Commerzbank: Building security into the foundations of cloud banking with Google Cloud

About Commerzbank

Commerzbank is the leading bank for the German Mittelstand and a strong partner for around 28,000 corporate client groups and around 11 million private and small-business customers in Germany. The Bank’s two Business Segments – Private and Small-Business Customers and Corporate Clients – offer a comprehensive portfolio of financial services. Commerzbank transacts approximately 30 per cent of Germany’s foreign trade and is present internationally in almost 40 countries in the corporate clients’ business. The Bank focusses on the German Mittelstand, large corporates, and institutional clients. As part of its international business, Commerzbank supports clients with German connectivity and companies operating in selected future-oriented industries. Following the integration of comdirect, private and small-business customers benefit from the services offered by one of Germany’s most advanced online banks combined with personal advisory support on site. Its Polish subsidiary mBank S.A. is an innovative digital bank that serves approximately 5.6 million private and corporate customers, predominantly in Poland, but also in the Czech Republic and Slovakia. In 2021, Commerzbank generated gross revenues of some €8.5 billion with around 46,500 employees.

Industries: Financial Services & Insurance
Location: Germany

Commerzbank builds security into the foundations of its cloud operations, automating tasks with Google Cloud to reduce years of work to mere milliseconds while boosting efficiency.

Google Cloud results

  • Saves many resources by automating time-consuming manual security processes with Google Cloud
  • Reduces risk of human errors to zero, increasing security while relieving employees from security pressures
  • Replacing manual security tasks with a reliable automated system improves employee confidence in the security system and productivity
  • Speeds up Commerzbank’s cloud transformation, ensuring the highest security for use cases migrated to the cloud

Creating millisecond-fast security and compliance

Banking in the cloud is quickly becoming the new norm. According to a Google Cloud survey, 83% of financial services companies now deploy cloud technology as part of their primary computing infrastructures. Remarkable numbers for an industry whose cloud transition was considered comparatively slow just a few years ago. What changed?

For some banks, it’s security. As one of the most heavily regulated businesses, financial services companies handle highly sensitive data that can’t be compromised. Security standards that have grown over decades can’t just be lifted and shifted into the cloud - they must be redesigned. That’s exactly what Commerzbank has done to enable its move to the cloud.

"At Commerzbank, we discovered the benefits of the cloud pretty early on," says Christian Gorke, who leads the bank’s Cyber Center of Excellence team. As part of Commerzbank’s key area Big Data & Advanced Analytics (BDAA), Gorke’s team brings expertise in data protection and information security to cloud migration use cases.

"A critical driver of our cloud adoption has always been the capabilities that cloud brings when it comes to processing huge amounts of data, e.g., to derive insights. But at the moment of saving data in the cloud, we need to make sure it’s protected under strict security standards - at all times. That’s why we partnered with Google Cloud."

Banking on Google Cloud for features and compliance

Commerzbank’s goal is to run 85% of its decentralized apps in the cloud by 2024, using a hybrid multi-cloud approach. Google Cloud has been a crucial part of that journey since 2017. For Gorke and his team, its advanced features and compliance standards are the right fit to help Commerzbank build security into the foundations of its cloud operations.

"In the area of security compliance, Google Cloud had an edge over competitors, offering FIPS 140-2 level 3 certification while others only offered level 2," says Gorke. "With BigQuery and VPC Service Controls, Google Cloud also offered unique features that are crucial for us, such as the ability to control data between all services, segregate applications and data, encrypt all data at rest, and unique automatization capabilities."

Building security into the foundations

What makes Commerzbank’s new cloud security approach stand out is that it’s built-in, not bolted on. As a result, most employees won’t need to make a conscious effort to secure data or configure the right application segregation settings such as firewalls: it’s all automated. Commerzbank calls this approach 'invisible security'.

Gorke explains how it works: "Commerzbank’s invisible security is a four-step approach. First, we leverage Cloud Logging and Asset Inventory to get a complete overview of all our assets in the cloud. Next, we implemented a filter and action layer based on Pub/Sub and BigQuery, which allows us to programmatically define a wide range of security use cases. Then we evaluate the right security measures event-based using Cloud Functions and Cloud Run, depending on the previous security use case. Then we find the right security measures with BigQuery and Cloud Functions. Finally, we report the findings to Security Command Center and all relevant on-prem systems. Note that our solution is based only on cloud-native services which enables us to leverage the highest availability and robustness available on Google Cloud."

The result of this interplay of Google Cloud solutions is a constant, automated and, above all, autonomic level of security that lets Commerzbank’s employees focus on their work instead of on every possible security issue. When, for example, an employee forgets to set a customer-managed encryption key for a Cloud Storage bucket, invisible security steps in, provisions a cryptographic key across all systems involved and sets all required permissions and security settings automatically. This happens within milliseconds after bucket creation, so the employee gets a secured bucket before they can even interact with it. Gorke and his team put an emphasis on transparency: while the whole process is automated, every step of it is transparent, so employees can always find out why a decision was made if they are interested. They are also notified whenever an automated action is applied to their resources.

Another capability of the invisible security solution is decision making. This matters because the system will not always enforce measures, since doing so would break certain use cases. For example, if a landing zone has been set up automatically, including VPC Service Controls, a change to this specific configuration might be intended by the use case to realise business value. However, this deviation might violate the default landing zone security configuration. Hence, the invisible security system raises a finding and forwards it to internal systems and Security Command Center. The owner of the resource can then review the finding and decide on next steps.
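
The enforce-or-report decision described above, as an added example that is not Commerzbank's or Google's code. It assumes events arrive as Pub/Sub messages carrying Cloud Asset Inventory-style JSON records; the field layout, the baseline set and all sample names are assumptions made for illustration.

```python
import base64
import json

BUCKET = "storage.googleapis.com/Bucket"
PERIMETER = "accesscontextmanager.googleapis.com/ServicePerimeter"
# Hypothetical landing-zone baseline: services every perimeter must restrict.
BASELINE = {"storage.googleapis.com", "bigquery.googleapis.com"}

def decode(pubsub_message):
    """Pub/Sub delivers the asset record as base64-encoded JSON in 'data'."""
    return json.loads(base64.b64decode(pubsub_message["data"]))

def evaluate(record):
    """Return (action, resource, reason); action is remediate, finding or none."""
    asset = record.get("asset", {})
    name = asset.get("name", "")
    data = asset.get("resource", {}).get("data", {})
    if asset.get("assetType") == BUCKET:
        # A missing CMEK is safe to fix automatically, so it is enforced.
        if not (data.get("encryption") or {}).get("defaultKmsKeyName"):
            return ("remediate", name, "no customer-managed key")
        return ("none", name, "customer-managed key present")
    if asset.get("assetType") == PERIMETER:
        # A changed perimeter may be intended, so it is reported, not reverted.
        restricted = set((data.get("status") or {}).get("restrictedServices", []))
        missing = sorted(BASELINE - restricted)
        if missing:
            return ("finding", name, "not restricted: " + ", ".join(missing))
        return ("none", name, "matches baseline")
    return ("none", name, "asset type not covered")

def wrap(asset_type, name, data):
    """Build a constructed Pub/Sub message for the sample run."""
    record = {"asset": {"assetType": asset_type, "name": name, "resource": {"data": data}}}
    return {"data": base64.b64encode(json.dumps(record).encode()).decode()}

# Constructed sample events; names and key paths are placeholders.
SAMPLES = [
    wrap(BUCKET, "//storage.googleapis.com/example-a", {"name": "example-a"}),
    wrap(BUCKET, "//storage.googleapis.com/example-b",
         {"encryption": {"defaultKmsKeyName": "projects/p/locations/l/keyRings/r/cryptoKeys/k"}}),
    wrap(PERIMETER, "//accesscontextmanager.googleapis.com/accessPolicies/0/servicePerimeters/lz",
         {"status": {"restrictedServices": ["storage.googleapis.com"]}}),
]

if __name__ == "__main__":
    for message in SAMPLES:
        print(evaluate(decode(message)))
```

In a deployment, a "remediate" result would trigger key provisioning and a "finding" result would be written to Security Command Center; both are left out here because the page does not describe those calls.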

"Users don’t need to do anything," explains Gorke. "Whether you’re creating a database or uploading data to a bucket, security is happening automatically, 24/7. That’s not just a gain of convenience for our employees, at the same time it frees up a lot of resources that needed to be spent on manual security calibrations."

Invisible security, visible impact

Since going live across BDAA in September 2021, invisible security has had a significant impact on Commerzbank’s cloud operations. The time savings are significant, says Gorke: "The process of finding, understanding, repairing, and reporting security issues used to take hours to days. For example, solely the provisioning of cryptographic key material needed to be done nearly 1,800 times, which adds up to multiple years. With our Google Cloud-powered invisible security system, that work happens in milliseconds, automatically, freeing us of this resource-hungry burden."

But invisible security isn’t just faster, it’s also more secure than the previous approach, explains Gorke. "Manual security systems are prone to human error. There are millions of resources and log entries, and even in the best-run systems employees can miss one now and again. By implementing invisible security, we eliminate a whole class of security issues."

Making a difference for employees

The invisibility of Commerzbank’s cloud security approach is especially uplifting for the bank’s employees. Precautions they once had to take into account for every decision are fully automated today, relieving them of the pressure and manual efforts of maintaining the bank’s high-security standards.

"Our employees think it’s genius," says Gorke. "Invisible security has taken a huge burden off their shoulders. They trust the system, knowing it’s simply more reliable at security than a human ever could be. And they have a lot more time for other work: we have a huge range of diverse use cases today, and if each of them saves a day per week through invisible security, that’s a massive productivity booster."

With less time spent on standard security issues, Commerzbank’s team can be more responsive to customer queries. And by being able to move to the cloud securely, Commerzbank can deliver on all the benefits of the cloud. That includes increased reliability and performance and more seamless customer experiences, while further reducing the risk of data breaches and other vulnerabilities.

Built-in security for a new age of cloud banking

Today, Commerzbank has hundreds of thousands of assets on Google Cloud, and Gorke and his team are continually expanding their use of Google Cloud solutions. Currently, they are also building user interfaces with Service Catalog to make it easy for employees to deploy assets, tools, and solutions on Google Cloud with security built in.

But in the long run, invisible security isn’t just a tool for BDAA or Commerzbank, but a milestone for the cloud transformation of the financial services industry as a whole. Gorke and his team are at the forefront of cloud security, designing a path for highly regulated financial institutions to move to the cloud securely. In some areas, such as VPC Service Controls, the security experts at Commerzbank and Google Cloud have jointly created new industry standards.

"In the end, we achieved four major principles for our cloud users," states Gorke. "First, non-security employees can focus on their actual work and don't need to be security experts; second, security becomes invisible to the user but able to be experienced and comprehensible; third, by making operations autonomic and leveraging cloud-native solutions a very high reliability is given; and fourth, trust in the cloud is established by inherently providing engineered-in security."

Looking ahead, Gorke sees the future of banking in the cloud, and invisible security as part of its foundation: "With our invisible security solution, we haven’t just made Commerzbank more secure while saving a lot of time and resources, we’ve been able to rethink what security means in the cloud. Together with Google Cloud, we’ve developed new standards that increase the understanding of the cloud - not just for us, but for everyone."
