Review of Amazon Web Services (AWS) for Financial Institutions (FIs) mission critical applications design

Abstract- Internet technologies allow us to use almost any service online from home with ease. As more systems move online, potential issues such as application unavailability, data loss and cyber attacks increase. Financial Institutions are the core of any economy, so they are more vulnerable to attacks, data loss and availability problems. Cloud Computing provides infrastructure, platform and software as services with high global standards for security, reliability and scalability. Due to these advancements in cloud computing, organizations are able to create cost-effective and performant designs for their applications. Amazon is the leader in Cloud Computing; this paper reviews Amazon Web Services (AWS) for FIs mission critical application design.

Index Terms - Cloud Computing, Amazon Web Services, AWS, Financial Institutions, Mission Critical Application, Application Design, Cloud Model, Challenges to Design Financial Institutions Design

1. Introduction

Financial Institution (FI) applications are complex, inter-connected and highly distributed, and must serve end users with low latency. They must be available 24*7 with near zero downtime for maintenance. They need mission critical technology for resilient, highly available, high throughput applications, with a very low Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for disaster management. FIs must ensure data security, integrity, and compliance with global standards due to the regulatory framework. AWS offers a large range of services and infrastructure to develop FIs mission critical applications with high availability, scalability, secure inter-connectivity, disaster recovery, data encryption, data backup, globally distributed databases, automated code deployment and many more. This paper reviews the services provided by AWS for FIs mission critical applications.

1.1 What is cloud computing?

According to Amazon “Cloud computing is the on-demand delivery of IT resources over the Internet with pay-as-you-go pricing. Instead of buying, owning, and maintaining physical data centers and servers, you can access technology services, such as computing power, storage, and databases, on an as-needed basis from a cloud provider like Amazon Web Services (AWS)”.[1]

Fig 1. Cloud Computing Providers[33]

These cloud service providers have changed the industry tremendously: anyone can now leverage their infrastructure and services to quickly create mission critical systems for Banking, Hospitals, Gaming, IoT, Machine Learning and many more. The cloud has revolutionized the industry, and all global companies now use cloud services. Using the cloud is a win-win situation for both cloud provider and industry, as companies can use the infrastructure at any time at minimum cost, without overburdening their finances by provisioning large servers, hardware and data centers.

1.3 What are different offerings from AWS?

AWS is the leader in Cloud Computing. In 2006, Amazon Web Services (AWS) began offering IT infrastructure services to businesses in the form of web services.[2]

AWS offers hundreds of services within different product categories: Compute, Storage, Database, Network and Content Delivery, Analytics, Machine Learning, Security, Identity & Compliance.[3]

These services are of a global standard, which helps organizations move faster with cost efficiency, high performance, scalability, reliability, resiliency and sustainability for their applications and systems.

1.4 What is Resiliency?

Resiliency is the ability of a system to recover from a failure induced by load, attacks, and failures.[4] The system could fail due to load on servers because of high traffic, cyber attacks, hardware failure and human errors.

Financial Institutions (FIs) that do not plan and design systems for recovery will lose business due to data loss and system downtime. They may even face legal and financial losses due to non-compliance with data storage, integrity and security requirements.

FIs can leverage AWS technology to create a resilient system by auto scaling servers, placing servers in many locations to achieve high availability, and using services that automatically detect cyber attacks, e.g. Distributed Denial of Service (DDoS), SQL injection and Cross Site Scripting (XSS) attacks.

1.5 What is Disaster Recovery?

Disaster recovery is the process of preparing for and recovering from a disaster. An event that prevents a workload or system from fulfilling its business objectives in its primary deployed location is considered a disaster.[5]

We can also divide FI applications into critical and non-critical. Transaction Processing could be a critical part whereas Reporting may not be critical. In the case of critical systems, the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) should be very low.

Based on the criticality of the application we can choose among Disaster Recovery options.

Fig 2. Disaster Recovery strategies [6]

2. AWS Models

2.1 AWS Computing Models

AWS provides three models for cloud computing [7]:

  • Infrastructure as a Service (IaaS)
  • Platform as a Service (PaaS)
  • Software as a Service (SaaS)

2.2 AWS Cloud Computing Deployment Models

AWS also provides three Cloud Computing Deployment Models [8]:

  • Cloud
  • Hybrid
  • On-premises

For any FI, IaaS is the integral part needed for a resilient system. FIs can choose among deployment models based on the compliance rules of their country and the effort or investment needed to maintain hybrid or on-premises servers. In the Cloud deployment model all the infrastructure is managed by AWS; in the Hybrid model some part is in the Cloud and the remainder is on-premises. Hybrid is used where government compliance requires it or where the organization is moving step by step into the Cloud. In the On-premises model AWS sets up a dedicated Cloud at your location. This could be due to the customer's need to run applications with low latency and local data-processing requirements.[9]

3. Components of a FIs mission critical applications

3.1 AWS Infrastructure

The AWS Global infrastructure is built around Regions and Availability Zones (AZs). AWS Regions provide multiple, physically separated and isolated Availability Zones which are connected with low latency, high throughput, and highly redundant networking. These Availability Zones offer FIs an easier and more effective way to design and operate applications and databases, making them more highly available, fault tolerant, and scalable than traditional single data center or multi-data center infrastructures.[10]

At the time of publication, the AWS Cloud spans 87 Availability Zones (AZs) within 27 geographic Regions, 400+ Edge Locations and 13 Regional Edge Caches, 17 Local Zones, 28 Wavelength Zones for ultra-low latency applications, and 115 Direct Connect Locations, within 245 Countries and Territories.[11]

Fig 3. AWS Infrastructure

3.1.1 Region

AWS has the concept of a Region, which is a physical location around the world where we cluster data centers. We call each group of logical data centers an Availability Zone. Each AWS Region consists of multiple, isolated, and physically separate AZs within a geographic area.[11]

Fig 4. AWS Regions

3.1.2 Availability Zones

An Availability Zone (AZ) is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.

3.1.3 Local Zones

AWS Local Zones place compute, storage, database, and other select AWS services closer to end-users. With AWS Local Zones, you can easily run highly-demanding applications that require single-digit millisecond latencies to your end-users such as media & entertainment content creation, real-time gaming, reservoir simulations, electronic design automation, and machine learning.

3.1.4 AWS Wavelength

AWS Wavelength enables developers to build applications that deliver single-digit millisecond latencies to mobile devices and end-users. Wavelength Zones are AWS infrastructure deployments that embed AWS compute and storage services within communications service providers (CSP) 5G networks.[12]

3.1.5 Amazon Elastic Compute Cloud (Amazon EC2)

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the Amazon Web Services (AWS) Cloud. There is no need to invest in hardware up front; AWS provides several purchasing options for EC2, based on your budget, the type of application and the time the application needs to run. On-Demand instances are costly, but you can launch them at any time and then terminate them. Reserved instances are reserved for a certain time period and are cheaper than On-Demand. Spot instances are the cheapest but are suited to applications that can handle interruptions. Dedicated Hosts and Instances are also available for companies that must follow compliance rules or use their own licensing. In this way AWS can speed up the development and deployment process of applications. With Amazon EC2 you can launch as many or as few virtual servers as you need, configure security and networking, and manage storage.[13]

3.1.6 Virtual Private Cloud (VPC)

Amazon Virtual Private Cloud (Amazon VPC) gives you full control over your virtual networking environment, including resource placement, connectivity, and security.[14]

Fig 5. Multiple Availability Zones (AZs) within a Region, EC2 instance in each AZ[14]

A VPC with multiple regions, where each region has multiple AZs, supports launching compute instances with networking, connectivity and security.[14]

By using AWS infrastructure, FIs can easily provide high availability of data centers or systems. FIs are able to create a VPC with multiple regions and multiple AZs in each region, then launch compute instances in each AZ with connectivity to on-premises and third party apps over the public internet, a private VPN connection, or a dedicated connection using AWS infrastructure. Security is based on security rules for inter- and intra-VPC communication between services. Each service must be authorized to access components of the VPC.

3.2 Servers Scalability

FI traffic on servers is sometimes unpredictable due to new launches, special occasions or peak hours of the day. In the stock market most traffic arrives in the early working hours, with no traffic after the market closes. In the banking system traffic is high on weekends or public holidays. Predicting traffic beforehand plays a major role in critical systems such as those of FIs. AWS provides services to take care of these sudden swings between high and low traffic.

An application can become unavailable during a sudden burst of traffic when servers cannot scale fast enough, or cannot auto scale at all because no monitoring system is in place. AWS Auto Scaling Groups for EC2 (Elastic Compute Cloud) can handle sudden bursts up to some level immediately.


3.2.1 Auto Scaling Group (ASG)

An AWS Auto Scaling Group can be launched across multiple Availability Zones (AZs), making it highly available. It has a health check mechanism for EC2 instances: “AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost”.[15]

Fig 6. Auto Scaling Group Minimum, Maximum and Desired Capacity

3.3 Load Balancers

When traffic is high, a single server is not able to handle all the requests efficiently, so multiple servers are needed to handle them. Clients, however, need a single point of access to the application. Load balancers are that single point of access: a “load balancer distributes incoming application traffic across multiple targets, such as EC2 instances, in multiple Availability Zones. This increases the availability of your application”.[16]

A load balancer within a single AZ is not fault tolerant, so multiple load balancers in different AZs are needed. Single point access to the application is then provided by DNS. AWS has the Route 53 DNS service with a 100% Service Level Agreement (SLA). With this design FIs can create a distributed application with load distributed onto multiple servers in multiple locations, behind a single point of access.

3.4 Highly Available Databases

All FI applications need to store their databases in multiple locations for security, data compliance and distributed clients. AWS provides several databases with High Availability and Disaster Recovery mechanisms. AWS Relational Database Service (RDS) and AWS Aurora are relational databases, while AWS DynamoDB is a NoSQL database. All these databases are able to serve the FIs global clients with high availability and low latency.

3.4.1 Amazon Relational Database Service (Amazon RDS)

It is a managed database service that uses SQL as its query language. RDS supports MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server database (DB) instances.

RDS provides two easy-to-use options for ensuring High Availability for databases.

“When provisioning a Multi-AZ DB instance, Amazon RDS automatically creates a primary DB instance and synchronously replicates the data to a standby instance in a different Availability Zone (AZ). In case of an infrastructure failure, Amazon RDS performs an automatic failover to the standby DB instance. Since the endpoint for your DB instance remains the same after a failover, your application can resume database operation without the need for manual administrative intervention”. [17]

Fig 7. Multi-AZ DB cluster architecture[18]

3.4.2 Amazon Aurora

Amazon Aurora is a relational database service with MySQL and PostgreSQL-compatible editions.

“In Aurora PostgreSQL, a DB cluster is a collection of one read/write instance and up to 15 read instances, along with data storage (cluster volume) that spans multiple Availability Zones”[]. Aurora keeps six copies of the data across three AZs.

By default, an Amazon Aurora cluster has only one primary compute instance performing read/write operations, and up to 15 read instances, along with data storage (cluster volume) that spans multiple Availability Zones. Each Availability Zone maintains two copies of the DB cluster data. By adding one or more Aurora Replicas to the cluster, you gain read scalability and high availability for your database cluster. If the primary instance in the cluster fails, Aurora automatically promotes an existing Replica to be the new primary instance.[19]

The following diagram illustrates the Aurora PostgreSQL architecture with a master and three Read Replicas:

Fig 8. Aurora PostgreSQL architecture with a master and three Read Replicas[19]

3.4.3 AWS Aurora Global Database

AWS Aurora Global Database is designed for globally distributed applications, allowing a single Amazon Aurora database to span multiple AWS Regions. It replicates your data with no impact on database performance, enables fast local reads with low latency in each Region, and provides disaster recovery from region-wide outages.

Critical workloads with a global footprint, such as financial, travel, or gaming applications, have strict availability requirements and may need to tolerate a Region-wide outage.[20]

3.4.4 Amazon DynamoDB

Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database designed to run high-performance applications at any scale. DynamoDB offers built-in security, continuous backups, automated multi-Region replication, in-memory caching, and data import and export tools.[21]

With DynamoDB, you can create database tables that can store and retrieve any amount of data and serve any level of request traffic. You can scale up or scale down your tables' throughput capacity without downtime or performance degradation.

DynamoDB automatically spreads the data and traffic for your tables over a sufficient number of servers to handle your throughput and storage requirements, while maintaining consistent and fast performance. All of your data is stored on solid-state disks (SSDs) and is automatically replicated across multiple Availability Zones in an AWS Region, providing built-in high availability and data durability. You can use global tables to keep DynamoDB tables in sync across AWS Regions.[22]

3.5 Data Storage

For FIs data storage is a major concern due to strict compliance: data needs to be stored for a long period at minimum cost, and it should be highly available and fault tolerant.

For storing data in AWS there are many options depending on type, use, accessibility, and cost.

Data is primarily stored across many AZs in a region, except for Elastic Block Storage (EBS).

AWS S3 (Simple Storage Service), EFS (Elastic File System) and FSx are a few of the options where you can store your data.

All the data storage services have encryption, automatic replication and snapshots to store copies in multiple locations for backups and disaster recovery.

3.5.1 AWS S3(Simple Storage Service)

S3 can be used for storing static data in a region, and the data can be replicated across regions. S3 has different storage classes for frequent, infrequent and archive data, and data can easily be moved from one class to another to save storage cost. S3 provides unlimited storage capacity and data durability of 99.9999… (11 9s).

Fig 9. S3 data storage[23]

3.5.2 EFS (Elastic File System)

EFS is also regional storage. Amazon EFS allows you to mount a single volume on multiple instances, and the data is stored redundantly across multiple AZs within that single region. EFS has data durability of 99.999… (11 9s) and availability of 99.99.. (4 9s).[24]

3.6 Data Security

AWS services improve the ability to meet core security, confidentiality, and compliance requirements, for example through Amazon GuardDuty monitoring of the underlying EC2 compute instances. With the AWS Nitro System, which underlies new generation EC2 instances, there is no mechanism for any system or person to log in to EC2 servers, read the memory of EC2 instances, or access any data stored on instance storage and encrypted EBS volumes.[25]

3.6.1 Amazon GuardDuty

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your Amazon Web Services accounts, workloads, and data stored in Amazon S3.

With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With GuardDuty, you now have an intelligent and cost-effective option for continuous threat detection in Amazon Web Services Cloud. The service uses machine learning, anomaly detection, and integrated threat intelligence to identify and prioritize potential threats.[26]

3.6.2 AWS Nitro Enclaves

AWS Nitro Enclaves enables customers to create isolated compute environments to further protect and securely process highly sensitive data such as personally identifiable information (PII), healthcare, financial, and intellectual property data within their Amazon EC2 instances. Nitro Enclaves uses the same Nitro Hypervisor technology that provides CPU and memory isolation for EC2 instances.[27]

3.6.3 AWS CloudHSM

AWS CloudHSM provides hardware security modules in the AWS Cloud. A hardware security module (HSM) is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys. When you use an HSM from AWS CloudHSM, you can perform a variety of cryptographic tasks:

  • Generate, store, import, export, and manage cryptographic keys, including symmetric keys and asymmetric key pairs.
  • Use symmetric and asymmetric algorithms to encrypt and decrypt data.
  • Use cryptographic hash functions to compute message digests and hash-based message authentication codes (HMACs).
  • Cryptographically sign data (including code signing) and verify signatures.
  • Generate cryptographically secure random data.

If you want a managed service for creating and controlling your encryption keys but you don't want or need to operate your own HSM, consider using AWS Key Management Service.[28]

3.6.4 AWS Key Management Service (AWS KMS)

AWS Key Management Service (AWS KMS) is a managed service that makes it easy for you to create and control the cryptographic keys that are used to protect your data.

AWS KMS integrates with most other AWS services that encrypt your data. AWS KMS also integrates with AWS CloudTrail to log use of your KMS keys for auditing, regulatory, and compliance needs.
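The CloudTrail integration described above is what lets a security team review who used or administered a key. The following is an added example, not code from the article or from AWS: it audits CloudTrail-style records for KMS activity. The sample records, account ID, key ARN, principal names and the allowlist are constructed for illustration; the event names are KMS API operations.

```python
# Added example: audit KMS key usage from CloudTrail-style records.
# All records, ARNs and the allowlist below are constructed sample data.

KEY_ADMIN_EVENTS = {"ScheduleKeyDeletion", "DisableKey", "PutKeyPolicy"}
KEY_USE_EVENTS = {"Decrypt", "GenerateDataKey"}

KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
APP = "arn:aws:iam::111122223333:user/payments-svc"
ANALYST = "arn:aws:iam::111122223333:user/analyst"
ADMIN = "arn:aws:iam::111122223333:user/key-admin"

# Hypothetical allowlist: which principals are expected to use which key.
EXPECTED_PRINCIPALS = {KEY_ARN: {APP}}


def _record(time, source, name, principal, error=None):
    """Build a constructed record with the CloudTrail fields the audit reads."""
    rec = {
        "eventTime": time,
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"arn": principal},
        "resources": [{"ARN": KEY_ARN, "type": "AWS::KMS::Key"}],
    }
    if error:
        rec["errorCode"] = error
    return rec


SAMPLE_RECORDS = [
    _record("2024-01-10T09:00:00Z", "kms.amazonaws.com", "Decrypt", APP),
    _record("2024-01-10T09:05:00Z", "kms.amazonaws.com", "Decrypt", ANALYST),
    _record("2024-01-10T09:10:00Z", "kms.amazonaws.com", "ScheduleKeyDeletion", ADMIN),
    _record("2024-01-10T09:15:00Z", "kms.amazonaws.com", "Decrypt", ANALYST, "AccessDenied"),
    _record("2024-01-10T09:20:00Z", "s3.amazonaws.com", "GetObject", APP),
]


def audit_kms_events(records, expected_principals):
    """Return (time, principal, key, reason) for KMS events worth reviewing."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue  # only KMS API activity is in scope
        name = rec.get("eventName")
        principal = rec.get("userIdentity", {}).get("arn", "unknown")
        keys = [r["ARN"] for r in rec.get("resources", [])
                if r.get("type") == "AWS::KMS::Key"]
        for key in keys or ["unknown-key"]:
            if rec.get("errorCode"):
                reason = f"denied {name} ({rec['errorCode']})"
            elif name in KEY_ADMIN_EVENTS:
                reason = f"key administration: {name}"
            elif (name in KEY_USE_EVENTS
                  and principal not in expected_principals.get(key, set())):
                reason = f"unexpected principal used key: {name}"
            else:
                continue  # expected use by an allowlisted principal
            findings.append((rec["eventTime"], principal, key, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_kms_events(SAMPLE_RECORDS, EXPECTED_PRINCIPALS):
        print(" | ".join(finding))
```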

3.7 Application Security

Application level security can be achieved with AWS Shield and AWS WAF (Web Application Firewall). Shield protects your application from Distributed Denial of Service (DDoS) attacks, whereas AWS WAF protects it from common attack patterns, such as SQL injection or cross-site scripting.

3.8 Network Security

Network security is a major concern for FIs, which must protect their networks from unauthorized users. AWS provides network security at each level: VPC, subnet and instance.

3.8.1 AWS Network Firewall

AWS Network Firewall is a managed service that provides essential network protections for all of your Virtual Private Clouds (VPC).

AWS Network Firewall’s flexible rules engine lets you define firewall rules that give you fine-grained control over network traffic. [29]

3.8.2 Access Control List

A network Access Control List (ACL) allows or denies specific inbound or outbound traffic at the subnet level.

3.8.3 Security Groups

A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. When you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.
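How the subnet-level ACL and the instance-level security group combine is easiest to see by evaluating both for one connection. The following is an added example, not code from the article or from AWS: a simplified model (TCP only, CIDR sources only) in which network ACL rules are evaluated in ascending rule number with first match winning and are stateless, while security groups contain only allow rules and are stateful. All rule sets and addresses are constructed, using documentation address ranges.

```python
# Added example: simplified model of network ACL + security group evaluation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int       # rules are evaluated in ascending number order
    action: str       # "allow" or "deny"
    cidr: str
    port_from: int
    port_to: int


@dataclass(frozen=True)
class SgRule:
    cidr: str         # security group rules can only allow
    port_from: int
    port_to: int


def _matches(rule, ip, port):
    in_range = ip_address(ip) in ip_network(rule.cidr)
    return in_range and rule.port_from <= port <= rule.port_to


def nacl_decision(rules, ip, port):
    """Subnet level: the first matching rule wins; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, ip, port):
            return rule.action
    return "deny"


def sg_decision(rules, ip, port):
    """Instance level: any matching rule allows; no match means deny."""
    return "allow" if any(_matches(r, ip, port) for r in rules) else "deny"


def connection_verdict(nacl_in, nacl_out, sg_in, client_ip, server_port, client_port):
    """Decide whether a client request and the server's reply both get through."""
    if nacl_decision(nacl_in, client_ip, server_port) == "deny":
        return "request blocked by network ACL"
    if sg_decision(sg_in, client_ip, server_port) == "deny":
        return "request blocked by security group"
    # The security group is stateful, so the reply is allowed automatically.
    # The network ACL is stateless, so the reply needs its own outbound rule.
    if nacl_decision(nacl_out, client_ip, client_port) == "deny":
        return "reply blocked by network ACL"
    return "allowed"


# Constructed sample rules (not from the article).
NACL_IN = [
    NaclRule(100, "deny", "203.0.113.0/24", 0, 65535),   # blocked range
    NaclRule(200, "allow", "0.0.0.0/0", 443, 443),       # HTTPS from anywhere
]
NACL_OUT = [NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)]  # ephemeral ports
NACL_OUT_EMPTY = []                                     # reply rule forgotten
SG_IN = [SgRule("198.51.100.0/24", 443, 443)]           # partner network only

if __name__ == "__main__":
    cases = [("198.51.100.7", 443), ("203.0.113.9", 443), ("192.0.2.5", 443)]
    for ip, port in cases:
        print(ip, port, connection_verdict(NACL_IN, NACL_OUT, SG_IN, ip, port, 50000))
    print("no outbound rule:",
          connection_verdict(NACL_IN, NACL_OUT_EMPTY, SG_IN, "198.51.100.7", 443, 50000))
```

The last case is the one that usually surprises people: both inbound layers allow the request, yet the connection fails because the stateless ACL has no outbound rule for the reply.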

3.9 Messaging Services

AWS messaging services enable different software systems and end devices–often using different programming languages, and on different platforms–to communicate and exchange information. You can use AWS messaging services to send and receive data in your cloud applications. The underlying infrastructure is automatically provisioned for high availability and message durability to support the reliability of your applications.[30]

The two most popular and reliable messaging services in AWS are SQS (Simple Queue Service) and SNS (Simple Notification Service). Other services exist as well, but for any FI SQS and SNS are the most important. These services decouple applications so that if one part is overloaded or unhealthy it does not impact other parts.

3.9.1 Amazon SQS

Simple, flexible, fully managed message queuing service for reliably and continuously exchanging any volume of messages from anywhere. Here, consumers continuously poll the queue for messages, read them singly or in batches, process them and send the result to another service.

Fig 10. Producer Consumer design of SQS Queue
Fig 11. Decoupling of Frontend and Backend using SQS Queue

3.9.2 Amazon SNS

Simple, flexible, fully managed publish/subscribe messaging and mobile push notification service for high throughput, highly reliable message delivery. [31]

It is used where multiple subscribers wait for a message. A subscriber can register with the publisher, and as soon as a message is received by the publisher, it is delivered to the subscriber.

4. Conclusion

AWS services are able to achieve highly resilient and highly available systems with AWS backed infrastructure, auto scaling, load balancing, distributed databases, reliable storage, network & data security, data backup and scalable inter-communication between AWS services. A global FI system can be designed for distributed clients with low latency and high availability. FIs can plan for disaster recovery, compliance and regulations based on their countries.

We can further explore AWS serverless services that could be used instead of provisioned services, where FIs or organizations don’t need to provision resources and infrastructure beforehand and the Cloud automatically scales according to the requirements of your end users. With serverless services organizations don’t need to handle infrastructure management tasks like capacity provisioning and patching, so you can focus on writing code that serves your customers.[32]

References

[1] https://aws.amazon.com/what-is-cloud-computing/

[2] https://aws.amazon.com/about-aws/

[3] https://aws.amazon.com/products/

[4] https://d1.awsstatic.com/Industries/Financial%20Services/Overview/Resilient%20Applications%20on%20AWS%20for%20Financial%20Services.pdf

[5] https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-workloads-on-aws.html

[6] https://docs.aws.amazon.com/whitepapers/latest/disaster-recovery-workloads-on-aws/disaster-recovery-options-in-the-cloud.html

[7] https://aws.amazon.com/types-of-cloud-computing/

[8] https://aws.amazon.com/types-of-cloud-computing/

[9] https://aws.amazon.com/blogs/compute/running-aws-infrastructure-on-premises-with-aws-outposts/

[10] https://aws.amazon.com/about-aws/global-infrastructure/

[11] https://aws.amazon.com/about-aws/global-infrastructure/regions_az/

[12] https://aws.amazon.com/wavelength/features/

[13] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

[14] https://aws.amazon.com/vpc/

[15] https://aws.amazon.com/autoscaling/

[16] https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html

[17] https://aws.amazon.com/rds/ha/

[18] https://aws.amazon.com/blogs/database/readable-standby-instances-in-amazon-rds-multi-az-deployments-a-new-high-availability-option/

[19] https://aws.amazon.com/blogs/database/failover-with-amazon-aurora-postgresql/

[20] https://aws.amazon.com/rds/aurora/global-database/

[21] https://aws.amazon.com/dynamodb/

[22] https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html

[23] https://aws.amazon.com/s3/

[24] https://aws.amazon.com/efs/

[25] https://aws.amazon.com/compliance/data-protection/

[26] https://www.amazonaws.cn/en/guardduty/

[27] https://aws.amazon.com/ec2/nitro/nitro-enclaves/

[28] https://docs.aws.amazon.com/cloudhsm/latest/userguide/introduction.html

[29] https://aws.amazon.com/network-firewall/

[30] https://aws.amazon.com/messaging/

[31] https://aws.amazon.com/messaging/

[32] https://aws.amazon.com/serverless/

[33] https://www.c-sharpcorner.com/article/top-10-cloud-service-providers/

Author- Mr. Jag Mohan

(AWS Certified Solutions Architect - Professional)
