Banking security personnel focus on the many threats to bank and customer information. It’s complicated work to keep employees, customers and customer investments protected. So if you’re in charge of security at a bank, it helps if you love a challenge.
Luckily, the person who oversees security at Commercial International Bank S.A.E. (CIB), Egypt’s leading private sector bank, thrives on the challenge.
“Ensuring we’re always secure is one of the core challenges that I love about my job,” says Shatssy Hassan, CIB’s Chief Security Officer (CSO). “We’re able to transfer this feeling of comfort to our customers and encourage them to work with a bank that cares about their investments and their information.”
CIB provides banking services for retail and corporate customers. It’s the largest private bank in Egypt, with over 1,000 ATMs across the country and over 210 branches across all Egypt governorates. Hassan has been the CSO since 2014.
In 2016, CIB began a five-year strategy to improve identity and access management (IAM) and identity governance. “This is an ongoing strategy that will be maturing in the future to ensure that we finally reach the objective of having a zero trust setup within the organization,” says Hassan.
Identity management at scale
Secure and transparent identity management of 8,000 employees
Rapid access
New hire access and staff transfers reduced from a week or more to < 1 day
CIB focused first on three main goals. The first was to onboard, transfer and offboard staff in a seamless and convenient manner, enhancing those processes to make them more efficient and less costly and reduce the turnaround time. Previously, it took more than a week to onboard new hires and grant them needed access, a process that involved many paper-based requests. Transferring staff across departments or to another branch also required a lot of manual effort and involved many paper-based requests. Prolonged leaves of absence and resignations needed to be further governed and controlled to ensure prompt revocation of unneeded access.
The second goal was to better manage and govern privileged identities for IT administrators on servers and systems. The previous manual, paper-based process lacked full visibility into these identities, which increased security risks. Full visibility, governance and control was essential to ensure IT administrators were granted the minimum privileges needed to fulfill their job. In addition, visibility and traceability of administrative actions performed was essential for monitoring and incident response at CIB’s Security Operations Center (SOC).
The final goal was to enhance customers’ authentication security processes by extending IAM control over CIB’s digital channels. Customers needed a seamless login experience with enhanced security and control.
It’s a good thing Hassan loves a challenge, because implementing this strategy would present several of them.
The first challenge was finding a partner to help with the plan. CIB studied and explored the marketplace for available solutions. “We knew creating a lot of customizations would lead to a very complex and unmanageable environment,” says Hassan. “We wanted to make sure that the platform would be flexible enough to accommodate our requirements and maintain out-of-the-box functionalities with minimal customizations.”
It determined IBM Security® had the governance platforms that could support the CIB strategy. IBM also was available for consulting, which was important to the team. The consultancy side helped CIB build proper governance models around its applications.
IBM Security introduced IBM Security Guardium®, IBM® Identity and Access Management (IAM), IBM Security Identity Governance and Intelligence (IGI), IBM Privileged Access Management (PAM), and IBM Security Verify Privilege Manager solutions. These solutions monitor the bank’s databases, protect sensitive servers, manage compliance, prevent separation of duties (SoD) violations, automate IT audits and build boundaries for identified threats. These features provide a more security-rich environment for the organization.
The second challenge was integrating the solutions into the legacy systems. CIB runs a complex IT environment with more than 120 applications. When it began executing the strategy in July 2017, the team took an agile approach.
“We decided to focus on quick wins that generated business values to the departments,” explains Hassan. “And we selected the applications that would bring visibility to the sensitive entitlements that staff had access to.”
The foundation setup integrated with CIB’s Human Resources (HR) systems and its domain controller system. Then it integrated the core banking application, which was finished in January 2018.
“By the time we had this up and running, we started integrating more and more applications with IBM, which were of a complex nature,” says Hassan.
The third challenge was transferring knowledge. This is another area where the IBM consultants were integral to the solution. The IBM team in Egypt supported CIB while it built up the internal team’s skill sets. Employees learned to troubleshoot, create workflows and integrate applications to maintain daily operations.
“We relied on IBM’s expertise and their support. Then they handed over the knowledge to the local identity access management team and CIB to resume the journey and start integrating more and more applications,” says Hassan.
There were many challenges integrating the strategy solutions into CIB’s existing systems. But they were worth the effort.
The second challenge was integrating the solutions into the legacy systems. CIB runs a complex IT environment with more than 120 applications. When it began executing the strategy in July 2017, the team took an agile approach.
“We decided to focus on quick wins that generated business values to the departments,” explains Hassan. “And we selected the applications that would bring visibility to the sensitive entitlements that staff had access to.”
The foundation setup integrated with CIB’s Human Resources (HR) systems and its domain controller system. Then it integrated the core banking application, which was finished in January 2018.
“By the time we had this up and running, we started integrating more and more applications with IBM, which were of a complex nature,” says Hassan.
The third challenge was transferring knowledge. This is another area where the IBM consultants were integral to the solution. The IBM team in Egypt supported CIB while it built up the internal team’s skill sets. Employees learned to troubleshoot, create workflows and integrate applications to maintain daily operations.
“We relied on IBM’s expertise and their support. Then they handed over the knowledge to the local identity access management team and CIB to resume the journey and start integrating more and more applications,” says Hassan.
There were many challenges integrating the strategy solutions into CIB’s existing systems. But they were worth the effort.
With its new solutions in place, CIB security processes are more streamlined and security rich. New hires no longer wait weeks before they can start helping customers. Instead, the new solution processes their access in a matter of minutes.
Likewise, transferring staff from one branch to another happens in minutes. Now CIB helps its understaffed branches faster when covering short-notice absences. Integrating applications has gotten easier, too. The team has 80 of its 120 applications on the system. When introducing a new application, the SOC follows a defined set of integration requirements that take place right away.
CIB has also lowered security risks with PAM. The SOC can see all the activities done by the IT administrators across all operating systems and databases. This ensures user activities agree with the user’s entitlements. The SOC can also record activities for investigation, if needed.
And all this happened without affecting the customer experience—except to make it better. By working with IBM, CIB made sure the user experience was seamless and straightforward.
“The in-depth strategy that we’ve implemented is now providing customers with more secure solutions,” says Hassan. “Our robust approach to our digital transformation strategy goes hand-in-hand with our security posture.”
CIB’s strategy reduced manual identity governance efforts by taking over the management of more than 8,000 employee identities while streamlining the fulfillment of business requirements.
CIB plans to continue working with IBM on its ongoing strategy towards zero trust. “The level of support we get from the local and global teams has been very outstanding. We'll continue to work with IBM Security in different domains to ensure that we are achieving the objectives of CIB’s security strategy.”
There’s no doubt security challenges will keep coming, but with their IBM Security partnership and strategy in place, Hassan and CIB are ready for them.
CIB (link resides outside of ibm.com) is a leading private sector bank in Egypt. Located in Cairo, it offers financial products and services to more than 1.4 million customers, including enterprises of all sizes, institutions, households and high-net-worth individuals. Its mission is to “transform traditional financial services into simple and accessible solutions by investing in people, data and digitalization to serve tomorrow’s needs today.”
Legal
© Copyright IBM Corporation 2022 IBM Corporation, IBM Security, New Orchard Road, Armonk, NY 10504
Produced in the United States of America, March 2022.
IBM, the IBM logo, ibm.com, IBM Security, and Guardium are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copyright-trademark.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.