Control Definition
Control Objective: Control/Protect Internet access from operator PCs and systems within the secure zone.
In-scope components:
- dedicated and general-purpose operator PCs
- jump server
- [Advisory A1/A2/A3: Middleware server (such as an IBM® MQ server or similar) used for data exchange between back-office and SWIFT-related components]
- [Advisory A4: other Middleware server (such as an IBM® MQ server or similar) than customer connector used for data exchange between back-office and SWIFT-related components]
- [Advisory: Local or remote (hosted or operated by a third party, or both) Virtualisation platform (also referred to as the hypervisor) and their management PCs]
- messaging interface
- communication interface
- GUI
- SWIFTNet Link
- SWIFT and customer connector
Risk Drivers:
- exposure to internet-based attacks
Implementation Guidance
Control Statement:
All general-purpose and dedicated operator PCs, as well as systems within the secure zone, have controlled direct internet access in line with business.
Control Context:
Direct access to the Internet raises exposure to internet-based attacks. The risk is even higher where human interaction is permitted (browsing, e-mail, or other social network activities). Once compromised, those systems can serve as an entry point that allows lateral movement, injection of command-and-control elements, or both.
While reducing the attack surface and vulnerabilities of those systems (as per the relevant controls identified in this document) is essential, limiting and controlling direct Internet access is crucial.
Besides (general) operator PCs that connect to SWIFT-related services or applications offered by service providers (such as SWIFT in the case of Alliance Lite2 or Alliance Cloud, a Service Bureau, or an L2BA provider), due diligence must be applied to secure (general) operator PCs used to access local interfaces or GUIs. Insecurely combining access to the “production environment” and the Internet could be abused by attackers.
Implementation Guidelines:
The implementation guidelines are common methods to apply the relevant control. The guidelines are a helpful way to begin an assessment, but should never be considered an "audit checklist", as each user’s implementation may vary. Therefore, where some implementation guideline elements are absent or only partially covered, mitigations and the specificities of the particular environment must be considered to properly assess the overall level of compliance (as per the suggested guidelines or as per the alternatives).
a) Internet access from the secure zone
- General-purpose internet browsing (including e-mail activities) from systems within the SWIFT or customer secure zone is not permitted.
- Internet access from systems within the secure zone (for example, dedicated operator PCs or other SWIFT-related components) is highly restricted and ideally should be blocked.
- When possible, activities that require the Internet are conducted outside of the secure zone. Example activities may include conducting daily business on swift.com, or downloading security updates for secure transfer into the secure zone.
- If internet access is needed from within the secure zone, then access should be granted only to allow-listed URL destinations through a proxy with content inspection and adequate blocking or filtering controls. Connections are only permissible if they are initiated in the outbound direction.
- As the entry point into the secure zone, the jump server (located within the secure zone or another existing secure zone that has similar controls) does not have internet access.
b) Internet access from general-purpose operator PCs
- Control internet access provided on the general-purpose operator PCs used for the following purposes:
  - Connect to an application at the service provider (user-to-application) to process financial transactions.
  - Access a messaging or communication interface through a browser-based GUI (for example, Alliance Web Platform). Control access through one of the following options:
    - internet access through a remote desktop or virtual machine solution
    - internet access from the general-purpose operator PC to only allow-listed URL destinations through a proxy with content inspection, in combination with adequate blocking or filtering controls and permitting only outbound-initiated connections
    - internet access from the general-purpose operator PC through a Web Gateway (with content inspection, in combination with blocking or filtering controls) using maintained denylisted URL destinations
- Although SWIFT strongly recommends controlling internet access, another method to meet the control objective for those PCs accessing the local SWIFT infrastructure is to enforce the use of a jump server that has no internet access, combined with multi-factor authentication (in line with control 4.2) implemented on the individual SWIFT-related components/systems or at the jump server.
c) Internet access from other components (middleware servers or the virtualisation platform - Advisory)
- When used, internet access from the middleware system (such as an IBM® MQ server) or the underlying system of the virtualisation platform (also referred to as the hypervisor) is highly restricted and ideally blocked.
- When possible, activities that require the Internet are conducted from other systems. Examples of such activities include conducting daily business, or downloading security updates for secure transfer into the target system.
- If internet access is needed from those systems, then access should be granted only to allow-listed URL destinations through a proxy with content inspection and adequate blocking or filtering controls. Connections are only permissible if they are initiated in the outbound direction.
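As an added example (not part of the SWIFT control text), the following Python script applies the common requirements of sections a) and c) above, allow-listed destinations reached only through a content-inspecting proxy, outbound-initiated connections only, and no internet access for the jump server, to constructed egress records; the host names, proxy name, destinations and record format are hypothetical.

```python
# Added example (not the SWIFT CSCF's own text): check constructed egress records
# from secure-zone systems against the allow-list, proxy, outbound-only and
# jump-server requirements described in the guidance.
from urllib.parse import urlsplit
JUMP_SERVERS = {"jump01"}          # hypothetical entry point: no internet at all
PROXY = "proxy01"                  # hypothetical content-inspecting proxy
# Hypothetical per-host allow list; only scheme + destination host are matched,
# so one entry covers every path on that destination.
ALLOW_LIST = {
    "sag01": {"https://updates.example.com", "https://portal.example.org"},
    "mq01": {"https://updates.example.com"},
}

def destination(url: str) -> str:
    """Normalise a URL to lower-cased scheme and host (no path, no port)."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.hostname or ''}"

def check_record(host: str, direction: str, url: str, via: str) -> str:
    """Return 'ok' or the requirement that the record violates."""
    if host in JUMP_SERVERS:
        return "jump server must have no internet access"
    if direction != "OUT":
        return "connection not initiated outbound"
    if via != PROXY:
        return "direct access bypassing the content-inspecting proxy"
    if destination(url) not in ALLOW_LIST.get(host, set()):
        return "destination not on the allow list"
    return "ok"

def evaluate(records: str) -> list:
    """Parse records of the form 'time host direction url via' and check each."""
    findings = []
    for line in records.strip().splitlines():
        _, host, direction, url, via = line.split()
        findings.append((host, url, check_record(host, direction, url, via)))
    return findings

# Constructed sample records (not real proxy or firewall logs).
SAMPLE = """
2024-05-02T08:00:01Z sag01 OUT https://updates.example.com/patch.zip proxy01
2024-05-02T08:00:05Z sag01 OUT https://news.example.net/ proxy01
2024-05-02T08:01:10Z mq01 OUT https://updates.example.com/fix.tar direct
2024-05-02T08:02:00Z jump01 OUT https://portal.example.org/ proxy01
2024-05-02T08:03:00Z sag01 IN https://updates.example.com/ proxy01
"""

if __name__ == "__main__":
    for host, url, result in evaluate(SAMPLE):
        print(f"{host:6} {result:52} {url}")
```

Only the first record is compliant; each of the others fails exactly one of the four requirements, which is the split a reviewer wants when assessing how far an implementation deviates from the guidelines.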