Cyber threats are ever-increasing. Recently, there have been many payment fraud incidents in customers’ local environments – As a result, SWIFT’s payment community continues to suffer from numerous cyber-attacks and breaches.
For 2020, SWIFT promoted two existing advisory controls to mandatory and introduced two additional advisory controls resulting in 21 mandatory and ten advisory controls in the CSCF v2020. SWIFT has also launched a CSP (Customer Security Programme) to improve information sharing throughout the community. The SWIFT CSP Framework also shares best practices for fraud detection and enhances third-party providers’ support.
The SWIFT CSP framework speaks about SWIFT environment protection, i.e., the protection of the user’s local SWIFT environment from potentially compromising elements of the general IT environment and external environment.
The framework states that the SWIFT user’s environment should be completely isolated. There should be complete control and access restrictions over OS Privileged accounts. It also emphasizes securing the virtualization platforms. All the virtualization platforms and virtual machines (VMs) hosting SWIFT-related components should be secured to the same level as physical systems.
With its hybrid access mechanism, the Sectona Privileged Access Management (PAM) ensures secure access to critical systems, including SWIFT infrastructure. Users can access it from the internal or external environment.
Sectona PAM allows privileged sessions to be accessed over the browser to ensure true session isolation while allowing direct client-based access without needing the agent on the target device.
There is also a provision for access through a secure Jump Host for session isolation. In addition, users can also take access from any OS and browser without needing plugins.
Sectona PAM has strong server privilege management & access control capabilities that segregate user access based on workforce roles & responsibilities. Unauthorized access is eliminated by way of this capability.
The benefit of robust integrations with Virtualization platforms & VMs. And access to these platforms can be secured with the same effect as physical systems.
There should be complete operator session confidentiality and integrity to be maintained. The interactive operator sessions connecting to local SWIFT infrastructure should be protected from surface attacks and vulnerabilities.
Sessions taken to the SWIFT infrastructure through Sectona PAM will be completely secured, controlled & monitored through a secure mechanism – ensuring the confidentiality & integrity of sessions. Along with MFA to access any interactive session of SWIFT via PAM.
In addition, the threat analytics engine within Sectona PAM calculates a composite risk score for each privileged session, which helps with auditing and forensics much more easily and faster.
It states that the local SWIFT infrastructure should be protected from the risks exposed by outsourcing critical activities.
Sectona PAM enables workflow-based access for outsourced activities to ensure that access to the SWIFT infrastructure is granted only after review & approval from authorized personnel.
For any critical activity wherein the session may need to be shared over the internet with outsourced or third party vendors, the PAM tool enables a highly secure way of collaborating without revealing credentials and generating collaborative logs identifying and logging the activities during the session.
All the business transactions in the environment should be validated and authorized by the respective counterparties.
In Sectona PAM, time-based access can be provided to users taking access to SWIFT infrastructure. This ensures that the user access to SWIFT infrastructure is authorized at the pre-decided time frame. In addition, workflow-based access can also be enabled to ensure users are given access only after review & approval. Multiple levels (up to 15) of permissions can be configured with Sectona PAM.
Clause 4.1 states that effective password policies should be in place. The passwords should be resilient enough to give protection against common password attacks.
Sectona PAM has a strong password vault that supports customizable password change policies enabling password complexities and rotations with a wide range of combinations. Multiple Password Policies can be created and applied to an asset or group of assets.
Sectona’s Password Vault can help schedule password changes regularly & help set password complexities as desired. The vault is highly secure & passwords are encrypted with either AES 256 encryption or RSA 2048 encryption
The clause of SWIFT CSP Framework requires the prevention of compromised single authentication factors for allowing access into the SWIFT environment.
Sectona PAM is engineered to readily integrate with MFA providers such as RSA, Vasco, Safenet, Okta, OneLogin, Duo or Google Authenticator. Alternatively, it provides proprietary in-built Mobile OTP or Push Authentication and SMS or Email OTP options for multi-factor authentication. The 2FA mechanism ensures an additional layer of security & control.
Clause 5.1 is about the logical access control, i.e., access should be provided on a need-to-know basis, and duties for operator accounts should be segregated.
Sectona PAM follows the principle of least privileges and segregation of duties adding value by providing attribute-based grouping or AD grouping that can help reduce the human effort involved with user mapping based on roles & responsibilities.
Sectona PAM has a strong password vault that supports customizable password change policies enabling password complexities and rotations with a wide range of combinations. Multiple Password Policies can be created and applied to an asset or group of assets. The vault is highly secure & passwords are encrypted with either AES 256 encryption or RSA 2048 encryption.
Clause 6.4 of SWIFT CSP Framework states that all security events should be recorded to detect anomalous actions and operations within the local SWIFT environment.
Sectona’s Session Recording module captures logs of all privileged sessions across target system sessions, including access to the SWIFT environment. In addition, the threat analytics engine within Sectona PAM calculates a composite risk score for each privileged session, which helps with auditing and forensics much more quickly.
Sectona PAM has an in-built Risk Scoring engine with a list of predefined plausible high-risk scenarios. The risk levels for these scenarios can be configured to incorporate desired risk levels of the organization. This Risk Scoring engine will help calculate the composite risk score for each user session based on the activities in the session that, thereby, help assess the access behaviour.
Sectona PAM has an alert and notification engine to send timely alerts to concerned personnel on executing predefined critical commands or activities.
SWIFT has included an extensive list of best practices for banks in its SWIFT CSP Framework. The latest version of the compliance document is available in this link.
Those starting with their privileged access security programs start by targeting and identifying all privileged accounts. Leverage this list to begin your privileged access security program.
Related Reading: Why running isolated privileged sessions for remote users is essential?