SWIFT Alliance Connect Virtual Evolves Payments Connectivity for the Cloud
Global financial services markets are preparing to kick off the transformational migration to the new messaging standard, ISO20022. The coexistence period defined by SWIFT starts in November 2022. Since the publication of AWS’s guidance for migrating the SWIFT client connectivity stack to cloud, we have seen all sizes of financial services institutions and corporate treasuries accelerating their AWS migrations. This will enable these companies to realize the efficiency, resiliency, and security of the cloud.
AWS customers, SWIFT and AWS Partners are working together to evolve the connectivity stack. We’ve identified opportunities to reduce friction and move toward cloud-native solutions, while maintaining the highest levels of security and compliance. In April 2022, SWIFT announced a crucial step in this direction with the general availability launch of Alliance Connect Virtual. This is a new network connectivity solution that lets users deploy their SWIFT VPN connections in the public cloud, instead of hosting the hardware in their own data centers. Alliance Connect Virtual is planned for production implementations on AWS by end of Q2/2022.
Alliance Connect Virtual is initially available for production implementations as a single VPN configuration for customers with small and medium sized SWIFT messaging volumes using SWIFT’s messaging solutions for example Alliance Lite2. Simultaneously, pilots are underway for dual VPN configurations suitable for Full Stack customers with regional and global SWIFT gateways.
Evolving a cloud-friendly SWIFT stack
The high levels of security required to connect core transactional applications to SWIFT have traditionally relied on hardware devices. It uses SWIFT HSMs to sign messages and store private keys and associated information, as well as SWIFT Alliance Connect VPNs to establish secure VPN tunnels to the SWIFT Multi-Vendor Secure IP Network (MV-SIPN). For customers migrating to the cloud, the specialized hardware devices required by SWIFT require a hybrid approach. The devices remain at the customer’s data center or are migrated to a colocation partner. SWIFT, in collaboration with customers and cloud providers, has worked to provide a software cloud native alternative to the existing VPN device, Alliance Connect Virtual. This will aid customers as they continue to migrate critical applications to the cloud.
This combined effort continues the guidance from SWIFT on high availability reference architecture to run Alliance Message Hub (AMH) on AWS, as well as the updates to the SWIFT Customer Security Control Framework that reflect the shared responsibility model and controls under the responsibility of AWS.
SWIFT Connectivity Reference architecture
The availability of Alliance Connect Virtual lets SWIFT customers implement a cloud-native SWIFT connectivity stack on AWS. The new implementation guidelines have been updated in our AWS QuickStart for SWIFT Client Connectivity, including revised security control mapping aligned with SWIFT’s CSCF 2022.
The reference architecture shown in the figure above represents an example pattern for the SWIFT Lite2 implementation on AWS. This includes the newly released software vSRX, which replaces the previous hardware VPN device. With this fully AWS-based environment, customers can deploy their connectivity stack in multiple Availability Zones or Regions. Furthermore, they can define business continuity or disaster recovery environments, in addition to regional SWIFT gateways to fit their messaging needs.
The deployment of the new Alliance Connect Virtual component can be completed using the AWS CloudFormation template that SWIFT provides to AWS customers when they subscribe to the new solution. The template can be deployed together with the SWIFT Client Connectivity on AWS Quick Start to complete the end-to-end SWIFT Connectivity infrastructure.
Customers using the new Alliance Connect Virtual can initially use internet connectivity. Future versions will provide options for VPN clustering for high availability and private-leased line connections through AWS Direct Connect as provided by SWIFT Network Partners.
For customers requiring SWIFT HSMs, the patterns described in our AWS Quick Start outline the options for leveraging colocation providers and establishing network connectivity between AWS and the SWIFT HSM through AWS Direct Connect.
From a security perspective, customers must comply with SWIFT’s Customer Security Controls Framework (CSCF) and attest against SWIFT’s mandatory security controls. As AWS and SWIFT continue to evolve the connectivity options, AWS will provide customers with the required third-party assessment certificates for the CSP controls under AWS responsibility. This may help reduce the required time and resources that the financial institutions invest during the CSP attestation period. Updated CSCF guidance for an AWS deployment, including the new software vSRX component, is available in our AWS QuickStart for SWIFT Client Connectivity.
By 2025, 85% of global high-value payment clearing and the majority of cross-border payments will converge on the ISO20022 standard as their unifying language. Next generation payment platforms, built with APIs and event-driven architectures, are leveraging cloud technology to address this transformation. This is not only a technical upgrade, but also an opportunity to create new business models. These new platforms must remain securely and reliably connected to SWIFT for cross-border transactions.
The evolution of the SWIFT connectivity stack toward cloud-friendly solutions is a strategic focus of the collaboration between AWS, SWIFT, and the industry. Alliance Connect Virtual is a key milestone toward a stack that enables the accelerated transformation pace in the payments industry.
Stay tuned for our upcoming posts in this series, Evolving Payments Connectivity for the Cloud, which will cover best practices in deployment automation, security, compliance monitoring, new AWS Partner solutions, and much more.