After migrating to Azure and adopting Dynamics 365 to modernize its operations, the Dominican Republic's Superintendency of Banks seeks to make life easier for users by implementing a Zero Trust identity architecture that replaces the perimeter-based one, protecting applications and services with the cloud proxy. It also implemented Defender for Endpoint for attending to and managing vulnerabilities, and Endpoint Manager for app controls.
The Superintendency of Banks is the entity in charge of supervising the financial sector in the Dominican Republic. Until 2021, this institution had no cloud services.
As for many public bodies, migrating to the cloud was challenging, but the Superintendency was an exceptional case. "We are cloud enthusiasts and, as supervisors, we are aware that when cybersecurity best practices are taken into account, it substantially improves the risk position of institutions," says James Pichardo, CISO of the Superintendency of Banks of the Dominican Republic.
In 2020, the Superintendency chose to adopt modern management with Intune, along with mobile device management and data protection. After a good first experience, in 2021, it decided to take its infrastructure to the highest level. "In two years, we identified everything Microsoft could offer us and began developing initiatives aimed at resolving issues," summarizes Juan Daniel Pujols, Deputy Director of Cybersecurity of the Superintendency of Banks of the Dominican Republic.
A cybersecurity plan based on three strategies
- Efficient security: Through passwordless authentication and multi-factor authentication.
- Data protection: A process that seeks to create all the conditions so that users can tag documents and emails.
- Analytics: To be able to proactively resolve issues, not only for security and information, but also for the user experience.
Implementation
At the start of the project, a pilot group of 50 users was created. Each user was supplied with different Windows Hello for Business devices and started by learning how to use fingerprints and PINs. From there, configurations for mobile devices were generated.
After nine months of the pilot project, the Superintendency considered replicating its cybersecurity project in five phases of instruction for 700 users. "Users were emailed explaining how it works, what the authentication methods are, and when IT would integrate the mobile device into their Microsoft account," Pujols explains.
All roads lead to Zero Trust
Today's financial institutions need a new security model that effectively adapts to the complexity of the modern environment, spans the hybrid workplace, and protects people, devices, applications, and data, wherever they may be. That's why for the Superintendency, all paths led to the implementation of a Zero Trust security project. In this regard, Pichardo highlights: "We saw that we had to take an evolutionary step towards a digital wellness reality where the user sees security as an ally that makes life easier and not an impediment."
The overall Zero Trust scheme is not based solely on passwords to log into Windows; it is a server for all internal network resources. For example, if a non-Windows operating system is accessed and behind it is a firewall, the Superintendency will use the Zero Trust architecture to give administrators access behind the firewall. The network, applications, and information are all controlled by the entire Microsoft Zero Trust framework. "No matter which device, data, or region of the network, this centralized policy server is designed to assess user posture and whether it meets access requirements."
Be a current and future benchmark
The regulatory entity seeks to fully consolidate itself as a body with passwordless authentication. "We want to become fully passwordless in all applications, that is, remove the password from the GPO and remove them from the domain," Pujols says of the Superintendency's aspirations going forward.
In addition to considering Microsoft as a governance structure for cybersecurity metrics, the Superintendency implemented technical best practices in modern management and passwordless authentication.
It has also developed ProUsuario Digital, its central business application that addresses the inquiries, complaints, and claims submitted by users of financial institutions and other bodies regulated by the Superintendency of Banks. To build it and other internal applications, it was necessary for developer teams to connect to Microsoft's management system.
These efforts support the vision of the supervisory body, which is to be an exemplary government institution in the Dominican Republic. "We seek to become a Zero Trust success story from start to finish that serves as a reference for all other banking entities," concludes Pichardo.