A Cloud Security Blanket For Retail Operators

By now, retail operators are very familiar with the reasons for moving their networks to the cloud: flexibility, scalability, centralized management capability, consistency of commerce experience and cost, to name a few. They also likely are well aware of the issues that can accompany such a move, none of which is more concerning than that of network and data security.

Given the U.S retail sector’s growing dependence on the cloud, along with that sector’s apparent vulnerability to data breaches, the concerns about security are justified. Half of U.S. retailers were breached in the past year, well above the 27% global average for retailers, according to a recent report from Thales eSecurity. What’s more, U.S. retailers lead the world in security breaches; three-quarters of them have been breached at least once.

Nevertheless, the migration to the cloud continues apace, with 85% of U.S. retailers now storing sensitive data in either an IaaS (infrastructure as a service), PaaS (platform as a service) or SaaS (software as a service) public cloud environment, Thales reports.

“Despite the advantages, cloud computing comes with an added vulnerability if data is stored incorrectly or if the provider’s own security is compromised,” Gartner practice leader Matthew Shinkman said, summing up findings from his firm’s recent survey of risk executives. “To mitigate these risks, executives will need to guarantee that their cloud security strategy keeps up with the pace of this growth.”

For many retailers, that means taking a fresh approach to network security, Thales asserts in its report. “Traditional endpoint and network security are no longer sufficient, particularly for heavy adopters of public cloud resources such as the U.S. retail sector.”

Defending against data breaches, DDoS (distributed denial of service) attacks and other bottom-line-crushing network security threats requires multiple layers of security baked into various vulnerable areas of the network infrastructure. But where exactly should retailers be prioritizing their cloud security investments? Here are eight suggested focal points, based on our company’s extensive experience building and supporting secure cloud-based networks for retail operators:

1. A “zero trust” security philosophy. Moving to a multichannel, cloud-based commerce experience creates new surfaces that can be vulnerable to cyberattack. Protecting them means committing to verify anything and everything attempting to access their network systems. That could entail implementing an application-centric security policy, with micro-segmentation and granular perimeter enforcement as a means of determining whether to trust a user, machine or application seeking access to a particular asset or part of the network.
2. A third-party threat assessment of your cloud strategy and planned environment. Moving apps, processes and data to the cloud can create security gaps that a third-party network security specialist can identify via an audit/gap analysis.
3. End-to-end encryption. While data in any form, at rest or in transit, can be vulnerable to exfiltration, data in motion and data housed in the public cloud are especially susceptible to attacks. The best defense is strong end-to-end encryption algorithms, starting at the source. This is particularly important in protecting traffic flowing over the Internet between multiple retail sites, and between retail sites and customers. There’s plenty of room for improvement in this area. Thales found that despite having a higher propensity to store sensitive data in the cloud, only 26% of U.S. retailers are implementing encryption in the cloud.
4. Multi-factor authentication Single-factor (username/password) authentication may not be adequate to keep cybercriminals from hacking account credentials. Multi-factor authentication adds an extra layer of validation to ensure that only those with proper credentials are able to access critical data, systems and infrastructure.
5. Firewall policy/governance based on user, device and actual application flow. In a decentralized network environment, incorporating security approaches such as deep packet inspection and micro-segmentation within the network enables organizations to inspect and protect traffic from outside, as well as traffic between internal sites, from advanced persistent threats, ransomware/malware, etc. The firewall(s) tie back to a centrally managed security policy that applies to all IT assets across the network, whether they are located inside or outside the company network.
6. Security class differentiation. In order to prioritize security resources and allocate them accordingly, enterprises need the ability to set distinct segmentation and security policies for each data class level, and to adjust them in real time as necessary.
7. Software-defined services and VNF (virtual network function) software. Software-defined services and VNFs provide the flexibility to centrally manage and update services in real time and provide unprecedented visibility into current and past network and application performance.
8. A solid mitigation/event management plan. It is imperative to have a comprehensive mitigation plan in place and ready for a multi-pronged attack, including DDoS attacks, with a system of alerts across the network that prompts an enterprise to mobilize as an event is happening, or better yet, before it happens.

By incorporating security measures like these into a coherent cloud security strategy, retail operators can tap the many benefits of cloud-centric commerce, with the confidence that their data, network, IT assets and customers are protected. Because in today’s retail world, protecting yourself and your customers is as vital to growth as digital transformation itself.

Joseph Harding is executive vice president and chief marketing officer for Windstream Enterprise and Wholesale, where he is responsible for all aspects of marketing and product management, including go-to-market strategy, demand generation, product development, pricing, customer insight and brand management.