For more than 70 years, customers in East Africa have trusted Diamond Trust Bank (DTB) for their banking needs. Listed on the Nairobi Securities Exchange (NSE), the leading regional bank is an affiliate of the Aga Khan Development Network (AKDN) and has more than 130 branches and 24/7 digital branches across Kenya, Tanzania, Uganda and Burundi.
Assistant Senior Manager Aarif Mawani leads Diamond Trust Bank’s dedicated Identity and Access Management (IAM) team, an integral part of DTB’s larger cybersecurity function. As a virtual presenter at our CyberArk Impact 2022 event, Mawani described the organization’s Identity Security journey, along with valuable best practices for others to consider as they chart their course.
Building the Business Case for Identity Security
In 2019, the regulatory compliance landscape was changing quickly. The SWIFT Customer Security Controls Framework (CSCF) had recently gone into effect, requiring all financial institutions using the global messaging network to comply with heightened cybersecurity standards. Mandatory controls focused heavily on securing the member institution’s environment, knowing “who” and “what” has access to critical systems and applications, and detecting and responding to high-risk activity in operator sessions.
A strong emphasis on cyber governance led the Diamond Trust IAM team to examine existing privileged access controls and move to formalize an Identity Security program centered on a strong and consistent privileged access management policy. An enterprise-wide discovery scan of privileged identities, accounts and credentials provided a clear picture of the organization’s identity risk landscape. Harnessing these insights, the team presented a plan to senior leadership, who recognized intelligent privilege controls are the linchpin for securing critical assets and preserving trust.
Laying a Strong Foundation with Privileged Access Management
After a rigorous evaluation, the Diamond Trust Bank IAM team partnered with CyberArk on their journey to secure the expanding number of identities across their environment. Their mission was clear: “To ensure that privileged and non-privileged users, as well as non-user access to information and communications technology (ICT) resources, follow the principle of least privilege through the identity lifecycle,” explained Mawani.
With critical top-down support, the team got to work designing a program – “not a project,” he stressed – spanning people, processes and technology. The heightened SWIFT CSCF requirements helped to create a sense of urgency to prioritize and accelerate the onboarding process.
Pivoting Quickly: “Necessity is the Mother of Invention”
But just as Mawani and team began evaluating security configurations, the COVID-19 pandemic changed everything.
The bank works with numerous third-party vendors to deliver innovative services to its customers. Many vendor representatives worked on-site at DTB offices under the supervision of DTB personnel, until the pandemic forced everyone to work from home. Virtually overnight, the need for remote vendor connections – via VPN and other traditional remote tools – more than doubled. “The ability to monitor these sessions became a must for us,” said Mawani.
The team quickly pivoted to extend privileged access management controls to support off-site vendors. They obtained necessary stakeholder support by demonstrating the ability to provision, manage and secure third-party access to critical resources with full session isolation, monitoring and audit capabilities – all while leveraging biometrics for multi-factor authentication (MFA) instead of VPNs, passwords or agents.
In 2021, the team was also tapped to integrate CyberArk with the bank’s SWIFT-compliant systems, which entailed building autoIT scripts to enable web-based connections with session isolation and monitoring.
After successfully transforming these IT challenges into opportunities and achieving measurable wins, the Diamond Trust IAM team turned its focus to Identity Security expansion, such as establishing cloud least privilege to reduce cyber risk and enhance visibility, securing secrets used by the organization’s vulnerability management application and other non-human identities, and broadening identity-centric intelligence and threat detection capabilities.
Sharing Identity Security Success Factors and Lessons Learned
Mawani emphasized several key success factors and lessons learned throughout Diamond Trust Bank’s ongoing journey:
- Focus on the big picture. From session management to password management, your program must stay in sync with the broader cybersecurity strategy.
- Collaboration is key. A defined communication strategy focused on end-user awareness and education is critical for overcoming objections, an inevitable part of any major change initiative. Sharing real user benefits and experiences will help make good training materials great.
- Management buy-in isn’t enough. Most action happens on the front lines. You will need aggressive foot soldiers, so cultivate both employee and vendor champions.
- Stay vigilant about program fatigue. Remember, Identity Security is an ongoing program, not a point-in-time project.
- Tackle things in phases. Follow a program roadmap and a risk-based approach, drawing from data insights gleaned from discovery scanning exercises. Goal posts may need to shift from time to time, but the focus should always be to put the ball in the net. When you do, celebrate those milestones – they’re important.
Today, the Diamond Trust Bank IAM team is enabling the digital business by providing fast and secure connections for vendors in 14 different countries around the world – and counting. “Today, there is an equal volume of internal and external traffic accessing CyberArk,” says Mawani. “And the journey continues.”