
SWIFT 7.2 & Customer Security

Date post: 31-Jan-2018
Upload: trinhnga

SWIFT 7.2 & Customer Security

Providing choice, flexibility & control.


© Oliver Wyman

Patricia Hines, CTP

Senior Analyst, Corporate Banking

Celent

SWIFT 7.2 UPGRADE: WHAT DO YOU NEED TO KNOW?

DECEMBER 6, 2017


SWIFT 7.2 Upgrade: What’s Happening?

• SWIFT is upgrading the Alliance product suite, including:
– Alliance Access 7.2
– Alliance Entry 7.2
– Alliance RMA 7.2
– Alliance Gateway 7.2
– Alliance Remote API 7.2
– SWIFTNet Link 7.2
– Alliance Web Platform 7.2
• Introduction of 64-bit architecture and new operating system requirements: AIX 7.2, Red Hat Enterprise Linux (RHEL) 7.2, Oracle Solaris 11.3, and Windows Server 2016
• This mandatory upgrade is necessary “to continue to provide a highly secure and efficient SWIFT service for our customers in the years ahead” – SWIFT

Source: SWIFT Website


Why is SWIFT Updating its Release Policy Principles?

• Cyber threats and security vulnerabilities require more regularly released security updates
• Formerly, security updates were combined with functional updates, on an ad hoc basis
• Release Policy Principles:
– Clear end of support dates will be defined at the availability of an annual release
– One planned release per year (aligned with message standards release)
– Annual version supported for 2 years of maintenance and 7 months of migration support
– And more…
• Mandatory security updates will be issued once per year, with possible quarterly releases (if required)

Source: SWIFT Premium Forum Americas, New York City, May 1st 2017


SWIFT 7.2 Upgrade: What is the Impact?

• The mandatory SWIFT 7.2 upgrade and technology refresh require:
– Upgrading SWIFT software components
– Upgrading the operating system software baseline and moving to 64-bit
– Evaluation and potential upgrade of existing hardware
– Significant systems and user acceptance testing
– New hardware model for HSM and 3SKey tokens
• Full impact cannot be determined without a detailed gap analysis

Source: SWIFT Website


SWIFT: What Else is Happening?

• SWIFT Accord services decommissioned October 2017
• Customer Security Programme (CSP) compliance attestation required by December 31, 2017
• SWIFT 2017 MT (FIN) and MX Maintenance Release required by November 17, 2018
• SWIFT FileAct Enhancements
• SWIFT 2018 MT (FIN) and MX Maintenance Release required by November 2019 (New SWIFT Trade Messages)


SWIFT Updates: What is the Timeline?

[Timeline figure. Milestones shown: 7.2 Preliminary Release Overview; 7.2 General Distribution; SWIFT MT Release 2018 Issued; FileAct Enhancements; SWIFT MT & MX Release 2018 Live; SWIFT 7.2 Upgrade Mandatory Completion. Dates shown: Sept 2015, Aug 2017, Dec 2017, Nov 2018.]


SWIFT 7.2 & Customer Security

Providing choice, flexibility & control.


Planning for 7.2

• Upgrade all SWIFT Applications
• Change environment
– Hardware
– OS
– MQ
• Changes to comply with Customer Security Controls


We understand your challenges…

• How does it impact you (in-house)?
– Services to upgrade SWIFT Applications
– Costs of replacing OS
– Evaluation of hardware replacement
– Customer Security controls changes
• How does it impact you (Service Bureau)?
– Supporting vendor through testing of new platform
– Customer Security controls changes


What are your options?

2 Options:
1) Currently in-house:
- Stay in-house
- Outsource all or part of the infrastructure
2) Currently outsourced:
- Stay outsourced
- Move in-house

PayCommerce well-positioned to support both options
– SWIFT Certified Specialists (for in-house)
– SWIFT Certified Service Bureau


SWIFT Architecture

Connectivity


SWIFT Connectivity and Messaging Overview

[Architecture diagram. Components shown: SWIFT messaging interface (SAA); SWIFT Alliance Gateway (SAG) & SNL; back-office integration with SAA; manual end-users of SAA; firewall; Hardware Security Module; VPN appliances; VPN tunnel over Internet or leased line(s); SWIFT Web Platform (SWP). Panel labels: Connectivity, Messaging.]


Service Bureau Outsourcing Options

1. Shared Services
• Multi-tenant Service Bureau
2. Connectivity
• SAA and non-SWIFT messaging support
3. Dedicated Services
• Single tenant, dedicated network / servers for messaging interface


SWIFT 7.2 Upgrade – FileAct Enhancements

• Functionality
– 2 GB file size supported (previously 250 MB)
• Resilience
– Automatic resume of interrupted file transfers
– “Unknown” status requiring manual intervention eliminated
• Efficiency
– Logical file name returned in delivery notification for reconciliation
– Ability to use all available bandwidth
– No limit on number of concurrent transfers
– Dynamic control of concurrent transfers
• Cannot change to production w/o SWIFT authorization
– Remote file handler, SNL & SAG 7.0.50 mandatory.
– Not all users are compliant.


Changes in MQ

SAA Interface changes
– Only MQ Client supported, not MQ server

MQ Client Version supported
– 8.0.0.6 except …
– 8.0.0.8 on Windows
– IBM released MQ 9.0 on June 2, 2016
– MQ 9.0 will not be supported for 2 to 3 years


7.2 Upgrade Process

Planning
– Involve Business, IT & Security teams
– SWIFT Best practice check tool (34 checks)
– Decisions on hardware, OS, security, outsourcing
– Budget approvals

Preparation
– Checklists (comprehensive checklist is 13 pages)
– Customized for each customer
– Confirmation that a checklist item has been completed
– How we can help

Execution
– Upgrade
– Test
– Go live


The Deadline

November 30, 2018
– Will lose the ability to transact over SWIFT if migration not completed

Migration window
– SWIFT allows 15 months
– Out of 15 months, 3 are already over
– So only 12 (or more likely 11) months remaining

Resources
– The closer you get to November 30, the scarcer vendor resources will be
– November is also the 2018 message standards release
– Plan now!!
– Execute ahead of deadline


Service Bureau Timeline

Test Environment
– March 31, 2018
– 7.2 test environment available in parallel with 7.1

Production Environment
– September 30, 2018
– Go live dependent on SWIFT confirmation for FileAct


Alliance Products – Compatibility

• HSM Box
– IS6 (No change)
– Software version 6.1 compatible with SNL 7.0.50
– Remote PED Firmware to 2.7.0-3
– Remote PED WorkStation software to 7.2.0.1
• HSM Tokens
– New, requires SNL 7.2.
• SNL & SAG must be installed together
– Compatible with SAA / SAE 7.1.x
• SAA 7.2
– Requires SAG / SNL 7.2
– Any applications that use ADK must also be upgraded
• AWP 7.2 required for all 7.2 products


Alliance Products – Upgrade Roadmap

• General Principles
– Set up new environment: must get new hardware
– Install new OS
– Install Alliance software and import data
• Upgrade Path
– If HSM box, upgrade HSM software, Remote PED firmware, workstation software
– Install AWP 7.2 (but retain older AWP version)
– Install SNL and SAG together
– If HSM token, install HSM token
– Install SAA / SAE
– Decommission older AWP version.


Customer Security

• CSP and SIP
– Customer Security Program (CSP) is for SWIFT customers
– Shared Infrastructure Program (SIP) is for Service Bureaux
– SIP is more extensive with on-site audit (60+ controls)
– SIP being explicitly aligned with CSP in 2018
• Deadlines and SWIFT Actions for CSP

Event                      Deadline       SWIFT Action
Self-attestation           Dec 31, 2017   Local regulators or supervisory authorities informed
Compliance with controls   Dec 31, 2018   Local regulators or supervisory authorities informed


What You Need to Do for Self-Attestation

• Collect Data
– Baseline document available to help you with what data you have to collect
• Enter into self-attestation application on swift.com
– Part of SWIFT’s KYC Registry
– This application is non-trivial.
• Where you can get help
– [email protected], 540-825-6056
– JOHNSTON Jonathan [email protected]
– PayCommerce


What’s your architecture?

• A1: Full Stack
• A2: Partial Stack (Messaging in-house, Connectivity Outsourced)
• A3: Software application to facilitate communication
• B: No local footprint


How many Controls are Applicable

            Architecture A   Architecture B
Mandatory   16               11
Advisory    11               9
Total       27               20


Service Bureau: Architecture A3 or B?

• User interface (B)
• MQ (B)
• File Transfer Application: Do you consider this middleware?
– Yes: B
– No: A3
• SWIFT or PayCommerce cannot make this decision
– Your judgment and interpretation of the framework


How PayCommerce can help - 1

• Not for distribution

#         Name                                             Description
1.1    A  SWIFT Environment Protection                     “Secure Zone” implementation
2.1    A  Internal Data Flow Security                      Data flows between SWIFT applications
2.2    B  Security Updates                                 SWIFT application patches
2.4A   B  Back-office data flow security                   TLS, LAU implementations
2.6A   B  Operator Session Confidentiality and Integrity   https, lock-out feature
2.9A   B  Transaction Business Controls                    RMA, Reconciliation, limit LT logins.
4.1    B  Password Policy                                  For SWIFT applications
4.2    B  Multi-factor authentication                      For SWIFT applications
5.1    B  Logical Access Controls                          Least privilege, segregation of duties, 4-eyes for SWIFT applications
6.2    A  Software Integrity                               For SWIFT applications
6.3    A  Database Integrity                               For SWIFT Applications
6.4    B  Logging and Monitoring                           Event Journal, Automated alerting


How PayCommerce can help - 2

#         Name                               Description
2.7A   B  Vulnerability Scanning             Vulnerabilities within SWIFT environment
6.5A   A  Intrusion Detection                Network activity tracked for intrusion
7.1    B  Cyber Incident Response Planning   Reviewed annually and tested once in 2 years
7.3A   B  Penetration Testing                Application, host and network testing


Thank You

