Merchant Bank of Sri Lanka & Finance PLC (MBSL) is one of the country’s leading financial service providers. MBSL is listed on the Colombo Stock Exchange and is a finance company licensed by the Central Bank of Sri Lanka (CBSL). As one of the most stable finance companies in the country, with more than 40 branches across the island and customers with diverse financial needs, ensuring maximum security and compliance is a top priority.
The Head of IT at MBSL, Chamara Withanachchi, explained that the IBM i is the core banking system at the organization and functions as the heart of the MBSL network. This powerful operating system is one of the most secure systems available. “It’s designed in such a way that every object is protected with multiple security mechanisms,” Withanachchi said. “However, you cannot depend on default configurations. Additional controls are necessary to mitigate the risk of an internal security breach caused by a powerful user or administrator.”
Implementing Multiple Layers of Defense
Withanachchi knew he wanted to take a multi-layered approach to cybersecurity—a strategy that utilizes multiple controls to protect IT resources. Because multiple layers of security are implemented, no gaps are left exposed at MBSL. Taking this approach also helps the bank comply with the Baseline Security Standard and Regulatory Framework on Technology Risk Management and Resilience for Licensed Finance Companies issued by the Central Bank Sri Lanka (CBSL), which are the mandatory requirements that apply to all financial organizations in Sri Lanka.
To get started, Withanachchi partnered with HelpSystems, a trusted vendor he had worked with in previous roles at other organizations. “My experience with HelpSystems was a major factor. When you’re selecting a vendor, you have to see whether they’re a real IBM i vendor or whether they’re just trying to look the part. HelpSystems has been in the IBM i space for a long time—that’s one reason,” Withanachchi said of his decision to work with HelpSystems. “The support I got with product implementation in my past roles—that’s the other reason.”
Prioritizing Critical Solutions
Withanachchi and the IT team have implemented multiple Powertech software solutions over 5 years, starting with the highest priority items and working in stages to achieve compliance with CBSL’s requirements.
Virus and malware protection is required by both CBSL regulation and ISO 27001, so investing in Powertech Antivirus was an easy decision. But compliance isn’t the only reason. “Everyone thinks AS/400 or IBM i is not vulnerable to viruses,” Withanachchi said. “But that’s not true because IBM i has a file system called the IFS (integrated file system). Viruses can stay there without any activation, but when you access the IFS from a Windows environment, your Windows environment can get infected with the virus. So, to prevent that, we’ve implemented Powertech Antivirus in our production servers.”
MBSL also needed greater control and visibility into which users are accessing, downloading, and uploading data. “Let’s say an operator is accessing the servers through FTP. The system will validate by user name and password, but there’s no validation to say a particular user can access FTP and another user cannot. There’s no control unless you have a proper tool implemented on IBM i,” Withanachchi said. “We basically wanted to control who can download data, who can read data through FTP, or who can run an FTP command. We wanted to monitor who’s doing what.”
Powertech Exit Point Manager for IBM i delivers exactly the level of control and flexibility Withanachchi was looking for. His team uses this solution to control access to IBM i and they’ve configured dashboards through HelpSystems Insite to see what’s happening across the network. If users are trying to download critical data, the compliance team receives an alert.
Audit Reporting: From Four Days of Work to a Few Clicks
In a highly regulated industry like finance, implementing cybersecurity controls is only the first step. MBSL also needs to prove to auditors that all compliance requirements are met. Withanachchi chose to implement Powertech Compliance Monitor for IBM i because it’s so easy for interested parties outside the IT department, such as Audit and Compliance department users, to generate their own reports. “IBM i has journals and audit logs built into the OS, but it’s very hard for an operator without IBM i skills to filter the records they need,” Withanachchi said. “Before Compliance Monitor, generating reports for our audit department took 3-4 days. Now we don’t even need a day; we just click a few buttons.”
Managing Access to Sensitive Data
Powerful users with unrestricted and unmonitored access to sensitive data are a concern on any system, but locking down access too tightly can hurt productivity. Powertech Authority Broker for IBM i helps Withanachchi strike the right balance between security and efficiency. “Users with a high access level are a security risk. You don’t know when they’re going to expose your system or exploit some vulnerability. To manage that, we don’t have any super users. They’re all diverted to Authority Broker,” Withanachchi said. “With Authority Broker, the user gets the access they need and every screen is recorded. We have an entire audit trail in graphical mode and the reports are emailed to the compliance department.”
A solution MBSL uses heavily is Powertech Database Monitor for IBM i. “It’s a great tool in terms of data security,” said Withanachchi. “The compliance department can easily see who’s reading data and who’s made changes to particular transactions—all in real time.” Use of Database Monitor will soon be expanding across the organization, with the compliance team, auditors, and the risk team all leveraging the solution to improve their KPIs.
Cutting Password Reset Time in Half
With the highest priority security controls in place, Withanachchi turned his attention to a repetitive task overloading the IT team: password resets. His team found that a single IBM i password reset process could take an operator 10-20 minutes. “If the operator gets distracted, the user might need to call multiple times and open multiple support tickets for one reset,” said Withanachchi. To reduce those instances and improve the user experience, MBSL implemented Powertech Password Self Help for IBM i. “It saves our administrators time so that they can focus on more meaningful tasks, not user support. A reset now takes half the time it did before Password Self Help.”
This solution has been particularly valuable now that much of the team is working remotely. “Administrators are busy and it’s harder for users to contact them from home. When you give users self-reset capability, they will use that rather than calling the help desk,” said Withanachchi.
Better Security Delivers Peace of Mind
Now that Withanachchi has overseen the implementation of multiple Powertech solutions, he finds it easy to identify the greatest benefit. “In simple terms, I can sleep better,” he said. “In technical terms, we’ve achieved our goal of meeting compliance requirements and closing security gaps. We have peace of mind now because we have multiple layers of security protecting the systems we rely on.”
Achieved regulatory compliance by implementing key security controls
Reduced audit reporting time from days to minutes
Cut password reset time in half