Bitpanda

Cloudflare helps Bitpanda boost their app and IT security without performance trade-offs as they grow from small startup to major fintech player

Bitpanda makes investing accessible for everyone. Founded in 2014 in Vienna, Austria by Eric Demuth, Paul Klanschek and Christian Trummer, Bitpanda removes the barriers to investing by harnessing the innovative power of digitized assets and blockchain technology.

With more than 500 team members and over 2 million users, the company is one of Europe's fastest-growing fintechs.

The user-friendly, trade-everything platform empowers both first-time investors and seasoned experts to invest in the stocks, cryptocurrencies and metals they want — with any amount of money.

Challenge: Mitigate increasingly frequent and severe DDoS and other automated attacks

When Bitpanda started experiencing DDoS attacks, it had been in business for only about two months and had a very small customer base. To mitigate the attacks, Bitpanda signed up for the free plan on Cloudflare, which includes Cloudflare DNS, Cloudflare CDN, basic DDoS protection, and a limited number of Cloudflare Rules, which trigger certain actions whenever a request matches one of the URL patterns a user defines. As Bitpanda grew, it upgraded to a paid subscription and added Rate Limiting, which helps protect against DDoS and other automated cyber attacks.

Over the past two years, Bitpanda experienced a significant growth spurt, and the company saw a corresponding rise in automated attacks against its APIs and customer accounts. Cyber criminals were scanning Bitpanda’s APIs for vulnerabilities and launching credential-stuffing attacks against its customers. These automated attacks degraded performance and put customers at risk of account takeovers (ATOs).

Christian Trummer, CTO and co-founder of Bitpanda, knew it was time for them to upgrade to a Cloudflare Enterprise plan, which offers the most robust toolset that Cloudflare has to offer, as well as 24/7, prioritized customer support by phone, chat, and email. Because Bitpanda was migrating to a Zero Trust security architecture, Trummer also added Cloudflare Access, which uses Zero Trust rules to help teams secure corporate applications.

Access provides simple, secure access to digital assets in specialized use cases

Bitpanda leverages Cloudflare Access to restrict access to internal assets. For example, Bitpanda used Access when the company deployed a beta version of a certain product and needed to limit access to a select group of beta testers.

Previously, Bitpanda had used a VPN, which was complex to configure and maintain and difficult for end users to use. Access eliminated the administrative overhead associated with the VPN, freeing up Bitpanda’s team to focus on internal projects instead of maintaining a VPN, and reduced the company’s potential cyber attack surface.

“Access is much simpler and more secure than a VPN for limiting access to internal assets. We just activate it and add users,” Trummer says. “It just works!”

In addition to authenticating users and preventing malicious actors from accessing Bitpanda’s network, Access also gives the company visibility into user activity inside the system, which supports Bitpanda’s Zero Trust model.

“Access provides us with Zero Trust user authentication, granular control over user access, and complete visibility into user activity,” Trummer says. “This is key to Zero Trust, which recognizes that threats can be internal as well as external.”

The Cloudflare security suite stops DDoS and other automated attacks that threaten both site performance and integrity of customer accounts

Shortly before upgrading to Cloudflare Enterprise, Bitpanda experienced a massive DDoS attack that took its systems offline. When the internal team was unable to mitigate the attack on their own, Trummer contacted Cloudflare, and a support representative suggested adding some Cloudflare Rules, which stopped the attack.

“That attack was the catalyst for us to upgrade to Enterprise,” Trummer recalls. “Bitpanda had grown to the point where we needed the most comprehensive solution available, and there was no question that we were going to buy it from Cloudflare.”

Since the upgrade, Trummer is elated that his team no longer has to spend so much time monitoring threats and mitigating them. Freed from having to engage in security monitoring and defense, Bitpanda’s engineers can spend their time developing new products and enhancing current ones.

“I can’t imagine not having Cloudflare as a security partner. Our software engineers want to spend time building products for our customers, so we need a partner with that expertise who can focus on security for us,” Trummer says. “Our cloud services provider offers a WAF and other security tools, but we haven’t looked at them because we’re so happy with Cloudflare. We have no reason to shop around.”

In addition to the Cloudflare Web Application Firewall (WAF), DDoS protection, Cloudflare Rules, and Rate Limiting, Bitpanda depends on Cloudflare DNS services to secure its domains from DNS attacks and keep its platform online. Prior to Cloudflare, Bitpanda had used another DNS provider, but they had several incidents where their DNS went offline for hours, and the provider’s support team provided no help.

“They lost our trust,” Trummer says. “We trust Cloudflare to provide a secure environment. Over the years, Cloudflare has consistently provided us with professional, top-quality service, and I look forward to expanding our partnership as Bitpanda continues to grow.”

Key Results
  • Cloudflare Access enables Bitpanda to limit access to internal assets.

  • Access supports Bitpanda’s Zero Trust model with strong authentication and visibility into user activity.

  • Bitpanda depends heavily on Cloudflare WAF, Rate Limiting, and Cloudflare Rules to prevent DDoS and other automated attacks.
