“We adopted EAA for remote work before COVID-19. In that sense, honestly, having EAA saved us. Without EAA, we might not have been able to do business.”
Kazuhito Ozawa, Senior Cyber Security Specialist, Corporate IT Business Unit
The bank's cyber security efforts
PayPay Bank Corporation (formerly Japan Net Bank, Ltd.) is the first Internet-only bank in Japan, and has been engaged in settlement, deposit, and loan operations over the Internet for 20 years. Since opening in 2000, the bank has pursued its mission to “make financial services as familiar as breathing” and has committed to providing financial services that are easy to use. To support this mission, the bank changed its name from Japan Net Bank, Ltd. to PayPay Bank Corporation in 2021 to accelerate the transition to cashless payments.
Within the organization, the Cyber Security Office protects customer assets from cyber attacks. “Specifically, our duties cover company financial services and all security measures. The Security Operation Center (SOC) gathers, monitors, and analyzes traffic logs, and is responsible for banking system and Internet banking security measures, system risk assessment of services each business unit requests, and security checks on outsourcing,” explains Masanobu Fujikawa, head of the Cyber Security Office within the bank’s Corporate IT Business Unit.
Challenges in enabling remote access
The bank had been working on building a remote application access system for a number of years, streamlining its business operations by allowing employees remote access to corporate applications and strengthening its Business Continuity Plan (BCP).
A breakthrough came in 2016. “We established a remote access project team to explore BCP and operational efficiency and introduced a remote access tool in 2017. However, the tool only lets us send and receive emails and explore some documents. We thought it would be better to have full remote desktop access to improve our operational efficiency,” says Kazuhito Ozawa, Senior Cyber Security Specialist in the Corporate IT Business Unit.
In April 2019, the Human Resources Department started to promote remote working for employees. With this working practice reform and the upcoming Tokyo 2020 Olympic Games, which would increase remote working across all of Tokyo, the Human Resources Department wanted to accelerate the remote access project.
Eliminating network level outside-to-inside access
The first thing the Cyber Security Office looked into was creating a VPN tunnel that would enable remote desktop access. However, as Mr. Fujikawa explains, “A VPN would require us to permit outside-to-inside access through our firewall. That raised the risk of infiltration by attackers, so we wanted to avoid VPNs given our need for high security. A VPN also required us to build a separate authentication platform, and the cost of building a new authentication platform would have been a burden.”
Instead of VPN, they started to evaluate Akamai Enterprise Application Access (EAA) as a Zero Trust Network Access (ZTNA) solution. The bank had already been using other Akamai solutions, and learned about EAA through their Akamai account team. The bank initially evaluated EAA and two other remote access products, and eventually conducted a proof-of-concept (POC) with EAA and another product.
Mr. Ozawa explains their reasons for selecting EAA based on the POC. “We needed to ensure that employees only had access to specific applications they needed for their role, and EAA allowed us to easily do that. All we had to do was to deploy a virtual machine connector inside our network which communicates directly between our applications and the EAA servers on the Akamai platform. The connector also integrates with our Identity Provider (IDP), which allows us to grant access to specific applications based on user or group identity. In addition, we can limit access by region, source IP address and so on. This eliminates the need for network level access through a VPN.”
EAA’s logs are integrated with the bank’s SIEM to provide insights into application usage. “We gather logs about who logged in, when and for how long and send the data to HR. That helps the company better manage its workforce by checking overtime work, understanding working patterns and trends, and so on,” says Mr. Fujikawa. EAA also provides precise controls to prevent unauthorized access. “EAA can restrict access by region, source IP, etc. With VPN, having control at this level is difficult, so I’m glad we adopted EAA.”
Plans for SaaS authentication
The bank is currently using EAA for remote desktop access. “For now, our application servers are located on premise, and EAA enables secure access to these from the outside,” Mr. Ozawa states, describing a desire to work with SaaS applications in the future. “We think Zero Trust security is going to be necessary as our SaaS and IaaS usage grows. EAA will become more active at that point,” concludes Mr. Ozawa.
EAA supporting remote work during COVID-19
A year after the bank’s full adoption of EAA, remote work became a critical component of business due to the COVID-19 pandemic. When the Japanese government declared a national emergency, the bank already had EAA in active use and so was able to quickly adapt to this new working environment.
According to Mr. Ozawa, “We adopted EAA for remote work before COVID-19. In that sense, honestly, having EAA saved us. Without EAA, we might not have been able to do business.”
About PayPay Bank Corporation
PayPay Bank is Japan’s first dedicated Internet bank, established in 2000 as an online banking pioneer. The bank is engaged in settlement, savings, and loan services for individuals, corporations, and sole proprietorships. It has pioneered numerous services and initiatives, as the first to offer these within Japan and among all banks. The bank is a Sumitomo Mitsui Banking Corporation and Z Holdings group company, and changed its name from Japan Net Bank, Ltd. to PayPay Bank, Ltd. on April 5, 2021. While taking advantage of strengths cultivated over the past 20 years, the bank plans to further strengthen ties with the Z Holdings Group and aims to become even more accessible and convenient.