BDO Unibank taps Zscaler to secure cloud migration

Philippine banking giant BDO Unibank is shoring up its cyber security capabilities to protect its data and systems as it moves more services to the cloud and expands its physical presence into remote areas of the archipelago.

The bank is working with US-based cloud security firm Zscaler to adopt the zero-trust security model, which assumes no user or device is automatically safe, requiring strict verification for any access request.

Paul Siy, BDO’s senior vice-president and chief information officer, said the bank now prioritises cloud-based software over hosting applications on its own servers.

“Our approach is to adopt software as a service, followed by cloud-hosted applications, with on-premise deployments as the last resort. Because of that, we needed to have a secure way of accessing those applications,” he said at Zscaler’s Zenith Live conference in Singapore last month.

BDO’s move to the cloud is taking place alongside an expansion of its physical branches to reach unbanked and underbanked populations across the Philippines, sometimes using satellite systems such as Starlink to connect branches in areas with poor infrastructure.

To secure its increasingly distributed network, BDO uses Zscaler’s cloud security services, including the secure web gateway, which has not only improved user experience but also freed up IT staff from manually whitelisting websites, a process that used to take days.

The challenges faced by BDO reflect a broader trend across the region, said Sanjay Yadave, Zscaler’s vice-president and managing director for the Greater Asia region.

“Security teams are challenged to provide consistent tools, governance and policies around infrastructure that spans public, private and on-premise environments. It has become a barrier to providing effective data security,” he said.

The Asia-Pacific region, which accounts for 16% of Zscaler’s global business, is a key growth engine for Zscaler, which recently hit $3bn in annual recurring revenue. It has set its sights to grow that figure to $5bn in the next two to three years. “We’re bullish about what we can achieve,” Yadave told Computer Weekly.

To drive growth, Zscaler has been expanding its capabilities beyond the secure web gateway it is known for to zero-trust network access, digital experience monitoring, and more recently, AI-driven security analytics and operations.

Following its 2024 acquisition of Avalor, the company’s AI data fabric now analyses 500 trillion security signals daily alongside data from more than 160 security vendors to help organisations identify and prioritise their biggest cyber security risks.

Another acquisition, Red Canary, provides agentic AI capabilities that automate the work of security analysts. “A task that might typically take an analyst 30 or 40 minutes to troubleshoot, we’ve seen our technology reduce that to three minutes,” Yadave noted.

To secure edge devices outside the datacentre, Zscaler, through its microsegmentation capabilities inherited from its acquisition of Airgap Networks, can isolate internet of things (IoT) devices, factory machines or even office printers, preventing a compromise on one device from spreading across the network.

Yadave said Airgap’s technology has been integrated into a hardened branch appliance that is now being used by the likes of International SOS to support the work of medics and other staff operating in remote locations. “Everything inside the branch, whether it’s a screen or camera, has a completely segmented IP address range, which it makes it very secure,” he added.

The company is also developing a federation capability that lets two Zscaler customers securely connect to each other’s systems. This helps enterprises manage complex supply chains, where partners can access each other’s data without opening up broader network access.

Yadave said Zscaler’s main challenge is not from rival suppliers but customer inertia, “because customers are so used to doing things the way they’ve always done it.”

He added that the firm is looking to replace legacy networking and security tools such as virtual private networks (VPNs), traditional firewalls, and multi-protocol label switching (MPLS) network connections with its platform.

“The list is quite long because the nature of zero trust means that when you deliver those capabilities in the way we do, it really negates the need for those legacy infrastructure and security tools,” Yadave said.