I want to strengthen security measures to protect the safety of using SaaS

Minna Bank, Ltd. (hereafter, Minna no Bank), which opened in May 2021, is a digital bank that aims to be a completely new bank that mainly targets the digital native generation. The bank was the first in the industry to build a full-cloud banking system. We have designed a zero-based banking system so that all services such as account opening, ATM deposits and withdrawals, and transfers can be completed on a smartphone. The service has been provided since May 2021, but the number of accounts opened has already reached about 500,000 (as of December 2022). Zero Bank Design Factory Co., Ltd. (hereafter, Zero Bank Design Factory) is responsible for the development and operation of Minna no Ginko's banking system. The company aims to create new value through the development of a new digital banking system, and also plans to provide the system to other companies aiming to enter the banking business.

Now, everyone's bank uses a number of SaaS services, but one thing we always have to keep in mind is security. In particular, inadequacies or omissions in security-related settings, such as access rights, can lead to incidents such as information leaks, so accuracy is required for confirmation. However, in recent years, SaaS settings have become more complicated, and functions are added and changed frequently, so even if you set them once, you may not be sure if they are correct all the time. Akira Takahashi, Managing Director of Minna no Bank Cyber Security Group, said, "In order to improve the security of our banking system, we have introduced CSPM (Cloud Security Posture Management) products that evaluate the security of settings such as IaaS and PaaS. At the end of 2020, however, this product did not cover SaaS, and it relied on humans to check the settings. We had an incident in Japan where we were able to do this.Since our bank was also using this SaaS, we felt the need to reinforce our countermeasures."

Covers all major SaaS, confirms sufficient functions in PoC and adopts

Therefore, Minna no Bank began investigating whether there was a product that could cover SaaS. I learned about the existence of "Adaptive Shield". The information was obtained from other financial institutions at a meeting of the General Incorporated Association Financials ISAC (Financials ISAC), which shares and analyzes information on cybersecurity by Japanese financial institutions.

“Since we had originally installed Prisma Cloud from Macnica and they were also an Adaptive Shield distributor, we decided to inquire about it right away,” said Takahashi.

The bank received an overview of Adaptive Shield from Macnica and conducted a PoC around March 2022. The main point of this PoC was to confirm whether Adaptive Shield was compatible with the SaaS that the bank was using.

“There are about 30 types of SaaS that our bank uses, and AdaptiveShield was able to cover the major 9 of them, specifically Salesforce, Office365, SharePoint, and Intune. There were questions such as whether there were any false positives, how many items were detected, whether alerts would be raised properly, and whether SIEM linkage was possible, but Adaptive Shield did a good job of meeting our expectations.” (Mr. Takahashi)

Therefore, the bank decided to officially adopt Adaptive Shield. Although it was decided to move to production operation, there was a difficulty in the process of evaluating each item detected by Adaptive Shield in-house. “First, our security team made a judgment as a primary evaluation, and then discussed with the person in charge of each SaaS and decided whether or not countermeasures were necessary. We also held internal discussions and decided whether or not correction was necessary.” (Mr. Takahashi)

After firmly confirming the effects in this way, the bank will start full-scale operation from July 2022. The PoC environment was used during actual use, and there was no need to reconfigure the SaaS linkage, so it was possible to start using it smoothly.

Information is listed and visualized for easy risk management, and complies with international security standards

Regarding the effectiveness of Adaptive Shield, Kenji Ninomiya, group leader of the Cyber Security Group at Minna no Bank, said, "By listing and visualizing information, risk management has become easier. The interface is easy to use, and the situation can be understood intuitively. Since it can be done, there is almost no confusion about operation.More than anything, unlike the conventional system, it gives me a great sense of security that I can check the settings properly.”

Even after the start of operation, the evaluation of the detected items continues. For example, when we reviewed the settings for Slack, we found that the session timeout interval was set differently depending on the environment, and there was internal debate about how appropriate it was.

“Adaptive Shield complies with international security standards such as CIS and SOC2, and suggests settings in such cases. Thanks to this, we can explain the setting instructions with objective evidence. Since some of the SaaS we use is jointly used with our parent company, Fukuoka Financial Group, we also pass on detection details to the parent company's security staff." (Mr. Takahashi)

Another benefit is that the introduction of Adaptive Shield has reduced the operational load.

"If there is a problem with the settings, you will be notified by an alert email. Also, by linking with SIEM, you can check a large number of alerts in a list, so there is no extra load." (Mr. Takahashi) Some of the detected items were known to the person in charge of SaaS, but they were unable to handle some of them.

“Adaptive Shield ranks the detected risks that need to be dealt with first, making it easier to take action. We are also devising ways to share policies among members to deal with alerts.” (Mr. Ninomiya)

Increase target SaaS and strengthen security measures

Everyone's Bank is considering increasing the use of SaaS in the future.

"In that sense, I would like to see an update on the support for domestic SaaS, which is often used." (Mr. Takahashi)

In addition, by linking using APIs, security-related information is aggregated and centralized in SIEM. We also aim to take measures to prevent leaks.

"With this installation, Macnica came in between us when we contacted vendors, so we were able to communicate in Japanese and received responses smoothly. We look forward to continued support in the future." (Mr. Ninomiya)