Why JN Data Uses Runecast for Compliance in Financial Sector
JN Data is a Danish IT operation and technology center with headquarters in Silkeborg and competence centers in Roskilde and Warsaw, focused on the delivery of IT operations and infrastructure to the financial sector. With around 850 employees, they help to create and further develop the technological foundation for Jyske Bank, Nykredit, BEC, SDC, Bankdata and Silkeborg Data.
The company is responsible for financial IT infrastructure which touches millions of Danes and over 40,000 employees in 200 banks and mortgage-credit institutions. Everything they do is centered around stability and efficiency for customers, which matters because of the systems running in their environment, where any downtime is costly. Almost every time Danes make a payment or use their mobile banking solution, it depends on JN Data for stability and security.
For this case study, we spoke with:
- Lars Enevoldsen, who oversees IT Operations Management (ITOM) aspects such as hardware compliance, firmware and drivers;
- Thomas Hallenberg, whose Compliance responsibilities include validating and verifying their compliance with SWIFT, CIS Benchmarks, and PCI DSS, as well as preventing any drift from their compliance posture.
Challenges (prior to using Runecast)
They were using vSphere, vROps, LogInsight, vRealize Automation, and a compliance tool called vSphere Configuration Manager. This last one was end of life and moved to vROps. They had enough human resources with a strong focus on documenting compliance, but they needed a new automation solution.
Prior to adopting Runecast, they were always proactive about managing their environment – essential for heavily regulated banking services with sensitive data. Being proactive is a strong focus for them as a team.
They have typically had multiple audits annually, and with the sunsetting of their previous tool they needed to find something that would continue to bring a high level of confidence that they would always be compliant.
A primary challenge that led them to Runecast was, according to Lars, “the need to be able to discover and track vulnerabilities for VMware products and hardware, in order to achieve and maintain continuous compliance for our environment.”
They met the Runecast team in 2019 at VMworld US in San Francisco, California, saw Runecast in action, and have been using it ever since.
To determine that Runecast met their needs, they ran a PoC and went through standard internal procedures with the enterprise architect, plus legal and procurement teams.
For an organization of their size, it was one of the fastest processes that Runecast has seen, verifying that JN Data is truly devoted to efficiency.
It was easy to deploy Runecast and configure the first scan… and then get the first compliance report. It all took maybe a day, with the biggest aspect being that “we wanted to customize our own compliance policies and create unique filters,” stated Lars.
Initially, they joked that they chose Runecast over other solutions because of the t-shirt they were given at VMworld, but then Lars clarified that “there weren’t any other options like Runecast available at that time, especially as our requirement at that time was to monitor against PCI compliance.”
They always had high standardization of their environment, and used automation where possible, so whenever they had an issue they had an ‘engine’ that would automatically fix the deviation. Runecast fulfilled that expectation but went beyond what they had been used to previously.
Runecast helped to prioritize discovered issues by “providing visibility against PCI standards with much less difficulty in maintaining the tool itself,” said Thomas. And beyond simply being prepared for compliance audits, “we are now able to provide more documentation and detailed reporting of our compliance posture with PCI and CIS.”
Additionally, according to Thomas, “It’s nice to pull out a Runecast report and verify compliance for various audits as they occur.” They now have a great overview of any vulnerabilities and KEVs, stating that “Runecast helps you to see exactly what you need to do for any gaps in compliance, and it gives us insights of things we can do better and push to our entire environment.”
When asked what aspects of Runecast surprised them the most upon first adopting it, Lars answered, “There is close to zero maintenance to run Runecast.”
Among the ongoing benefits that the JN Data team derives from Runecast is that, while they initially bought their license for PCI DSS compliance and were later able to add CIS Benchmark audits as well, they also use it extensively for IT operations management (ITOM).
When asked the primary benefit that Runecast delivers to their business, Thomas stated, “Being able to continuously monitor compliance state and be able to document and prove it easily.”
Runecast helps them to stay on top of any configuration drift, which they handle via built-in remediation scripts. It further helps them to proactively identify ongoing issues related to VMware KB articles, firmware, and vulnerabilities.
“I’m a bit afraid of the amount of time it would take if we didn’t have Runecast,” said Thomas.
When asked which aspects of Runecast continue to surprise them after working with it regularly over the years, Lars answered, “More capabilities are being added all the time, which means that other teams are starting to also use Runecast, for example our Vulnerability Team now uses it.”
Lars added, “And Runecast’s Support Team is excellent – whenever we raise a support ticket, we get an almost immediate reply, and if we need something changed, it seems pretty easy to do that. We requested CIS compliance checks, and within three months it was added to Runecast.”
Advice to Other Companies Considering Runecast
For other organizations considering Runecast, the JN Data team said that their Procurement Team trusted their judgment on Runecast capabilities. “We showed some overviews to the decision board, a few slides, and they quickly said ‘Go ahead’. It was a requirement for us to be compliant, which of course warranted a great solution for such,” stated Lars.
Regarding any tips or tricks that they would share with peers regarding how they work with Runecast, Lars reiterated, “It’s easy to implement, configure and maintain.”
Thomas added, “One of the big benefits is that even though we have many clusters and vCenters and only a subset of those that need to be monitored for PCI compliance, due to the easy way that Runecast is configured, we can apply PCI compliance checks to the entire environment. Even though it’s not required, it helps us to keep things simple and standardized across our environment, which is a strong focus for our organization.”
- The only solution available for their PCI and CIS compliance
- Easy to deploy, configure and maintain
- Procurement approved it after seeing a few presentation slides
- Provides simple but detailed reporting for continuous compliance
- Upgrade simulation feature helps automate hardware compatibility
- Capabilities continue to expand so that other teams have started to use it
- Responsive Runecast support and agility in adding new features, e.g. 3 months to add CIS profiles