CxC Connectivity by Convergia
CxC Connectivity by Convergia

African Bank Adopts Zero Trust Access Strategy with New Integrated SD-WAN Security Architecture


In 2017, African banks and financial institutions lost a staggering $248 million to cybercrime, prompting one forward-thinking African bank to reassess its cybersecurity measures. Despite having adequate protection, their existing system faced challenges of complexity and manual processes, endangering their operations and customer trust. Connected via MPLS, with access controlled through ACLs, the architecture was not only costly but also vulnerable to errors and cyber threats. Operating under a two-vendor security strategy further compounded complexities, leading the bank to seek a more unified and efficient solution to combat evolving cyber threats. 


The bank’s five branches were connected to the company’s two data centers via multiprotocol label switching (MPLS), and access was controlled mostly via access control lists (ACLs). This was costly in terms of both communications charges and administration overhead, as any configuration change required site visits from skilled personnel. It also exposed the bank to the additional risk of security vulnerabilities arising from user configuration errors. At the time, like many of its peers, the bank operated under a two-vendor security strategy to provide a double layer of protection. 


The basic idea, once prevalent, was that if one vendor failed to detect an attack, it could be caught by the second. But as technology and the quality of shared threat intelligence have advanced throughout the industry, it is now widely accepted that any benefits are overshadowed by the increased cost, complexity, and potential vulnerabilities of having to master and manage two different yet overlapping security systems. 


The previous network also lacked a usable solution for remote virtual private network (VPN) access. This shortcoming would have proved especially problematic as the COVID-19 pandemic swept the country, resulting in a surge in demand for high-bandwidth remote access from the bank’s staff. 


After drawing up a detailed list of all such current and anticipated future requirements, the bank evaluated a shortlist of security vendors before finally deciding on Fortinet. “Not only did the Fortinet solution outperform the others in all the areas we looked at, but the pricing model made it by far the most convenient and cost-effective,” comments the bank’s Chief Information Security Officer (CISO). “With Fortinet, unlike most of the others, important networking functionality like software-defined wide-area networking (SD-WAN) as well as a full range of security features are already supported in the FortiGate Next-Generation Firewall (NGFW). These security features allow us to certify our security posture against banking-specific requirements such as SWIFT’s Customer Security Programme.” 


“The SD-WAN capability alone has yielded a 50% reduction in cost, as we were able to replace MPLS with inexpensive broadband connectivity,” adds the CISO, “and no additional hardware or licensing was required.” The chosen configuration consisted of FortiGate NGFWs for the SD-WAN linking the branches, with FortiSwitch, FortiWiFi, and FortiAP providing a consistent connection experience and security policy for both wired and wireless users. For additional security, availability, and optimization of the bank’s applications, FortiADC was deployed within the data center. With advanced security features such as a web application firewall (WAF), protection from viruses and distributed denial-of-service attacks (DDoS), as well as various application connectors, FortiADC brings easy deployment and full visibility to an organization’s application and service delivery network 


As with any organization that accepts, transmits, or stores customer financial data, the bank must comply with a range of security standards and regulations, such as the PCI DSS. Meeting such compliance mandates is an ongoing process involving continuous assessment and reporting that can prove costly and time-consuming without the appropriate tools. Thanks to the security rating capability within the FortiOS operating system, the CISO and his team are now able to continually check their bank’s infrastructure against industry standards such as PCI DSS, thus avoiding the need to hire expensive external consultants. 


“Fortinet’s intuitive graphical user interface–based management, with options like the security rating feature and the advanced reporting capabilities of FortiAnalyzer, has helped enormously with compliance,” adds the CISO. “Overall, we have achieved our objectives of increased security, visibility, and control,” he concludes, “and at the same time, we have reduced our operating expenses. And thanks to Fortinet’s ongoing training program, even the cost of bringing on new staff has been cut significantly.”