Governance at Scale as a Small Team Using AWS Organizations with Volkswagen Financial Services
Learn how Volkswagen Financial Services scaled its governance and security management practices using AWS Organizations.
- Eight-person team manages governance across 1,600 accounts
- Dramatically reduced time to remediation
- Centralized management of AWS account security
- Reduced time to market by centralizing governance policies
- Hundreds of thousands of euros saved in initial costs
Overview
The Managed Platform Services (MPS) team of Volkswagen Financial Services (VWFS) needed a team of eight engineers to manage the diverse security requirements of more than 1,000 developers so that the company could scale rapidly while meeting fast-changing regulatory requirements. VWFS launched its Mobility2030 strategy to develop a comprehensive, overarching mobility platform in close collaboration with the brands of the Volkswagen Group. The envisioned platform will give customers fast, digital, and flexible access to mobility. “IT is not an end to itself,” says Crispin Weissfuss, head of MPS at VWFS. “Our mission as a platform team is to empower our business teams to do what they do best—develop great products for our end customers.”
VWFS has more than 1,600 accounts on Amazon Web Services (AWS) across 48 markets around the globe. For a scalable solution that balances security and freedom for developers, MPS uses AWS Organizations, which lets organizations easily allocate resources, group accounts, and apply governance policies. The MPS team is using AWS Organizations to establish governance at scale, build greater visibility into its security posture, and dramatically cut time to remediation.
Opportunity | Using AWS Organizations to Automate Operations for a Team of Eight Managing 1,600 AWS Accounts
VWFS provides services such as financing, leasing, insurance, and mobility solutions to its customers in a highly regulated financial services environment. When the MPS team began using AWS in 2017, it had to oversee the technology of dozens of developers working in accounts with disparate configurations. “We identified areas where we could do the heavy lifting for customers,” says Weissfuss. “We wanted to handle centralized security and compliance so that a product team only needs to take care of the security of its application.” For example, the MPS team enforces encryption of block storage and databases and manages identity and access centrally.
The MPS team was determined to find the sweet spot between, on the one hand, standardizing security controls for 1,600 accounts and more than 350 production workloads, and on the other hand giving engineers the freedom to develop products using the advantages of the cloud. “We want to provide our teams with all the tools they need, tied together with one identity provider to log on,” says Jan Christophersen, DevOps engineer at VWFS. “They need source code storage, a ticketing system, secrets management, and somewhere to put their application on AWS. We are eight engineers, so we must be efficient and automate everything that we can.”
“Using AWS, our velocity is just higher, and we have more time to invest in features because we’ve automated most of the governance and security operations.”
Crispin Weissfuss
Head of Managed Platform Services, Volkswagen Financial Services
Solution | Drastically Reducing Time to Remediation While Saving Hundreds of Thousands of Euros
The MPS team splits each of its workloads into four AWS accounts that represent different stages—development, integration, preproduction, and production—with centralized accounts for compliance, monitoring, and auditing. MPS defines central configurations, security mechanisms, audit requirements, and resource sharing across all VWFS accounts. The team uses more than 40 AWS services and applies the AWS Organizations service control policies (SCPs), a type of authorization policy for managing permissions in an organization and helping make sure that accounts stay within an organization’s access control guidelines.
The MPS team created a centralized dashboard to facilitate reports for security officers, a separate team that monitors for threats and vulnerabilities. To track resource changes across all 1,600 accounts, MPS uses AWS Config, which continually assesses, audits, and evaluates the configurations of resources on AWS, on premises, and on other clouds. MPS centralizes the creation, updating, and deletion of AWS Config rules across all AWS accounts, and it uses APIs from the AWS Organizations management account to enforce governance at scale.
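The two preceding paragraphs describe SCPs as a deny-only guardrail and AWS Config as the centrally managed change-tracking layer. The following policy is an added illustration of how those two ideas combine in one SCP; it is not VWFS's own policy and is not taken from the page. It denies creation of unencrypted EBS volumes and RDS instances (the "encryption of block storage and databases" control mentioned earlier) and prevents member accounts from stopping or deleting the AWS Config recorder that the management account depends on. The role name `OrgGovernanceAutomation` is a hypothetical placeholder for whichever role the central team uses to manage Config.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUnencryptedEbsVolumes",
      "Effect": "Deny",
      "Action": "ec2:CreateVolume",
      "Resource": "*",
      "Condition": { "Bool": { "ec2:Encrypted": "false" } }
    },
    {
      "Sid": "DenyUnencryptedRdsInstances",
      "Effect": "Deny",
      "Action": "rds:CreateDBInstance",
      "Resource": "*",
      "Condition": { "Bool": { "rds:StorageEncrypted": "false" } }
    },
    {
      "Sid": "ProtectCentralConfigRecording",
      "Effect": "Deny",
      "Action": [
        "config:DeleteConfigurationRecorder",
        "config:StopConfigurationRecorder",
        "config:DeleteDeliveryChannel"
      ],
      "Resource": "*",
      "Condition": {
        "ArnNotLike": {
          "aws:PrincipalArn": "arn:aws:iam::*:role/OrgGovernanceAutomation"
        }
      }
    }
  ]
}
```

An SCP never grants access; it only caps what IAM policies inside the account can allow, and it applies to every principal in the member account, including the root user. Attach a policy like this to an organizational unit that contains a sandbox or development account first and confirm the expected denials show up in AWS CloudTrail and AWS Config before rolling it up to the OUs that hold the production accounts. Pair the EBS statement with EBS encryption by default so that teams rarely hit the deny at all.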
For vulnerability management at scale, the team uses Amazon Inspector, an automated vulnerability management service. “That was the game changer for us,” says Weissfuss. “Now, we have everything automated. We’re using AWS to do a lot of heavy lifting with continual scaling, autoactivation, automatic code scanning—all of which lead to us being even more efficient.”
Amazon Inspector works seamlessly within AWS Organizations so that the MPS team can automatically onboard new AWS accounts, scan code, and view aggregated finding data from all VWFS accounts. Previously, vulnerability scanning was complex; it took days to pore through findings from each account to report to security officers. Using Amazon Inspector, the MPS team achieved a dramatic cut in mean time to remediation. For example, in December 2021, a vulnerability in the common open-source library Apache Log4j affected online services globally. “Because we were using Amazon Inspector, we could simply identify the vulnerability in minutes and remediate it in a short time,” Weissfuss says. “Teams at other companies using other technologies took days to identify affected resources.” Plus, VWFS estimates it saves hundreds of thousands of euros in licensing fees by using the Amazon Inspector pay-as-you-go model.
The MPS team also gains operational insights and automatically deploys software patches across large groups of instances using AWS Systems Manager, a secure management solution for resources on AWS and in multicloud and hybrid environments. Using AWS Systems Manager, teams can view a dashboard of information about resources across all AWS accounts. “The resolution time is way faster now,” says Weissfuss. “As an example, a zero-day bug recently affected 80 servers and 10 different product teams on three continents, and all the machines were fixed within 24 hours.”
To centralize findings while monitoring compliance, the MPS team uses AWS Security Hub, which performs security best practice checks, aggregates alerts, and facilitates automated remediation. By connecting AWS Security Hub to AWS Organizations, the MPS team can automatically activate it across all AWS accounts. Using AWS Security Hub, the team continuously aggregates and prioritizes alerts from AWS Config, Amazon Inspector, AWS Systems Manager, and other AWS services. It has accelerated account provisioning by 15–20 minutes per batch. Moreover, MPS employs a cloud native application protection platform built on CloudGuard by Check Point Software Technologies, an AWS Partner. This enhances the provisioning of contextual insights, empowering customers to enact proactive security measures and intelligent preventative strategies throughout the application lifecycle.
Outcome | Driving Efficiency and Automation in Centralized Governance and Security Operations
With an ever-increasing number of accounts, the MPS team is looking to expand its use of AWS Organizations, such as by managing IP addresses within a virtual private cloud using Amazon Virtual Private Cloud (Amazon VPC), which defines and launches AWS resources in a logically isolated virtual network. The team hopes to improve efficiency using Amazon VPC IP Address Manager (IPAM), a feature that makes it simpler to plan, track, and monitor IP addresses across AWS workloads. “With just eight engineers, we always need an edge that makes us more efficient,” Weissfuss says. “Using AWS, our velocity is just higher, and we have more time to invest in features because we’ve automated most of the governance and security operations.”
About Volkswagen Financial Services
Volkswagen Financial Services, a business division of Volkswagen AG, coordinates the company’s financial services around the world and provides services such as financing, leasing, insurance, and mobility solutions.
AWS Services Used
AWS Organizations
AWS Organizations lets you create new AWS accounts at no additional charge. With accounts in an organization, you can easily allocate resources, group accounts, and apply governance policies to accounts or groups.
AWS Systems Manager
AWS Systems Manager is a secure end-to-end management solution for resources on AWS and in multicloud and hybrid environments.
Amazon Inspector
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure.
AWS Security Hub
AWS Security Hub is a cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts, and enables automated remediation.