AWS Partner Network (APN) Blog
How to scale for growth, leverage your data and drive down total cost of ownership (TCO)
By Angelo Malatacca, Partner Solutions Architect, AWS
By Simon Larsen, Strategic Advisor, REGDATA
By Gilles Ducret, CTO, REGDATA
By Nicolas Prince, CEO, REGDATA
Introduction
Today’s CIOs and CTOs face competing objectives: delivering scalable, global platforms that lower TCO and leverage their data assets, while strengthening data security and controls and complying with increasing and varying local regulations.
To achieve the first objective, companies look to leverage capabilities such as SaaS solutions.
Organizations are increasingly adopting cloud-based solutions to improve operational efficiency. According to Gartner’s research, by 2025, 85% of enterprises will use a cloud-first principle for their workloads[1]. Popular approaches include:
- SaaS solutions for standardized processes
- Multi-entity single instance (MESI) architectures for consolidated operations
- Cloud data platforms for scalable data management
These solutions can deliver performance benefits while maintaining security through proper controls and governance frameworks[2].
Companies must comply with various data regulations and privacy standards. These requirements often lead to additional costs and operational overhead. To meet compliance obligations, organizations typically implement data vaults, local instances of key applications, and local or private cloud storage solutions. These measures help satisfy local data regulations, data privacy standards, and data residency requirements.
The complexity of applying and managing these controls and standards is further compounded by the many different ways in which they are applied, i.e. by the lack of a common pattern across a company’s IT landscape.
The RegData Protection Suite (RPS) enables organizations to maintain a single, global IT landscape by separating data security controls from core infrastructure, allowing platforms to scale efficiently while reducing costs. Through its intelligent compliance engine, RPS automatically tokenizes sensitive data and selectively de-tokenizes it at authorized points of use. This unified approach ensures both regulatory compliance and data accessibility while eliminating the need for separate regional infrastructure.
RPS thereby removes the need for costly data vaults or local duplicated architectures to manage data residency requirements.
In this article, we introduce RPS and present a case study of its application in a leading SaaS platform in banking: Temenos Transact, which powers banking transactions worldwide for some of the largest banks globally.
REGDATA is an AWS Partner and AWS Marketplace Seller providing data control, protection and compliance services aimed at regulated organizations looking to migrate to Cloud at scale and in full confidence.
Roadblocks to global reach
Most Swiss and European banks still operate legacy banking IT systems in-house, with systems historically replicated locally in multiple locations to meet local business and compliance requirements[1]. This has resulted in a diversification of business and operating models across locations, a high fixed cost base and rapidly growing technical debt.
In order to address the cost and risk associated with such legacy architectures, banks are today seeking new, cloud-based “Multi Entity, Single Instance” architectures that allow them to streamline and standardize their operating model, centralize operations, drive down costs and reduce technical debt.
A key consideration, however, is how to address local data regulatory or data residency requirements, such that these do not become roadblocks on a bank’s modernization journey.
How REGDATA works
To protect your application landscape, REGDATA has developed integration patterns that can be implemented on SaaS solutions and / or on applications built in-house / operated on premise.
The following illustrates how the REGDATA Protection Suite (RPS) integrates with two key Temenos services:
– Temenos Infinity: The RPSProxy dynamically protects and unprotects confidential customer data (CIDs) when it is accessed through a SaaS Temenos Banking Portal and Mobile application.
In this case, the context used to dynamically unprotect data is the following:
A customer anywhere in the world accessing exclusively his or her own data.
RPSProxy integration pattern for Temenos Infinity
– Temenos Transact: Temenos Transact calls the RPSEngine directly via Java APIs.
Here, the context used to dynamically unprotect data is the following:
Enabling a banking transaction by unprotecting the relevant confidential fields for the required location (e.g. Luxembourg, Switzerland, …)
RPSAPIs integration pattern for Temenos Transact
GLOBAL CONTEXTUAL REACH with RPS
In order to operate a Temenos SaaS application using a MESI (Multi entity, Single instance) architecture for the execution of banking transactions across multiple locations, the solution must allow local entities to remain in control of their data (e.g. how it is protected, where it is accessed, etc.).
To achieve this, RPS orchestrates the protection and unprotection of data outside the application database, making contextual decisions on whether to unprotect the data or not depending on criteria such as:
- The user accessing the data
- The role of that user
- The location of the user
- The involved location
Consequently, only authorized users in an authorized location within the bank can access, in clear text, confidential data held in the Temenos Transact application. For example, only an authorized user in Luxembourg will be able to access unprotected Luxembourg confidential data stored in a Temenos SaaS outside the country.
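The contextual decision described above can be sketched as a deny-by-default policy check. This is an added example, not REGDATA's code or the RPS API: the `Context` fields, the `POLICY` and `DIRECTORY` tables, the token value and the in-memory `TOKENS` lookup standing in for the unprotect operation are all hypothetical, constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    user_location: str      # where the request originates
    involved_location: str  # location (legal entity) that owns the record

# Constructed sample data: user directory and per-location unprotect rules.
DIRECTORY = {"alice": {"relationship_manager"},
             "bob": {"relationship_manager"},
             "carol": {"it_operator"}}
POLICY = {
    "LU": {"roles": {"relationship_manager"}, "from": {"LU"}},
    "CH": {"roles": {"relationship_manager"}, "from": {"CH"}},
}
# Hypothetical stand-in for the unprotect operation: token -> clear value.
TOKENS = {"tok_9f2c": "Jean Dupont"}
AUDIT = []  # every decision is recorded, allowed or not

def decide(ctx):
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    rule = POLICY.get(ctx.involved_location)
    if rule is None:
        return False, "no policy for involved location"
    if ctx.role not in DIRECTORY.get(ctx.user, set()):
        return False, "role not held by user"
    if ctx.role not in rule["roles"]:
        return False, "role not authorized"
    if ctx.user_location not in rule["from"]:
        return False, "user location not authorized"
    return True, "ok"

def read_field(ctx, token):
    """Return clear text only when the context passes; otherwise keep the token."""
    allowed, reason = decide(ctx)
    AUDIT.append((ctx.user, ctx.involved_location, allowed, reason))
    return TOKENS[token] if allowed else token

if __name__ == "__main__":
    for c in (Context("alice", "relationship_manager", "LU", "LU"),
              Context("bob", "relationship_manager", "CH", "LU"),
              Context("carol", "it_operator", "LU", "LU")):
        print(c.user, "->", read_field(c, "tok_9f2c"))
```

A caller that fails any of the four criteria receives the stored token unchanged, so a request from outside the authorized location never sees clear text even when the role is valid.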
For such protection services, we recommend 2 types of deployment patterns for Temenos:
Full RPSPlatform deployed at Temenos SaaS environments
All protection and unprotection operations are performed in the Temenos SaaS environments.
The process begins when a bank user requests customer data from Temenos Transact. The system then retrieves encrypted or tokenized data from its customer database, where REGDATA has previously secured the sensitive information.
To access this protected data, Temenos Transact communicates with the RPSEngine through the RPSAPI. The RPSEngine evaluates access policies and, if the user has appropriate permissions, decrypts or detokenizes the data before returning it to the user in clear text.
RPSPlatform deployment pattern in Public Cloud tenant (AWS)
Full RPSPlatform deployed at Bank environments
All protection and unprotection operations are performed in the bank’s information system, and all RPS components are installed in the bank’s IS environments. This can be on-premise or in the bank’s Cloud tenant.
Users access the system through the RPS Proxy, which interfaces with the RPS Platform for data protection, policies, reporting, and security. The system connects with Temenos applications (Infinity and Transact) while maintaining region-specific encryption keys through the Key Management Service.
This architecture ensures that sensitive data processing remains within the bank’s controlled environment, whether hosted on-premise or in their AWS Switzerland cloud tenant, providing both security and regulatory compliance across jurisdictions.
RPSPlatform deployment pattern in Bank’s private datacenter
Key benefits of implementing RPS to achieve global contextual reach
- Straightforward application of your data protection policies, as set by the Board / Executive Committee, in your mission-critical applications running on AWS
- Suitable and applicable data protection techniques in a cross-application landscape running on AWS:
  - From a CRM application to Temenos Transact
  - From Temenos Transact to Temenos FCM
  - From Temenos Infinity to Temenos Transact
- Escape the legacy business model and embrace the New Business Model using modern, future-state architectures.
With the granular and highly abstract RPSConfiguration module, banks can choose their preferred configuration pattern to cover in-scope legal entities.
Banks can either consolidate all the legal entities of the bank in a central instance protected by RPS with a single encryption key, or apply a different encryption key per legal entity, for example where different compliance and/or internal security policies apply.
The REGDATA Protection Suite provides a stack of services, starting from Digital services at the top, moving through Client Services, Shared Services, OPS/BPO, IT App Support, and Applications.
New business model using modern, future-state architectures.
All your business applications and technical layers (Hosting / Infra / IT App Support, …) are fully available, aligned, consistent and up to date at the same time, offering a consistent client experience and a high level of security, availability and integrity regardless of geographical location. Each customer type has different security access levels, ensuring appropriate data protection and access control across all service layers.
Conclusion
The RegData Protection Suite (RPS) offers a unique solution to the challenges faced by today’s CIOs and CTOs in balancing the need for scalable, global platforms with the necessity of robust data security and compliance. By abstracting the handling of data security and control framework from the IT landscape, RPS allows for consistent application of data protection policies across an organization’s data journey. This eliminates the need for costly data vaults or local duplicated architectures, thereby driving down total cost of ownership. Furthermore, RPS’s integration with key services like Temenos Infinity and Temenos Transact ensures that data protection and compliance are maintained without compromising the efficiency and effectiveness of these platforms. The New Business Model becomes a real competitive edge for banks looking to scale across multiple locations.
REGDATA – AWS Partner Spotlight
REGDATA is an AWS Partner specialized in enabling Corporate companies in a secured and lawful way.