1

DRAFT

HSM Usability Evolution

Introduction
The objective of the HSM usability evolution is to simplify the day-to-day management of HSM boxes
and make it easier to install, configure and administer HSM boxes and to manage HSM certificates,
in order to reduce operational costs & risks associated with complex processes.

This document provides customers with an overview of the key features that SWIFT will introduce
with the HSM usability evolution and their high-level schedule.

Simplify installation
Current The installation process includes multiple manual operations, in particular for
situation the PED functions such as inserting different PED keys multiple times

Objective To optimize user interactions by limiting manual operations such as PED key
insertions, PED prompts and PIN requests to a minimum

Benefits Shorten installation/configuration time

Default remote access for PED

Current Before an HSM box can be administered over the network with a Remote PED,
situation a Remote PED secret needs to be initialized using the PED locally connected to
the box as a first-time action

Objective To make new and reset boxes accessible with a Remote PED over the network
without the need to access the data centre, by making it possible to initialize a
Remote PED secret on a box in default or reset state over the network

Benefits By avoiding PED operations in the data centre:

Speed up deployment of new boxes
Limit availability risk due to long intervention

HSM Usability Evolution SWIFT Product Management Mid-Jul 2015

 2
DRAFT

Unified PED Token

Current Each PED role is stored on a different key. The various keys can be assigned each to
situation a different person or team in the case of segregated responsibility per PED role.
Alternatively multiple keys can be assigned to the same person or team in case of
centralized responsibility for several PED roles.

Objective To consolidate all separate keys on one unified PED token when centralized
responsibility for all PED roles on one team or person is desired
To continue to support also the current multi-keys scheme when segregated
responsibility per PED role is preferred

Benefits Reduce the number of keys to manage

Reduce manual operations as there is no need to switch between keys anymore

Simplify certificate management

Current Certificates and partitions are managed through separate actions. Additionally
situation the partition management functions require the use of a PED device and the
appropriate PED key(s).

Objective To initialize a partition without requiring any PED operation (under the control
of the HSM admin)
To combine the HSM function Initialize partition with the Alliance Gateway
function Delete certificate within the Admin GUI
To simplify the management of certificates when operating multiple data
centers.

Benefits Make certificate management operations more efficient by avoiding PED

operations
Speed up certificate interventions such as when password got lost or partition
got locked (after exceeding the limit of bad password attempts).
Reduce operational costs and risks

HSM Usability Evolution SWIFT Product Management Mid-Jul 2015

 3
DRAFT

Automate recovery for a group of certificates

Current Recovering a group of certificates is a manual process where, for each
situation certificate individually,:
- The security officer initiates the recovery and retrieves the initial secrets
- The end-user (or agent) completes the recovery and sets a new password.

Objective To automate the recovery for a list of certificates through an Alliance Gateway
function run by the SWIFTNet security officers. Such function will combine the
2 steps (set up for recovery and recover) and transparently process initial
secrets for each certificate.

Benefits Facilitate SWIFTNet infrastructure changes where a group of certificates need

to be moved to a different HSM cluster and possibly also to a different Alliance
Gateway.

Accounts Synchronisation
Current User accounts and passwords are defined and maintained on each box of a
situation cluster separately. Any update to an account or a password only concerns the
box on which it was changed and, unless also updated on the other boxes,
these will have different account configurations and different password
lifecycles

Objective To synchronize user accounts & passwords, policies and SNL registration
information automatically between all members of the HSM cluster

Benefits Simplify configuration changes

Limit risk of password de-synchronization within a cluster and of password
mix-up
No need for an SNL re-registration after an HSM configuration change

HSM Usability Evolution SWIFT Product Management Mid-Jul 2015

 4
DRAFT

Customer managed password lifecycle

Current The expiry period of HSM account passwords (admin and operator) is currently
situation fixed to 90 days. If the password has expired, it will force a password change
the next time an attempt is made to use this account.

Objective To make the password expiry period user-configurable.

To enable password expiry monitoring through events

Benefits Ability to adapt password expiry to operational needs or internal policy.

Reduce risk of having an expired password when the account is needed in
emergency

Scheduling HSM box backups

Current Taking a backup of the HSM box content requires a PED operation
situation

Objective To make it possible to schedule regular backups of the HSM box content.
- A PED operation will be required to schedule the backups,
- Once scheduled, each backup will run without a PED operation,
- A history of backups will be kept on the box available for restoration if
needed.

Benefits Risk mitigation

HSM Usability Evolution SWIFT Product Management Mid-Jul 2015

 5
DRAFT

Distributed HSM cluster

Current The maximum network latency supported between boxes of an HSM cluster
situation and between the SWIFTNet Link and each box of a cluster is 2ms .

Objective To support a higher network latency limit for HSM clusters dedicated for
Browse / WebAccess flows for which throughput requirements are limited
To allow boxes of such an HSM cluster to be distributed over distant data
centres, thereby making the same user certificates useable over multiple data
centres

Benefits Limit the number of certificates required per user for cost efficiency and
operational simplification purposes.

New personal HSM certificate

Current The business and lite certificates are commonly used for signing STP messaging
situation flows as well as for authenticating an end-user accessing a Browse/SWIFT
WebAccess service.

Objective To introduce a new type of certificate stored on HSM for personal

authentication on SWIFT WebAccess services. The DN strongly binds the
certificate to the identity of its holder based on an enhanced registration
process by the security officer in O2M.

Benefits Offers strong personal accountability and traceability of end-users actions.

HSM Usability Evolution SWIFT Product Management Mid-Jul 2015

 6
DRAFT

Timeline

HSM Usability Evolution SWIFT Product Management Mid-Jul 2015