
Security Architecture

Grand Central implements a comprehensive Zero Trust and Defense-in-Depth security architecture built on a hardened Azure Cloud platform, designed specifically for banking environments with SOC 2 Type 1 certification in place and Type 2 certification planned.

Security Overview

Zero Trust Architecture

A "never trust, always verify" approach with secure architecture and boundaries

Defense-in-Depth

Multi-layered security controls across ingress, API management, runtime, and egress

SOC 2 Certification

Type 1 certified with Type 2 certification planned for enterprise compliance standards

Continuous Security

Security integrated into SDLC with automated scans and monitoring

Core Security Philosophy

The platform is built on a hardened cloud architecture on Azure, designed to be secure and compliant (SOC 2 Type 1 certified, Type 2 certification planned). The core security philosophy relies on secure architecture and boundaries: Zero Trust and Defense-in-Depth.

Core Security and Access Components

The foundational security elements integrated into the platform components:

Azure Cloud Security Foundation

Azure Key Vault provides centralized secret management for secure storage and access to cryptographic keys, secrets, and certificates, including secure secret storage and retrieval, Hardware Security Module (HSM) support, access policies and audit logging, and certificate lifecycle management.

Microsoft Defender offers advanced threat protection and security monitoring across cloud resources, including real-time threat detection, security recommendations and alerts, vulnerability assessment, and compliance monitoring.

Azure Active Directory Integration

Azure Active Directory (AAD) is an enterprise identity and access management service providing single sign-on (SSO) capabilities, multi-factor authentication (MFA), conditional access policies, and identity federation support.

Azure AD Privileged Identity Management (PIM) enables just-in-time privileged access management with just-in-time access activation, time-bound privileged access, access review and approval workflows, and privileged access monitoring.

Security-Integrated Development

Security is integrated into the SDLC/Release Management Process, including security scans performed during Continuous Integration and automated checks during peer review.

Continuous Integration Security: automated security scans in the CI/CD pipeline, vulnerability assessment during builds, code quality and security gates, and dependency security scanning.

Peer Review Security: automated security checks during review, security-focused code analysis, compliance verification, and security best practice enforcement.

Comprehensive Security Monitoring

The platform offers full monitoring of auditing events and logs, with comprehensive alerting capabilities for security events and compliance monitoring.

Audit Logging provides a comprehensive audit trail for all platform activities. Real-time Alerts deliver immediate notifications for security events. Security Analytics enable advanced analytics for threat detection.

Layered Security by Function

Security policies are enforced at multiple layers—Ingress, API Management, Runtime, and Egress—to ensure defense-in-depth protection.

Ingress Security

Ingress Security governs incoming traffic protection against external threats through multiple security controls:

Web Application Firewall

Entry-point security policies with application-layer traffic inspection, OWASP Top 10 protection, custom security rule enforcement, and geographic access controls

DDoS Protection

Defense against Denial of Service attacks with volumetric attack protection, protocol mitigation, application layer defense, and real-time analytics

IP Filtering (NACL)

Granular IP-based access control with allowlist/blocklist management, geographic IP filtering, dynamic reputation filtering, and custom policies

mTLS Support

Mutual Transport Layer Security for strong client authentication with certificate validation, bidirectional authentication, and revocation checking

API Management Security

API Management Security at the API layer handles authorization, authentication, and traffic control:

Policy Enforcement

API policies enforce Authorization (AuthZ) and Authentication (AuthN) with OAuth 2.0, OpenID Connect, JWT validation, RBAC, and API key management

Traffic Shaping

Advanced traffic control with rate limiting per client, circuit breaker patterns, quota management, throttling, and load balancing with failover

Credential Management

Comprehensive credential manager for egress authentication with secure storage and rotation, Azure Key Vault integration, and certificate-based auth

AKS Runtime Security

AKS Runtime Security implements strict security and isolation controls within Azure Kubernetes Services:

Network & Pod Security

Policy enforcement managed with Kyverno for pod security policies and standards, network policy enforcement, resource quotas and limits, and security context constraints

Workload Isolation

Application workload isolation per Namespace using Network & Istio Policies with tenant isolation, service mesh security, inter-service encryption, and traffic segmentation

Standards & Best Practices

Pod Security Standards incorporated into Helm charts with security-hardened images, least-privilege access, runtime monitoring, and compliance validation

Egress Security

Egress Security protects outgoing traffic to backend systems and external services:

Connectivity Support

Multiple secure connectivity options including Azure Private Link for private connectivity, Site-to-Site VPN for secure tunneling, ExpressRoute for dedicated connections, and Internet connectivity with enhanced security

Filtering & Authentication

Comprehensive filtering and authentication for outbound connections via IP filtering with Network ACL, mTLS support for mutual authentication, certificate-based authentication, and protocol-specific security controls

API Management Security

Grand Central’s API Management layer provides comprehensive security controls for the full API lifecycle:

API Security Controls

The APIM layer provides comprehensive authentication and authorization controls to secure API access:

Authentication Methods: API keys for simple authentication, OAuth 2.0 for secure token-based access, integration with 1st and 3rd party Identity Providers (IDPs), and certificate-based authentication.

Access Control: IP-based access control for geographic restrictions, user groups and subscription management, role-based access controls, and API product-level permissions.

Rate Limiting & Security Policies

APIM provides over 50 built-in policies for comprehensive API protection:

Rate Limiting: request throttling and quota management, per-client rate limiting, burst protection, and fair usage policies.

Content Security: request/response validation, content filtering and sanitization, payload size restrictions, and format validation.

Security Monitoring & Insights

Comprehensive monitoring and analytics for security visibility:

API Usage Analytics tracks usage metrics, performance data, and error monitoring. Security Event Logging provides comprehensive logs for security events and API access. End-to-End Request Tracing enables complete request tracing for security audit and investigation. Alerts & Notifications delivers real-time alerts for security events and policy violations.

Internal Security Architecture

Grand Central Internal Flow ensures secure request processing within the Grand Central tenancy through multiple security layers.

The ingress flow follows: WAF (Web Application Firewall) → APIM (API Management) → NSG (Network Security Groups).

The egress flow follows: AKS Runtime (Kubernetes Services) → NSG (Network Security Groups) → NAT Gateway (Network Address Translation).

Internal Security Controls include Network Security Groups (NSG) for micro-segmentation, API Management policies and authentication, container security and runtime protection, and Network Address Translation (NAT) for outbound traffic.

Network Security provides comprehensive network-level protection and micro-segmentation:

Network Security Groups

Fine-grained network access control with Layer 4 traffic filtering (IP, ports, protocols), inbound and outbound security rules, micro-segmentation, and traffic flow monitoring

NAT Gateway

Secure outbound internet connectivity with static IP, controlled outbound access, network address translation, and enhanced security for outgoing traffic

Private Endpoints

Private connectivity to Azure services within VNET with elimination of public internet exposure, enhanced data protection, and network-level service isolation

Security Best Practices

Encryption Everywhere

  • TLS/mTLS for data in transit
  • Certificate-based authentication
  • End-to-end encryption protocols
  • Secure key management

Network Segmentation

  • Micro-segmentation with NSGs
  • Private network connectivity
  • Traffic isolation and filtering
  • Controlled access pathways

Access Control

  • Multi-factor authentication
  • Role-based access control
  • IP-based access restrictions
  • Comprehensive audit logging
