Istanbul is home to more than 15 million people and stretches over 594 square miles. Each day, citizens and visitors rely on İstanbulkart, a pre-paid multipurpose card, to pay their fares when using the city’s extensive public transport system. The card is now used for more than just travel—it’s integrated with COVID-19 safety measures from the Turkish Ministry of Health and with Mastercard advantages, and is accepted by thousands of food and drink retailers. For the public agency responsible for İstanbulkart, the pressure is on to provide reliable customer experiences, or risk bringing the city to a halt. 

That organization is BELBİM A.Ş. (BELBİM), an electronic money and payments services provider, which continues to develop and expand İstanbulkart. Security is a top priority for BELBİM, which seeks to protect its customers from disruption at all times. At the same time, the organization must demonstrate compliance with rules including the General Data Protection Regulation (GDPR), ISO 27001, the Payment Card Industry Data Security Standard (PCI DSS), plus policies outlined by the Central Bank of Turkey and the Digital Transformation Office of the Presidency of Turkey.

Olcay Nisanoğlu, IT Director at BELBİM A.Ş., says, “As an electronic payments provider, we’re an attractive target for cyber-attacks. We aim to protect our IT infrastructure from both external and internal threats. One of our primary goals is to closely control access to sensitive data—and we recognized that this was one area where we could improve.”

BELBİM struggled to manage access for privileged accounts efficiently using its previous solution. The organization has a diverse workforce that includes temporary employees and third-party contractors. To meet compliance mandates, BELBİM must be able to monitor, log and report on privileged sessions for all users.

“Our legacy solution for privileged access management was overly complex and offered limited reporting capabilities,” recalls Nisanoğlu. “As a result, it was time-consuming and challenging for our IT team to grant and withdraw access, or extract the information required by regulatory bodies. We also saw an opportunity to strengthen our cyber-security posture by better protecting privileged accounts. Our goal was to find a solution that combined robust security with user-friendliness, to reduce risk without limiting productivity.”

BELBİM reduced licensing costs by

40%

freeing up funds for service enhancements

Cuts resources dedicated to privileged access management by

50%

boosting productivity

Drives down time spent on investigating and reporting on IT security incidents by

20%

enhancing efficiency

Taking a fresh approach

To help transform its approach to privileged access management (PAM), BELBİM engaged IBM Business Partner Bilgi Birikim Sistemleri (BBS). BBS recommended that the organization deploy IBM Security® Verify Privilege Vault, a powerful PAM solution that is easy to implement and use.

“BBS have a long history of success  with similar projects, making them the right choice of partner for us,” comments Nisanoğlu. “Their support team is highly skilled and always responsive. BBS was able to demonstrate why IBM Security Verify Privilege Vault was the ideal fit for our use case.”

With help from BBS, BELBİM rolled out the IBM solution quickly and efficiently. The organization now uses IBM Security Verify Privilege Vault for continuous discovery and end-to-end management of all service, application, administrator, and root accounts.

Olcay Nisanoğlu

Olcay Nisanoğlu, IT Director

“Thanks to BBS, we were able to deploy IBM Security Verify Privilege Vault in just a couple of days,” says Nisanoğlu. “The IBM solution supports multiple connection types including web links, SSH, SecureCRT, and RDP, which allows us to comprehensively protect our environment. Today, 100 different users from inside BELBİM and more than 40 external companies have privileged accounts that we manage with IBM Security Verify Privilege Vault.”

Using IBM technology, BELBİM offers users secure access to business-critical applications such as its financial systems infrastructure and database. The organization takes advantage of built-in features to store privileged credentials in an encrypted, centralized password vault. Since the IBM solution monitors and records all privileged sessions, BELBİM has gained a full audit trail.

Nisanoğlu explains, “Using IBM Security Verify Privilege Vault, authenticated users can securely connect to any system without needing to know its admin password. We now have complete visibility of privileged accounts, with every keystroke they make logged by the IBM software.”

Bolstering security, empowering users

With the IBM technology in place and BBS expertise at hand, BELBİM is in a better position than ever when it comes to security of its IT systems. The organization has acquired additional layers of protection against internal and external threats without inconveniencing users.

“Passwords are like the front-door key to our organization: our first priority is to secure them,” says Nisanoğlu. “Thanks to IBM Security Verify Privilege Vault and BBS, we’re confident in this first line of defense against compromise of our systems.”

By automating key tasks using the IBM solution, BELBİM is benefiting from significant efficiencies. The organization’s IT team expends fewer resources on managing privileged accounts and demonstrating compliance with regulatory obligations.

“Since the project with IBM and BBS, we’ve seen substantial cost and time savings,” comments Nisanoğlu. “For example, we’re saving 40 percent on PAM licensing. We spend 50 percent less time administering privileged accounts and granting access to new users. Our IT security teams devote 20 percent less time to investigating and reviewing PAM incidents, and we can generate the reports required by regulators in 80 percent of the time it took before.”

BELBİM is planning to extend the solution with IBM Security Verify Governance to optimize user access beyond privileged accounts. As the organization investigates how it can make life easier for Istanbul’s citizens and visitors, IBM Security solutions help it to achieve its goals while moving towards a zero-trust strategy.

Nisanoğlu concludes, “By introducing elements of the IBM zero-trust approach to security, we’re increasing our cyber-resilience, while still empowering our users to work effectively. As a result we can focus on our core mission: keeping Istanbul moving for citizens and visitors alike.”

About BELBİM A.Ş.

BELBİM A.Ş. (BELBİM) is an affiliate of İstanbul Metropolitan Municipality, which has exclusive authority to manage electronic fund collection systems (EÜTS). Over time, BELBİM has extended EÜTS to include financial technology services and is regulated by the Central Bank of Turkey. In 2015, with İstanbulkart, BELBİM transformed into an electronic money institution by obtaining an operating license from the Banking Regulation and Supervision Agency (BRSA).

Belbim A.S.

About Bilgi Birikim Sistemleri

Bilgi Birikim Sistemleri (BBS) is one of the foremost IT systems integrators operating in Turkey. The company offers skills in hardware, software and services, providing solutions in a wide range of areas including virtualization, network infrastructure, security, maintenance, and more.

Bilgi Birikim Sistemleri

© Copyright IBM Corporation 2023. IBM Corporation, IBM Software, New Orchard Road, Armonk, NY 10504

Produced in the United States of America, December 2023.

IBM, the IBM logo, ibm.com, and IBM Security are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at www.ibm.com/legal/copytrade.shtml.

This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.