Axis Bank’s head of enterprise architecture, Karthik Somasundaram, told the recent AWS India summit that the bank had embarked on a digital transformation journey in 2021 to migrate 70 percent of its on-premises data centre infrastructure to the cloud.
“20 percent of Axis’ workloads are already on the cloud. It has deployed several mission-critical applications on AWS like the 'Buy Now Pay Later' product, loan management systems, WhatsApp banking and many more,” Somasundaram said.
He added that the bank uses services such as AWS Key Management Service (KMS), a fully managed service for cryptographic operations; AWS CloudHSM, a cloud-based hardware security module (HSM); AWS Identity and Access Management (IAM); and the AWS Encryption SDK, a client-side encryption library, to improve data security, compliance and customer experience.
Somasundaram added that Axis Bank has implemented a cloud-first agenda for all new applications. “The existing apps are re-engineered to be cloud optimised and take advantage of the OpEx model.”
“We also automated the cataloguing and governance of these data across on-premises and cloud,” he said.
Many of Axis Bank’s channel labs leverage cloud-scale infrastructure on AWS through managed services such as Amazon EKS, EMR, Lambda, RDS, DocumentDB, DynamoDB and CloudFront to enhance customer experience, he added.
Security is a key aspect to address while adopting the cloud, Somasundaram noted.
“Financial institutions deal with personally identifiable information (PII) among other sensitive data and it becomes important to have the right data protection mechanism,” he added.
To secure data across enterprises, Axis Bank has built a data production office with defined classifications of data elements for PII and sensitive personal data or information (SPDI), Somasundaram said.
“We have implemented a strong encryption strategy with AWS products to ensure the PII data is securely exchanged within the enterprise across the hybrid infrastructure.”
For securing data at rest, the bank deploys envelope encryption using AWS KMS in AWS storage services and certain databases like MongoDB, MySQL and more, the Axis Bank official said.
In the case of Oracle running on Amazon Elastic Compute Cloud (Amazon EC2), Somasundaram said the database can be integrated with the HSM directly, by loading PKCS #11 (Public-Key Cryptography Standard) libraries as a dependency.
“Our compliance policies do not allow our cloud-deployed apps to store data outside India. Hence we use our own dedicated HSM cluster,” he added.
Axis Bank onboards a managed service only if it has service organisation control (SOC 2/3) and ISO 27001 compliance, among other requirements.
“We ensure that SPDI data is tokenised or anonymised before it lands on the cloud. Thus PII data is encrypted with the bank's own keys generated in the bank's HSM cluster,” Somasundaram said.
KMS custom key
While there are three major ways to generate master keys in KMS, Axis Bank uses the KMS custom key store option, in which the keys are mastered in the customer-managed HSM cluster.
The bank has implemented automation to dynamically scale the HSM cluster. It has also created a cryptographic office to manage role-based access control (RBAC).
For data in transit, Axis uses message-level encryption so that PII cannot be compromised at SSL termination points such as load balancers, where transport encryption ends and the payload would otherwise be exposed in plaintext.
“Our Internet apps embed a dependency on the AWS Encryption SDK library to perform envelope encryption for data in transit,” he explained.
For Internet and invisible channels, Axis deploys a different SDK that uses a combination of symmetric and asymmetric algorithms to encrypt, sign and exchange data.
Somasundaram said Axis Bank is now pursuing the extension of this model to KMS-compatible software-as-a-service (SaaS) providers, so that data held there is also secured using the bank's own keys.