February 23, 2022
By Kristen Stelzer | 5 minute read
Banking security personnel focus on the many threats to bank and customer information. It’s complicated work to keep employees, customers and customer investments protected. So if you’re in charge of security at a bank, it helps if you love a challenge.
Luckily, the person who oversees security at Commercial International Bank S.A.E. (CIB), Egypt’s leading private sector bank, thrives on the challenge.
“Ensuring we’re always secure is one of the core challenges that I love about my job,” says Shatssy Hassan, CIB’s Chief Security Officer (CSO). “We’re able to transfer this feeling of comfort to our customers and encourage them to work with a bank that cares about their investments and their information.”
CIB provides banking services for retail and corporate customers. It’s the largest private bank in Egypt, with over 1,000 ATMs across the country and over 210 branches across all Egypt governorates. Hassan has been the CSO since 2014.
In 2016, CIB began a five-year strategy to improve identity and access management (IAM) and identity governance. “This is an ongoing strategy that will be maturing in the future to ensure that we finally reach the objective of having a zero trust setup within the organization,” says Hassan.
The in-depth strategy that we’ve implemented is now providing customers with more secure solutions.
Shatssy Hassan
Chief Security Officer, Commercial International Bank S.A.E.
CIB focused first on three main goals. The first was to onboard, transfer and offboard staff in a seamless and convenient manner, enhancing those processes to make them more efficient and less costly and reduce the turnaround time. Previously, it took more than a week to onboard new hires and grant them needed access, a process that involved many paper-based requests. Transferring staff across departments or to another branch also required a lot of manual effort and involved many paper-based requests. Prolonged leaves of absence and resignations needed to be further governed and controlled to ensure prompt revocation of unneeded access.
The second goal was to better manage and govern privileged identities for IT administrators on servers and systems. The previous manual, paper-based process lacked full visibility into these identities, which increased security risks. Full visibility, governance and control was essential to ensure IT administrators were granted the minimum privileges needed to fulfill their job. In addition, visibility and traceability of administrative actions performed was essential for monitoring and incident response at CIB’s Security Operations Center (SOC).
The final goal was to enhance customers’ authentication security processes by extending IAM control over CIB’s digital channels. Customers needed a seamless login experience with enhanced security and control.
It’s a good thing Hassan loves a challenge, because implementing this strategy would present several of them.
We relied on IBM’s expertise and their support. Then they handed over the knowledge to the local identity access management team and CIB to resume the journey and start integrating more and more applications.
Shatssy Hassan
Chief Security Officer, Commercial International Bank S.A.E.
Overcoming obstacles one by one
The first challenge was finding a partner to help with the plan. CIB studied and explored the marketplace for available solutions. “We knew creating a lot of customizations would lead to a very complex and unmanageable environment,” says Hassan. “We wanted to make sure that the platform would be flexible enough to accommodate our requirements and maintain out-of-the-box functionalities with minimal customizations.”
It determined IBM Security™ had the governance platforms that could support the CIB strategy. IBM also was available for consulting, which was important to the team. The consultancy side helped CIB build proper governance models around its applications.
IBM Security introduced IBM Security Guardium®, IBM® Identity and Access Management (IAM), IBM Security Identity Governance and Intelligence (IGI), IBM Privileged Access Management (PAM), and IBM Security Verify Privilege Manager solutions. These solutions monitor the bank’s databases, protect sensitive servers, manage compliance, prevent separation of duties (SoD) violations, automate IT audits and build boundaries for identified threats. These features provide a more security-rich environment for the organization.
The second challenge was integrating the solutions into the legacy systems. CIB runs a complex IT environment with more than 120 applications. When it began executing the strategy in July 2017, the team took an agile approach.
“We decided to focus on quick wins that generated business values to the departments,” explains Hassan. “And we selected the applications that would bring visibility to the sensitive entitlements that staff had access to.”
The foundation setup integrated with CIB’s Human Resources (HR) systems and its domain controller system. Then it integrated the core banking application, which was finished in January 2018.
“By the time we had this up and running, we started integrating more and more applications with IBM, which were of a complex nature,” says Hassan.
The third challenge was transferring knowledge. This is another area where the IBM consultants were integral to the solution. The IBM team in Egypt supported CIB while it built up the internal team’s skill sets. Employees learned to troubleshoot, create workflows and integrate applications to maintain daily operations.
“We relied on IBM’s expertise and their support. Then they handed over the knowledge to the local identity access management team and CIB to resume the journey and start integrating more and more applications,” says Hassan.
There were many challenges integrating the strategy solutions into CIB’s existing systems. But they were worth the effort.
Automated security and zero trust benefits
With its new solutions in place, CIB security processes are more streamlined and security rich. New hires no longer wait weeks before they can start helping customers. Instead, the new solution processes their access in a matter of minutes.
Likewise, transferring staff from one branch to another happens in minutes. Now CIB helps its understaffed branches faster when covering short-notice absences. Integrating applications has gotten easier, too. The team has 80 of its 120 applications on the system. When introducing a new application, the SOC follows a defined set of integration requirements that take place right away.
CIB has also lowered security risks with PAM. The SOC can see all the activities done by the IT administrators across all operating systems and databases. This ensures user activities agree with the user’s entitlements. The SOC can also record activities for investigation, if needed.
And all this happened without affecting the customer experience — except to make it better. By working with IBM, CIB made sure the user experience was seamless and straightforward.
“The in-depth strategy that we’ve implemented is now providing customers with more secure solutions,” says Hassan. “Our robust approach to our digital transformation strategy goes hand-in-hand with our security posture.”
CIB’s strategy reduced manual identity governance efforts by taking over the management of more than 8,000 employee identities while streamlining the fulfillment of business requirements.
CIB plans to continue working with IBM on its ongoing strategy towards zero trust. “The level of support we get from the local and global teams has been very outstanding. We'll continue to work with IBM Security in different domains to ensure that we are achieving the objectives of CIB’s security strategy.”
There’s no doubt security challenges will keep coming, but with their IBM Security partnership and strategy in place, Hassan and CIB are ready for them.