This long-standing managed services provider (MSP) operates the IT infrastructure used by financial services companies throughout Germany, including banks and insurance companies.
To support its clients’ digital transformation initiatives, the MSP is expanding its offerings to include cloud-based capabilities. However, banking clients that are designated as “critical infrastructure” are supervised by Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin), Germany’s financial services control body, as well as the European Central Bank (ECB). Plus, all clients must meet German and European Union (EU) data security and privacy regulations, including keeping certain data within German borders. This regulatory context significantly complicates the challenges of using public cloud platforms and services.
To prove to its clients that public cloud-based services are viable given the regulatory constraints, the MSP needed to build a production environment on Google Cloud Platform and complete a series of prototypes. Ultimately, the cloud provider planned to offer managed public cloud services along with on-premises private cloud infrastructure-as-a-service and container-as-a-service solutions.
To achieve its goal, the managed services provider’s internal team needed to gain sophisticated new skills in working with cloud-native services through hands-on experience building and running a regulatory-compliant production public cloud environment. Then, the team could establish a cross-functional Cloud Center of Excellence, offering their customers the opportunity to prototype cloud-first concepts and take advantage of methods for automatically provisioning cloud resources quickly.
Needing to get its teams up to speed with all aspects of public cloud, the managed services provider retained Kyndryl to provide education and hands-on professional services in designing and building a compliant Google Cloud Platform landing zone. Kyndryl conducted a cloud services and operations workshop. The four-day program introduced modern principles of service management and cloud operations to a cross-functional team of the managed services provider’s IT professionals.
In addition to the workshop, Kyndryl developed the managed services provider’s Public Cloud Security Concept document to be aligned with compliance requirements for designing the security architecture within Google Cloud Platform infrastructure. This document covers designing a secure multi-tenant architecture that isolates customer’s workloads, separates networks, and encrypts data at rest and in motion. Kyndryl helped the client identify Google Cloud Platform services that would not be compliant and should not be used, as well as those that, under certain circumstances, could meet EU and German requirements for financial services. This guidance mitigated the risk of non-compliance.
Together, experts from Google’s Professional Service Organization (PSO), Kyndryl and the MSP designed a Google Cloud Platform landing zone. This provides essential foundations—like identity and access management—for working on the service provider’s and their customers’ projects in the cloud. The objective was to establish a repeatable, best-practices architecture for managed services that will meet security and regulatory requirements. The design of the landing zone also accounts for elements that make the cloud infrastructure scalable, cost-effective, and easy to manage as a service.
As a single-sign-on (SSO) service, the global Google Identity service could not be used natively by German financial institutions without exposing Personal Information data. To ensure compliance of the SSO solution, and avoid the hefty fines of violating General Data Protection Regulation (GDPR), the team integrated the managed services provider’s active directory system by implementing a third-party single-sign-on solution along with the Google Cloud Platform landing zone. Only tokenized credentials are exposed to Google Identity; sensitive personal information is retained on premises along with authorization and authentication to Google Cloud Platform resources.
Finally, the Kyndryl team helped the managed services provider build a service and systems management integration that meets regulatory requirements for immediate availability of log data for monitoring and auditing. For example, Google Cloud Platform audit logs are shipped to the customer’s on-premises security and event management (SIEM) system.
As part of the Kyndryl solution, the team worked with the customer to implement infrastructure-as-code with HashiCorp’s Terraform solution, which is the industry best practice. With this approach, all configuration parameters are captured in HashiCorp’s Configuration Language (HCL) documents that are converted Terraform plans. When run in an end to end sequence, Terraform plans instantiate GCP resources (folders, projects, access rules, network paths to Google Computer Engine instances); all without manual intervention.
Further automation via Ansible playbooks loads applications and configures VMS for different roles. With these combined solutions, once configuration parameters have been set, the managed services provider can prepare a client’s cloud environment in less than a day rather than traditional approaches that take several weeks.
As a managed cloud services provider, Kyndryl’s customer needed a way to allocate cloud platform charges across internal clients and multiple external clients that are tenants on the cloud production environment. The Kyndryl team designed and developed a billing engine that runs in the customer’s on-premises container environment. It retrieves billing data from the cloud platform, calculates the splits, and sends the results to the customer’s SAP procurement system. The MSP became capable of flexibly billing for its services to the different institutions within its portfolio.
Both internal and external clients of the managed services provider used the Google Cloud Platform production environment to run various prototypes. The customer’s internal SAP team, for example, successfully created a one-to-one replica of an SAP instance for use as a testing environment in the cloud.
An external client, with Kyndryl’s assistance, built a solution for rerouting internet traffic to its banking portal. The prototype used Google Cloud Platform infrastructure to handle network traffic in the event of a distributed denial of service (DDOS) attack on the primary internet access route.
For another external client, the team prototyped use of the managed cloud service and infrastructure-as-code as a continuous integration / continuous delivery (CI/CD) environment for its DevOps team. This client also prototyped Cloud SQL database instances. All prototyping activities confirmed that the production environment is stable, compliant, and ready for managed cloud services business.
Learn more about how Kyndryl advances the vital systems that power human progress.
© Copyright Kyndryl, Inc. 2022
Kyndryl is a trademark or registered trademark of Kyndryl Inc. in the United States and/or other countries.
Other product and service names may be trademarks of Kyndryl Inc. or other companies.
This document is current as of the initial date of publication and may be changed by Kyndryl at any time without notice. Not all offerings are available in every country in which Kyndryl operates. Kyndryl products and services are warranted according to the terms and conditions of the agreements under which they are provided.
The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. Kyndryl products and services are warranted according to the terms and conditions of the agreements under which they are provided.