Business challenge

VLI needed to advance its security technology to meet myriad government compliance and safety regulations, and allow workers to access the right systems at the right time to do their jobs.


To secure its business, protect its assets and manage user access, VLI integrated and deployed a suite of solutions from the IBM Security portfolio of products.


99% faster

granting user access requests, from five days to seconds


employee satisfaction and productivity

Helps minimize

risks of malware and ransomware attacks

Business challenge story

Rules, regulations and user access

What does it take to move over 38 million tons of agricultural, steel and mineral products around Brazil each year?

For VLI, it requires 8,000 kilometers of railway, 100 locomotives, 6,700 railway cars, eight intermodal terminals, four strategically located shipping ports, 8,000 employees and 1,000 contractors.

As complex as logistics and transportation are, the challenges extend far beyond simply moving products from Point A to Point B. As an owner and operator of an integrated logistics system of rails, ports and terminals, VLI must address myriad government regulations related to compliance, security, safety and other factors.

To comply with rail regulations set forth by Brazil's national regulator for the ground transportation sector, the Agencia Nacional de Transportes Terrestres (ANTT), VLI must demonstrate how it safely manages its trains and railways. Further, in 2014, the company was organized as a holding company, a business model that is subject to numerous governance laws and regulations, in addition to certain operational and security rules that must be followed.

“We are a company with many government regulations,” explains Thiago Galvao, Chief Information Security Officer (CISO) at VLI. “In Brazil, port regulations require us to have specific controls and processes in place related to security. In the end, the regulations are related to technology, so identity management is important for me.”

As part of the procedure of loading and unloading cargo, truck drivers and rail operators had to repeatedly sign on to systems to access reports and transactions, slowing the process and reducing productivity. Despite the company having large IT and development teams, there was no way to trace or track privileged users accessing VLI servers. The process of onboarding new employees and granting them access to systems and applications took weeks because it was handled manually. And the company also relied on labor-intensive paper-based processes to manage user life cycles and carry out other controls related to user access.

When Galvao joined the company in 2018, he immediately recognized the need for identity and access management (IAM) solutions. “We had nothing for identity in the past,” he says. “I made an assessment and showed the board the risks, and how important it is to have a system in place to control user access.”

We decided on IBM for a combination of reasons: the technology, local support and price.

Thiago Galvao, Chief Information Security Officer, VLI

Transformation story

A portfolio of security solutions

VLI’s approach to choosing a provider for its identity governance and administration (IGA) initiative was a meticulous six-month process. A key driver for the project was business enablement; specifically, having the ability to provide the right users with access to the right resources at the right time. Ultimately, VLI chose IBM for its local presence and support, its breadth of offerings and the cost effectiveness of its solutions.

“We started the RFP process looking at a lot of solutions,” Galvao recalls. “We created scenarios. We made benchmarks. We looked at how solutions integrated. And we created scorecards.”

He continues: “We decided on IBM for a combination of reasons: the technology, local support and price. We validated the technical integration and that the solution works for us. We validated that IBM can attain our expectations. But it was also very important that I have support in Brazil because we need to have a relationship too. IBM paid attention to us. And the third reason was the price. So we made a big investment in IBM.”

Today, VLI is IBM’s first client to deploy solutions across the full portfolio of IBM Security Identity and Access Management products. To help with the integration and deployment, VLI turned to IBM Business Partner Qriar, a technology firm that specializes in cybersecurity solutions. Qriar has engaged with VLI since the initial request for proposal (RFP) answering phase. It is working with the company throughout the entire project, from planning and defining the architecture to rolling out, installing, configuring and customizing IBM products according to the client’s needs and best practices.

VLI rolled out the solutions in four phases. Phase 1, which began in September 2019 and finished two months later, focused on IGA. During this time, the company deployed IBM Security Identity Governance & Intelligence (IGI) Enterprise Edition software and the Microsoft Azure Active Directory platform. The IBM software automates processes that used to be labor-intensive, such as access certifications, access requests and password management. It also delivers detailed reports and recertification campaigns to ensure users are only given the access rights they need to do their jobs.

In Phase 2, VLI deployed three solutions from IBM’s Privileged Access Management suite: IBM Security Secret Server, IBM Security Privilege Manager for Client and IBM Security Privilege Manager for Server technologies. Security Secret Server software helps protect VLI’s most sensitive servers by eliminating the need for shared privileged users’ passwords. The session recording feature records all of the action executed on the servers, thereby providing extensive auditing trails and helping VLI manage compliance with strict identity governance requirements.

IBM Security Privilege Manager technologies help VLI minimize the risk of malware and ransomware attacks by reducing the number of non-administrative users who have administrative privileges on endpoints. VLI can also configure lists of trusted and untrusted applications and commands, and customize elevation policies.

In Phase 3, VLI deployed the enterprise and virtual enterprise editions of IBM Security Verify Access (formerly IBM Security Access Manager software, or ISAM) and IBM Security Directory Suite Enterprise Edition technologies.

In addition to simplifying the authentication architecture, Security Verify Access software provides single sign-on (SSO) capabilities for web-based and non-web-based systems, helping boost productivity of line workers. In the future, the company can expand its virtual edition to enable multifactor identification or logins without passwords. With the robust and scalable directory of Security Directory Suite technology, VLI can store the identities of internal and external users and take advantage of powerful replication and high-availability features.

Today, VLI is in Phase 4, which involves integrating its IGI solutions with its SAP ERP. Ultimately, the IBM technologies will be connected to more than 10 key IT systems and subsystems. They will also help support VLI´s IAM standards for integration with the remaining applications, both existing and new ones.  

Results story

From trucks to trains, company-wide gains

By deploying IBM Security solutions, VLI has realized benefits from the loading docks to the bottom line.

The software automates processes that used to be labor-intensive, such as access certifications, access requests and password management. In the past, these activities could take up to five days, creating delays and worker frustration. Now access requests are granted automatically upon a manager’s approval, or 99% faster than before.

“We have 8,000 employees and about 1,000 contractors and customers,” explains Galvao, “so about 9,000 people who need access to our different systems to move the trains. It’s critical for timing — a new driver can’t be waiting to unload a truck. He needs access to records about product movements and transactions.”

By eliminating the delays and frustration associated with system access, employee satisfaction and productivity improved. “We measure our performance according to the total weight of cargo we move through the rail,” says Galvao. “In April 2020, we achieved the highest number in the history of the company.”

The IBM solutions are also helping minimize risk related to cyberthreats and system access by unauthorized people. Galvao concludes: “A key point is risk and avoiding attacks. Before, users who left the company might still be activated in the system. It was because we didn’t have standards. We maybe had external people using our systems and we didn’t know who.

“Now I have controls. Now we are investing in identity solutions and increasing the number of integrations.”

VLI Logo


Founded in 2011 with headquarters in Belo Horizonte, Brazil, VLI is the country’s leading rail-based logistics solutions operator. The company controls an integrated system of more than 8,000 km of railroads, 700 locomotives, 6,700 railway cars, four ports and eight intermodal terminals across 10 states. It also operates in five logistic transport corridors across Brazil. VLI serves the industrial, steel, agricultural and mineral industries. VLI staffs roughly 1,000 contractors and 8,000 employees.

About Qriar

Based in São Paulo, Brazil, Qriar specializes in developing, integrating, implementing and customizing cybersecurity solutions. Areas of expertise include privileged access management, identity governance and management, user authentication and API security management. During the IBM Think Digital 2020 conference, the company was awarded the IBM Excellence Award for Outstanding Growth in the IBM Security category. The award recognizes IBM Business Partners who have demonstrated excellence and delivered exceptional client experiences and business growth. Qriar was founded in 2016.

Take the next step

To learn more about the IBM solutions featured in this story, please contact your IBM representative or IBM Business Partner, or visit the following websites: