SWIFT Framework: SWIFT security and PAM

The Society for Worldwide Interbank Financial Telecommunication (SWIFT), the global banking information network, facilitates over $5 trillion in bank transfers every day. It therefore presents an extremely high value target for cyber-attackers.

SWIFT links over 11,000 financial institutions in more than 200 countries and territories. Collectively, SWIFT members exchange in excess of 15 million transaction messages per day worth a total of $5 TRILLION.

SWIFT does not handle actual funds. It sends payment orders. Nevertheless, unauthorized access to the SWIFT network could wreak havoc on a financial institution and cause potentially large financial losses.

To fend off these attackers, SWIFT provides a customer security controls framework. The framework is designed for SWIFT members to secure their SWIFT environments and to limit access, detect, and respond to security threats. Realizing the framework’s goals involves devising controls that cover issues of physical security, credentials and user identities. As a result, Privileged Access Management (PAM), which governs access to administrative back ends, is critical to the framework’s success

Privileged Access Management (PAM) is critical to the success of the entire SWIFT framework.

The SWIFT Customer Security Controls Framework 1.0

As part of its Customer Security Programme (CSP), SWIFT has published its Customer Security Controls Framework. Comprising 27 mandatory and advisory security controls, the framework is designed to establish a security baseline for the entire SWIFT community. Mandatory controls must be implemented by all users on their local SWIFT infrastructures. SWIFT requires an attestation process to ensure that members are adopting the controls.

The SWIFT Framework is based on the objectives of:

  • Secure your environment
  • Know and limit access
  • Detect and respond

The Framework identifies a number of major areas of risk, including:

  • Unauthorized sending or modification of financial transactions
  • Processing of altered or unauthorized SWIFT inbound transactions
  • Business conducted with an unauthorized counterparty
  • Confidentiality breach (of business data, computer systems or operator details)
  • Integrity breach (of business data, computer systems, or operator details)

PAM and the SWIFT Customer Security Controls Framework

Management of administrative access is essential to many of the SWIFT security controls. The Framework’s objectives, especially “Know and Limit Access” are intended to prevent unauthorized people from accessing sensitive data and messages. For example, to restrict unauthorized sending or modification of financial transactions, the institution has to be in control of who has authorization.

Similarly, being able to prevent the conducting of business with an unauthorized counterparty requires being aware of who can and cannot authorize a counterparty—and being able to track administrative sessions where counterparties have been authorized. This is the province of Privileged Access Management (PAM).

The Direct Role of PAM in Implementing Framework Controls

12 of the Framework’s 27 controls directly involve PAM. By analyzing the Control Objective for each of them, we can understand how managing privileged access will make the control effective. In addition, having the PAM logs for the implementation of these controls will aid in the attestation processes called for by the SWIFT Framework.

Indirect Role of PAM in Implementing the Framework

The controls described above are directly related to PAM. However, PAM is also relevant to virtually every other control in the Framework. The configuration of interdependent systems affects how secure they will be under the Framework controls. For example, the mandatory control 2.3 for System Hardening has the objective:

“Reduce the cyber-attack surface of SWIFT-related components by performing system hardening.”

System hardening varies from organization to organization. The process of hardening is done by privileged users. Even though the control itself is not about access or identity, PAM is actually critical for its successful execution.

Want to Know More?

You’re in luck! We’ve written an entire white paper on the role that PAM can play in implementing SWIFT. Check it out here:

SWIFT Compliance with PAM