AWS for Industries
Part 4: Building a Multi-Layer Security Strategy for BBVA’s Global Data Platform on AWS
This is the fourth post of a six-part series detailing how BBVA migrated its Analytics, Data, AI (ADA) platform to AWS. In this post, we explore how BBVA developed and implemented a comprehensive multi-layer security strategy to protect petabyte-scale financial data while enabling secure access for over 6,500 advanced users across their global operations. We’ll examine how BBVA leveraged AWS services to build a robust security framework that balances stringent data protection requirements with operational efficiency and user experience.
Read the entire series:
- Part 1: BBVA: Building a multi-region, multi-country global Data and ML Platform at scale
- Part 2: How BBVA processes a global data lake using AWS Glue and Amazon EMR
- Part 3: How BBVA built a global analytics and machine learning platform on AWS
- Part 4: Building a Multi-Layer Security Strategy for BBVA’s Global Data Platform on AWS
- Part 5: BBVA’s unified console: Key to successful global platform deployment
- Part 6: Effective sunset of the legacy data platform in BBVA: the migration methodology
Challenges
In today’s financial services landscape, institutions face the dual challenge of enabling seamless data access while maintaining stringent security controls. BBVA confronted this challenge head-on during its ambitious global data platform migration.
Managing sensitive financial data at scale presents unique security considerations. With over 6,500 advanced users and 40,000 consumers accessing more than 8.4 petabytes of data daily, BBVA’s platform handles a vast array of confidential information, including Personally Identifiable Information (PII), payment transaction data, critical business intelligence, and regulatory compliance data.
The platform serves multiple business units across BBVA’s global operations, making fine-grained access control critical to its security architecture. Each user must be granted access strictly to the data they need and are authorized to use, following the principle of least privilege. This granular approach to access management ensures data segregation between business units while enabling collaborative work where appropriate.
For a platform of this scale and sensitivity, implementing a comprehensive security strategy was paramount. This meant developing a full suite of preventive, detective, and corrective controls to protect against potential threats, detect security incidents in real-time, and respond effectively to any security events.
The migration to AWS presented both opportunities and challenges. A key security objective was to maintain strict data protection while improving the user experience. BBVA’s existing on-premises isolation solution was approaching end-of-life and struggled to scale with the organization’s growing use cases. This created an imperative to implement a modern security framework that could enforce robust access controls, keep sensitive data within AWS secure boundaries, scale elastically with user demand, and provide a frictionless experience for legitimate users.
Amazon AppStream 2.0 emerged as a compelling solution to these challenges, offering enhanced security capabilities while addressing the limitations of the legacy solution. This post explores how BBVA architected their security controls to protect petabyte-scale financial data while enabling their global workforce to operate efficiently in the cloud.
Solution overview
BBVA has implemented a comprehensive data security strategy built on multiple layers of defense:
Figure 1 – BBVA AWS Modern Data Architecture
- User access to AWS accounts is controlled through AWS Identity and Access Management (IAM) roles, granted specifically for the projects users are working on. The IAM roles follow the principle of least privilege, with permissions tailored to specific datasets and tables based on business requirements, so users can only reach the resources essential for their roles. The mapping of accounts, roles, and employees is handled internally by BBVA’s identity management systems.
- AWS Key Management Service (KMS) encrypts all data at rest in the AWS accounts. Additionally, the AWS Glue Data Catalog and Amazon Simple Storage Service (Amazon S3) buckets are protected with restrictive resource policies to prevent unauthorized access.
- AWS Lake Formation provides an additional layer of access control for Amazon S3 and AWS Glue operations, working in conjunction with AWS IAM roles to create a comprehensive permissions framework.
- Amazon AppStream 2.0 implements data loss prevention measures by limiting data exfiltration, restricting copy-paste functionality, and preventing unauthorized file downloads during sessions. AppStream streaming sessions are further protected through a combination of controls that limit access to only federated users and enforce AWS IAM policy conditions requiring connections from specific VPCs.
- A centralized security monitoring framework in the security account provides both detective and corrective controls across the organization. This framework ingests logs from all accounts, continuously monitors for security events, and implements automated responses to detected incidents. These automated remediation workflows ensure rapid response to potential security threats while maintaining consistent security standards across the platform.
- BBVA is using AWS Backup service to maintain an immutable backup of its critical resources and data, including Amazon S3 and Amazon DynamoDB.
This multi-layered approach ensures robust protection of BBVA’s sensitive data while maintaining operational efficiency.
First Layer: Identity and Role-Based Access Control
The foundation of BBVA’s security architecture begins with comprehensive identity and role-based access control. BBVA’s central Identity Provider (IdP) handles authentication and Global Identity and Access Management (GIAM) manages authorization. Users are mapped to specific groups within GIAM, which provisions three primary role categories for each business unit: data-scientist, data-analyst, and sandbox-owner. When a user is assigned to a business unit with a specific role category, the internal BBVA Identity API triggers the creation of a SageMaker profile associated with the user. This profile matches the user ID, so activity in SageMaker can be tracked and monitored per user.
The data roles (data-scientist and data-analyst) provide controlled access to essential AWS services. Data scientists can leverage Amazon SageMaker for machine learning workflows, while both roles can utilize Amazon EMR for big data processing, along with other data analytics services based on their specific role requirements.
The sandbox-owner role is designed for administrative and governance functions, enabling management of account quotas, security parameter configuration, working hours enforcement, and resource utilization monitoring. Sandbox owners are accountable for AWS account cost management, ensuring efficient resource utilization and budget adherence within their domain.
All roles interact through the console of the BBVA Global Data Platform, named ADA (Analytics, Data, AI), which serves as a centralized control interface. Through this console, users can manage engines, execute and monitor jobs, generate reports, and control account spending. This unified interface ensures consistent security policy enforcement while providing users with the tools they need to perform their tasks effectively.
This foundational layer ensures that access control begins at the identity level and flows consistently through all subsequent security layers, creating a robust and manageable security framework.
Second Layer: Data Security and Encryption
The second layer of defense focuses on protecting data at rest and in transit through comprehensive encryption strategies for both AWS Glue Data Catalog and Amazon S3 buckets.
During BBVA’s migration, a proper cataloging of data was required to enhance control, management, and permission handling. To achieve this, BBVA opted for a combination of AWS Glue Data Catalog and AWS Lake Formation. The AWS Glue Data Catalog serves as a managed persistent technical metadata store, allowing BBVA to store, annotate, and share metadata in the AWS Cloud. AWS Lake Formation complements this by providing centralized governance, security, and global sharing capabilities for analytics and machine learning data.
AWS KMS keys encrypt the AWS Glue Data Catalog. This encryption extends to all metadata objects within the Data Catalog, including databases, tables and partitions. The encryption settings are managed at the account level, ensuring consistent protection of metadata across all catalog resources.
Data stored in Amazon S3 buckets is encrypted with customer-managed keys in AWS Key Management Service (KMS). Bucket policies restrict external access to the data. For data in transit, BBVA enforces encrypted connections by rejecting requests that do not use TLS (in S3 this is expressed as a bucket policy condition on aws:SecureTransport). Further mechanisms prevent data exfiltration and unauthorized access to objects through direct links.
BBVA’s ADA platform categorizes data into various security levels, including a tokenized level for sensitive personal information that must not be stored in clear text. To further strengthen data security, all information stored in the ADA platform is encrypted at rest using AWS KMS with Customer Managed Keys (CMKs). This approach gives BBVA full control over the encryption keys, allowing for more granular access management and meeting stringent regulatory requirements in the financial sector.
Data is segregated across storage locations based on a combination of parameters, enabling optimized storage, usage, and auditing. This includes criteria such as geographical region, internal entity, and data security level.
Third Layer: Data Lake Governance with AWS Lake Formation
The third layer of defense leverages AWS Lake Formation as a central governance mechanism for BBVA’s data lake. AWS Lake Formation provides comprehensive capabilities to secure, manage, and share data for analytics and machine learning workloads, while maintaining fine-grained access control over data stored in Amazon S3 and its associated metadata in the AWS Glue Data Catalog.
AWS Lake Formation implements its own permissions model that complements the existing AWS IAM permissions framework: a principal needs both the IAM permission to call the analytics service and a Lake Formation grant on the data. When you grant Lake Formation permissions on a Data Catalog table, you can attach data filters that restrict which columns, rows, or cells appear in query results, giving column-level, row-level, and cell-level security on a single copy of the table. These filters are enforced by the engines integrated with Lake Formation (for example Amazon Athena, Amazon EMR, AWS Glue, and Amazon Redshift Spectrum) rather than by the catalog itself, so the same table yields different results for different principals.
A key strength of AWS Lake Formation is its cross-account data sharing capabilities. BBVA leverages this feature to share data securely across principals (an AWS account, user, role, or SAML user or group) within its AWS Organization. This combination provides secure and centralized access to data lake resources on Amazon S3 and their metadata in the AWS Glue Data Catalog, eliminating the need to grant users or roles direct Amazon S3 permissions or to fine-tune bucket policies for every consumer: for registered data lake locations, Lake Formation vends short-lived credentials to the query engine on the principal’s behalf.
Given BBVA’s scale, with numerous business units and thousands of tables, managing individual permissions at the table level would be impractical and error-prone. To address this challenge, BBVA leverages AWS Lake Formation Tags (LF-Tags) as a scalable solution. These tags enable efficient categorization of data lake objects – including Amazon S3 locations, databases, tables, and columns – and streamline the assignment of permissions to principals.
BBVA implements a comprehensive access management strategy through AWS Lake Formation for each of the different business units. Each one has specific data access requirements and operational responsibilities. Users within a business unit inherit the data access permissions granted to their unit, enabling them to execute jobs and access both their unit’s data and any additional authorized datasets.
Through a custom-developed profiling API, BBVA has automated the catalog management workflow, LF-Tag management, access management, and cross-business-unit access requests through the ADA console, eliminating the need for direct catalog and permissions management in the AWS console.
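To make the LF-Tag mechanism above concrete, here is an added example that models how Lake Formation resolves tag-based grants; it is not BBVA's profiling API and not the Lake Formation service itself. The tag keys (domain, region, sensitivity), the tables and the roles are constructed. It reproduces the documented matching rules: child resources inherit a parent's tag value for a key unless they override it, and a grant's tag expression matches a resource only when every key in the expression is present with one of the listed values.

```python
"""Model of Lake Formation tag-based access control (LF-TBAC): LF-Tags sit on
databases, tables and columns, child resources inherit a parent's value for a key
unless they set their own, and a grant's tag expression matches a resource only when
every key in the expression is present with one of the listed values. Added example
with constructed tags, tables and roles; it reproduces the documented matching rules
but is not the Lake Formation service and is not BBVA's profiling API."""
from dataclasses import dataclass, field


@dataclass
class Table:
    database: str
    name: str
    columns: list
    tags: dict = field(default_factory=dict)         # table-level LF-Tags
    column_tags: dict = field(default_factory=dict)  # column -> LF-Tags overriding the table's


# Constructed tag ontology (hypothetical keys and values).
DATABASE_TAGS = {"ada_payments": {"domain": "payments", "region": "eu"}}

TABLES = [
    Table("ada_payments", "card_transactions",
          ["txn_id", "amount", "merchant", "card_holder_name", "pan_token"],
          tags={"sensitivity": "internal"},
          column_tags={"card_holder_name": {"sensitivity": "pii"},
                       "pan_token": {"sensitivity": "tokenized"}}),
    Table("ada_payments", "merchant_dim", ["merchant", "mcc", "country"],
          tags={"sensitivity": "public"}),
]

# Grants as tag expressions: key -> allowed values. Keys are ANDed, values ORed.
GRANTS = {
    "role/payments-data-analyst": [{"domain": {"payments"}, "sensitivity": {"public", "internal"}}],
    "role/payments-data-scientist": [{"domain": {"payments"},
                                      "sensitivity": {"public", "internal", "tokenized"}}],
    "role/risk-data-analyst": [{"domain": {"risk"}, "sensitivity": {"public", "internal"}}],
}


def effective_tags(table, column=None):
    """Tags Lake Formation sees on a table or column: database tags, overridden by
    table tags, overridden by the column's own tags for the same key."""
    tags = dict(DATABASE_TAGS.get(table.database, {}))
    tags.update(table.tags)
    if column is not None:
        tags.update(table.column_tags.get(column, {}))
    return tags


def expression_matches(expression, tags):
    """Every key in the expression must be present with one of its allowed values."""
    return all(tags.get(key) in values for key, values in expression.items())


def selectable_columns(principal, table):
    """Columns the principal may SELECT. The table itself must match a grant, and each
    column is then checked with its own effective tags, so a column re-tagged to a
    higher sensitivity than the table drops out without a separate column grant."""
    expressions = GRANTS.get(principal, [])
    if not any(expression_matches(e, effective_tags(table)) for e in expressions):
        return []
    return [c for c in table.columns
            if any(expression_matches(e, effective_tags(table, c)) for e in expressions)]


def access_matrix():
    """principal -> {database.table: visible columns} for the whole constructed catalog."""
    return {p: {f"{t.database}.{t.name}": selectable_columns(p, t) for t in TABLES} for p in GRANTS}


if __name__ == "__main__":
    for principal, tables in access_matrix().items():
        for table, cols in tables.items():
            print(f"{principal:30s} {table:32s} {cols or 'no access'}")
```

The point the model makes is the one that makes LF-Tags scale: tagging card_holder_name as sensitivity=pii removes it from every grant that does not list pii, without touching the grants, and a new table tagged domain=payments, sensitivity=internal becomes visible to the payments roles the moment it is catalogued. In the real service the same grant is made with GrantPermissions using an LFTagPolicy resource (ResourceType TABLE plus the tag expression) and Permissions SELECT, and tags are attached with AddLFTagsToResource; the model simplifies by ignoring DESCRIBE permissions and the separate grants possible at the database level.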
Fourth Layer: Secure Application Streaming with Amazon AppStream 2.0
The fourth layer of defense employs Amazon AppStream 2.0, a fully managed application streaming service that provides secure, on-demand access to desktop applications from any location. This service forms the critical interface between BBVA’s end users and the data platform, combining security with exceptional user experience.
AppStream 2.0’s robust security capabilities focus on comprehensive Data Loss Prevention (DLP). The service provides precise control over data movement, including configurable copy/paste limitations and granular file transfer controls, significantly reducing the risk of unauthorized data exfiltration and human errors.
Access control and authentication for AppStream are integrated into BBVA’s existing security framework. When users access AWS through the ADA console, they are automatically redirected to secure AppStream sessions. The framework restricts streaming sessions to federated users only, and limits session access to specific VPCs through AWS IAM policy conditions. These controls reuse BBVA’s existing authentication mechanisms, ensuring a consistent and secure access model.
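The identity-based policy behind those two restrictions can be checked mechanically. The following is an added example, not BBVA's policy or tooling: it shows a permissive AppStream stack-access policy beside a hardened one and a small audit function for the controls just described. The stack ARN and VPC ID are placeholders, and aws:SourceVpc is the condition key assumed for the "specific VPC" restriction (aws:SourceVpce is the alternative when pinning a single interface endpoint).

```python
"""Identity-based policy a SAML federation role needs to open an AppStream 2.0
streaming session, shown as a weak version beside a hardened one, with a checker
for the controls the text describes: only the streaming action, on one named
stack, bound to the federated identity, and only from the platform VPC. Added
example; the stack ARN and VPC ID are placeholders, and aws:SourceVpc is the
condition key assumed for the "specific VPC" restriction."""

STACK_ARN = "arn:aws:appstream:eu-west-1:111122223333:stack/ada-analytics"  # hypothetical
PLATFORM_VPC = "vpc-0123456789abcdef0"                                       # hypothetical
STREAM_ACTION = "appstream:Stream"

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": "appstream:*",  # far more than a user needs to stream
    "Resource": "*",          # every stack the role can reach, in any account
}]}

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": STREAM_ACTION,
    "Resource": STACK_ARN,
    "Condition": {"StringEquals": {
        "appstream:userId": "${saml:sub}",  # the session runs as the federated identity only
        "aws:SourceVpc": PLATFORM_VPC,      # and can only be started from the platform VPC
    }},
}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_stream_policy(policy, stack_arn, vpc_id):
    """Return one finding per missing control in each Allow statement; an empty
    list means all four controls are present."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        if actions != [STREAM_ACTION]:
            findings.append(f"actions {actions}: only {STREAM_ACTION} should be allowed")
        resources = _as_list(stmt["Resource"])
        if resources != [stack_arn]:
            findings.append(f"resources {resources}: restrict to the single stack {stack_arn}")
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if equals.get("appstream:userId") != "${saml:sub}":
            findings.append("appstream:userId is not bound to ${saml:sub}: any user ID could be streamed")
        if equals.get("aws:SourceVpc") != vpc_id:
            findings.append(f"no aws:SourceVpc = {vpc_id} condition: sessions could start outside the platform VPC")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        findings = audit_stream_policy(policy, STACK_ARN, PLATFORM_VPC)
        print(f"{label}: {'all controls present' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The "federated users only" half of the control lives in the role's trust policy rather than in this permission policy: the trust policy names the SAML provider as the Federated principal and allows only sts:AssumeRoleWithSAML, so nobody can assume the streaming role with long-lived credentials. The ${saml:sub} binding then ensures the streaming session is created for the same identity the IdP asserted, not for an arbitrary user ID supplied in the request.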
BBVA’s Security team manages AppStream fleets across numerous accounts, each with its own specific use case and usage pattern. To ensure optimal performance and resource efficiency, BBVA has implemented and fine-tuned sophisticated scaling strategies for each fleet. Dynamic scaling policies automatically adjust fleet capacity based on real-time utilization metrics. When capacity utilization approaches configured thresholds, the fleet automatically scales out to maintain performance and user experience. Conversely, when demand decreases, the fleet scales in to optimize costs.
Complementing the dynamic scaling, BBVA has implemented customized scheduled scaling policies aligned with each account’s unique platform usage patterns and working hours. These policies proactively adjust fleet capacity during core business hours when maximum capacity is needed, while reducing resources during off-peak hours. For accounts with 24/7 operational requirements, fleets maintain continuous availability with optimized capacity. Meanwhile, accounts with standard business hours or limited weekend activity have their fleets automatically shut down during off-hours and weekends, significantly reducing costs while maintaining service levels aligned with actual business needs.
To efficiently manage this large-scale deployment, BBVA’s Security team has developed automated solutions for fleet management and maintenance. These tools enable programmatic updates of AppStream images across all fleets and systematic management of fleet configurations, ensuring consistent security standards while minimizing operational overhead. This automated approach allows rapid deployment of security patches, application updates, and configuration changes across the entire fleet infrastructure.
Application streaming fleets supporting BBVA’s platform are strategically deployed across different cloud regions to ensure optimal service availability and performance with minimal latency for users in various geographical locations. The combination of dynamic and scheduled scaling ensures consistent performance during peak usage while maintaining cost efficiency during lower demand periods.
From an operational perspective, AppStream 2.0 significantly simplifies application management through centralized control. This eliminates the need for local software installation and maintenance while providing consistent application experiences across all user devices. The platform reduces endpoint security risks and enables access from a web browser, enhancing both security and usability.
Fifth Layer: Detective and Automated Response Controls
The fifth layer of BBVA’s security architecture implements a comprehensive detective and automated response framework centralized in a dedicated security account. This layer provides continuous monitoring and automated remediation capabilities across the entire AWS organization.
At its core, the framework ingests AWS CloudTrail logs from all accounts within the organization, creating a centralized repository of all API activities and resource changes. These logs undergo real-time analysis using SQL-based filtering to detect security-relevant events and potential compliance violations. The monitoring system focuses on several critical areas, including detection of unencrypted resources, ensuring logging and monitoring services remain enabled, identification of non-compliant resources and monitoring for unauthorized resource access attempts.
Complementing the real-time analysis, the framework executes comprehensive batch processing during non-business hours. These nightly runs perform deeper analysis and compliance checks that might be too resource-intensive for real-time processing. This dual approach ensures both immediate detection of critical security events and thorough periodic validation of the entire infrastructure against BBVA’s security policies.
When violations or non-compliant configurations are detected, either through real-time analysis or batch processing, the system automatically triggers appropriate responses. These may include immediate remediation of non-compliant resources, automated encryption of unprotected resources, notification to security teams for manual review or creation of security incidents for tracking and resolution.
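The detection and response loop described in the last three paragraphs can be exercised offline with SQL over CloudTrail records. The following is an added example, not BBVA's framework: the records are constructed in the shape of CloudTrail events, the four queries follow the monitoring areas listed above (unencrypted resources, logging disabled, non-compliant resources, unauthorized access attempts), and the response names attached to each detection are hypothetical. It runs in sqlite3 and needs SQLite's JSON functions, built in since 3.38.

```python
"""SQL-based detections over CloudTrail records, run in sqlite3 so the logic can be
exercised offline. Added example: the events are constructed in the shape of
CloudTrail records, not BBVA logs, and the response names are hypothetical."""
import json
import sqlite3

ACCOUNT = "111122223333"  # hypothetical account


def ev(source, name, user, error=None, params=None):
    """Build a minimal CloudTrail-style record (constructed test data)."""
    return {"eventTime": "2024-05-06T08:00:00Z", "eventSource": f"{source}.amazonaws.com",
            "eventName": name, "recipientAccountId": ACCOUNT, "errorCode": error,
            "userIdentity": {"arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/{user}"},
            "requestParameters": params or {}}


EVENTS = [
    ev("cloudtrail", "StopLogging", "sandbox-owner/alice", params={"name": "org-trail"}),
    ev("dynamodb", "CreateTable", "data-scientist/bob",
       params={"tableName": "features", "sSESpecification": {"enabled": True, "sSEType": "KMS"}}),
    ev("dynamodb", "CreateTable", "data-scientist/carol", params={"tableName": "scratch"}),
    ev("s3", "DeleteBucketEncryption", "sandbox-owner/dave", params={"bucketName": "ada-example-raw"}),
    ev("s3", "PutBucketPublicAccessBlock", "sandbox-owner/erin", params={
        "bucketName": "ada-example-raw",
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": False, "RestrictPublicBuckets": True}}),
    ev("cloudtrail", "StopLogging", "data-analyst/mallory", error="AccessDenied"),
    *[ev("s3", "GetObject", "data-analyst/mallory", error="AccessDenied",
         params={"bucketName": "ada-example-tokenized"}) for _ in range(3)],
    ev("s3", "GetObject", "data-analyst/frank", error="AccessDenied"),
]

# detection name -> (SQL returning principal, detail, account; automated response to trigger)
DETECTIONS = {
    "logging_disabled": ("""
        SELECT principal_arn, event_name, account_id FROM events
        WHERE error_code IS NULL
          AND (event_source = 'cloudtrail.amazonaws.com' AND event_name IN ('StopLogging', 'DeleteTrail')
            OR event_source = 'config.amazonaws.com' AND event_name = 'StopConfigurationRecorder')""",
        "re-enable logging and open a security incident"),
    "cmk_not_used": ("""
        SELECT principal_arn, event_name, account_id FROM events
        WHERE error_code IS NULL
          AND (event_source = 's3.amazonaws.com' AND event_name = 'DeleteBucketEncryption'
            OR event_source = 'dynamodb.amazonaws.com' AND event_name = 'CreateTable'
               AND COALESCE(json_extract(request_parameters, '$.sSESpecification.sSEType'), '') <> 'KMS')""",
        "re-apply SSE-KMS with the platform CMK and notify the sandbox owner"),
    "public_access_block_weakened": ("""
        SELECT principal_arn, event_name, account_id FROM events
        WHERE error_code IS NULL AND event_source = 's3.amazonaws.com'
          AND (event_name = 'DeleteBucketPublicAccessBlock'
            OR event_name = 'PutBucketPublicAccessBlock'
               AND json_extract(request_parameters, '$.PublicAccessBlockConfiguration.BlockPublicPolicy') = 0)""",
        "restore the public access block configuration"),
    "access_denied_burst": ("""
        SELECT principal_arn, COUNT(*) AS denials, account_id FROM events
        WHERE error_code IN ('AccessDenied', 'Client.UnauthorizedOperation')
        GROUP BY principal_arn, account_id HAVING denials >= 3""",
        "notify the security team for manual review"),
}


def load_events(events):
    """Flatten the records into an in-memory table; requestParameters stays as JSON text."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (event_time, event_source, event_name, account_id, "
               "principal_arn, error_code, request_parameters)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (e["eventTime"], e["eventSource"], e["eventName"], e["recipientAccountId"],
         e["userIdentity"]["arn"], e.get("errorCode"), json.dumps(e["requestParameters"]))
        for e in events])
    return db


def run_detections(events):
    """Run every detection; returns {detection: [finding, ...]} with the response attached."""
    db = load_events(events)
    return {name: [{"principal": p, "detail": d, "account": a, "response": response}
                   for p, d, a in db.execute(sql)]
            for name, (sql, response) in DETECTIONS.items()}


if __name__ == "__main__":
    for name, findings in run_detections(EVENTS).items():
        for f in findings:
            print(f"{name:30s} {f['principal'].split('/')[-1]:8s} {f['detail']!s:28s} -> {f['response']}")
```

Two choices in the queries matter for the false-positive rate of such a framework. Filtering on error_code IS NULL keeps a failed StopLogging call (mallory's, which was denied) out of the "logging disabled" detection while still counting it toward her access-denied burst, and the DynamoDB rule checks for the absence of a customer managed key rather than the absence of encryption, since DynamoDB tables are always encrypted with at least an AWS owned key. In production the same SQL would run against the centralized trail in the security account and the response column would drive the remediation workflow instead of a print.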
This centralized approach ensures consistent security policy enforcement across all accounts while providing rapid response to potential security risks. The automated nature of the controls reduces the mean time to detect and resolve security issues, enhancing BBVA’s overall security posture.
Sixth Layer: Orchestrating backups with AWS Backup service
The sixth layer of BBVA’s security architecture leverages AWS Backup to implement comprehensive data protection and immutability controls across the entire platform, with particular emphasis on the data lake’s critical resources. This service provides centralized and automated data protection across Amazon S3 buckets and Amazon DynamoDB tables throughout all AWS accounts.
BBVA utilizes AWS Backup Vault Lock to enforce an immutable backup model. Once created, recovery points in a locked vault cannot be deleted or modified by any user, including administrators, during the predefined retention period; in compliance mode, once the lock’s cooling-off period has passed, the lock itself cannot be removed by any principal, including the account’s root user. This immutability provides an essential defense against both accidental deletion and malicious attempts to compromise data integrity, while helping meet regulatory requirements for data retention and protection.
The backup strategy implements different retention periods based on data criticality and compliance requirements. AWS Backup’s continuous backups (point-in-time recovery, supported for both Amazon S3 and DynamoDB) let BBVA restore data to any point within the recovery window, which AWS Backup caps at 35 days, while periodic snapshots cover longer retention periods. This capability is crucial for:
- Protection against accidental deletions or modifications
- Recovery from potential ransomware attacks
- Meeting regulatory requirements for data retention
- Maintaining audit trails and historical records
- Supporting disaster recovery scenarios
The centralized security framework monitors backup operations, ensuring compliance with backup policies and retention requirements across all accounts. The automation provided by AWS Backup, combined with the immutability features, strengthens BBVA’s overall security posture while reducing operational overhead in managing data protection.
Conclusion
Through this comprehensive security architecture, BBVA has achieved several critical security outcomes and benefits:
- Enhanced Data Protection: The multi-layered security approach, combining AWS IAM, Amazon S3 encryption, AWS Lake Formation controls, AppStream 2.0’s isolation capabilities, and automated security monitoring, has significantly strengthened the protection of sensitive financial and customer data across all stages of data handling.
- Improved Access Management: Fine-grained access controls through AWS Lake Formation and federated authentication have enabled BBVA to manage user permissions more effectively across their global organization, ensuring users can access only the data they need.
- Cost-Effective Scalability: The cloud-native security controls and intelligent AppStream scaling policies automatically adjust to platform demands, supporting over 6,500 users while optimizing resource utilization and maintaining consistent security standards.
- Proactive Security Posture: The centralized detective controls provide continuous monitoring and automated remediation, enabling both real-time incident response and comprehensive nightly compliance validation, significantly reducing security risks and mean time to remediation.
- Regulatory Compliance: The implemented security controls, including encryption at rest, data catalog protection, strict access policies, and automated compliance checking, help meet financial industry regulations and data protection requirements across different geographical regions.
- Enhanced User Experience: Despite the robust security measures, users maintain productive access to their required data and analytics tools through a seamless streaming experience, with performance optimized through strategic regional deployment and scaling policies.
- Operational Efficiency: The development of automated tools and processes enables BBVA to efficiently manage AppStream fleets across more than 200 accounts, handling everything from security updates to fleet configurations programmatically. This automation, combined with customized scaling policies and centralized management capabilities, has significantly reduced administrative overhead while improving security visibility and response capabilities.
- Comprehensive Data Governance: The combination of AWS Lake Formation permissions and AWS IAM policies provides granular control over data access at the column, row, and cell levels, enabling secure data sharing across organizational boundaries while maintaining strict control.
- Resilient Data Protection: The implementation of AWS Backup with vault lock capabilities ensures platform-wide protection against both accidental and malicious data loss, while maintaining compliance with data retention requirements and providing reliable recovery options.
These outcomes demonstrate how BBVA successfully balanced the need for stringent security controls with business agility, cost optimization, and user productivity in their cloud transformation journey.
Related resources
BBVA, a global financial services company, implemented Amazon AppStream 2.0 to enable remote working for over 86,000 employees during unprecedented circumstances. The solution helped BBVA maintain business continuity while protecting sensitive applications and meeting regulatory requirements. This implementation reduced project deployment time by 90% compared to on-premises solutions while ensuring security and operational efficiency for their workforce across 30+ countries. For more information see BBVA: Helping Global Remote Working with Amazon AppStream 2.0