Securing, Virtualizing, and Micro-Segmenting Private Banking Infrastructure with Cisco


Financial institutions, specifically those in the private banking sector, are often perceived as traditional and highly conservative. For many organizations in the industry, that's true. But just like in any other sector, agility may be the key that helps smaller companies outpace their competitors.

Frankfurter Bankgesellschaft is a Swiss private bank headquartered in Zurich with a subsidiary bank and family office in Frankfurt. Owned by Landesbank Hessen-Thüringen (HELABA), we serve clients in Switzerland, Austria, and Germany, and provide private banking services under contract to Sparkassen-Finanzgruppe, Germany's largest network of retail banks. Our company helps high-net-worth individuals manage, protect, and maintain their assets. 

Our current primary demographic is 50- to 70-year-old clients, most of whom come to us after spending decades building successful careers. In this age of entrepreneurship, however, our customer base is getting younger. They seek our help to secure and grow their financial assets and to leave a legacy for future generations. They expect a level of personalized service traditional banks can’t offer. 

For this reason, and to comply with an increasingly complex European regulatory landscape, we recently upgraded our data center and our IT infrastructure.

Fewer Vendors, Fewer Problems

I joined the company about seven years ago and am in charge of our network and server infrastructure as well as IT security and physical security. When I started, our infrastructure was heterogeneous, with different equipment from a great variety of vendors. My predecessor was all about security but not uniformity or simplicity. For example, we were operating a chain of three different web proxies from three different vendors. The idea was to be more secure than with one system alone. Consequently, we had to configure, test and troubleshoot in three separate places. That made the system more prone to errors and actually less secure.

We also had independent IT departments in Zurich and Frankfurt and weren't using a common communication platform or a standardized network environment. I dealt with so many vendors that I used to joke I was putting on weight because of all the lunches they bought me where they’d try and upsell their products and services.

At roughly the same time, the Swiss Financial Market Supervisory Authority (FINMA) started to tighten its auditing of banks' IT infrastructure, imposing strict new data security and privacy regulations. It didn't matter whether you were a multinational investment bank like Credit Suisse or a small 130-person operation like ours—going forward, every financial institution had to adhere to the same rules and compliance standards.

I was faced with three challenges: I had to simplify network security, consolidate our infrastructure, and find ways to adhere to the strict new regulations imposed by FINMA. I wanted fewer interfaces and fewer people pushing around responsibility. That meant paring down our list of service providers to one supplier and one systems integrator. After looking at everything our existing partners offered, I chose Cisco as our primary vendor and Netcloud as our integrator. 

A Quarter Century with Cisco

Both Cisco and Netcloud are masters at building relationships. I've worked with Cisco since I started in IT over 25 years ago. I became a Cisco customer in 2006 when I moved from consulting to working as a systems engineer for a bank roughly the same size as Frankfurter Bankgesellschaft. 

Cisco has never disappointed, always offering the right solution at the right time. When we needed to consolidate our IP telephony setup, we went with Cisco Call Manager. We turned to Cisco again when we needed to upgrade our data center and bolster our network security.

I hadn't worked with Netcloud before joining Frankfurter Bankgesellschaft, but I knew one of their sales reps, Alain Kistler, who I’d called in 2013 to help us deploy Cisco Call Manager. He was promoted to chief managed services officer in 2015 and was allowed to keep only three of his customers. He chose Frankfurter Bankgesellschaft—which is a testament to the strength of our business relationship.

From my early days as a systems engineer, I've had a keen interest in network technology. However, while my colleagues on the client and server teams experienced fundamental changes with the dawn of virtualization, I didn't see great innovations in networking. For example, twenty-five years ago we were using Telnet to access the command-line interface (CLI), configuring each switch separately. Today, most of us use SSH (essentially an encrypted replacement for Telnet) to access the same old CLI and still configure each switch separately. Yes, the network has become ever faster over the years, but nothing has changed in the way we deploy and operate it.

Therefore, I was very excited when I realized that Cisco's software-defined networking products, namely Application Centric Infrastructure (ACI) and Software Defined Access (SD-Access), were truly ushering in a new age of networking technology. Finally, the network is no longer a conglomerate of switches and routers but an intelligent entity in its own right.

Has your financial institution’s technology caught up to the industry’s needs?

We have an infrastructure lifecycle of about five years. Parts of the data center and campus infrastructure are continuously being replaced. Historically, server and data network equipment, as well as mass storage and its associated Fibre Channel storage area network (SAN), had all been independent systems. They had different vendors and individual management tools. Whenever we renewed one of these essential building blocks, we had to check for compatibility and integration with the other components.

Troubleshooting often led to finger pointing among the different vendors, leaving us – the customer – out in the cold. Today, with Cisco HyperFlex servers and Application Centric Infrastructure, we can build our data centers (including server, network and storage) as a hyperconverged system, from a single source, with one centralized management tool. Last but certainly not least, the vendor takes responsibility for compatibility issues.

The technology has finally caught up to the industry's needs.

Forcing Our Hand

Three years ago, Frankfurter Bankgesellschaft was about to take the leap and invest in new data center technology when a disaster forced our hand. Our subsidiary in Frankfurt was renting several floors of a big office building and also leasing space in the building's data center, which was located in the basement and was also being used by another Landesbank Hessen-Thüringen subsidiary.

One afternoon, a construction crew accidentally drilled into a water pipe. They tried to notify the building's owner, but it was the end of the day on a Friday and they couldn't reach anyone. Water leaked into our data center overnight and shorted out one of our uninterruptible power supplies.

While our servers and data remained safe at all times, our Frankfurt office was cut off from accessing the network. We activated our business continuity plans, and brought the network back online the next morning. Even though our office was back online, the incident had a secondary impact. Our colocation facility used an oxygen reduction system (ORS) as fire prevention, and the leakage had made the room’s concrete more porous. As a result, fresh air was seeping into the data center, and we couldn't keep the oxygen levels low enough to ensure fire safety. 

We had no choice but to move our servers, and it made more sense to install new equipment at another location than to relocate our aging infrastructure.

Deploying Cisco ACI and HyperFlex

We had already been looking at Cisco ACI technology as the bedrock of a secure data center network, and at Cisco HyperFlex as the primary architecture of our storage and compute infrastructure. Anticipating the investment, we had even skipped a few hardware-replacement cycles and had held onto some gear after it had reached end of life so we could upgrade everything at once. However, the data center accident forced us to implement our plans sooner than we expected.

We worked with Netcloud to deploy a virtual network based on the Cisco ACI platform, Cisco Nexus 9000, and Cisco Catalyst 9000 Series switches, and built a highly redundant stretched Cisco HyperFlex cluster to power our new data centers in Frankfurt. Moreover, this year we rebuilt our two data centers in Zurich with three additional HyperFlex clusters, leveraging the ACI network we deployed at the end of last year. In addition, this year we replaced the campus network in our headquarters office buildings with Cisco SD-Access. While it is still a work in progress, the efforts to streamline our operations are well underway.

Securing Our Network with Cisco Tetration

The cornerstone of our new infrastructure is Cisco Tetration. It is a micro-segmentation and cloud workload protection tool for hybrid data centers that integrates with Cisco ACI and adheres to European data residency regulations. I first heard about Tetration at Cisco Live about three years ago, and realized that it solved one of our most pressing security issues.

Firewalls are great at protecting us from external attacks, but are cumbersome to use when securing our network against internal threats. Cisco Tetration streamlines and simplifies the process.

Firewalls protect your network from external threats, but not internal ones.

Securing our networks starts in Cisco ACI, which dynamically defines the network infrastructure and automatically assigns systems to endpoint groups, which are clusters of machines that share a similar purpose. Instead of using static IP blocks, ACI communicates via API with our firewall infrastructure and dynamically updates the rules that allow these systems to talk to one another, following a dynamic, risk-based approach.

Cisco Tetration then automates micro-segmentation and network monitoring, providing protection against lateral movement that secures our internal applications at the workload level. It uses machine learning to monitor and understand application behavior and automatically generate security policies across all our operations. Cisco Tetration also monitors and secures traffic between applications, identifies vulnerabilities, flags anomalies, remediates threats, and offers policy recommendations. It simplifies the work of our security experts and network engineers.
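A small model of the allow-list policy the two paragraphs above describe, where workloads are grouped by role into endpoint groups and contracts are written between groups rather than between static IP addresses. This is an added example, not code from the page, Cisco or Frankfurter Bankgesellschaft; the class and function names and the three-tier sample inventory are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Hypothetical model, not Cisco's ACI API: endpoints are placed in an endpoint
# group (EPG) by role, contracts are written between EPGs (never between IPs),
# and anything not covered by a contract is denied, as in ACI's allow-list model.

@dataclass
class Endpoint:
    name: str
    ip: str
    epg: str       # role-based group such as "web", "app" or "db"
@dataclass
class Contract:
    consumer: str  # EPG that opens the connection
    provider: str  # EPG that serves it
    proto: str
    port: int

@dataclass
class Fabric:
    endpoints: dict[str, Endpoint] = field(default_factory=dict)
    contracts: list[Contract] = field(default_factory=list)

    def add(self, ep: Endpoint) -> None:
        self.endpoints[ep.name] = ep

    def epg_of(self, ip: str) -> str | None:
        # Membership comes from the live endpoint table, so a re-addressed
        # workload keeps its policy and a reused IP does not inherit it.
        return next((ep.epg for ep in self.endpoints.values() if ep.ip == ip), None)

    def permits(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        src, dst = self.epg_of(src_ip), self.epg_of(dst_ip)
        if src is None or dst is None:
            return False   # unknown endpoint: default deny
        if src == dst:
            return True    # intra-EPG traffic is allowed by default
        return any(c.consumer == src and c.provider == dst
                   and c.proto == proto and c.port == port for c in self.contracts)

def build_demo_fabric() -> Fabric:
    # Constructed three-tier sample inventory, not a real network.
    f = Fabric()
    f.add(Endpoint("web01", "10.1.1.10", "web"))
    f.add(Endpoint("app01", "10.1.2.10", "app"))
    f.add(Endpoint("db01", "10.1.3.10", "db"))
    f.contracts += [Contract("web", "app", "tcp", 8443), Contract("app", "db", "tcp", 5432)]
    return f
```

Re-addressing `app01` or giving its old IP to an unrelated host leaves the web-to-app contract intact and the database still unreachable from the web tier, which is the property an IP-based rule set loses on every re-provisioning.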

Leveraging Machine Learning and Human Intelligence

Cisco ACI and Cisco Tetration have given Frankfurter Bankgesellschaft the automation tools we need to streamline our processes and reduce human error. Software-defined networks and hyperconverged infrastructure offer scalable performance that meets our changing security and IT needs, but these technologies require a dynamic approach to system monitoring and configuration.

The perfect #cybersecurity solutions combine machine and human intelligence.

Automation allows our engineers to react to emerging threats in a timely manner. We can now focus on getting the security concepts right instead of continually updating the rules and monitoring the network 24/7. Cisco Tetration wades into the weeds and extracts the information we need so we can do a better job securing and maintaining our infrastructure. It has given us the perfect combination of machine and human intelligence.

Cisco also helped us react quickly to the COVID crisis. When we received the order to shelter in place, Frankfurter Bankgesellschaft pivoted to remote work in five business days. Our people were already working on virtual desktops (VDI) running on our Cisco HyperFlex clusters, but were probably unaware that their desktop boxes were logging into remote virtual servers at our data center. We set up secure remote access and moved our two-factor authentication system from our test platform to our production servers.

It's great to have this agility as part of our everyday operations, but Cisco supercharged our emergency response efforts.

The Tools We Need at a Price We Can Afford

Cisco helps Frankfurter Bankgesellschaft stay competitive and compliant in the European banking industry. As a small company that operates in a niche market, it’s important that we’re agile and adaptable. Today, we can pivot more quickly to introduce new wealth management products to our select clientele. 

Cisco HyperFlex, Cisco ACI, and Cisco Tetration have given us the tools we need at a price that makes sense for a business our size. We are no longer tied to hardware lifecycles and can scale and secure our infrastructure as we add new customers and services. Cisco has freed our engineers to focus on engineering instead of administration—all while remaining compliant and playing by the same set of rules as the big banks.

Banks sometimes move slowly in matters of technology, but sometimes we have to take a leap of faith and update our tools and processes. Cisco and Netcloud made it easy for Frankfurter Bankgesellschaft to explore the IT landscape and adopt the best new technologies to secure our infrastructure and serve our customers.