to a Deloitte study (6) on banking and capital markets outlook, most respondents said they will increase spending on cybersecurity technology in 2021.
5. Source: 2018 Banking industry outlook, Deloitte, 2018
6. Source: 2021 banking and capital markets outlook, Deloitte, December 2020
The interconnectivity of banks is another factor of risk. In a 2020 report by the Federal Reserve Bank of New York on cybersecurity risks and the US financial system (7), a cyberattack on one of the most active banks could affect 38% of the network.

To prevent – or at least minimize – cyber risk, it is essential that banks secure their transactions and their network connections.

Regulatory Compliance
Financial services are one of the most regulated industries. Most regulations are in place to protect the consumer from potential fraud and to bring transparency to financial services’ operations. Many regulations deal with data security and require establishing secure network connections, for example, between branch locations and the data center to protect customer data. Other requirements such as PCI Data Security Standard (PCI DSS) establish security standards for protecting credit cardholder data, especially when vulnerabilities exist anywhere in the transaction process including point-of-sale devices, servers and web sites.

Financial services organizations are required to demonstrate compliance while dealing with limited resources to enforce regulations, as well as potential data security issues and other threats.

SD-WAN USE CASES SPECIFIC TO FINANCIAL INSTITUTIONS
Many of the challenges mentioned above will be addressed as part of an overall enterprise effort. Based on a few use cases, let’s take a look at how adopting an advanced SD-WAN platform can help financial services better tackle these challenges.

Use case #1: Simplify network infrastructure while reducing costs
Many banks continue to subscribe to legacy MPLS services that often provide limited bandwidth, especially at branch sites. Additionally, as the number of cloud-hosted applications have increased proportionally over the years, financial organizations, still using traditional router-based WAN architectures, must backhaul cloud-destined traffic to the main data center for security reasons. This results in added delay (latency) and leaves remote branches in a difficult situation to handle business operations efficiently as more business-critical applications rely on the cloud.

The Aruba EdgeConnect SD-WAN edge platform can actively use broadband internet and 4/5G LTE services that are less expensive than private line services.

The Aruba EdgeConnect SD-WAN edge platform simplifies the WAN infrastructure and supports a number of advanced performance features to overcome the lack of reliability of internet and LTE connections. Features include:

Path Conditioning: Internet and wireless links often suffer from packet loss and jitter and are more prone to outages. With the Aruba EdgeConnect Forward Error Correction (FEC) feature, lost packets are automatically reconstructed. This is accomplished by periodically sending parity packets, using a technique similar to RAID disk drive arrays, to rebuild dropped data packets without having to retransmit them. Depending on the application quality of service requirements, the FEC ratio can be specified in the EdgeConnect Business Intent Overlay (BIO) configuration. For example, for applications that demand very high quality and availability such as real-time voice or video, a 1:1 ratio can be used; for less demanding applications, an adaptive FEC algorithm may be specified that automatically adjusts the error correction packet ratio based on the current rate of packet loss at any given time. In addition, when load-balancing traffic between multiple WAN transport services using tunnel bonding, Packet Order Correction (POC) re-orders any packets that arrive out of sequence at their destination.
Figure 3. Aruba EdgeConnect enables financial institutions to move from a complex architecture to a simple, cost-effective network infrastructure (diagram contrasts “Complex, Inefficient, Expensive” with “Simple, Agile, Cost-effective”)
7. Source: Cyber Risk and the U.S. Financial System: A Pre-Mortem Analysis, Federal Reserve Bank of New York, January 2020
Figure 4. Forward Error Correction: packets lost in transit across the WAN are automatically rebuilt (diagram: parity calculated for packets, packets lost over WAN, lost packets rebuilt)
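An added illustration, not Aruba's code, of the parity-packet scheme described under Path Conditioning: one XOR parity frame per block of data frames (a ratio of 1 is the 1:1 setting), a single lost frame per block rebuilt without retransmission, and a constructed adaptive-ratio rule that adds parity as observed loss grows. The frame size, the loss thresholds and the sample voice stream are assumptions.

```python
# Added example: XOR parity FEC in the style described above (not Aruba's implementation).
FRAME = 64  # assumed fixed frame size; real MTUs are larger

def frame(payload):
    """Length-prefix and zero-pad a payload so every frame has the same size."""
    assert len(payload) <= FRAME - 2, "payload too large for the frame"
    return len(payload).to_bytes(2, "big") + payload.ljust(FRAME - 2, b"\x00")

def unframe(f):
    """Strip the length prefix and padding added by frame()."""
    return f[2:2 + int.from_bytes(f[:2], "big")]

def xor_frames(frames):
    """Byte-wise XOR of equal-size frames: the RAID-style parity used here."""
    out = bytearray(FRAME)
    for f in frames:
        for i, b in enumerate(f):
            out[i] ^= b
    return bytes(out)

def fec_encode(payloads, ratio):
    """Blocks of `ratio` data frames plus one parity frame (ratio=1 is the 1:1 setting)."""
    frames = [frame(p) for p in payloads]
    return [(frames[i:i + ratio], xor_frames(frames[i:i + ratio]))
            for i in range(0, len(frames), ratio)]

def fec_decode(block, parity):
    """Rebuild one lost frame (None) from the survivors and the parity; more losses need retransmission."""
    lost = [i for i, f in enumerate(block) if f is None]
    if len(lost) > 1:
        raise ValueError("more than one frame lost in block: retransmission needed")
    if lost:
        block[lost[0]] = xor_frames([f for f in block if f is not None] + [parity])
    return [unframe(f) for f in block]

def adaptive_ratio(loss_rate):
    """Constructed adaptive rule: more parity (lower data:parity ratio) as observed loss rises."""
    if loss_rate >= 0.05:
        return 1   # 1:1, as the text suggests for real-time voice/video
    if loss_rate >= 0.02:
        return 2
    if loss_rate >= 0.005:
        return 5
    return 10

def demo():
    """Constructed voice stream at 3:1, one frame lost in transit, rebuilt at the receiver."""
    payloads = [b"voice-seg-%d" % i for i in range(6)]
    data, parity = fec_encode(payloads, ratio=3)[0]
    received = list(data)
    received[1] = None  # simulate one packet lost over the WAN
    return fec_decode(received, parity)
```

With a single parity frame per block, two losses in the same block cannot be rebuilt, which is why the adaptive rule lowers the ratio (more parity) as loss rises.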
Tunnel Bonding and Dynamic Path Control: The Aruba EdgeConnect tunnel bonding feature combines multiple WAN transport services to create a single, higher bandwidth logical link. Link bonding policies optimize the connection speed depending on the type of traffic and business needs. For example, WAN connections from two different service providers can be bonded to increase the speed of delivery. In another example, an MPLS service, an internet broadband link and a 5G/LTE connection can be bonded together.

Business Intent Overlays are used to configure the policies that control how EdgeConnect automatically and seamlessly steers application traffic. Link bonding policies include “high availability” for applications such as video over IP which requires the highest levels of performance and availability. Because data packets traverse one link and error correction packets traverse the other link, failover is instantaneous in the event of a transport outage. The “high throughput” link bonding policy distributes traffic across multiple paths such that the aggregate bandwidth is used, providing higher bandwidth and performance than possible on any single link. Other link bonding policies provide additional flexibility, and network managers can also define custom policies.
Figure 5. Business intent overlays enable financial institutions to create virtual networks based on the needs of the business
Figure 6. Simplify and accelerate deployments with a top-down model and business-driven policies
Use Case #3: Accelerate backups and improve disaster recovery plans
Most enterprise disaster recovery planning includes data to be backed up in one or more remote locations that could be hundreds of miles away from the main location. As the distance between remote sites and backup locations increases, latency increases, resulting in a slower data transfer. With data sets now measured in terabytes, the transmission of data for backup purposes can take several hours or can fail when WAN transport services become impaired.

Aruba Boost WAN Optimization significantly accelerates the transmission of data by applying TCP protocol acceleration as well as data deduplication and compression:

TCP Protocol acceleration: delays are caused in latent environments by window scaling and acknowledgment procedures. Aruba Boost TCP Acceleration overcomes these delays with four key components:
• Window scaling: Aruba Boost increases by a factor of 250 the transmitting window size, which corresponds to the amount of data that can be sent before an acknowledgement is sent back. By doing so, it significantly increases the maximum possible transfer rate.
• Selective acknowledgement: It supports selective
• Round Trip Time measurement: It reduces the round-trip time (RTT) measurement by using the actual latency instead of the fixed-length acknowledgement timer that is normally used in case of lost packets.
• High Speed TCP: It modifies the congestion mechanism by optimizing the congestion window size, that regulates the times at which the segments are sent into the network. It may indeed take a very long time for the congestion window to recover in a standard TCP congestion control technique. With High-Speed TCP, window congestion size is increased by a larger amount and decreased by a smaller amount.

Data deduplication and compression: due to the amount of data to be sent from the branch office to the backup site combined with other application traffic, network congestion can occur. To minimize the amount of data to be transmitted, Aruba Boost employs sophisticated data deduplication and data compression algorithms. Duplicate data is removed and replaced with a fingerprint and a pointer so that only the necessary data is transmitted across the WAN. The original data is stored in a disk cache so that data is reconstructed with the duplicate data at the destination. Data compression leverages an LZ (Lempel-Ziv) compression algorithm to reduce the amount of data transmitted. Data compression is applied both for the payload and the IP header.
Figure 7. Data reduction: eliminate overhead of redundant packets traversing the WAN (diagram: without dedupe, transfer every byte; with dedupe, cache duplicates and only send unique data)
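An added example, not Aruba Boost's code, of the fingerprint-and-pointer deduplication and LZ compression described above: the sender replaces chunks it has already sent with a fingerprint pointer, the receiver resolves pointers from its own cache and verifies fingerprints on new chunks, and the wire size is compared against the original. Chunk size, pointer width and the sample backup records are assumptions.

```python
# Added example: fingerprint-and-pointer deduplication with LZ compression (not Aruba Boost's code).
import hashlib
import zlib

CHUNK = 32  # assumed small fixed chunk size so the constructed sample shows repeats

def fingerprint(chunk):
    """Truncated SHA-256 used as the pointer sent instead of repeated data (assumed 8-byte pointer)."""
    return hashlib.sha256(chunk).digest()[:8]

class Sender:
    def __init__(self):
        self.seen = set()  # fingerprints already sent; stands in for the sender-side disk cache

    def send(self, data):
        """Split into chunks; send a pointer for known chunks, LZ-compressed data for new ones."""
        msgs = []
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            fp = fingerprint(chunk)
            if fp in self.seen:
                msgs.append(("ref", fp))
            else:
                self.seen.add(fp)
                msgs.append(("raw", fp, zlib.compress(chunk)))
        return msgs

class Receiver:
    def __init__(self):
        self.cache = {}  # fingerprint -> original chunk; the destination's disk cache

    def receive(self, msgs):
        """Rebuild the original stream, resolving pointers from the cache."""
        out = bytearray()
        for m in msgs:
            if m[0] == "raw":
                chunk = zlib.decompress(m[2])
                if fingerprint(chunk) != m[1]:
                    raise ValueError("fingerprint mismatch: chunk corrupted in transit")
                self.cache[m[1]] = chunk
            else:
                # KeyError here means the two caches are out of sync and a full resend is needed
                chunk = self.cache[m[1]]
            out += chunk
        return bytes(out)

def wire_bytes(msgs):
    """Bytes actually crossing the WAN: pointer, plus compressed payload for raw chunks."""
    return sum(len(m[1]) + (len(m[2]) if m[0] == "raw" else 0) for m in msgs)

def demo():
    """Constructed backup stream with one record repeated, as nightly backups often are."""
    record = b"ACCT=0001;BAL=100.00;CUR=USD;X=Y"  # exactly 32 bytes
    data = record * 8 + b"ACCT=0002;BAL=250.50;CUR=USD;X=Z"
    msgs = Sender().send(data)
    rebuilt = Receiver().receive(msgs)
    raws = sum(1 for m in msgs if m[0] == "raw")
    return rebuilt == data, raws, len(msgs) - raws, wire_bytes(msgs), len(data)
```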
Use Case #4: Secure access and protect customer data
The security perimeter of financial institutions is dissolving. As the pace of digitization of financial services has accelerated, more transactions are now being carried out in the cloud. In fact, fewer financial applications now reside in the corporate data centers, while more traffic is heading to the public cloud.

Financial institutions must protect customer data when using cloud applications to meet compliance requirements. They also must provide secure access from anywhere to their customers as well as their employees, as remote working is the new norm.

Backhauling cloud application traffic to the main data center for security inspection is no longer a viable solution, as it provides a poor customer experience.

[…] focuses on users and provides security and access services close to the users, instead of securing a limited perimeter. SASE combines advanced WAN edge network functions including SD-WAN with core network security features such as ZTNA, CASB, SWG, FWaaS, and more hosted in the cloud rather than physical appliances.

Aruba EdgeConnect embeds an app- and user-aware firewall, […]

Segmentation is achieved with an end-to-end zone-based firewall in Aruba EdgeConnect. Business intent overlays and WAN interfaces are assigned to zones. Network managers can then allow or deny traffic between zones. For example, a zone for customers can be defined, and another one for the bank’s accounting systems. A rule can then be set to deny access from the customer zone to the accounting zone.

By successfully implementing SASE, financial services can move from a heavy branch to a thin branch model. It is indeed common to find many discrete network and security appliances in branches, including routers, firewalls, VPNs, and WAN optimization controllers. Besides equipment sprawl, the local staff rarely has the skills and time to operate and maintain them. By moving to a thin branch model and adopting a SASE architecture, branches can simplify their network infrastructure and increase security.

Aruba EdgeConnect SD-WAN reduces equipment sprawl by centrally managing and automatically deploying network controls, but also it includes advanced security features such as a zone-based firewall and automates the orchestration to third party cloud security providers. Aruba security capabilities rely on three pillars:

[…] automatically pushed to branches with zero-touch provisioning. New branch offices are set up quickly and easily and security policy changes can be automatically distributed to hundreds or thousands of branches in minutes while minimizing errors.

The integration of Aruba ClearPass Policy Manager with Aruba EdgeConnect adds identity knowledge of users, devices and roles with authentication capabilities such as RADIUS, TACACS+, and OAuth2 to manage network access and enable a dynamic segmentation, anywhere on the network – wired or wireless infrastructure. Through role-based access policies, users and devices are automatically assigned the proper access control policy and dynamically segmented from other users and devices.
Automated orchestration with best-of-breed third-party cloud security providers
Financial institutions can choose best-of-breed security services to integrate with Aruba EdgeConnect thanks to the First-packet iQ application classification feature. Aruba EdgeConnect identifies applications on the first packet and sends the cloud application traffic to a third-party cloud-delivered security service that provides best-in-class security functions such as CASB, SWG and ZTNA, while traffic from suspicious applications is sent to the data center for further inspection. The orchestration and integration with cloud security vendors are fully automated enabling financial institutions to quickly deploy multiple security partners.

It is also possible to deploy a virtual instance of EdgeConnect in any or all of the four public cloud providers including AWS, Microsoft Azure, Google Cloud and Oracle Cloud Infrastructure. This “bookended” solution provides advanced security and predictable application performance.

The automated security orchestration ensures that no data breach happens, no malware is downloaded, and no command-and-control servers are connected.
[Figure: branch with a built-in zone-based firewall providing deep packet inspection, intrusion detection and micro segmentation; direct internet breakout to trusted applications; integration with cloud security providers; and the corporate firewall]
Use case #5: Meet PCI DSS compliance mandates
According to a 2020 Nilson report (9), fraud losses of card transactions from merchants, as well as acquirers of card transactions from ATMs reached $28.65 billion in 2019, up 2.9% from $27.85 billion in 2018.

Fines for non-compliance can vary from $5,000 to $100,000 per month until the merchant or the financial service achieves compliance.

PCI DSS (Payment Card Industry Data Security Standard) specifies twelve requirements around cardholder data to reduce credit card fraud. Any organization that processes cardholder data is required to comply. The Aruba EdgeConnect SD-WAN platform assists organizations in meeting compliance for nine of the twelve requirements while the three remaining are not applicable.

PCI DSS requirement | EdgeConnect capability
1. Installing and maintaining a firewall configuration to protect cardholder data. | Protection of device and control planes; secure configuration and change management
2. Changing vendor-supplied defaults for system passwords and other security parameters. | Password policies including default password warning
3. Protecting stored cardholder data. | Boost WAN optimization network memory function may store packet contents on a flash drive or disk, in which case it is encrypted using AES-128
4. Encrypting transmission of cardholder data over open, public networks. | Data and management interface encrypted using AES-256
5. Protecting all systems against malware and performing regular updates of anti-virus software. | Direct selected network traffic to anti-malware and sandboxing products from Aruba security partners using automation, orchestration, and drag-and-drop service chaining
6. Developing and maintaining secure systems and applications. | Vulnerability assessments with each new release; issue patch updates as required
7. Restricting access to cardholder data to only authorized personnel. | N/A
8. Identifying and authenticating access to system components. | Multiple unique logins for different user roles with appropriate privilege levels; optionally support authentication with RADIUS or TACACS+; enforce the use of multi-factor authentication for all non-console administrative access and remote access to the cardholder data environment
9. Restricting physical access to cardholder data. | Provisions for backup and disaster recovery; EdgeConnect configuration and snapshots may be stored off-site
10. Tracking and monitoring all access to cardholder data and network resources. | Full audit logs of user logins and all change management actions
11. Testing security systems and processes regularly. | N/A
9. Nilson report, December 2020, issue 1187, https://nilsonreport.com/publication_newsletter_archive_issue.php?issue=1187
[Figure: SD-WAN overlay connecting the branch, IoT devices and the corporate data center, with AI Ops]
© Copyright 2021 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without
notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
WP_SD-WANforFinancialServices_RVK_120321
Contact us at www.arubanetworks.com/contact