Swift and Sure: CIO Joe Eng

If money makes the world go around, Joe Eng is both a spinmaster and a security guard. As chief information officer of the Society for Worldwide Interbank Financial Telecommunication, or Swift, it’s up to Eng to ensure that 7,800 banks and other financial institutions can communicate with each other on a global messaging network. At Swift, an industry-owned cooperative, Eng oversees an information-technology staff of 1,000 for a network that handles 12 million messages a day. One industry estimate pegs the value of the transactions the network helps facilitate at trillions of dollars a day. Eng declined to disclose the actual value, citing security concerns.

Since 2003, Eng has overseen the development and rollout of a $500 million, five-year network upgrade called SwiftNet. It allows banks and other organizations to exchange messages, including payment instructions from one bank to another, in real time. Previously, a financial institution sent messages to other institutions in a store-and-forward system; the message was stored until the recipient connected to the network to receive it. Now, the message is delivered immediately.

During the network upgrade, Eng and his team are working to tighten network security even more by requiring members to adopt public key infrastructure technology to exchange messages, and to use a Virtual Private Network box to secure messages as they travel via one of four telecommunications providers. Future plans include moving the Public Key Infrastructure certificate to a dedicated device, such as a smart card, USB memory sticks, or a PC that sits on a network and is connected to one or more Swift computers. The smart cards or memory sticks will be for small financial institutions, while the PCs are designed for large organizations.

To connect to SwiftNet, financial institutions use software provided by Swift that’s available on Windows, Solaris or AIX platforms.

How important is security to this network? “It’s completely critical,” says Breffni McGuire, research area director for the Tower Group, a Needham, Mass., consultancy. “When banks are asked why they use Swift, besides global connectivity, it’s because of security, availability and reliability. And that rolls up into resiliency.”

Anna Maria Virzi, Baseline’s executive editor, interviewed Eng in March to discuss how Swift ensures that the network remains secure and reliable, and the world’s banks and financial transactions keep humming.

What security features are now in Swiftnet?

We introduced a whole new set of IP [Internet Protocol]-based technologies and, more important, brought about real-time messaging. In SwiftNet, we fully embraced the public key infrastructure, or PKI, technology. We felt that was the way the industry was going and it would give us a highly secure technology. It was also less complex than the security paradigms we used in the past.

What did PKI replace?

A symmetric model; if you and I were to communicate, we’d have to trade certificates or keys back and forth. And that always has to be coordinated. With PKI, because of the way the private and public keys work, you don’t necessarily have to do that. A central directory does it.

Under the old setup, how often did a financial institution have to update keys?

A Typically, every six months. Each institution would maintain a set of keys, one for each institution that it exchanged messages with. This exchange of keys is not needed in the new PKI model.

What other measures did you take?

Another major security introduction in SwiftNet is at the network. We’re not a network by itself. We’re a financial messaging network that needs a network. Our customers connect to Swift using one of four providers: Colt Telecom [of London], Equant [of Amsterdam], AT&T and BT Infonet. We introduced a technology called a virtual private network box [from Juniper] that secures the network tunnel between a financial institution and Swift.

How does the VPN box work?

Both sender and receiver are connected to Swift, so the network is secured from sender to Swift, and then from Swift to the receiver. We went with hardware instead of software. This is tamper-resistant hardware, and it is highly secure. And it resides at a customer’s site.

What’s next for Swiftnet?

In the next release, the PKI [certificate] will reside on a hardware security module [HSM] instead of the computers used by SwiftNet members to send messages.

As part of the software on their SwiftNet computers, bigger customers will get a computer containing the PKI certificate from SafeNet [of Baltimore] that they can add to their local area network and will connect to their SwiftNet computers. Small customers can get a card from Axalto [of Amsterdam] or a token from SafeNet. A pilot phase began in April 2006; the feature will be made generally available by the end of the year.

Why were safenet and axalto selected?

A They are companies in the security technology industry. Via a technology evaluation performed by Swift, they were selected to provide the hardware security module.

How can you be sure these devices are secure?

These technologies, whether the VPN or HSM box, go through a certification process. We use the Federal Information Processing Standards (FIPS) standard for

certifying security hardware to make sure the devices are tamper-resistant.

How so?

The FIPS certifications standard defines expectations on the strength of the device in terms of how difficult it is to intrude upon it—whether it be via computer or physical manipulation. For example, [the testers] see how much radiation the box can handle before it is disabled.

Have you ever had a breach?

None. Because we have these high expectations in security, we continue to invest not only in technologies but in the people and processes around security. I have a staff that focuses on security. They have to understand the algorithms: Are they up to date? What’s the next advancement in supercomputing that can more quickly break the key links? Those are the types of things we work on all the time.

What challenges did you encounter while implementing security in 200 countries? And did u.S. Encryption export laws present an issue?

To make sure we get a high degree of security technology out to all these countries, there are sometimes import-export issues that we have to deal with. But we work those through. It could be that we work through an exception with a particular government, whether it’s the U.S. or another, for an encryption technology. Because a government knows the technology is just used for Swift purposes, they’re OK with it.

What do you think will be the biggest security threat and challenge for your customers in the coming year or two?

Security is not just about the right technologies and models; it’s making sure you have the right assessment mechanisms for risk. People sometimes get themselves into trouble with security because they get complacent. We don’t let ourselves get complacent. We have a team of people always looking at the next set of things.