SWIFT Customer Security Program for 2019
The Customer Security Program (CSP) is a framework launched by the Society for World Interbank Financial Telecommunication (SWIFT), originally in 2016. The “programme” can be broken down into three key objectives:
- Secure your environment
- Know and limit access
- Detect and respond
Obviously, these are fairly high-level bullets and therefore leave a lot to interpretation, but SWIFT built into the CSP a couple dozen controls (27 of them, to be exact), some of them mandatory, some of them merely advised. Originally, the arrangement called for member organizations to self-attest to their use of these controls as of the end of last year. 94% of organizations met this deadline and, impressively, this meant that 99% of SWIFT network traffic fell under the controls.
An update from earlier this year means that organizations are again asked to self-attest their compliance by the end of the year. Because some of the controls were updated, SWIFT member organizations may need to rethink how they achieve compliance.
At ShieldX, we think the way to protect a modern data center is to have a security architecture designed specifically for the attributes of such a data center: containerized workloads, elastic and dynamic allocation of workloads, and controls to prevent attacks from pivoting along the axis of east-west traffic within the center. This may sound obvious, but we meet a lot of organizations that are trying to create a static perimeter in the cloud with a stack of virtualized next-gen firewalls. Maybe this works within limits, but it definitely doesn’t scale well, and it also comes with all the security risks that accompany the (nearly always) resultant flat network.
As we’ve noted elsewhere, ShieldX takes an approach based on microsegmentation and the application of deep packet inspection. ShieldX Elastic Cloud Security uses microsegmentation and a container-based, microservices architecture to replace the tiered zones and the monolithic firewalls that organizations have traditionally used with mixed success. With ShieldX, you still have zones, but they are automatically generated and maintained, individually defined for separate business applications, and scaled dynamically on a per-zone basis. Within these elastic zones, ShieldX offers full packet inspection equivalent.
When it comes to the SWIFT requirement for “detecting and responding,” virtual patching is a critical part of any current defense posture. You can use a vulnerability scanner to find problems in your network and then, in theory, you could take the scanner report, assemble a team of experts, and manually generate the policies needed to provide virtual patches to your highest-priority vulnerabilities. But the expense and time intensity of this process run aground on the difficulties of too many patches and too many (dynamic) workloads.
We think ShieldX makes an enormous amount of sense when tackling the SWIFT CSP. Learn more about this in our data sheet.