AWS Partner Network (APN) Blog
How Financial Institutions Can Innovate Faster with Virtusa’s Open Innovation Platform on AWS
By Ramesh Selvaraj, Sr. Director, Cloud Computing – Virtusa
By Dinuth De Zoysa, Sr. Cloud Architect and Open Banking Architect – Virtusa
By Hussain Shabbir, CCoE Lead and Sr. Director – Virtusa
By Néstor Gándara, Sr. Global Partner Solutions Architect – AWS
Virtusa |
Financial institutions need to keep up with fast-changing market conditions while increasing digital adoption. They can achieve digital transformation by creating new products, optimizing backend processes, and offering new services that use emerging technologies, innovative platforms, and partner ecosystems.
To provide an end-to-end digital experience to customers, financial institutions need capabilities to rapidly validate ideas and conduct experiments or proofs of concept (PoCs) with an ability to iterate quickly towards the final solution.
Virtusa’s Open Innovation Platform (OIP) is hosted on Amazon Web Services (AWS) and helps banks and financial services firms to achieve these goals quickly, efficiently, and at low cost. It offers companies the ability to reduce time to market for digital products and services through rapid test and learn capabilities.
Virtusa Corporation is an AWS Premier Consulting Partner that provides digital business strategy, engineering, and IT services. Virtusa has eight AWS Competencies in areas like Financial Services, DevOps, and Data and Analytics.
Challenges Faced in Product Innovation
As financial institutions attempt to transform digitally, they face a multitude of challenges, particularly from new-age tech companies such as high-tech and challenger banks. These disruptors harness the power of emerging technologies for agility, lower service margins, and customizable financial services for customers.
As digital adoption increases, financial institutions need to define robust product development processes and build partner ecosystems to become more agile and responsive to changing customer preferences.
Although most organizations are investing in an innovation infrastructure, they often struggle to reap the benefits these ecosystems could potentially offer.
On one hand, organizations struggle to generate real activity and identify the right PoCs for innovation. On the other, there is significant effort required to move these experiments to production. All of this makes it difficult to measure and quantify real outcomes from such initiatives.
Organizations need to think beyond innovation marketplaces to achieve the end objective of driving customer experience, improving topline, and reducing operational costs.
For this, organizations must optimize digital strategies with “customer first” principles and build capabilities to rapidly validate ideas and conduct experiments with an ability to iterate quickly towards the final solution. They also need to focus on an end-to-end digital product development approach.
Virtusa’s OIP Solution
Virtusa’s Open Innovation Platform (OIP) on AWS removes the friction points in the current product development processes. It enables financial institutions to reimagine innovation and accelerate their digital journey with the help of a digital twin environment in the cloud.
OIP provides organizations with the ability to rapidly test and adopt emerging technologies, build a transformation ecosystem, and rapidly deploy solutions into the production environment.
.
Figure 1 – Open Innovation Platform (OIP) solution journey.
OIP drives the ideation to solution journey for financial institutions with the help of these enablers:
- Partner and API ecosystems to enable the onboarding of third parties, including customers, tech providers, and other required partners and their APIs.
- Customer-first ideation that is based on Amazon’s “Working Backwards” methodology, allowing organizations to center the customer in any initiative.
- Digital twin environment that enables rapid development of digital products and services. The digital twin makes use of synthetic data that gets generated in line with the production data schema and metadata requirements with business functionalities exposed as APIs.
- Multi-organizational team assembly to connect cross-functional team members working towards common objectives.
- Standardized development to create solutions over an on-demand cloud integrated development environment (IDE) that are in line with organizations’ coding standards.
- Well-defined path to production based on integration with organizational code repositories and the DevOps pipelines.
- Open Banking sandbox to build innovative solutions using financial data to solve pain points for businesses and consumers. This includes Payment Services Directive 2 (PSD2) and Consumer Data Rights (CDR) APIs.
- Pre-trained AI models and model building capabilities to build faster AI-based solutions.
Virtusa’s OIP on AWS provides an integrated view of the product lifecycle from ideation to production. It drives significant value across the innovation lifecycle and provides compelling returns on innovation investment by:
- Lowering the cost of product development enabled by the rapid validation of ideas for faster innovation, thereby saving time and effort.
- Building new revenue sources and alternate business models in collaboration with fintechs.
- Enabling objective approach product funding by a “shift left” approach to the experimentation outcomes.
Solution Platform Explanation
OIP uses products and solutions from AWS to deliver secure innovation for end customers, allowing them to use native AWS services and solutions.
Further, OIP was designed and evaluated based on the five pillars of the AWS Well-Architected Framework: operational excellence, security, reliability, performance efficiency, and cost optimization.
Figure 2 – Open Innovation Platform (OIP) architecture. Click to enlarge.
OIP comprises more than 40 microservices with customer-centric features and functionalities such as partner onboarding, API onboarding, ideation, experimentation, and community.
All microservices are Dockerized, and container images are stored in Amazon Elastic Container Registry (Amazon ECR). Kubernetes deployment configurations for each microservice are templatized using Helm charts, and these version-controlled Helm charts are maintained in Amazon Simple Storage Service (Amazon S3).
Amazon Elastic Kubernetes Service (Amazon EKS) is used to deploy all microservices. The Horizontal Pod Autoscaler and Cluster Autoscaler are configured to automatically scale in/out the microservice replicas and the cluster node group. On-demand OIP online IDEs are provisioned by dynamically deploying Visual Studio Code-based custom Docker images to Amazon EKS.
Terraform is used for infrastructure as code (IaC) for AWS infrastructure provisioning, database schema setup, microservices deployment and configurations, setting up third-party monitoring and tracing tools in Amazon EKS, and deploying updates to OIP to Amazon EKS.
Depending on the customer requirements, OIP can be deployed with or without on-premises hybrid network connectivity. When OIP exposes customer internal APIs or systems to external partners, the AWS Direct Connect dedicated network connections between on-premises and AWS expects to be established. The Direct Connect Gateway is attached to the OIP Amazon Virtual Private Cloud (VPC) through AWS Transit Gateway.
OIP uses multiple AWS services for data persistence: application data is mainly stored in Amazon Aurora (MySQL), while multiple S3 buckets are used to store private and public documents, and OIP Online IDE instance user data is persisted with Amazon Elastic File System (Amazon EFS).
An Application Load Balancer-based ingress controller is set up and configured in EKS to expose the required services with host and path-based routes. Two Amazon CloudFront distributions are created with the origin of Application Load Balancer and a public S3 document bucket for fast and secure content delivery.
An AWS WAF Access Control List is configured for both CloudFront distributions with the rules for cross-site scripting, SQL injection, bad bots, allow lists, IP reputation lists, autoblock, and more.
AWS Certificate Manager is used by Application Load Balancer and CloudFront distributions to generate public SSL certificates. An Amazon Route 53 hosted zone is created for the OIP domain, and multiple subdomains are used to expose various OIP services.
Multiple monitoring tools are used to monitor applications and the AWS infrastructure services. Amazon CloudWatch dashboard and alarms are configured to monitor all OIP AWS resources. Various metrics are created and consolidated to the CloudWatch dashboard.
ElasticSearch, Grafana, Kibana, WeaveScope, Istio Kiali, and other tools are also set up and configured to monitor application health, tracing, and troubleshooting.
Multiple continuous integration and continuous delivery (CI/CD) tools are used across the software delivery lifecycle. AWS CodeCommit is used to version control all application code and deployment scripts, while AWS CodePipeline is used for the CI/CD pipeline.
All application and microservice build binaries are packaged as Docker images with version tags maintained in Amazon ECR. Application and microservice Kubernetes deployment configurations are packaged, version-controlled, and managed in S3 as Helm charts. All application components are deployed to EKS as containers.
Figure 3 – Open Innovation Platform (OIP) areas.
Security of OIP
Virtusa’s OIP on AWS integrates with internal systems, external systems, and partner environments. Security is a key consideration in OIP across the entire application and infrastructure stack.
Microservices have integrations with AWS-native services to deliver platform functionalities. AWS Identity and Access Management (IAM) role-based access control is implemented to grant required permissions to microservices to interact with AWS services using Amazon EKS service accounts with least privileges.
OIP user access is managed through Keycloak, which is an open-source IAM solution aimed at modern applications and services. Keycloak makes it easier to secure applications and services with little to no code by maintaining a user directory, role-based access controls, OIDC support, SDK operations, and more. It can be replaced with RedHat Single Sign-On (SSO) with a commercial license.
Figure 4 – Keycloak workflow.
Bank APIs and third-party and partner APIs that are onboarded on OIP using the self-onboarding wizards automatically get configured with Amazon API Gateway with AWS Lambda authorizers by adding an extra security layer.
Open Banking APIs interact with multiple parties such as the open banking registry, account and payment information service providers, data holders, data recipients, and customers.
Custom security profiles based on TLS certificates, client credentials, and authorization code grant-based authentication and authorization flows are implemented in Amazon API Gateway’s Lambda authorizers. API consumers can subscribe to these APIs through OIP and generate access tokens based on the subscription. API subscriptions are evaluated through the Lambda authorizers.
The OIP platform is exposed to the public through Amazon CloudFront, which has viewer certificates configured with AWS Certificate Manager.
Application components that need to be exposed to the public expect to be configured with an ingress in EKS to expose it through Application Load Balancer, and the CloudFront distribution is configured.
Additionally, public S3 buckets are exposed with another CloudFront distribution with ACM and origin access identities.
AWS WAF is configured on CloudFront distributions to protect OIP against common web exploits and bots, such as SQL injection and cross-site scripting that may affect availability, compromise security, or consume excessive resources. Application components can only be accessed with HTTPS.
AWS Shield Standard automatically defends against most common, frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced is enabled depending on customer requirements.
All application components are deployed in private subnets, including an EKS cluster with Node groups and database components. Public subnets have NAT gateways, Application Load Balancer, and optional bastion server only.
AWS Key Management Service (KMS) customer-managed keys are used to encrypt the data at rest in Amazon Elastic Compute Cloud (Amazon EC2), Amazon Relational Database Service (Amazon RDS), and S3. Kubernetes secrets are used to store application secrets that are encrypted with a KMS key.
AWS Systems Manager Patch Manager is used to automate the process of patching managed instances with both security-related and other types of updates. Amazon Inspector uses best practices to automatically assess applications for exposure, vulnerabilities, and deviations.
In addition, Virtusa’s AWS Landing Zone creates a centralized logging solution. Where the Log Archive account contains a central S3 bucket for storing copies of all AWS CloudTrail and AWS Config log files, Amazon GuardDuty is used to detect any malicious activity.
CloudWatch alarms are created with ServiceNow integration to create severity tickets based on GuardDuty findings. The OIP platform persists all data to either an RDS database or S3 document storage.
Case Studies and Benefits
Virtusa’s OIP accelerates the product development journey by removing friction points in the existing processes and unlocking new business models and revenue opportunities for financial institutions.
OIP also enables financial institutions to lower the cost of product development through the ability to rapidly validate ideas and take them to production faster, thereby saving time and effort.
OIP has helped to create various global marketplace ecosystems and assisted banks and financial institutions in their digital transformation journeys.
OIP Helps AFIN Launch APIX Global Marketplace
ASEAN Financial Innovation Network (AFIN) is a cross-border, open-architecture platform that drives financial inclusion through a networked API banking technology marketplace.
Virtusa customized its Open Innovation Platform to align to AFIN’s region-specific requirements for APIX. It allowed financial institutions to quickly discover, conceptualize, and deploy industry solutions within their infrastructure or through the cloud for operational efficiency, revenue opportunities, and better risk and compliance.
APIX had successfully built an ecosystem of more than 60 financial institutions and over 350 fintechs from across the globe. The platform enabled industry leaders to work with partners in solving critical issues in the financial services industry.
Read the full Virtusa-AFIN case study >>
Virtusa Enables Emirates NBD’s Digital Transformation Journey
Emirates NBD (ENBD) is one of the top banks in the Middle East based out of Dubai. The bank has been leading digital Open Banking transformation initiatives in the region.
Emirates NBD partnered with Virtusa to develop a cloud-based, gamified Open Banking sandbox that enables developers and fintechs to ideate, build and publish API applications, and create minimum viable products (MVPs).
OIP provided a simulated banking space to experiment and create real-world apps and services. The platform consists of over 200 APIs and 900 endpoints covering retail, corporate, and small or mid-size business lines.
The OIP platform enabled ENBD to build one of the first Open Banking transformation ecosystems in the region. It allows ENBD to quickly evaluate and certify fintechs with reduced onboarding time by 75% and co-create solutions in collaboration with these partners.
ENBD has been able to build over 25 PoCs in partnership with over 50 fintechs globally.
Read the full Virtusa-Emirates NBD case study >>
Conclusion
Virtusa’s Open Innovation Platform (OIP) on AWS removes the friction points in current product development processes. Financial institutions can reimagine their customer experience and innovate and accelerate their digital journey with the help of a digital twin environment in the cloud.
OIP provides organizations with the ability to rapidly test and adopt emerging technologies, build a transformation ecosystem, and rapidly deploy solutions into the production environment.
Virtusa – AWS Partner Spotlight
Virtusa is an AWS Premier Consulting Partner and global provider of digital business strategy, engineering, and IT services and solutions. Virtusa accelerates clients’ cloud adoption through technical, training, and GTM investments.
Contact Virtusa | Partner Overview
*Already worked with Virtusa? Rate the Partner
*To review an AWS Partner, you must be a customer that has worked with them directly on a project.