Grand Central provides secure, scalable connectivity patterns designed specifically for banking environments, ensuring enterprise-grade security and compliance.

Connectivity overview

Multi-layer security

Defense-in-depth approach with multiple security layers and controls

Banking standards

Compliance with banking security standards and regulatory requirements

Hybrid architecture

Support for cloud, on-premises, and hybrid connectivity patterns

High availability

Enterprise-grade uptime and disaster recovery capabilities

Azure cloud connectivity architecture

The platform uses Microsoft Azure’s enterprise-grade security and networking capabilities. The following sections describe the access patterns for different system types.

EBP client access

EBP client traffic enters the platform through the following layers:
  • Web application firewall (WAF) - provides the first line of defense, filtering malicious traffic and attacks before they reach application services. The WAF enforces DDoS protection and traffic filtering, SSL/TLS termination and inspection, rate limiting and throttling, and geographic access controls.
  • Azure Kubernetes Service (AKS) - hosts the container orchestration platform running EBP services. AKS provides secure multi-tenant isolation, automatic scaling capabilities, and integrated security controls for containerized workloads.
  • BaaS tenancy - ensures secure multi-tenant environments for banking services. Each tenant operates in logical isolation with dedicated resources, preventing cross-tenant data leakage and maintaining strict security boundaries.

External system access

External systems connect to Grand Central using the following mechanisms:
  • TLS/mTLS encryption - secures all external system connectivity with mutual authentication. Both client and server certificates are verified, ensuring bidirectional trust before any data exchange occurs.
  • VPN connectivity - establishes secure tunnel communication for point-to-point integrations. VPN gateways provide encrypted connectivity for fintech partners and open banking systems requiring dedicated network paths.
  • Network Access Control Lists (ACL) - enforce fine-grained network access policies. IP allowlisting restricts connectivity to authorized external systems only, with granular controls for each integration partner.
External integration patterns include API-based connections with OAuth 2.0, file transfer protocols (SFTP/FTPS), message queue connectivity, and webhook endpoints with signature validation.

Grand Central internal processing

Internal traffic flows through these components:
  • Request flow - follows a strict security path: WAF → API Management → Network Security Groups → AKS Runtime → NSG → NAT Gateway. Each hop enforces additional security controls and logging.
  • Network Security Groups (NSG) - provide micro-segmentation within the Grand Central tenancy. Traffic between components is restricted to explicitly allowed paths only, preventing lateral movement and limiting blast radius.
  • API Management (APIM) - enforces centralized policy controls including authentication verification, rate limiting, request transformation, and comprehensive audit logging for all API interactions.
  • Container security - protects the AKS runtime environment with image scanning, runtime threat detection, and security policy enforcement at the pod level.
  • NAT gateway - manages outbound traffic from the Grand Central tenancy, providing static IP addresses for backend system connectivity and simplified network ACL management.

Backend system connectivity

Backend systems connect to Grand Central through these options:
  • Azure Private Link - establishes secure, private connectivity to customer backend systems without exposing traffic to the public internet. Private endpoints eliminate public IP exposure and reduce attack surface.
  • Network ACL - controls granular traffic filtering for backend integrations. Access rules restrict connectivity based on source IP, destination port, and protocol, enforcing zero-trust network principles.
  • VPN gateway - extends site-to-site VPN connectivity for secure network integration. Customer backend networks connect seamlessly to the Grand Central environment over encrypted tunnels.
  • End-to-end TLS/mTLS - ensures all backend communications remain encrypted. Certificate-based authentication verifies both Grand Central and backend system identities before establishing connections.

Network security architecture

Defense in depth applies a multi-layer protection strategy across the following areas:

Perimeter security - controls at the network edge include:
  • Web Application Firewall (WAF)
  • DDoS protection
  • Geographic access controls
  • Rate limiting and throttling
Network security - internal network controls include:
  • Network Security Groups (NSG)
  • Virtual Private Networks (VPN)
  • Private endpoints and links
  • Network segmentation
Application security - application-level controls include:
  • API authentication and authorization
  • Certificate-based authentication
  • Token validation and management
  • Input validation and sanitization
Data security - data protection includes:
  • Encryption in transit and at rest
  • Key management services
  • Database encryption
  • Backup encryption
Identity and access management covers the following:

Authentication methods - supported methods include:
  • Multi-factor authentication (MFA)
  • Certificate-based authentication
  • OAuth 2.0 and OpenID Connect
  • SAML integration
Authorization controls - access is governed by:
  • Role-based access control (RBAC)
  • Attribute-based access control (ABAC)
  • Resource-level permissions
  • API-level authorization policies
Identity providers - integration options include:
  • Azure Active Directory integration
  • External identity provider support
  • Federated identity management
  • Just-in-time (JIT) access
Compliance and governance address the following:

Banking regulations - the platform supports:
  • PCI DSS compliance
  • SOX compliance
  • Basel III requirements
  • Local banking regulations
Security standards - alignment includes:
  • ISO 27001/27002
  • NIST Cybersecurity Framework
  • SOC 2 Type 1 (Type 2 planned)
  • FedRAMP (where applicable)
Audit and monitoring - capabilities include:
  • Comprehensive audit logging
  • Real-time security monitoring
  • Compliance reporting
  • Incident response procedures
Data protection is implemented as follows:

Encryption standards - encryption includes:
  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • End-to-end encryption for sensitive data
  • Hardware Security Module (HSM) integration
Data classification - controls include:
  • Sensitive data identification
  • Data retention policies
  • Data sovereignty compliance
  • Privacy controls (GDPR, CCPA)
Backup and recovery - capabilities include:
  • Encrypted backup storage
  • Cross-region replication
  • Point-in-time recovery
  • Disaster recovery procedures

Connectivity patterns

Cloud-native connectivity

API Gateway integration, container-to-container communication, service mesh architecture, and cloud-native security controls

Hybrid connectivity

VPN site-to-site connections, ExpressRoute private circuits, hybrid identity integration, and on-premises data synchronization

Legacy system integration

Protocol transformation (REST ↔ SOAP), message queue integration, file-based data exchange, and database direct connectivity

Partner ecosystem

B2B API connectivity, third-party fintech integration, open banking compliance, and marketplace connectivity
