Crosskey Banking Solutions
To cope with threats, vulnerability management must be integrated into day-to-day operations. Tenable is making this happen and ensuring our continued success."
Key Business Needs:
Crosskey Banking Solutions develops, delivers and maintains systems and solutions for the Nordic banking and capital markets. The company needed to validate the effectiveness of its security practices through PCI compliance, and because it operates in both Finnish and Swedish markets, it had to comply with a variety of specific banking regulations for each country.
Tenable.sc™ (formerly SecurityCenter®), integrated with Nessus® and Tenable.io®, provided extensive reporting capabilities and addressed a variety of audit policy options, including customizable scripting.
With banking customers relying on Crosskey to prevent data breaches, protect cardholder data and ensure the integrity of their operations, Crosskey was in search of a way to validate the effectiveness of its security practices through PCI compliance. Tenable Network Security helped Crosskey reduce risk and ensure compliance with PCI DSS requirements by implementing Tenable.sc, Nessus and Tenable.io.
About Crosskey Banking Solutions
Crosskey Banking Solutions develops, delivers and maintains systems and solutions for the Nordic banking and capital markets. A wholly-owned subsidiary of the Bank of Åland, Crosskey’s mission is to make it easier and more profitable for customers to operate a bank. To accomplish this, Crosskey operates three datacenters in Finland and Sweden from which it provides hosted banking and card payment solutions. The organization’s continued success rests upon the integrity, performance and security of its operations.
To help reduce risk and improve its overall security posture, Crosskey decided to transition responsibility for vulnerability scanning from an outsourced MSSP to internal resources. This allowed Crosskey to better integrate vulnerability and patch management, shrinking the patch window and eliminating exploitable gaps in coverage. Crosskey’s continued success and growth led to another significant problem with its outsourced scanning services – costs were not scalable.
Crosskey currently operates in both Finnish and Swedish markets and must comply with a variety of Finnish and Swedish banking regulations in addition to the PCI DSS requirements. As a validated PCI DSS Level 1 Service Provider, Crosskey must adhere to PCI DSS requirements 6.1, 6.2 regarding vulnerability discovery and patch management. This means all critical security patches must be installed on all systems in scope of PCI DSS within 30 days of release. This ongoing process must follow documented procedures and be effective and repeatable. Crosskey must be able to provide evidence that its vulnerability discovery, patch management and change control processes are functioning on an effective, ongoing (business as usual) basis to their QSA during its annual PCI DSS validation assessment.
The Tenable Solution
After evaluating multiple enterprise-class vulnerability management platforms, Crosskey selected Tenable.sc. Tenable.sc offers extensive reporting capabilities as well as the means to address a variety of audit policy options (including customizable scripting to meet Crosskey’s unique requirements), and has enabled Crosskey’s successful transition from MSSP to internal control of vulnerability management.
To address its specific requirements around PCI DSS compliance, Crosskey extended its Tenable.sc deployment with Tenable.io. This hosted version of Nessus Enterprise supports Crosskey’s needs for external network vulnerability scanning of all Internet-facing systems by a PCI Approved Scanning Vendor (ASV) . It also facilitates the sharing of vulnerability and compliance information between Crosskey security and operations personnel, as well as outside QSAs and auditors, further streamlining the overall PCI assessment process.
“By implementing Tenable.sc and Tenable.io, we’re not only making this happen, we’re doing it efficiently and effectively, ensuring Crosskey’s continued success and that of our growing portfolio of banking customers.”
Since implementing Tenable.sc, Nessus and Tenable.io, Crosskey has streamlined and improved the effectiveness of its vulnerability management program. These capabilities were made possible by enabling a team-based approach along with Tenable’s unique ability to identify vulnerabilities and compliance gaps across Crosskey’s entire environment, including external-facing systems, and to provide extensive reporting and analytics.
For Crosskey, implementing Tenable products has resulted in better control of its environment. Vulnerability management is more collaborative and integrated with the operations teams. This has fostered a “DevOps” mindset, with Ops and Security teams working together to keep the Crosskey enterprise more secure. These efforts are evaluated with Key Performance Indicators, including:
- Number of vulnerabilities on externally exposed systems
- Number of vulnerabilities with discovery date > 15 day
- Number of vulnerabilities with discovery date > 30 days
According to Kim Halavakoski, Chief Security Officer, Crosskey Banking Solutions, “To cope with the ever-changing threat landscape, vulnerability management has to be integrated into the day-to-day operations of any organization that needs to properly secure its environment.” Halavakoski continued, “By implementing Tenable’s Tenable.sc and Tenable.io, we’re not only making this happen, we’re doing it efficiently and effectively, ensuring Crosskey’s continued success and that of our growing portfolio of banking customers.”