Cloud operations in a regulated environment: no compromises on security and compliance
Deutsche Pfandbriefbank AG (pbb) is one of Germany's leading mortgage banks. Like all financial institutions, it operates under strict regulatory requirements: BaFin, MaRisk, and GDPR. At the same time, pressure grew to move from a fully on-premise infrastructure to a modern, scalable cloud environment. The constraint: no compromises on security, no operational downtime during migration.
CCsolutions took full technical responsibility for the complete migration to Microsoft Azure Kubernetes Service (AKS), from planning through to production operations.
Challenge: migration without risk to critical banking processes
pbb ran its entire application landscape on-premise. Dependence on legacy infrastructure, high operating costs, and limited scalability made migration unavoidable. The requirements were clear:
- No data loss, no production downtime during migration
- Full traceability of all deployments for compliance audits
- Disaster Recovery with defined RTO values
- Security architecture that meets regulatory requirements
The migration had to be completed in under 6 months.
Solution: Azure Kubernetes with GitOps and zero-trust networking
CCsolutions designed and implemented a complete AKS infrastructure built from the ground up for compliance and operational reliability.
Infrastructure as Code with Terraform: The entire Azure infrastructure was described declaratively with Terraform. Every infrastructure change is versioned, reviewable, and reproducible, providing a direct audit trail for compliance requirements.
GitOps deployments with Argo CD: All application deployments are managed through Argo CD. The desired system state is defined in the Git repository; Argo CD continuously ensures the actual cluster state matches it. No more manual `kubectl apply`. Every change has a commit, an author, and a timestamp.
Zero-trust with Istio and Open Policy Agent: The service mesh encrypts all internal traffic (mTLS) and controls which services are allowed to communicate. OPA (Open Policy Agent) enforces security policies at cluster level. No container starts without a policy check.
CI/CD with Azure DevOps: A complete deployment pipeline from code commit to production, with automated tests, security scans, and rollback mechanisms.
Observability with Grafana: Centralized monitoring of all cluster metrics, logs, and alerts via Grafana, with defined SLO dashboards for banking operations.
Results: complete migration in 6 months
The migration was completed within the defined timeframe with no production outages:
- 100% on-premise to Azure: All workloads run in AKS, no legacy servers remain
- Disaster Recovery under 75 minutes: Fully automated recovery process, regularly tested
- GitOps deployments: Every deployment has a complete audit trail: name, timestamp, diff
- Compliance-ready: Security architecture meets BaFin and MaRisk requirements
- Operational stability: No unplanned outages since go-live
Technology stack
| Area | Technology |
|---|---|
| Cloud | Microsoft Azure / AKS |
| Infrastructure as Code | Terraform |
| GitOps | Argo CD |
| CI/CD | Azure DevOps |
| Service Mesh | Istio |
| Policy Engine | Open Policy Agent (OPA) |
| Observability | Grafana |
Summary
The pbb migration shows that even highly regulated industries like financial services can benefit from modern cloud infrastructure, provided security and compliance are treated as core architecture from the start, not as an afterthought.
If you are facing a similar migration and want to know what is realistic for your specific infrastructure, talk to us. In a free 45-minute call, we will analyze your situation.