SWIFT Reporting – Getting the most out of the available toolsEmma Pacheco, Service Manager – SWIFT

SWIFT Reporting

ObjectivesGet the most …• understanding• access• address questions

What are …• your challenges• we missing

SWIFT Reporting

Agenda Quiz• What? Where? How?

Exercise• Putting my reports to good use !!!!

Your turn• Your challenges

Recap & conclusions• What have we learnt?

QUIZ Time !!!

• Leased Line Utilisation Report

What?

• Swift.com > Support Tools

Where?

P+/P

QUIZ Time !!!

• Year/Month/Peak Day

• Per line• Segregation

• Resiliency• Browse traffic• Degradation

How?

P+/P

QUIZ Time !!!

• Support usage Report

What?

• Swift.com > Premium Doc Repository

Where?

P+

QUIZ Time !!!

• Disturbance index

• Case stats• Per month• Per channel• Per user• Per product …

How?

P+

QUIZ Time !!!

• Availability Report

What?

• Swift.com > Premium Doc Repository

Where?

P+

QUIZ Time !!!

• Availability of:• SWIFT• VPNs• SNLs• LTs

• Configuration via:• Service Mgr

How?

P+

QUIZ Time !!!

• Healthcheck Report

What?

• Swift.com > Premium Doc Repository

Where?

P+/P

QUIZ Time !!!

• Identify risks• Best practices• Focus:

• Service Availability

• Performance• Security

How?

P+/P

QUIZ Time !!!

Traffic Monitoring- Throughput- Volume- Queues

Reports- Certificates- Roles- Activity Log

Report Automatio

n O2MSWIFTNet Online

Operations Manager

P+/P

QUIZ Time !!!

O2M

P+/P

QUIZ Time !!!

P+/P

O2M > Throughput (TPS)

QUIZ Time !!!

O2M > Volume

P+/P

QUIZ Time !!!

• Watch• …

• Case review• …

• License• Systems• …

• Accounts• Ordering• …

Swift.com MyConfig

BusinessIntelligence

ServiceMeetings

Many other on-demand reports

P+/P P+/P

P+P+/P

CO

O Q

uest

ions

Cha

ngesAug 2015:

New business flow Important volumes Traffic: IA + browse

Same time: HW/SW changes New security policies enforced

Did incident risk increase since new flow?

Do you feel safe in terms of capacity?

Exercise Time !!!

What are your challenges? what are we missing?

Cap

acity

?

Ris

k in

crea

se?# incidents stable

but risk higher: support cases (system config/admin) BW usage HW/SW maturity & knowledge management

LL BW increase, still OK… growth? Staff? HW saturation? internal monitoring

Exercise Time

Conclusions

Request budget for in-depth analysis/prep for upscaling?

What are your challenges? what are we missing?

Recap Case review

O2M

HC swiftmon

LLUR

Availability

Support Usage

Recap Case review

O2M

HC swiftmon

LLUR

Availability

Support Usage

HC cases?

LLUR–O

2M=B

rowse

Training

DomainsIn

cide

nt v

s Q

uest

ion

Cer

tific

ates

Sec

Mgm

t

Ntwk BW vs System BWVB box used vs available?

Recap

• to assess current situation

Combine different reports …

• to prevent outages

Use reports proactively ...

• voice your requirements !

Reports are only one way SWIFT can help …

IT Update:CTO’s view of 2020 Strategy- Challenges and OpportunitiesCraig Young, Chief Technology Officer – SWIFT

USEUR

KL

IT at SWIFT

Presence in the 3 geographical regions is of strategic importance for business relevance and resilience. 

Strategic business priorities:• Grow and strengthen core ‘many-to-many’ financial messaging, connectivity and closely adjacent products and services • Expand and deepen offerings for market infrastructures • Build our financial crime compliance portfolio to meet the full spectrum of related challenges.

Critical enablers:

OperationalExcellence

Innovationat the Core

Customers And Communities Talent Financial

Management

• Recognized systemic importance

• Invest in operational excellence & platform efficiency

• Security, technology and resilience

• Innovate core payments & securities

• Platform innovation

• Continued product innovation

• Leverage Innotribe and SWIFTLab

• Expand geographical reach

• Customer centricity

• Community dialogue

• CSR

• Develop to match business needs

• Developing critical capabilities for future

• Reduce message pricing

• Grow non messaging revenue

• Financial resilience

SWIFT 2020 – Grow the core, Build the future

TransformGrowRun

Security

Talent

Technology

Role of IT

Security –Challenges

Increased complexity to cyber attacks• Phishing, impersonation, DDoS, virus, …• Multiple hacking techniques to evade detection and

distract defender• Stealthy and diverting techniques• Weaponisation means less entry hurdle for hackers

Increased threat sources• Very powerful, resourceful and skilled actors• New categories of threats: losing trust in technology

(weakened crypto, backdoor added)

Increased technology vulnerability• More zero day exploits• IT consumerisation : usability vs security, technology

favouring end user• Weakest link in the chain: people

Changing business landscape• More Internet facing services• More business agility• Mobility, BYOD• Geopolitical tensions

It’s no longer a matter of if your cyber security defense will be compromised at some level – it’s when.

Prevent

Detect

Plan

LearnComplicate enemy’s life and prevent cyber attacks to succeed

Do not underestimate the enemyand detect attacks that woulddefeat your prevention

Know your enemyand understand

own exposure

Prepare for the worse and be ready to contain and

recover from detected attacks

Security - Holistic Cyber Framework

FNAO

FINSWIFTNet

Regional Processor

Slice Processor

FIN BridgeSwitchFront End Processor

Slice Control Processor

Certification Authority

SWIFTNet Directory

SWIFTNet LinkAlliance Gateway

SNL

Lite

Alliance Lite2

Alliance Access IntegratorAlliance Access

Alliance Entry

Alliance Connect Bronze

Alliance Connect Silver

Alliance Connect Gold

Alliance Messaging HUB

Autoclient

SWIFTNet Browse

SWIFTNet InterAct

SWIFTNet FileAct

Sanctions Screening

Accord

SWIFT WebAccess

KYC

Online Operations Manager

Swift.com

3SKey

HSM

VPN

Alliance Managed Operations

Alliance Lifeline

Alliance Remote Gateway

SWIFTRef

Sanctions Testing

Watch for Securities

IPLA

Increasing number of services 

Scalability following strong growth  

Common User Experience 

Time to Market

Security Evolution 

Platform - Challenges

Platform - Business Architecture Process

Ideation Ideation

Innovation - Challenges

Ideation Validation Proof of Concept Project life cycle

Security - Anticipating your future requirements

Mayank Bhatt, Security - Product Manager – SWIFTChetan Uka, Messaging - Product Manager – SWIFTBikash Mishra, Service Manager – SWIFTJithendra Manne, Service Manager – SWIFT

HSM Refresh and HSM Usability Enhancements

Mayank Bhatt, Security Product Manager - SWIFT

HSM Refresh: 2-phase project

Hardware Refresh Renew infrastructure

Usability Evolution

Simplify day-to-day management of HSM boxes Reduce cost & risk associated with complex processes

5653 4618 339

100% IS6 HSM Boxes shipped overall

IS6 HSM boxes Installed

Remaining oldHSM Boxes

HSM Refresh: key figures

HSM Refresh: 2-phase project

Hardware Refresh Renew infrastructure

Usability Evolution

Simplify day-to-day management of HSM boxes Reduce cost & risk associated with complex processes

HSM

O

PER

ATIO

NS

Q2 ‘14 Q3 ‘14 Q4 ‘14 Q1 ‘15 Q2 ‘15 Q3 ‘15 Q4 ‘15 Q1 ‘16 Q2 ‘16 Q3 ‘16 Q4 ‘16

SNL/SAG 7.0.29 (CLS users)SAG Admin GUI enhancements (CLS users)- Improved certificate monitoring- Easier/integrated certificate management

HSM cluster enhancementSupport higher latency limit on dedicated browse HSM clusters

SNL/SAG 7.0.40SAG Admin GUI enhancements- Improved certificate monitoring- Easier/integrated certificate management - Automate recovery of group certificates

SNL/SAG 7.0.50HSM enhancements- Simplified installation process & remote set-up- Unique PED token (option)- Cluster improvements- Controlled password management

CER

TIFI

CAT

E M

AN

AG

EMEN

T SNL/SAG 7.0.50 Certificate management enhancements- Option to avoid or minimize PED functions- Fully integrated certificate management

HSM Usability Enhancements

SNL/SAG 7.0.50Enhancements Benefits

Operational efficiency • Reduce manual PED operations• Streamline certificate management through GUI• Automate group functions• No physical box access required for initial remote PED

set-up• Reduce manual steps for installation/configuration• Limit number of PED keys to manage

Risk prevention• Reduce manual errors• Enhance control on certificates lifecycle• Ability to prevent password expiry• No need to manage accounts/passwords on each box separately

within a cluster

Enhance SAG Admin GUI • Delete certificate without PED operation• Integrated partition management

Simplify HSM configuration• Default remote PED access• Unattended backup• Flexible cluster configuration

Improve account administration• Account synchronization across cluster• Controlled password management

Limit PED operations• Unified PED token • Session-based PED authentication

HSM Refresh, a multi year project

2011 2012 2013 2014 2015 2016

Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4

New hardware selection started

PSF 2014: Planning for refresh Review potential changes

End of support for IS5 HSM boxes

Deliver remaining usability enhancements(patch 7.0.50)

Design potential usability changes

Launch IS6 HSM boxes shipment

Start program preparation

Usability enhancements (patch 7.0.40)

Initial usability enhancements (patch 7.0.29)

PSF 2015: HSM refresh status update

Launch customer consultation

Deliver remaining usability enhancements(patch 7.0.50)

Updated Release Policy

Chetan Uka, Messaging Product Manager - SWIFT

Describe type (major, minor, patch), naming convention, and releases cycles.

Provides supportability and migration framework of our products

Provides information about SWIFT framework for qualifying OS and patch levels

What is the SWIFTNet and Alliance Release Policy

The SWIFTNet and Alliance Release Policy is the rule-book describing the delivery of SWIFTNet and Alliance releases.

Foster community alignment on

features, enhancements & Security updates

Technology landscape

evolving faster and continuous monitoring

(OS and COTS)

Cyber Security roadmap

Release Policy – Ensure sound Release cycle post 7.2

Security and cyber threats requires more frequent

updates

SWIFT

Why an Updated Release Policy?

Rationale for refresh

SWIFTNet and Alliance Release PolicyCollaborate with the SWIFT Community for feedback

Propose updated Release Policy

Principles

Discuss with User groups and Vendors

to incorporate there

feedback

Release 7.2 Final Release

Overview to include updates

to Release Policy

SWIFT Proposal

SWIFT Community

Updated SWIFTNet and Alliance Release Policy- Applicable as of Release 7.2

Oct2015

Nov - Feb2015/16

June2016

Release PolicyPrinciples

• Clear End of Support date defined at the availability of an annual release

Life Cycle - End of Support

• One planned release per year• Annual version supported for 2 years of maintenance and 1 year of

migration support• Hotfixes / Patches provided as needed• Each annual release can be installed without prior installed version

Concurrence of Release

• OS baseline supported for 3 years

Operating Systems

Release Policy Roadmap: how this will work ( for example, SNL/SAG)

2018 2019 2020 2021

Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4 Q1 Q2 Q3 Q4

J F M A M J J A S O N D J F M A M J J A S O N D J F M A M J J A S O N D J F M A M J J A S O N D

Primary upgrade path – upgrade to following release24 month migration period

2019 to 2022 OS Baseline

2018 to 2021 OS BaselineRelease N+1 (7.2.10)

Release N ( 7.2)

Release N+2 (7.2.20)

Release N+3 (7.2.30)

2020 to 2023 OS Baseline

Unsupported

Unsupported

2017 to 2020 OS Baseline

Secondary upgrade path - upgrade to N+2 release12 month migration period

Customer Testing Policy

Bikash Mishra, Service Manager - SWIFT

SWIFT products Vulnerability testing

Allowed

• Alliance Access• Alliance Web Platform• Alliance Gateway• SNL• SIL• AMH• HSM devices• 3SKey

Not Allowed

• Alliance Connect• SWIFT Network• SWIFT Messaging

Solutions• Business Application

Services• SWIFT web sites• 3SKey Portal, Lite2

Conditions: • No connection to SWIFT Network• Latest and supported versions of Software/Hardware

Non- SWIFT products Vulnerability testing

Allowed

• Prior Vendor agreement

• Without physical/logical connection to SWIFT

Not Allowed

• M-CPE (Managed Customer-Premises Equipment) supplied by Network Partners

Performance Test

FIN Stress

CUG Stress

Best Practices

• SWIFT Approval• Rules - Tip

2008531

• Managed by Service Administrator

• ISAE 3402 type 2 report -Tip 2208810

• Customer Testing Policy document

• System Backup

SWIFT addressing your security needs

Jithendra Manne, Service Manager – SWIFT

Exercise Time !!

Objective : Secure the Infrastructure

• Each team has a SWIFT infrastructure diagram • Brainstorm amongst your team • Mark each entity/server to be secured • Use the techniques and tools available to secure them (SWIFT /

Internal )• Highlight your challenges and needs • One person from each team to Present !!

Time starts now !!

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

IPsec• Authentication• Encryption

Remote PED

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

PKI, ED, CRL, CARA

Remote PED

PKI, SSL, SSH, FIPS 140-2 Level 3

CertifiedEncrypted, PED Keys

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

TCP Ports, FIPS 140-2 Level 3,

SSL, SSHPED Encrypted,

Passwords, Cluster Certificate

Remote PED

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

Remote PED

FW, TCP Ports

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

Remote PED

TCP Ports, FW, SSL,

SSHPED

Encrypted

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

Remote PED

Ports, FW, TLS/SSL,LAU

SAA-SAG Server Authentication

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

Remote PED

FW, Ports, SSL/TLS

SAG-AWP Server Authentication

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

Remote PED

SSL/TLS Server Authentication, HTTPS, HTTP

Proxy, FW, Ports

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

Remote PED

Ports, SSL + Server Authentication

Profiles/Operators/Passwords (SHA-256) ,

LDAP/OTP, Session Inactivity TimeOuts, SW

+ DB Integrity,

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

Remote PED

Ports, SSL + Server Authentication

Profiles/Operators/Passwords (SHA-256) ,

LDAP/OTP, Session Inactivity TimeOuts, SW

+ DB Integrity

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

Remote PED

SW Integrity , PKI Certificate,

Signing and Encryption

Threat: Steal Password or Session

Attacks

•Key logger•Session guessing•Shoulder surfing

• Session Mechanism• SSL Tunnel • Account Management

AWP-SE

• Strong Password Policy• OTP / LDAP• Account Management• Session Mechanism

SAA/SAG/SAI

• Secure Browsing PracticesUser

• Protection of System Used by Alliance Products

Customer Infrastructure

Pre

vent

ion

Threat: Data Eavesdropping

Attacks

• Phishing

• Sniffing

• SSL/TLS TunnelAWP-SE

• SSL/TLS TunnelSAA/SAG/SAI

• Secure Browsing PracticesUser

• FirewallCustomer Infrastructure

Pre

vent

ion

Customer Footprint

Third PartyInterface

AMH

Alliance Access

MQHA

SOAP

AFT

ADK WSSIPLA

Alli

ance

Web

P

latfo

rm

Web

GU

I

Alliance Connect

SNL

SNL

HS

M

Clu

ster

HS

M

Clu

ster

Third PartyInterface

Third PartyInterface

SWIFT network

AllianceGateway

RAHA

MQHA

Remote PED

SSL, LAU, Ports, FW, Digest (FA)

Threat: Data Tampering

Attacks

• Man in the Middle

• Server AuthenticationAWP-SE

• 4-eyes AuthorizationSAA/SAG/SAI

• Secure Browsing PracticesUser

• Network Segregation• Patch Management• Logical and Physical

Control• VPN

Customer Infrastructure

Pre

vent

ion

Threat: Weakness of Third Party Products

Customer InfrastructureNetwor

k Segregation

Patch Management

AWP-SEReverse Proxy DMZ

• Protect your infrastructure

Customer InfrastructureNetwork

Segregation Server

Segregation

Protection of the system

used by Alliance product

VPN

SAA/SAG/SAIPatch Management

AWP-SEPatch Management

• Protect your infrastructure

Threat: DDOS Denial of Service

Security : Best Practices

Do’s

•Updated Firewalls •Software and Security Patches•User Roles •Strict Passwords•Restart Browser sessions•Suspicious emails•Restrict unwanted traffic •Anti-Virus / Malware

Dont’s

•Internet from Alliance PCs•Keep sessions open •Saving / writing passwords•Pop-ups to install executables•Assign multiple roles•Open URLs from suspicious emails

Closing Remarks

Danny Smedley, Head of Customer Support – Americas SWIFT

April 23 •Cold Start DRI

Sept 26-29th •SIBOS Geneva

Oct 22 •Global OPC Recover Test

Nov 16 •FIN Standards Release ‘16

Upcoming Events

Your SWIFT Infrastructur

e

Health Check

s

Troubleshootin

g Training

• Be proactive about your SWIFT Infrastructure.

• Schedule your Health Checks & Troubleshooting Training early.

Getting the most out of your support package

www.swift.com