Fiserv system administrators spent hours configuring servers to comply with PCI, SOX-Cobit and CIS security benchmarks; to retrieve compliance data, they had to log into servers individually.
Fiserv is adopting IBM PowerSC Standard Edition (PowerSC) across its IBM Power Systems® estate, streamlining server configuration and unlocking real-time compliance and reporting capabilities.
One click to set security policies for groups of servers, streamlining maintenance
Real-time monitoring enables instant intervention to remediate configuration issues
Instant compliance reporting designed to save dozens of hours of work during audits
Business challenge story
Sharp focus on IT security
The Fiserv mission is to help clients move money and information in a way that moves the world. The company specializes in financial services technology, providing solutions for payments, processing services, customer and channel management, risk and compliance, and insights and optimization.
Managing financial transactions necessarily involves exchanging, storing and processing sensitive data. Fiserv must constantly prove to clients and auditors that it will manage this data responsibly—and earning clients’ trust is one of its top priorities.
As a result, the company’s IT team takes security extremely seriously. Its IT systems are subjected to multiple complex internal and external audits every year, and they are expected to meet numerous industry and regulatory standards. However, regular audits aren’t enough to ensure continuous compliance: the company must also monitor its systems 24/7 to ensure that each server maintains the correct configuration at all times.
As a baseline for configuring its systems, Fiserv uses the best-practice security framework known as the Center for Internet Security (CIS) benchmark. Each server is expected to satisfy every mandatory setting in the benchmark and, in addition, to reach a minimum overall score against the benchmark's full set of recommendations.
Zach Floen, IBM Power Systems Engineer at Fiserv, explains: “From a security perspective, the ideal configuration for a server would be to lock it down completely, so that it can’t exchange any data with any other systems at all. But if a server can’t communicate, it can’t do anything useful.”
Although Fiserv already monitored the security configuration of its servers, the company wanted more integrated, end-to-end management of compliance across its server estate. For example, when engineers installed a new server, they had to spend four or five hours working manually through a checklist to harden its configuration until it would pass the compliance threshold.
Similarly, the team often needed to make temporary changes to server configuration while it conducted maintenance and upgrades. Engineers had to implement these changes manually, and then restore the servers to their original settings once the maintenance tasks were complete. Although Fiserv had strategies in place to mitigate the risks of forgetting to restore the settings properly, the company wanted to find a way to eliminate the possibility of human error by controlling configuration changes centrally and automatically.
Finally, the team wanted to streamline its compliance reporting and remove time-consuming manual tasks from administrators, such as retrieving compliance reports by hand from each server across a large estate.
Finding a better way
A significant proportion of Fiserv’s server architecture consists of IBM Power Systems™ servers running the IBM AIX operating system to support core financial systems and databases. When the company started reviewing its options for a new compliance management platform, it discovered that IBM offers a tailor-made solution: IBM PowerSC.
“IBM PowerSC is rapidly evolving into a very powerful and capable tool for compliance management,” says Zach Floen. “It offers capabilities that our existing tools don’t have, and it is included as part of our existing AIX Enterprise license, so we don’t have to worry about additional costs.”
At that time, Fiserv was preparing to rationalize its IBM AIX landscape by bringing disparate groups of servers together into a single private cloud environment. This initiative presented a perfect opportunity to make the switch from the company’s existing compliance tool to PowerSC.
Consistent compliance to earn clients’ trust
As Fiserv rolls out the PowerSC software across its AIX estate, the team is eager to take advantage of the solution’s compliance automation features.
For example, PowerSC maintains an allowlist of programs permitted to run on each server and notifies administrators whenever a program outside that list is executed. For maintenance sessions, this enforcement can be switched off for a group of servers with an expiry, so that it switches itself back on after a set period. Engineers no longer need to change configurations by hand during maintenance, which significantly reduces the risk of a system being left exposed because someone forgot to turn enforcement back on.
PowerSC also provides pre-built security profiles that support industry and regulatory standards such as PCI-DSS, HIPAA and GDPR. Administrators can apply a profile to a server with a single click, instead of spending hours working through a security checklist for each new machine.
“We’re working with IBM to build a security profile that fully complies with the CIS benchmark out of the box,” says Zach Floen. “Once we have the profile in place, we’ll be able to eliminate hours of manual configuration when we’re setting up machines in our newest virtualized AIX platform.”
The profiles also help to remediate configuration issues quickly, as Zach Floen explains: “We had the ability to monitor our servers and identify when there was a problem with a server’s settings—but in order to fix those issues, we still had to log into the individual machines. With PowerSC, we can just click a button in the admin interface, and it will immediately reset the profile to the correct state.”
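The policy model described in this section (mandatory settings plus a minimum overall score, a maintenance exemption that lapses on its own, and a one-step reset to the profile) can be made concrete in a few dozen lines. The following Python is an added illustration, not PowerSC or Fiserv code; the check names, expected values and the 0.8 threshold are constructed for the example.

```python
"""Toy model of benchmark-style compliance: a baseline with mandatory settings plus a
minimum overall score, a time-boxed maintenance exemption that re-arms itself, and a
one-step reset of drifted settings to the baseline.

Added illustration only; this is not PowerSC or Fiserv code. Check names, expected
values and the 0.8 threshold are constructed for the example.
"""
from dataclasses import dataclass, field
import time


@dataclass(frozen=True)
class Check:
    name: str
    expected: str
    mandatory: bool = False  # a failed mandatory check fails the server whatever the score


# Constructed baseline in the spirit of a CIS-style benchmark; not a real profile.
BASELINE = (
    Check("PermitRootLogin", "no", mandatory=True),
    Check("TrustedExecution", "on", mandatory=True),
    Check("PasswordMinLen", "14"),
    Check("LoginRetries", "5"),
    Check("TelnetEnabled", "no"),
)
MIN_SCORE = 0.8  # assumed threshold: fraction of evaluated checks that must pass


@dataclass
class Server:
    name: str
    settings: dict
    # check name -> epoch seconds at which a maintenance exemption expires
    exemptions: dict = field(default_factory=dict)


def _now(now):
    return time.time() if now is None else now


def suspend_check(server, check_name, seconds, now=None):
    """Exempt one check for a maintenance window; it re-arms itself when the window lapses."""
    server.exemptions[check_name] = _now(now) + seconds


def active_exemptions(server, now=None):
    """Names of checks whose exemption has not yet expired; expired ones simply drop out."""
    t = _now(now)
    return {n for n, expiry in server.exemptions.items() if expiry > t}


def evaluate(server, baseline=BASELINE, min_score=MIN_SCORE, now=None):
    """Score a server against the baseline, ignoring checks under an active exemption."""
    skipped = active_exemptions(server, now)
    scored = [c for c in baseline if c.name not in skipped]
    failures = [c.name for c in scored if server.settings.get(c.name) != c.expected]
    score = (len(scored) - len(failures)) / len(scored) if scored else 1.0
    mandatory_failed = [c.name for c in scored if c.mandatory and c.name in failures]
    return {
        "score": score,
        "failures": failures,
        "skipped": sorted(skipped),
        "mandatory_failed": mandatory_failed,
        "compliant": score >= min_score and not mandatory_failed,
    }


def remediate(server, baseline=BASELINE, now=None):
    """Reset every drifted, non-exempt setting to its baseline value; return the names fixed."""
    skipped = active_exemptions(server, now)
    fixed = []
    for c in baseline:
        if c.name not in skipped and server.settings.get(c.name) != c.expected:
            server.settings[c.name] = c.expected
            fixed.append(c.name)
    return fixed


if __name__ == "__main__":
    # Constructed sample: Trusted Execution switched off for a patch window.
    srv = Server("aixdb01", {
        "PermitRootLogin": "no", "TrustedExecution": "off",
        "PasswordMinLen": "14", "LoginRetries": "5", "TelnetEnabled": "no",
    })
    t0 = 1_700_000_000
    print(evaluate(srv, now=t0))                 # score 0.8, but a mandatory check failed
    suspend_check(srv, "TrustedExecution", 3600, now=t0)
    print(evaluate(srv, now=t0))                 # exempt during the window
    print(evaluate(srv, now=t0 + 3601))          # window lapsed: failing again
    print(remediate(srv, now=t0 + 3601), evaluate(srv, now=t0 + 3601)["compliant"])
```

The point of the exemption carrying its own expiry is that nobody has to remember to re-enable the check: the next evaluation after the window simply treats it as live again, and a remediation run then puts the setting back. Note also that the score alone is not enough; a server scoring 0.8 with a failed mandatory check is still non-compliant.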
Fiserv has already seen significant time savings in its server compliance oversight and expects even greater savings as the rollout continues. Until now, retrieving compliance information from each server has been a manual and time-intensive process; with PowerSC, the team can generate the report automatically in a few seconds.
Zach Floen concludes: “For Fiserv, it’s about more than compliance—it’s about earning our clients’ trust—and that requires a secure environment.”
Fiserv is one of the world’s leading financial services technology companies, with around 24,000 employees and annual revenues of USD 5.7 billion in 2017. The company’s solutions empower more than 12,000 clients across more than 80 countries worldwide and help millions of consumers and businesses move and manage money quickly and conveniently.