Data Protection

Vulnerability and Patch Management

Finastra’s enterprise vulnerability management program includes regular vulnerability scanning and independent penetration testing at least yearly. Identified vulnerabilities are prioritized for the remediation process according to criticality, with reporting up to the board level. Finastra maintains subscriptions to various threat intelligence advisory services and resources.

Logging & Monitoring

Finastra has implemented security logging for systems and accounts. Logs are collected from the various platform components and sent to a centralized security information and event management (SIEM) system for analysis by the Security Operations Center (SOC). Logs are retained for at least one year, unless a legal or governmental regulation requires otherwise.

Network Security

Finastra performs architecture reviews and updates to ensure all tangible assets, data, and functionality are tracked and validated for all changes that occur on FusionFabric.cloud and associated products.

Firewall rules, security domains and their access controls are actively reviewed to ensure that only the functions required for business operations are permitted.

Virtual Machine

Scanning

Virtual machines are scanned for known vulnerabilities and malware, and their operating system configuration is checked against CIS benchmarks. This process ensures that the virtual machines are secure and aligned with security compliance protocols and policies. Host assurance is achieved through configuration scanning, compliance baselines, and alerting.

Monitoring controls include file integrity monitoring and Windows registry monitoring to prevent unauthorized access to, modification of, or deletion of files or registry keys.

Encryption

Virtual machine disks are encrypted using Azure Disk Encryption. By default, Managed Disks are encrypted at rest using Azure Storage Service Encryption, with the encryption keys managed by Microsoft Azure.

Virtual machine disks are encrypted with keys stored in Azure Key Vault, with appropriate policies defined by Finastra. This solution works for both Linux and Windows operating systems, manages key access policies, and provides auditing of key usage.

Container Security

Multiple layers of controls are implemented to ensure defense in depth throughout the container life cycle. These include continuous scanning for vulnerabilities, malware, hard-coded secrets, and security misconfigurations.

Access control roles and policies govern kubectl commands and prevent unapproved images from running in the cluster. Within the cluster, file integrity monitoring, configuration checks against CIS benchmarks, and user access and activity monitoring are in place. Additional controls are applied on an as-needed basis, including delivery of secrets to containers in encrypted form, automated container-level security profiles, and network traffic control based on container-level firewall rules. Together these provide tailored image assurance and ensure that only secure patterns are promoted throughout the development life cycle.

Lastly, extensive and specific event logging is available for auditing.

Data, Tenant Architecture and Segmentation

The FusionFabric.cloud platform is reviewed and approved by Finastra’s product and data security team in accordance with Finastra’s internal security standards, which define best practices for the development life cycle. The data flow for every data ingestion and each related data product pipeline is reviewed by architects from our engineering, architecture and security teams.

Each dataset is stored in a physically or logically segmented area, even when it resides on the same system as other datasets. Segmentation is implemented at the network, data store, and application layers. The key drivers we consider for segmentation are Finastra’s internal standards, regulatory compliance, multi-tenancy and contractual obligations.