How Commerzbank safeguards its data with VPC Service Controls

Google Cloud’s VPC Service Controls (VPC-SC) can help enterprises keep their sensitive data secure while using built-in storage and data processing capabilities. Since its inception, VPC-SC has been deployed as a foundational security control by many Google Cloud customers. As an integral part of a defense-in-depth solution, VPC-SC can play a crucial role in helping prevent data exfiltration from Google Cloud due to insider threats or credential compromise.

How does it work?

VPC-SC allows Google Cloud customers to create isolation perimeters around their managed cloud resources and networks. Once an isolation perimeter is established, access to managed resources across the perimeter boundary is denied while preserving the data access within the perimeter. Customers can set up granular ingress and egress rules and can selectively approve access across perimeter boundaries.

In the event of a credential compromise or insider threat scenario, VPC Service Controls acts as an extra layer of defense that can help prevent data exfiltration to un-authorized organizations, folders, projects, and resources.

Commerzbank's journey with Google Cloud security

Commerzbank, the leading bank for the German Mittelstand, is a trusted partner to approximately 26,000 corporate client groups and 11 million private and small business customers. With a client-focused portfolio of financial services, their mission is to provide the right products and industry knowledge to help their clients execute and maximize business opportunities.

Google Cloud has been a crucial part of Commerzbank's cloud security journey since 2019. They use Cloud Logging and Cloud Asset Inventory to get an overview of their cloud assets, while Pub/Sub and BigQuery programmatically help them to define a wide range of security use cases. Cloud Functions and Cloud Run are employed to evaluate and find appropriate security measures, with the findings being reported to the Security Command Center. A common foundation of these services is their serverless nature, eliminating the burden of infrastructure management and resulting in millisecond-fast security at a very low cost.

Shifting threat vector landscape from IP to API

Christian Gorke, Vice President and Head of Cyber Center of Excellence, Big Data, and Advanced Analytics at Commerzbank, drives the mission to foster a secure, scalable, and standardized public cloud, creating the infrastructure and framework to help the organization become a cloud-first business.

“Big Data and Advanced Analytics (BDAA) was the first business unit at Commerzbank to move workloads into the public cloud. We started with a small set of business cases and a strong focus on data protection, information security, as well as cloud operations and compliance since we fall under the strict regulations of the financial industry. At this point, our main infrastructure consisted also of hardware management including security control efforts on IP-based level,” he said.

“However, the further we scaled and matured on the cloud, a clear shift happened from an on-premises setup into a cloud-first operation. Consequently, the majority of operations and data transfers now take place via API endpoints instead of IP addresses. In fact, over 90% of all use cases for our BDAA Google Cloud resources use API-only communication. So even though well-known security controls like firewalls exist, 90% of our assets that use API communication cannot be protected by these firewall rules. At this point, we realized that the threat vector landscape has shifted. We need to understand the API threat model and, hence, a new technology is required to help secure data access and transfer,” Gorke said.

Addressing lateral data movement and data exfiltration

Part of securing data and preventing unwanted data transmission in the cloud comes down to setting up the right identity management controls. Commerzbank saw the need for identity management control increase tenfold by moving to the cloud. While managing identities and access is relatively straightforward, it’s not as simple to control where the data is flowing.

“Think of on-premises technology as a large house: There are many separate rooms, but to get from one to the other, you need to know where you’re going and have specific keys. The cloud, however, functions like one large hall where anyone can approach someone else and ask for information. There are no walls, literal or figurative, blocking you from accessing data,” said Gorke.

As a result, data movement control grows immensely important. The goal is to prevent unauthorized data movement, which can be described here as a combination of two elements: First, “Data Exfiltration,” the malicious or accidental act of transferring data from company asset to outside asset, and “Lateral Data Movement,” the malicious or accidental act of moving data within company assets. This results in immediate risks, for example of data control loss, data loss, or reputation loss.

Controlling data flow with VPC Service Controls

BDAA at Commerzbank evaluated several solutions to control data flow and protect their data on the cloud. Besides standard requirements in the field, such as access management, their assessment was based the following criteria:

• The solution needs to control the flow of data to prevent unauthorized data movement.
• The solution needs to be a cloud-first technology to reduce the maintenance burden.
• The solution needs to address external security drivers, such as international and regional regulatory requirements, as well as internal security standards, controls, and necessities.
• The solution needs to be context-aware in a Zero Trust architecture sense to base controls on identities, actions, directions, and other factors.
• The solution needs to allow for hierarchical access management to separate control definition from control application.
• The solution needs to have built-in monitoring and logging capabilities, allowing measure of effectiveness, usage, and limits as well as alerting.

VPC Service Controls met all the requirements by fully integrating into the services which are being used by their applications. This enabled Commerzbank to use VPC-SC to mitigate data exfiltration, control data sharing, and establish separated environments across the organization.

In a nutshell, VPC Service Controls functions as a firewall for Google Cloud APIs. With secure data pipeline capabilities and defined perimeter controls, VPC Service Controls allowed Commerzbank to scale their application environment while mitigating data exfiltration risks.

Three data flow boundaries to secure data

In Commerzbank’s deployment the VPC Service Controls are applied to fulfill three perimeter types which they call “data flow boundaries”: the organization level, the application level, and the software-stage level.

“With VPC Service Controls, we have defined perimeter boundaries called Data Flow Boundaries that protect data by keeping everything in the right place, and accessible to only the right people and processes. This not only helps us prevent attacks or data exfiltration in or out of the organization or lateral data movement, but also ensures we’re not exposing data between different Data Flow Boundaries such as applications or stages. By using VPC Service Controls, we can achieve a better level of control over where, how, by whom, and when data is allowed to be accessed,” said Gorke.

Commerzbank’s usage of VPC Service Controls is fully automated, operating on a Zero Trust framework, and validated by Google Cloud Security experts. Starting early 2021, Commerzbank was one of the first financial services institutes in the European Union to leverage this technology at scale.

Building a scalable and secure infrastructure

With VPC Service Controls, the Cyber Center of Excellence at Commerzbank set the standard for controlling data flow. It began with a vision of a Zero Trust, cloud-centered infrastructure for securing data, and culminated with a deeper investment in cloud-first services of Google Cloud. By establishing clear objectives, focusing on cloud-first services, and standardizing on organization-wide use of VPC Service Controls, Commerzbank’s BDAA unit simplified data protection and prevented exfiltration.

Gorke and his colleagues are continually evaluating the impact of VPC Service Controls on their business to identify opportunities for improvement and scalability. On one dashboard, they measure effectiveness, such as the number of attacks, projects affected, and attack origins. A second dashboard monitored usage of VPC Service Controls, helping them effectively operationalize and plan for the future.

For financial organizations, it’s essential to protect customer data at all costs. At the same time, they want to employ future-proof technology to empower businesses, engineers, and data scientists to create the most value for their customers. VPC Service Controls is a classic example of how it can help financial organizations achieve both objectives, helping them take advantage of public cloud services while boosting overall security.

You can learn more about VPC Service Controls using this documentation and check out Commerzbank’s Google Cloud security journey by listening to Christain Gorke’s session at Google Cloud Next’23.