Fiserv
Real-time compliance monitoring gives financial services clients confidence in IT security

As a service provider to financial institutions, Fiserv prioritizes IT security. As part of its commitment to protecting clients’ data, Fiserv decided to simplify and automate IT security management for its IBM® AIX® landscape, adopting a new compliance monitoring platform: IBM PowerSC™.

Business challenge

Fiserv system administrators spent hours configuring servers to comply with PCI, SOX-Cobit and CIS security benchmarks; to retrieve compliance data, they had to log into servers individually.

Transformation

Fiserv is adopting IBM PowerSC Standard Edition (PowerSC) across its IBM Power Systems® estate, streamlining server configuration and unlocking real-time compliance and reporting capabilities.

Results

One click to set security policies for groups of servers, streamlining maintenance
Real-time monitoring enables instant intervention to remediate configuration issues
Instant compliance reporting designed to save dozens of hours of work during audits

Business challenge story
Sharp focus on IT security

The Fiserv mission is to help clients move money and information in a way that moves the world. The company specializes in financial services technology, providing solutions for payments, processing services, customer and channel management, risk and compliance, and insights and optimization.

Managing financial transactions necessarily involves exchanging, storing and processing sensitive data. Fiserv must constantly prove to clients and auditors that it will manage this data responsibly—and earning clients’ trust is one of its top priorities.

As a result, the company’s IT team takes security extremely seriously. Its IT systems are subjected to multiple complex internal and external audits every year, and they are expected to meet numerous industry and regulatory standards. However, regular audits aren’t enough to ensure continuous compliance: the company must also monitor its systems 24/7 to ensure that each server maintains the correct configuration at all times.

As a baseline for configuring its systems, Fiserv uses a best-practice security framework known as the Center for Internet Security (CIS) benchmark. Each of its servers is expected to meet both the mandatory settings and a minimum overall score threshold against the standards defined in the benchmark.

Zach Floen, IBM Power Systems Engineer at Fiserv, explains: “From a security perspective, the ideal configuration for a server would be to lock it down completely, so that it can’t exchange any data with any other systems at all. But if a server can’t communicate, it can’t do anything useful.”

While Fiserv already monitored the security configuration of its servers, it sought more integrated end-to-end management of compliance across its server estate. For example, if the company’s engineers needed to install a new server, they had to spend four or five hours manually working through a checklist to “harden” the configuration so that it would pass the compliance threshold.

Similarly, the team often needed to make temporary changes to server configuration while it conducted maintenance and upgrades. Engineers had to implement these changes manually, and then restore the servers to their original settings once the maintenance tasks were complete. Although Fiserv had strategies in place to mitigate the risks of forgetting to restore the settings properly, the company wanted to find a way to eliminate the possibility of human error by controlling configuration changes centrally and automatically.

Finally, the team wanted to streamline its compliance reporting processes and remove the time-consuming tasks that administrators had to undertake, such as manually retrieving compliance reports across a large estate of servers.

“IBM PowerSC is rapidly evolving into a very powerful and capable tool for compliance management. It offers capabilities that support our business values.”
Zach Floen, IBM Power Systems Engineer, Fiserv

Transformation story
Finding a better way

A significant proportion of Fiserv’s server architecture consists of IBM Power Systems™ servers running the IBM AIX operating system to support core financial systems and databases. When the company started reviewing its options for a new compliance management platform, it discovered that IBM offers a tailor-made solution: IBM PowerSC.

“IBM PowerSC is rapidly evolving into a very powerful and capable tool for compliance management,” says Zach Floen. “It offers capabilities that our existing tools don’t have, and it is included as part of our existing AIX Enterprise license, so we don’t have to worry about additional costs.”

At that time, Fiserv was preparing to rationalize its IBM AIX landscape by bringing disparate groups of servers together into a single private cloud environment. This initiative presented a perfect opportunity to make the switch from the company’s existing compliance tool to PowerSC.

Results story
Consistent compliance to earn clients’ trust

As Fiserv rolls out the PowerSC software across its AIX estate, the team is eager to take advantage of the solution’s compliance automation features.

For example, PowerSC monitors a list of programs that are allowed to run on each server and notifies administrators if any unauthorized programs are executed. During maintenance sessions, this feature can be toggled off for groups of servers and set to toggle back on again automatically after a certain period of time. As a result, engineers no longer need to change configurations manually during maintenance, significantly reducing the risk of accidentally leaving a system exposed.

PowerSC also provides pre-built security profiles that support industry and regulatory standards such as PCI-DSS, HIPAA and GDPR. Administrators can apply a profile to a server with a single click, instead of spending hours working through a security checklist for each new machine.

“We’re working with IBM to build a security profile that fully complies with the CIS benchmark out of the box,” says Zach Floen. “Once we have the profile in place, we’ll be able to eliminate hours of manual configuration when we’re setting up machines in our newest virtualized AIX platform.”

The profiles also help to remediate configuration issues quickly, as Zach Floen explains: “We had the ability to monitor our servers and identify when there was a problem with a server’s settings—but in order to fix those issues, we still had to log into the individual machines. With PowerSC, we can just click a button in the admin interface, and it will immediately reset the profile to the correct state.”

Fiserv has seen significant time savings in its server compliance oversight processes and expects to see even greater savings in the future. Currently, retrieving compliance information from each server is a manual and time-intensive process. With PowerSC, the team can simply generate a report automatically in a few seconds.

Zach Floen concludes: “For Fiserv, it’s about more than compliance—it’s about earning our clients’ trust—and that requires a secure environment.”

Fiserv

Fiserv is one of the world’s leading financial services technology companies, with around 24,000 employees and annual revenues of USD 5.7 billion in 2017. The company’s solutions empower more than 12,000 clients across more than 80 countries worldwide and help millions of consumers and businesses move and manage money quickly and conveniently.

Take the next step

To learn more about IBM Power Systems servers and PowerSC, please contact your IBM representative or IBM Business Partner, or visit ibm.com/products/powersc

© Copyright IBM Corporation 2018. 1 New Orchard Road, Armonk, New York 10504-1722 United States. Produced in the United States of America, March 2019.

IBM, the IBM logo, ibm.com, AIX, Power, and PowerSC are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at “Copyright and trademark information” at ibm.com/legal/copytrade.shtml.

Not all offerings are available in every country in which IBM operates.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

All client examples cited or described are presented as illustrations of the manner in which some clients have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual client configurations and conditions. Contact IBM to see what we can do for you.

The client is responsible for ensuring compliance with laws and regulations applicable to it. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the client is in compliance with any law or regulation.

Statements regarding IBM’s future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.