Migration of a Fintech application in AWS

We recently worked on a fintech application for one of the top banks in Bangladesh that receives remittances sent by people living in foreign countries.

The solution currently runs on-premise, so the architecture shared here was proposed for migrating it to the AWS cloud. Keeping the solution on-premise was a major obstacle to making it accessible globally. Migrating to the cloud will remove that bottleneck and let the bank operate globally while meeting fintech compliance requirements in a short time.

We wanted to make sure that the infrastructure architecture is aligned with those compliance requirements.

I have shared the overall AWS architecture below:

I have shared a few of the relevant services below:
Security in AWS Cloud

Considering that the City Bank remittance application is a public, internet-facing application, we recommend that the following security guiding principles be applied:

Security groups: Security groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. When you launch an instance, you can associate it with one or more security groups that you’ve created. Each instance in your VPC could belong to a different set of security groups. If you don’t specify a security group when you launch an instance, the instance is automatically associated with the default security group for the VPC. For more information, see Security groups for your VPC.
Network access control lists (ACLs): Network ACLs act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level. For more information, see Network ACLs.
VPC Flow logs: Flow logs capture information about the IP traffic going to and from network interfaces in your VPC. You can create a flow log for a VPC, subnet, or individual network interface. Flow log data is published to CloudWatch Logs or Amazon S3, and it can help you diagnose overly restrictive or overly permissive security group and network ACL rules. For more information, see VPC Flow Logs.
Traffic mirroring: You can copy network traffic from an elastic network interface of an Amazon EC2 instance. You can then send the traffic to out-of-band security and monitoring appliances. For more information, see the Traffic Mirroring Guide.
Next Generation Firewall (NGFW) – Fortinet FortiGate VM
AWS IAM – Identity and Access Management with granular access control policies and RBAC
Amazon GuardDuty – machine-learning-based threat detection service that analyses VPC Flow Logs and DNS logs
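The flow log item above notes that flow log data helps diagnose overly restrictive or overly permissive security group and network ACL rules. The script below is an added example (not code from this post, the bank or AWS) that parses default-format version 2 flow log records and surfaces both cases: admin ports accepted from the internet, and repeated rejects between internal addresses. It assumes the VPC uses RFC 1918 address space, and the sample records are constructed.

```python
# Added example (not the post's or AWS's code): triage VPC Flow Log records
# for overly permissive or overly restrictive rules. Assumes the default
# version-2 field order; the sample records below are constructed.
from collections import Counter
import ipaddress

# Default (version 2) VPC Flow Log field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
ADMIN_PORTS = {"22", "3389"}  # SSH / RDP: must not be ACCEPTed from the internet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 44123 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51000 443 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 39000 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 40000 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.10 52000 5432 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.10 52001 5432 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """One dict per usable record; NODATA/SKIPDATA lines are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):
            rec = dict(zip(FIELDS, parts))
            if rec["log_status"] == "OK":
                records.append(rec)
    return records

def _private(ip):
    """True if ip is in RFC 1918 space (assumed to be the VPC's address range)."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def internet_exposed_admin_ports(records):
    """Overly permissive: admin ports ACCEPTed from non-private sources."""
    return {(r["dstaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT" and r["dstport"] in ADMIN_PORTS
            and not _private(r["srcaddr"])}

def internal_rejects(records):
    """Overly restrictive candidates: REJECTs between private addresses, per (src, dst, port)."""
    return Counter((r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
                   if r["action"] == "REJECT"
                   and _private(r["srcaddr"]) and _private(r["dstaddr"]))
```

Repeated rejects from one internal host to one port (here the app subnet to 5432) usually point at a missing security group or network ACL rule, while an accepted admin port from a public source points at a rule that is too wide.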

Fortinet FortiGate Next-Generation Firewall features

Application Control
Web Filtering
FortiCloud Sandbox
Antivirus
Intrusion Prevention
Virus Outbreak Protection Service
Content Disarm & Reconstruction
IP Reputation & Anti-botnet Security
