Cloud Platform
Cloud Platform Apps
Contact us
Try it

See Resources

INDUSTRY: Consulting / Services

BUSINESS: Arval, a BNP Paribas subsidiary, provides vehicle fleet financing and long-term contract hire.

SCOPE: 8 sales subsidiaries: Milan Assago, Milan Cinisello, Brescia, Verona, Treviso, Bologna, Ancona, Bari, Florence, Rome Eur, Rome Tiburtina, Turin

SIZE: 750 employees. 110,000 vehicles managed.

BUSINESS CHALLENGE: Migrate vulnerability analysis from manual processes to automated and seamless processes, and maintain regulatory compliance.

OPERATIONAL CHALLENGE: With limited resources and tight budgets, Arval’s security managers needed to accomplish more by putting an automated, effective vulnerability management program in place.

Qualys Enterprise


  • High-performance, automated vulnerability analyses.
  • Comprehensive reports that intelligently inform management, operations, and internal auditors.
  • Qualys’ international reach, and the availability and competence of technical support teams.
  • Discovery and management of all networked assets.
  • Ease of deployment, implementation, and automated management capabilities.
Envelope Print

Arval Service Lease Italy Automates Risk and Compliance Management

Despite limited IT resources, Arval managed to dramatically improve how it reduces risk and manages regulatory compliance.
Arval home page

Whether you’re a small business or a large corporation, budgets are growing tight. And while IT investments still need to be made, they must be cost effective with proven efficiencies. Arval Holdings, Ltd., founded in 1989 and Europe’s leading fleet management company, is no different. Its parent company, the $37 billion banking giant BNP Paribas, falls under the jurisdiction of many international laws, regulations, and European directives, so maintaining regulatory compliance for all of its subsidiaries is vital. As part of those efforts, BNP Paribas periodically audits Arval’s IT practices.

“Qualys is a completely independent, automated platform. I can schedule regular scans on our internal and external networks. Not only is it very accurate, but it doesn’t disrupt our network operations. We’ve never had any performance issues from running Qualys.”

Fabio De Maron,
Senior Manager, Information System Security Officer, Arval Service Lease Italy

Fabio De Maron

It’s no surprise then that Arval must maintain an extremely high level of security and always be ready to demonstrate a healthy risk posture. In its effort to reduce security risks, the company faces two challenges: its IT teams and security managers must do more with tight resources and it must comply with increasingly stringent regulatory compliance demands.

To improve effectiveness, several years ago, Arval’s main security group successfully automated entire functions of its IT security, including patch deployment, antivirus signature updates, network monitoring, and vulnerability analysis. While this helped reduce many layers of risk, the benefits were not sustainable. What Arval then sought was repeatable, enforceable, and verifiable vulnerability and risk management processes. In that way, instead of periodically improving security following ad-hoc vulnerability assessments, Arval’s vulnerabilities would be mitigated continuously throughout the company.

Fabio De Maron leads the security efforts for one of those groups, Arval Service Lease Italy. Founded in Florence in 1995, with 750 employees, twelve sales offices, and 110,000 managed vehicles, Arval Service Lease Italy has grown to become the most relevant long-term leasing and fleet management company in Italy. The challenge for De Maron is that his IT team comprises only himself and two other engineers. “It’s a small but effective team, and there’s no time to waste,” says De Maron.

Arval Service Lease Italy: Mitigating Risk

To help Arval Italy put in place streamlined and repeatable vulnerability assessments across its 180 primarily Windows-based servers, Arval’s central corporate security group provided De Maron the Qualys Security and Compliance Suite – the leading vulnerability assessment appliance from Qualys, Inc. “At first, I wasn’t sure how useful Qualys would be,” says De Maron. “There are plenty of technologies that don’t work anywhere near as well as promised,” he says.

His skepticism quickly shifted to optimism: “In a short time I learned just how powerful the Qualys service would be.” De Maron explains just how simple Qualys was to set up, with only a few parameters to customize: “We were ready to go very quickly. We targeted a section of our network for an assessment, and we received reliable results right from the beginning.”

For De Maron, understanding his overall security posture and regulatory compliance status previously had been time consuming and costly to implement. However, the Qualys Security and Compliance Suite removed many of the network auditing, vulnerability management, and policy compliance inefficiencies that were wasting De Maron’s time.

Qualys automated the process of vulnerability management and policy compliance for Arval Italy’s small IT team: rapid network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking. Policy compliance features enable De Maron to audit, enforce, and document compliance with internal security policies and regulations.

“Within a month, I learned how useful Qualys truly is,” says De Maron. “Not just the results, but a real Swiss Army knife of tools to get a job done that previously was complex, difficult, and expensive.” Prior to the Qualys deployment, Arval Italy would have to contract security consultants to help De Maron perform most of its vulnerability assessments. That meant budget had to be opened and time scheduled for each and every assessment, something that’s not ideal in today’s environment of fast-moving threats. “Now with Qualys, we’re able to do these assessments ourselves,” he says.

Perhaps more important: these assessments are more accurate and less disruptive to Arval’s network.

“Qualys is a completely independent, automated platform. I can schedule regular scans on our internal and external networks,” he explains. Yet, automation alone isn’t enough, as any vulnerability assessment solution would be useless if it failed to identify security gaps correctly. “Not only is it very accurate, but it doesn’t disrupt our network operations. We’ve never had any performance issues from running Qualys.”

While that kind of performance is rare – as many vulnerability scanners are notorious for dragging down network traffic and systems – it’s the convenience and security that’s proven the most beneficial to De Maron.

That flexibility, accuracy, and automation saves time and improves security. And so does the fact that Qualys maintains and supports Qualys with thousands of the most recent security checks. Also, all of that new vulnerability and security data is updated automatically. “Whether it’s new vulnerability data, or enhancements to their software, the system is updated continuously by Qualys. I’m just as impressed by the technology as I am in how much easier it’s made our job of managing security,” says De Maron.