Central America’s largest bank builds customer trust by using CyberArk to protect critical services

Summary

Over four million customers across Central America rely on BAC Credomatic and the security of its services to protect their money and personal information. With CyberArk as a core part of its cybersecurity posture, the bank has increased customer trust.

Company profile

Beginning operations in 1952 with the creation of the Bank of Central America in Nicaragua, BAC is an organization with more than 70 years of experience whose 19,800 employees provide financial solutions to more than 4.4 million clients throughout Central America. During the 1990s, BAC became the first Financial Group with a presence in all Central America. The stated purpose of BAC is to “reimagine banking to generate prosperity in the communities it serves.” With this in mind, beginning in 2022, BAC launched an initiative to become the first Financial Group to be Net Positive, meaning that it will create more positive economic, environmental and social value than its footprint produces. In addition, BAC stated intent to be a bank that offers financial solutions of triple positive value focused on the lives of people and the planet they inhabit, meaning that with the same excellence and rigor that BAC works to maximize economic value, the organization will also maximize and share social and environmental value with all stakeholders. Thanks to its regional leadership in digital transformation and innovation, it has developed digital banking that is currently used by more than 2.1 million customers on a regular basis. Likewise, BAC has received more than 60 international awards and recognitions in recent years.

Employees: 19,800

Challenges

Over four million customers across Central America use BAC, the region’s largest bank, to pay the weekly food bills, hold life savings and manage money for businesses and, as BAC is shifting many applications to the cloud, more than two million of those customers are relying on those cloud-based digital services. The region has also experienced rapid changes to the cybersecurity threat landscape, with the number and sophistication level of cyberattacks growing year over year. The COVID-19 pandemic saw bad actors, phishing and ransomware attacks increase. Recently, a successful attack in Costa Rica hit several public organizations.

BAC is charged with ensuring it has the best processes and technology in place to protect its customers, their assets as well as the bank and its staff. Given the high reputation of BAC, one wouldn’t expect to hear Vinicio Chaves, the Senior Cybersecurity Manager at BAC, state that security technology is not their main goal, but that is precisely what he believes, and for good reason.

“BAC uses technology to ensure it is secure. But every day, I remind my team that is not our true purpose,” explained Chaves. “The real purpose is building trust in the services we deliver to customers. It is to assure the mother working nine-to-five to provide food for her family that her details and her money are protected by BAC.”

The bank works hard to minimize threats and ensure it meets cybersecurity standards demanded by regulations, such as Payment Card Industry (PCI). Identity security takes center stage in the bank’s cybersecurity strategy. Whether it is an end-user, system or process, identity security is essential to detection, prevention and protection.

The IT environment at BAC is mainly on-prem and includes legacy systems. However, the bank is migrating to the cloud and adopting a cloud-first strategy for any new services. “Rather than a threat, we see the cloud as an opportunity,” said Chaves. “Whether it is a new product or service or 25-year-old application, we design them to be secure in the cloud.”

“As a leading bank in Latin America charged with securing millions of customers, we needed a security solution that could deliver the highest standards of protection,” shared Chaves. “We evaluated several different products, and we came to believe that CyberArk was, and still is, the best solution to protect identities. Additionally, the variety of features that CyberArk provides is a big differentiator.”

Chaves added that not only does CyberArk protect identity and password rotation, it also has several other features like CyberArk privileged threat analytics (PTA) to spot accounts with uncontrolled access rights, plus fast, easy and secure privileged access for remote users. Integration was another key reason for choosing CyberArk.

“We have a mix of different IT platforms from legacy technologies, SQL databases and Linux to Windows and services in cloud providers, and we have not seen one scenario where we could not integrate CyberArk.”

– Vinicio Chaves, Senior Cybersecurity Manager, BAC

Solutions

BAC uses two key CyberArk solutions to manage identity security: CyberArk Privileged Access Manager Self-Hosted and CyberArk Secrets Manager Credential Providers. The latter, for instance, is helping protect the exponential cloud adoption of the bank. Going from manual processes that would be impossible to sustain, to a streamline and automated workflow to manage secrets for every service created in our public cloud providers.

Recently IT Security brought together developers and systems architects from different countries and departments to ensure that no passwords, credentials or secrets were enabled in services or applications that are not controlled by CyberArk. The goal was to emphasize that the bank uses CyberArk PAM to centralize all security processes. For example, if there is an incident in Guatemala with the core online account system, a specialist at the head office can investigate and mitigate that incident.

To help with deployment, BAC used the CyberArk Jump Start Package along with CyberArk Consultancy Services. “CyberArk professionals are the specialists, having worked with many clients around the world on best practices for identity security and privileged access management,” elaborated Chaves. “We spelled out our requirements and used CyberArk Jump Start to improve deployment, discover what to protect first and develop a roadmap to enable different integrations and processes.”
For ongoing support and day-to-day operations, BAC works with local CyberArk business partner, Soluciones Seguras.

Results

“CyberArk has enabled BAC to create trust in its technology and services,” explained Chaves. “Just a few accounts have access to millions of customers, but those accounts are protected by CyberArk. Passwords are rotated automatically, and if there are any anomalies, CyberArk immediately triggers an alert for us to investigate. We put CyberArk at the core of our technology to enable BAC to protect customers.”

One of the objectives in developing stronger identity security and privileged access was to improve compliance with international banking standards. At the time, local regulations, such as those in Costa Rica, did not require a privileged access management solution, but PCI compliance did. Not only does CyberArk meet PCI requirements, but it has also been used to establish best-practice cybersecurity.

“We saw CyberArk as a means to deploy core cybersecurity concepts at the bank, and now it is the standard for every mission-critical platform. This meant BAC was already fully compliant when threat levels increased, and local regulators wanted tougher standards.”
– Vinicio Chaves, Senior Cybersecurity Manager, BAC

Additionally, BAC has developed a method to measure the impact and cost of risk. It applies a score to factors such as threat level, confidentiality information integrity and controls that lower the risk. As one of the bank’s mission-critical security controls, CyberArk has lowered the bank’s security risk score.

Chaves explained how CyberArk improves identity security management. BAC has several external vendors who access its systems. Setting up VPNs and user access for each vendor would, in the past, take up to a month to accomplish, including bank staff physically traveling to each vendor. With CyberArk Vendor Privileged Access Manager, it reduces the time required to just two hours, providing secure third-party access to critical internal resources without the need of agents, VPNs, or passwords with audit capabilities. Now the process is faster, more secure and done remotely.

“BAC is leading the change in banking in Central America to make services better and more secure for customers. But digital services must be trustworthy, so customers are confident they do not need to go to a branch,” concluded Chaves. “Given increasing risk in regions like Costa Rica, people are naturally worried about their money. Using CyberArk to put cybersecurity and identity management at the core of operations, BAC has built trust in its ability to protect customers.”

Key benefits

• Builds customer’s trust that their money is safe
• Decreases identity security management processes from a month to two hours
• Improves international and local regulatory compliance
• Improves ability to meet cybersecurity insurance standards
• Enables the bank to confidently transition applications to the cloud