Citigroup: Security Architecture and Engineering for EKS

How a multinational bank leveraged the benefits of managed Kubernetes with cloud native secure-by-design principles
Featured image

About Citigroup

Citigroup is an American multinational investment bank and financial services corporation headquartered in New York City. Citigroup serves more than 200 million customer accounts and does business in more than 160 countries and jurisdictions. Their clients include 90% of global Fortune 500 companies.

Security Architecture and Engineering for EKS

Citigroup sought to leverage the benefits of Kubernetes in the public cloud for its grid compute risk calculation platform. However, previous attempts had failed to meet the necessary levels of security and usability. Using a threat model-driven approach, ControlPlane defined the security architecture and led the platform engineering effort to secure an Amazon Elastic Kubernetes Service (EKS) platform.

We delivered a secure, self-service platform that fully leveraged the scalability and flexibility of Kubernetes in the public cloud, providing greater computing power than was previously available on-premises with minimal security risk.


Citigroup needed to host its grid compute risk calculation platform in the public cloud to overcome hardware constraints that limited the speed and effectiveness of the platform.

They were unable to leverage the benefits of Kubernetes due to security and usability challenges. The bank needed a secure, scalable, and user-friendly platform solution to fully realize the potential of cloud-based grid computing.


ControlPlane defined the bank’s EKS security model, setting a reference security architecture for other projects and integrating platform-integrated guard rails and policy, enabling developer self-service.

  • Threat model driven security architecture for the bank’s EKS platform on AWS

  • Platform engineering on EKS to secure the system and apply policy guard rails with Open Policy Agent (OPA)

  • Security and policy tooling integration with Twistlock and Calico Enterprise to satisfy requirements for soft multi-tenancy and self-service

These solutions provided multiple benefits to the client, including:

  • Scalability and flexibility of large-scale cloud bursting to overcome the previous hardware constraints

  • Robust security and policy architecture for EKS that addressed the bank’s specific risks and requirements for a self-service platform

  • Quantified platform security controls ensured with a threat model-driven approach to ensure maintainability

Business Outcomes

The client’s EKS platform went live for grid compute risk calculation, fully leveraging the scalability and flexibility provided by Kubernetes in the public cloud, to provide greater computing power than was previously available on-premises with minimal security risk.

The client measurably Increased developer velocity, reduced workload deployment time, and greater platform scalability as developers gain secure-by-design self-service capabilities. The pioneering work provided a framework to unlock further access to additional public cloud services for operators, once assured and integrated with the platform

ControlPlane’s expertise in Kubernetes and their collaborative efforts with Citigroup demonstrated their dedication to driving innovation and delivering secure solutions in the cloud-native ecosystem.

Similar case studies:  
cloud kubernetes platform-engineering aws all