Grand Central provides secure, scalable connectivity patterns designed specifically for banking environments, ensuring enterprise-grade security and compliance.

Connectivity Overview

Multi-Layer Security

Defense-in-depth approach with multiple security layers and controls

Banking Standards

Compliance with banking security standards and regulatory requirements

Hybrid Architecture

Support for cloud, on-premises, and hybrid connectivity patterns

High Availability

Enterprise-grade uptime and disaster recovery capabilities

Azure Cloud Connectivity Architecture

The platform leverages Microsoft Azure’s enterprise-grade security and networking capabilities across multiple access patterns.

EBP Client Access

Web Application Firewall (WAF) provides the first line of defense, filtering malicious traffic and attacks before they reach application services. The WAF enforces DDoS protection and traffic filtering, SSL/TLS termination and inspection, rate limiting and throttling, and geographic access controls.

Azure Kubernetes Service (AKS) hosts the container orchestration platform running EBP services. AKS provides secure multi-tenant isolation, automatic scaling capabilities, and integrated security controls for containerized workloads.

BaaS Tenancy ensures secure multi-tenant environments for banking services. Each tenant operates in logical isolation with dedicated resources, preventing cross-tenant data leakage and maintaining strict security boundaries.

External System Access

TLS/mTLS Encryption secures all external system connectivity with mutual authentication. Both client and server certificates are verified, ensuring bidirectional trust before any data exchange occurs.

VPN Connectivity establishes secure tunnel communication for point-to-point integrations. VPN gateways provide encrypted connectivity for fintech partners and open banking systems requiring dedicated network paths.

Network Access Control Lists (ACLs) enforce fine-grained network access policies. IP allowlisting restricts connectivity to authorized external systems only, with granular controls for each integration partner.

External integration patterns include API-based connections with OAuth 2.0, file transfer protocols (SFTP/FTPS), message queue connectivity, and webhook endpoints with signature validation.
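As an added illustration of the webhook signature validation mentioned above (not Grand Central's own code, and the page does not specify a signing format), the following assumes the sender signs the delivery timestamp and raw body with HMAC-SHA256 under a shared secret and presents them in X-Timestamp and X-Signature headers; the secret and message are constructed sample values.

```python
import hashlib
import hmac
import time

# Assumed signing scheme (the page does not specify one): the sender computes
# HMAC-SHA256 over "<unix timestamp>.<raw request body>" with a shared secret and
# sends the hex digest in X-Signature and the timestamp in X-Timestamp.
MAX_SKEW_SECONDS = 300  # reject deliveries older than five minutes to bound replays


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over the timestamp-bound body, as the sender would produce it."""
    return hmac.new(secret, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """Return True only if the signature is valid and the timestamp is fresh."""
    now = time.time() if now is None else now
    timestamp = headers.get("X-Timestamp")
    presented = headers.get("X-Signature")
    if not timestamp or not presented:
        return False
    try:
        sent_at = int(timestamp)
    except ValueError:
        return False
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False  # stale or future-dated delivery: outside the replay window
    expected = compute_signature(secret, timestamp, body)
    # Constant-time comparison: never compare MACs with == (timing side channel).
    return hmac.compare_digest(expected, presented.lower())


# Constructed sample delivery (not a real partner message)
DEMO_SECRET = b"constructed-shared-secret"
DEMO_BODY = b'{"event":"payment.settled","reference":"demo-0001"}'
DEMO_TIMESTAMP = "1700000000"
DEMO_HEADERS = {
    "X-Timestamp": DEMO_TIMESTAMP,
    "X-Signature": compute_signature(DEMO_SECRET, DEMO_TIMESTAMP, DEMO_BODY),
}

if __name__ == "__main__":
    print(verify_webhook(DEMO_SECRET, DEMO_HEADERS, DEMO_BODY, now=1700000100))  # True
```

Signing over the raw bytes (not a re-serialized JSON object) matters: any re-encoding on the receiving side would change the bytes and produce a false rejection.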

Grand Central Internal Processing

Request Flow follows a strict security path: WAF → API Management → Network Security Groups → AKS Runtime → NSG → NAT Gateway. Each hop enforces additional security controls and logging.

Network Security Groups (NSG) provide micro-segmentation within the Grand Central tenancy. Traffic between components is restricted to explicitly allowed paths only, preventing lateral movement and limiting blast radius.

API Management (APIM) enforces centralized policy controls including authentication verification, rate limiting, request transformation, and comprehensive audit logging for all API interactions.

Container Security protects the AKS runtime environment with image scanning, runtime threat detection, and security policy enforcement at the pod level.

NAT Gateway manages outbound traffic from the Grand Central tenancy, providing static IP addresses for backend system connectivity and simplified network ACL management.

Backend System Connectivity

Azure Private Link establishes secure, private connectivity to customer backend systems without exposing traffic to the public internet. Private endpoints eliminate public IP exposure and reduce attack surface.

Network ACLs provide granular traffic filtering for backend integrations. Access rules restrict connectivity based on source IP, destination port, and protocol, enforcing zero-trust network principles.

VPN Gateway extends site-to-site VPN connectivity for secure network integration. Customer backend networks connect seamlessly to the Grand Central environment over encrypted tunnels.

End-to-End TLS/mTLS ensures all backend communications remain encrypted. Certificate-based authentication verifies both Grand Central and backend system identities before establishing connections.
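An added example, not Grand Central's code, of how ACL rules keyed on the three attributes named above (source IP, destination port, protocol) can be evaluated with first-match ordering and an implicit default deny, together with an audit check that flags allow rules open to any source; the subnet, ports and rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AclRule:
    source: str      # source prefix in CIDR notation
    dest_port: int   # 0 means any port
    protocol: str    # "tcp", "udp" or "any"
    action: str      # "allow" or "deny"


# Constructed rule set for illustration; first matching rule wins.
BACKEND_ACL = [
    AclRule("10.20.0.0/24", 5432, "tcp", "allow"),  # assumed egress subnet -> core DB
    AclRule("10.20.0.0/24", 443, "tcp", "allow"),   # assumed egress subnet -> backend API
    AclRule("0.0.0.0/0", 0, "any", "deny"),         # explicit catch-all deny
]


def matches(rule: AclRule, src_ip: str, dest_port: int, protocol: str) -> bool:
    """True if the flow falls inside the rule's source prefix, port and protocol."""
    addr = ipaddress.ip_address(src_ip)
    net = ipaddress.ip_network(rule.source, strict=False)
    if addr.version != net.version or addr not in net:
        return False
    if rule.dest_port not in (0, dest_port):
        return False
    return rule.protocol in ("any", protocol.lower())


def evaluate(rules: List[AclRule], src_ip: str, dest_port: int, protocol: str) -> str:
    """First-match evaluation; a flow no rule covers is denied (default deny)."""
    for rule in rules:
        if matches(rule, src_ip, dest_port, protocol):
            return rule.action
    return "deny"


def overbroad_allows(rules: List[AclRule]) -> List[AclRule]:
    """Audit helper: allow rules whose source prefix is the entire address space."""
    return [
        r for r in rules
        if r.action == "allow" and ipaddress.ip_network(r.source, strict=False).prefixlen == 0
    ]


if __name__ == "__main__":
    print(evaluate(BACKEND_ACL, "10.20.0.15", 5432, "tcp"))  # allow
    print(evaluate(BACKEND_ACL, "10.20.0.15", 22, "tcp"))    # deny
```

An IPv6 source never matches an IPv4 prefix, so the default deny is what protects dual-stack backends when only IPv4 rules exist.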

Network Security Architecture

Multi-Layer Protection Strategy

Perimeter Security:
  • Web Application Firewall (WAF)
  • DDoS protection
  • Geographic access controls
  • Rate limiting and throttling

Network Security:
  • Network Security Groups (NSG)
  • Virtual Private Networks (VPN)
  • Private endpoints and links
  • Network segmentation

Application Security:
  • API authentication and authorization
  • Certificate-based authentication
  • Token validation and management
  • Input validation and sanitization

Data Security:
  • Encryption in transit and at rest
  • Key management services
  • Database encryption
  • Backup encryption

Authentication Methods:
  • Multi-factor authentication (MFA)
  • Certificate-based authentication
  • OAuth 2.0 and OpenID Connect
  • SAML integration

Authorization Controls:
  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)
  • Resource-level permissions
  • API-level authorization policies

Identity Providers:
  • Azure Active Directory integration
  • External identity provider support
  • Federated identity management
  • Just-in-time (JIT) access

Banking Regulations:
  • PCI DSS compliance
  • SOX compliance
  • Basel III requirements
  • Local banking regulations

Security Standards:
  • ISO 27001/27002
  • NIST Cybersecurity Framework
  • SOC 2 Type 1 (Type 2 planned)
  • FedRAMP (where applicable)

Audit & Monitoring:
  • Comprehensive audit logging
  • Real-time security monitoring
  • Compliance reporting
  • Incident response procedures

Encryption Standards:
  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • End-to-end encryption for sensitive data
  • Hardware Security Module (HSM) integration

Data Classification:
  • Sensitive data identification
  • Data retention policies
  • Data sovereignty compliance
  • Privacy controls (GDPR, CCPA)

Backup & Recovery:
  • Encrypted backup storage
  • Cross-region replication
  • Point-in-time recovery
  • Disaster recovery procedures

Connectivity Patterns

Cloud-Native Connectivity

API Gateway integration, container-to-container communication, service mesh architecture, and cloud-native security controls

Hybrid Connectivity

VPN site-to-site connections, ExpressRoute private circuits, hybrid identity integration, and on-premises data synchronization

Legacy System Integration

Protocol transformation (REST ↔ SOAP), message queue integration, file-based data exchange, and database direct connectivity

Partner Ecosystem

B2B API connectivity, third-party fintech integration, open banking compliance, and marketplace connectivity

Next Steps