The SWIFT Customer Security Controls Framework (CSCF) was created to help customers work out which controls are needed to better secure their SWIFT environment. The framework is broken down into objectives, principles, and controls. The three objectives are “Secure your Environment”, “Know and Limit Access”, and “Detect and Respond”.
Customers interested in exploring VMware product alignment with the SWIFT framework should evaluate the end-to-end solution. This includes VMware products as well as the other technologies that support a customer’s SWIFT platform. The following is a high-level alignment of some of the SWIFT framework controls with VMware products.
VMware Product Alignment with SWIFT Objectives
Restrict internet access & Protect Critical Systems from General IT Environment
As part of a SWIFT deployment, a secured, segregated zone must be created. This zone contains the SWIFT infrastructure used for all SWIFT transactions. The two SWIFT principles discussed here are:
- Protect Critical Systems from General IT Environment
- Detect Anomalous Activity to Systems or Transaction Records
These controls must be enforced on the SWIFT infrastructure. SWIFT requires that traffic between the general IT environment and the SWIFT zone be restricted to the minimum needed, and that the customer protect and monitor all systems in the zone for compromise.
Building an architecture that meets the Protect Critical Systems from General IT Environment requirement can be challenging. The principle calls for a stateful firewall to segment traffic into and out of the zone, with every permitted port and communication path limited to what is needed and the rule set reviewed at least annually. It also recommends, as an optional measure, that organizations restrict communication between the components inside the SWIFT environment (micro-segmentation).
Figure 1: Architecture A-1 Full Stack within the user Location
With VMware NSX®, customers can meet this requirement and the optional recommendations. NSX provides a stateful firewall to segment the SWIFT environment from the rest of the organization, and its distributed firewall also lets users segment the components within the SWIFT zone from one another, which limits lateral movement if one component is compromised. NSX’s application-level protocol validation makes it harder for an attacker to tunnel unrelated traffic over an approved port. Since NSX is implemented in software, customers do not need to purchase a dedicated firewall appliance for the SWIFT zone. Whatever enforces the boundary, the permitted flows should be documented and the rule set checked for overly broad and shadowed rules as part of the annual review.
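The following is an added example, not code from the SWIFT framework or from VMware, showing the kind of rule-set review the principle asks for: first-match evaluation with default deny, plus an audit that flags allow rules too broad for the boundary, unrestricted intra-zone traffic (the micro-segmentation gap), and rules shadowed by an earlier match. Zone names such as `general` and `swift-jump`, the `swift-` prefix convention, and the ports used are assumptions chosen for illustration.

```python
"""Audit of a zone-segmentation policy (added example, not SWIFT or VMware code).

Assumptions: zone names are plain strings, every zone inside the secure SWIFT
zone is named "swift-<role>", the general IT zone is "general", rules are
evaluated first-match, and any flow no rule matches is denied.
"""
from dataclasses import dataclass
from typing import List, Tuple, Union

ANY = "any"
GENERAL = "general"        # assumed name of the general IT zone
SWIFT_PREFIX = "swift-"    # assumed naming convention for zones inside the secure zone


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # zone name or ANY
    dst: str                  # zone name or ANY
    proto: str                # "tcp", "udp" or ANY
    port: Union[int, str]     # port number or ANY
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    port: int


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule field of ANY matches anything; otherwise it must be equal."""
    pairs = ((rule.src, flow.src), (rule.dst, flow.dst),
             (rule.proto, flow.proto), (rule.port, flow.port))
    return all(r == ANY or r == f for r, f in pairs)


def decide(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation with an implicit default deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-default-deny"


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every flow `inner` could match is already matched by `outer`."""
    pairs = ((outer.src, inner.src), (outer.dst, inner.dst),
             (outer.proto, inner.proto), (outer.port, inner.port))
    return all(o == ANY or o == i for o, i in pairs)


def in_swift_zone(zone: str) -> bool:
    return zone.startswith(SWIFT_PREFIX)


def audit(rules: List[Rule]) -> List[str]:
    """Return findings a reviewer should resolve before signing off the rule set."""
    findings = []
    for index, rule in enumerate(rules):
        if rule.action == "allow":
            if rule.src == ANY and rule.dst == ANY:
                findings.append(f"{rule.name}: any-to-any allow removes the zone boundary")
            elif (rule.src in (ANY, GENERAL)
                  and (rule.dst == ANY or in_swift_zone(rule.dst))
                  and (rule.proto == ANY or rule.port == ANY)):
                findings.append(f"{rule.name}: unrestricted service allowed from general IT into the SWIFT zone")
            elif (in_swift_zone(rule.src) and in_swift_zone(rule.dst)
                  and (rule.proto == ANY or rule.port == ANY)):
                findings.append(f"{rule.name}: unrestricted traffic between SWIFT components (micro-segmentation gap)")
        # A rule fully covered by an earlier one is dead: first-match never reaches it.
        for earlier in rules[:index]:
            if covers(earlier, rule):
                findings.append(f"{rule.name}: shadowed by {earlier.name}, never evaluated")
                break
    return findings


# Constructed sample policies; zone names and ports are illustrative only.
WEAK_POLICY = [
    Rule("allow-ops-any-tcp", GENERAL, "swift-operator", "tcp", ANY, "allow"),
    Rule("allow-intra-swift", "swift-operator", "swift-messaging", ANY, ANY, "allow"),
    Rule("deny-general-in", GENERAL, ANY, ANY, ANY, "deny"),
    Rule("deny-ops-telnet", GENERAL, "swift-operator", "tcp", 23, "deny"),
]

HARDENED_POLICY = [
    Rule("allow-ops-to-jump", GENERAL, "swift-jump", "tcp", 3389, "allow"),
    Rule("allow-jump-to-operator", "swift-jump", "swift-operator", "tcp", 3389, "allow"),
    Rule("allow-operator-to-gateway", "swift-operator", "swift-gateway", "tcp", 443, "allow"),
    Rule("deny-general-in", GENERAL, ANY, ANY, ANY, "deny"),
    Rule("deny-everything-else", ANY, ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}: {audit(policy) or ['no findings']}")
    print(decide(WEAK_POLICY, Flow(GENERAL, "swift-operator", "tcp", 23)))
    print(decide(HARDENED_POLICY, Flow(GENERAL, "swift-gateway", "tcp", 443)))
```

The weak policy shows why ordering matters: the telnet deny is never reached because an earlier allow on every TCP port already matches, so the audit reports it as shadowed. The hardened policy names every permitted flow by port, routes operator access through a jump zone, and ends with explicit denies, so the audit returns nothing.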
For Detect Anomalous Activity to Systems or Transaction Records, customers can use VMware AppDefense to protect their systems from unknown processes and compromise. AppDefense lets customers lock down the applications running within the SWIFT zone by enforcing that only approved executables can run and communicate. It learns how the applications run and communicate, then alerts on, or reacts to, anything outside those known parameters, which filters out noise and surfaces real issues. One caveat: the baseline is only as trustworthy as the system it was learned from, so the learning period must run on a known-clean build, and later changes to the baseline should go through change control.
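The following is an added example, not AppDefense code or any VMware API, showing the two checks the paragraph describes as plain detection logic: an integrity check of executables against a learned hash baseline, and an allowlist of process-to-destination connections learned during a known-good period. The event format, the `/opt/swift/bin/...` paths, the placeholder binary contents and the destination zones are all constructed for the example.

```python
"""Behavioural allowlisting for the secure zone (added example, not AppDefense code).

Assumptions: each protected host reports "exec" events carrying the executable
path and its SHA-256, and "connect" events carrying the process, destination
zone and port. The baseline is learned from approved binaries and from the
connections observed during a known-clean learning period.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Connection = Tuple[str, str, int]   # (process path, destination zone, port)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Baseline:
    executables: Dict[str, str]     # path -> expected SHA-256
    connections: Set[Connection]


@dataclass(frozen=True)
class Event:
    kind: str         # "exec" or "connect"
    process: str
    sha256: str = ""  # exec events only
    dst: str = ""     # connect events only
    port: int = 0


def learn_baseline(binaries: Dict[str, bytes], observed: Iterable[Connection]) -> Baseline:
    """Hash the approved binaries and record the connections seen while learning."""
    return Baseline({path: sha256(data) for path, data in binaries.items()}, set(observed))


def evaluate(baseline: Baseline, events: Iterable[Event]) -> List[str]:
    """Return one alert per event that falls outside the learned behaviour."""
    alerts = []
    for event in events:
        if event.kind == "exec":
            expected = baseline.executables.get(event.process)
            if expected is None:
                alerts.append(f"unknown executable started: {event.process}")
            elif expected != event.sha256:
                # Known path, wrong content: the binary was replaced or patched on disk.
                alerts.append(f"integrity failure: {event.process} hash {event.sha256[:12]} "
                              f"does not match baseline {expected[:12]}")
        elif event.kind == "connect":
            if (event.process, event.dst, event.port) not in baseline.connections:
                alerts.append(f"unexpected connection: {event.process} -> {event.dst}:{event.port}")
        else:
            alerts.append(f"unrecognised event kind {event.kind!r} from {event.process}")
    return alerts


# Constructed stand-ins for approved binaries; the bytes are placeholders, not real software.
APPROVED_BINARIES = {
    "/opt/swift/bin/messaging": b"messaging build 1",
    "/opt/swift/bin/gateway": b"gateway build 1",
}
LEARNED_CONNECTIONS = [
    ("/opt/swift/bin/messaging", "swift-gateway", 443),
    ("/opt/swift/bin/gateway", "swift-messaging", 443),
]
BASELINE = learn_baseline(APPROVED_BINARIES, LEARNED_CONNECTIONS)

# Constructed telemetry: two normal events, then a tampered binary, an unknown
# binary, and a connection the messaging process never made during learning.
SAMPLE_EVENTS = [
    Event("exec", "/opt/swift/bin/messaging", sha256=sha256(b"messaging build 1")),
    Event("connect", "/opt/swift/bin/messaging", dst="swift-gateway", port=443),
    Event("exec", "/opt/swift/bin/gateway", sha256=sha256(b"gateway build 1 + implant")),
    Event("exec", "/tmp/.cache/update", sha256=sha256(b"dropper")),
    Event("connect", "/opt/swift/bin/messaging", dst="general", port=4444),
]

if __name__ == "__main__":
    for alert in evaluate(BASELINE, SAMPLE_EVENTS):
        print(alert)
```

The two normal events produce nothing; the other three each produce one alert. Because the connection allowlist is keyed on the process as well as the destination, a legitimate destination reached by the wrong process is still flagged, which is the property that makes this kind of baseline useful against a compromised but "approved" binary.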
| VMware Product | Product Capability | SWIFT Control |
|---|---|---|
| NSX | Boundary protection via stateful firewall | 1.1c 1 |
| NSX | Restricting communication between components in the secure zone | 1.1c 2 |
| AppDefense | Integrity checks of software | 6.2 |
| AppDefense | Alert/detect anomalous activity | 6.4 |
VMware can help customers better secure their SWIFT environment, their data center, and their clouds. Security features are present throughout the VMware stack, with NSX and AppDefense at the top of that list. To learn more about VMware’s security capabilities, reach out to your local account team.
VMware’s security and compliance team works constantly with customers and auditors to help customers meet their security and compliance needs. The VMware security blog has a treasure trove of information.
Disclaimer: This document is intended to provide general guidance for organizations that are considering VMware solutions to help them address compliance requirements. The information contained in this document is for educational and informational purposes only. This document is not intended to provide regulatory advice and is provided “AS IS,” without warranty of any kind. VMware makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of the information contained herein. Organizations should engage appropriate legal, business, technical, and audit expertise within their specific organization for review of regulatory compliance requirements.