2019 EDITION
BUILDING A CYBER-RESILIENT ECOSYSTEM: a major 21st century challenge
IT OUTSOURCING: Standards as vectors of trust
DEVSECOPS: Added Security
CASE STUDIES: Banque de Patrimoines Privés, LuxTrust
EDITORIAL
Yves Reding, CEO - EBRC
Photo credit: EBRC

ABOVE ALL, DIGITAL NEEDS TRUST.

Increasing complexity, exponential digitisation, unbridled globalisation, acceleration and automation of exchanges that are now taking place in dimensions beyond the reach of human beings, human civilization is moving at a dizzying speed towards its possible future(s). Forced digitisation makes it possible to better cope with complexity but also generates more uncertainty and drastically reduces decision-making time. In this continuous, particularly turbulent digital torrent, much like a kayaker, we must be ready, physically and mentally, at all times, to anticipate, prevent, detect, confront and avoid the obstacles in the river, as well as expected and unexpected events, ward off threats, be resilient and at the same time surf the wave, accelerate, take advantage of the flow and opportunities, rebound, recover, jump into the flow again, in order to achieve our ambitious goals and those of our company, our organisation, our team.

Our ambition is to accompany our clients in the digital torrent: to give them confidence and show our trustworthiness, offering them both agility and security. The essence of Cyber-Resilience by EBRC, our Trusted Services Europe, comprises trusted services, Tier IV data centre services, certified and hybrid sovereign cloud services, support for IT operations all the way up to DevOps, support services provided by our Trusted Advisors. In our increasingly complex and uncertain world, building a trusted digital ecosystem is key.

Only together will we be able to build the trusted digital ecosystem that we all need throughout the digital Europe. Our future is being built today, together. Enjoy reading!

KEY FIGURES
• 50% reduction of the carbon footprint of EBRC clients, thanks to the innovative “Green IT” programme
• +400 clients entrust EBRC with the partial or full management of their ICT and their security
• +33% growth since 2015
• 10 data centres locations in Europe: England, France, Switzerland, Germany, Luxembourg
• 3 Tier IV certified data centres (Uptime Institute)
• +70 Awards & Certifications
• 100% data centres availability since 2000
• 100% green energy supply
• 4X Best WorkPlace since 2014
• €76.4M of turnover in 2018
• 40 FinTech clients
• +200 employees
TABLE OF CONTENTS

TRENDS
— Which innovation(s) to meet the socio-economic challenges facing our society?
— Building a cyber-resilient ecosystem: a major 21st century challenge

SOLUTIONS
— IT Outsourcing: standards as vectors of trust
— Hybrid Cloud, DevOps, Object Storage: boost your transformation
— DevSecOps: added security
— Trusted Advisory Services, the path to resilience

CASE STUDIES
— Banque de Patrimoines Privés certified ISO 22301, a first in Luxembourg
— The combination of security and trust at the center of LuxTrust strategy

TESTIMONIALS
— Video: our clients testimonials

PARTNERS PROGRAMME
— “Powered by EBRC”: Boosting client development and business hybridisation
— “Powered by EBRC” member companies

NEWS
— EBRC and Wallix Group join forces to strengthen the protection of critical assets in Europe
— Out of Band Management, the ultimate Cyber-Resilience within a data centre
Publisher: EBRC, 5 rue Eugène Ruppert, L-2453 Luxembourg / Phone: +352 26 06 1 / marketing.support@ebrc.com / Printed in November 2019 with 1,500 printed copies issued — Graphic realisation: Nicolas Bœuf / Farvest Group — Cover: Mikado — Editorial management: Jean-François Hugon, EBRC / Alexandre Keilmann, Farvest Group
TRENDS

WHICH INNOVATION(S) TO MEET THE SOCIO-ECONOMIC CHALLENGES FACING OUR SOCIETY?

Author: Alexandre Keilmann
Marc Giget, President of the Club de Paris des Directeurs de l’Innovation | New innovation strategies 2018-2020

On 28 March 2019, Marc Giget, President of the Club de Paris des Directeurs de l’Innovation, travelled to Esch-Belval to lecture at the first edition of WOOP (World of Opportunities) in Luxembourg at the initiative of InTech and sponsored by EBRC. Prior to his speech to a packed audience, he answered the questions of Jean-François Hugon, EBRC Head of Marketing. Here is a look at the discussion focused on the major current socio-economic challenges, including the aims of innovation and the impact of digitisation.

The Club de Paris des Directeurs de l’Innovation, which brings together around one hundred global groups including many leaders in their respective fields, recently published the outcomes of its study entitled “New innovation strategies 2018-2020”. As its name suggests, it is based on an analysis of these international groups’ strategies and their perception of the challenges with which humanity must now contend.

JFH: Based on this recent study, what major socio-economic trends will our societies face? Could future crises emerge from future changes and imbalances they could create?

MG: Above all, we are witnessing a significant increase, even an explosion, in the world’s population. It is lower than expected in China and India, but Africa continues its strong development, leading to a redistribution of the world’s
population. Europe, for its part, will soon only account for 8% of the world’s population. Furthermore, this increase is accompanied by a concentration in cities, where 65% of the population can be found which further account for 60% of the GDP (according to McKinsey, the 600 largest cities create 60% of global GDP). In addition to these demographic changes and an ageing population, we should also mention the global warming, the ecological transition, and the fact that analyses show that purchasing power is not increasing, and has not increased for several years. This downward trend toward stagnation is a major challenge for companies which tend to turn to the high-end, the premium segment, when it would be more appropriate to offer cheaper products and services.

With a significant economic risk and the announced return of a major crisis, with a gigantic global debt (320% of global GDP), interest-free loans, significant speculation and the emergence of cryptocurrencies... I wonder whether we are now better equipped to deal with a potential economic crisis. Then there are also the open conflicts, in Europe and beyond, and the uncertainties associated with Brexit and the idea that other countries could emulate the United Kingdom, with the fear of a three-tier Europe, but also the rise of protectionism, particularly in the United States, which inevitably reduces trade while driving up the prices of certain goods.

JFH: What findings have you made regarding the evolution of cyber-threats?

MG: This increasingly sophisticated cyber-threat will continue to grow in the next 3 to 4 years, with a serious advantage given to hackers in the current context. The Paris Club and its members are working to understand this changing world, with the aim of exchanging best practices in order to deal with these risky situations. The fact that the situation is deteriorating should not be ignored. Awareness is needed. We will then have to regroup to put the pieces back together because, as History has shown before, the solution will not fall into our laps!

JFH: How do you interpret this digital transformation of our environment? Are we facing a major disruption?

MG: I do not believe that it is a disruption, but rather a digital transition. I would also like to make a distinction between “megatrend” and “transition”: in the first case, we observe the world and see it change. In the second case, we decide to act and manage that change. Therefore, it is more appropriate to speak of a digital transition rather than a disruption. We are creating a virtual world, but it is not a Copernican revolution like the invention of the telephone, the printing press or the advent of aviation. It is also necessary to clarify the term “disruption” which is too often overused and misused both
in French and English. In French, it means a “cut” or “break”, while in English it refers to an “ordinary destabilisation”. Technological developments do not create a social disruption. People continue to use cameras, whether they are analogue or digital, Amazon performs mass distribution; there are many telling examples. We are currently witnessing a rationalisation of existing systems, although it is not profoundly changing our civilisation. We are therefore in a period of sustained stagnation. I believe that the digital transition which we speak of today is simply a technological illusion!

JFH: Marketing feeds on buzzwords, of which artificial intelligence is one. Do you believe that it is a promising technology? If so, what might it achieve?

MG: AI? A myth, pure and simple! It is in no way comparable to human intelligence, emotion and empathy. This wave of digitisation would bring few innovations and would only barely impact productivity, which is a far cry from a supposed Renaissance: digital becomes a simple and commonplace convenience.

JFH: With regard to innovation, you often make reference to the Renaissance, a period in History that saw the development of many innovative methods and techniques, the appearance of patents, the birth of “capital ventures”, the invention of design and R&D. Why is that period so representative of innovation? How do you consider it different to our times?

MG: The Renaissance was a true humanist revolution. It is during that time that the four stated objectives of innovation were described: to improve the human condition, to harmonise relations between people, to create the ideal city and finally to improve our relationship with nature. These principles have remained unchanged and are still the basis for innovation today. Technology is changing, of course, but philosophy is not. Let us therefore return to these uniting values that are based on this “foundation of truth”. For example, scientific innovation, while often discreet, advances and accumulates knowledge. It results in the development of new technologies, which do not create a disruption, nor a break, but transform old technologies. As the American economist Joseph Schumpeter observed during his years of research, destruction often occurs before creation, creating social movements and causing people to fear a lack of information. Today, this destruction occurs faster and is much more violent, while creation takes longer than initially expected, creating a significant delay. I therefore invite leaders and entrepreneurs to train their employees and share their visions while organising the transition from one state to another. They have a key role to play with regard to preparing for the future. In France, traditional TV channels pay their taxes, while streaming platforms such as Netflix pay nothing. In a way, they use technology to bypass traditional methods. Leaders can never be blinded and must anticipate changes.

JFH: Did we not neglect the role of innovation in improving the human condition in our societies? What recommendations could you give to entrepreneurs, project leaders or decision-makers in order to develop innovation?

MG: CEOs and business leaders do not pay enough attention to the digital transition, and as a result, 80% of projects do not succeed. What is the reason for these failures? Digital is pushed onto employees while they should be the drivers of the transition based on their desires and expectations. Tech, tech and more tech. The human dimension is often overlooked. Digital technology should be at the service of employees. We have gone so far as to ask people to robotise themselves. Fortunately, today, humans are naturally coming back to the fore in these discussions, but the transition is violent, because we walked down the wrong path for too long. As was the case during the Renaissance, let us prioritise human thought and manage this transition towards the emergence of a society of shared progress!

BUILDING A CYBER-RESILIENT ECOSYSTEM: A MAJOR 21ST CENTURY CHALLENGE

Author: Alexandre Keilmann
Photo credit: Olivier Dessy
Yves Reding, CEO - EBRC

Senior business managers believe the increased threat of cyber-attacks is a major risk to the global economy. This was one of the findings of a survey conducted by the World Economic Forum, and published at this year’s Davos conference. This “Global Risks Report” suggested that cyber-threats rank alongside concerns about climate change and geopolitical instability as factors contributing to reduced business confidence. Indeed, 29% of chief executives surveyed expected growth to decline in 2019, compared to 5% in 2018.

Businesses have become increasingly worried about these threats in recent years, affecting organisations of all sizes and in every sector. Yves Reding, CEO of EBRC (European Business Reliance Centre) has seen how managers have become increasingly concerned about the steep rise in the volume and sophistication of cyber-threats to their organisations. EBRC’s vision is to be a European centre of trust and excellence for the protection and management of sensitive information. It is a well-established player, with its 200 staff generating €76m of turnover annually. Furthermore, it is supported by the firm DIGORA, in which EBRC has an equity stake. DIGORA specialises in data management and databases and employs 130 experts in France and Morocco.

Underpinning EBRC’s work are its Tier IV data centres which offer the highest level of security and availability. From these foundations the firm provides trustworthy cloud computing services, IT outsourcing options and related consulting to demanding international clients. These businesses need to be sure that their data and processes are well protected and always available, as well as meeting the requirements of their regulators. EBRC clients come from a diverse range of sectors including finance, health, essential services, international institutions, defence, space, and more.

Yves Reding, EBRC’s CEO, discusses the threats faced by managers, and how to move towards Cyber-Resilience and thus reduce cyber-risk.

Mr. Reding, aren’t CxOs’ worries about cyber-threats exaggerated?

YR: Over the last ten years, business managers have been keenly aware of fluctuations in the global economy, as we can see from the survey presented to the last World Economic Forum. These concerns have been exacerbated by four main factors: increasing protectionism, geopolitical instability, the challenge of climate change, and cyber-risk. EBRC clients’ business cultures tend to be highly sensitive to risk, particularly when it comes to digital data and systems. Much of their business is centred on making critical transactions and communicating sensitive information in complete security. For more than 20 years, EBRC has been finding solutions to the challenge of protecting and managing valuable data. It is the mission and main concern of all of us here.

How do you explain the current situation, the extent of the threats and the reasons for the increased number of security incidents?

YR: We all face a wide range of cyber-security threats. Most common attack vectors are malicious software (malware), such as web-based or web-application attacks, or phishing. Denial-of-service attacks, which seek to flood networks to render them unavailable, are becoming more common, powerful and sophisticated. Identity theft, botnets (IT networks which spread malware), attacks on data security, and data leaks continue to grow. Even a few years ago, we couldn’t have imagined how these technologies would develop. Record-breaking events occur more frequently because increasing numbers of criminals, states, businesses, organisations, and cyber-terrorists are all involved in developing these threats. Digitalisation is growing quickly, and new threats rise to meet each innovation. The fundamental problem is that defence systems develop in a linear fashion, while threats increase exponentially. This mismatch is dangerous to the on-going digital revolution.

Is the IT ecosystem aware of these changes?

YR: Digital represents a new world in which different risks are sometimes hard for people to understand. In the physical world, risks are more clear and present. It’s natural for us to look left and right before crossing roads because we understand instinctively the threat traffic poses. Compare this to the
digital world where such reflexes can be underdeveloped. A DDoS attack can be launched without fanfare from the other side of the planet. We need a major, quick culture change by users of cyberspace, in both their private and professional lives. The European Commission is taking steps, including the Network and Information Security (NIS) directive, which seeks to help build a resilient cyber ecosystem. This includes working to protect the operators of essential services such as energy provision, transport networks, health, payments systems and more. As well, the European cyber-security agency ENISA will be given more powers. It has been organising crisis management exercises relating to major risks at a European level for a number of years. In 2016, EBRC participated in the Cyber Europe exercise which simulated massive, coordinated attacks on European cloud providers.

What advice would you give to businesses wishing to prepare themselves against cyber-threats? Where should they start?

YR: Traditional strategies are no longer appropriate for a world of ever more numerous and sophisticated cyber-threats. It’s no longer worth thinking about whether an attack will occur, but rather when it will happen and how strong it will be. Organisations have to know that they can’t eliminate risk, so their security and business continuity plans must be based on how risk should be managed and mitigated. This means moving from notions of cyber-security towards Cyber-Resilience. Just like our immune system, they need to react to attacks by containing and then eliminating harm. Users of digital systems need to be permanently vigilant to identify, protect and respond to threats, including the ability to recover and rebound. Senior management needs to instil a Cyber-Resilience culture which will help build instinctive cyber-security reflexes. This is part of the idea of “digital hygiene” which involves building an organisation and processes to enable the system to develop immunity.

When seeking a partner to help manage a security ecosystem, what certification is indispensable when making an evaluation?

YR: Standardisation certification helps clients understand which suppliers they can trust. These standards oblige service providers to adopt procedures which drive permanent improvement. Four international standardisation norms relate closely to Cyber-Resilience:
• ISO 27001: information security management,
• ISO 22301: business continuity management,
• ISO 31000: risk management,
• ISO 22316: security and resilience.

For ICT businesses, it is important that they have ISO 20000 certification which relates specifically to IT service management, using best practice such as ITIL techniques. Personal-data protection can also be guaranteed for some players with ISO 27018 certification. Essential services operators and other highly sensitive sectors use a range of specific norms, such as health data hosting certification which meets ISO 27001, 20000, and 27018 standards.

At EBRC, we have understood the importance of standards for many years, and have integrated these and best practice into how we work. This helps us predict our clients’ needs and the potential threats they might face. We have built a Cyber-Resilience culture using a process of continual improvement. This has almost become part of our staff’s DNA and thus informs all our activities.

Furthermore, Cyber-Resilience works best through shared experience and via multi-disciplinary teams. EBRC’s 400 clients have a wide variety of business cultures, but they all face similar risks and threats. We offer them extra support by working to create a Cyber-Resilience ecosystem at the European level. If we work alone in our individual countries, we will fail to maximise impact. Alternatively, we can drive forward the creation of mechanisms across the single market. It is for data management specialists such as us to show the way forward. The ultimate aim is to ensure trust for clients and stakeholders in cyberspace.

SOLUTIONS

IT OUTSOURCING: STANDARDS AS VECTORS OF TRUST

Author: Alexandre Keilmann
Photo credit: EBRC
Philippe Dann, Head of Risk & Business Advisory - EBRC

To discuss the importance of the certifications held by EBRC, the company specialised in the management of sensitive information, we met with Philippe Dann and Jean-François Hugon, respectively Head of Risk & Business Advisory and Head of Marketing at EBRC. During this interview, the two experts also listed the numerous advantages that the company derives from those certifications and from which customers also clearly benefit, including the standardisation aspect and the ability to build a relationship of trust.

“EBRC’s ambition is to position itself as a centre of excellence in Europe in the area of the management and protection of sensitive data”, starts Philippe Dann explaining: “To achieve this, we have set several mechanisms in motion, and notably a certification strategy. From the creation of new services to integration, including the management of sensitive information, each of the EBRC business lines are now covered by very specific certifications”. This certification process, becoming ever more rigorous, is also part of the strategy of constant and continuous improvement promoted by EBRC and its experts, based on the Deming Wheel principle (see page 17 “Cyber-Resilience Lifecycle”), or the PDCA cycle – Plan, Do, Check, Act.

NAVIGATING IN INCREASINGLY REGULATED ENVIRONMENTS

As these various standards and certifications are regularly audited, they represent a convincing guarantee for EBRC customers and prospects, formally demonstrating the quality and know-how of the services offered by the Luxembourg-based company. In addition, external audits carried out by certifying bodies represent a significant time saving for customers: this advanced certification approach reinforces trust in an increasingly digital and regulated environment, particularly with the GDPR. “The arrival of the NIS Directive had also an impact: it requires companies to implement effective checks. With its current certifications, EBRC is already in a position to carry out such checks and to prove that it meets regulators’ expectations”, says Philippe Dann.

These are therefore key aspects in EBRC international development and in its positioning as a “European centre of excellence”. The certifications, which act as a “business card” for the company, demonstrate its ability to meet these very specific standards. “We operate in fields such as finance or health with specific measures, respectively PFS (Professional of the Financial Sector) in Luxembourg and HDS (Hébergeurs de Données de Santé – Health Data Hosting) in France, requiring us to opt for certifications and standards inherent to the sector regulation. The certification process has the added benefit of enabling us to access a regulated market and improves the quality of responses and services. I could mention eIDAS as an example: this regulation mainly concerns public sector bodies and trusted service providers established in the European Union. It establishes a European framework for electronic identification and trusted services to facilitate the emergence of the digital single market. In particular, it covers the subject of electronic signatures and repeals Directive 1999/93/EC. The ANSSI is one of the national bodies responsible for the implementation of this regulation. In short, they help to break down the barriers to entry that we may encounter and ensure the customers and stakeholders of a given ecosystem that we speak the same language. These cascading certifications provide an additional guarantee insofar as they are regularly audited. Finally, they demonstrate the maturity of a know-how that we have built through a process. The audit phases facilitate the continuous improvement of our services, which is perfectly in line with our approach of delivering Trusted Services and actively contributes to Cyber-Resilience”, adds
Jean-François Hugon. The Head of Marketing also emphasised the benefit of certifications for service providers such as EBRC, which are imposed both by future customers seeking a solution and by regulators at the international level.

Finally, as the two experts point out, this certification strategy makes it possible, above all, to control the quality of services internally, each of them providing a very precise framework with obligations to be respected and ultimately improving the structure of services by optimising the working environment, thus enabling the various stakeholders to save time. “Standards require structure and improve internal communication. Each stakeholder’s role must be defined, and KPIs - Key Performance Indicators - but also KRIs - Key Risk Indicators - must be implemented. This can be tricky, but it remains crucial”, adds Philippe Dann. Moreover, the ISO 20000 certification, which EBRC achieved, stresses this point. It specifies the requirements for the service provider to plan, establish, implement, execute, monitor, review, maintain and improve a Service Management System across the board, from its design to service improvement. “Today, knowing your processes better also means predicting and anticipating. Two key elements in a world in which uncertainty is almost constant”, highlights the Head of Risk & Business Advisory.

CERTIFICATIONS ARE AT THE HEART OF EBRC STRATEGY

“EBRC has currently over 70 local and international certifications and awards, which, combined, enable customers to evaluate our performance and services, and even our best practices and strategy”, underlines Jean-François Hugon. The ISO 9001 certification, which is linked to quality management systems, makes it possible to define standards that are part of the company’s overall framework: it includes requirements for product design, development, production and after-sales service. “A certification that sets the milestones, that serves as a foundation”, according to Philippe Dann. As for the ISO 20000 certification, as mentioned above, it focuses on the management and organisation of IT services, including processes, reports, customer relations, helpdesk and incidents. Business continuity is ensured through ISO 22301 certification: it involves defining processes to ensure that the company will continue to be able to provide the services to its customers in the event of a technical or human disaster. A strong focus on security and risk management is provided by the ISO 27001 standard: these aspects must
be managed upstream, from the design or implementation of a new service or product. “It includes the “Trusted” concept, which is important to EBRC”, add the experts. EBRC also has the ISO 27018 certification, which relates to the protection of personal data in the cloud. Three sources must be checked in order to verify safety requirements: the legal, regulatory and contractual environments, risk assessment and internal references within the company.

Active in the healthcare sector in France, EBRC is also HDS – Health Data Hosting – certified and can therefore offer its services to stakeholders in the management of sensitive and personal data. As the Risk & Business Advisor explains, “this is a certification of our data centre services in our Tier IV infrastructures”. In order to support its partners in the financial sector offering credit card payment services, EBRC also complies with the PCI DSS (Payment Card Industry - Data Security Standard) Level 1 standard.

With its five data centres in Luxembourg, EBRC attaches great importance to work towards protecting the environment. This “Green IT” aspect is defined through the ISO 14001 standard, which includes the planning and implementation of actions that aim to comply with this environmental policy, as well as the ISO 50001 standard which concerns energy performance and promotes efficient energy management. These Tier IV certified data centres were designed to ensure the highest standards of continuity. “The certification provides an availability rate of 99.995%, corresponding to less than 26 minutes of cumulative downtime per year. The data centre must therefore be autonomous, both in terms of its management and its ability to respond to incidents” comments Philippe Dann.

Why outsource IT activities – and how?

According to EBRC Head of Risk & Business Advisory, “it is crucial to investigate internal processes before outsourcing. Secondly, the choice of supplier is just as important: it involves a study and must result in a relationship of trust. This is where certifications come into play”. The Business Advisory and IT Transformation teams first map out customer needs before implementing a strategy, with an action plan, which will then be implemented.

Philippe Dann and Jean-François Hugon also share their recommendations as regards selecting an IT service provider: “First of all, we recommend starting with an internal audit to measure the company’s level of maturity with regard to outsourcing. Afterwards, workshops can be led by EBRC experts”. According to them, companies can also consider certification and describe their processes using a known framework, which will facilitate the transformation and migration to outsourcing. “Drawing up the specifications and identifying KPIs will follow. The latter, which are professional and business indicators, must be aligned with senior management. Some must be technical, while others are centred on employees’ satisfaction with a focus on usability”, they explain.

The service provider, for its part in a constant concern to improve customer relations, must ensure that it provides new and innovative solutions, anticipating and meeting future needs: once chosen, the service provider will be integrated into the customer’s value chain. “Subsequently, companies must assess the possible financial, qualitative and business benefits of a potential migration to outsourcing. Obviously, this goes hand in hand with assessing the potential losses, especially when it comes to control. Thus, the notion of strategy takes on its full meaning: is it a strategic business or not? The answer will depend on the customers, their activity and their maturity” explains Philippe Dann.

EBRC extensive certification process does not prevent it from having the agility required to navigate today’s digital and changing environment. While certifications impose a framework, they provide real, flexible and pragmatic added value based on the customer’s needs. To be effective, they must also be understandable to the people who apply them. According to Jean-François Hugon and Philippe Dann, “it is the combination of these aspects that makes standards evolve with the company”. While the implementation of such standards can be difficult at first, they will subsequently bring significant gains to companies, while benefiting their end-users.
CYBER-RESILIENCE LIFECYCLE
PREPARE
KEY PEOPLE: CEO, CISO, BCM, CRO, DPO
ACTIVITIES: • Business impact analysis • Risk assessment • Cyber-Resilience audit • Compliance & standards • Cyber-Resilience strategy • Governance & policies • Awareness & exercise
IDENTIFY
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES: • Gap analysis Business/IT • Vulnerability assessment • Penetration test • Technology watch • Vulnerability watch
PROTECT
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES: • Risk mitigation • Continuity management • Security management • High availability architecture • Data centre availability • Change management
DETECT
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES: • Log correlation • Real-time alert • Incident management
ANALYSE
KEY PEOPLE: CIO, CISO, BCM
ACTIVITIES: • Threat analysis • Prioritization • Operational crisis management
RESPOND
KEY PEOPLE: CEO, CISO, BCM, CRO, DPO
ACTIVITIES: • Decisional crisis management • Crisis communication • Containment • Remediation • Business continuity
RECOVER
KEY PEOPLE: CIO, CISO, BCM, CRO
ACTIVITIES: • Back to normal operations • Forensics • Continuous improvement • Legal • Communication
EBRC expertise: ADV: ADVISORY / CERT: COMPUTER EMERGENCY RESPONSE TEAM / MS: MANAGED SERVICES / SOC: SECURITY OPERATION CENTER
SOLUTIONS
Yuri Colombi - Head of Solutions & Innovation, and Gérard Miceli - Innovation Consultant - EBRC Author: Sébastien Lambotte Photo credit: EBRC
HYBRID CLOUD, DEVOPS, OBJECT STORAGE:
BOOST YOUR TRANSFORMATION
The IT environment must constantly evolve in order to adapt to the business’ transformation and enable the company to improve its performance. The times call for resource hybridization, between dedicated infrastructures and public clouds, and for bringing together development and operations stakeholders. In order to help its customers to better evolve, EBRC completed its service portfolio by implementing more flexible platforms making it possible to migrate between environments, thereby providing its customers with increased agility.
“For many organisations, one of the current challenges with regard to providing support in the context of the business’ digital transformation lies in strengthening their ability to deploy services in a more agile and secure way” says Yuri Colombi, EBRC Head of Solutions & Innovation. “This requires them to be able to rely on a more scalable IT environment also offering guarantees in terms of resilience, business continuity and data protection.” To this end, EBRC has developed a digital transformation support offering to help organisations to more easily migrate to the hybrid cloud and implement DevOps initiatives based on robust governance.
— ADOPTING CONTAINERIZATION TO MANAGE AND FACILITATE HYBRID DEPLOYMENTS
One of the first challenges involves providing the IT department with increased agility with regard to IT resource management. The corollary to technological development is the introduction of increasingly containerized applications. “Container technology facilitates IT management across increasingly hybrid environments, using on-premise, private and public cloud infrastructures” explains Gérard Miceli, EBRC Innovation Consultant. Containers offer an additional level of abstraction. “They can therefore be deployed in any type of environment, thanks, in particular, to the Kubernetes orchestration tool that we use. Technology offers a great deal of flexibility in migration towards the public cloud, for instance.”
— MOVING TOWARDS THE HYBRID CLOUD
Today, EBRC positions itself as a full-fledged cloud stakeholder by providing its customers with access to the environments most suited to their needs, whether they are dedicated or widely shared. “We provide them with support in analysing opportunities linked to the evolution of their environment. Contrary to popular belief, using the public cloud is not necessarily the most affordable solution. An analysis of needs must be conducted. With a good understanding of the issues, we can better guide organisations on the path towards the hybrid cloud”, adds Yuri Colombi.
— A PLATFORM FOR FACILITATING DEVOPS
Moreover, EBRC wants to make it easier to build bridges between development and operations. “The flexibility our customers gain with regard to the management of environments can also be reflected in the way that they develop and deploy new features, particularly through the use of DevOps approaches” says Gérard Miceli. “The challenge lies in implementing a continuous development process and guaranteeing the easy and secure integration of new features.” With this in mind, EBRC facilitates the industrialisation of deployment from a platform specifically designed for the purpose. “We provide support to our customers with regard to the operational management of the platform that we make available to them and which is based on a multi-cloud environment” explains Yuri Colombi. “The platform, through which containers can be easily orchestrated, makes it much easier to implement a DevOps approach. Through the platform, our customers gain access to a range of certified deployment tools and a wide range of data analytics solutions.” The entire package is designed to improve the autonomy of organisations, make them less dependent on technical resources and enable them to easily deploy services and micro-services based on their current needs. “This makes it possible to considerably reduce the time-to-market”, confirms Gérard Miceli.
— PROVIDING SUPPORT IN THE TRANSFORMATION OF METHODS AND APPROACHES
Faced with these challenges, EBRC intends to be more than just a technological partner. While continuing to ensure the management of operational aspects, with guaranteed service levels based on current needs, the trusted service provider offers support in the evolution of governance and the management of its customers’ architectures. “To achieve this, in addition to the technological platform, we offer a full range of services and training opportunities aimed at enabling them to activate the transformation throughout the innovation value chain” explains Yuri Colombi. “Each organisation can therefore take advantage of the full extent of EBRC’s and its partners’ expertise in order to fully enter the digital age.”
— MORE FLEXIBLE STORAGE BETTER GUARANTEED OVER TIME
In the context of supporting customers’ transition to the cloud, EBRC has also implemented a data hosting and protection service using “S3” object storage technology. “In the move towards increasingly heterogeneous environments, the aim is to offer solutions that improve data storage, guaranteeing its integrity over time, with greater flexibility” comments Gérard Miceli. “Object storage is the answer to these new challenges.” Object storage facilitates migration to and integration with the public cloud in the context of system hybridization. The technology integrates the major standards of the market and especially the API used by the giants of the cloud. Customers enjoy high reversibility and can therefore easily migrate between environments while guaranteeing the integrity of their data. By addressing storage issues in a new way, this technology makes it easier to manage large volumes of unstructured data. “Object storage was specifically designed to guarantee data protection and integrity over the long term” highlights Yuri Colombi. “Whereas elements were previously accessed from a disk, this new storage method enables each object to be protected and encrypted individually. Therefore, we are able to guarantee compliance with the most stringent regulatory requirements. Object storage integrates reading and writing mechanisms for the elements by design, thus ensuring redundancy and automatic error correction.”
Fabrice Croiseaux CEO - InTech
Author: Michaël Renotte Photo credit: InTech
DEVSECOPS:
ADDED SECURITY
EBRC and InTech, which are both members of the POST group, have combined their expertise to help companies take full advantage of the agility and responsiveness of the DevOps approach while directly incorporating security practices into it. This integrated approach reconciles continuous development with the requirements of cyber-security and data protection.
“IT decision-makers are now using three tactics to transform their organisations: modernising existing systems, cyber-security and moving towards agile development and delivery models”, says Jean-François Hugon, EBRC Head of Marketing. “In the latter area, the adoption of a DevOps approach directly based on agile methods enables IT teams to set up a continuous development and production cycle, thus increasing their responsiveness in taking into account business demands and reducing the time-to-market of applications.”
Within a DevOps context, the traditional silos separating developers, testers, production managers and system administrators are dismantled. All stakeholders work more closely together throughout the development and deployment process, thus enabling them to better understand each other’s expectations and the challenges they face.
“By joining forces, EBRC and InTech are able to provide end-to-end support in the implementation of the DevOps value chain, from design to operation, through development, testing and deployment”, said Fabrice Croiseaux, CEO of InTech. “EBRC, a company specialising in IT infrastructure, critical IT operations and IT transformation, has extensive experience in system operations and conducts the operational management of IT environments for many customers”, he says. “As for InTech, it is a leading stakeholder in the fields of software development, application architectures and the implementation of industrial development platforms.”
— DEVELOPMENT, OPERATIONS AND SECURITY
However, while an effective DevOps approach ensures fast and frequent development cycles, it does not take into account a critical aspect of development, namely that of application security. Yet, inadequate security practices can cancel out the benefits offered by even the most effective DevOps projects. It is within this framework that an evolution of the DevOps principles, DevSecOps, is emerging. The latter is an approach that brings IT services closer in line with business needs and also strengthens the security of developments, improves their quality and demonstrates greater proactivity in terms of performance, resilience and high availability. “The global transformation of IT services that we are witnessing introduces a change in the way projects are approached”, emphasizes Jean-François Hugon. “Companies are seeking greater agility for both business and IT. Developers have more responsibilities, in particular with regard to cross-cutting considerations such as quality and safety. The latter is no longer pushed back to the end of the chain, it is integrated by design.”
— PRIORITISING SECURITY
The DevSecOps approach is based on integrated security, not on a security perimeter that protects applications and data. When security is relegated to the end of the development process, companies that adopt the DevOps approach may face long development cycles, which they were trying to avoid. The DevSecOps approach therefore involves thinking about the security of the application and infrastructure from the outset. It is based on close collaboration between development and cyber-security teams to ensure the safety of products throughout their lifecycle. This approach prioritises security by establishing a framework for development activities. “Good security practices in development are known and documented. These include OWASP, for example, which lists major application security vulnerabilities and provides the tools enabling developers to address them. On the other hand, the automatic integration of OWASP controls into the development industrialisation process can still be improved. This is precisely what we are doing with EBRC in the framework of the implementation of DevSecOps” says Fabrice Croiseaux.
— AUTOMATION AND CONTINUOUS MONITORING
In order to avoid any slowdown in DevOps flows and since manual security checks can be time-consuming and costly, the automation of repetitive tasks is a key element of the DevSecOps approach. Automation applies in particular to development control: developers can continuously test their code to identify potential vulnerabilities as early as possible and thus reduce the number of post-deployment patches. It also affects system control through solution containerisation, which makes it possible to isolate a system’s various functions, automate security audit operations and check that cyber-security policies are being properly implemented at all times. Using containerised environments also makes it possible to secure the infrastructure by automating incident detection processes. Thus, when an intrusion attempt or abnormal flow is detected, it is possible to disable and isolate corrupted instances and instantly redirect traffic.
— OPENNESS AND INTEROPERABILITY
“Today, the technologies that enable the agility and responsiveness objectives of the DevOps approach to be achieved can to a large extent be implemented in the public cloud”, said Fabrice Croiseaux. “However, our customers can benefit from a comparable level of service through a platform hosted in Luxembourg, in the Trusted Cloud Europe and EBRC Tier IV data centres, and meet both the regulatory requirements of the various regulators and the compliance criteria of the most demanding international standards such as ISO 27001, ISO 20000, ISO 22301, Tier IV and PCI DSS, among others.”
The EBRC Kubernetes as a Service cloud platform includes all the building blocks needed to industrialise the deployment, scaling and orchestration of micro-service architectures and containerised applications. With the Red Hat OpenShift solution - a continuous security-oriented platform common to development and operations teams that allows them to create, deploy and manage containerised applications -, EBRC KaaS forms the foundation of InTech and EBRC DevSecOps technology offering. By focusing on openness and interoperability, POST group companies differentiate themselves from traditional public cloud stakeholders and enable companies to protect themselves against the risk of vendor lock-in.
“EBRC also has very high levels of expertise in information security and Cyber-Resilience as well as in process management and information systems governance”, recalls Jean-François Hugon. “By combining their respective expertise”, he goes on to say, “InTech and EBRC support their customers in their DevSecOps journey by helping them transform their development methods as well as by ensuring a transfer of skills relating to new ways of approaching infrastructure.”
Both the scope and impact of a transition to DevSecOps are considerable. Although DevOps remains complex in the eyes of highly-responsible developers, system administrators are forced to adapt their traditional skills to information systems configured and managed by code. These are risk factors that must be taken into account in any DevSecOps strategy.
From development to operation, from ideation to maintenance, EBRC and InTech combine all the assets to enable companies to seamlessly integrate into their IT organisation all the key factors on which a successful transition to DevSecOps depends, whether for the purpose of setting up an active collaboration between all stakeholders, standardising development and delivery processes by integrating cyber-security requirements, introducing new technological tools for automating checks and operations, or organising cross-functional governance which is common to all businesses and professions involved in the application lifecycle.
Author: Michaël Renotte Photo credit: EBRC
TRUSTED ADVISORY SERVICES,
THE PATH TO RESILIENCE
Convinced of the fact that companies must acquire the resilience necessary for their development in the digital economy, EBRC has deployed a consulting offer that responds to the challenges posed by the digital transformation. This consulting activity now covers business continuity management, cyber-security, IT transformation, data centre audits and the full spectrum of all aspects of Governance, Risk and Compliance.
Philippe Dann Head of Risk & Business Advisory - EBRC
“Our consulting and support missions are carried out by our Trusted Advisors team”, explains Philippe Dann, EBRC Head of Risk & Business Advisory. “Our experts meet with the managers of the various facets of the company that uses our services, to identify the critical processes and activities. They can thus identify business needs and analyse the ability of the IT infrastructure to meet these requirements.” EBRC experts’ investigations cover the entire spectrum of business continuity, from DRP - i.e. infrastructure continuity - to business impact analyses. “Our consultants work both with the business lines and with IT to ensure that both are aligned” says Philippe Dann. “They conduct impact analysis campaigns, identify applications, risk elements or the most critical elements, and then work with the customer to set up its own continuity and crisis management strategies and plans”. EBRC Trusted Advisors can then assist the customers until they obtain the ISO 22301 certification, which governs the field of business continuity. “In terms of business continuity management, we provided support to Arendt Services in their certification process, the first Luxembourg-based PFS to obtain ISO 22301 certification, the Banque de Patrimoines Privés, a pioneer among local banks, and a French insurance company”, said Philippe Dann.
“At the moment”, he goes on, “we are supporting half a dozen companies in their certification process. For others, our intervention focuses on risk analysis or Business Impact Analysis activities”. The Trusted Advisory consulting offer also includes audits and support for data centre certification. These data centre audits are carried out by the certified teams that manage and operate EBRC’s own Tier IV data centres. “Beyond the traditional audits of infrastructures and their operation, these missions integrate the analysis and management of risks, whether they are environmental risks related to data centres, cyber risks, or the elements highlighted by the NIS directive and which concern the scope of the data centre” explains Philippe Dann. “To do this, we systematically conduct an analysis of the risks to which our client’s data centre is exposed in relation to its economic activity and its IT environment. In this way, we combine our technical expertise in data centres - physical security, logical security, availability and risk management”. “Our consulting activities also extend to GRC, Governance Risk & Compliance, an area that falls within the scope of information system security, in particular ISO 27001. We help our customers to carry out their risk analyses, set up risk management and develop their safety strategies”, explained Philippe Dann. “In this context,” he added, “we integrate both European regulations and directives - GDPR and NIS, in particular - international standards and the company’s own internal rules to define a risk management and cyber-security dashboard aimed at assessing compliance”.
The IT transformation is another aspect of EBRC consulting services. “We help our customers select the solution that best suits their needs, business and applications as they transform their IT environment, whether in terms of relocating data centres or migrating to the cloud” says Philippe Dann. And to help companies better protect their data and system integrity, EBRC’s experts assess and strengthen the security level of infrastructures and applications based on risk analysis, vulnerability and intrusion tests.
— A RESOLUTELY PRAGMATIC APPROACH
“Our consulting activity is based on a set of skills developed internally because what we recommend to our clients is what we apply to our own activities” explains Philippe Dann. “Our approach is pragmatic. It is based on sharing information with our customers and feedback. We are not business continuity theorists, nor are we governance theorists” he emphasizes. “To date, we have more than 800 continuity tests to our credit and many achievements in the area of crisis management” said Philippe Dann. “And we have the ISO 27001 certification since 2010, which is renewed every year, enabling us to capitalise on our long-standing experience. This is one of the reasons for which our customers trust us, because we have in-depth knowledge of the topics that we address and have the required experience to interact with IT specialists, CISOs, Risk Managers and DPOs, on the one hand, and with the business lines, on the other hand”.
“Our intervention can thus be based on a request from the business lines relating to business continuity for example, or a need related to the risk identified by the CISO, the Risk Manager or the DPO. In both cases, alignment with IT will have to be assessed” said Philippe Dann. “This enables us to cover all the company’s needs and, in combination with our Cloud, SOC, and data centre activities, to offer an end-to-end solution to customers who so desire” concludes Philippe Dann.
CASE STUDIES
Author: Michaël Renotte Photo credit: Michaël Renotte
BANQUE DE PATRIMOINES PRIVÉS CERTIFIED ISO 22301,
A FIRST IN LUXEMBOURG! banquedepatrimoinesprives.com
Carlos Fernandez-Rubies de Lillo, Managing Director; Josep Arseni Ramoneda, Chief Operating Officer/Chief Financial Officer; & François Clausse, Head of IT Department - BPP
Banque de Patrimoines Privés at a glance...
Founded in 2010
7 billion assets under management in Luxembourg
First bank being ISO 22301 certified in Luxembourg
By gaining access, with the support of EBRC, to ISO 22301 certification, the Banque de Patrimoines Privés becomes the first Luxembourg-based financial institution to set up a Business Continuity Management System in full compliance with the standard.
The Banque de Patrimoines Privés is a Luxembourg-based financial institution geared towards private banking. It was founded in 2010 and mainly provides wealth management, custody and administration services for investment and portfolio management funds. In 2011, BPP was acquired by the Crèdit Andorrà group, the market leader in Andorra.
“The Crèdit Andorrà group is in the midst of a major international development programme” explains Carlos Rubies, Managing Director of the Banque de Patrimoines Privés. “Today, Crèdit Andorrà is present in Europe - Andorra, Spain, Luxembourg and Switzerland - as well as in America.”
— AGILITY AND RESPONSIVENESS: CONDITIONS CONDUCIVE TO CERTIFICATION
“Our strategy is essentially focused on our customers, who come from all regions of the world. It is for the purpose of ensuring the highest level of service to our customers that our policy is to be a first-class stakeholder in the activities we carry out” continues Carlos Rubies. “The small relative size of our bank makes us very agile stakeholders in an increasingly complex market. We are also very keen to anchor the quality and efficiency of our processes in a demanding normative framework, which is both a guarantee of safety for our customers and a differentiating factor in the market.”
“With the acquisition of Banque de Patrimoines Privés by Crèdit Andorrà” says François Clausse, Head of the bank’s IT Department, “various projects aimed at supporting the growth of our business have been launched, including the adoption of the Avaloq banking software, the deployment of the NeoXam GP3 application - to support the development of the fund industry - and the implementation of an electronic flow management solution.”
— ENSURING INTEROPERABILITY BETWEEN BUSINESS AND IT
“At the same time, we undertook to implement procedures relating to business recovery, but the vision we had of it was purely IT-based, oriented towards disaster recovery, and disconnected from the needs of business departments. However, we wanted to ensure interoperability between business and IT flows, which requires different recovery times being taken into account.” It was with the aim of solving this equation that BPP’s management decided in 2017 to provide the bank with a Business Continuity Coordinator by offering its Head of IT the opportunity to follow training in order to obtain the title of Lead Implementer of the ISO 22301 standard, and thus acquire the necessary expertise to support the company in the implementation and management of its Business Continuity Management System.
— TRAINING IN REAL CONDITIONS
“To achieve this objective, we chose to work with the Luxembourg leader in this field, EBRC. We decided by mutual agreement that the training would not be purely academic in nature. We used the bank and existing procedures to ensure that the training framework is as close as possible to the reality in the field.” During this training cycle, François Clausse gathered the company’s various stakeholders and, together, they conducted an in-depth reflection through several Business Impact Analysis and Risk Assessment sessions. “The Business Impact Analysis and Risk Assessment sessions have the advantage of enabling business process managers to put into perspective the role they play in the overall flow of the bank’s information system” explains François Clausse. “This exercise enabled us to map the main banking processes and the associated interdependencies. We have therefore been able to formalise a policy that has resulted in a strategy and various business recovery procedures.”
— CERTIFYING THE BANK
At the end of this first cycle, BPP’s management decided to increase the company’s level of maturity by making it take the path of certification. After validation by the Board of Directors, all efforts in 2018 were focused on achieving the ISO 22301 certification. “During the bank’s certification cycle, we formalised and tested all our procedures and implemented crisis management and automatic communication procedures, the latter of which are based on the F24 application. The experience was then validated by our internal and external audit departments, which enabled us to position our bank in line with the standard and thus achieve certification” explains François Clausse.
— A DEMANDING STANDARD…
“ISO is an international standardisation body” he continued. “Therefore, the ISO 22301 standard enables us to establish and modify our model - but also to control, maintain and test it - using an unalterable and globally proven management system. In addition, the roles and responsibilities of all stakeholders are clearly stated, as the strategy emanates from the Board of Directors, the tactics are the responsibility of the Business Continuity Coordinator and operationality is ensured by the company’s various departments.” “However, the scope of the ISO 22301 standard is not limited to the recovery plan” notes François Clausse. “The standard also includes the protection of employees, the maintenance of the company’s vital activities, contracts and SLAs, greater predictability and better understanding of events in the event of a crisis, as well as the protection of the entity’s reputation and competitiveness.”
In order to meet the requirements of the ISO 22301 standard, it is also essential to develop a proper understanding of the organisation and to establish clear limits on the scope of the management system. In particular, it is important that the organisation respects the interests, needs and expectations of the various stakeholders - business departments, IT Department and staff as well as the position of regulatory and supervisory bodies. “Thus,” underlines François Clausse, “the implementation of a Business Continuity Management System enables us to meet certain regulatory requirements, in particular that the bank is able to test the robustness and resistance of its systems.”
— … WHICH OPENS UP CONSIDERABLE PROSPECTS
“Finally,” he added, “achieving an international certification such as ISO 22301 demonstrates our interest in risk management and the resumption of our organization’s business. The effort made by the bank enables it to affirm the robustness of its system.” “We are indeed succeeding in achieving performances that seem difficult to achieve for a bank of our size” says Josep-Arseni Ramoneda, Chief Operating Officer of BPP. “We must therefore be able to demonstrate to our customers and partners that our processes are as efficient as they are robust. This effort also paves the way for other certification paths, in areas such as quality and security, for instance.”
— RELYING ON A MARKET LEADER
As part of this certification, the Banque de Patrimoines Privés chose to work in partnership with EBRC. “With international expertise in this field, the professionals of EBRC Advisory team were able to optimise the implementation of the standard through summary documents that effectively support the Business Continuity Management System” explains the Head of the bank’s IT Department. Last year, the bank also chose to set up its emergency positions in EBRC’s Resilience Centre Luxembourg South in Kayl. “EBRC is the market leader with 1,000 emergency positions in totally secure spaces that enable us to completely and transparently switch our operations following a disaster or unavailability” confirms François Clausse. “It was in this same resilience centre and with the support of an EBRC Service Account Manager that we first tested our Business Continuity Management System. This test was a real success and, after validation by the Bank’s Executive Committee, our management system was audited by PECB, a global provider of training, examination, audit, and certification services for a wide range of international standards. Whether it is our journey towards achieving ISO 22301 certification or the establishment of our emergency positions, we can only welcome the support we have received from the EBRC teams. In addition to the great professionalism I have already mentioned, EBRC’s consultants demonstrated, during their interventions, a rare sense of listening, sharing and common interest that allowed us to establish a relationship of trust” concludes François Clausse.
The ISO 22301:2012 standard – Business Continuity Management Systems

In recent years, companies have had to contend with traditional risks - breakdowns, errors or moderate disasters - and emerging risks - climate-related disasters, cyber threats, terrorism, cascading failures that cause widespread service interruptions, etc. This change of perspective calls for the implementation of new strategies to ensure the growth and sustainability of organisations.

Published in 2012, the ISO 22301 standard is a Business Continuity Management Systems standard that can be used by organisations of all types and sizes. Once their management system has been implemented, organisations have the opportunity to apply for certification of compliance with the standard to demonstrate their compliance with good business continuity management practices to the legislative and regulatory authorities, potential customers and other interested parties. The ISO 22301 standard can also be used as a reference for the company to assess its situation in relation to good practices and for auditors to report to management.

The value of the standard goes beyond simply obtaining a certificate of compliance: it also serves to identify and manage current and future threats, to take a proactive approach towards minimising the impact of incidents, to maintain essential functions in times of crisis, to minimise downtime during incidents and to demonstrate resilience.
iso.org
From left to right: Pascal Rogiest - CEO, Stefano Susca - CIO, Frédéric Laurain - Head of IT Systems OPS - LuxTrust Ludovic Gilles - Director Client Development and Yves Reding - CEO - EBRC
Author: Alexandre Keilmann Photo credit: Dominique Gaul
THE COMBINATION OF SECURITY AND TRUST AT THE CENTER OF LUXTRUST STRATEGY
www.luxtrust.lu
700,000 Luxembourgish and cross-border users with more than 300,000 daily connections.
In a context of digital transformation which impacts businesses but also individuals, LuxTrust, which was founded in Luxembourg more than 13 years ago, aims at providing trusted and secure environments to citizens and enterprises. The IT One team met with Pascal Rogiest, CEO of LuxTrust, to discuss the vision of the security and data expert, his company’s latest collaborations – notably with the ICT service provider and fellow company EBRC (European Business Reliance Centre), headquartered in Luxembourg –, but also the pioneering role of Luxembourg and the development of the country’s digital ecosystem.

“LuxTrust was created as an initiative of the government of Luxembourg, backed with several national banks. Our main mission was to provide tools to the entire active population to manage digital identities – through a secure banking access and an electronic signature – which we did”, starts Pascal Rogiest. He also highlights that since the implementation of eIDAS – Electronic IDentification Authentication and trust Services – a couple of years ago in Europe, his company has opened its doors to a wider European market and is now seen as a trusted and quality service provider, not only in Luxembourg, but also all over the Old Continent. LuxTrust is therefore known for its tokens which allow a secure connection to online banking accounts, its mobile declinations but also for its legally-valued electronic signature offer. The latter has been a key element for LuxTrust for the past two years, with the mission to provide an integrated solution allowing the digitalization of entire processes within organizations and institutions. “Replacing paper with digital requires entire platforms where authentication, security and signature are some of the main ingredients of a digital process which must be implemented end-to-end” the CEO adds.

All these solutions, together, interoperable and/or embedded, allow the creation and management of entire digital identities, assigned to persons but also to institutions. “In today’s digital and mobile environments, security remains essential and must not be left off, even if companies sometimes request more flexibility and customers simpler and smoother interactions” explains Pascal Rogiest, whose company is also currently working on increasing and developing the value of digital IDs with additional pieces of personal information.

— PARTNERING WITH A TRUSTED LOCAL PLAYER

In such a context of internationalization and product development, LuxTrust, which claims more than 700,000 Luxembourgish and cross-border users with more than 300,000 daily connections, needed a partner able to allow the strong development of LuxTrust service delivery processes while providing a stable environment and state-of-the-art information security. As explained by Pascal Rogiest, “expanding on a European level means more requests from our clients and therefore more flexibility and agility. Working hand in hand with EBRC, a local partner with international expertise, adds more depth and credibility to our service offer. Again, trust and reliability are key elements in our current digital world”. The LuxTrust data are hosted in Luxembourg in dedicated infrastructures, which means that they are not shared with others, with the highest level of security requested to answer to specific audit needs. “At LuxTrust, as a trusted third party, we need to ensure a level of security, with 6 different audits being held each year. Keeping this status is crucial for LuxTrust and we therefore needed a specific infrastructure to match local and European regulations, from the CSSF and ILNAS to CNPD and many more within Europe. For instance, the QTSP certification – Qualified Trusted Service Provider – allows us to deploy our strong authentication services, our digital identities and our signature services, in all sectors in Europe and worldwide,” says the CEO before adding “this is what we do today for the European Commission”.

Therefore, the EBRC experts, leveraging the knowledge of the LuxTrust team, had to manage the move of critical IT operations from an external data centre to one of their own, without impacting the quality of service. From the RFP and the definition of the new architecture to the set-up of the infrastructure and its audit as well as hand-over to EBRC IT operations, the project lasted 12 months. The actual transfer was successfully done overnight in September 2018, in 20 minutes with no service interruption. This fruitful collaboration was recently recognized with the “Managed Services of the Year” prize, awarded to both EBRC and LuxTrust last December during the IT One Gala. Ludovic Gilles, EBRC Director Client Development comments: “LuxTrust is the first certificate authority client for EBRC. This is perfectly in line with our Managed Services practice, focusing on managing critical infrastructures and workloads throughout Europe. With this project, we have been able to tailor our services to the highest level of security and availability requested by LuxTrust, a great collaboration partner”. The collaboration with EBRC and this new infrastructure allow LuxTrust to provide its clients in Luxembourg and abroad with “more digital”, in a period where all companies are dealing with concrete and sometimes severe transformations while still having to follow and match a growing number of European and global regulations.

— THE CHALLENGES OF CREATING DIGITAL IDENTITIES

Over the years, LuxTrust has worked on providing secure means of payments and therefore on building trust with its partners and users. “We started by providing banks with tokens, but the current and future generations are asking for mobile apps, that are as secure and even easier to use. And when it comes to electronic signatures, LuxTrust has also created a qualified and strong product. Yet, challenges remain and getting people to use these innovative and digital tools is one of them” underlines Pascal Rogiest. According to the trust expert, most people have not accepted these yet, hence the need for campaigns as well as marketing and communication actions to show citizens how they can benefit from the digital tools that are already available, by first reassuring and educating them about our digital world. “It may have started with online banking, digital identities and electronic signatures, but the trends are clearly pointing towards more and more dematerialization, and we therefore need to embark people for this deep transformation to succeed” highlights the CEO of LuxTrust.

The ambiguity and ambivalence between the need for security and the necessity to provide services that are smoother and easier to use, can also be seen as a huge challenge for almost all the companies navigating in a digital environment. “Combining security with regulation – notably with GDPR which is already impacting major players as well as smaller and medium enterprises – with customer needs and with business demands first requests the definition of the boundaries that companies do not want to cross while seeking for the best user experience. Therefore, building and providing the perfect customer journey takes time and each step of digitalization must be tackled independently depending on the use cases of our customers. In this respect, digitalization needs to be more pragmatic” comments the expert.

Finally, Pascal Rogiest underlines the fact that the Grand Duchy of Luxembourg has an advanced and expert level when it comes to digital, which is a splendid vitrine that the country should further leverage. For instance, LuxTrust has been working at the international level for a couple of years now, with very good traction from multiple clients in France and Belgium. Moreover, the company has concluded several partnerships in Belgium and Italy, and has also signed a contract with the European Commission to provide the EC and 80 non-EU countries a strong electronic signature for the importation of foodstuffs into EU. Another challenge appears: making sure that digital identities are compatible and interoperable in all these countries.

— A DIGITAL PIONEER IN A DIGITAL COUNTRY

“In Luxembourg, almost everyone already has a digital identity, whether it is through the use of a token or a mobile to access banking records, or by using and accepting electronic signatures. In this respect, our country is already well-placed in the race towards digitalization, as an effective digital identity ecosystem. Yet, several additional processes could be more developed in both the private and public sectors. Fortunately, our public administration has already jumped on the digital train with many initiatives, notably with Digital Luxembourg and thanks to the services provided by the CTIE. The national economy could further take advantage of the momentum created and we actively work on making this happen” Pascal Rogiest comments when asked about the status of our country. Together with the help of the Luxembourgish government, LuxTrust is indeed currently working on reinforcing digital identities by actually giving them more value. With the question of data privacy growing, the company based in Capellen aims at assigning more information to the citizens’ digital identities allowing them to manage and share their health, education, professional and private data. “Luxembourg is also building an ecosystem will eventually lead to the creation of a data-driven economy. It is our duty, as ICT company with an expertise in data and cyber-security, to give these new opportunities to people while making sure they can use it in a safe, secure and trusted environment. Yet, this entire strategy of digitalization will only be successful if people trust their digital identities. We have to ensure such Trust” concludes Pascal Rogiest.
CLIENTS TESTIMONIALS
VIDEO: our clients testimonials

We asked seven of our customers to talk about their collaboration with EBRC. In this series of short videos, they reflect on the partnership with our teams and the support they received throughout their project.

“In the digital world, our role is to support our customers: on the one hand, we must offer them agility so that they can accelerate and innovate in their core business; on the other hand, we must protect them and reduce uncertainty as well as increasing complexity. Our objective is to support them with confidence in cyberspace, offering them both agility and protection.” Yves Reding, EBRC CEO.

COMO
In this video, Henning THEOBALD, General Counsel at COMO, tells us about his customer experience with EBRC, which has taken the form of a true partnership thanks to the personalised support provided by EBRC teams who have always been attentive to his needs.

IBBL
Dominic ALLEN, COO of the IBBL (Integrated Biobank of Luxembourg) reminds the Biobank’s mission and explains the reasons for which he selected EBRC when launching his project. Health Data Hosting and ISO 27001 certified, EBRC meets the security requirements to manage sensitive information such as medical data.

AGENCE E-SANTÉ
Pascale LUCAS and Hervé BARGE, respectively Operational General Manager and CEO of the Agence e-Santé, outline the challenge met by the Agency in setting up a national health platform with, in particular, the establishment of a shared medical file. The hosting and management of highly sensitive health data, as well as the ability to meet the 9-month deadline for the implementation of the infrastructure, were key factors in the decision to work with EBRC. Trust, respect for commitments and professionalism are the defining characteristics of the relationship between the two companies.
Banque de Patrimoines Privés
Carlos F. Rubies, Josep-Arseni Ramoneda and François Clausse of the Banque de Patrimoines Privés discuss the support received from EBRC teams as part of their ISO 22301 certification. Thanks to the end-to-end support and the support of a market leader, the Banque de Patrimoines Privés was able to benefit from the professionalism of EBRC teams and their ability to listen to and understand their needs throughout the partnership.

LuxTrust
Stefano SUSCA, Director of Information Systems at LuxTrust, shares his experience with EBRC in his project to migrate its data centres and operate a critical infrastructure requiring 24/7 high availability. He explains the reasons for LuxTrust to use EBRC services, which are based on numerous certifications including Tier IV, ISO 27001 and the PFS status, and also provides his assessment of the relationship between Luxtrust and EBRC teams in a project lasting more than 12 months.

i-Hub
Abdelha Tayeb, Head of Cyber Security at i-Hub, discusses the high requirements involved in operating the technologies of this support PSF delivering AML/KYC services. The criteria taken into account when selecting EBRC were numerous: being able to operate the latest generation technologies and monitor them 24/7, being able to integrate with i-Hub security operations centre, delivering advice, particularly in terms of continuity plans, governance and international standards. EBRC expertise in cyber-security has been instrumental in ensuring the highest levels of protection throughout the service production chain.

KBL epb
Eric Mansuy, Group Chief Operating Officer at KBL epb discusses the project to migrate the bank’s data centre to the EBRC infrastructures, which was carried out in parallel with the replacement of the group’s core banking platform. The decision to work with EBRC teams was based on several criteria, including security, the relationship between the teams and also the consistency of the approach. Ultimately, the project was completed on time and on schedule.
Flash the QR codes to view the testimonials
PARTNERS PROGRAMME

“POWERED BY EBRC”
BOOSTING CLIENT DEVELOPMENT AND BUSINESS HYBRIDISATION

Author: Jean-François Hugon Photo credit: EBRC

Jean-François Hugon Head of Marketing EBRC

In Europe, EBRC has established itself as the leading player in the management of sensitive information. The company located in Luxembourg has deployed a unique ecosystem of trust. “We support companies at the heart of their digital transformation, in the implementation and management of their IT environment with our IT services based on our Tier IV data centres”, explains Jean-François Hugon, EBRC Head of Marketing. “Our expertise integrates regulatory issues and the highest standards in terms of quality, integrity, security and confidentiality. This expertise is now a valuable catalyst for our clients wishing to deploy innovative digital services while benefiting from a very high level of services and an extremely short time-to-market.”

— ADDRESSING BUSINESS MORE DIRECTLY

EBRC meets the needs of international stakeholders who want to further develop their business in Europe. The company supports large accounts in their digital transformation process as well as Start-ups or FinTech companies developing new digital services. “All these players have high standards for their data protection and the availability of their operational systems, often in a strict and restrictive regulatory environment.” In the context of digitalisation, companies look for turnkey solutions that meet their needs. “Our clients who look for solutions to digitalise their business have to ensure the quality of their service provider. The “Powered by EBRC” label provides the first level of guarantees, certifying that the service is hosted by EBRC”, states Jean-François Hugon.

— A CATALOGUE OF “TRUSTED” SOLUTIONS

The “Powered by EBRC” programme provides an answer to these concrete expectations. The catalogue is made up of selected solutions driven by EBRC clients. “These solutions rely on our infrastructure and expertise. The goal of “Powered by EBRC” is to kick off a virtuous circle by helping our partners convince their own clients more easily”, continues Jean-François Hugon. “The label reflects services with high added value and high levels of availability and data protection. We want to make it easier to identify our clients and partners using our services, which thereby automatically inherit EBRC’s built-in guarantees.”

— A WIN-WIN APPROACH

The solutions “Powered by EBRC” process sensitive data in the areas of FinTech, Health, Artificial Intelligence and Space. “This programme reinforces relationships we already have with our clients to create strong partnerships. We are aware that their success contributes to our own growth. “Powered by EBRC” aims to support them, to boost their OPEX-centric business solutions. Our collaboration enables them to better respond to specific requests from major customers requiring for instance the implementation of dedicated environments that provide all the necessary guarantees. Through this approach, it is possible to convince new businesses to rely on our trusted ecosystem. We promote the hybridisation of our clients’ information systems by enriching them with solutions that are certified and ready for use”, concludes the Head of Marketing.
“POWERED BY EBRC” MEMBER COMPANIES
Discover three of our Powered by EBRC members and find out more about their solutions on our website
BANKABLE
Using Bankable services, “Moneyou” - a subsidiary of ABN AMRO - was able to offer a current account to 500,000 clients in less than one year. The London FinTech company, whose platform is hosted in EBRC data centres in Luxembourg, allows new banking start-ups to more easily emerge and enables established institutions to launch new services by taking advantage of a shortened time to market. Bankable decided to host its solution in Luxembourg, within EBRC Tier IV data centres. “To win the confidence of our clients, we have to rely on partners offering excellent quality of service” concludes Eric Mouilleron. “EBRC certifications, which are backed by stringent procedures and state-of-the-art infrastructures, guarantee the highest level of security and availability. Furthermore, EBRC PCI DSS certification even allows us to offer credit card payment services to our clients.”

LIMONETIK
Created in 2008, Limonetik is nowadays considered as one of the most disruptive companies on the payment market and proves its value through major contracts signed with the largest PSPs, international buyers, and B2B marketplaces. Limonetik’s first challenges were to process and create payment methods, but also simplify and accelerate their development on the Internet. “Limonetik has been working with EBRC since 2012 and chose its services because the company was then the only supplier with PCI DSS accreditation and which could provide full banking services (3 Tier IV certified data centres). EBRC guarantees the availability of the service for all payment methods offered by Limonetik.” says Olivier Berthelier, CTO & co-founder.

BIONEXTLAB
Founded in 2017, BioneXt LAB is a medical biology analysis laboratory which has launched a scalable interface for communication between healthcare professionals and patients that includes an iOS and Android compatible application. The tool is customizable, mobile, fast and makes it possible to provide fast treatment too, by simplifying patients’ and healthcare professionals’ lives. “myLAB Digital Health Ecosystem provides patient management from medical prescription until results through the blood test stage. myLAB is supplemented by an interactive interface dedicated to preventive medicine named B-Next CARE, which helps to move from management of a declared pathology to a 4P medicine that is predictive, personalized and involving the patient taking into account his specificities (including genomics) in order to anticipate the future pathology and respond to it preventively” explains Jean-Luc Dourson, Founder & General Manager.
NEWS

EBRC AND WALLIX GROUP join forces to strengthen the protection of critical assets in Europe

EBRC (European Business Reliance Centre), IT service operator specialized in the management of sensitive information, and WALLIX Group, a European publisher of Privileged Access Management (PAM) software, partnered with the aim of setting up “by design” protection of IT systems and guaranteeing the companies’ trust in digital.

EBRC and WALLIX want to provide businesses and organisations with the means to implement a Cyber-Resilience strategy to deal with digital environments that are increasingly exposed to risks of cyber-attacks and subject to extremely stringent regulatory constraints, in particular in the fields of finance, health and the public sector.

WALLIX helps organisations protect their critical IT infrastructures by securing and tracing access to servers, terminals and connected objects in the cloud environment. By encouraging organisations to design their cyber-security policy according to the “Privacy & Security by Design” principle, WALLIX also enables them to meet compliance requirements and changes in regulations.

Since its creation in 2000, EBRC has positioned itself as a specialist in the management and protection of sensitive information, and has developed an offer that is unique in the market as it integrates the full value chain: consultancy, outsourcing, cloud, security, business continuity and data centres enabling it to offer a cyber-resilient service offering. This offering is aligned with the highest level of requirements, including international standards and certifications: ISO 27001, ISO 22301, ISO 20000, PCI DSS and Tier IV, to name a few.
IS YOUR DIGITAL FUTURE SECURE? DON'T LET CYBERTHREATS PUT YOUR BUSINESS ACTIVITY IN DANGER

WALLIX is a cybersecurity software vendor dedicated to defending and fostering organizations’ defense against the cyberthreats they face and offers solutions to ease their Digital Transformation

IDENTITY PROTECTION, ACCESS SECURITY, END POINT AND DATA PROTECTION

WALLIX Identity: An Identity-as-a-Service solution including unique authentication features (SSO), Multi-Factor Authentication (MFA), and access management

WALLIX Access: All-in-one PAM solution including session management, password management, access management and privilege elevation delegation management

WALLIX Data: End-to-end encryption technology which enables complete security of client data in any application

www.wallix.com
By relying on a trusted European partner such as WALLIX, EBRC further strengthens the value of its offering for the protection of business critical data. Thus, EBRC offers WALLIX Bastion for the implementation of strategic IT projects within a standardised environment. The clients of EBRC subsidiary, Digora, can enjoy the benefits of the Bastion solution.

By striking up this partnership, the two entities contribute to strengthen trust in digital by making a simplified cyber-security solution available to organisations in order to ensure their compliance with all regulations.

“The confidentiality, high availability and protection of data are among the highest priorities on Information Systems Managers’ agendas. This also involves meeting ever-increasing needs with regard to traceability of interactions with business’ digital assets. With WALLIX Bastion, we are strengthening the framework of trust that we have implemented within EBRC since 2000. In addition, we are particularly pleased to have selected a European solution, making WALLIX a strategic partner within the framework of our integrated “Trusted Services Europe” offer” explains Yves Reding, EBRC CEO.

“WALLIX and EBRC have based their offer on the alarming observation of the increase in threats in cyberspace and the failure to take the associated risks into account. Our two entities share the same vision of a digital world which must move towards greater compliance, trust and security. By entering into this partnership, we are able to offer a simple way of achieving that objective” underlines Jean-Noël de Galzain, Chairman of the Management Board of WALLIX GROUP.
[Figure: THE 3 MODULES OF THE BASTION. Diagram labels: Access Manager, Session Manager, Password Manager, Password Vault; privileged user, external service providers; SIEM (Security Information and Event Management), log management; audit, risk, compliance; AAPM (Application-to-Application Password Management); application, Windows server, web console, appliance, Linux/Unix server, network and security equipment, industrial equipment; cloud ready.]
OUT OF BAND MANAGEMENT, the ultimate Cyber-Resilience within a data centre

By integrating the Out of Band Management technology with the RAHI-ZPE Systems partners at the heart of its data centres, EBRC eliminates residual “Single Points of Failure” in order to guarantee an optimal level of availability for stakeholders’ systems and improve Cyber-Resilience.

Although data centres make extensive use of equipment redundancy to ensure the resilience of the hosted systems, infrastructures still have some SPOF (Single Points of Failure) that can affect their availability rates. By implementing the “Out of Band Management” (OOB) technology, EBRC intends to eliminate those SPOF and provide its customers with an additional and optimal level of availability.

ELIMINATING THE RESIDUAL RISK THAT CAN AFFECT THE BUSINESS

The OOB technology makes it possible to keep control of the active components of the network, even if the latter should fail. “Despite all the security measures adopted to ensure a high level of resilience, some weaknesses remain and create a minimal residual risk for business continuity”, says Michel Ackerman, EBRC Business Consultant. “Those weaknesses are most often located in the active elements of the network. As an example, a firewall experiencing a partial failure could render its entire cluster inoperative, causing a loss of accessibility to the platform. In such cases, a physical reboot of the equipment is required. If that operation requires human on-site intervention, the resolution time may be incompatible with the platform user’s business requirements. Anticipating this kind of event using various technologies is the aim of the Out of Band Management technology.”

AVOIDING PARALYSIS AND IMPROVING CYBER-RESILIENCE

Several large companies around the world, including major European banks, have already faced situations in which access to the network is impossible. The systems’ users and administrators are paralysed as a result. “The only way of remedying this situation involves a physical intervention in each data centre concerned in order to reboot the failing components”, adds Michel Ackerman. “Such an intervention, which depends on the teams’ operation and travel times, may cause a business impact exceeding the company’s accepted tolerance depending on its industry and the application in question. However, high availability is becoming the standard in a digital and interconnected economic environment. Out of Band Management is therefore positioned as a crucial technological building block of Cyber-Resilience.”

MAINTAINING CONTROL OVER THE EQUIPMENT IN ALL CIRCUMSTANCES

EBRC and RAHI Systems, integrator of the ZPE Systems technology, now offer an original solution to cover the residual risks associated with IT infrastructure management. “Out of Band Management makes it possible to remotely control components that are considered critical”, explains Bruno Paolini, Director Europe at RAHI Systems. “Its aim is to enable administrators to access critical infrastructures through the ‘NodeGrid Services Routers’ by using a parallel communication service (Internet, MPLS, 4G, etc.). Thanks to this OOB infrastructure, it is possible to use a remote administration console with an ‘HTML5’ interface to carry out operations that previously required an on-site intervention, such as activating/deactivating, reconfiguring or monitoring a given active component (firewall, router, Load-Balancer, network, server, storage array, PDU, and many others).”

IMPROVING THE MAINTENANCE SERVICE AND REDUCING HUMAN ERROR

In addition to avoiding time-consuming travel, its ergonomics provide the added benefit of reducing the probability of human error and optimising maintenance operations. “The CRM interface linked to the Out of Band Management solution enables the manager to access the 360° overview of all components in the network, making it easier to target remote interventions in the event of a problem, while also making it possible to more easily carry out several maintenance operations on those components”, underlines Bruno Paolini. “In addition, the open architecture developed in an Open Source world under Linux/Intel adds a potential for automation for more proactivity in order to prevent rather than cure.”

A RECOGNIZED AND PROVEN TECHNOLOGY

“The benefits offered by OOB within infrastructures is such that the world’s leading stakeholders of the Internet and the world of Finance have adopted it” adds Bruno Paolini, “thus making the platforms within their many data centres accessible and remotely operable in all circumstances.”
[Figure: OUT OF BAND SOLUTION AT A GLANCE. Diagram labels: local user, remote user, Internet, auto switching, ZPE, servers/storage, routers/switches, PDU power, UPS power.]
OUT OF THIS WORLD...
Introduce OUT OF BAND MANAGEMENT to your company

- Eliminate Single Points of Failure
- Remotely Control Network Active Components
- Improve Cyber Resilience
- Cut Operational Costs

MANAGE YOUR NETWORKS, ANYTIME, ANYWHERE.
www.rahisystems.com bruno@rahisystems.com
The Inuksuk represents the HEART of EBRC: Human, Excellence, Agility, Responsibility, Trust

Inuksuk
Inuk = human being
suk = substitute, acting on behalf of

Inuksuks are piles of stones which serve as a reference point (orientation = consulting), but also, a hiding place (store = Data Centre). They are closely associated with orientation and resilience; with survival in a hostile world. Their longevity is legendary, as well as their resistance to the elements. This symbol, our logo, ties in perfectly with the polar iconography, resilience, solidarity and orientation. It is a concept which stands out and is coherent with our company history.

www.ebrc.com