The Fiserv mission is to help clients move money and information in a way that moves the world. The company specializes in financial services technology, providing solutions for payments, processing services, customer and channel management, risk and compliance, and insights and optimization.
Managing financial transactions necessarily involves exchanging, storing and processing sensitive data. Fiserv must constantly prove to clients and auditors that it will manage this data responsibly—and earning clients’ trust is one of its top priorities.
As a result, the company’s IT team takes security extremely seriously. Its IT systems are subjected to multiple complex internal and external audits every year, and they are expected to meet numerous industry and regulatory standards. However, regular audits aren’t enough to ensure continuous compliance: the company must also monitor its systems 24/7 to ensure that each server maintains the correct configuration at all times.
As a baseline for configuring its systems, Fiserv uses a best-practice security framework known as the Center for Internet Security (CIS) benchmark. Each of its servers is expected to meet both mandatory settings and a minimum overall score threshold with the standards defined in the benchmark.
Zach Floen, IBM Power Systems Engineer at Fiserv, explains: “From a security perspective, the ideal configuration for a server would be to lock it down completely, so that it can’t exchange any data with any other systems at all. But if a server can’t communicate, it can’t do anything useful.”
While Fiserv already monitored the security configuration of its servers, they sought more integrated end-to-end management of compliance across its server estate. For example, if the company’s engineers needed to install a new server, they had to spend four or five hours manually working through a checklist to “harden” the configuration so that it would pass the compliance threshold.
Similarly, the team often needed to make temporary changes to server configuration while it conducted maintenance and upgrades. Engineers had to implement these changes manually, and then restore the servers to their original settings once the maintenance tasks were complete. Although Fiserv had strategies in place to mitigate the risks of forgetting to restore the settings properly, the company wanted to find a way to eliminate the possibility of human error by controlling configuration changes centrally and automatically.
Finally, the team wanted to streamline its compliance reporting processes and remove the time-consuming task that administrators had to undertake, such as having to retrieve compliance reports across a large estate of servers manually.