This article was originally published on TABBForum on August 27, 2019.

With so much riding on the rails of organizations’ networks, CIOs at financial services companies are prone to taking a cautious approach to upgrading. But this trepidation has put the financial services industry years behind the curve on adopting software-defined WANs and realizing the full potential of cloud computing.

The financial services industry is understandably conservative and does not like making changes to its technology infrastructure. Replacing one system with another can feel like trading the devil you know for one you don’t. With so much riding on the rails of enterprise wide area networks (WANs), CIOs at financial services companies are prone to taking a cautious approach. However, this trepidation has put the financial services industry years behind the curve on adopting the transformational technologies of cloud computing and software-defined WANs (SD-WANs).

Day by day, more banks and capital markets firms are migrating at least some of their applications to the cloud. Most employ a multi-cloud strategy, splitting their workloads among Microsoft Azure Cloud, Amazon Web Services (AWS), and Google Cloud Platform (GCP). This allows even very conservative companies to use the different cloud providers as primary, backup, and tertiary environments.

The Costly Legacy

Moving workloads to the cloud puts pressure on conventional WANs – the kind built on MPLS circuits leased from telecommunication providers. Also known as a legacy hub-and-spoke WAN, this infrastructure is based on the construct of application workloads that are hosted in an on-premises data center. Branch locations that need access to applications typically have one or more MPLS circuits to bring network traffic directly into that data center in a secure fashion. This WAN architecture has served financial services companies remarkably well for decades, but it fails miserably in serving traffic to and from cloud applications.

A New WAN Approach is Needed

As the paradigm of where enterprise applications are hosted changes, so too must the WAN that carries data from the branch offices to the cloud. Under the legacy hub-and-spoke architecture – which predates the cloud by decades – all network traffic comes into an enterprise data center before being forwarded into the cloud. Like a hairpin turn on a mountainside, the route the data travels is long and circuitous, which increases latency. And we all know that latency is a killer in financial services.

Many financial services companies have transformed, or are transforming, their networks and moving to the cloud. One way they are doing this is by having their data center resources hosted in the cloud, where their applications already are or are going. Facilities that host this data center-like infrastructure are known as CloudHubs, or sometimes communication hubs or performance hubs. A CloudHub consists of racks of networking equipment typically deployed in carrier-neutral, colo data centers. These data centers are then interconnected with high-capacity, low-latency circuits that create a high-performance core network.

At the edge of this network, an enterprise can interconnect with its existing carrier services, whether they are MPLS networks, dedicated internet access networks, Ethernet, or private line services. The company also can directly connect to its branch offices, remote and mobile users and partners, and of course, its core on-premises data centers.

One advantage of the CloudHub architecture is that it brings an enterprise’s network traffic into “peering centers” where other cloud-based applications are hosted – applications such as Office 365, Salesforce, ServiceNow, Workday, and other popular SaaS applications. Properly designed, CloudHub-based network connectivity is the most optimized means of connecting to various cloud and SaaS platforms, and the resulting architecture translates to applications that are now screaming fast.

Of course, no financial services company – or any company, really – would give a thought to using a CloudHub architecture without assurances that data and application security is as good as or better than what the legacy WAN architecture provides. An enterprise can build its own security stack and deploy it in the CloudHubs it utilizes, or the company can engage with a service provider that has already built and deployed regional CloudHubs that are fully configured with a strong security stack. Either way, DIY or “as a service” CloudHubs can have the range of security services an enterprise needs, including a next-generation firewall, anti-virus/anti-malware, intrusion detection/prevention, data loss prevention, and more. These are the same tools that are typically deployed in an on-premises data center.

Steps to Evolve Your Costly Legacy Network (WAN Transformation)

Financial services companies with an eye toward a competitive advantage are already transforming their networks to increase productivity and business agility and to decrease overall costs, shifting expenses from capex to opex. A cloud-ready WAN architecture built on a CloudHub core network enables this and more. In fact, financial services companies can evolve their networks in short order with the following recipe:

Step 1: Map the apps

The enterprise must understand where its users and applications are, and how traffic flows between them. This entails documenting which applications are in the on-premises data center, which ones are in the cloud, and if they are in the cloud, where they are hosted (geographically) relative to where the users are. This will help optimize interconnection with those applications for the best performance.

Step 2: Deploy CloudHubs

Having mapped the users and apps, the enterprise can strategically deploy its CloudHubs to optimize performance between the end user environments and the cloud environments, and to get direct cloud interconnect. CloudHubs are virtual data centers, so it’s possible to deploy both distributed compute and distributed security. At this point the cloud-based data center is becoming more of an application hub that can support many capabilities, such as load balancing, network monitoring, application performance management, and more.

Step 3: Add SD-WAN

Now, add an SD-WAN overlay to achieve something really powerful. With application-aware routing, traffic can be routed based on application and/or user. Security policies can be applied dynamically, and the enterprise can leverage enhanced analytics using data from the overlay network, the underlay network and the various transport circuits. An enhanced analytics platform enables faster correlation of data, which in turn leads to quicker resolution of problems.

The Benefits of Dumping Your Legacy

A WAN transformation provides myriad benefits. By creating a much more flexible, adaptable network, a financial services company can be a more agile business. A new branch or remote location (like an ATM or service kiosk) can be turned up in hours rather than weeks or months.

There are good opportunities for cost reductions. Companies can retain their MPLS circuits for their most important applications, if desired, and replace or install other circuits based on more cost-effective transport choices.

Security can be centralized in CloudHubs instead of needing to distribute it out to each and every branch that needs internet or cloud access. This eliminates the hairpinning of traffic through a corporate data center for the purpose of applying security to the traffic.

CloudHubs have a global reach – even in traditionally hard-to-serve places such as China. Global enterprises can have consistent network performance over the CloudHub grid throughout the world.

Creating a WAN backbone architecture based on CloudHubs connected with high-speed links is the future of wide area networking. It’s a proven architecture that even the most change-averse firms can embrace.
