Standard Bank of South Africa was well-positioned to transition to work from home using Microsoft identity and access management

The cybersecurity team at Standard Bank of South Africa thrives on pioneering security work, and it has a primary objective of being always-on and always-secure, says Arshaad Smile, the bank’s Head of Office 365 and Cloud Security. In 2017, the bank, which is one of the top five banks in South Africa, advanced its security by adopting Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra and Microsoft Endpoint Manager for identity and device management. As a result, it’s become a security leader in the banking industry, and it has transitioned smoothly to remote work during the recent health crisis.

Established in 1862, Standard Bank is the largest banking group in Africa by assets, offering universal financial services across Sub-Saharan Africa. The bank employs more than 50,000 employees, operates across 20 countries on the African continent, and it has been listed on the Johannesburg Stock Exchange (JSE) since 1970.

The search for a comprehensive security and identity solution

Prior to 2017, Standard Bank relied extensively on perimeter security for the protection of data, with file shares and applications behind firewalls. The bank used several on-premises security controls such as intrusion detection systems (IDS), intrusion prevention systems (IPS), and antivirus software.

Standard Bank faced several challenges that led the organization to seek a modern security solution. Team members sought an identity and device management solution that would make it easier for the bank to securely support remote work and comply with the myriad of data regulations in the multiple countries in which it operates. They also required a solution that would improve the bank’s security posture, especially given the ease with which users could access services and share files with those outside the organization.

As the bank embarked on its cloud journey, SaaS services like Office 365 and Microsoft Power Platform, including Microsoft Power Apps, signaled a change in how employees used technology. They started to expect access from any device and from anywhere, which posed new challenges for the cybersecurity team.

“It meant that we were always looking to make sure that we can deliver these services in a secure manner,” says Smile.

A shared commitment to security

Implementing Microsoft 365 emerged as one of the best options to consolidate security and identity in one platform, support remote workers, bolster device security, and meet data regulations.

Standard Bank prioritized securing partner and customer identities, access, and devices. In 2017, Standard Bank moved to Microsoft 365 E3, which included Microsoft Intune, now part of Microsoft Endpoint Manager. It also implemented Azure AD, which enabled it to move users away from shadow IT, shared file storage, and other unsecured access. Instead, Microsoft 365 services gave employees the flexibility they wanted while providing security with the control it required.

“Azure AD and Microsoft Endpoint Manager brought a lot of capability with them, which meant that we could move away from the disparate solutions that we had and start leveraging capabilities that came with the product,” says Smile.

Implementing the myriad of features and services in an environment as complex as Standard Bank's was always going to be a daunting task. Microsoft supported Standard Bank's security team by providing expertise and direct access to Product Engineering via the "Get to Production" team, which helped with detailed implementation and architectural guidance. Besides adapting features to meet the bank’s specific requirements, the team also helped onboard the bank’s other security vendors onto features like Azure AD single sign-on.

“The investment that Microsoft makes in security certainly shows,” says Smile. “Standard Bank would raise feature requests, and Microsoft would respond accordingly as per requirements. Microsoft has provided us with the tools and capabilities to be successful in achieving our security goals. We had phenomenal support directly from the various product owners.”

In return, the bank has shared valuable feedback with Microsoft and helped improve products by participating in private previews and testing new functionality before release.

Securing a remote workforce with a Zero Trust strategy

As part of adopting the Microsoft solution, the bank embraced the Zero Trust security model, which advocates adaptive controls and continuous verification to prevent and respond to threats more quickly and efficiently. Standard Bank's early implementation of Microsoft 365 security capabilities has resulted in a Microsoft Secure Score of 82 percent, which is 43 percent higher than similar organizations’ average, and the highest score possible under its current license.

This solution has also helped the bank consolidate licensing costs, invite people outside the company to collaborate securely by enforcing adaptive policies through Azure AD Conditional Access, and offer highly secure access to email on mobile devices.

“Our main driver for using Microsoft Intune is to provide access to Microsoft 365 services from any device in a way that provides assurance that the security requirements, policy governance, and regulatory requirements are all met,” explains Smile. “Enrolling devices with Intune enables the bank to evaluate devices against the bank’s compliance policies and set authentication and access controls based on a device’s compliance state.”

Smooth transition to work from home

Microsoft 365 and Azure AD adoption have paid dividends as the country moved into a lockdown and employees were forced to work from home. Microsoft 365 allowed the bank to scale services rapidly and support its employees working from home.

Now, approximately 100,000 employee devices, including 60,000 Windows devices, are registered with Microsoft Intune so users can gain access to Microsoft applications, like OneDrive for Business, Microsoft Teams, and other business applications securely from their Windows and mobile devices. Mobile access management prevents users from cutting, copying, pasting, or saving to the local device, preventing data leaks. PIN and fingerprint functionality lets users access apps from mobile and macOS devices. Users can also unlock and reset their passwords using self-service password reset, reducing demand on the internal service desk.

“With Microsoft 365, every employee could have email access on their mobile device, regardless of role,” says Smile. “Suddenly, remote access became a high priority and something that everyone wanted, because Microsoft 365 enabled secure access to data from any device and from any location. The Zero Trust model has been pivotal to achieve the desired configuration for users, and Conditional Access has helped enable it.”

Azure AD Application Proxy has proven to be another of the bank’s most valued capabilities, allowing users to more securely access more than 150 of the most commonly accessed on-premises web applications from outside the corporate network. As a result, the bank has markedly fewer VPN users compared to other similarly sized financial institutions.

When employees were required to work from home, the bank quickly switched from an on-premises Configuration Manager environment to co-management of Intune-registered devices integrated with Conditional Access. With the integration of Configuration Manager and Intune, the bank can patch Windows-based devices via the internet, which became a priority since users were no longer connecting to the bank’s internal network every day.

“We enabled co-management with the assistance of Microsoft,” concludes Smile. “Azure AD and Microsoft Intune helped the bank to become remote-enabled, and reduce the risk of unpatched devices connecting to the corporate network.”

Find out more about Standard Bank of South Africa on Facebook, Twitter, YouTube, and LinkedIn.