Ekran Swift Booklet


SWIFT CUSTOMER SECURITY PROGRAMME (CSP) COMPLIANCE WITH EKRAN SYSTEM® SOFTWARE

A detailed technical brief showing how Ekran System features map to SWIFT
Customer Security Controls and presenting possible deployment schemes


Visit us at: www.ekransystem.com [email protected]


SWIFT Customer Security Programme (CSP)
Build Your SWIFT CSP Compliance with Ekran System®
Key Feature Groups
Ekran System® - A Flexible and Secure Solution
Detailed Security Controls and Ekran System® Features Mapping
Deployment Schemes
  Architecture Type A: SWIFT Infrastructure within a User Location
  Architecture Type B: SWIFT Infrastructure outside of User Location
Get More Details

SWIFT CUSTOMER SECURITY PROGRAMME (CSP)


In response to the growing threat landscape, the SWIFT organization has developed and introduced a formalized security
program for its customers. Starting December 2017, any financial organization that uses SWIFT must comply with a set
of 16 mandatory security controls and make all reasonable efforts to meet 11 advisory security controls that together
comprise the SWIFT Customer Security Controls Framework. Compliance is to be confirmed every 12 months.

To reinforce SWIFT customers’ cyber security and prevent fraud, the Framework translates industry best security
practices and guidelines into three key objectives (Secure Your Environment, Know and Limit Access, Detect and
Respond). These main objectives are further detailed in groups of technical, organizational, and educational
security controls.

Objectives and principles (with corresponding security control groups):

Objective: Secure Your Environment
1. Restrict internet access and protect critical systems from the general IT environment
2. Reduce the attack surface and vulnerabilities
3. Physically secure the environment

Objective: Know and Limit Access
4. Prevent compromise of credentials
5. Manage identities and segregate privileges

Objective: Detect and Respond
6. Detect anomalous activity to systems or transaction records
7. Plan for incident response and information sharing



BUILD YOUR SWIFT CSP COMPLIANCE WITH EKRAN SYSTEM®
The Ekran System® insider threat protection platform is your powerful ally in adopting SWIFT Customer Security
Controls.

This robust and flexible agent-based software supports a wide range of operating systems, configurations, and network
architectures, including desktops, servers, and jump servers. It supports both physical and virtual infrastructures. With
Ekran System, you can control access to your secure zone and identities of your users, monitor and record any activity
within it, get alerted to suspicious actions, and enable incident response.


KEY FEATURE GROUPS

Access Control
• Privileged account and session management (PASM)
• Temporary and one-time credentials
• Manual login approval
• Ticketing system integration with purpose validation
• Password vault

Identity Control
• Multi-factor authentication
• Secondary authentication to identify users of shared and built-in accounts

Session Monitoring and Recording
• Terminal, remote, and local session recording in indexed video format
• Searchable multi-layer text index (URLs, commands, keystrokes, applications, connected devices, etc.)
• Continuous monitoring with optional record filtering (by user, application, or URL)
• Forensic export of records

Real-time Alerting and Incident Response
• Template-based and fully customizable alerts on anomalous, suspicious, and high-risk events
• Alerts delivered in real time accompanied with relevant event context
• Manual and automated incident response actions including user warning and blocking, device blocking, and
  process termination



EKRAN SYSTEM® - A FLEXIBLE AND SECURE SOLUTION

Supported Platforms

Secure Solution

Application hardening
Detailed internal action logging
Highly-protected data storage
Encrypted communication channels

Flexible Deployment

High-availability mode
Multi-tenant and single-tenant modes
Integration with SIEM and ticketing systems
Online and offline updates, automated client updates
Self-monitoring system dashboard
Easily scalable deployments



DETAILED SECURITY CONTROLS AND EKRAN SYSTEM® FEATURES MAPPING

1. Restrict Internet Access and Protect Critical Systems from General IT Environment

1.1 SWIFT Environment Protection
Objective: Ensure the protection of the user’s local SWIFT infrastructure from potentially compromised elements of
the general IT environment and external environment.
Ekran System Role: Ekran System allows security teams to protect the SWIFT secure zone by setting up a jump server
inside the secure zone and restricting access to the server only to trusted administrators. All corresponding
Ekran System management components including the password vault can be deployed inside the secure zone, and
authentication service segregation can be implemented.

Access to resources located inside the secure zone can further be protected by installing Ekran System Clients on
them, allowing security officers to control user activity more granularly, for instance by blocking certain actions
or applications. Installed clients provide verbose logging and detection capabilities.

1.2 Operating System Privileged Account Control
Objective: Restrict and control the allocation and usage of administrator-level operating system accounts.
Ekran System Role: Ekran System provides a secondary authentication feature to identify users of shared accounts,
such as built-in administrator-level operating system accounts, based on individual credentials. This allows not
only detailed logging but also restricting and permitting access to shared accounts for specific users.

Ekran System provides two options for emergency access, avoiding use of built-in accounts: one-time passwords and
login with mandatory manual approval from a security officer. An additional level of control by purpose can be
arranged using ticketing system integration, which adds validation against open tickets.

Verbose in-depth activity monitoring delivered by Ekran System for each session started within the secure zone
allows a security team to monitor all administrator-level activity, including sudo commands and the content of
executed scripts.

1.3A Virtualisation Platform Protection
Objective: Secure virtualisation platform and virtual machines (VMs) hosting SWIFT-related components to the same
level as physical systems.
Ekran System Role: Ekran System provides out-of-the-box support for virtual environments, delivering its full
functionality for virtual machines and virtualization platforms. Additional features such as integration into
golden images and dynamic license pools simplify maintenance.

2. Reduce Attack Surface and Vulnerabilities

2.1 Internal Data Flow Security
Objective: Ensure the confidentiality, integrity, and authenticity of data flows between local SWIFT-related
applications and their link to the operator PC.
Ekran System Role: n/a

2.2 Security Updates
Objective: Minimise the occurrence of known technical vulnerabilities within the local SWIFT infrastructure by
ensuring vendor support, applying mandatory software updates, and applying timely security updates aligned to the
assessed risk.
Ekran System Role: n/a


2.3 System Hardening
Objective: Reduce the cyber attack surface of SWIFT-related components by performing system hardening.
Ekran System Role: n/a

2.4A Back-office Data Flow Security
Objective: Ensure the confidentiality, integrity, and mutual authenticity of data flows between back office (or
middleware) applications and connecting SWIFT infrastructure components.
Ekran System Role: n/a

2.5A External Transmission Data Protection
Objective: Protect the confidentiality of SWIFT-related data transmitted and residing outside of the secure zone.
Ekran System Role: n/a

2.6 Operator Session Confidentiality and Integrity
Objective: Protect the confidentiality and integrity of interactive operator sessions connecting to the local SWIFT
infrastructure.
Ekran System Role: n/a

2.7 Vulnerability Scanning
Objective: Identify known vulnerabilities within the local SWIFT environment by implementing a regular vulnerability
scanning process and act upon results.
Ekran System Role: n/a

2.8A Critical Activity Outsourcing
Objective: Ensure protection of the local SWIFT infrastructure from risks exposed by the outsourcing of critical
activities.
Ekran System Role: Ekran System allows security teams to grant secure third-party access to the secure zone without
revealing actual access credentials via its PASM functionality. All corresponding access permissions are temporary
and can be reviewed, continued, or revoked. A one-time password mechanism can be used to provide one-time access.
Ticketing system integration enables additional validation of the purpose of access.

For close contractor monitoring, access can be set up with mandatory manual login approval from a security officer
with subsequent real-time video supervision.

2.9A Transaction Business Controls
Objective: Restrict transaction activity to validated and approved counterparties and within the expected bounds of
normal business.
Ekran System Role: n/a

2.10A Application Hardening
Objective: Reduce the attack surface of SWIFT-related components by performing application hardening on the
SWIFT-certified messaging and communication interfaces and related applications.
Ekran System Role: n/a

3. Physically Secure the Environment

3.1 Physical Security
Objective: Prevent unauthorised physical access to sensitive equipment, workplace environments, hosting sites, and
storage.
Ekran System Role: Ekran System protects servers from unauthorized physical access by blocking access to or
restricting the use of USB ports. With a whitelisting option, specific USB devices, such as hardware tokens, can be
allowed. Ekran System reliably monitors, alerts about, and blocks both USB storage devices and other USB devices of
any nature.


4. Prevent Compromise of Credentials

4.1 Password Policy
Objective: Ensure passwords are sufficiently resistant against common password attacks by implementing and enforcing
an effective password policy.
Ekran System Role: n/a

4.2 Multi-factor Authentication
Objective: Prevent that a compromise of a single authentication factor allows access into SWIFT systems, by
implementing multi-factor authentication.
Ekran System Role: To enhance authorization credibility, Ekran System supports time-based one-time passwords
delivered via a mobile app when logging in to the operator PC. This gives an additional layer of protection against
credential theft.

5. Manage Identities and Segregate Privileges

5.1 Logical Access Control
Objective: Enforce the security principles of need-to-know access, least privilege, and segregation of duties for
operator accounts.
Ekran System Role: Ekran System provides a broad set of access control tools for both privileged and ordinary users.

It includes temporary credential management on a jump server via PASM functionality coupled with a secure password
vault and automated credential provisioning. One-time passwords are generated by security administrators for
one-time access scenarios. Access to a secure endpoint is given only after manual approval of this login from a
security administrator who can monitor the initiated session in real time. The purpose of access is validated via
integration with a ticketing system. These tools allow a security team to implement best practices such as
segregation of duties, four-eye control, the least privilege principle, and purpose-based access.

5.2 Token Management
Objective: Ensure the proper management, tracking, and use of connected hardware authentication tokens (if tokens
are used).
Ekran System Role: n/a

5.3A Personnel Vetting Process
Objective: Ensure the trustworthiness of staff operating the local SWIFT environment by performing personnel vetting.
Ekran System Role: n/a

5.4 Physical and Logical Password Storage
Objective: Protect physically and logically recorded passwords.
Ekran System Role: To ensure the security of passwords, Ekran System encrypts them and stores them in the Password
Vault. Users can be authenticated on endpoints through Ekran System without credentials being revealed to users.

6. Detect Anomalous Activity to Systems or Transaction Records

6.1 Malware Protection
Objective: Ensure that local SWIFT infrastructure is protected against malware.
Ekran System Role: n/a

6.2 Software Integrity
Objective: Ensure the software integrity of the SWIFT-related applications.
Ekran System Role: n/a

6.3 Database Integrity
Objective: Ensure the integrity of the database records for the SWIFT messaging interface.
Ekran System Role: n/a


6.4 Logging and Monitoring
Objective: Record security events and detect anomalous actions and operations within the local SWIFT environment.
Ekran System Role: Ekran System logs user sessions in a searchable video format, which is indexed with multilayer
metadata. This metadata includes details such as application names, visited URLs, entered commands, the contents of
started scripts, and keystrokes. Session details include remote IP addresses and host details. Session recordings
can be exported for forensic examination.

Security staff can be alerted to a potential security breach using template-based and fully configurable alert
rules, and log information can be forwarded to a SIEM system for more thorough analysis.

Changes in the Ekran System configuration are also logged. The system log is encrypted and protected by an
anti-tampering mechanism.

6.5A Intrusion Detection
Objective: Detect and prevent anomalous network activity into and within the local SWIFT environment.
Ekran System Role: n/a

7. Plan for Incident Response and Information Sharing

7.1 Cyber Incident Response Planning
Objective: Ensure a consistent and effective approach for the management of cyber incidents.
Ekran System Role: To streamline cyber incident management, Ekran System provides a centralized UI for analyzing and
reacting to detected incidents. Information about incidents can automatically be sent to a SIEM and/or a ticketing
system.

To prevent malicious or risky activity when it is detected, Ekran System provides incident response tools such as
automatic and manual session termination, application termination, user warnings, and user blocking. To streamline
incident management, Ekran System includes powerful reporting and investigation functionality.

7.2 Security Training and Awareness
Objective: Ensure all staff are aware of and fulfil their security responsibilities by performing regular security
training and awareness activities.
Ekran System Role: n/a

7.3A Penetration Testing
Objective: Validate the operational security configuration and identify security gaps by performing penetration
testing.
Ekran System Role: n/a

7.4A Scenario Risk Assessment
Objective: Evaluate the risk and readiness of the organisation based on plausible cyber attack scenarios.
Ekran System Role: n/a



DEPLOYMENT SCHEMES

Architecture Type A: SWIFT Infrastructure within a User Location


Architecture Type B: SWIFT Infrastructure outside of a User Location



GET MORE DETAILS

Contact us

SWIFT sales: [email protected]


General inquiries: [email protected]
Partner program: [email protected]

www.ekransystem.com
