INDUSTRY: Financial Services
BUSINESS: Arval, a BNP Paribas subsidiary, provides vehicle fleet financing and long-term contract hire. It represents one of BNP Paribas' six business units.
SCOPE: 30+ countries
SIZE: 5,500 employees and manages around 3,000 servers in its highly-distributed computing environment.
BUSINESS CHALLENGE: Migrate vulnerability analysis from manual processes to automated and seamless processes that support its ITIL best practices framework, as well as maintain regulatory compliance.
OPERATIONAL CHALLENGE: With limited resources and tight budgets, plus rising regulatory constraints, Arval's security managers needed to accomplish more by putting an automated, effective vulnerability management program in place.
Founded in 1989, Arval operates its operational leasing and fleet management services throughout most of Europe. In its efforts to reduce security risks, Arval faces two ongoing challenges: the company’s IT teams and security managers must do more with tight resources, while also complying with increasingly stringent regulatory compliance demands. Arval needs to maintain high levels of security, and always be ready to demonstrate a healthy security posture. Its parent company, BNP Paribas group, audits Arval’s IT practices three times every year.
Arval’s challenges are not uncommon. To face its ever increasing IT obligations, the company has adopted the ITIL® (Information Technology Infrastructure Library) best practices process and the information security management ISO 27001 systems to streamline its operations. Arval also has successfully automated entire functions of its IT security efforts, including patch deployment, antivirus signature updates, and network monitoring. But there was an additional, yet vital, function it still needed to streamline: vulnerability analysis. “We audit certain subsidiaries twice a year. We check for full compliance with the security policy, of which vulnerability analysis is just one aspect,” says Jean-Marc Lecoint, Arval’s Corporate Information Security Officer.
While this helped to reduce some levels of risk, the benefits were transient. Arval needed repeatable, enforceable, and verifiable processes in place. “It may enable us to correct problems for the time being, but what we are interested in is a long-term guarantee. That cannot be achieved by simply correcting a vulnerability; we need to follow a process,” says Lecoint.
Why Arval chose Qualys:
The challenge for Lecoint and his security team lay in achieving higher levels of security and regulatory compliance despite shrinking IT management resources; thus, optimization was essential. “Security tends to work on a reduced rather than a constant budget. That was what it was like for me: they would take away two of my resources while asking me to deliver an even better service than the year before,” says Lecoint.
Security manpower at Arval is tight. In fact, just one employee spends about half of their time on vulnerability analyses and compiling associated reports, in addition to tracking other security indicators. "The only way to make headway under such conditions is to earmark human expertise for analysis tasks and not for repetitive manual tasks," says Lecoint. He knew that choosing the right vulnerability management and compliance tool would be essential if that goal was to be achieved.
Not only would the solution have to be capable of accurately identifying vulnerabilities, but also able to feather tightly within its ITIL management practices while requiring as little manual labor as possible.
To find the best system, Arval conducted trials of three vulnerability management solutions for nearly a year. For a number of reasons, following the evaluation, Arval selected Qualys. Qualys Enterprise is designed for large, distributed networks, and supports an unlimited number of device assessments. Delivered as an on demand service over the Web, Qualys Enterprise makes deploying, maintaining, and updating vulnerability management servers and software all problems of the past. Arval now relies continuously on Qualys to assess the security of both its internal and externally-facing infrastructure. Most important, Qualys scales to meet Arval’s demand. “We are currently deploying one subsidiary overseas every month, so we need a solution that can keep up with our expansion,” says Lecoint.
In addition to the quality and insight provided by Qualys’ reports, Qualys excelled with its highly-attentive customer service and technical support. “We place a lot of importance on this criterion. We were on the lookout for a true technical player active in the international arena and capable of deploying staff to Germany or Spain within 48 hours,” says Lecoint. “Thanks to Qualys’ software as a service model, and compared to others—meaning for the purchase price of a simple application—we are benefiting from the solution, maintenance, service, and easy implementation inherent in the model, as well as the minimal management. This enables us to focus on troubleshooting. My teams are no longer tied up writing down a number of problems, but actually tackling the underlying causes,” says Lecoint.
The ability to accurately identify vulnerabilities was just the beginning for Arval. The company’s remediation processes needed to be incorporated throughout its existing IT management and change control processes. “The strength of the Qualys solution lies in its indicators, enabling us to deal with the entire vulnerability management chain and deliver the product to the appropriate decision-makers according to their [unique] requirements,” says Lecoint. An important part of those efforts is Qualys’ ability to help Arval discover and manage all of its networked devices — desktops, servers, routers, etc. — that can be utilized to build custom reports that are useful throughout all levels of administrators and business leaders.
“Thanks to Qualys’ software as a service model, we are benefiting from the solution, maintenance, service, and easy implementation inherent in the model, as well as minimal management.”
"Why should vulnerabilities only be dealt with by the IS department? For example, business managers are also affected, but they do not speak IS language, they only talk about risks and costs," says Lecoint.
Qualys’ reporting features also have enabled Arval to continuously monitor its internal auditing and compliance efforts. “It has allowed us to go and see the Permanent Audit Unit [a group entity in charge of internal audits] and ask for the Fundamental Tracking Points (FTP) that they want to check in our subsidiary. The Qualys solution then lets us send them the points on a regular basis, as part of a proactive approach,” says Lecoint.
Qualys supports Arval’s ITIL change management and best practices to deliver its IT services. “The CAB (Change Advisory Board) will validate the change requests for the resolution of incidents, by taking into account the potential impacts,” says Lecoint.
From network discovery to vulnerability identification through verified remediation, Qualys provided the structured, measurable, and demonstrable vulnerability and regulatory compliance risk management automation that Arval sought.