Business challenge

Commercial International Bank S.A.E. (CIB) needed a solution that could handle IAM in a more automated manner while not hindering ongoing business activities.

Transformation

By implementing the IGI solution with IAM professional services, CIB strategically built a mature and effective user-identity role matrix.

Results

Reduces operational costs

by cutting manual, labor-intensive identity governance

Accurately links access rights

to the correct function of a user’s business activity

Promptly detects separation of duties violations

for users and business roles and identifies areas of risk

Business challenge story

Clouded visibility into user activities

Within any organization, management teams need to be able to identify security gaps quickly. For banks, monitoring which users have access to what resources — and how they’re using those resources — is critical. As the leading private sector bank in Egypt, CIB continuously looks for ways to ensure security. The bank runs a complex and challenging IT environment with over a hundred applications within its security operations center (SOC). Still, there were gaps in how it handled certain aspects of security. CIB relied on a manual, paper-based process to respond to user access requests, for example.

Randa Essa, CIB’s Head of Information Security Management, explains: “All of the applications’ access requests were handled in a silo sort of manner; a huge operational effort to grant or deny access within the joiner / leaver/ transfer processes. HR was disconnected and it was purely manual.”

When onboarding new hires, the bank’s security team had a tedious process in place for getting new employees the right access to perform their jobs. The process entailed manually notifying HR, engaging in a series of back-and-forth formalities with managers and gathering information on what access activities a new user’s role requires — and then waiting an additional period of time for that user’s access to finally come through. The lengthy turnaround times for granting identity access were costly and inefficient for CIB’s operations.

CIB faced the challenge of aligning business values to security maturity levels within the organization. The bank needed to continuously assess security maturity to ensure improvement while adhering to Central bank of Egypt security regulations and meeting the increasing requirements of internal and external security auditors.

It was critical that CIB automated a complete identity governance framework within the context of a broader IAM program, provide a seamless user experience and deliver a mature security posture. In addition, balancing security controls applied to privileged access and the business support from the IT team was a challenge. CIB aimed to build a more mature IAM strategy to achieve this balance.

“We didn’t have visibility to who had access to what,” Essa says. “We had no mapping of what permissions users were required to have for their business role. There was not much assurance that the right access was granted to staff or if users were being given excessive access that wasn’t required to perform their business activities.”

CIB needed a more effective way of handling its identity governance. The bank required a solution that would give its security team proper visibility into what users had been granted access to and to make sure that that access coincided with users’ job titles and functions. CIB looked to industry vendors that could provide a specific yet flexible solution for the company.

We run a very complex and challenging environment. Without the proper controls, you cannot protect what you can’t see — the lack of visibility was taxing.

Shatssy Hassan, Chief Security Officer, Commercial International Bank S.A.E.

Transformation story

Identifying and filling in the security gaps

CIB teamed with IBM Security to overhaul its security environment and to ensure that the right people would have the right access at all times. The bank implemented the Identity Governance (IGI), and Verify Privilege solution from IBM to target these issues.

Shatssy Hassan, CIB’s Chief Security Officer, explains: “From our previous platform experience, we knew creating a lot of customizations would only lead to a very complex and unmanageable environment. We wanted to make sure that the platform would be flexible enough to accommodate our requirements, maintain out-of-the-box functionalities and needed minimal customizations.”

IGI helps CIB manage compliance with regulations and prevents separation of duties (SoD) violations. The solution provides the bank’s security team with the ability to set policies to ensure SoD controls based on business activities. IGI also eliminates manual efforts on IT audits and builds boundaries for threats that may be perceived, providing a more security-rich environment for the organization. IBM Security Verify Privilege software helps protect CIB’s most sensitive servers by eliminating the need for shared privileged users’ passwords.

With the implementation came an IBM consultancy team that was on the ground in Egypt supporting CIB while it built up the internal team’s skill sets. Employees gained troubleshooting knowledge about system issues, workflow creation and the integration of selective applications to maintain the bank’s daily operations.

“IBM’s proposal did not just focus on the technical aspects of program and implementation,” Essa explains. “It also involved a consultancy side that helped us build the proper governance model around our identities and different business activities.”

The IBM team helped us build customized workflows on the platform while maintaining the original system and keeping its out-of-the-box functionality.

Shatssy Hassan, Chief Security Officer, Commercial International Bank S.A.E.

Results story

Closing the gap on security risks

What began as a vision for a comprehensive and effective SOC in 2016 turned into so much more. Even though the transition to the automated IGI platform was difficult at times, CIB now has strong governance when it comes to accurately linking access rights to the correct function of a user’s business activity. The bank can also promptly detect SoD violations for users and business roles and can identify areas of risk.

Reaching a high maturity level with role-based access control is a target for any organization because of the implications for productivity. At CIB, IBM Security experts helped the banking institution achieve this maturity level using the IGI software with a managed services-based approach. This approach helped the client reduce manual identity governance efforts by taking over the management of more than 8,000 employee identities while streamlining the fulfillment of business requirements.

Using some of the unique capabilities of IGI, such as the role mining, IBM Security helped CIB rapidly build a mature and accurate identity roles matrix and configure the right translation between IT and business stakeholders. IAM program success around the world is very low due to a lack of strategic direction. Based on the strategy proposed by IBM Security experts, a business-oriented and outcome-driven approach was applied instead of depending on the technology’s out-of-box capabilities.

“With full visibility of user access in terms of what different system privileges each have, we can avoid any fraudulent activities that might take place or security risks,” Hassan says. “Without having one centralized inventory of user entitlements across the different applications, we wouldn’t have been able to accomplish such a parallel.”

Building a seamless integration between the IAM solution and Verify Privilege provided the team with a 360-degree view of the privileged account usage. It empowered the governance team to control privileged access without affecting business support.

With the new system in place, the team was able to weed out the inactive user accounts that had been lying dormant and clean up user entitlements. The security team now has a clear mapping of the function and role of staff positions instead of just a title from HR. Naming conventions scattered across multiple systems have been cleaned up and integrated into the system. Proper user permissions are now granted automatically based on what has been built into the system.

This goes without saying, but there’s been a huge reduction in errors. Having an automated system over the manual paper process has significantly helped us manage risk.

Shatssy Hassan, Chief Security Officer, Commercial International Bank S.A.E.

Commercial International Bank Logo

About Commercial International Bank S.A.E.

Established in 1975, CIB (external link) is Egypt’s leading private sector bank, serving over 1.4 million customers. Located in Cairo, the financial institution offers a wide range of financial products and services to a variety of customers, including enterprises of all sizes, institutions, households and high-net-worth individuals. With a mission to transform traditional financial services into simple and accessible solutions by investing in people, data and digitalization to serve tomorrow’s needs today, CIB has succeeded in becoming the most profitable commercial bank operating in its country for over 40 years.

Take the Next Step

To learn more about the IBM solutions featured in this story, please contact your IBM representative or IBM Business Partner, or visit: