By Sahir Anand, Principal Retail and CPG Industry Lead, Cloud Commercial Communities Team
Retail and Consumer Product Goods (CPG) businesses are undergoing digital transformation and increasingly use public clouds to run their ecommerce, data analytics and logistics applications. New cloud-based technologies such as AI, IoT, Blockchain are powerful tools to improve the customer experience, optimize supply chains and reduce costs. Accordingly, more and more sensitive data is moving to the cloud. And it’s for that reason that hackers are constantly testing and attacking retailers.
We often hear that security concerns are slowing down cloud adoption. Boards require additional risk assessments for their IT infrastructure to understand the state of security. Therefore, preventing security breaches is at the top of the mind for most Chief Information Security Officers (CISOs). As companies progress on their cloud journey, they realize that traditional security and compliance processes (built for on-premises datacenters) don’t work for public cloud infrastructure. Those processes were designed for once-a-year reviews. Such point-in-time security assessments don’t show the real picture if translated to the cloud. By the time an assessment is done, the infrastructure could have changed multiple times from what was reviewed. To solve this, retailers (and other industries) need to implement automated and continuous security and compliance assurance. It’s as the only way to match the pace of digital transformation.
An important point is that by far the largest data loss from breaches in recent memory has happened because of preventable misconfigurations, typically a result of a human error. (When data breaches occur, they are rare, but a single breach often means large data losses). At this point, every cloud service provider builds their infrastructure securely and adheres to multiple industry compliance standards. But securely configuring cloud infrastructure is a customer’s responsibility. It turns out that these configurations are not fully controlled using standard developer processes. In the cloud, multiple developers are continuously releasing new code and building new environments. Without automated compliance checking, a human error may result in a fatal mistake such as exposing a database, a storage account, or a virtual machine to the internet. Hackers know the IP address ranges of cloud service providers and continuously scan these IP addresses for such unsecured resources. If a resource is accidentally exposed, it takes less than ten minutes for the data to be compromised.
The good news is that such cloud infrastructure misconfigurations are easily preventable. A new software product category for cloud security assurance has emerged: continuous, automated cloud compliance. These products map out cloud infrastructure configurations using APIs, compare these actual configurations against cloud security best practices and provide instant visibility into security and compliance posture. And going forward, every new build is evaluated against the set standards.
On the Azure Marketplace, we now have one such offering, Cloudneeti Cloud Assurance for Retailers. This SaaS product supports thirteen cybersecurity and industry benchmarks, and features compliance with laws and regulations. Out of the box, the solution offers the most commonly required compliance framework in retail: PCI DSS. Other cybersecurity benchmarks such as NIST, CIS and CSA are also available.
The solution is a security and compliance assurance product, purpose-built as a multi-tenant SaaS application hosted on Microsoft Azure. It uses the latest advancements in scalable and highly available cloud architectures. To ensure high availability, the solution is deployed across multiple regions in an active-active mode (a load-balancing concept). The deployment uses Azure services such as WebApps, Azure Functions, CosmosDB, Azure Machine Learning, API management, and data analytics. It also uses multiple networking and security services including content caching, DDoS protection, data encryption, and WAF. Serverless infrastructure significantly reduces infrastructure costs and shortens the overall time of data collection and processing. By orchestrating and parallelizing thousands of durable functions across multiple Azure regions, the data collection time is reduced from hours to minutes. And a NoSQL database offers scalability in terms of the amount of data it can handle while providing robust data encryption and data reliability.
The solution can be used by organizations to gain visibility into security posture, and to enforce cloud security standards. Each end customer must define their own set of “must have” security policies and measure itself for compliance against their standard. By using a solution for this task, a customer’s security responsibilities can be automated and tracked.
According to Cloudneeti, customers typically start with a quick assessment project to determine their current security posture. In most cases the assessment reveals a 30% to 45% compliance—but it should be in the 90% to 100% range. Customers then begin to remediate current misconfigurations and maintain the set standard going forward. Cloud security and compliance assurance processes are then rolled out across all cloud infrastructure deployment teams.
Concern over security has resulted in the recent invention of “Developer, Security and Operations” (DevSecOps). With automated deployments using Infrastructure as Code and a product like Cloudneeti, organizations can begin to manage compliance efficiently—and that is a good start at securing a retail enterprise.