Fritz Steinmann, Head of Network and Security Engineering at SIX
Fritz Steinmann, Head of Network and Security Engineering at SIX, the financial infrastructure provider for the Swiss financial centre, explains why striking a balance between business agility and security was a crucial project for the business, and how he achieved it with security policy orchestration.
At SIX we operate the infrastructure for the Swiss financial centre, catering to a broad client base. What does this mean in practice? We manage 2.9 trillion Swiss francs as the central securities depository for Swiss securities, and each day 154 million Swiss francs of credit and debit card transactions are processed over the SIX infrastructure. It is big business.
With hundreds of applications and business services serving over 150 banks, our IT network is subject to constant change and a very high volume of application-related firewall change requests. When we started looking into how to streamline our network processes, we were managing around 22,000 firewall rules for 400 different applications. Every time we set up a business-critical application such as an SAP or CRM system, or employees and partners needed access to an application, we had to provision that access through our firewalls. Each firewall change involved a cumbersome, resource-intensive manual process that could severely impact business agility in Switzerland's financial heartland.
As rule counts and network complexity grew alongside the risk of cyber threats, it became ever more pressing that SIX adopt a strategy to relieve the pressure on its IT team. Maintaining the network configuration of an ever-changing enterprise environment not only takes time and commitment, consuming skilled staff who could be better used elsewhere; the manual process is also error-prone.
Conflicting data sources led to implementation errors, and we found that rules were often not documented against any policy. This created audit problems when demonstrating compliance with regulatory standards such as PCI DSS. Overall, these challenges lengthened the time to market for business-critical applications and hurt the business agility of SIX: each change was taking weeks to approve, which simply was not good enough.
The challenge we faced, and I am certain it is one facing more and more financial companies today, was to safeguard a watertight implementation of security policy while recognising that applications are at the core of the organisation. We were fully aware that even a simple application-based rule change, such as opening a port the application does not actually need, widens the attack surface and could expose the company to a serious breach. In essence we had to balance business agility against the need to keep SIX protected from security threats.
To overcome this, we needed a solution that would optimise our firewall policy management process. Ideally it would manage application-related firewall changes from a business process perspective, instead of requiring firewall teams to hunt for connectivity data spread across the entire infrastructure. We looked into building our own internal solution, but the complexity of the project made it very unlikely that we could solve all the challenges we faced. From there we evaluated many market options before settling on Tufin Orchestration Suite.
The key for us was Security Policy Orchestration (SPO), which allows us to define, design and customise agreed security policies in a way that makes sense to the whole team, from IT operations staff to application developers and network managers. Unlike automation tools that simply repeat a task in a robotic fashion whenever particular conditions are met, SPO software acts more like a coordinator, keeping the many interconnected parts of the system consistent with one another.
When one part of the system changes, SPO software knows what needs to be reconfigured elsewhere and how. Where firewalls and other devices can be configured remotely through software, as they increasingly can, SPO can either push those changes automatically or simply flag them for a human to approve. This alleviates some of the network team's concerns about moving to a more automated approach, because ultimate control over critical decisions stays with them.
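The reconciliation step described above, as an added, illustrative example and not Tufin's code: the connectivity each application is documented to need is compared against a first-match firewall rulebase, and the script reports which requests are already allowed, which need a new rule (and where it must be placed so a deny does not shadow it), which allow rules no application claims, and which requests are too broad to approve as written. The `Rule` and `Flow` formats, the rule names, addresses and the 256-address threshold are all assumptions made up for the example.

```python
"""Application-centric firewall change analysis (added example, not Tufin code).

Compares documented application flows against a first-match rulebase.
All formats, names and addresses below are invented for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # "tcp" or "udp"
    port: int     # single destination port (assumption: no port ranges)
    action: str   # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    app: str      # owning application: the documentation a rule should carry
    src: str
    dst: str
    proto: str
    port: int


def covers(rule: Rule, flow: Flow) -> bool:
    """True when every packet of the requested flow would match this rule."""
    return (ip_network(flow.src).subnet_of(ip_network(rule.src))
            and ip_network(flow.dst).subnet_of(ip_network(rule.dst))
            and rule.proto == flow.proto
            and rule.port == flow.port)


def first_match(rulebase: List[Rule], flow: Flow) -> Optional[Rule]:
    """First-match semantics: the first rule that covers the flow decides."""
    return next((r for r in rulebase if covers(r, flow)), None)


def reconcile(rulebase: List[Rule], flows: List[Flow]) -> Dict[str, list]:
    """Split documented flows into already-allowed and needs-a-change."""
    satisfied, needed = [], []
    for flow in flows:
        hit = first_match(rulebase, flow)
        if hit is not None and hit.action == "allow":
            satisfied.append((flow, hit.name))
        else:
            needed.append(flow)   # no rule at all, or the first match is a deny
    return {"satisfied": satisfied, "needed": needed}


def orphan_rules(rulebase: List[Rule], flows: List[Flow]) -> List[str]:
    """Allow rules that serve no documented application flow: the undocumented
    rules that cause audit findings, and candidates for decommissioning."""
    used = set()
    for flow in flows:
        hit = first_match(rulebase, flow)
        if hit is not None:
            used.add(hit.name)
    return [r.name for r in rulebase if r.action == "allow" and r.name not in used]


def too_broad(flow: Flow, max_addresses: int = 256) -> List[str]:
    """Reasons a request should be bounced back instead of auto-approved."""
    reasons = []
    for label, cidr in (("src", flow.src), ("dst", flow.dst)):
        size = ip_network(cidr).num_addresses
        if size > max_addresses:
            reasons.append(f"{label} {cidr} spans {size} addresses")
    return reasons


def propose(rulebase: List[Rule], flows: List[Flow]) -> Tuple[List[dict], List[Tuple[Flow, List[str]]]]:
    """Turn needed flows into proposed allow rules, or reject them as too broad.
    A new allow rule must sit above any deny that currently matches the flow,
    otherwise first-match semantics shadow it; `place_before` names that deny."""
    proposed, rejected = [], []
    for flow in reconcile(rulebase, flows)["needed"]:
        reasons = too_broad(flow)
        if reasons:
            rejected.append((flow, reasons))
            continue
        blocker = first_match(rulebase, flow)       # None, or the deny that matched
        proposed.append({
            "rule": Rule(f"{flow.app}-{flow.dst}-{flow.proto}{flow.port}",
                         flow.src, flow.dst, flow.proto, flow.port, "allow"),
            "place_before": blocker.name if blocker else None,
        })
    return proposed, rejected


# Constructed sample data (not from SIX or Tufin).
RULEBASE = [
    Rule("R1-crm-web", "10.10.0.0/16", "10.20.5.10/32", "tcp", 443, "allow"),
    Rule("R2-legacy-ssh", "0.0.0.0/0", "10.20.5.20/32", "tcp", 22, "allow"),  # nobody claims it
    Rule("R3-block-db", "10.10.0.0/16", "10.20.6.0/24", "tcp", 1433, "deny"),
]
FLOWS = [
    Flow("CRM", "10.10.1.0/24", "10.20.5.10/32", "tcp", 443),   # already allowed by R1
    Flow("CRM", "10.10.1.0/24", "10.20.6.15/32", "tcp", 1433),  # hits the R3 deny
    Flow("SAP", "10.10.2.0/24", "10.20.7.1/32", "tcp", 3200),   # no rule at all
    Flow("SAP", "0.0.0.0/0", "10.20.7.1/32", "tcp", 3200),      # too broad to approve
]

if __name__ == "__main__":
    for flow, name in reconcile(RULEBASE, FLOWS)["satisfied"]:
        print(f"OK     {flow.app}: {flow.src} -> {flow.dst}:{flow.port} via {name}")
    new, bounced = propose(RULEBASE, FLOWS)
    for item in new:
        where = f" (insert before {item['place_before']})" if item["place_before"] else ""
        print(f"ADD    {item['rule'].name}{where}")
    for flow, reasons in bounced:
        print(f"REJECT {flow.app}: {'; '.join(reasons)}")
    print("ORPHAN", ", ".join(orphan_rules(RULEBASE, FLOWS)))
```

The orphan list is the piece worth keeping in front of auditors: every allow rule that no application claims is either undocumented or dead, and either way it should not survive the next review. The broadness check is deliberately crude; a real policy engine would also compare the request against the zone model and the application's own declared tier.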
By embedding security into the change process at SIX, we have removed the need for a trade-off between security and business agility. Changes that used to take weeks are now done in days, five times faster than before. Changing applications and delivering new services has become simpler, quicker and far less risky, so we can concentrate on increasing the efficiency and competitiveness of the financial centre.
The Tufin Solution
SecureApp is part of Tufin Orchestration Suite, which Tufin describes as the next generation of security policy orchestration solutions in a market it pioneered and leads. It is intended to let security and networking teams increase security, efficiency and agility despite the growing network complexity caused by virtualisation, IPv6 and the cloud. Delivered as an installable product, Tufin Orchestration Suite automates policy and change management for firewalls, switches, routers and load balancers, and communicates policy change data to the relevant systems and stakeholders.
SecureApp enabled SIX to manage the network connectivity and security requirements of its applications effectively, cutting the time needed to implement changes from an average of a week to less than a day while improving overall network security. According to Fritz Steinmann, Head of Network and Security Engineering at SIX: ‘Applications are the lifeblood of our organisation. SecureApp worked well for us because not only did it flag any unnecessary network access requests for applications, it actively created a cleaner and more reliable firewall policy. And this data was continuously updated and customised automatically, making us very confident that our process is optimised and that potential threats have been reduced to a minimum.’ The end result is that SecureApp delivered an 88 percent efficiency gain in the process by which SIX deploys, updates and decommissions applications and diagnoses connectivity problems.