SWIFT 7.2 & Customer Security
Providing choice, flexibility & control.

SWIFT 7.2 UPGRADE: WHAT DO YOU NEED TO KNOW?
DECEMBER 6, 2017
Patricia Hines, CTP
Senior Analyst, Corporate Banking, Celent

SWIFT 7.2 Upgrade: What's Happening?
SWIFT is upgrading the Alliance product suite, including:
- Alliance Access 7.2
- Alliance Entry 7.2
- Alliance RMA 7.2
- Alliance Gateway 7.2
- Alliance Remote API 7.2
- SWIFTNet Link 7.2
- Alliance Web Platform 7.2
Source: SWIFT Website
Introduction of 64-bit architecture and new operating system requirements: AIX 7.2, Red Hat Enterprise Linux (RHEL) 7.2, Oracle Solaris 11.3, and Windows Server 2016
"This mandatory upgrade is necessary to continue to provide a highly secure and efficient SWIFT service for our customers in the years ahead" (SWIFT)

Why is SWIFT Updating its Release Policy Principles?
- Cyber threats and security vulnerabilities require more regularly released security updates
- Formerly, security updates were combined with functional updates, on an ad hoc basis
- Release Policy Principles:
  - Clear end of support dates will be defined at the availability of an annual release
  - One planned release per year (aligned with message standards release)
  - Annual version supported for 2 years of maintenance and 7 months of migration support
  - And more
- Mandatory security updates will be issued once per year, with possible quarterly releases (if required)
Source: SWIFT Premium Forum Americas, New York City, May 1st 2017

SWIFT 7.2 Upgrade: What is the Impact?
The mandatory SWIFT 7.2 upgrade and technology refresh require:
- Upgrading SWIFT software components
- Upgrading operating system software baseline and move to 64 bit
- Evaluation and potential upgrade of existing hardware
- Significant systems and user acceptance testing
- New hardware model for HSM and 3SKey tokens
Full impact cannot be determined without a detailed gap analysis
Source: SWIFT Website

SWIFT: What Else is Happening?
- SWIFT Accord services decommissioned October 2017
- Customer Security Programme (CSP) compliance attestation required by December 31 2017
- SWIFT 2017 MT (FIN) and MX Maintenance Release required by November 17 2018
- SWIFT FileAct Enhancements
- SWIFT 2018 MT (FIN) and MX Maintenance Release required by November 2019 (New SWIFT Trade Messages)

SWIFT Updates: What is the Timeline?
- Sept 2015: 7.2 Preliminary Release Overview
- Aug 2017: 7.2 General Distribution
- Dec 2017: SWIFT MT Release 2018 Issued
- Nov 2018: FileAct Enhancements
- Nov 2018: SWIFT 7.2 Upgrade Mandatory Completion
- Nov 2018: SWIFT MT & MX Release 2018 Live

Planning for 7.2
- Upgrade all SWIFT Applications
- Change environment:
  - Hardware
  - OS
  - MQ
- Changes to comply with Customer Security Controls

We understand your challenges
How does it impact you (in-house)?
- Services to upgrade SWIFT Applications
- Costs of replacing OS
- Evaluation of hardware replacement
- Customer security controls changes
How does it impact you (Service Bureau)?
- Supporting vendor through testing of new platform
- Customer Security controls changes

What are your options?
2 Options:
1) Currently in-house:
- Stay in-house
- Outsource all or part of the infrastructure
2) Currently outsourced:
- Stay outsourced
- Move in-house
PayCommerce well-positioned to support both options:
- SWIFT Certified Specialists (for in-house)
- SWIFT Certified Service Bureau

SWIFT Architecture Connectivity

SWIFT Connectivity and Messaging Overview
[Diagram. Labels: Messaging; Connectivity; VPN Tunnel over Internet or Leased Line(s); Manual End-Users of SAA; Back-office integration with SAA; SWIFT messaging interface (SAA); Firewall; SWIFT Alliance Gateway (SAG) & SNL; VPN Appliances; SWIFT Web Platform (SWP); Hardware Security Module]

Service Bureau Outsourcing Options
1. Shared Services: Multi-tenant Service Bureau
2. Connectivity: SAA and non-SWIFT messaging support
3. Dedicated Services: Single tenant, dedicated network / servers for messaging interface

SWIFT 7.2 Upgrade: FileAct Enhancements
Functionality
- 2 GB file size supported (previously 250 MB)
Resilience
- Automatic resume of interrupted file transfers
- Unknown status requiring manual intervention eliminated
Efficiency
- Logical file name returned in delivery notification for reconciliation
- Ability to use all available bandwidth
- No limit on number of concurrent transfers
- Dynamic control of concurrent transfers
Cannot change to production w/o SWIFT authorization
Remote file handler, SNL & SAG 7.0.50 mandatory. Not all users are compliant.

Changes in MQ
SAA Interface changes
- Only MQ Client supported, not MQ server
- MQ Client Version supported 8.0.0.6 except 8.0.0.8 on Windows
- IBM released MQ 9.0 on June 2, 2016
- MQ 9.0 will not be supported for 2 to 3 years

7.2 Upgrade Process
Planning
- Involve Business, IT & Security teams
- SWIFT Best practice check tool (34 checks)
- Decisions on hardware, OS, security, outsourcing
- Budget approvals
Preparation
- Checklists (comprehensive checklist is 13 pages)
- Customized for each customer
- Confirmation that a checklist item has been completed
- How we can help
Execution
- Upgrade
- Test
- Go live

The Deadline
- November 30, 2018
- Will lose the ability to transact over SWIFT if migration not completed
Migration window
- SWIFT allows 15 months
- Out of 15 months, 3 are already over
- So only 12 (or more likely 11) months remaining
Resources
- The closer you get to November 30, the scarcer vendor resources will be
- November is also the 2018 message standards release
Plan now!! Execute ahead of deadline

Service Bureau Timeline
Test Environment
- March 31, 2018
- 7.2 test environment available in parallel with 7.1
Production Environment
- September 30, 2018
- Go live dependent on SWIFT confirmation for FileAct

Alliance Products: Compatibility
HSM Box
- IS6 (No change)
- Software version 6.1 compatible with SNL 7.0.50
- Remote PED Firmware to 2.7.0-3
- Remote PED WorkStation software to 7.2.0.1
HSM Tokens
- New, requires SNL 7.2
SNL & SAG
- Must be installed together
- Compatible with SAA / SAE 7.1.x
SAA 7.2
- Requires SAG / SNL 7.2
- Any applications that use ADK must also be upgraded
AWP 7.2
- Required for all 7.2 products

Alliance Products Upgrade Roadmap
General Principles
- Set-up new environment:
  - Must get new hardware
  - Install new OS
  - Install Alliance software and import data
Upgrade Path
- If HSM box, upgrade HSM software, Remote PED firmware, workstation software
- Install AWP 7.2 (but retain older AWP version)
- Install SNL and SAG together
- If HSM token, install HSM token
- Install SAA / SAE
- Decommission older AWP version

Customer Security
CSP and SIP
- Customer Security Program (CSP) is for SWIFT customers
- Shared Infrastructure Program (SIP) is for Service Bureaux
- SIP is more extensive with on-site audit (60+ controls)
- SIP being explicitly aligned with CSP in 2018
Deadlines and SWIFT Actions for CSP
Event | Deadline | SWIFT Action
Self-attestation | Dec 31, 2017 | Local regulators or supervisory authorities informed
Compliance with controls | Dec 31, 2018 | Local regulators or supervisory authorities informed

What You Need to Do for Self-Attestation
Collect Data
- Baseline document available to help you with what data you have to collect
Enter into self-attestation application on swift.com
- Part of SWIFT's KYC Registry
- This application is non-trivial.
Where you can get help
- support@swift.com, 540-825-6056
- JOHNSTON Jonathan, Jonathan.JOHNSTON@swift.com
- PayCommerce

What's your architecture?
- A1: Full Stack
- A2: Partial Stack (Messaging in-house, Connectivity Outsourced)
- A3: Software application to facilitate communication
- B: No local footprint

How many Controls are Applicable
Controls | Architecture A | Architecture B
Mandatory | 16 | 11
Advisory | 11 | 9
Total | 27 | 20

Service Bureau: Architecture A3 or B?
- User interface (B)
- MQ (B)
- File Transfer Application: Do you consider this middleware?
  - Yes: B
  - No: A3
- SWIFT or PayCommerce cannot make this decision
- Your judgment and interpretation of the framework

How PayCommerce can help - 1
Not for distribution
# | Name | Description
1.1 A | SWIFT Environment Protection | Secure Zone implementation
2.1 A | Internal Data Flow Security | Data flows between SWIFT applications
2.2 B | Security Updates | SWIFT application patches
2.4A B | Back-office data flow security | TLS, LAU implementations
2.6A B | Operator Session Confidentiality and Integrity | https, lock-out feature
2.9A B | Transaction Business Controls | RMA, Reconciliation, limit LT logins.
4.1 B | Password Policy | For SWIFT applications
4.2 B | Multi-factor authentication | For SWIFT applications
5.1 B | Logical Access Controls | Least privilege, segregation of duties, 4-eyes for SWIFT applications
6.2 A | Software Integrity | For SWIFT applications
6.3 A | Database Integrity | For SWIFT Applications
6.4 B | Logging and Monitoring | Event Journal, Automated alerting

How PayCommerce can help - 2
# | Name | Description
2.7A B | Vulnerability Scanning | Vulnerabilities within SWIFT environment
6.5A A | Intrusion Detection | Network activity tracked for intrusion
7.1 B | Cyber Incident Response Planning | Reviewed annually and tested once in 2 years
7.3A B | Penetration Testing | Application, host and network testing
