
BBVA is one of the largest financial institutions in the world. Founded in 1857, it has its headquarters in Madrid, Spain, and a vast presence in more than 25 countries across the world. It employs 122,000 people and serves 80 million customers.

In keeping with its corporate values that place customers first, BBVA has invested in the most advanced technology available. It uses sophisticated data analytics to ensure user experience, innovative security technologies to keep their data safe, and high-quality solutions that stay in lockstep with users’ needs.

BBVA’s decentralized IT administration has a core team that creates global standards, but each region refines and implements them in its local territory. The corporate IT team recently decided to standardize on Cisco networking, partnered with Cisco CX to develop the new standard architecture based on Cisco Software-Defined Access (SD-Access), and recommended that the regions begin migrating to this new architecture.

 

“We wanted to standardize on a single networking architecture globally. We chose Cisco networking with Cisco DNA Center and SD-Access because of the complete zero trust security it offers with continuous monitoring and verification of trust in our connected endpoints.”
~ Carlos de Liniers, Senior Manager, Network Architecture & Global Deployment, BBVA

BBVA

Industry: Financial
Region: Americas – Colombia

Challenge
  • IT operations, performed by local teams independently in each site, could lead to performance and security inconsistencies
  • Support for employee mobility required extensive manual network updates
  • Malware in connected endpoints could potentially compromise personal and financial data

Solution and Results
  • A standard access architecture removed inconsistencies and led to more predictable outcomes
  • No manual effort required for employee movement as access policies handle configuration changes automatically
  • Continuous monitoring of all endpoints detects and flags any anomalous behavior

First stop Colombia

The very first country to deploy Cisco DNA Center is Colombia. Colombia boasts one of BBVA’s largest networks with 534 branches and customer service points in 122 different municipalities, employing over 7,000 people. The Colombian IT team adapted the corporate recommendation to their needs. “Colombia was the ideal region to start our transformation journey”, explains Carlos de Liniers, Senior Manager, Network Architecture & Global Deployment, BBVA. “They have a mobile workforce, a strong local commitment to security, and a highly trained IT team.”

Reflecting on Colombian needs, Luis Plata, Manager, Network Services, BBVA Colombia, remarked, “Our bankers in Colombia frequently travel from headquarters to branches or from branch to branch. In the past, every time they did so, it used to take our IT department up to four days to reconfigure the network for them. We were using manual configurations to set up access policies and had to be very careful not to leave any security holes.”

This intensive workflow became a non-issue once SD-Access was put in place, as SD-Access recognizes who is entering the network, obtains their access policies from Cisco Identity Services Engine (ISE), and automatically configures network devices to enforce those policies. That way, no matter where the user connects from, the network sets itself up for them, without any manual intervention, and the user has a seamless experience.


Never trust, always verify

Customer privacy and data security are paramount in any business, but much more so in the financial industry, and they are at the top of BBVA’s priorities. Conscious that securing their headquarters and branch perimeters was not sufficient in these days of advanced threats, they were keen to root out any malware that somehow made its way past their defenses.

Explained Luis, “We are very focused on finding and removing any threats in our system. For us, segmenting the network with SD-Access is only the beginning. We want to identify, validate, and secure all endpoints before they connect to our network, and make sure that they stay secure for the entire duration of their connection.”

Cisco DNA Center provides the solution to verify trust both before and for the duration of endpoint connection. Before an endpoint connects, AI Endpoint Analytics running within Cisco DNA Center uses deep packet inspection to identify and profile it. During each endpoint’s connection, Cisco DNA Center looks for any vulnerabilities in the endpoint’s posture, analyzes each endpoint’s behavior, and looks for any anomalies. Based on this analysis, it can detect whether the endpoint has been infected and whether any corrective steps should be taken. As part of this Trust Analytics component of AI Endpoint Analytics, Cisco has developed several endpoint models that can be used as references for detecting abnormal behavior.

These endpoint models are trained using NetFlow data for known endpoint types functioning under normal operating conditions and deployed within Cisco DNA Center. The real-time behavior of the endpoint under monitoring is compared to that of the known models. If there is a deviation from the expected modeled behavior, Cisco DNA Center will alert the user that the endpoint is not behaving as expected.

Luis agrees, “These security features will certainly help us make sure that we only allow trusted endpoints into our network and that they are quickly removed if they prove to be untrusted later on.”
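The comparison of an endpoint's live behavior against a model of normal behavior for its type, described above, can be illustrated with a small added example. It is not Cisco's model or code: it substitutes a simple median/MAD baseline over three flow features, and the flow tuples, addresses, feature names and threshold are all constructed assumptions.

```python
from statistics import median

FEATURES = ("bytes", "dst_ips", "dst_ports")

def window_features(flows):
    """Summarise one endpoint's flows for one time window.
    Each flow is (dst_ip, dst_port, byte_count), a simplified NetFlow record."""
    return {
        "bytes": sum(f[2] for f in flows),
        "dst_ips": len({f[0] for f in flows}),
        "dst_ports": len({f[1] for f in flows}),
    }

def train_baseline(windows):
    """Per-feature (median, MAD) learned from windows of known-normal traffic."""
    model = {}
    for name in FEATURES:
        values = [w[name] for w in windows]
        med = median(values)
        mad = median([abs(v - med) for v in values])
        model[name] = (med, max(mad, 1.0))  # floor avoids division by zero
    return model

def deviations(model, observed, threshold=6.0):
    """Features whose robust z-score against the baseline exceeds the threshold."""
    flagged = {}
    for name, (med, mad) in model.items():
        score = abs(observed[name] - med) / (1.4826 * mad)
        if score > threshold:
            flagged[name] = round(score, 1)
    return flagged

# Constructed training data: a thin client that only talks to its VDI brokers.
NORMAL = [
    [("10.0.0.10", 443, 52000), ("10.0.0.10", 443, 48000)],
    [("10.0.0.10", 443, 61000), ("10.0.0.11", 443, 9000)],
    [("10.0.0.10", 443, 55000)],
    [("10.0.0.10", 443, 47000), ("10.0.0.11", 443, 12000)],
]
MODEL = train_baseline([window_features(w) for w in NORMAL])

# Constructed live window: usual byte volume, but contact with 40 extra hosts.
SUSPECT = [("10.0.0.10", 443, 50000)] + [
    (f"10.0.1.{i}", 445, 400) for i in range(1, 41)
]

if __name__ == "__main__":
    print(deviations(MODEL, window_features(SUSPECT)))
```

The suspect window's byte count sits inside the normal range, so a volume-only check would pass it; only the number of distinct destinations deviates from the baseline.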

Best of wired and the finest of wireless

A notable feature in BBVA’s architecture is their use of Cisco Meraki cloud-managed wireless network devices along with Cisco Catalyst switches. While it may be unusual, it is completely in keeping with BBVA’s business requirements. “Our wired and wireless infrastructure serves different sets of users. While our core banking business is performed on thin clients that connect to virtual desktops on the wired network, our wireless mainly serves mobile endpoints”, Carlos clarifies, “This is so that we can match the right security needs with the intended usage.”

The integration between Meraki Dashboard and Cisco DNA Center makes it easier for BBVA to manage both sets of devices as they can view and track the health of Meraki devices from Cisco DNA Center.

A network transition that even a user can love

Updating the network that your users depend on to conduct business every day can be challenging for IT. “We were able to minimize any disruption by preconfiguring our replacement switches through DNA Center, and then simply swapping all the users over to it”, said Luis, explaining the process, “That way we maintained security interoperability between the new switches with the old and the users didn’t feel any difference”.

Once the transition is complete, BBVA will have a thoroughly modern, automated, and secure infrastructure.

A more secure connected future

Talking about their planned rollout, Carlos said, “We are already looking beyond our current deployment. Branches in Colombia are next on our list after completing our headquarter deployment. We will then expand in other countries such as Argentina, Peru, etc., and won’t stop until we have a worldwide modern secure network, that can evolve with our business needs for the foreseeable future.”

Conclusion

BBVA standardized on a single comprehensive architecture for their campus and branch networks that provides the services that matter to them most, such as enterprise-wide consistent access policies, employee mobility, and, above all, continuous verification of zero-trust security. Get more details on these and other features in the Cisco SD-Access solution overview.
