Control Definition
Control Objective: Secure the virtualisation platform and virtual machines (VMs) that host SWIFT-related components to the same level as physical systems.
In-scope components:
- Local or remote (hosted or operated by a third party, or both) virtualisation platform (also referred to as the hypervisor) and VMs used to host any of the following SWIFT-related components:
- messaging interface
- communication interface
- GUI
- SWIFTNet Link
- SWIFT and customer connector
- jump server
- dedicated and general-purpose operator PCs
- firewalls
- [Advisory A1/A2/A3: Middleware server (such as an IBM® MQ server or similar) used for data exchange between back-office and SWIFT-related components]
- [Advisory A4: Middleware server (such as an IBM® MQ server or similar), other than the customer connector, used for data exchange between back-office and SWIFT-related components]
- Alliance Connect Virtual VPN instance
Note: This requirement is not applicable when there is no local or remote virtualisation platform and no VMs are used to host the SWIFT-related components listed above.
Risk Drivers:
- unauthorised access
- uncontrolled proliferation of systems and data
Implementation Guidance
Control Statement:
Secure the virtualisation platform, virtualised machines, and the supporting virtual infrastructure (such as firewalls) to the same level as physical systems.
Control Context:
Security controls that apply to non-virtualised (physical) systems are equally applicable to virtual systems. The additional virtualisation layer needs extra attention from a security perspective. The uncontrolled proliferation of VMs could lead to unaccounted machines, with the risk of unmanaged, unpatched systems being open to unauthorised access to data.
If appropriate controls have been implemented at this underlying layer, then SWIFT does not limit the use of virtual technology for any component of the local SWIFT infrastructure or the associated supporting infrastructure (for example, virtual firewalls).
Implementation Guidelines:
The implementation guidelines are common methods to apply the relevant control. The guidelines are a helpful way to begin an assessment, but should never be considered an "audit checklist", as each user's implementation may vary. Therefore, in cases where some implementation guideline elements are not present or only partially covered, mitigations as well as particular environment specificities must be considered to properly assess the overall compliance adherence level (as per the suggested guidelines or as per the alternatives).
When relying on a third party for the underlying virtualisation platform, the user must engage with the third party to obtain reasonable comfort that the control objective is met.
- The same security requirements apply to the virtualisation platform, virtual machines, and supporting virtual infrastructure as to all other infrastructure systems and components. Those security requirements cover, for example, location in an existing secure zone that has controls similar to those applicable to the SWIFT or customer secure zone, privileged access restrictions, login and password policies, installation of security updates, and restriction of internet access. Those controls apply to the virtualisation platform identified in the In-scope Components section.
- Vulnerability scanning is performed on SWIFT-related VMs and, when technically possible, on the virtualisation platform.
- The virtualisation platform hosts are subject to physical protection, which prevents unauthorised physical access.
- VM isolation is ensured on the virtualisation platform to prevent lateral movement out of a virtual machine, whether to access or interact with other VMs (or the underlying hypervisor), to bypass the normal network controls that filter or inspect connections to the SWIFT environment, or both.
- Filtering and the expected inspection of the network flows that reach the SWIFT-related VMs are preferably performed by resources external to the virtualisation platform (such as firewalls, packet inspection, or content filtering); otherwise they must be enforced at the hypervisor level.
- If isolation is ensured on the virtualisation platform, then the other VMs hosted on it can keep their own security classification and be individually secured accordingly (as such, they do not inherit the classification of the SWIFT-related VMs and are not subject to all SWIFT-related controls).
- When multi-factor authentication is implemented for interactive access to the SWIFT-related VM operating systems (in line with control 4.2) and also prevents direct access to those VMs from the hypervisor layer, then multi-factor authentication is not mandatory at the virtualisation platform management level.
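The risk driver behind these guidelines is uncontrolled VM proliferation: a VM that exists on the hypervisor but not in the asset register is, by definition, unmanaged and unpatched. A practical first check is to reconcile the platform's own VM inventory against the register and flag deviations from the guidelines above. The following script is an added example, not SWIFT's or any vendor's code. Both inputs are constructed CSV snippets standing in for a hypervisor inventory export and an asset register export; the column names, VM names, network name and the 60-day patch threshold are assumptions for the example.

```python
"""Reconcile a hypervisor VM inventory against the approved asset register.

Added example; not part of the control text. Input data is constructed and the
column names (vm_name, host, network, power_state, classification, last_patched)
are assumptions. Adapt the loaders to your hypervisor's real export format.
"""
import csv
import io
from datetime import date

# Constructed hypervisor export: every VM the platform actually holds,
# powered on or not (a powered-off clone is still an unmanaged image).
HYPERVISOR_EXPORT = """\
vm_name,host,network,power_state
swift-msgif-01,esx-secure-01,swift-secure-zone,poweredOn
swift-commif-01,esx-secure-01,swift-secure-zone,poweredOn
swift-jump-01,esx-secure-02,swift-secure-zone,poweredOn
swift-msgif-01-clone,esx-secure-02,swift-secure-zone,poweredOn
swift-test-old,esx-secure-02,swift-secure-zone,poweredOff
swift-gui-01,esx-secure-02,corp-lan,poweredOn
hr-payroll-03,esx-general-04,corp-lan,poweredOn
"""

# Constructed asset register: the VMs that are approved, classified and tracked.
ASSET_REGISTER = """\
vm_name,classification,last_patched
swift-msgif-01,swift,2024-05-02
swift-commif-01,swift,2024-05-02
swift-jump-01,swift,2024-01-15
swift-gui-01,swift,2024-05-02
hr-payroll-03,general,2024-04-30
swift-snl-01,swift,2024-05-02
"""

SECURE_ZONE_NETWORKS = {"swift-secure-zone"}  # assumed name of the secure-zone port group
PATCH_MAX_AGE_DAYS = 60                        # assumed local patch-window policy
REPORT_DATE = date(2024, 6, 1)                 # fixed so the example is reproducible


def load_csv(text):
    """Parse a CSV export into a dict keyed by VM name."""
    return {row["vm_name"]: row for row in csv.DictReader(io.StringIO(text))}


def reconcile(hypervisor_csv, register_csv, today,
              secure_networks=SECURE_ZONE_NETWORKS, max_age_days=PATCH_MAX_AGE_DAYS):
    """Return findings mapping each guideline breach to the VMs involved."""
    running = load_csv(hypervisor_csv)
    registered = load_csv(register_csv)
    findings = {
        # On the platform but unknown to the register: proliferation.
        "unaccounted": sorted(set(running) - set(registered)),
        # In the register but not on the platform: stale record, investigate.
        "missing": sorted(set(registered) - set(running)),
        # SWIFT-classified VMs whose last patch is older than the window.
        "stale_patch": [],
        # SWIFT-classified VMs attached to a network outside the secure zone.
        "outside_secure_zone": [],
    }
    for name, reg in registered.items():
        if reg["classification"] != "swift" or name not in running:
            continue
        age_days = (today - date.fromisoformat(reg["last_patched"])).days
        if age_days > max_age_days:
            findings["stale_patch"].append((name, age_days))
        network = running[name]["network"]
        if network not in secure_networks:
            findings["outside_secure_zone"].append((name, network))
    return findings


def run_report():
    """Run the reconciliation over the constructed inputs at REPORT_DATE."""
    return reconcile(HYPERVISOR_EXPORT, ASSET_REGISTER, REPORT_DATE)


if __name__ == "__main__":
    for category, items in run_report().items():
        print(f"{category}: {items if items else 'none'}")
```

Every non-empty category is an assessment finding: an unaccounted VM needs either registration and hardening or deletion, a missing VM needs its register entry reviewed, and a SWIFT VM on a non-secure-zone network contradicts the zone placement expected by the first guideline. Powered-off VMs are deliberately not filtered out, since they can be powered on or cloned without any patching having occurred.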