Protection of KredoBank's processing servers

KredoBank is a Ukrainian bank founded in 1990 and headquartered in Lviv. It belongs to the largest Polish bank PKO Bank Polski. KredoBank's service network consists of 82 branches in 22 regions of Ukraine and Kyiv. KredoBank is one of the twenty largest banks in Ukraine.

SAFE OPERATION AND DATA PROTECTION OF A FINANCIAL INSTITUTION DEPEND ON THE LEVEL OF MATURITY OF ITS INFRASTRUCTURE AND THE RESILIENCY OF THE CYBERSECURITY COMPLEX

There is no doubt that cybersecurity is one of the strategic directions of the bank's development. Responsibility for it lies not only with the IT service but with the business as a whole, because the protection of customer data, its reliable storage and processing, and the confidentiality of banking operations depend on the effectiveness of the protection system in general and, in particular, on the whole range of actions and the professionalism of the staff.

Financial institutions that care about their reputation and take business risks into account carefully monitor updates and possible threats, and follow the security guidelines put forward by the international community and the National Bank of Ukraine.

In accordance with NBU Decree #95 dated September 28, 2017, which approved the Regulations on the organization of measures to ensure information security in the banking system of Ukraine and, in particular, refers to the need to filter data centre traffic, KredoBank purchased equipment and software to build a failsafe solution for the protection of processing servers.

Since the bank had previously built the network infrastructure of data centers based on the Cisco ACI architecture, the Cisco Firepower 4110 NGIPS Appliance was able to optimally meet the needs in terms of quality and compliance with traffic security requirements.

The system was deployed at two sites. The selected firewalls serve as service devices for the ACI fabric. The main task of the equipment is to inspect traffic that is redirected to it by that same ACI fabric. The firewalls themselves are implemented as separate logical devices in multi-instance mode on Firepower 4110 hypervisors.

The failover technology made it possible to combine all firewalls into one logical system. Platform management interfaces, firewalls and interfaces for failover are all connected to the classic network, and these devices are managed from the existing FMC system.

At the network level, the system components interact using open-standard protocols from the IP protocol suite. Information exchange between systems takes place through a single information environment, using standard data exchange protocols, with the required number of optical communication channels provided between devices.

As a result, the developed technical solutions ensure continuous functioning of the system 24 hours a day, 365 days a year. The system provides a high degree of availability and is designed with no single points of failure for functionally critical elements.

Fault tolerance is provided by the following means:

  • Use of highly reliable equipment
  • Duplication and redundancy of communication lines
  • Duplication and redundancy of software, firmware and hardware critical for the operation of the system as a whole.

To ensure information security, the following security policies have been configured on firewalls:

  • Policy for filtering traffic from/to the processing network at the L4-L7 level. This policy has been moved from the existing ASA firewall context to the processing network.
  • IPS policy for the processing network.
  • Filtering policy based on dynamically loaded lists of potentially dangerous FQDNs/addresses.

As a result, KredoBank received a comprehensive protection system for processing servers based on the Cisco Firepower 4110 NGIPS Appliance platform, which includes high-quality fault-tolerant equipment and software that meets the IT and business requirements of the institution.

Artur Cieslar, Deputy Chairman of the Board of KredoBank: “KredoBank always operates in accordance with European standards and maintains its systems and infrastructure at a safe level. The Bank pays maximum attention to the protection of financial information and is active both internally by developing its own infrastructure, and externally. This is why we plan to continue working on implementing cutting-edge technologies in order to ensure that our bank meets the highest security and quality standards for financial services”.

Dmytro Zhukovskyi, Director of Information Technology Department “IT-Integrator”: “Our team has significant experience in the implementation of the Cisco ACI architecture, including in the banking sector, as well as the integration of Cisco Security products, which allows us to demonstrate high performance and operate real cases from practice. We should note that such projects are always a new challenge and an impetus for improvement. For many years, KredoBank has been demonstrating a highly professional approach to organizing an IT infrastructure and a security complex. 98% of the Bank's business processes work online”.
