Financial Services · DORA-compliant · Multi-Cloud
Regulatory-Compliant Cloud Platform with Secure API Gateway and Workload Identities for a Bank
Background
A financial institution was in the midst of a comprehensive cloud transformation programme. The goal was to progressively migrate existing applications into an Azure-based platform architecture. Regulatory requirements were demanding: both ISO/IEC 27001 and the European DORA regulation (Digital Operational Resilience Act), which obligates financial companies to meet strict IT security and resilience standards, had to be considered from the outset. In particular, a viable concept for secure service-to-service communication and for handling secrets and credentials in a containerised environment was missing.
Measures
Wenske Cyber Solutions was embedded in the platform architecture unit to support security-relevant architectural decisions. We designed and implemented an Azure API Management gateway with mutual TLS authentication (mTLS) in front of the services, so that traffic between Azure Kubernetes Service workloads, the ingress controllers and Azure Key Vault is both encrypted and authenticated at each hop rather than only at the edge. For applications running in AKS, we developed a workload identity model based on Entra ID: each application receives its own identity, federated with its Kubernetes service account, which removes the need for static credentials. Secret management was built on Managed Identities and several Azure Key Vaults, so that credentials, certificates and API keys are managed centrally with a tamper-evident audit trail. Additionally, we developed a cloud placement strategy with a refactoring roadmap that determines which legacy applications are migrated in which order.
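To make the workload identity model concrete, here is the Kubernetes side of the wiring for one application, written as an added illustration (this is not configuration from the case study or from the bank's platform). All names (the payments-api application and namespace, the client ID, the vault URL, the image reference) are placeholders, and the Azure-side prerequisites are stated in the comments rather than shown.

```yaml
# Added example, not from the case study. Prerequisites assumed to exist already:
#   - the AKS cluster has the OIDC issuer and workload identity add-on enabled,
#   - a user-assigned managed identity exists for this one application,
#   - a federated credential on that identity binds
#       issuer   = the cluster's OIDC issuer URL
#       subject  = system:serviceaccount:payments:payments-api
#       audience = api://AzureADTokenExchange
#   - that identity holds a Key Vault RBAC role (e.g. Key Vault Secrets User)
#     scoped to its own vault only.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: payments
  annotations:
    # Client ID of the user-assigned managed identity this app runs as.
    # Placeholder value.
    azure.workload.identity/client-id: "00000000-0000-0000-0000-000000000000"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments
spec:
  replicas: 2
  selector:
    matchLabels:
      app: payments-api
  template:
    metadata:
      labels:
        app: payments-api
        # Opts the pod into the workload identity mutating webhook. Without this
        # label the webhook ignores the pod and no federated token is projected.
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: payments-api
      containers:
        - name: api
          image: registry.example.com/payments-api:1.4.2   # placeholder
          env:
            # Only the vault URL is configured. No client secret, certificate or
            # connection string appears in the manifest, the image or a ConfigMap.
            # The webhook injects AZURE_CLIENT_ID, AZURE_TENANT_ID,
            # AZURE_FEDERATED_TOKEN_FILE and AZURE_AUTHORITY_HOST; the Azure SDK's
            # DefaultAzureCredential / WorkloadIdentityCredential reads them and
            # exchanges the projected service account token for an Entra ID token.
            - name: KEY_VAULT_URL
              value: "https://kv-payments-prod.vault.azure.net/"   # placeholder
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
```

Two checks worth running after deployment: `kubectl exec` into the pod and confirm the `AZURE_*` variables and the projected token file at `/var/run/secrets/azure/tokens/azure-identity-token` are present (if they are missing, the `azure.workload.identity/use` label or the webhook itself is the usual cause), and confirm in Entra ID sign-in logs and Key Vault diagnostics that secret reads are attributed to this application's identity alone. The one-identity-per-application and one-vault-per-application split is what makes that attribution possible; a shared identity would make the audit trail indistinguishable across services.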
Results
The bank now has a cloud platform whose security architecture is designed from the ground up for regulatory audits. Communication between services is consistently encrypted and authenticated. Static credentials in application code or configuration files have been completely eliminated. The refactoring roadmap gives the internal platform team a clear basis for further migration without having to reassess security questions at every step.
More case studies

Financial Services: DevSecOps team led to BaFin audit readiness, incident processes and automation established (BaFin-audited · ISO 27001)

Energy / Critical Infrastructure: White-box penetration test of Azure and Entra ID environment conducted, privilege escalation paths uncovered (Critical Infrastructure · White-Box Pentest)