3-Steps for Compliance with “SWIFT customer security controls framework 1.0”
A deadline of Jan 2018 looms over Banking & Financial Institutions for compliance with the Security Guidelines issued by SWIFT. This guidance from EZMCOM provides a concise summary of controls that can be implemented for compliance.
Typically we can classify the operators of the SWIFT software as an “IT / OS admin” or a “User”. The “IT / OS admin” typically logs in to the SWIFT server to administer, manage, update and upgrade the SWIFT software and perform general maintenance. The “User” performs the financial transactions and functional work on the web-based SWIFT Alliance software.
The following security guidelines must be implemented for both these types of users (“operators”).
Compliance for the “Password”
Banks are most likely already compliant with this requirement. If not, the guideline from SWIFT is:
The Password should be at least 8 characters long
It should be a combination of digits, special characters, uppercase and lowercase letters
The Password should be unique to the SWIFT account (not the common Password used to log in to the Bank’s domain in general)
The Password should not be trivial (e.g. dictionary words)
EZMCOM recommends the use of the standard password policies of an Active Directory (AD) server to enforce this compliance. The AD can be integrated both for OS login and as the user repository in the SWIFT software.
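As an added example (not part of the EZMCOM guidance, and not SWIFT's or Microsoft's reference code), the AD password rules above can be applied only to the SWIFT operator accounts with a fine-grained password policy, so the stricter rule set does not have to be imposed on the whole domain. The group name, policy name and account name are assumed placeholders.

```powershell
# Added example: a fine-grained password policy (PSO) for SWIFT operator accounts.
# Assumed names: AD group "SWIFT-Operators" holding all "User" and "IT/OS admin"
# SWIFT accounts, and a policy called "SWIFT-Operator-PSO".
Import-Module ActiveDirectory

$GroupName  = 'SWIFT-Operators'      # assumed group of SWIFT operator accounts
$PolicyName = 'SWIFT-Operator-PSO'   # assumed policy name

# A PSO overrides the default domain policy for its subjects, so SWIFT accounts
# get the stricter rules while the rest of the domain keeps its own policy.
$pso = @{
    Name                        = $PolicyName
    Precedence                  = 10       # lower value wins if several PSOs apply
    MinPasswordLength           = 8        # SWIFT guideline: at least 8 characters
    ComplexityEnabled           = $true    # mixed character classes (see note below)
    PasswordHistoryCount        = 24       # stops cycling back to recent passwords
    MaxPasswordAge              = (New-TimeSpan -Days 90)
    MinPasswordAge              = (New-TimeSpan -Days 1)
    LockoutThreshold            = 5        # limits online guessing of trivial passwords
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    ReversibleEncryptionEnabled = $false
}

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
    New-ADFineGrainedPasswordPolicy @pso
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName

# Verify which policy actually applies to one operator account (assumed sAMAccountName):
# the result should name the PSO, not the default domain policy.
Get-ADUserResultantPasswordPolicy -Identity 'swift.admin01' |
    Select-Object Name, MinPasswordLength, ComplexityEnabled, MaxPasswordAge
```

Two caveats a reviewer will raise: AD's complexity setting requires characters from three of the four classes (and no part of the account name), so it is slightly weaker than the "all four" wording above, and neither the dictionary-word rule nor the "unique to SWIFT" rule is enforced by AD itself. The uniqueness requirement is easiest to meet by giving each operator a separate SWIFT-only account in the group above rather than reusing the everyday domain account.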
The Isolated / Dedicated workstation compliance
Typically bank users have internet access on their workstations. SWIFT requires a dedicated workstation that is not connected to the internet and preferably not to any other external content either (e.g. mail, FTP, SFTP). This would be an inefficient and expensive approach.
Alternatively, SWIFT recommends that the bank user connect to a JUMP server and then, from the jump server, the operators connect further to the SWIFT software. The jump server must be isolated from any other network, must not be connected to the internet or run any mail, FTP, SFTP or similar software, and must be firewalled appropriately.
Establish a jump (intermediate) server infrastructure, e.g. Microsoft Windows Server(s) providing Remote Desktop to your SWIFT users. If you have a VDI infrastructure (e.g. Citrix XenApp/XenDesktop with Receiver), you can use that as well
Firewall and restrict access to the SWIFT servers and the URL of the SWIFT Alliance web application so that they are only reachable from the JUMP server(s)
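The firewalling described in the two steps above, as an added example that is not part of the EZMCOM document: Windows Defender Firewall rules that confine RDP and the Alliance web application on the SWIFT server to the jump server(s), and a default-deny outbound policy on the jump server so it cannot reach the internet. All addresses are constructed placeholders, and the web application port is assumed to be HTTPS on 443.

```powershell
# Added example: firewall scoping for the jump server design. Addresses and the
# web port below are assumed values for this illustration, not SWIFT defaults.
$JumpServers  = @('10.20.30.11', '10.20.30.12')  # assumed jump server addresses
$SwiftServers = @('10.20.40.5')                  # assumed SWIFT Alliance server(s)
$DomainCtrls  = @('10.20.10.2')                  # assumed domain controller(s)
$OperatorLan  = '10.50.0.0/16'                   # assumed operator workstation network
$SwiftWebPort = 443                              # assumed port of the Alliance web UI
$RdpPort      = 3389

# --- Run on the SWIFT server: inbound default-deny, then allow only the jump servers.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

New-NetFirewallRule -DisplayName 'SWIFT: RDP from jump servers only' `
    -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
    -RemoteAddress $JumpServers -Action Allow -Profile Any

New-NetFirewallRule -DisplayName 'SWIFT: Alliance web from jump servers only' `
    -Direction Inbound -Protocol TCP -LocalPort $SwiftWebPort `
    -RemoteAddress $JumpServers -Action Allow -Profile Any

# --- Run on the jump server: default-deny in both directions, then allow only
#     RDP in from operators, and out to the SWIFT servers and domain controllers.
#     With no outbound allow rule for anything else, internet, mail and FTP
#     traffic from the jump server is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -DefaultInboundAction Block -DefaultOutboundAction Block

New-NetFirewallRule -DisplayName 'JUMP: RDP in from operator LAN' `
    -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
    -RemoteAddress $OperatorLan -Action Allow -Profile Any

New-NetFirewallRule -DisplayName 'JUMP: out to SWIFT servers' `
    -Direction Outbound -Protocol TCP -RemotePort $RdpPort,$SwiftWebPort `
    -RemoteAddress $SwiftServers -Action Allow -Profile Any

New-NetFirewallRule -DisplayName 'JUMP: out to domain controllers' `
    -Direction Outbound -RemoteAddress $DomainCtrls -Action Allow -Profile Any

# Review the resulting scope: each rule and the remote addresses it is limited to.
Get-NetFirewallRule -DisplayName 'SWIFT:*', 'JUMP:*' | ForEach-Object {
    [pscustomobject]@{
        Rule   = $_.DisplayName
        Remote = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
    }
}
```

The host firewall is a second line behind the network firewall, not a replacement for it: the same allow lists should exist on the network firewall between the operator LAN, the jump server segment and the SWIFT segment, so that a compromised host cannot simply disable its local rules.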
Two-Step Verification (2SV) compliance
2SV, in other words 2-Factor Authentication, is typically the use of an additional credential that is usable one time and valid for a limited duration. It ensures that a compromise of the Username and Password credential, for whatever reason, does not by itself provide unauthorized access to the SWIFT software.
The compliance requires the operators to perform 2SV in at least one of the access procedures to the SWIFT software.
Implement 2SV during remote (desktop) access to the JUMP server. It is very unlikely that Banks will allocate an additional dedicated and isolated workstation to each SWIFT software operator, and the JUMP server access can be a uniform and consistent 2SV experience for all operators (IT/ OS admins as well as users)
Alternatively, 2SV/ 2FA can be enforced during RDP for the “IT/ OS admin” operators of SWIFT, while for the “User” it can be enforced during the web-based browser login into the SWIFT Alliance software application. With this, the User operator of SWIFT will not be required to perform 2SV/ 2FA during every remote desktop session; such remote connections typically auto-disconnect after an inactivity period or the lock screen appears, and repeating 2SV/ 2FA each time can become inconvenient.
You may consider implementation of behavioral authentication that monitors the keystroke dynamics of users during the remote desktop session, where an Artificial Intelligence/ Machine Learning based solution grants access to the remote desktop without a 2SV/ 2FA if there is no anomaly in the way the remote desktop connection is being established. This will greatly increase convenience for SWIFT operators while maintaining compliance.
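The two properties the 2SV definition above relies on, a code that is valid only for a short time and cannot be reused, are shown in the following added example (not from the EZMCOM document, and not SWIFT Alliance's own TOTP implementation): a minimal RFC 6238 TOTP generator plus a server-side check that enforces both properties. The shared secret, user name and timestamps are constructed test values; a real deployment keeps the secret and the last-accepted counter in a protected store, not in script variables.

```powershell
# Added example: TOTP generation (RFC 6238 / RFC 4226) and a verifier that
# enforces a small time window and rejects replay of an already-used code.

function Get-TotpCode {
    param([byte[]]$Secret, [long]$UnixTime, [int]$Step = 30, [int]$Digits = 6)
    $counter = [long][math]::Floor($UnixTime / $Step)
    # RFC 4226: the counter is an 8-byte big-endian message for HMAC-SHA1
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($Secret)
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation: 4 bytes starting at the offset in the low nibble of byte 19
    $offset = $hash[19] -band 0x0F
    $binary = (($hash[$offset]     -band 0x7F) -shl 24) -bor
              (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
              (($hash[$offset + 2] -band 0xFF) -shl 8)  -bor
               ($hash[$offset + 3] -band 0xFF)
    return ($binary % [int][math]::Pow(10, $Digits)).ToString().PadLeft($Digits, '0')
}

# Server-side state: last counter accepted per user (constructed in-memory store)
$script:LastAccepted = @{}

function Test-TotpCode {
    param([string]$User, [byte[]]$Secret, [string]$Code, [long]$Now,
          [int]$Step = 30, [int]$Window = 1)
    $current = [long][math]::Floor($Now / $Step)
    # Limited validity: only the current step and +/- $Window steps are tried,
    # which tolerates clock drift but expires the code within a couple of minutes.
    foreach ($delta in -$Window..$Window) {
        $candidate = $current + $delta
        if ($Code -cne (Get-TotpCode -Secret $Secret -UnixTime ($candidate * $Step) -Step $Step)) {
            continue
        }
        # One-time use: a counter at or below the last accepted one is a replay.
        if ($script:LastAccepted.ContainsKey($User) -and
            $candidate -le $script:LastAccepted[$User]) {
            return $false
        }
        $script:LastAccepted[$User] = $candidate
        return $true
    }
    return $false
}

# Demo with the RFC 6238 reference secret (ASCII "12345678901234567890") and a
# constructed timeline for one operator account.
$secret = [Text.Encoding]::ASCII.GetBytes('12345678901234567890')
$t0     = 59
$code   = Get-TotpCode -Secret $secret -UnixTime $t0
Test-TotpCode -User 'swift.admin01' -Secret $secret -Code $code -Now $t0          # first presentation
Test-TotpCode -User 'swift.admin01' -Secret $secret -Code $code -Now ($t0 + 10)   # same code again (replay)
Test-TotpCode -User 'swift.admin01' -Secret $secret -Code $code -Now ($t0 + 120)  # same code, outside the window
```

With the RFC 6238 reference secret, Get-TotpCode at time 59 returns the last six digits of the RFC's published SHA-1 test value 94287082, which is a quick way to confirm the truncation logic. The replay check is what makes the credential genuinely one-time: without the stored counter, an observed code would remain valid for the whole window, which is the weakness a password-only login has in every session.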
EZMCOM cautions against:
- Use of free (3rd party/ open-source) OTP/ 2FA/ 2SV authenticators that are natively integrable with the SWIFT software’s internal capability of supporting Time-based OTP (TOTP) authenticators.
- Do not assume that by using the built-in 2FA/ 2SV capabilities of the SWIFT Alliance software you achieve compliance with all of the security guidelines stipulated in the “SWIFT customer security controls framework 1.0” issued by SWIFT. You will nevertheless need to implement additional 2FA/ 2SV for the “IT/ OS Admin” operators, even if you choose to use a free/ open-source OTP authenticator that is compliant with SWIFT.
A sample illustration of a SWIFT “IT / OS Admin” operator’s experience with 2SV during the remote desktop connection to a JUMP server, before accessing the SWIFT software server for administration. The same experience can apply to the “User” operator as well, prior to launching the browser to log in to the SWIFT web application.
EZMCOM is not endorsing any vendor, product or service mentioned in its guidance document, and does not advise Banks and Financial institutions to refer to this document only for compliance. This publication from EZMCOM consists of the opinions of EZMCOM’s own experience in working with Banks and Financial institutions for attaining compliance and should not be construed as statements of fact. EZMCOM disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
EZMCOM is an Identity Fraud & Risk Management solution provider with innovative and easy-to-use technology that can be deployed to protect users, data, and applications from credential theft, account takeover and breaches. EZMCOM is working with companies worldwide to change the way we authenticate and authorize – across mobile devices, servers, workstations within enterprise and cloud services.
If you have questions, or would like a demo of EZMCOM’s authentication solutions that help you establish compliance to SWIFT security guidelines, please talk to an EZMCOM representative today!
1 (510) 396-3894 | 60 (0) 12 570-1114 | 44 (0) 7483-214871
For more information, please visit www.ezmcomcom or follow @ezmcom on Twitter, LinkedIn