25 February 2025

Case Study: Cloud Migration of a Financial Services Provider — Security from the Start

A financial services provider has migrated its core applications to the Azure Cloud – with security as an integral part from day one. Result: DORA compliance maintained, operating costs reduced by 22%.

TL;DR

A financial services provider with 2,000 employees has migrated its core applications from on-premises to the Azure Cloud – with security as an integral part from day one. Result: Regulatory compliance (DORA, BaFin) maintained, security posture measurably improved, operating costs reduced by 22%.

Initial Situation

The company operated its core applications (portfolio management, CRM, reporting) on its own hardware in two data centers. The infrastructure was outdated, operation was expensive, and scaling for new regulatory requirements was difficult.

The biggest hurdle: The BaFin-regulated financial sector has special requirements for cloud usage (MaRisk, BAIT, DORA). Every migration must be approved in advance.

Security-First Approach

The project team defined security requirements before the architecture:

Landing Zone:

  • Azure Landing Zone with hub-and-spoke topology
  • Azure Firewall as a central egress point with TLS inspection
  • Private endpoints for all PaaS services (no public access)
  • Azure Policy for compliance enforcement (no resource without encryption at rest)

Identity and Access:

  • Azure AD with conditional access and privileged identity management
  • Just-in-time access for administrative rights
  • Passwordless authentication for all employees

Monitoring:

  • Microsoft Sentinel as cloud SIEM
  • Custom detection rules for industry-specific threats
  • Automated playbooks for the 10 most common alert types

Regulatory Implementation

The BaFin requirements were addressed as follows:

  • Data location: All data in Azure Region Germany West Central (Frankfurt)
  • Outsourcing management: Complete documentation of cloud usage as outsourcing
  • Exit strategy: Documented plan for remigration within 90 days
  • Audit capability: Log retention of 7 years, unalterable in Azure Immutable Storage
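
The landing-zone guardrails and the data-location and log-retention requirements above can be checked against an exported resource inventory before deployment. The following Python check is an added example, not part of the case study or the provider's tooling; it assumes storage-account records in the ARM export shape, a hypothetical `purpose` tag for log archives, and 7 years counted as 2555 days, and the inventory is constructed sample data.

```python
ALLOWED_REGION = "germanywestcentral"  # Azure region name for Germany West Central
MIN_RETENTION_DAYS = 7 * 365           # assumption: 7 years counted as 2555 days

def check_storage_account(res):
    """Return guardrail violations for one storage-account dict (fail closed)."""
    props = res.get("properties", {})
    findings = []
    if res.get("location", "").lower() != ALLOWED_REGION:
        findings.append("data-location")
    if props.get("publicNetworkAccess", "Enabled") != "Disabled":
        findings.append("public-access")
    if not props.get("privateEndpointConnections"):
        findings.append("no-private-endpoint")
    blob = props.get("encryption", {}).get("services", {}).get("blob", {})
    if blob.get("enabled") is not True:
        findings.append("encryption-at-rest")
    # The "purpose" tag is a hypothetical convention for marking log archives.
    if res.get("tags", {}).get("purpose") == "audit-logs":
        pol = props.get("immutableStorageWithVersioning", {}).get("immutabilityPolicy", {})
        days = pol.get("immutabilityPeriodSinceCreationInDays", 0)
        if pol.get("state") != "Locked" or days < MIN_RETENTION_DAYS:
            findings.append("log-retention")
    return findings

def audit(inventory):
    """Map resource name -> violations, listing only non-compliant resources."""
    report = {r["name"]: check_storage_account(r) for r in inventory}
    return {name: f for name, f in report.items() if f}

def _account(name, location, public, endpoints, tags=None, policy=None):
    # Builds a constructed sample record in the shape of an ARM export.
    props = {"publicNetworkAccess": public, "privateEndpointConnections": endpoints,
             "encryption": {"services": {"blob": {"enabled": True}}}}
    if policy:
        props["immutableStorageWithVersioning"] = {"enabled": True, "immutabilityPolicy": policy}
    return {"name": name, "location": location, "tags": tags or {}, "properties": props}

SAMPLE_INVENTORY = [  # constructed data, not from the case study
    _account("stportfolio", "germanywestcentral", "Disabled", [{"id": "pe-1"}]),
    _account("stcrmexport", "westeurope", "Enabled", []),
    _account("stauditlogs", "germanywestcentral", "Disabled", [{"id": "pe-2"}],
             tags={"purpose": "audit-logs"},
             policy={"state": "Unlocked", "immutabilityPeriodSinceCreationInDays": 365}),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{name}: {', '.join(findings)}")
```

A missing or unrecognised property counts as a violation, so an incomplete export cannot pass the check by omission.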

Results

  • 22% lower operating costs by replacing the company's own hardware
  • Patch cycles reduced from 30 days to 48 hours
  • 99.99% availability (vs. 99.5% on-premises)
  • Passed BaFin audit without objections
  • DORA compliance from day one of productive use

Key Facts

Industry: Financial services (BaFin-regulated)

Cloud: Microsoft Azure (Region Germany West Central)

Project duration: 12 months

Cost reduction: 22% compared to on-premises

Compliance: DORA, MaRisk, BAIT without objections

Fact: According to Gartner, by 2026 over 75 percent of all financial services providers will migrate business-critical workloads to the cloud – an increase of 45 percent compared to 2023.

Fact: The IBM Cost of a Data Breach Report 2024 estimates the cost of a data breach in the financial sector at an average of $5.9 million.

Frequently Asked Questions

Is cloud migration possible for regulated industries?

Yes, if regulatory requirements are integrated into the architecture from the start. Key factors are data location (EU/Germany), documentation of outsourcing, and a verifiable exit strategy.

Which cloud region is suitable for German financial services providers?

Azure Germany West Central (Frankfurt) or AWS eu-central-1 (Frankfurt). Both meet the BaFin requirements for data location within the EU.

Which compliance requirements specifically apply to cloud workloads in the financial sector?

In addition to NIS2, financial services providers are subject to the DORA regulation, which sets strict requirements for digital operational resilience. Cloud workloads must be encrypted, auditable, and stored with geo-redundancy. Furthermore, BaFin guidelines require complete traceability of all data accesses.


Tobias Massow

About the author: Tobias Massow

A magazine by Evernine Media GmbH