Title: AWS re:Inforce 2024 - How BBVA relies on Amazon AppStream to avoid data exfiltration (DAP303)
Insights:
- Regulatory Compliance: BBVA operates in a highly regulated environment, requiring compliance with evolving guidelines across multiple locations.
- Amazon AppStream: Key to BBVA's architecture, enabling secure pixel streaming of applications to end users, ensuring data remains on AWS.
- Security Measures: AppStream keeps all application data on AWS; only the encrypted pixel stream plus keyboard and mouse input cross the streaming protocol. Multifactor authentication is enforced through the identity provider users federate from, and AWS VPC interface endpoints keep streaming traffic on the AWS backbone rather than the public internet.
- Centralized Management: BBVA uses centrally managed images for application deployment, simplifying updates and ensuring consistency across all end users.
- Global Presence: BBVA is a Spanish bank with a significant global footprint, operating in over 25 countries with more than 120,000 employees and 70 million active customers.
- AWS Journey: BBVA began testing AWS in 2012, with production workloads starting in 2016. They have since expanded globally, accelerated by the COVID-19 pandemic.
- AWS Infrastructure: BBVA uses 12 AWS organizations and nearly 600 AWS accounts, expecting to grow to 1,000 accounts within the next year. They use over 100 AWS services, including big data, AI, and IoT services.
- Security Policies: BBVA defines security policies for each AWS service, outlining best practices and requirements to control and remediate potential risks.
- BBVA Landing Zone: A custom multi-account environment with strict security and network baselines, ensuring standardized deployment and management across all accounts.
- Data Protection Strategy: BBVA embeds security in the design of all architectures, focusing on minimizing attack surfaces, controlling outbound connections, and segmenting permissions and networks.
- Amazon AppStream Implementation: BBVA uses AppStream to provide secure access to internal resources, especially during the COVID-19 pandemic and for data platform migration.
- Heindal System: An internal system developed by BBVA to manage AppStream fleets, integrate with their identity provider, and control access and configurations.
- Single Sign-On Architecture: BBVA's solution for securely passing session context into AppStream sessions. Rather than placing the sensitive context in the AppStream session context field itself, it stores that context in encrypted storage and passes only a one-time-use API token; the session redeems the token once to fetch the real context.
- Future Plans: BBVA plans to migrate AppStream fleets to the new Spain region, implement blue-green deployments for fleet updates, and embed new administrative tools within AppStream.
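The single sign-on pattern above (session context carries only a reference, the real data lives elsewhere and can be fetched once) as an added example. This is illustrative code written for this summary, not BBVA's Heindal implementation; it assumes a broker that holds the context (an in-memory dict here, standing in for an encrypted store such as a KMS-encrypted table), an in-session agent that redeems the token over an authenticated API, and a hypothetical 120-second token lifetime.

```python
"""One-time-use session-context handoff for AppStream 2.0 sessions (added example)."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 120  # assumed lifetime; a deployment choice, not from the talk


class ContextBroker:
    """Holds session context under a random token; stands in for an encrypted store."""

    def __init__(self, now=time.time):
        self._now = now
        # key: SHA-256 of the token, so a leaked store does not yield usable tokens
        # value: (expiry timestamp, context dict)
        self._store = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, context: dict) -> str:
        """Store the context and return the opaque token to place in SessionContext."""
        token = secrets.token_urlsafe(32)  # 43 chars, well under the 1000-char field limit
        self._store[self._key(token)] = (self._now() + TOKEN_TTL_SECONDS, dict(context))
        return token

    def redeem(self, token: str):
        """Return the context exactly once; a reused or expired token yields None."""
        entry = self._store.pop(self._key(token), None)  # pop enforces single use
        if entry is None:
            return None
        expiry, context = entry
        if self._now() > expiry:
            return None
        return context


def build_streaming_url_params(stack: str, fleet: str, user_id: str, token: str) -> dict:
    """Parameters for appstream.create_streaming_url(); SessionContext carries only the token."""
    return {
        "StackName": stack,
        "FleetName": fleet,
        "UserId": user_id,
        "SessionContext": token,  # opaque reference, never the sensitive context itself
        "Validity": 60,           # seconds the streaming URL stays usable
    }


def demo():
    """Constructed walk-through: issue, first redeem succeeds, replay fails, expiry fails."""
    clock = [1_000_000.0]
    broker = ContextBroker(now=lambda: clock[0])
    ctx = {"user": "alice", "roles": ["data-analyst"], "ticket": "<constructed>"}
    token = broker.issue(ctx)
    params = build_streaming_url_params("bbva-stack", "bbva-fleet", "alice", token)
    first = broker.redeem(token)    # in-session agent fetches the context
    second = broker.redeem(token)   # replay of the same token is refused
    later = broker.issue(ctx)
    clock[0] += TOKEN_TTL_SECONDS + 1
    expired = broker.redeem(later)  # unused token past its TTL is refused
    return first, second, expired, params


if __name__ == "__main__":
    print(demo())
```

The design point is that a leaked streaming URL or session context exposes nothing beyond a short-lived, single-use reference, and the broker never hands the same context out twice.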
Quotes:
- "Financial services customers, as you probably know, is a highly regulated environment, such as healthcare or government."
- "Amazon AppStream will offer, will enable that application in a secure pixel stream to the end users."
- "BBVA is a Spanish bank with a strong global presence. It is present in more than 25 countries as of now."
- "The journey of BBVA on AWS started a long, long time ago. So they started to test AWS in 2012."
- "We are using over 100 AWS services. As you may see, within these services are not the typical infrastructure as a service and computing services."
- "A security policy for us is just a set of best practices and requirements in terms of security."
- "We aim to control all the outbound connection to the public internet in order to avoid potential data breaches or exfiltration of information through public channels."
- "The solution that we found for all of these challenges and use cases was, of course, Amazon AppStream."
- "Heindal is basically a global and central entry point for all the fleets that BBVA has, over 100 fleets right now."
- "The idea is to keep using the session context functionality but not pass the content through this functionality."
- "We are restricting the configuration of bidirectional copy-paste like copying from the remote session to the local session, download files, printing files, all of this is totally blocked by Heindal."
- "We aim to be as close as possible to our customers and our internal users."
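The lockdown described in the quote above (no clipboard out, no downloads, no printing) and the VPC interface endpoint from the Security Measures insight, expressed as AppStream 2.0 stack settings. This is an added example for this summary, not Heindal's code; it assumes a pre-existing streaming interface endpoint (placeholder id) and credentials allowed to call appstream:CreateStack.

```python
"""AppStream 2.0 stack parameters that block data-movement paths (added example)."""

# Data-movement actions AppStream 2.0 exposes as stack user settings; all default to ENABLED
DATA_MOVEMENT_ACTIONS = (
    "CLIPBOARD_COPY_FROM_LOCAL_DEVICE",
    "CLIPBOARD_COPY_TO_LOCAL_DEVICE",
    "FILE_UPLOAD",
    "FILE_DOWNLOAD",
    "PRINTING_TO_LOCAL_DEVICE",
)

# Paths that move data out of the session; these are the exfiltration channels
OUTBOUND_ACTIONS = frozenset({
    "CLIPBOARD_COPY_TO_LOCAL_DEVICE",
    "FILE_DOWNLOAD",
    "PRINTING_TO_LOCAL_DEVICE",
})


def build_locked_down_stack(name: str, vpce_id: str, allow_upload: bool = False) -> dict:
    """create_stack() parameters with every data-movement path DISABLED by default.

    allow_upload=True re-enables FILE_UPLOAD only (data into the session, never out),
    to show that exceptions are explicit rather than the default.
    """
    settings = []
    for action in DATA_MOVEMENT_ACTIONS:
        enabled = action == "FILE_UPLOAD" and allow_upload
        settings.append({"Action": action, "Permission": "ENABLED" if enabled else "DISABLED"})
    return {
        "Name": name,
        "UserSettings": settings,
        # Pin streaming traffic to the VPC interface endpoint instead of the public internet
        "AccessEndpoints": [{"EndpointType": "STREAMING", "VpceId": vpce_id}],
    }


def verify_no_exfil_path(stack_description: dict) -> list:
    """Audit a stack (e.g. one entry from describe_stacks()['Stacks']).

    Returns the outbound actions still enabled; an empty list means compliant.
    A missing action counts as enabled, because the AppStream default is ENABLED.
    """
    seen = {s["Action"]: s["Permission"] for s in stack_description.get("UserSettings", [])}
    return sorted(a for a in OUTBOUND_ACTIONS if seen.get(a, "ENABLED") != "DISABLED")


def create_stack(params: dict):
    """Apply the parameters with boto3 (imported lazily so the builders run offline)."""
    import boto3
    return boto3.client("appstream").create_stack(**params)


if __name__ == "__main__":
    params = build_locked_down_stack("bbva-locked", "vpce-0123456789abcdef0")  # placeholder id
    print(params)
    print("violations:", verify_no_exfil_path(params))
```

The audit function is the piece worth running on a schedule: a stack created through the console without explicit user settings inherits ENABLED for every action, so checking only the settings that are present would miss the default-open case.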