Since 1870, Deutsche Bank has offered financial services to enterprises, governments, institutional investors, and individuals worldwide. Google cloud migration requires software developers to build a secure, scalable, and reliable certificate management solution for cloud workloads to better serve and protect our customers.
Deutsche Bank worked with Google Cloud Professional Services to rapidly and securely encrypt data in transit for hundreds of apps. Since the company’s business-critical applications need tens of thousands of network communication encryption certificates daily, it was no easy accomplishment.
The value of certificates
Digital identities are crucial to infrastructure and application security, and X.509 certificates are used to represent them. These have been frequently used to secure network communication, email, and general encryption. Widespread adoption of service-oriented solution architectures has increased certificate-secured entities. Each digital certificate must be renewed before expiration to work.
The industry is shortening certificate durations to reduce security threats, but this increases renewal frequency. Failure to renew, cancel, or distribute trustworthy certificates can cause service disruptions and security breaches.
Google Cloud CA Service
Extension of on-premises PKI services to cloud applications relies on Google Cloud Certificate Authority Service (CAS). CAS brings enterprise certificate management from on-prem to the cloud and provides convenient tools and services for an automated and integrated solution that complements CAS integrations by serving as a fully managed central authority for all enterprise workloads running in public clouds.
The ability to issue custom organization certificates flexibly, securely, and on-demand is just the beginning of our certificate management journey. With dozens of managed services from Google Cloud, CAS certificates must be used beyond present use-cases to ensure cloud-on-prem system connection.
Thus, a centralized, automated custom certificate lifecycle management solution is needed to relieve application developer teams of cloud services configuration, concentrate the responsibilities, and make them manageable by a small team.
Large-scale certificate management issues
Business preferences and organizational and legal needs for certificates vary. Our sector is extensively regulated and security-focused, therefore we have more goals. Here are some key ones:
Operation
Reduce cost, availability, and security threats by automating as much as feasible.
Make certificate management transparent for apps to relieve application teams of certificate expiration and renewal concerns.
Security
Maintain strong client trust for internet-facing apps. Secure applications with public certificate authorities (CA) certificates and the strictest identity verification measures to protect the brand and users.
Define production and non-production trust boundaries. Certificates must be issued by separate trust anchors to prevent data breaches and improve production security.
Validate application domain ownership for certificate issuance. Enterprises run thousands of apps and services. They must restrict application subdomain use. Thus, applications requesting certificates for unauthorized subdomains must be denied.
Governance
- Use only recognized CA certificates. Companies control cryptographic services to manage trust and reduce risk.
- Organizational certifications should be monitored. Inventorying certificates with their owners, locations, and algorithms helps report and respond to present and future cryptographic risks. Possible threats from the post-quantum revolution.
- When regulators require specific certificate kinds, utilize them. EU Directive for Electronic Payment Services (PSD2) requires QWAC and QSEAL certificates from trust service providers established in the EU eIDAS Regulation.
Managing so many certifications requires automation.
Automate certificate management
We solve our certificate management problems with CAS and other Google Cloud services. The figure below shows its high-level architecture.
This method helps in various situations:
- Initial enrollment and certificate provisioning: Use IaaC to provision a new certificate with a valid identity (Subject, Subject Alternative Name) that meets organization security policy.
- Update certificate content: Modify a certificate’s SAL.
- Certificate renewal: Create a fresh re-validated certificate before the expiration date and replace the expired certificate automatically without application team intervention.
- Certificate revocation: If a certificate key is compromised or lost, revoke the certificate to invalidate and stop data exchange over network connections.
- Trust Anchor management: Provide current Trust Anchors (authorized root CA certificates) for certificate-validating services and apps. Distribute and store trusted CA certificates in client and server programs for TLS validation.
- Certificate Authority renewal: Certificate Authority certifications expire and must be renewed. Following industry best practice, CA lifespans are decreasing.
Effects and Gains
Once the central certificate management solution is implemented, enterprises should realize many benefits.
Deutsche Bank has a security staff that centrally handles all certificates. Without automated regular procedures and compliant PKI services, Deutsche Bank would be much smaller. Eliminating manual steps and automating certificate management has cut expenses and application disruptions. Since deploying the solution to production, certificate expiration has not caused application issues.
Due to reputation, cost, and regulation compliance, organizations need high application availability, especially for internet-facing services. Built with Google Cloud services, certificate management automation is modern, reliable, and future-proof, meeting high availability and scalability needs without additional effort.
Our solution simplifies data in transit encryption for application teams and complements Deutsche Bank’s defense-in-depth strategy. Key creation with high entropy is secure and weak keys are prevented. Besides the owner program or resource, these important cryptographic assets are encrypted throughout the operation. We can now securely reduce certificate lifetime.
A team of experts in their difficult field monitors, controls, and takes responsibility for certificates. CAS stores and monitors all Deutsche Bank cloud-based internal certificates.
Conclusion
Google Cloud services like Cloud Key Management Service and Certificate Authority Service helped us scale certificate management with minimum resources. CAS was in beta when Google used it for our cloud architecture, and Google built a dependable certificate management platform in Google Cloud and met their aims.
[…] your startup is considering switching from Amazon Web Services (AWS) to Google Cloud, you should know the technological differences. Thank goodness current cloud platforms are […]
[…] A cloud estate’s commitment to sustainability can help to guarantee long-term operational effectiveness, cost savings, and compliance with the increasingly stringent global environmental regulations.Businesses can significantly reduce their environmental impact, future-proof their operations, and gain competitive advantages in an eco-aware market by aligning with sound sustainability practices. […]
[…] Google are happy to inform that the Cloud Firewall’s fully qualified domain name (FQDN) capability is now generally available. Customers may normally access FQDN as part of the Cloud Firewall Standard tier, which also offers geolocation filtering and interaction with Google Cloud Threat Intelligence. Additionally, Google added additional IP reputation lists to our support for Google Cloud Threat Intelligence and made IPV6 and GKE node pool support for IAM-governed tags available in Public Preview. […]
[…] proactive scheduling to stateful applications while balancing cost and availability, is what Google are announcing today to help. Operator for Stateful HA is in […]
[…] Google are unveiling today the details of the South Pacific Connect program, which will assist improve the resilience and dependability of digital connection in the Pacific by deploying two new transpacific subsea cables, Honomoana and Tabua. […]
[…] Cloud project: Prior to starting, confirm that a Google Cloud project has been established, that billing has been enabled, that Spanner access control has been […]
[…] for a while, is a great source of data for training xAI models, such as Grok. It’s still not Google, […]
[…] close connection with BigQuery, Delivery Hero’s primary data warehouse, as well as additional Google Cloud resources. Vertex AI Pipelines train models and store metadata in Vertex AI Models Registry. Cloud […]
[…] Although Hasura is free software, it is also available in fully managed versions on a number of cloud service providers, such as Google Cloud. […]
[…] various document kinds. However, today’s developers may use text embedding models, PaLM 2, and Google Cloud PaLM2 and AI Documents to create a “Ask your documents” application for staff members. […]
[…] mutual authentication (mTLS) using digital certificates. Businesses commonly use it with a private certificate authority (CA) to authenticate consumer identities before providing information and […]