What does it take to move over 38 million tons of agricultural, steel and mineral products around Brazil each year?
For VLI, it requires 8,000 kilometers of railway, 100 locomotives, 6,700 railway cars, eight intermodal terminals, four strategically located shipping ports, 8,000 employees and 1,000 contractors.
As complex as logistics and transportation are, the challenges extend far beyond simply moving products from Point A to Point B. As an owner and operator of an integrated logistics system of rails, ports and terminals, VLI must address myriad government regulations related to compliance, security, safety and other factors.
To comply with rail regulations set forth by Brazil’s national regulator for the ground transportation sector, the Agencia Nacional de Transportes Terrestres (ANTT), VLI must demonstrate how it safely manages its trains and railways. Further, in 2014, the company was organized as a holding company, a business model that is subject to numerous governance laws and regulations, in addition to certain operational and security rules that must be followed.
“We are a company with many government regulations,” explains Thiago Galvao, Chief Information Security Officer (CISO) at VLI. “In Brazil, port regulations require us to have specific controls and processes in place related to security. In the end, the regulations are related to technology, so identity management is important for me.”
Enhanced Response Time
VLI improves user access request response times by 99% from 5 days to mere seconds
Security Risk Minimization
With IBM Security solutions, VLI minimizes risks of malware and ransomware attacks
As part of the procedure of loading and unloading cargo, truck drivers and rail operators had to repeatedly sign on to systems to access reports and transactions, slowing the process and reducing productivity. Despite the company having large IT and development teams, there was no way to trace or track privileged users accessing VLI servers. The process of onboarding new employees and granting them access to systems and applications took weeks because it was handled manually. And the company also relied on labor-intensive paper-based processes to manage user lifecycles and carry out other controls related to user access.
When Galvao joined the company in 2018, he immediately recognized the need for identity and access management (IAM) solutions. “We had nothing for identity in the past,” he says. “I made an assessment and showed the board the risks, and how important it is to have a system in place to control user access.”
VLI’s approach to choosing a provider for its identity governance and administration (IGA) initiative was a meticulous six-month process. A key driver for the project was business enablement; specifically, having the ability to provide the right users with access to the right resources at the right time. Ultimately, VLI chose IBM for its local presence and support, its breadth of offerings and the cost effectiveness of its solutions.
“We started the RFP [request for proposal] process looking at a lot of solutions,” Galvao recalls. “We created scenarios. We made benchmarks. We looked at how solutions integrated. And we created scorecards.”
He continues: “We decided on IBM for a combination of reasons: the technology, local support and price. We validated the technical integration and that the solution works for us. We validated that IBM can attain our expectations. But it was also very important that I have support in Brazil because we need to have a relationship too. IBM paid attention to us. And the third reason was the price. So we made a big investment in IBM.”
Today, VLI is IBM’s first client to deploy solutions across the full portfolio of IBM Security Identity and Access Management products. To help with the integration and deployment, VLI turned to IBM Business Partner Qriar, a technology firm that specializes in cybersecurity solutions. Qriar has engaged with VLI since the initial RFP answering phase. It is working with the company throughout the entire project, from planning and defining the architecture to rolling out, installing, configuring and customizing IBM products according to the client’s needs and best practices.
VLI rolled out the solutions in four phases. Phase 1, which began in September 2019 and finished two months later, focused on IGA. During this time, the company deployed IBM Security Verify Governance software and the Microsoft Azure Active Directory platform. The IBM software automates processes that used to be labor-intensive, such as access certifications, access requests and password management. It also delivers detailed reports and recertification campaigns to ensure users are only given the access rights they need to do their jobs.
In Phase 2, VLI deployed three solutions from IBM’s Privileged Access Management suite: IBM Security Verify Privilege Vault, IBM Security Verify Privilege Manager for Client and IBM Security Verify Privilege Manager for Server technologies. IBM Security Verify Privilege Vault software helps protect VLI’s most sensitive servers by eliminating the need for shared privileged users’ passwords. The session recording feature records all of the action executed on the servers, thereby providing extensive auditing trails and helping VLI manage compliance with strict identity governance requirements.
IBM Security Verify Privilege Manager technologies help VLI minimize the risk of malware and ransomware attacks by reducing the number of non-administrative users who have administrative privileges on endpoints. VLI can also configure lists of trusted and untrusted applications and commands, and customize elevation policies.
In Phase 3, VLI deployed the enterprise and virtual enterprise editions of IBM Security Verify Access (formerly IBM Security Access Manager software, or ISAM) and IBM Security Directory Suite Enterprise Edition technologies.
In addition to simplifying the authentication architecture, IBM Security Verify Access software provides single sign-on (SSO) capabilities for web-based and non-web-based systems, helping boost productivity of line workers. In the future, the company can expand its virtual edition to enable multifactor identification or logins without passwords. With the robust and scalable directory of IBM Security Directory Suite technology, VLI can store the identities of internal and external users and take advantage of powerful replication and high-availability features.
Today, VLI is in Phase 4, which involves integrating its IGI solutions with its SAP ERP. Ultimately, the IBM technologies will be connected to more than 10 key IT systems and subsystems. They will also help support VLI´s IAM standards for integration with the remaining applications, both existing and new ones.
By deploying IBM Security solutions, VLI has realized benefits from the loading docks to the bottom line.
The software automates processes that used to be labor-intensive, such as access certifications, access requests and password management. In the past, these activities could take up to five days, creating delays and worker frustration. Now access requests are granted automatically upon a manager’s approval, or 99% faster than before.
“We have 8,000 employees and about 1,000 contractors and customers,” explains Galvao, “so about 9,000 people who need access to our different systems to move the trains. It’s critical for timing — a new driver can’t be waiting to unload a truck. He needs access to records about product movements and transactions.”
By eliminating the delays and frustration associated with system access, employee satisfaction and productivity improved. “We measure our performance according to the total weight of cargo we move through the rail,” says Galvao. “In April 2020, we achieved the highest number in the history of the company.”
The IBM solutions are also helping minimize risk related to cyberthreats and system access by unauthorized people. Galvao concludes: “A key point is risk and avoiding attacks. Before, users who left the company might still be activated in the system. It was because we didn’t have standards. We maybe had external people using our systems and we didn’t know who.
“Now I have controls. Now we are investing in identity solutions and increasing the number of integrations.”
Founded in 2011 with headquarters in Belo Horizonte, Brazil, VLI (link resides outside of ibm.com)is the country’s leading rail-based logistics solutions operator. The company controls an integrated system of more than 8,000 km of railroads, 700 locomotives, 6,700 railway cars, four ports and eight intermodal terminals across 10 states. It also operates in five logistic transport corridors across Brazil. VLI serves the industrial, steel, agricultural and mineral industries. VLI staffs roughly 1,000 contractors and 8,000 employees.
About Qriar
Based in São Paulo, Brazil, Qriar (link resides outside of ibm.com)specializes in developing, integrating, implementing and customizing cybersecurity solutions. Areas of expertise include privileged access management, identity governance and management, user authentication and API security management. During the IBM Think Digital 2020 conference, the company was awarded the IBM Excellence Award for Outstanding Growth in the IBM Security category. The award recognizes IBM Business Partners who have demonstrated excellence and delivered exceptional client experiences and business growth. Qriar was founded in 2016.
Legal
© Copyright IBM Corporation 2021. IBM Corporation, Security, New Orchard Road, Armonk, NY 10504
Produced in the United States of America, April 2021.
IBM, the IBM logo, ibm.com, and IBM Security are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at https://www.ibm.com/legal/copytrade.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.