Issues of limitations on the number of simultaneous connections and rising costs that arise from the VDI-type Internet separation infrastructure

Tsukuba Bank, which was established in March 2010 through the merger of Kanto Tsukuba Bank and Ibaraki Bank, has made "active support for local small and medium-sized enterprises" one of its key policies and is contributing to the creation of a rich and sustainable local community. The bank is also actively working on SDGs, and has steadily increased the amount of sustainable finance it has implemented, mainly through services such as the "Tsukuba Sustainability Linked Loan" and "Tsukuba Green Loan."

Tsukuba Bank is also focusing on security measures for the IT systems that support its internal operations. Takasaki Takayuki, Chief Researcher of the System Planning Group in the Administrative Management Department at the bank, says, "In response to the Financial Services Agency's security guidelines, we established a CSIRT in 2017 and are strengthening security measures across the organization."

As a pioneer in this effort, Tsukuba Bank has also been working on so-called Internet isolation, which involves separating the Internet connection environment from the bank's internal network.

However, this internet separation system had many issues. Shiozaki Haruaki, a researcher in the System Planning Group of the Bank's Administrative Management Department, explains, "At our bank, we used Virtual Desktop (VD) to separate the internet, but the host server for the cloud service we had contracted had capacity constraints, and the number of people who could connect to the internet at the same time from each branch was limited to a maximum of around 140. In addition, as technology advanced and the amount of internet-based business at the bank increased, the number of employees who needed internet access grew to nearly 600, and there were always people waiting in line to use the internet."

There were three main challenges with the VDI method.

Looking for new solutions to move away from VDI

Therefore, the Bank of Tsukuba began considering replacing the VDI method with a new Internet separation platform. In early 2023, we started PoCs for Menlo Security 's web isolation "MenloSecurity Isolation Platform" and secure web gateway "Menlo Security Global Cloud Proxy". (Hereinafter the two products are collectively referred to as Menlo Security)

"The truth is, I had heard explanations about Menlo Security and seen demonstrations at Financial ISAC conferences and exhibitions, and I had been very interested in the ease of connecting to the Internet. I also had in the back of my mind the idea that Menlo Security 's system could solve the problem of downloading encrypted files. I had always wanted to introduce it, and the opportunity finally came," said Takasaki.

Having actually experienced Menlo Security through a PoC, I found it to be a solution that fully lived up to my expectations.

"Not only can we support our current 600 or so employees, but we also have ample room for simultaneous Internet connections, even if the number of users continues to grow in the future. Performance via the secure web gateway was also good. The management console UI was easy to understand, and we were able to learn the various settings in a short amount of time. Macnica 's support was also very friendly, and they responded quickly to our various inquiries, so we decided that the system could be easily operated by the members of the systems operations group." (Shiozaki)

However, we did not start out considering the introduction of Menlo Security. When considering replacing VDI, we researched a variety of solutions, but could not find a solution that beat Menlo Security. We contacted other regional banks that had already introduced Menlo Security and asked about their user impressions, and found that Menlo Security had received positive reviews, which gave us peace of mind in deciding to introduce it.

"During the implementation process, because Menlo Security itself was a SaaS cloud service, we didn't have to put in much effort to build the infrastructure, and we didn't rely too much on the implementation vendor. This gave us the time to work together as a team within the bank to carry out UAT. There were some aspects that were more difficult than with a typical system implementation, but as a result we were able to accumulate knowledge within the bank, which enabled us to respond quickly to subsequent operations. I would also like to express my gratitude to the team members who worked hard to test more than 300 cases." (Shiozaki)

Not only VDI but also secure web gateways are unified with Menlo Security

In preparation for the introduction of Menlo Security 's Web Isolation, we considered whether to use a multi-proxy configuration with the existing secure web gateway, or to use the secure web gateway included in the Menlo Security Web Isolation license, and ultimately decided to standardize on Menlo Security. The benefits are cost reduction and improved operability.

"With our previous proxy, the logs were not well organized and were difficult to analyze, but with Menlo Security 's Secure Web Gateway, the logs are easy to view and the management screen allows for detailed settings, making it easy to understand and stress-free. I got the impression that Menlo Security is a very simple system. Also, previously, the proxy would block uploads that it recognized as uploaders, but upload control was not sufficient. With Menlo Security, we have strengthened our security policy and are now able to control uploads satisfactorily." (Shiozaki)

The number of simultaneous connections to the Internet has increased. SSO implementation using SAML has improved convenience.

Menlo Security, which was officially introduced in November 2023, has brought numerous benefits to Tsukuba Bank. The first is reduced operational costs.

"Compared to upgrading while keeping VDI, we expect costs to be reduced by at least 35% over a five-year period. Furthermore, with VDI, it was necessary to add host servers, so we expect the benefits to be even greater than that," said Takasaki.

Menlo Security also contributes to improving the efficiency of various operations within the bank.

"The significant increase in the number of simultaneous internet connections has eliminated waiting in line for internet-only terminals, which has reduced stress for employees and improved work efficiency. In addition, in conjunction with this renewal of the internet isolation infrastructure, we built an in-house portal site that brings together links to various SaaS and web-based business systems. With Menlo Security, all of this access can be done with SAML-based SSO (single sign-on), which has greatly improved convenience. Employees have also been pleased with the ability to copy and paste data between internet-connected virtual browsers and on-premise business systems," says Shiozaki.

Of course, the benefits of enhanced security, which is absolutely essential in the financial industry, are also evident.

"For example, it is now possible to deploy encrypted files attached to emails in a virtual Box and inspect them, greatly improving the security of information exchanged with the outside world," says Shiozaki.

Takasaki continues, "When we were revamping our internet isolation infrastructure, we asked an external auditing firm to perform a third-party evaluation of our cybersecurity, but they didn't point out any particular issues. As a result, we can use Menlo Security with peace of mind."

Regarding support, Shiozaki said, "Whenever we have a problem, Macnica provides support in Japanese, which gives us a sense of security, even more so than with our previous VDI. And when an emergency occurs, we're grateful to have Japanese members of Menlo Security standing by to respond flexibly."

Security that adapts to the changing times: Considering the introduction of zero trust in the medium to long term

Building on the results achieved by implementing Menlo Security, Tsukuba Bank plans to further strengthen its security measures, and one of the future directions it is looking at is the introduction of zero-trust security.

"Due to the nature of banking work, we will need to maintain security measures based on perimeter defense for the next few years. However, it is also true that the way our employees work is changing significantly in the wake of the COVID-19 pandemic, so we must review our security measures to keep up with the times. For that reason, we are considering a variety of measures, including zero-trust security solutions and initiatives that utilize AI," said Shiozaki.

In this environment, expectations for Menlo Security and Macnica are also rising.

"What kind of security measures are desirable for our bank? Even if we were to move to zero trust security, what scheme should we use to implement it? We would appreciate it if you could think about this with us from the planning phase and provide support as a trusted partner," said Shiozaki.

Of course, Menlo Security and Macnica also intend to fully support Tsukuba Bank's efforts, and the challenge of the three companies working as one team will continue for the long term.

User Profile