case study of videoconferencing implementation

Over the past decade, banks have become the center of IT innovation and home to the most mature culture of developing and operating IT services. However, because of strict regulation, implementing even simple, familiar services in a bank often involves complications.

I am Mikhail Nikiforov, a K2Tech expert on videoconferencing. We prepared this article together with my colleagues – Olga Trofimova, head of consulting at K2 Cybersecurity, and Vasily Kuts, director of industry solutions for commercial banks at K2Tech.

I would like to talk about the specifics of the requirements for IT infrastructure in banks and use an example to show how the implementation of these requirements is reflected in fairly standard projects.

Regulatory requirements for information security in banks

Banking IT systems are subject to a fairly large number of requirements in the field of information security from both Russian legislation and international organizations:

  • The regulator of the banking and financial sector of Russia is the Central Bank. It develops regulations that define the requirements for IT and information security management in banks and other financial organizations.

  • When making payments and transferring funds, banks must comply with the requirements of the Central Bank of the Russian Federation and the national standard for money transfer systems GOST R 57580.1-2017 “Security of financial (banking) transactions…”.

  • When processing data from payment cards issued by foreign payment companies (Visa, MasterCard, American Express, Discover Card, JCB), the bank is obliged to comply with the requirements of the payment card security standard PCI DSS.

  • As subjects of critical information infrastructure, banks fall under the requirements of Federal Law No. 187 “On the security of the critical information infrastructure of the Russian Federation” and the decree of the President of the Russian Federation No. 250 “On additional measures to ensure information security of the Russian Federation”.

  • In connection with the processing of personal data (including data of employees, clients and counterparties), banks must comply with the requirements of Federal Law No. 152-FZ of 27.07.2006 “On Personal Data”.

  • According to the requirements of the Decree of the President of the Russian Federation No. 250, banks must stop using information security tools and information security services provided by companies from “unfriendly” countries by January 2025.

  • Additional requirements for information security arise when connecting certain services, for example, integration with the Unified Biometric System (UBS) for identifying and authenticating citizens by face and voice.

To meet all these information security requirements in banks, it is necessary to implement a comprehensive information security system. The key features of its construction are:

  • Before designing and implementing an information security system, the bank needs to determine the required level of protection so that all information security requirements are taken into account. This includes the level of protection of personal data processed in ISPDN (personal data information systems), the level of protection required by the Central Bank of the Russian Federation, and whether the bank operates significant critical information infrastructure objects and of what importance category.

  • When designing and implementing an information security system, current information security threats defined in accordance with legal requirements must be taken into account.

  • The legislation of the Russian Federation in the field of information security, in particular GOST R 57580.1, imposes increased requirements on technical means of protection used in banks. Thus, in addition to traditional means of antivirus protection and firewalling, banking organizations must also use SIEM and WAF class solutions.

  • When designing a security system, banks must take into account the availability and form of compliance assessment of information security solutions, especially when using certified solutions. For example, cryptographic means of encrypting personal data transmitted over open channels must have a certificate from the FSB of Russia.

  • The bank's internal IT infrastructure should be segmented. Servers used for payment transactions are placed in a separate segment. Resources that require Internet access are placed in their own segment (a DMZ).

  • In addition to technical means, the bank must implement organizational measures to protect information. The bank's structure also includes a division responsible for information security management and subordinate to the deputy head of the organization (in accordance with the requirements of presidential decree No. 250).

  • If a bank develops software on its own, it is essential to implement SDLC and DevSecOps practices.

  • In the event of incidents, the bank's information security (IS) service must correctly and promptly inform all interested regulators, including the National Coordination Center of the FSB of Russia, FinCERT of the Central Bank of the Russian Federation and Roskomnadzor (in the event of incidents related to leaks of personal data).

  • The legislation obliges the bank to maintain the effectiveness of the protection system and conduct periodic audits of the information security for compliance with the requirements of the Central Bank of the Russian Federation and the legislation on personal data. The bank must promptly send a report on compliance with the requirements of GOST R 57580.1 to the regulator in the form established by GOST R 57580.2.

To implement all of this, both technical means of protection and mechanisms at the application software level are used: identification, authentication, authorization, logging, integrity control, encryption at the application level, and so on.

Even Active Directory, because it carries security-related functions (for example, group policies), counts as a means of information protection and is subject to the same requirements.

In addition to mandatory requirements, a bank may voluntarily decide to comply with additional requirements in the field of information security. For example, to implement a commercial secret regime in accordance with the requirements of Federal Law No. 98-FZ, or to ensure that the information security management system complies with the requirements of STO BR IBBS (Bank of Russia Standard for Ensuring Information Security of Banking System Organizations) or ISO 27001:2022. Then, when designing a security system, the requirements of these documents are also considered.

Internal requirements of banks for IT systems

Banks' “self-restrictions” on using certain solutions are stricter than the regulator's requirements. For example, banks are not prohibited from using clouds for certain tasks, or from transferring masked, anonymized data there. In practice, however, banks keep application services, data and the development infrastructure inside their own perimeter.

When developing internal restrictions, the bank takes into account not only regulations, but also assessments of the consequences of leaks: fines, financial and reputational losses. And those who decide to implement something unsafe also risk their careers. Therefore, banks host as many services as possible inside the internal perimeter. Of course, this complicates the allocation of on-demand resources compared to public clouds. And when we come to do a pilot project, waiting several months for the resources that the client will allocate to us in their private infrastructure is the norm.

As a result, banks are like bastions from the point of view of information security. The focus of information security on protection against internal fraud is increasing. And recently, our clients in banks have begun to request the distribution packages of the solutions being implemented so that they can examine them themselves. And in order to deploy something, we need to physically come to their perimeter with a server, install it, configure it there, deploy it. And take only logs away with us.

Another feature of banks, as well as retail, where a minute of downtime costs millions, is high requirements for uptime and speed of application services. Transactions must be carried out, videoconferencing must not fail, and so on. When there are failures, heads fly.

Which solutions are the hardest to replace under import substitution?

Some solutions are quite common, but projects to replace them are long and expensive. For example, large heavyweight corporate data warehouses on Oracle and systems like Siebel used in the role of BPM (business process management). Projects to migrate from such systems to domestic solutions will take 1 year or more and will drain significant resources. Also, to predict the stability of the product development roadmap, it is important what stack domestic analogues are based on: in-house development or development based on open-source solutions. The transition is also complicated by the meager line of domestic NGFW analogues, although we are already doing a good job with this.

Therefore, potential customers put off replacing all these systems until the last minute.

Risks of AI implementation in banks

The Central Bank has not yet created regulations for the use of AI in banks, but they will probably appear soon. The Central Bank has issued a report for discussion on the application of AI in the financial market. In a nutshell, the introduction of AI, according to the Central Bank, creates risks:

  • in the field of data circulation and information security (leakage of personal data and other confidential information, cyber attacks, digital fraud);

  • development and distortion of the work of AI models (hallucinations, errors in testing and validation, lack of control, incorrect interpretation of results);

  • ethical risks and risks of violation of consumer rights;

  • the use of deepfakes and generative AI in general in fraud;

  • dependence on large market participants developing AI tools, macroeconomic risks and risks of financial instability, the need to use foreign solutions.

So far, according to our observations, AI in banks is used where the consequences of a single small error are small: segmentation of the lead and user base for promotions, customization of user experience, BI, automation of support. If AI gets access to personal data, real information about products, to making management decisions, then this will be a completely different story.

The nuances of engaging contractors in the implementation and operation of IT systems

Formally, if the contractor's work is in any way related to information security, it needs a license from the FSTEC for activities on technical protection of confidential information (TPCI). And an organization implementing cryptographic information protection facilities (CIPF) needs special licenses from the FSB of Russia.

In fact, it is difficult to imagine the deployment of any infrastructure without the deployment of security tools. So the implementation of any infrastructure solutions requires the contractor to have at least an FSTEC license.

Banks' internal IT services have long had top expertise and solve a huge number of problems on their own. When they do involve integrators, they turn out to be excellent clients: they understand well what they want and speak the same language as the integrators.

How IT requirements in banks affect the implementation of simple projects: a case study of videoconferencing implementation

I will give an example of how a fairly simple project becomes much more complicated due to regulation. One of the top Russian banks with dozens of representative offices in Russia contacted us to implement a videoconferencing service (VKS). VKS was supposed to be used, among other things, for communications with corporate clients, contractors, partners.

The project solved two problems at once:

  • Transition to a single vendor solution. Before the implementation, each team used something different for communications: Teams, Skype for Business, Cisco, Zoom. All of this was determined by personal preferences and user experience. At some point, it became too difficult to administer so many systems, and employees were constantly confused about where to go to meetings.

  • Import substitution. Everything is standard here: having lost support, the bank wants to remove the risks of the collapse of communication solutions, which can happen at any moment.

We proposed to implement a videoconferencing solution from IVA — a mature vendor with more than 10 years of history on the market, an experienced team, adequate engineers and technical support. We trust their solutions and they are always on our shortlist for client implementations.

Elements of the solution. The main element of the IVA VKS infrastructure is the server to which clients connect to participate in a video call. Clients can be software, web, or videophones.

The web client allows you to connect to a conference without downloading the client, via a link. This is essential for working with partners, contractors and large clients.

If clients are connected to different VKS servers, they are not in the same conference. But they can still be combined, for this purpose the servers themselves are connected – a trunk (cascade connection). This point will be key in solving this case.

Selecting a solution architecture. Although the task of implementing VKS is quite trivial, the CONVENIENT ←→ SAFE slider in banks is definitely turned up to maximum security. So in this project it was necessary to figure out how to connect callers from the internal network and the Internet, which are isolated from each other.

When we were thinking about how to implement VKS at the architectural level, we had several options:

Option 1. Opening ports
  Hosting of the VKS server: in the DMZ.
  Details: To allow connections to the VKS server from both the internal network and the Internet, ports are opened on the DMZ boundary towards the internal network and towards the Internet.
  Pros: Easy to set up.
  Cons: Categorically unacceptable to the information security service because of the open ports.

Option 2. WAF
  Hosting of the VKS server: in the internal network.
  Details: The DMZ contains a WAF for filtering traffic and Nginx/TURN servers for proxying audio and video. Internal network users have direct access to the VKS server; Internet users connect via the WAF and Nginx/TURN.
  Pros: This scheme is recommended by the vendor.
  Cons: Too many ports have to be opened, and VKS compatibility with the specific WAF must be checked.

Option 3. VPN
  Hosting of the VKS server: in the internal network.
  Details: Internal network users have direct access to the VKS server. External users connect via a VPN installed on trusted devices.
  Pros: The scheme suits the information security service, and the operating process is understandable to users.
  Cons: Third-party users who do not have the corporate VPN cannot connect.

Option 4. Two VKS servers
  Hosting of the VKS servers: one in the DMZ and one in the internal network.
  Details: Two videoconferencing servers are installed. Internal users connect to the internal server, external users connect to the server in the DMZ. A cascade (trunk) is created between the two servers.
  Pros: The scheme suits the information security service.
  Cons: An additional VKS server is needed, with a separate license. Manual operations by the employee organizing the conference are required to create the cascade.

Now, in 2024, the optimal solution would be a session border controller. But in 2023, when we were doing this project, IVA did not have it yet. Now it does, in their line it is called IVA SBC. SBC allows you to securely establish connections between videoconferencing subscribers in the internal network and the Internet.

The solution with a session border controller is similar in terms of network topology to the solution with a WAF. Only instead of a WAF server, an SBC is placed in the DMZ, which can additionally filter video communication protocols and does not require direct opening of multiple ports from the Internet, which was the reason for the security service's refusal of this scheme.

We have already successfully implemented IVA SBC in several projects. So today this solution would be the simplest.

Initially, the customer's information security department agreed on the first option, with opening a large number of ports. During implementation, they realized that they were not ready to provide access from the Internet to the bank's internal network. Information security services are like that: sudden but relentless, and convincing them otherwise is unrealistic. So we moved on to the other options.

The WAF option did not satisfy the information security service either. The VPN option fatally complicated the use of the server for non-bank employees.

In the end, we implemented the two-server option, with a second VKS server in the DMZ. It is the most stable and secure, although not the most convenient:

  • Internet users can initiate a connection only to a server in the DMZ, but not to an internal one;

  • The cascade is initiated from the VKS server in the internal network, which connects to the server in the DMZ.
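The two rules above are a direction policy: the Internet may initiate connections only into the DMZ, and the only link into the internal network is the cascade that the internal VKS server opens towards the DMZ itself. The script below is an added example, not code from K2Tech, IVA or the bank: it encodes that policy as a zone table, evaluates proposed flows against it (including the flows that the rejected "opening ports" option would have required), and renders the permitted flows as an nftables-style forward chain. Zone names used as interface names, the port numbers and the port ranges are constructed placeholders, not the vendor's or the customer's real values.

```python
"""Zone-direction policy check for the two-server VKS design (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str   # zone whose host opens the connection (the initiator)
    dst_zone: str   # zone whose host listens
    proto: str      # "tcp" or "udp"
    port: int       # listening port
    purpose: str    # human-readable label for the review output


# Approved (initiator, listener) pairs and the services allowed on each.
# The essential property of the final design: "internal" never appears as a
# listener for "dmz" or "internet". Ports are constructed placeholders:
# 443 stands for the web client, 5061 for the cascade signalling, and the
# UDP range for media. Use the real vendor documentation in practice.
ALLOWED_SERVICES = {
    ("internet", "dmz"): [("tcp", 443, 443), ("udp", 50000, 50099)],
    ("internal", "dmz"): [("tcp", 5061, 5061), ("udp", 50000, 50099)],
    ("internal", "internal"): [("tcp", 443, 443), ("udp", 50000, 50099)],
}


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Return (permitted, reason) for one proposed flow."""
    pair = (flow.src_zone, flow.dst_zone)
    if pair not in ALLOWED_SERVICES:
        return False, f"{flow.src_zone} may not initiate connections into {flow.dst_zone}"
    for proto, lo, hi in ALLOWED_SERVICES[pair]:
        if flow.proto == proto and lo <= flow.port <= hi:
            return True, "permitted"
    return False, (f"{flow.proto}/{flow.port} is not an approved service "
                   f"from {flow.src_zone} to {flow.dst_zone}")


# Constructed request list: what each architecture option would need.
REQUESTED_FLOWS = [
    Flow("internet", "internal", "tcp", 443, "option 1: Internet users straight to internal VKS"),
    Flow("dmz", "internal", "tcp", 5061, "cascade opened from the DMZ side (wrong direction)"),
    Flow("internal", "dmz", "tcp", 5061, "cascade opened by the internal VKS server"),
    Flow("internet", "dmz", "tcp", 443, "external web client to the DMZ VKS server"),
    Flow("internet", "dmz", "udp", 50050, "external media to the DMZ VKS server"),
    Flow("internet", "dmz", "tcp", 22, "SSH from the Internet to the DMZ server"),
]


def review(flows=REQUESTED_FLOWS) -> dict[str, bool]:
    """Map each requested flow's purpose to whether the policy permits it."""
    return {flow.purpose: evaluate(flow)[0] for flow in flows}


def render_nftables() -> str:
    """Render the approved cross-zone flows as an nftables forward chain.

    Interface names equal zone names here (constructed). Intra-zone traffic
    never crosses the firewall, so it produces no rule. Default policy is
    drop, so anything not listed (Internet -> internal, DMZ -> internal) is
    refused even if someone adds a host later.
    """
    lines = [
        "table inet vks_edge {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for (src, dst), services in sorted(ALLOWED_SERVICES.items()):
        if src == dst:
            continue
        for proto, lo, hi in services:
            dport = str(lo) if lo == hi else f"{lo}-{hi}"
            lines.append(f'    iifname "{src}" oifname "{dst}" {proto} dport {dport} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for flow in REQUESTED_FLOWS:
        ok, why = evaluate(flow)
        print(f"{'ALLOW' if ok else 'DENY ':5} {flow.purpose}: {why}")
    print(render_nftables())
```

Running the script prints a verdict per requested flow and the generated ruleset. The useful habit it illustrates is keeping the direction policy in one reviewable place and deriving the firewall rules from it, so that a new port request is checked against the same table the information security service already approved rather than negotiated rule by rule.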

Implementation and development plans of the VKS. We started implementing the project in early 2023. The total duration of the implementation project, including documentation, was 4 months. The following stages of implementation can be distinguished:

  1. The piloting stage took up 30% of the project time and allowed us to check the integration with the bank's systems: Cisco phones and terminals, Active Directory. In addition, we implemented access to the videoconferencing from the customer's entire infrastructure: data centers, subnets, local sites. This is a separate stage, because in banks, approvals for network access are long and tedious.

During the piloting, we encountered another standard feature of banks – they do a lot of things themselves because they cannot let us in. We deployed a pilot zone with IVA solutions at the customer's, but the solutions themselves were tested only by the customer's technical specialists during the piloting period.

During the piloting, the VKS server was launched as a VM with testing of the possibility of 20-30 connections.

  2. The scaling stage, in which the solution deployed during the piloting is expanded. In addition to the main server that controls the conference, a specialized video processing server is brought up, which increases the video communication capacity to hundreds of participants. In addition, all VKS servers are implemented as a fault-tolerant cluster.

  3. Implementation of a VKS server in the DMZ. The server is installed as a VM and connected to the VKS server in the internal network and to the Internet.

Further development possibilities of the system. The VKS is deployed in the Moscow data center. The customer's regional divisions, communicating via VKS through secure trunk channels, thus send traffic through the Moscow data center from all over the country. If it is necessary to scale the system, remote VKS servers can be installed in regional offices.

Results

From an IT perspective, banks are simultaneously over-regulated and technologically advanced. Requirements for IT infrastructure in banks are largely determined by the requirements of regulatory documents for information security. They determine both the features of specific solutions being implemented and the organization of their maintenance.

At the same time, banks themselves develop strict internal requirements. Even what is not prohibited by the regulator, banks do not allow themselves because of fines, reputational risks, losses. For example, banks are very careful when using clouds, even FZ-152-compliant, and prefer to create everything in-house.

The implementation of even the most uncomplicated projects, such as VKS, leads to a more complex architecture, higher costs, and a more complex business process, which includes manual operations. But this is a conscious choice of banks.
