African Export–Import Bank, also referred to as Afreximbank, is a pan-African multilateral trade finance institution created in 1993 under the auspices of the African Development Bank. It is headquartered in Cairo, Egypt. Afreximbank’s vision is to be the trade finance bank for Africa.
Afreximbank’s mission statement is: “To stimulate a consistent expansion and diversification of African trade, to rapidly increase Africa’s share of global trade, and in doing so, to operate as a first-class, profit-oriented, socially responsible financial institution and a ‘Centre of Excellence in African Trade Matters.’” Afreximbank’s mandate is to finance and promote intra and extra African trade using three broad services:
- Credit (Trade finance and Project finance)
- Risk Bearing (Guarantees and Credit Insurance)
- Trade Information and Advisory Services
Afreximbank has 50 African member countries. As of September 2019, the bank had three regional locations and was in the final stages of establishing a fourth regional office for Eastern Africa.
The regional offices are:
- Harare: managing the southern African countries
- Abidjan: managing francophone western and central African countries
- Abuja: managing anglophone western African countries
- Kampala: managing the countries in eastern Africa
- Yaounde: managing the countries in Central Africa
After deploying its resources on AWS, Afreximbank faced several challenges, the most prominent being the monitoring and maintenance of the new infrastructure. The bank primarily required an application monitoring solution that could be designed, engineered and operated in line with PCI DSS Level 1 compliance. A further requirement was to restrict traffic flows so that only the communication needed for business purposes was allowed and everything else was blocked. This in turn required that traffic logs and all event logs be forwarded to a SIEM in a timely manner for monitoring and threat prevention.
Another major challenge was to put in place security policy management, threat detection and response, user management with designated access levels, and finally to provide complete security services support 24/7.
The above challenges were addressed in a phased approach. Security policies were set up on a zero-trust basis: resources in the private subnets are not reachable from the internet, and traffic that attempts to breach the policy is blocked and alerted on at the firewall itself rather than deeper in the stack. The solution also included dynamic threat updates on the Palo Alto firewall and integration of a syslog server with the firewall, so that traffic, incident, event and threat logs are pushed to syslog and then parsed for monitoring in the Splunk SIEM. WildFire was enabled and applied to the internet-facing resources so that unknown files are inspected and zero-day threats can be mitigated. To regulate access to the application and network, only the specific ports required for business communication were allowed; all other traffic is denied by default. DoS protection policies and zone protection profiles were configured on the Palo Alto firewall to mitigate the risk from volumetric and reconnaissance-style attacks. To round off the security service offerings, a risk review committee was instituted and security reporting was developed to track progress against specific risk management and efficiency objectives.
Once the project deployment phase and the security services were complete, the engagement transitioned to Managed Support Services for day-to-day 24x7 monitoring, administration, support requests and change requests. As part of this, SIEM monitoring was configured to meet PCI DSS Level 1 requirements. Engagement activities included SIEM requirements gathering, design and deployment, followed by SIEM content tuning to reduce false-positive events and alerts and provide more actionable data to Level 1 (first-line) responders.
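The two detection steps described above, checking that the firewall only allows the business-approved ports and collapsing repeated events so first-line responders see one actionable alert instead of a flood, are shown below as an added example. This is not Afreximbank's, Palo Alto Networks' or Splunk's code. The log lines are constructed, and their simplified CSV field order is an assumption of this example, not the real PAN-OS syslog layout; in a real deployment the parser would be replaced by the SIEM's own field extraction for the vendor format.

```python
"""Firewall log triage: approved-port policy drift check plus alert deduplication.

Added example (not from the original page or the vendors it names). The log
sample is constructed and the CSV field order below is this example's own
assumption, not the actual PAN-OS syslog format.
"""
import csv
from datetime import datetime
from io import StringIO

# Assumed field order for the constructed lines (not the real PAN-OS layout).
FIELDS = ["time", "type", "src_zone", "dst_zone", "src_ip", "dst_ip",
          "dst_port", "proto", "action", "threat"]

# Constructed sample: a few TRAFFIC and THREAT events as a firewall might
# forward them to syslog. Includes a port-22 sweep, an over-broad RDP allow,
# and a repeated IPS signature hit.
SAMPLE_LOG = """\
2019-09-01T10:00:00,TRAFFIC,untrust,dmz,203.0.113.5,10.0.1.10,443,tcp,allow,
2019-09-01T10:00:01,TRAFFIC,untrust,dmz,203.0.113.5,10.0.1.10,22,tcp,deny,
2019-09-01T10:00:02,TRAFFIC,untrust,dmz,203.0.113.5,10.0.1.10,22,tcp,deny,
2019-09-01T10:00:03,TRAFFIC,untrust,dmz,203.0.113.5,10.0.1.10,22,tcp,deny,
2019-09-01T10:00:20,TRAFFIC,untrust,dmz,203.0.113.5,10.0.1.10,3389,tcp,allow,
2019-09-01T10:01:00,THREAT,untrust,dmz,198.51.100.7,10.0.1.10,443,tcp,alert,SQL Injection Attempt
2019-09-01T10:01:05,THREAT,untrust,dmz,198.51.100.7,10.0.1.10,443,tcp,alert,SQL Injection Attempt
2019-09-01T10:02:00,TRAFFIC,trust,dmz,10.0.2.4,10.0.1.10,8080,tcp,allow,
"""

# Business-approved flows (hypothetical): (src_zone, dst_zone) -> {(proto, port)}.
# Under a default-deny rulebase, any *allowed* session outside this table means a
# firewall rule is broader than the documented business requirement.
APPROVED_FLOWS = {
    ("untrust", "dmz"): {("tcp", 443)},
    ("trust", "dmz"): {("tcp", 8080), ("tcp", 22)},
}

# Actions worth turning into an alert for a responder.
ALERT_ACTIONS = {"deny", "drop", "alert", "block"}


def parse_log(text):
    """Parse the constructed CSV export into dicts with typed port and timestamp."""
    records = []
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["dst_port"] = int(row["dst_port"])
        row["time"] = datetime.fromisoformat(row["time"])
        records.append(row)
    return records


def find_policy_drift(records, approved=APPROVED_FLOWS):
    """Return allowed TRAFFIC sessions whose zone pair / proto / port is not approved."""
    drift = []
    for r in records:
        if r["type"] != "TRAFFIC" or r["action"] != "allow":
            continue
        allowed = approved.get((r["src_zone"], r["dst_zone"]), set())
        if (r["proto"], r["dst_port"]) not in allowed:
            drift.append(r)
    return drift


def dedupe_alerts(records, window_seconds=60):
    """Collapse identical alert-worthy events within a time window into one alert.

    A port sweep that produces N deny lines, or an IPS signature that fires on
    every retry, becomes a single alert carrying a count instead of N tickets.
    """
    buckets = {}   # key -> the currently open alert for that key
    alerts = []
    for r in sorted(records, key=lambda rec: rec["time"]):
        if r["action"] not in ALERT_ACTIONS:
            continue
        key = (r["type"], r["src_ip"], r["dst_ip"], r["proto"],
               r["dst_port"], r["action"], r["threat"])
        open_alert = buckets.get(key)
        if open_alert and (r["time"] - open_alert["first"]).total_seconds() <= window_seconds:
            open_alert["count"] += 1
            open_alert["last"] = r["time"]
        else:
            open_alert = {"key": key, "first": r["time"], "last": r["time"], "count": 1}
            buckets[key] = open_alert
            alerts.append(open_alert)
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for d in find_policy_drift(recs):
        print("policy drift: %s -> %s allowed %s/%d but not approved"
              % (d["src_zone"], d["dst_zone"], d["proto"], d["dst_port"]))
    for a in dedupe_alerts(recs):
        print("alert x%d: %s" % (a["count"], a["key"]))
```

Run as-is it reports one drift finding (RDP on 3389 allowed from untrust into the DMZ) and two alerts: the three SSH denies collapsed into one alert with a count of 3, and the two SQL injection signature hits collapsed into one with a count of 2. Tuning the `window_seconds` and the fields in `key` is the kind of content tuning that decides how much noise reaches a first-line responder.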
Managed Security Services began once the deployment of resources on AWS and the security hardening were complete. It is an ongoing engagement with multiple deliverables and services rendered on a daily basis.
The security hardening and managed security support services provide 24/7 threat monitoring and analysis, and end-to-end configuration and troubleshooting support for the cloud-hosted firewall by in-house security experts. Configurations are kept in line with industry best practice and the ISO 27001 standard. As originally requested by the security and compliance team, monthly and quarterly reports on active and passive threats are submitted to Afreximbank. Each security policy and configuration is reviewed to ensure it meets the bank's penetration-testing standards. Inline threat prevention and IDS/IPS were placed in front of the core banking application, together with automated and manual endpoint detection and response, to protect the critical infrastructure. The managed security support services also maintained uninterrupted business continuity for the bank around the clock.