Locking down Cloud Run: Inside Commerzbank's adoption of custom org policies
Christian Gorke
VP/Head of Cyber Center of Excellence, Big Data and Advanced Analytics, Commerzbank
Shalini Sushri
Product Manager, Serverless
Financial institutions typically process millions of transactions daily. When they run on cloud technology, any security lapse in their cloud infrastructure could have catastrophic consequences. For serverless compute workloads, they use Cloud Run on Google Cloud. That's why we are happy to announce the general availability of Google Cloud's custom org policies, which fortify Cloud Run environments and let them be aligned with regulatory standards ranging from the weakest to the most stringent.
Financial services institutions operate under stringent global and local regulatory frameworks, set by bodies such as the EU’s European Banking Authority, the US Securities and Exchange Commission, or the Monetary Authority of Singapore. The sensitive nature of financial data also necessitates robust security measures. Maintaining a comprehensive security posture is therefore of major importance, encompassing both coarse-grained and fine-grained controls to address internal and external threats.
Tailored Security, Configurable to Customer’s Needs
Custom Org Policies for Cloud Run provide fine-grained control over Cloud Run configurations. It is now possible to dictate:
- Network Access: Reduce unauthorized access attempts by precisely defining VPC configurations and ingress settings.
- Deployment Security: Mandatory binary authorization can prevent potentially harmful deployments.
- Resource Efficiency: Constraints on memory and CPU usage ensure getting the most out of cloud resources.
- Stability & Consistency: Limiting the use of Cloud Run features to those in general availability (GA) and enforcing standardized naming conventions enables a predictable, manageable environment.
This level of customization enables building a Cloud Run environment that's not just secure, but also perfectly aligned with unique operational requirements.
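As an added illustration (not code from Google or Commerzbank), the following Python sketch lints a Cloud Run Service manifest locally against the four control areas listed above, the kind of pre-deployment check a team might run in CI alongside org policies that Google Cloud enforces server-side. The annotation keys are the ones used in Cloud Run Service YAML; the allowed ingress values, the 2 GiB memory cap, the naming pattern and all function names are assumptions chosen for the example.

```python
import re

# Assumed house rules (hypothetical values, not taken from the article).
ALLOWED_INGRESS = {"internal", "internal-and-cloud-load-balancing"}
MAX_MEMORY_MIB = 2048
NAME_RE = re.compile(r"^(dev|tst|prd)-[a-z0-9-]{3,40}$")
UNIT_MIB = {"Mi": 1, "Gi": 1024}

def memory_mib(quantity):
    """Parse '512Mi' / '2Gi'; return None for missing or unrecognized values."""
    m = re.fullmatch(r"(\d+)(Mi|Gi)", quantity or "")
    return int(m.group(1)) * UNIT_MIB[m.group(2)] if m else None

def violations(service):
    """Return the controls a Cloud Run Service manifest (as a dict) fails."""
    meta = service.get("metadata", {})
    ann = meta.get("annotations", {})
    containers = service.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])
    failed = []
    # Network access: an unset ingress annotation means the default, "all".
    if ann.get("run.googleapis.com/ingress", "all") not in ALLOWED_INGRESS:
        failed.append("ingress")
    # Deployment security: Binary Authorization must be switched on.
    if not ann.get("run.googleapis.com/binary-authorization"):
        failed.append("binary-authorization")
    # Stability: an unset launch stage means GA features only.
    if ann.get("run.googleapis.com/launch-stage", "GA") != "GA":
        failed.append("launch-stage")
    # Consistency: naming convention.
    if not NAME_RE.match(meta.get("name", "")):
        failed.append("name")
    # Resource efficiency: every container needs an explicit limit under the cap
    # (fail closed on missing or unparseable quantities).
    mibs = [memory_mib(c.get("resources", {}).get("limits", {}).get("memory")) for c in containers]
    if not mibs or any(m is None or m > MAX_MEMORY_MIB for m in mibs):
        failed.append("memory")
    return failed

def manifest(name, annotations, memory):  # builds constructed sample input
    return {"metadata": {"name": name, "annotations": annotations},
            "spec": {"template": {"spec": {"containers": [{"resources": {"limits": {"memory": memory}}}]}}}}

COMPLIANT = manifest("prd-payments-api", {"run.googleapis.com/ingress": "internal",
                     "run.googleapis.com/binary-authorization": "default"}, "1Gi")
NONCOMPLIANT = manifest("checkout", {"run.googleapis.com/ingress": "all",
                        "run.googleapis.com/launch-stage": "BETA"}, "4Gi")

if __name__ == "__main__":
    for svc in (COMPLIANT, NONCOMPLIANT):
        print(svc["metadata"]["name"], violations(svc) or "ok")
```

A local check like this only gives early feedback; the org policy remains the enforcement point because it is evaluated when the service is created or updated, regardless of which pipeline or user issues the request.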
Addressing the Complexities of Commerzbank's Cloud Run Setup
Within Commerzbank’s Big Data & Advanced Analytics division, the company leverages cloud technology for its inherent benefits, particularly serverless services. Cloud Run is a crucial component of our serverless architecture and stretches across many applications due to its flexibility. While Cloud Run already offered security features such as VPC Service Controls, multi-regionality, and CMEK support, granular control over all Cloud Run’s capabilities was initially limited.
Diagram illustrating simplified policy management with Custom Org Policies
Better Together
The introduction of Custom Org Policies for Cloud Run now allows Commerzbank to directly map its rigorous security controls, ensuring compliant use of the service. This enhanced control enables the full-scale adoption and scalability of Cloud Run to support our business needs.
The granular control possible due to Custom Org Policies has been a game-changer. Commerzbank and customers like it can now tailor their security policies to their exact needs, preventing potential breaches and ensuring regulatory compliance.
A Secure Foundation for Innovation
Custom Org Policies have become an indispensable part of the cloud security toolkit. Their ability to enforce granular, tailored controls has boosted Commerzbank’s Cloud Run security and compliance. This newfound confidence allows them to innovate with agility, knowing their cloud infrastructure is locked down.
If you're looking to enhance your Cloud Run security and compliance, we highly recommend exploring Custom Org Policies. They've been instrumental in Commerzbank’s journey, and we're confident they can benefit your organization, too.
Looking Ahead: We're also eager to explore how to leverage custom org policies for other Google Cloud services as Commerzbank continues to expand its cloud footprint. The bank’s commitment to security and compliance is unwavering, and custom org policies will remain a cornerstone of Commerzbank’s strategy.