The very public SWIFT breaches and the SWIFT consortium’s reaction have been a canary in a coal mine, setting many regional governments in motion to look at the ramifications of ‘wide open’ payment systems and driving the development of the new SWIFT Customer Security Controls Framework in the past year.
The Framework comprises a core set of mandatory and advisory security controls that establish a security baseline for SWIFT members – with pressing compliance deadlines. Organizations had to announce their level of compliance with the mandatory controls by the end of 2017 and have to declare full compliance by the end of 2018.
New Segmentation Controls
The SWIFT Customer Security Controls Framework mandates the isolation of the SWIFT payment infrastructure from other applications within SWIFT members’ data centers. Some of the key controls that financial services organizations are required to address around segmentation include (but are not limited to):
- SWIFT environment segregation: Segment local SWIFT infrastructure from the broader enterprise and external environment to create a “secure zone.”
- Internal data flow security: Protect the confidentiality, integrity, and authentication of SWIFT data flows in the secure zone and across links to user PCs.
- System hardening: Harden all systems and infrastructure within the secure zone and on user PCs.
- User account management: Limit user access based on need-to-know, limit user privileges, and segregate user duties.
- Logging and monitoring: Deploy capabilities to detect anomalous activity, including a process or tool to frequently store and review logs.
The Global Reaction
While all financial institutions that are part of the SWIFT consortium must commit to being compliant by year's end, many governments have already mandated that payment systems be segmented. Some of those regimes and approaches are discussed below.
In the U.S., the Federal Reserve has issued a series of Supervisory Actions in the form of Matters Requiring Action (MRAs) and Matters Requiring Immediate Action (MRIAs) regarding segmenting payment systems. The first MRAs and MRIAs were aimed at the largest banks in the United States – specifically around their payment systems such as Automated Clearing House (ACH) and Fedwire.
As time has passed, the Federal Reserve has made its way from the largest banks to regional banks and has asked for similar compliance. Based on discussions with Chief Information Security Officers (CISOs) of large regional banks, many believe that the Federal Reserve will begin the process of auditing and then mandating that payment systems be segmented from the rest of their infrastructure in 2019.
French banks are regulated by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI or National Security Agency of Information Systems). It has also begun to regulate the separation of payment infrastructure from the rest of the infrastructure within its banks.
However, its version of segmentation is even more rigorous, requiring financial institutions to:
- Avoid collocating regulated payment systems on the same hypervisor as non-regulated systems – in other words, a workload that is part of a credit card balance application cannot be on the same hypervisor as a regulated payment server.
- Segment all regulated assets from non-regulated assets.
- Place all regulated assets on a physically separate network or have encryption between the workloads that comprise those payment applications.
Other Global Banks
Depending on the country, governments have decided either to intercede or to rely on the banks to self-police the protection of their payment infrastructure. For instance, as of this writing, Australia does not have any regulations that govern Australian payment systems, but all banks still need to comply with the regulations around SWIFT. Similarly, in the wake of the SWIFT attacks, SAMA (Saudi Arabian Monetary Authority) published its own Cyber Security Framework, which explicitly calls out the SWIFT requirements for banks in Saudi Arabia.
The challenge of SWIFT compliance is twofold:
- Timing: Each of the compliance regimes requires full compliance or attestation to compliance by a specific date.
- Minimizing disruption to payment systems: Payment systems are critical to keeping banks running – that is the mechanism by which money flows between these institutions, creating liquidity and trust in the financial system. Getting compliant cannot impact interbank transfers.
Reconciling these challenges requires a strategy that allows the organization to get to timely compliance with minimal impact to “Run The Bank” activities. It’s important to note that ‘forklifting’ entire payment application systems often isn’t possible since there are many adjacent systems that interact with critical payment infrastructure. Arbitrarily moving these systems can impact the bank by breaking the applications that make up payment systems.
WHAT DO PAYMENT SYSTEMS LOOK LIKE?
Each bank’s payment systems infrastructure is different. Some banks have all of their infrastructure inside of their data center. Depending on size, parts of the infrastructure may be outsourced.
In the case of SWIFT, deployments have different architectures – from A1 (“full stack”) where the entire SWIFT payment infrastructure is housed within the data center of the bank to type B (“no local footprint”) where the SWIFT infrastructure is hosted by a third party. At banks that host payment systems like SWIFT, those systems are primarily comprised of Windows and Linux systems. Many of the persistence layers are made up of bare-metal AIX and Solaris systems.
For some of the biggest banks, SWIFT has multiple applications. A bank may have a SWIFT production environment with 10 applications and over 100 OS instances that comprise those applications. Then consider that those applications sit in multiple environments: Development, UAT, and Production.
Finally, because payment systems are considered critical infrastructure, they need to be resilient in the face of data center failure. The applications that comprise payments are rarely found in a single data center – instead, they're spread across multiple data centers so that if one data center goes down, the institution can continue to transfer money.
GETTING TO COMPLIANCE
The key to getting started is determining a strategy to meet the compliance deadline on time and then evaluating whether the need for segmentation is going to grow.
The first step is building a real-time application dependency map to understand what systems comprise payments. Most organizations that have successfully been able to segment off SWIFT and other payment infrastructure did not do it with a centralized team. The SWIFT application teams have attested to the workloads that are part of those systems – and the application dependency map is a critical part of helping them attest to the systems that are part of their applications.
Once the application dependency map is built, the next challenge is determining the right solution to solve the segmentation problem.
There are three general approaches:
- Network-based segmentation: This requires an organization to either move the servers that make up the payment systems, which can be costly, and/or to upgrade the network infrastructure, which is even more costly.
- Hypervisor-based segmentation: This requires an organization to use a hypervisor to segment workloads. Unfortunately, hypervisor-based solutions do not do well with bare-metal servers and most organizations' payment systems will have some amount of bare-metal servers (and some virtual infrastructure).
- Host-based segmentation: These solutions activate the native OS-level firewalls that are found in every host. The challenge is in coordinating and programming these numerous and heterogeneous enforcement points. Many of the largest financial institutions in the world, including Morgan Stanley, BNP Paribas, and a host of other banks, have turned to host-based solutions because they allow them to meet compliance faster and more effectively than network and hypervisor-based products.
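The sketch below is an added example, not code from the article or from any product it mentions. It shows how an application dependency map built from observed flows can be turned into a default-deny inbound allowlist for each attested secure-zone host, which is what a host-based approach would program into the OS firewalls. All hostnames, ports, and the approved-crossings list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data, not from the article. Hostnames and ports are hypothetical.
# Workloads the application teams attested as part of the payment secure zone:
SECURE_ZONE = {"swift-gw01", "swift-app01", "swift-db01"}
# Boundary crossings the owners reviewed and approved: (source, destination, port)
APPROVED = {("ops-jump01", "swift-app01", 22), ("swift-app01", "siem01", 6514)}
# Observed flows: (source, destination, destination port)
FLOWS = [
    ("swift-gw01", "swift-app01", 8443),
    ("swift-app01", "swift-db01", 1521),
    ("swift-app01", "swift-db01", 1521),  # repeat observation
    ("ops-jump01", "swift-app01", 22),
    ("hr-web01", "swift-db01", 1521),     # unattested system reaching the zone
    ("swift-app01", "siem01", 6514),
    ("hr-web01", "hr-db01", 5432),        # unrelated to payments
]

def classify(flow, zone):
    """Label a flow by where it sits relative to the secure zone."""
    src, dst, _ = flow
    if src in zone and dst in zone:
        return "intra"
    if dst in zone:
        return "inbound"
    if src in zone:
        return "outbound"
    return "outside"

def plan_segmentation(flows, zone, approved):
    """Return (per-host inbound allowlist, boundary flows still needing review)."""
    allow = defaultdict(set)
    review = set()
    for flow in set(flows):                      # de-duplicate observations
        src, dst, port = flow
        kind = classify(flow, zone)
        if kind == "outside":
            continue
        if kind != "intra" and flow not in approved:
            review.add(flow)                     # no rule is generated: default deny
        elif dst in zone:                        # approved outbound flows emit no inbound rule
            allow[dst].add((src, port))          # rule enforced on the destination host
    rules = {host: sorted(allow[host]) for host in sorted(zone)}
    return rules, sorted(review)

if __name__ == "__main__":
    rules, review = plan_segmentation(FLOWS, SECURE_ZONE, APPROVED)
    for host, allowed in rules.items():
        print(host, "allow inbound from:", allowed or "nothing (default deny)")
    print("needs owner review:", review)
```

The review list is the part the application teams act on: each entry is either an adjacent system that must be attested and approved, or a connection that will break when enforcement is turned on.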
About That Iceberg
A major question that many organizations are asking is, "Where do we draw the line?" Payment infrastructure does not sit on air-gapped networks; there are many other applications that connect into it. While government-mandated segmentation calls out the specific payment systems, many CISOs are wondering whether the upstream applications will come next. Systems that connect into the payment infrastructure are the next logical segmentation target for regulators.
While SWIFT got global banking thinking about segmentation, SWIFT is really just the tip of the iceberg. Thinking about a long-term strategy for segmentation requirements will pay long-term dividends.