SIX Group: Data security for the most stringent requirements

SIX protects sensitive financial data from misuse thanks to data-centric security in distributed standard platforms, cloud providers (IaaS, PaaS), and cloud applications (SaaS).


Protect sensitive financial data and ensure compliance.

SIX operates the infrastructure for the financial center in Switzerland and Spain and thus secures the flow of information and money. Since SIX works with sensitive and regulatory-relevant financial data, data security is a top priority in the IT architecture.

New forms of connectivity, cloud-based offerings, and modern operational concepts require fundamental new thinking in IT security. Traditional security measures at the infrastructure level do not go far enough to meet today's and tomorrow's requirements. The reasons are manifold:

  1. Today, data also moves outside protected network zones.

  2. The risk of data loss is increasing, and with it the importance of Data Loss Prevention (DLP).

  3. Data needs to be protected «at rest,» «in use,» and «in transit.»

SIX sought a strong partner with a solution offering sustained, high security, one that would meet its data security requirements with a suitable security concept and integrate into the existing IT architecture. «The solution is extremely scalable and supports a diverse system landscape,» says Christian Stork, responsible project manager at SIX.

How is sensitive data protected?

SIX therefore decided on data-centric security, a future-proof solution for both users and infrastructure, and contracted Prewen to integrate an enterprise encryption platform into its existing IT architecture.

The data is encrypted and used in all applications with one universal solution.

Who holds the key?

Of course, database and SaaS providers also offer encryption solutions. But Prewen goes one step further for SIX: all keys remain with the data owner. The system provider that encrypts the data has no access to them. This establishes a separation of duties between the party that performs the encryption and the party that holds the key. Neither internal database admins, system admins at the service providers, nor operating personnel at the SaaS providers can decrypt the data. Only authorized persons have access to the data and can work with it as usual.

«It is important to us that the systems managing the key material are maximally secured, and third parties are prevented from accessing the key material.»
Christian Stork, Head SIX-wide Strategic Projects at SIX Group
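The owner-held-key model described in this section can be made concrete in a few dozen lines. The following is an added illustration, not code from Prewen, SIX or Micro Focus Voltage: a key holder that stands in for the data owner's HSM-backed key service (assumption: an in-memory AES-256-GCM key), a datastore that stands in for the database or SaaS back end and never receives a key, and an application path that encrypts a field before it is stored. The IBAN value and record id are constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const tokenPrefix = "enc:"

// KeyHolder stands in for the data owner's key service. Assumption: an
// in-memory AES-256-GCM key; in the deployment described on this page the
// key material would live in the owner's HSM and never leave it.
type KeyHolder struct {
	aead cipher.AEAD
}

// NewKeyHolder generates a fresh owner key. Nothing outside KeyHolder sees it.
func NewKeyHolder() (*KeyHolder, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyHolder{aead: aead}, nil
}

// Protect encrypts one field value. The field name is authenticated data, so a
// token copied into another column fails to decrypt instead of leaking.
func (k *KeyHolder) Protect(field, plaintext string) (string, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := k.aead.Seal(nonce, nonce, []byte(plaintext), []byte(field))
	return tokenPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// Reveal decrypts a token produced by Protect for the same field.
func (k *KeyHolder) Reveal(field, token string) (string, error) {
	if !strings.HasPrefix(token, tokenPrefix) {
		return "", errors.New("value is not an encrypted token")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(token, tokenPrefix))
	if err != nil {
		return "", err
	}
	ns := k.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("token too short")
	}
	pt, err := k.aead.Open(nil, raw[:ns], raw[ns:], []byte(field))
	if err != nil {
		return "", err // wrong key, wrong field, or tampered ciphertext
	}
	return string(pt), nil
}

// Datastore stands in for the database or SaaS back end. It stores whatever it
// is handed and holds no key, so its administrators only ever see tokens.
type Datastore struct {
	rows map[string]map[string]string
}

func NewDatastore() *Datastore { return &Datastore{rows: map[string]map[string]string{}} }

func (d *Datastore) Put(id string, row map[string]string) { d.rows[id] = row }
func (d *Datastore) Get(id string) map[string]string     { return d.rows[id] }

// StoreIBAN is the application path: encrypt with the owner's key, then hand
// only the token to the datastore.
func StoreIBAN(kh *KeyHolder, db *Datastore, id, iban string) error {
	tok, err := kh.Protect("iban", iban)
	if err != nil {
		return err
	}
	db.Put(id, map[string]string{"iban": tok})
	return nil
}

// ReadRawIBAN models a database administrator reading the row directly.
func ReadRawIBAN(db *Datastore, id string) string { return db.Get(id)["iban"] }

// ReadIBAN models an authorized user who is allowed to use the owner's key holder.
func ReadIBAN(kh *KeyHolder, db *Datastore, id string) (string, error) {
	return kh.Reveal("iban", ReadRawIBAN(db, id))
}

func main() {
	kh, _ := NewKeyHolder()
	db := NewDatastore()
	iban := "CH93 0000 0000 0000 0000 0" // constructed sample value
	_ = StoreIBAN(kh, db, "cust-1", iban)
	fmt.Println("DB admin sees:", ReadRawIBAN(db, "cust-1"))
	pt, err := ReadIBAN(kh, db, "cust-1")
	fmt.Println("authorized user sees:", pt, err)
	provider, _ := NewKeyHolder() // a key the provider might hold: useless here
	_, err = provider.Reveal("iban", ReadRawIBAN(db, "cust-1"))
	fmt.Println("provider with its own key:", err)
}
```

The point of the layout is that every path to plaintext goes through the owner's key holder: the datastore's own administrators, and any second key a provider might hold, get nothing but an authentication failure. Binding the field name into the authenticated data is a small addition that stops a token from being moved between columns to read it back under a different field.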

How was the enterprise encryption platform implemented for SIX?

The encryption platform used is Micro Focus Voltage SecureData, deployed locally at SIX. Encryption formats, automated key management, and authorization are implemented in all relevant applications and databases using the following integration options:

  • API: Used by applications that provide an API interface for encryption.

  • Web services: Used by applications that send data to the central encryption service via web services (SOAP/REST).

  • xDBC integration: Alternatively, the application can integrate the encryption service directly via a JDBC or ODBC driver.

  • Proxy integration: An interface has been integrated to connect web applications (SaaS) such as ServiceNow or Atlassian to the encryption service via the ICAP protocol. This option is used when the application offers no direct access option (e.g., via database or API), so that only a web-based interface is available as an integration point.

Why Prewen and the data-centric approach?

In the evaluation process, SIX Group chose the data-centric approach and implementation by Prewen. The compelling reasons were:

  1. Efficient set-up.

  2. One enterprise encryption platform for all our applications.

  3. The highest availability, 99.999 percent, guaranteed through redundancy across two data centers.

  4. Secure key management using dedicated hardware security modules (HSMs).

New approaches require a change.

Like any paradigm shift, the transition from conventional security measures at the infrastructure level to data-centric security requires new thought patterns and processes. At the same time, such projects involve challenges and learnings, both technical and psychological. The obligatory search for the data to be encrypted is routine for Prewen and a challenge that can be mastered well. The natural skepticism that a topic like data security attracts requires an open exchange with the users, and it is here in particular that every data security project is individual. After all, despite convincing results, data-centric security is still a relatively new approach that requires many companies to rethink how they handle their data.
