I want to strengthen security measures to protect the safety of using SaaS

Minna Bank, Ltd. (hereafter, Minna no Bank), which opened in May 2021, is a digital bank that aims to be a completely new bank that mainly targets the digital native generation. The bank was the first in the industry to build a full-cloud banking system. We have designed a zero-based banking system so that all services such as account opening, ATM deposits and withdrawals, and transfers can be completed on a smartphone. The service has been provided since May 2021, but the number of accounts opened has already reached about 500,000 (as of December 2022). Zero Bank Design Factory Co., Ltd. (hereafter, Zero Bank Design Factory) is responsible for the development and operation of Minna no Ginko's banking system. The company aims to create new value through the development of a new digital banking system, and also plans to provide the system to other companies aiming to enter the banking business.

Minnano Bank uses numerous SaaS services, but security is something we must always keep in mind. In particular, inadequate or overlooked security settings, such as access permissions, can lead to incidents such as information leaks, so accurate verification is essential. However, SaaS configurations have become increasingly complex in recent years, with frequent additions and changes to features, so even if a configuration is completed once, it is impossible to know whether it will remain correct. "To enhance the security of our banking systems, we previously implemented a Cloud Security Posture Management (CSPM) product to evaluate the security of IaaS, PaaS, and other settings. However, this product did not cover SaaS, and configuration verification was relied upon manually. Meanwhile, at the end of 2020, an incident occurred in Japan in which a configuration error in a certain SaaS allowed a third party to view information. Since this SaaS was also used by our bank, we once again felt the need to strengthen our countermeasures," said a representative.

Covers all major SaaS, confirms sufficient functions in PoC and adopts

So Minnano Bank began researching whether there were any products that could cover SaaS as well. They learned about Falcon Shield. They learned about it from other financial institutions at a meeting of the Financial ISAC (Financial ISAC), a general incorporated association that shares and analyzes cybersecurity information among Japanese financial institutions.

"We had originally introduced Prisma Cloud from Macnica, and since the company was also a distributor of Falcon Shield, we decided to contact them right away."

After receiving an overview of Falcon Shield from Macnica, the bank conducted a PoC around March 2022. The main focus of this PoC was to confirm whether Falcon Shield was compatible with the SaaS used by the bank.

"Our bank uses around 30 different types of SaaS, and Falcon Shield was able to cover the nine main ones, specifically Salesforce, Office 365, SharePoint, and Intune. Other things we wanted to check included whether there were any false positives, how many items it could detect, whether it would properly issue alerts, and whether it could be integrated with a SIEM. Falcon Shield fully met our expectations."

The bank decided to officially adopt Falcon Shield and move into full-scale operation, but encountered difficulties in the process of internally evaluating each of the items detected by Falcon Shield. "First, our security team made a primary assessment and then we consulted with the person in charge of each SaaS to decide whether or not action was necessary. Some SaaS detected a large number of items, so we had to spend hours discussing them internally to determine whether or not corrections were necessary."

After firmly confirming the effects in this way, the bank will start full-scale operation from July 2022. The PoC environment was used during actual use, and there was no need to reconfigure the SaaS linkage, so it was possible to start using it smoothly.

Information is listed and visualized for easy risk management, and complies with international security standards

Regarding the effectiveness of Falcon Shield, the person in charge said, "Risk management has become easier because the information is listed and visualized. The interface is easy to use and the situation can be understood intuitively, so there is almost no confusion in operation. Above all, there is a great sense of security in knowing that the settings status can be properly checked, unlike before."

Even after the start of operation, the evaluation of the detected items continues. For example, when we reviewed the settings for Slack, we found that the session timeout interval was set differently depending on the environment, and there was internal debate about how appropriate it was.

"Falcon Shield complies with international security standards such as CIS and SOC2, and suggests how to configure the system in such cases. Thanks to this, we are now able to provide configuration instructions with objective evidence. Some of the SaaS we use is shared with our parent company, Fukuoka Financial Group, so we also report the detection results and other information to the parent company's security personnel."

Another benefit of introducing Falcon Shield is that it has reduced operational burden.

"If there is a problem with the settings, you will be notified by email alert. Also, by linking with SIEM, we can check a large number of alerts in a list, so there is no extra load." Although the SaaS staff were aware of some of the detected items, they were unable to deal with them due to lack of time.

"Falcon Shield prioritizes the detected risks that need to be addressed, making it easier to start responding. Also, by adding comments to each alert on the SIEM side, we have made it possible to share among team members the policy for dealing with each alert."

Increase target SaaS and strengthen security measures

Everyone's Bank is considering increasing the use of SaaS in the future.

"In that sense, I would like to see an update regarding support for domestically developed SaaS, which we use frequently."

In addition, by linking using APIs, security-related information is aggregated and centralized in SIEM. We also aim to take measures to prevent leaks.

"With this implementation, Macnica was there to intervene when we made inquiries to the vendor, so we were able to communicate in Japanese and receive replies smoothly. We look forward to their continued support in the future."

*The information and company names mentioned in the text are from the time of the interview (December 2022).