This blog discusses how IT in banks and financial services organizations are leveraging their Citrix investment to secure high-value apps and data, in particular SWIFT systems. It is an overview of my Synergy breakout session that outlines these principles and best practices: SYN124: Securing high-value applications in bank IT infrastructure.
Security is the forethought of everything we build at Citrix, because it’s such an important element for our customers to succeed in their business.
According to a recent survey by Ponemon Institute commissioned by Citrix, 83 percent of respondents, including a large portion representing the financial services industry, indicate that their technology is outdated or inadequate, and 74 percent say a new IT security architecture is needed to improve security. With the confluence of number and type of devices, apps, data, networks and clouds, finance IT environments are becoming increasingly complex, creating a larger, more fragmented and more porous perimeter to secure. As technologies evolve, so does the threat landscape, and attackers become more sophisticated. Over the summer of 2016, hackers used malware to bypass three international banks’ security systems to gain access to the SWIFT messaging network. They initiated unauthorized money transfers from one bank to another, presumably to withdraw the money undetected. When you consider the myriad of ways financial institutions can be attacked — malware, ransomware, Trojan horse, key logger, denial of service attacks, phishing attempts, etc. — it is no wonder that IT departments in financial services companies are on edge.
Finance IT’s goal is to solve five security challenges that include secured access, mobile security, data and IP protection, compliance and governance, and business continuity. This cannot be done efficiently with the traditional approach to delivering apps and data. The traditional approach leads to application, data, network, and cloud sprawl — a patchwork of disparate application delivery platforms, difficult to manage and maintain. This doesn’t work for several reasons including increased complexity, difficulty in scaling, and security gaps between point solutions. And at the center is the endpoint — the most vulnerable and exposed device(s), as it moves from network to network. The problem is magnified when these endpoints are let loose with local administrator privileges.
The Citrix approach to securely delivering apps and data is endpoint-agnostic. In fact, for many customers, all endpoints are initially deemed untrusted until they pass a series of tests for verification. All users are proxied through Citrix NetScaler where they are authenticated and given the appropriate level of access. NetScaler is also the control point where traffic is inspected and encrypted between the user and the internal network. With XenApp and XenDesktop, applications and data are centralized and virtualized with a hosted delivery model – with policy-based control over connected peripherals and functions such as printing, copy/paste, and drive mapping. This means providing just the right level of access needed to be productive and maintain a secure environment. Protection is extended to mobile devices, where mobile apps and data are containerized and encrypted with XenMobile. Web apps and data are protected against denial of service and application layer attacks by NetScaler.
Let’s look at the two largest attack surfaces for malware and ransomware – the web browser and the email client. One of the largest, if not the largest, ransomware attacks in history happened recently. Wannacry crippled a lot of organizations around the world and it could have been prevented. The malware problem is so extensive that countries like Singapore are implementing Internet Separation mandates. One control is to secure the web browser through remote browsing, as colorfully articulated by Gartner analyst Neil McDonald:
It’s time to isolate users from the Internet cesspool with remote browsing.
This approach aims to create an air gap between the growing threats of the Internet and the user. Decouple the web browser, email client, and critical apps from the endpoint, virtualize and provided hosted delivery from the data center or cloud. Additional hardening is provided by malware scanning, URL whitelisting, and consistent security configurations — like disabling macros.
This concept is not entirely new — Citrix has enabled this decoupling for years. Customers have been publishing the web browser to meet version requirements of legacy and custom web apps. Some of the most security-driven institutions publish completely isolated instances for security reasons — these can include a trusted browser for the confidential intranet and a relaxed instance for general web browsing. The browsers are isolated from each other — on two different server groups and different network segments.
Combine this model with innovations in malware detection using Bitdefender HVI on XenServer and with NetScaler Secure Web Gateway and we add additional layers of protection by providing memory-based malware scanning and reputation-based whitelisting for internet browsing.
Securing your SWIFT systems
Centralization and delivery of critical apps include specialized apps like those used to access the SWIFT network. In September of 2016, SWIFT introduced mandatory security requirements and associated assurance framework. As part of its Customer Security Programme, the SWIFT Customer Security Controls Framework 1.0 introduces twenty-seven controls of which sixteen are mandatory and eleven are advisory. This will help financial institutions remain compliant as well as secure. These controls aim to reduce financial, legal, regulatory and reputational risk by relying on three overarching objectives: Secure your environment, know and limit access, and detect and respond. By January 01, 2018, all SWIFT users must have submitted their self-attestation and users will be required to resubmit their attestation on an annual basis thereafter.
In the full stack architecture diagram above, a secure zone is established around the SWIFT systems. Whether a full stack, partial stack, or connector architecture – there are direct security controls that Citrix provides to secure access to the SWIFT network. Deploying SWIFT systems through Citrix enables banks to segregate those systems from potentially compromised elements of the general IT environment such as email, web browser and other back office applications. Operators securely connect through NetScaler using multifactor authentication to a jump server via XenApp or XenDesktop. Systems built on top of XenServer and Bitdefender have advanced malware protection and are more consistently hardened and up to date using Provisioning Services and single image management. Additionally, meet compliance with detailed access and usage logging and security event detection with Citrix Analytics.
Financial services organizations have apps and data that are a constant target for hackers and thieves. We can learn a lot about security controls from the financial industry since it’s one of the most highly-regulated. And while no security control is foolproof, we must continuously adapt and raise the bar for defense – as the threat landscape grows more sophisticated and innovative. We must focus on prevention but plan for containing the blast radius of a breach through isolation, segmentation, and containerization.
To learn more about these principals and best practices, the video recording of my Synergy Session, SYN124: Securing high-value applications in bank IT infrastructure, that outlines these principles and best practices from Synergy is now available on-demand at www.citrix.com/SynergyTV. You can download presentations from your My Synergy Account.