DZ Bank builds zero trust security strategy with CyberArk

DZ BANK Implements CyberArk PAM and Secrets Manager to Improve Identity Security

Company profile

DZ BANK AG, is part of the Volksbanken Raiffeisenbanken cooperative financial network, which is one of the largest private financial services organizations in Germany. DZ BANK acts as the central institution for around 800 cooperative banks, supporting them and strengthening their competitive positions. DZ BANK also operates as a commercial bank.

Industry: Financial Services
Annual Revenue: €3.1 billion EUR (3.3 billion USD)
Employees: 31,400

Challenges

“Like many organizations, DZ BANK is moving away from the perimeter as the primary defense to safeguard the IT infrastructure,” said Jan Thielmann, IT security specialist at DZ BANK. “That is because IT generally is moving toward cloud computing, and that demands a new approach to protecting your people and assets. That is a Zero Trust security framework where all users, inside or outside the network, are authenticated, authorized and continuously validated before being granted access to applications and data.”

This security strategy set DZ BANK on a journey to strengthen and improve the way it handles Privileged Access Management. By leveraging solutions from the CyberArk’s Identity Security Platform, DZ BANK implemented an Identity Security strategy based on the principle of least privilege to enable Zero Trust. This strategy delivered key benefits for DZ BANK such as enabling digital transformation, satisfying audit and compliance requirements, reducing cyber risks as well as driving operational efficiencies.

Alongside the shift toward cloud computing and remote working, the bank recognized that entities in the industry are facing increasing and more sophisticated cyberattacks, from organized and coordinated attacks to random, ad hoc phishing expeditions. “The threat is certainly more challenging. Because of changes like cloud computing, software as a service and remote working, internal identities are getting exposed in the outside world,” explained Thielmann.

Satisfying Audit and Compliance Requirements

Because of the increased risk for all organizations, regulators require financial institutions to show they can meet the growing threat of cyberattacks and that they have the necessary policies and solutions in place to manage privileged identities. As with other banks and financial institutions, DZ BANK operates a three-tiered defense model comprising operational security, information security and internal auditing. Policies given to the bank by external regulator frameworks and the bank’s own policies, based on the first and second lines of defense, steered DZ BANK toward creating a sustainable privileged access infrastructure.

“The key issue is the amount of control you have over your accounts,” stated Thielmann. “Impersonation is often a part of an advanced cyber attack, and we need a central trust anchor to know, when, where and how an access attempt is made.”

Solutions

DZ BANK conducted an extensive review of several privileged access management solutions, finally deciding to use CyberArk.

“DZ BANK chose CyberArk because of its reputation in the market, its functionality and the extent to which CyberArk can be modified to fit an existing infrastructure,” commented Thielmann. “We also liked the security features CyberArk provides, like the ability to manage all privileged accounts and an application-based secrets retrieval system.”

DZ BANK has implemented a CyberArk Identity Security solution comprising CyberArk Privilege Access Manager, Conjur Secrets Manager Enterprise and CyberArk Identity. The solution also includes the CyberArk Premium Support service package. Currently, DZ BANK is predominantly an on-prem environment, but the bank has established two hyperscale cloud environments that are protected by CyberArk.

The CyberArk solution was implemented jointly between DZ BANK, CyberArk and CyberArk’s business partner, Computacenter. DZ BANK found that CyberArk Conjur and CyberArk Identity integrated quickly and easily with the bank’s emerging cloud environment.

Enabling Digital Transformation: Migrating from On-Premises to the Cloud

CyberArk deployment at DZ BANK has evolved from an on-premises privileged access security foundation to the cloud to a more holistic approach to secrets management. Deployment started with Privileged Access Manager Self-Hosted for securing operational systems as well as technical and database accounts. Then deployment extended into applications and integrating Privilege Access Manager with delivery systems to make sure applications got secure and correct passwords. Now the bank is extending the CyberArk platform to job scheduling systems and into the cloud using CyberArk Identity and CyberArk Conjur.

DZ BANK’s CyberArk Identity Security solution integrates with the existing SIEM and IAM operations in the security operations center, where an incident response system handles alarms resulting from CyberArk. Because of the flexibility of CyberArk, DZ BANK was able to customize and retrofit the CyberArk products with the bank’s existing security infrastructure and policies.

DZ BANK had some of its own technical challenges to overcome but found a positive post-sales experience with CyberArk. “The implementation and time to value with both CyberArk and its partner was seamless and quick to succeed,” summarized Thielmann. “Along the journey, CyberArk advice and support has been great, particularly because CyberArk has such a good understanding of, and experience with, the banking sector and the challenges we face.”

Results

CyberArk Improves Identity Security

“When it comes to identity security and especially Privileged Access Management, CyberArk is the key service DZ BANK uses to protect our IT infrastructure. Since integrating CyberArk into our environment, privilege management and security have definitely improved. Fundamentally, it always comes back to having control over privileges and being able to manage secrets.”

– Jan Thielmann, IT Security Specialist, DZ BANK AG

As well as control, CyberArk brings greater insight into the use of privileges within the bank’s infrastructure. CyberArk enables the bank to integrate secrets storage with existing applications that deliver credentials to applications securely.

Beyond the CyberArk solutions and support, DZ BANK benefits from the large ecosystem CyberArk has built over several years. This provides access to various integrations, plugins and a marketplace containing pre-defined solutions for many of the problems and challenges banks face, especially with non-standard integrations.

CyberArk also supports compliance for the bank. “Compliance auditors have some challenging expectations, so you need to prove that a certain privilege is only used when necessary, and that it is used in CyberArk Privilege Access Manager, Conjur Secrets Manager Enterprise, and CyberArk Identity. The solution includes the CyberArk Premium Support and helps us reach that goal,” shared Thielmann. “Without dedicated privilege access management, it would be very hard to meet many of these compliance-related security controls and standards. CyberArk is a key factor in achieving these controls.”

Key benefits

  • Supports establishment of a Zero Trust security strategy
  • Delivers a significant improvement in privileged access management
  • Increases control over how privileges are managed
  • Improves visibility of access management operations
  • Helps meet compliance and auditing regulations

Talk to an expert

Understand the key components of an Identity Security strategy

Get a first-hand look at CyberArk solutions

Identify next steps in your Identity Security journey