HPV Landing Zone

Security Case Study

About HPV

Hamburger Pensionsverwaltung E.G. (HPV) was founded in 1994. The Company's line of business includes providing insurance agent and broker services for a range of insurance types. HPV offers a comprehensive pension service. It advises its members in the field of company pension schemes, designs new pension schemes and prepares the reports for the balance sheets. In addition, the HPV manages entitlements and pensions for its members, and it administers entire pension and benefit funds. HPV currently looks after over one million pension commitments and assets worth around 11 Billion Euro.

The challenge

The IT-Infrastructure of Hamburger Pensionsverwaltung E.G. (HPV) grew in size and age over the years. A modernization of the old data center would have brought very high investment costs for the company. Also the current infrastructure needed a very high effort for the ongoing operation and maintenance of systems.

Additionally the main business application was built in a traditional and monolithic architecture and lacked proper scaling. The application needed to be replaced by a complete redevelopment using a modern software architecture, using microservices and latest technologies.

HPV is regulated by the German federal Financial Services Authority (BaFin) and needs to fulfil very high security requirements. Security requirements, compliance and regulations in the public cloud needs to be established in a verifiable manner. Continuous monitoring of the security and changes of all resources is mandatory. The new environment also must withstand an external security audit from an independent third party.

HPV decided to embrace all the challenges by moving their workload to the public cloud. Enterprises migrating to Amazon Web Services (AWS) with multiple applications and distributed teams often lack centralized governance, management, or security systems.

The solution

With the implementation of AWS Landing Zone, we enabled HPV to configure and provision a secure, scalable, automated, multi-account AWS environment aligned with AWS best practices. It gives HPV a granular, centralized control over their cloud workloads, with a consistent level of security and compliance across all accounts.

Core elements of AWS Landing Zone include a multi-account approach with multi-account monitoring, security baseline with preventative and detective controls,identity and access management, centralized security logging, automation with infrastructure as code (IaC) and a Account Vending Machine with add-on for a flexible environment extension. The Account Vending Machine as the heart of the automation system ensures automatic, fast and compliant provisioning of new AWS environments.

To properly test all changes and updates of the AWS Landing Zone Solution we have implemented a staging environment with a deployment pipeline to keep both Landing Zone environments in sync.

A full comprehensive notification system was set up to inform the teams for critical security alarms in their communication channels.

A multi-cloud network architecture with an integration to the account provisioning was implemented to support a rapid evolution of applications and business with a secure connection to the on-premise world and other clouds.

Results and Benefits

Increase Speed and Agility

Reduction of time to market through automation and agile provisioning of secure AWS environments. This results in a dramatic increase in agility for the organization, since the cost and time it takes to experiment and develop is significantly lower. Increase the focus on the business instead of operation.
Secure Integration

A secure connection between on-premise datacenter and cloud workloads was performed to leverage the flexibility and scale of services. The customer can scale securely with superior visibility and control. Deep integrated security services allow us to automate and reduce risks.

AWS offers regulated entities in Germany a strong compliance framework and advanced tools and security measures to evaluate, meet, and demonstrate compliance with applicable legal and regulatory requirements. Establishing a baseline for cloud security protects the company's data and applications and complies with regulations from GDPR and BaFin.