Customer Requirements
Isolate SWIFT systems and restrict Internet access
Real-time mapping of all SWIFT network assets and communications
Prevent credentials from being compromised
Protect against horizontal L2-L4 network attacks
Non-disruptive solution with no changes to the underlay network
Solution
Micro-segmentation and native end-to-end encryption across the LAN, WAN, and cloud
Isolated and encrypted overlay networks that restrict Internet access
Maps all systems and associated communications across SWIFT environment
Real-time attack mitigation and resource failover across the LAN and WAN
Confidentiality, integrity, and authenticity of data flows
Replaced internal firewalls
Benefits
Simplifies CSP compliance reporting
Reduces attack surface and vulnerabilities
Prevents credentials from being compromised
Ensures local SWIFT infrastructure is protected against malware
Overview
A leading universal bank serves corporate and retail clients through a network of over 8,000 branches and nearly 3,000 ATMs. In preparation for new regulations from the Society for Worldwide Interbank Financial Telecommunications (SWIFT), the bank needed new security controls to segment and safeguard regulated applications across their IT environment.
SWIFT produced a compliance framework, the Customer Security Program (CSP). CSP includes mandatory segmentation to safeguard local SWIFT environments from the broader enterprise and external environment.
Challenges
On top of providing the necessary micro-segmentation controls to adhere to SWIFT’s CSP, the bank needed a solution that worked seamlessly with its existing infrastructure—no rip and replace—and was quick to deploy.
The Solution
Upon evaluation of various network segmentation alternatives, the bank realized that the cost and complexity of meeting CSP requirements by deploying, maintaining, and auditing traditional IT solutions was impractical.
Complex audits of individual firewall rules, ACLs, and VLANS would be unsustainable and multifactor authentication is way too complex for users. Furthermore, because of the complexity and expertise required to restrict routes, deploy nested firewall rules, and restrict port forwarding across hundreds of subnets within a multi-NAT environment, deployment time for one site was estimated to take 50 days using traditional IT technologies.
Instead, the bank chose Tempered Networks’ Identity Defined Networking (IDN) solution that made it simple to create zero trust overlay networks to securely connect, protect, and micro-segment any device, workload, or endpoint regardless of network or location. IDN gave the bank a simple path to comply with CSP controls, connecting critical SWIFT systems--even unrouteable ones--easily.
IT staff at the bank can securely connect and isolate their SWIFT systems from the general IT network, easily. With Tempered Networks, their SWIFT environment is isolated across its own encrypted and segmented overlay network that can’t be violated. With IDN, the bank deployed in less than a day because the creation of an encrypted overlay network can be performed in minutes.
"Tempered Networks gave us a way to easily create segmented networks and real-time visibility of all systems in our SWIFT environment. Now our organization can quickly and easily generate reports about what is functioning inside our SWIFT environment and how it is being protected."
Point-and-Click Segmentation of SWIFT Environment
The bank can transparently connect and control communications to, out of, and within its SWIFT environment to just the necessary systems that SWIFT requires to function. Boundary and host-level segmentation are both essential to the SWIFT security program’s first and most foundational control: SWIFT environment segregation.
Real-Time Mapping of All SWIFT Network Assets
The bank now has real-time maps of all systems that are part of its SWIFT overlay environment. The real-time mapping gives them insight into the always-on security as well as verification of real-time mitigation activities, which are critical steps to securing SWIFT.
Fast Deployment With Low TCO
The bank can transparently connect and control communications to, out of, and within its SWIFT environment to just the necessary systems that SWIFT requires to function. Boundary and host-level segmentation are both essential to the SWIFT security program’s first and most foundational control: SWIFT environment segregation.
Summary
Using Tempered Networks’ unique identity-first approach for micro-segmentation, the bank has gained host-level security control and has successfully isolated and restricted Internet access to SWIFT systems. The IDN solution enabled the bank to easily achieve the necessary controls and compliance for SWIFT CSP, without disruption to existing infrastructure.