Top five Taiwanese financial group uses CyberArk Identity Security Platform to strengthen cloud security and DevOps identity management

Summary

KGI Financial Holdings has actively promoted digital transformation in recent years. KGI Financial has focused on IT transformation, introducing a modern DevOps model and a new type of cloud environment, with the aim of improving IT environment flexibility and bringing new services to market faster. During the development and transformation process, KGI Financial faced many challenges, including identity verification, account inventory, and multi-cloud management. KGI Financial uses the CyberArk Identity Security Platform as the foundation of multiple solutions deployment to ensure Zero Trust and strengthen information security control in its vast and growing IT environment.

Company profile

KGI Financial Holdings is a large financial group headquartered in Taiwan. KGI Financial implements the digital transformation strategy and develops a hybrid multi-cloud IT environment. Services include consumer finance, corporate finance, financial management, trading and investment, and insurance.

Employees: 13,000+

Challenges

In the ever-changing global economy, determining how to bring new products and services to the market faster is crucial. Therefore, KGI Financial has actively promoted digital transformation in recent years, especially in terms of IT transformation, introducing modern DevOps models, and the development of new types of cloud environments with the aim of increasing their agility and expediting the introduction of new products and services. In the process of development and transformation, the company is faced with many difficulties, including identity verification, account inventory, multi-cloud management, and more.

The cornerstone of cybersecurity at KGI Financial is understanding and managing Identity Security. Chief Information Officer Terence Yeung shared, “For a financial company like KGI Financial that has thousands of users, Identity Security is a complicated problem, especially when employees move to different departments or subsidiaries or their roles and functions change.”

Although the company was controlling identity, its processes were complex. They had limited identity tools, so when someone needed an account with multiple levels of access, it had to be processed manually. In addition, access permissions could get outdated between audits, further complicating access management. Every year, KGI Financial ran a manual inventory to check identity status. “This was an excruciating and time-consuming process,” added Terence. “We could not say for certain whether there were problems with identity management, so we used an annual inventory to audit identities. We had to check with the employees themselves or their managers to verify whether there was something wrong with their permissions. And as it was manual, there was always the risk of mistakes.”

Further compounding the risks of manual processes, KGI Financial works with many third-party vendors who need access to business systems and temporary accounts to provide their services. The company also needed to do a manual inventory to check any permissions still in place after a vendor had completed its work.

Solutions

Initially, KGI Financial used CyberArk Privileged Access Manager (PAM) Self-Hosted. They have expanded to use the integrated CyberArk Identity Security Platform to support the company’s transition to a hybrid and multi-cloud environment. Additionally, in response to future digitalization and the Zero Trust challenges posed, CyberArk and KGI Financial established a strategic partnership to continuously implement measurable risk-reduction identity security controls based on the CyberArk Blueprint framework and focused on three major areas: Implementing intelligent privileged controls across the company’s hybrid and multi-cloud environment, using a modern future-proof identity security infrastructure and adding agility to the DevOps environment. The specific solutions that KGI Financial uses from the CyberArk Identity Security Platform are:

• CyberArk PAM Self-Hosted
• CyberArk Cloud Entitlements Manager (CEM)
• CyberArk Workforce Identity
• CyberArk Secure Web Sessions (SWS)
• CyberArk Identity Security Shared Services

Future solutions include:

• CyberArk Secrets Manager to protect DevOps pipelines and non-human credentials used in robotic process automation (RPA) environments
• CyberArk Vendor PAM

To support deployment, KGI Financial used the CyberArk Blueprint for Identity Security Success. This program protects against the three most common attack scenarios by drawing on best practices CyberArk has learned in collaborating with its customers, spanning over 8,000 customer deployments around the world, with 20 years of deployment experience. The CyberArk Blueprint helps organizations address the security vulnerabilities that pose the greatest potential threat to them as quickly as possible, while also aligning the benefits of cybersecurity with their investment.

Further leveraging the integrated nature of the CyberArk Identity Security Platform, KGI Financial is currently expanding the use of CyberArk Workforce Identity solutions. Lifecycle Management helps KGI Financial simplify and streamline identity management while the other capabilities of the solution will enable the company to provide employees a modern single-sign-on and context-aware, password-less multifactor authentication experience to access business applications.

“KGI Financial wanted a partner that has in-depth experience securing all types of identities no matter the environment where they exist,” explained Terence.

“When people ask us why we chose CyberArk, it is because of its comprehensive approach to Identity Security centered on intelligent privileged controls. It is important that we can meet the challenges of deploying and securing our hybrid and multi-cloud environment, and to meet new regulations. CyberArk was the best choice to ensure KGI Financial can confidently and securely innovate new solutions and services for our customers.”

Terence Yeung, Chief Information Officer, KGI Financial Holdings

The CyberArk solutions support KGI Financial’s cloud strategy by implementing least privilege access and protecting cloud-native working sessions. The company uses CyberArk CEM to scan cloud environments, report on the privileges and access developers and other users have in cloud environments and remove unused permissions.

In addition, KGI Financial has deployed CyberArk Secure Web Sessions to audit, monitor, and protect user activity within cloud-based business applications. They can now easily reconstruct users’ specific sessions down to every click, uncover mistakes, and reverse actions as needed.

Together, these solutions help KGI Financial adopt a defense-in-depth, Zero Trust approach to identity security across the company’s multi-cloud environment.

Results

“Because of the use of the CyberArk Identity Security Platform, users can use accounts with appropriate permissions at appropriate and approved time points under an efficient automated management mechanism; this is beneficial when it comes to managing identities and privileges.”

Lucian Hsieh, Vice President of Information Technology, KGI Financial Holdings

Lucian continued sharing that “The platform provides effective and feasible risk control measures. At the same time, in the face of various new information technology platforms and structures, with CyberArk’s integrated solutions we can manage and control them in a timely manner.”

KGI Financial estimates that after using CyberArk CEM, the typical identity and privilege access review process has been reduced to 30 minutes.

With CyberArk, the company can examine who has access to the highest-risk accounts, how they are used, and when privileged access is no longer needed. “The CyberArk Identity Security Platform helps us manage those with high-level cloud permissions and ensures that they do not have them when not needed,” said Vice President of Information Technology at KGI Financial, Alan Tsou. “It helps us strengthen the management of our cloud entitlements and underpins our Zero Trust strategy.”

Through CyberArk, the efficiency of managing cloud permissions has greatly improved.

“Cloud entitlements management is a significant issue that major enterprises must face in the process of cloud adoption. CyberArk Cloud Entitlements Manager has greatly reduced the amount of time we spend reviewing privileges across our cloud platforms.”

Alan Tsou, Vice President of Information Technology at KGI Financial Holdings

“In addition to setting identity security controls to protect the access of our employees and vendors, another area of focus for KGI Financial is securing the non-human identities that exist across applications and DevOps environments,” Alan added. “DevOps automations increase the efficiency of application development and operations; however, it also exponentially proliferates identities that can be targeted or misused to compromise the business.” In the future, the company also expects to include DevOps Tools Chain into the scope of its identity security program.

CyberArk Secrets Manager simplifies the process of protecting all the non-human identities that exist across cloud, on-premises, containerized, CI/CD pipeline, and DevOps environments.

Through CyberArk Secrets Manager, centralized audit records can be established, and scalability, performance, and availability can be achieved, avoiding security risks caused by secrets scattered on various platforms or clouds.
Moreover, CyberArk Secrets Manager also has the function of integrating with the existing CyberArk PAM Self-Hosted, which not only supports the local architecture, but also can continue to expand the architecture after the system is connected to the cloud. In addition to reducing management risk, this structure can also unify personnel management skills.

KGI Financial has a strong commitment to its customers and regulators. As such, the company leverages CyberArk’s extensive and global experience supporting auditing and regulation requirements to address and protect its customers and the assets of the company. Furthermore, they also plan to use the CyberArk Identity Security Platform to reduce risk across its subsidiary and group operations.

“The adoption of the cloud helps businesses innovate and be more agile, but it also proliferates identities. Identity Security is of utmost importance to KGI Financial, and CyberArk is an essential part of our cloud security strategy,” concluded Terence. “In terms of identity security, there is no end to the topic. There are two elements present in the majority of attacks: compromising identities and misusing privileges. Identity security helps protect our digital transformation and our customers and enable operational efficiencies.”

Key benefits

• Improves ability to control Identity Security across its multi-cloud environment
• Reduces cost and resources used for security operations
• Reduces time spent on reviewing cloud entitlements to 30 minutes or less
• Reduces the risk of errors and mistakes
• Ensures better local and international regulation compliance