Headquartered in Marina Bay, Singapore, DBS is a Singaporean multinational banking and financial services corporation. It is the largest bank in Southeast Asia by assets and among the larger banks in Asia. With operations in 17 markets, the bank has a regional network spanning more than 250 branches and over 1,100 ATMs across 50 cities.
Having two separate Intranets spread across different physical locations, DBS were looking to protect access to resources inside the Intranet using VPN. In addition to this, they wanted to add a second factor of authentication to their existing VPN. Because they only had one security factor in place, they were vulnerable to hacking or other breaches. This could jeopardise the corporation's data and result in a massive revenue loss for the company.
Using the miniOrange On-Premise Identity Provider (IDP) platform, miniOrange provided DBS with a solution to restrict access to Fortigate VPN with Multi-Factor Authentication (MFA). Because the organisation wanted the entire setup to be protected from internet exposure, as well as a "High availability solution," the entire solution was uniquely custom-built for their needs.
Initially, there were no second factor restrictions in place for accessing the DBS Fortigate VPN. In such a case, the company's data could be vulnerable to hacking, phishing attacks, or identity theft. miniOrange provided a solution for DBS by limiting access to the Fortigate VPN via a Second Factor of Authentication. Before they could access the VPN, end users had to pass the two factors of authentication. This second factor supplemented their existing LDAP directory credentials. The users were authenticated using the miniOrange “On-Premise Identity Provider”.
Secondly, users could configure their 2FA methods on the ‘On-Premise platform’ of the miniOrange Identity Provider. miniOrange provides 15+ authentication methods such as “Google Authenticator”, “Microsoft Authenticator”, “Soft token”, “OTP over SMS/Email” etc. End-users could enable any of the Authentication methods that the administrator had assigned to them.
Finally, miniOrange provided an end-user portal through which users could update their information in the LDAP directory. After entering both authentication factors, the users were connected to the VPN and thus able to access the intranet.
All DBS end users were required to use mobile tokens, which needed initial configuration. To accomplish this, the initial second factor method for intranet access was set to OTP over SMS. Users would receive a 6 to 8 digit password on their mobile phones, which they would use to authenticate themselves for the second factor. After successfully authenticating to the VPN and connecting to the intranet, the users were allowed to configure their mobile tokens.
Thus, miniOrange successfully onboarded all existing DBS VPN users to the setup.
The end users' capabilities could be defined by the On-Premise Administrator. This included what the end users could see on the End-User portals, as well as which 2FA method they could configure. This gave the administrator complete control over the end-user experience.
Along with MFA, DBS was also looking for a ‘High availability solution’. Because their development teams were in two different physical locations, they desired a solution that was tailored to their specific needs. In the event that one location's service went down for any reason, users would still be able to access the resources using MFA.
The entire setup was made up of various machines that handled different functions and were linked together by a peer-to-peer link. In the event that a single machine in a specific physical location failed, the associated machine in the other physical location took over. In an ideal state, both machines worked concurrently. This solution ensured that any system failure did not impede the team's ability to access the company resources.
Thus, using a hybrid solution, DBS has secured their data and eased access to their resources for their employees.