Securing Your SWIFT Environment Using Micro-Segmentation

Similar documents
Building a Smart Segmentation Strategy

How to Use Micro-Segmentation to Secure Government Organizations

How to Use Segmentation to Secure Government Organizations

Secure Access & SWIFT Customer Security Controls Framework

Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT

Securing Privileged Access and the SWIFT Customer Security Controls Framework (CSCF)

Best Practices in Securing a Multicloud World

the SWIFT Customer Security

Stop Cyber Threats With Adaptive Micro-Segmentation. Chris Westphal Head Of Product Marketing

ELIMINATING FIREWALL RULE PROLIFERATION

MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY TECHNICAL WHITE PAPER

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

Privileged Account Security: A Balanced Approach to Securing Unix Environments

HOW MIDSIZE ORGANIZATIONS CAN MEET COMPLIANCE REQUIREMENTS AND ENHANCE CYBERSECURITY WITH MICRO-SEGMENTATION WHITE PAPER FEBRUARY 2018

Clearing the Path to Micro-Segmentation. A Strategy Guide for Implementing Micro- Segmentation in Hybrid Clouds

Critical Infrastructure Protection for the Energy Industries. Building Identity Into the Network

AND FINANCIAL CYBER FRAUD INSTITUTIONS FROM. Solution Brief PROTECTING BANKING

GDPR Update and ENISA guidelines

Simple and Secure Micro-Segmentation for Internet of Things (IoT)

Simple and secure PCI DSS compliance

CipherCloud CASB+ Connector for ServiceNow

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

What It Takes to be a CISO in 2017

BULLETPROOF365 SECURING YOUR IT. Bulletproof365.com

A Guide to Closing All Potential VDI Security Gaps

MICRO-SEGMENTATION FOR CLOUD-SCALE SECURITY TECHNICAL WHITE PAPER

SOC-2 Requirement Solution Brief. EventTracker 8815 Centre Park Drive, Columbia MD SOC-2

The Business Case for Network Segmentation

3 Ways Businesses Use Network Virtualization. A Faster Path to Improved Security, Automated IT, and App Continuity

Deploying to the Cloud: A Case study on the Development of EHNAC s Cloud Enabled Accreditation Program (CEAP)

WHITE PAPER MICRO-SEGMENTATION. illumio.com

Controlling Costs and Driving Agility in the Datacenter

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

Protecting Your Cloud

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

MySQL CLOUD SERVICE. Propel Innovation and Time-to-Market

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

ACTIONABLE SECURITY INTELLIGENCE

74% 2014 SIEM Efficiency Report. Hunting out IT changes with SIEM

Have breaches declined since the massive Heartland Payments leak in 2008? What proportion of breaches are the result of hacking?

Stop Cyber Threats With Adaptive Micro-Segmentation. Jeff Francis Regional Systems Engineer

The threat landscape is constantly

Network Security Protection Alternatives for the Cloud

in PCI Regulated Environments

HIPAA Regulatory Compliance

PROTECT AND AUDIT SENSITIVE DATA

DEFINING SECURITY FOR TODAY S CLOUD ENVIRONMENTS. Security Without Compromise

SOLUTION BRIEF RSA NETWITNESS EVOLVED SIEM

Ο ρόλος της τεχνολογίας στο ταξίδι της συμμόρφωσης με τον Γενικό Κανονισμό. Αντιγόνη Παπανικολάου & Νίκος Αναστόπουλος

MODERNIZE INFRASTRUCTURE

90 % of WAN decision makers cite their

SECURITY & PRIVACY DOCUMENTATION

STRATEGIC WHITE PAPER. Securing cloud environments with Nuage Networks VSP: Policy-based security automation and microsegmentation overview

CyberArk Privileged Threat Analytics

WHY LEGACY SECURITY ARCHITECTURES ARE INADEQUATE IN A MULTI-CLOUD WORLD

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

MEETING ISO STANDARDS

A company built on security

The Top 6 WAF Essentials to Achieve Application Security Efficacy

SIEM: Five Requirements that Solve the Bigger Business Issues

SOLUTION BRIEF RSA ARCHER IT & SECURITY RISK MANAGEMENT

Automated Firewall Change Management Securing change management workflow to ensure continuous compliance and reduce risk

Why Enterprises Need to Optimize Their Data Centers

Network Visibility and Segmentation

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Accelerate Your Enterprise Private Cloud Initiative

FOR FINANCIAL SERVICES ORGANIZATIONS

Microsoft Security Management

GUIDE. MetaDefender Kiosk Deployment Guide

Paper. Delivering Strong Security in a Hyperconverged Data Center Environment

Next Generation Privilege Identity Management

10 Cloud Myths Demystified

WHITE PAPER. The General Data Protection Regulation: What Title It Means and How SAS Data Management Can Help

Integrated Access Management Solutions. Access Televentures

Tracking and Reporting

Enterprise Guest Access

5 reasons why choosing Apache Cassandra is planning for a multi-cloud future

Technical Overview of DirectAccess in Windows 7 and Windows Server 2008 R2. Microsoft Windows Family of Operating Systems

RFP/RFI Questions for Managed Security Services. Sample MSSP RFP Template

SOLUTION BRIEF HELPING BREACH RESPONSE FOR GDPR WITH RSA SECURITY ADDRESSING THE TICKING CLOCK OF GDPR COMPLIANCE

Spotlight Report. Information Security. Presented by. Group Partner

6 Vulnerabilities of the Retail Payment Ecosystem

White Paper. How to Write an MSSP RFP

Comprehensive Database Security

White Paper Server. Five Reasons for Choosing SUSE Manager

BUILDING A NEXT-GENERATION FIREWALL

THE IMPACT OF SECURITY ON APPLICATION DEVELOPMENT. August prevoty.com. August 2015

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

How to Write an MSSP RFP. White Paper

FireMon Security manager

Simplify PCI Compliance

Data Privacy in Your Own Backyard

Escaping PCI purgatory.

Simplify Application Access with Azure Active Directory

CSP 2017 Network Virtualisation and Security Scott McKinnon

Data safety for digital business. Veritas Backup Exec WHITE PAPER. One solution for hybrid, physical, and virtual environments.

WHITE PAPER DECEMBER VMWARE vsphere VIRTUAL MACHINE ENCRYPTION. Virtual Machine Encryption Management

FIREWALL CLEANUP RECOMMENDATIONS

Security by Default: Enabling Transformation Through Cyber Resilience

Networking for a dynamic infrastructure: getting it right.

Transcription:

Securing Your SWIFT Environment Using Micro-Segmentation WP201801

Overview By January 1, 2018, all SWIFT customers must self-attest to their compliance with the new SWIFT Customer Security Program (CSP). The program is designed to respond to the wave of cybercrime targeting SWIFT installations that began with the Bank of Bangladesh breach back in February 2016 and has swept across the world over the last two years. Needless to say, given this increased targeting, securing SWIFT environments is a priority for every financial institution regardless of the CSP; but like any deadline, meeting all of the CSP requirements on time can be challenging. If organizations have not met all 16 of the CSP s mandatory controls by January, they have until the end of 2018 to close those gaps. The SWIFT CSP requires the implementation of a wide range of controls from encryption to segmentation and multifactor authentication. Addressing any gaps can require rethinking existing strategies, updating security protocols, and deploying new tools to meet the CSP s requirements. It is tempting to jump right into the 16 mandatory controls, but what most organizations don t realize about securing their SWIFT application is that there are three specific challenges that prove especially difficult for SWIFT customers looking to meet the compliance deadline: 1 2 3 Generating an accurate, real-time application dependency map (ADM) of the SWIFT application; Segmenting the SWIFT application from the rest of the infrastructure and imposing segmentation to isolate highest value targets; and Validating the SWIFT application s dependency map and segmentation. Securing Your SWIFT Environment Using Micro-Segmentation 2

This white paper explains each of these challenges and guides you on how to address them most effectively ensuring that your SWIFT compliance initiative runs quickly and smoothly, shortening your audit and avoiding costly mistakes. Generating an Accurate, Real- Time Application Dependency Map of the SWIFT Application You can t secure your SWIFT application if you don t understand the infrastructure on which it runs and how its component systems communicate. This requirement is an essential first step to effective SWIFT compliance; organizations that skip this step risk missing key components of critical infrastructure, leaving themselves out of compliance and exposed. SWIFT provides its customers with four possible application diagrams for their SWIFT deployment. By using architecture B, the need for this mapping is greatly reduced for organizations that outsource most of their SWIFT functionality because most of the critical systems reside on an external network that is beyond their immediate control. For organizations that run most or all of their SWIFT functionality themselves (architectures A1, A2, and even A3), mapping the extent of their SWIFT infrastructure is critical. Many organizations begin this mapping exercise with a network diagram, but network diagrams are poorly suited to understanding application architecture because they only show how network devices communicate. They don t reveal how applications function and share data in real time. To build an accurate map of a SWIFT environment, you must understand how the various systems within it share and process data, for instance, how your SWIFT messaging interface interacts with your SWIFT GUI and communication interface. Building this application-awareness from a simple network diagram generally requires extensive manual effort on the part of the infrastructure and security teams. It can be expensive and slow, and it requires constant manual review and updating as the SWIFT environment changes over time. Securing Your SWIFT Environment Using Micro-Segmentation 3

Building this diagram can be accelerated from days to hours if you have access to a real-time application dependency map. This is because an ADM is built on application-aware metadata. This means that it outlines all the ways that your applications communicate and it can maintain this awareness over time, showing you how communications and applications shift and change as the environment changes. By leveraging an application dependency map, you can quickly generate an accurate and up-to-date understanding of your SWIFT infrastructure, ensuring that you can tailor your compliance strategy to the reality of your systems. Benefits of Application Dependency Mapping Versus Network Diagramming Accuracy Precision Speed Real-Time Application Dependency Map An ADM can automatically identify and map all communications within your SWIFT environment, whether they originate elsewhere in the network or the public internet. This automatic identification process is reliable, repeatable, and upto-date, greatly reducing the risk of costly human error. ADM s automated analysis lets you precisely map your SWIFT infrastructure, saving you resources and time by ensuring that your efforts accurately address your compliance burden. ADM s automated, realtime process speeds up the mapping of your SWIFT environment by reducing the manual work your team must do. It speeds up the first audit and speeds up subsequent audits (when only environmental change must be tracked) even more. Network Diagram A network diagram shows the devices connected to the systems, but not what they do. You must manually map this to the SWIFT functions to identify the scope of your SWIFT environment. A manual mapping exercise like this is prone to errors, making it likely that your team will miss systems and connections that should be covered and expose you to liability. Because of the risk of inaccuracy inherent in the manual steps required when using network diagrams, you risk over-compliance (investing more than necessary) or under-compliance (missing critical requirements or systems). Either leads to inefficiency and unnecessary cost. Although a network diagram can serve as a useful jumping off point for understanding your SWIFT deployment, it takes extensive manual effort to transform a network diagram into a comprehensive map of your SWIFT architecture. This effort takes time and resources and can slow down SWIFT compliance to a crawl. Securing Your SWIFT Environment Using Micro-Segmentation 4

Real-time application communications within SWIFT environment Segmenting the SWIFT Application From the Rest of the Infrastructure and Imposing Segmentation to Isolate Highest Value Targets There are 16 mandatory controls in the SWIFT CSP, but not all controls are created equal. Many of them simply require the deployment of tools you likely already have elsewhere in your environment: malware protection, database and software integrity monitoring, multifactor user authentication, and others. All of these should be addressed, but the most significant and most foundational CSP requirement is that you deploy two types of segmentation: 1) between your SWIFT environment and your other networks; and 2) between components of your SWIFT environment itself (CSP 1.1). The importance of this requirement is reflected in the fact that it is much longer, and contains more individual components, than any other SWIFT control. Securing Your SWIFT Environment Using Micro-Segmentation 5

It is also the control that can prove the most challenging to comply with because many organizations are not used to imposing the level of granular separation between systems that SWIFT requires. Among other things, CSP 1.1 requires that the SWIFT environment be segmented from the back office and other components of the corporate network; it requires that host-by-host control of traffic be implemented within the SWIFT secure zone; it requires that internet access be limited to only certain, segmented systems; and it requires that SWIFT authentication systems be segmented from central authentication ensuring that a compromise of a global active directory deployment will not expose the SWIFT system. When most people think of enforcing these types of segmentation requirements, they think of traditional, network-based segmentation solutions, such as ACLs. Achieving the range and precision of segmentation required by the CSP using traditional network segmentation, however, is incredibly difficult. For instance, if your SWIFT deployment includes a cloud environment, you likely do not have control over the network infrastructure necessary to impose traditional segmentation. Similarly, applying comprehensive host-by-host segmentation using traditional network-based solutions quickly becomes untenable for even small deployments; the complexity of the enforcement devices and firewall rules is simply too great for effective maintenance and application. Thankfully, there are a range of technologies beyond traditional network enforcement that can be used to accomplish the segmentation required by the SWIFT CSP. Many IT organizations are moving from network segmentation to these new technologies. Adaptive micro-segmentation combines the benefits of these new approaches. Key Characteristics of Adaptive Micro-Segmentation Flexible Granularity. Network segmentation can only enforce broad separations (for example, separating development from production). Adaptive micro-segmentation can enforce both broad separations and extremely precise segmentation. Securing Your SWIFT Environment Using Micro-Segmentation 6

Hybrid Environments. Network segmentation works only within traditional, static data centers. Adaptive micro-segmentation works across static and dynamic environments, in the cloud, and on bare-metal servers. Adaptive Enforcement. Adaptive micro-segmentation can shift as environments shift. This means that as your SWIFT environment expands and changes over time, adaptive micro-segmentation saves time and resources by avoiding the manual exercise of keeping SWIFT segmentation up-to-date. Application Awareness. Network segmentation does not understand the details of applications and communications. Adaptive micro-segmentation understands applications, ensuring that the segmentation protects the most valuable data. Network Segmentation Adaptive Micro- Segmentation Flexible Granularity Hybrid Environments Adaptive Enforcement Application Awareness Validating the SWIFT Application s Dependency Map and Segmentation Segmenting the SWIFT infrastructure is an essential step in securing the SWIFT application, but it won t help with the SWIFT CSP compliance unless you can validate that the segmentation is accurate and correctly enforced. Securing Your SWIFT Environment Using Micro-Segmentation 7

When addressing the range of segmentation requirements embedded in SWIFT CSP 1.1, remember that achieving compliance means being able to prove compliance. Here are four characteristics to look for in any scoping tool to ensure that you can prove compliance: HUMAN-READABLE POLICIES Segmenting your SWIFT infrastructure can easily require thousands of firewall rules. Rather than imposing segmentation based on traditional firewall rules, look for solutions that use environmental metadata to create more efficient and more understandable rules. These make it easier for you to explain your scope to an auditor and easier for auditors to validate it as well. Human-readable policies for securing SWIFT environments Securing Your SWIFT Environment Using Micro-Segmentation 8

A PICTURE IS WORTH A THOUSAND WORDS There s a reason that the first step in any SWIFT CSP compliance exercise is building an accurate application dependency map of the SWIFT application. Instead of working with spreadsheets of IP addresses and firewall rules, a visual interface can actually map your SWIFT systems allowing you to understand the primary connections within your SWIFT application and then to identify key characteristics about those connections. ANSWER KEY QUESTIONS BEFORE THEY RE ASKED SWIFT CSP 1.1 outlines specific segmentation requirements. Use a solution that will let you identify and answer these questions at the beginning of the audit, simplifying back-and-forth, and get through the audit as quickly as possible. QUERY PLATFORM TO CHASE DOWN AND FIX ERRORS Inevitably, something will turn up that you didn t expect. Given the complexity of modern environments and the range of requirements that the SWIFT CSP imposes, at least one curveball is guaranteed. Look for a security solution with an effective query-and-correct interface that prepares you for this so you can pinpoint and address mistakes when they do arise. Conclusion Micro-segmentation is a core requirement of the SWIFT CSP. More than that, building an early and accurate application dependency map lets you understand what systems need protecting and how you can apply that protection easily, quickly, and inexpensively. If you use micro-segmentation to follow the steps laid out in this white paper, your SWIFT CSP audit will run smoothly and leave you with SWIFT infrastructure that is secure, flexible, and ready to run your business. Securing Your SWIFT Environment Using Micro-Segmentation 9

About Illumio Follow Us Illumio, the leader in micro-segmentation, prevents the spread of cyber threats inside data centers and cloud environments. Enterprises such as Morgan Stanley, BNP Paribas, Salesforce, Workday, and Oracle NetSuite use Illumio to reduce cyber risk and achieve regulatory compliance. Illumio s Adaptive Security Platform uniquely protects critical information with realtime application dependency mapping and micro-segmentation that works in any data center, public cloud, or across hybrid deployments on baremetal, virtualization, and containers. For more information about Illumio, visit www.illumio.com/what-we-do or follow @Illumio. Illumio Adaptive Security Platform and Illumio ASP are trademarks of Illumio, Inc. All rights reserved. Securing Your SWIFT Environment Using Micro-Segmentation 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback