By Leo Vincke, Managing Director; and Thierry Miskaoui, Head of Customer Success – DiXiO
By Henry Su, Customer Solutions Manager – AWS
By Gloria Vargas, Global Account Manager – AWS
By Jack Iu, Solutions Architect – AWS
Financial institutions are migrating their core payments and transactional infrastructures to Amazon Web Services (AWS) to take advantage of the reliability, security, and agility provided by the cloud.
A key component of their transactional infrastructure is the connectivity to the SWIFT network and the availability of solutions to run this key workload fully in the cloud.
Financial services customers are looking to improve their scalability while maintaining the high levels of security required.
SWIFT has made progress offering small-footprint connectivity solutions, such as Alliance Lite2 and Alliance Cloud, to answer the needs of an increasing number of institutions who want to connect to the SWIFT network without having to deploy a large on-premises infrastructure (or use third parties such as service bureaus).
However, these solutions still rely on components that have to be installed, configured, and maintained by the customer including SWIFT Integration Layer (SIL) and SWIFT AutoClient, as well as on physical devices such as USB tokens or VPN boxes.
More importantly, customers have to maintain compliance with the SWIFT Customer Security Controls Framework (CSCF), and perform third-party audits on the SWIFT infrastructure every year. Those operational tasks require specific skills, not always available in mid-sized or even large organizations.
Customers are asking the following questions as they evaluate their migration from transactional infrastructures to AWS:
- How do I connect to SWIFT with a zero infrastructure footprint?
- If I already have infrastructure in the cloud, can I connect to the SWIFT network without managing SWIFT components?
DiXiO, as a SWIFT and AWS Partner, provides solutions to satisfy both of these questions on AWS. In this post, I will describe DiXiO managed services for SWIFT Connectivity, the architecture, deployment considerations, and the value-added services available to customers.
DiXiO’s managed services include the Serenity service, and DiXiO’s team of experts are available 24/7 to answer any questions, fix any issues, and proactively inform customers of all impacting changes from SWIFT. This includes new standard releases, ISO20022, security and CSCF updates, or innovations like gpi.
Small and Medium Size Customers Using SWIFT Alliance Lite2
For customers with transaction volumes up to a few thousand transactions per day (100,000 transactions per year), SWIFT Alliance Lite2 is the most cost-effective solution to provide access to the SWIFT network.
With SWIFT Alliance Lite2, the messaging and the communication interfaces are hosted directly on SWIFT’s servers. Customers only have to deploy a middle-ware component called AutoClient and secure the communications with SWIFT through one of the following options:
- Digital channel certificates and the use of either a physical virtual private network (VPN) box or the recently launched Alliance Connect Virtual VPN (both provided by SWIFT) to connect to the SWIFT network.
- Physical certificates stored on personal USB tokens and connect to SWIFT network directly over the internet.
With DiXiO Serenity Managed Services, customers benefit from SWIFT connectivity through AWS, with zero infrastructure on the customers’ side.
The case study showcased in this post details the implementation for a customer using Alliance Lite2 with SWIFT USB token certificates, but this pattern remains valid with a VPN option or with Alliance Cloud connectivity.
Figure 1 – Reference architecture for AutoClient.
AutoClient and USB Tokens with AWS
Since SWIFT AutoClient only runs in a Windows environment, DiXiO set up an Amazon Elastic Compute Cloud (Amazon EC2) Windows instance properly sized to run the AutoClient. From this instance, DiXiO only allows traffic to the SWIFT servers and blocks all incoming connections as required by SWIFT’s security framework.
To address the complexity of the AutoClient, DiXiO needs to access a certificate which is on a physical USB token. DiXiO set up a secure connection between its physical data centers and Amazon Virtual Private Cloud (Amazon VPC) that runs the EC2 instance to securely store the tokens. This means the customer grants DiXiO the right to manage its SWIFT token holding the AutoClient certificates.
With DiXiO’s Serenity service, DiXiO’s team manages the lifecycle of the AutoClient and SWIFT token certificates. This includes renewing passwords every 90 days, managing certificate expiration, and ensuring the AutoClient is always connected to SWIFT and available to the customer.
The control over the certificate remains in the customers’ hands since the security officers of the customer can, at any time, revoke the AutoClient certificate, which is effective immediately.
Secure File Transfers, MQ Messages, and APIs
With AutoClient and the secure connectivity to SWIFT running, DiXiO provides a secure way to send and receive files between customers’ existing back-office systems (core banking, enterprise resource planning) and their Amazon VPC.
To implement this secure connection, DiXiO offers several options for customers to integrate with their existing systems:
- Transfer files through SFTP using AWS Transfer Services
- Use MQ messaging with Amazon MQ
- API through Amazon API Gateway
The integrity of the files between the customer’s back-office systems and the SWIFT network can easily be guaranteed by using mechanisms such as LAU key.
Security and SWIFT Customer Security Control Framework
With the architecture described above, all of the components of the SWIFT Secure Zone are in the AWS account and managed exclusively by DiXiO. This means most of the controls of the SWIFT CSCF are handled by DiXiO natively, and the customer’s responsibilities are limited to controls related to operators’ PCs and generic controls such as security awareness trainings.
This setup greatly reduces the effort needed on the customer’s side to attest against SWIFT CSCF compliance every year. Refer to the Security Controls mapping table for more details.
The pattern described above was recently completed for Iznes, the first regulated, pan-European, DLT-based digital platform, with a quick implementation time that enabled the customer to remain fully cloud native.
“IZNES’ infrastructure being natively in the AWS Cloud, we needed a 100% cloud solution to plug onto SWIFT, ” said Jean-Robert Hervy, Managing Director and CFO at Iznes.
“Our market research showed that DiXiO is the only player offering cloud managed services to host SWIFT connectivity on AWS. The implementation was quick and straightforward. Overall, only a couple of weeks elapsed between the moment we received our BIC code and our first test messages on the SWIFT network.”
Besides these managed services around SWIFT connectivity, DiXiO has developed several value-added services in AWS that enable customers to integrate with SWIFT and benefit from the latest SWIFT innovations including:
- Unitary payment initiation through dedicated APIs as well as a user-friendly interface with templates.
- Management of universal confirmations and gpi tracker, allowing to trace in real time outgoing and incoming transactions.
- Sanctions screening through integration of SWIFT’s Sanction Screening solution.
- ISO20022 readiness and format conversion
Customer Onboarding and Migration
With the experience of many implementations, DiXiO has streamlined the customer onboarding process by automating most tasks. This allows DiXiO to deploy a new customer environment from scratch and integrate it with existing systems in a matter of days. A customer who already has its SWIFT BIC can test DiXiO’s managed services in AWS quickly.
For customers with existing SWIFT connectivity, it’s easy to switch from an on-premises infrastructure to DiXiO’s cloud solution by switching from sending files to their local AutoClient to sending them to DiXiO’s AWS solution through SFTP, MQ, or API. Customers can keep their local infrastructure as a backup initially and later disable it completely.
For more information, or if you’d like to test the service, you can contact DiXiO at [email protected].
The managed services described in this post are for an Alliance Lite2 setup and are also available for customers running SWIFT Alliance Access, Alliance Messaging Hub, or any other connectivity type.
DiXiO – AWS Partner Spotlight
DiXiO is an AWS Partner and SWIFT agent that provides off-the-shelf solutions to financial institutions who wish to connect to SWIFT in the cloud.
*Already worked with DiXiO? Rate the Partner
*To review an AWS Partner, you must be a customer that has worked with them directly on a project.