Menlo Security

Achieve network isolation without compromising business efficiency
Achieving high levels of security and ease of use

Key points for implementation

  • Solutions to achieve network isolation recommended by the Financial Services Agency
  • Achieve high levels of security and ease of use
  • A support system that is close to users
Mr. Yoshikazu Watanabe
Board Director, Systems Department

Mr. Isao Sato
Manager, System Planning Group, Systems Department
Information Security Officer

The bank considered introducing network separation as a security measure, but a decline in business efficiency seemed inevitable

Shizuoka Chuo Bank is a regional bank with 43 branches mainly in Shizuoka Prefecture. In its 15th medium-term management plan, which began in April 2024, the bank aims to be a regional financial institution that develops together with its customers and the local community, and is trusted as their best partner, by deepening its business model of "visit frequency management" under the basic policy of "deepening customer-centricity," continuing to provide support that is close to its customers and the local community, and proactively working on new measures that take into account the external and internal environments and issues it recognizes.

In recent years, the threat of cyber attacks has become more serious day by day, and attacks targeting the bank have also increased. Fortunately, the bank had never been victimized, but as its business has diversified, the number of terminals connected to the Internet within the bank has increased, making the risk of attacks greater than before. As a financial institution that holds a large amount of personal information, the bank cannot tolerate any leakage of such information. Therefore, the implementation of drastic security measures was urgently needed.

FISC (Financial Information System Center), an external organization of the Financial Services Agency, has formulated security standards that financial institutions should follow, and in its guidelines, it recommends separating internal networks that use confidential information from networks that connect to external environments. The bank decided to consider responding to this guideline as part of its security measures, but Yoshikazu Watanabe, Board Director and head of the bank's systems department, said, "Because our bank started considering network separation late, we had many opportunities to hear about other banks that had already implemented it. Network separation can be broadly divided into physical separation and logical separation, but no matter which examples we looked at, we felt that they did not suit our bank's work environment."

The bank uses "NEXTBASE," a shared-use service for regional financial institutions, for its core system, and users exchange information among themselves. Isao Sato, manager of the Systems Planning Group in the Systems Department and in charge of information security, said, "What we learned from the interviews is that whether physical or logical separation is adopted, a decline in work efficiency is unavoidable. Even if we forcefully introduce it while prioritizing security measures, we are sure to receive complaints from the workplace and management about the reduced convenience, and we were struggling to come to a conclusion."

Physical separation requires separate terminals for different purposes, which means two terminals are required. This increases procurement costs and management efforts, and doubles the space required to place the terminals. In addition, using separate terminals reduces business efficiency.
"I've heard from other banks that they've received a lot of feedback from the field saying that it's difficult to use and they want something to be done about it. Also, USB memory sticks and other devices are used to transfer files between terminals, but if there is a virus on that memory stick, the infection will spread in an instant. This means that 100% security cannot be guaranteed," says Sato.

On the other hand, if you use a method of logical (virtual) separation within a single terminal, it is not as difficult to use as physical separation, but because not all business processes can be completed by screen transfer alone, the business flow will have to be changed. Also, if you build a system for a virtual environment such as VDI with logical separation, the system will become more complex.
"At another bank, I heard that major changes to procedures, such as needing a supervisor's approval every time a file was downloaded, caused confusion on the ground. Also, setting up a new server in an on-premise environment increases the operational burden," says Sato.

Network separation is possible without compromising usability; MKI's support system that is close to users is also highly rated

Shizuoka Chuo Bank has been considering network separation since 2020, and while gathering information, it received a proposal from a major system integrator regarding Menlo Security.
"We appreciated the fact that it allows network separation without impairing usability. We were also attracted by the fact that it is a cloud-based service, which helps keep costs down and makes operation easy," said Sato.

Furthermore, in the winter of 2020, he was contacted by chance by Menlo, who introduced him to Mitsui Knowledge Industry (MKI).
"As we spoke with the MKI staff, we got the sense that they were willing to work closely with us. In addition, the cost was also very advantageous. At the time, Menlo Security had little experience in being implemented by domestic financial institutions, so to be honest, we were a bit worried, but we appreciated MKI's support system and decided to adopt them," said Watanabe.

With support from MKI and Macnica, it was implemented in a short period of time and network separation was achieved without changing the system configuration or operation.

Shizuoka Chuo Bank conducted a PoC with the support of MKI and Macnica in February 2021 and decided to adopt it in April. They have completed the deployment to all branches. "MKI came up with a way to connect to Menlo Security without making much change to our existing system configuration. They also taught us the details of how to set it up, which allowed the work to proceed smoothly and quickly, and we were able to implement it in a short period of time. At the beginning of the implementation, there were some cases of slowing down in access to the Internet, but thanks to Menlo and MKI conducting an on-site investigation, we were able to identify the cause," said Sato. It has been four years since the bank introduced Menlo Security, and it has continued to operate stably to this day. In addition, there have been zero virus detections on the terminals where it was installed, and network isolation has been ensured.
"The operation is the same as before, so I don't think users are aware that Menlo Security is installed. When downloading a file, Menlo Security checks it, so there is a slight delay, but I think users have gotten used to it by now," said Watanabe. It has also been well received by administrators. Compared to physical and logical separation, the major advantage is its low cost and operational burden. The exceptions are sites used for special business purposes, such as sites that require a certificate to connect or sites that connect by registering a global IP address; for these, the bank has set up a bypass so that they are accessed without going through Menlo Security.

The management screen is easy to understand and it is easy to check the status. We are considering integrating email security in the future.

The Systems Department refers to the Menlo Security management screen every month to report to management, and says that it is easy to check the situation as it is visually easy to understand with graphs and other displays. "Security and usability tend to be in a contradictory relationship, where increasing one reduces the other, but I think Menlo Security makes it possible to achieve both at a fairly high level," said Sato. Looking ahead, they also plan to consider integrating email security and other aspects into Menlo Security, with the aim of further reducing costs and operational hassle.

User Profile

Shizuoka Central Bank Ltd.
Location: 4-76 Otemachi, Numazu City, Shizuoka Prefecture
Introduction date: April 2021
URL: https://www.shizuokachuo-bank.co.jp/
Founded in 1926 as Izu Mujin Co., Ltd., it converted into a commercial bank in 1989 and changed its name accordingly. Currently, it operates a total of 43 branches, mainly in Shizuoka Prefecture. Based on its management philosophy of "sound and healthy management," it strives to contribute to the revitalization of the local economy, grow together with the region, and increase its corporate value as a regional financial institution, aiming to gain the trust of its customers and the local community as their best partner.
