Mapping Swift CSP Framework with Sectona PAM for Banks

Cyber threats are ever-increasing. Recently, there have been many payment fraud incidents in customers’ local environments – As a result, SWIFT’s payment community continues to suffer from numerous cyber-attacks and breaches. 

For 2020, SWIFT promoted two existing advisory controls to mandatory and introduced two additional advisory controls resulting in 21 mandatory and ten advisory controls in the CSCF v2020. SWIFT has also launched a CSP (Customer Security Programme) to improve information sharing throughout the community. The SWIFT CSP Framework also shares best practices for fraud detection and enhances third-party providers’ support.  

Clause 1 of the SWIFT CSP framework discusses restricting internet access and protecting critical systems from the general IT environment. 

The SWIFT CSP framework speaks about SWIFT environment protection, i.e., the protection of the user’s local SWIFT environment from potentially compromising elements of the general IT environment and external environment.  

The framework states that the SWIFT user’s environment should be completely isolated. There should be complete control and access restrictions over OS Privileged accounts. It also emphasizes securing the virtualization platforms. All the virtualization platforms and virtual machines (VMs) hosting SWIFT-related components should be secured to the same level as physical systems. 

Solution Offered by Sectona Security Platform 

With its hybrid access mechanism, the Sectona Privileged Access Management (PAM) ensures secure access to critical systems, including SWIFT infrastructure. Users can access it from the internal or external environment. 

Sectona PAM allows privileged sessions to be accessed over the browser to ensure true session isolation while allowing direct client-based access without needing the agent on the target device.  

There is also a provision for access through a secure Jump Host for session isolation. In addition, users can also take access from any OS and browser without needing plugins.  

Sectona PAM has strong server privilege management & access control capabilities that segregate user access based on workforce roles & responsibilities. Unauthorized access is eliminated by way of this capability. 

The benefit of robust integrations with Virtualization platforms & VMs. And access to these platforms can be secured with the same effect as physical systems. 

Clause 2.6 of SWIFT CSP framework discusses reducing surface attacks and vulnerabilities.  

There should be complete operator session confidentiality and integrity to be maintained. The interactive operator sessions connecting to local SWIFT infrastructure should be protected from surface attacks and vulnerabilities. 

Solution Offered by Sectona Security Platform 

Sessions taken to the SWIFT infrastructure through Sectona PAM will be completely secured, controlled & monitored through a secure mechanism – ensuring the confidentiality & integrity of sessions. Along with MFA to access any interactive session of SWIFT via PAM.  

In addition, the threat analytics engine within Sectona PAM calculates a composite risk score for each privileged session, which helps with auditing and forensics much more easily and faster. 

Clause 2.8 of SWIFT CSP Framework speaks about outsourcing critical activities. 

It states that the local SWIFT infrastructure should be protected from the risks exposed by outsourcing critical activities. 

Solution Offered by Sectona Security Platform 

Sectona PAM enables workflow-based access for outsourced activities to ensure that access to the SWIFT infrastructure is granted only after review & approval from authorized personnel.  

For any critical activity wherein the session may need to be shared over the internet with outsourced or third party vendors, the PAM tool enables a highly secure way of collaborating without revealing credentials and generating collaborative logs identifying and logging the activities during the session. 

Clause 2.9 of SWIFT CSP Framework states that all business transactions should be controlled.  

All the business transactions in the environment should be validated and authorized by the respective counterparties. 

Solution Offered by Sectona Security Platform 

In Sectona PAM, time-based access can be provided to users taking access to SWIFT infrastructure. This ensures that the user access to SWIFT infrastructure is authorized at the pre-decided time frame. In addition, workflow-based access can also be enabled to ensure users are given access only after review & approval. Multiple levels (up to 15) of permissions can be configured with Sectona PAM. 

Clause 4 of SWIFT CSP framework highlights the prevention of credential compromise.  

Clause 4.1 states that effective password policies should be in place. The passwords should be resilient enough to give protection against common password attacks. 

Solution Offered by Sectona Security Platform 

Sectona PAM has a strong password vault that supports customizable password change policies enabling password complexities and rotations with a wide range of combinations. Multiple Password Policies can be created and applied to an asset or group of assets.  

Sectona’s Password Vault can help schedule password changes regularly & help set password complexities as desired. The vault is highly secure & passwords are encrypted with either AES 256 encryption or RSA 2048 encryption. 

Clause 4.2 of the SWIFT CSP framework is about multi-factor authentication.  

The clause of SWIFT CSP Framework requires the prevention of compromised single authentication factors for allowing access into the SWIFT environment. 

Sectona PAM is engineered to readily integrate with MFA providers such as RSA, Vasco, Safenet, Okta, OneLogin, Duo or Google Authenticator. Alternatively, it provides proprietary in-built Mobile OTP or Push Authentication and SMS or Email OTP options for multi-factor authentication. The 2FA mechanism ensures an additional layer of security & control. 

Clause 5 of the SWIFT CSP Framework discusses managing identities and segregating privileges.  

Clause 5.1 is about the logical access control, i.e., access should be provided on a need-to-know basis, and duties for operator accounts should be segregated. 

Solution Offered by Sectona Security Platform 

Sectona PAM follows the principle of least privileges and segregation of duties adding value by providing attribute-based grouping or AD grouping that can help reduce the human effort involved with user mapping based on roles & responsibilities. 

Clause 5.4 speaks about protecting the logically and physically stored passwords in the SWIFT environment. 

Sectona PAM has a strong password vault that supports customizable password change policies enabling password complexities and rotations with a wide range of combinations. Multiple Password Policies can be created and applied to an asset or group of assets. The vault is highly secure & passwords are encrypted with either AES 256 encryption or RSA 2048 encryption. 

Clause 6 speaks about detecting abnormal activities in systems or transaction records.  

Clause 6.4 of SWIFT CSP Framework states that all security events should be recorded to detect anomalous actions and operations within the local SWIFT environment. 

Solution Offered by Sectona Security Platform 

Sectona’s Session Recording module captures logs of all privileged sessions across target system sessions, including access to the SWIFT environment. In addition, the threat analytics engine within Sectona PAM calculates a composite risk score for each privileged session, which helps with auditing and forensics much more quickly.  

Sectona PAM has an in-built Risk Scoring engine with a list of predefined plausible high-risk scenarios. The risk levels for these scenarios can be configured to incorporate desired risk levels of the organization. This Risk Scoring engine will help calculate the composite risk score for each user session based on the activities in the session that, thereby, help assess the access behaviour.  

Sectona PAM has an alert and notification engine to send timely alerts to concerned personnel on executing predefined critical commands or activities. 

Conclusion 

SWIFT has included an extensive list of best practices for banks in its SWIFT CSP Framework. The latest version of the compliance document is available in this link.  

Those starting with their privileged access security programs start by targeting and identifying all privileged accounts. Leverage this list to begin your privileged access security program.   

Related Reading: Why running isolated privileged sessions for remote users is essential?