Cloud Security and Compliance Guide for Retailers

How to stay secure using the cloud the revolutionize the customer experience


Retail organizations are experiencing a culture shift as they respond to consumer demand for improved experiences in the store and online.  Building applications and migrating PCI-regulated workloads to Microsoft Azure and Google Cloud Platform (GCP), and sometimes even Amazon Web Services (AWS), offers an attractive way to respond to competitive pressures, speed innovation, time to market, and resilience.  However, the self-service, dynamic nature of software-defined cloud infrastructure creates unique challenges for risk and compliance professionals in the retail industry.

Processes and tools that worked well in the traditional datacenter do not directly translate to the public cloud.  Due to concerns over PCI-DSS compliance and security, as well as the complexity involved in migrating legacy systems, retailers have traditionally taken a tentative approach to public cloud adoption.  However, competitive pressures are driving retailers to jump into the proverbial deep end or risk being left behind and out of business.

In this new world, retailers need to go from 0 to 60 overnight, and without creating risk for themselves, their customers, and other stakeholders.  To take full advantage of the opportunities public cloud offers, they must ensure that clear cloud governance standards are defined, that they have real-time automated enforcement of security and governance, risk management and compliance (GRC) policies, and that they can present evidence of compliance to assessors and auditors.

This is an achievable objective, and this guide explores the frameworks that retailers are leveraging to ensure strong governance in the cloud, a roadmap for continuous compliance in the cloud, and how DivvyCloud can help you achieve this goal.

Roadblocks to Innovation

While many retailers know they have to make changes, they are often risk-averse when it comes to implementing new technology (and for a good reason). This cautious approach is driven by substantial regulatory requirements and the sensitive nature of consumer information. The risks are not imagined, as the retail industry has been a giant bullseye for hackers.  Importantly, the retail industry is heavily regulated via the Payment Card Industry Data Security Standard (PCI DSS) and most recently the General Data Protection Regulation (GDPR) set forth by the European Union. Retailers that don’t comply with these regulations face substantial penalties in both brand reputation, liability, and fines.

The challenge is how do these regulations translate to the public cloud?  How do you map directives back to a novel, and ever-expanding, set of cloud services, especially relative to the set of software-defined configurations that often result in a violation of policy?  How do you do this while embracing self-service, from which the public cloud derives much of its flexibility and agility? How do you ensure continuous compliance in the dynamic and transient world of public cloud and do so on a constant and consistent basis?   

In essence, how can today’s retailer embrace all the many benefits of the cloud without opening up a Pandora’s box of risk relative to security and GRC?

The answer is yes you can if you utilize cloud-native frameworks and employ automation to enforce these standards.

Cloud Native Frameworks

For retailers, we recommend three frameworks: Payment Card Industry Data Security Standard (PCI DSS), Cloud Security Alliance Cloud Controls Matrix (CSA CCM), and CIS Benchmarks.  These are the foundational frameworks that should make up the foundation of cloud governance for every retailer. If you do offer goods or services to or monitor the behavior of, European Union citizens then you will also need to comply with GDPR.

Let’s explore these foundational frameworks and the value they deliver:

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard is a proprietary information security standard administered by the PCI Security Standards Council. PCI DSS applies to all entities that store, process or transmit cardholder data or sensitive authentication data, including merchants, processors, acquirers, issuers, and service providers.  

When payment card data is stored or processed by customers using Azure, GCP, or AWS, the requirements of PCI DSS will apply. Importantly, PCI DSS compliance is a shared responsibility between the retailer and the cloud service provider (CSP).  In other words, running in Azure, GCP, or AWS does not exempt the retailer from the responsibility of ensuring that their CardHolder Data is properly secured according to applicable PCI DSS requirements.

The CSPs uses a variety of technologies and processes to secure information stored on their cloud solutions and services. However, all the CSPs offer customers a great deal of configuration control over their services running on the CSP’s infrastructure.  It is the retailer’s responsibility to comply with the requirements of PCI DSS that relate to configuration choices, operating systems packages, and applications deployed by the retailer.

The CSPs all publish guides to the shared responsibility model specific to PCI DSS:

Cloud Security Alliance Cloud Controls Matrix

Cloud Security Alliance Cloud Controls Matrix is the gold standard for cloud-native security assurance and compliance. It provides a cloud-native controls framework with a detailed explanation of security concepts and principles. The CSA CCM recommendations are mapped to many other compliance standards, such as NIST, and can help companies meet their requirements under these regulations. The CSA CCM provides a controls framework with a detailed explanation of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 16 domains:

  • Application & Interface Security (AIS)
  • Audit Assurance & Compliance (AAC)
  • Business Continuity Management & Operational Resilience (BCR)
  • Change Control & Configuration Management (CCC)
  • Data Security & Information Lifecycle Management (DSI)
  • Datacenter Security (DCS)
  • Encryption & Key Management (EKM)
  • Governance & Risk Management (GRM)
  • Human Resources (HRS)
  • Identity & Access Management (IAM)
  • Infrastructure & Virtualization Security (IVS)
  • Interoperability & Portability (IPY)
  • Mobile Security (MOS)
  • Security Incident Management, E-Discovery, & Cloud Forensics (SEF)
  • Supply Chain Management, Transparency, and Accountability (STA)
  • Threat & Vulnerability Management

As a framework, the CSA CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to the cloud industry.  The CSA CCM strengthens existing information security control environments in many ways:

  • It emphasizes business information security control requirements;
  • It reduces and identifies consistent security threats and vulnerabilities in the cloud;
  • It provides standardized security and operational risk management; and
  • It seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.

As discussed above, one reason it is such a powerful resource is that if you are compliant in one area, it can provide validation that you are compliant with numerous related frameworks.  

For example, the control ID – DIS-03 under the CCM Domain – Data Security and Lifecycle Management for E-commerce Transactions, requires data related to e-commerce that traverses public networks to be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner to prevent contract dispute and compromise of data.  If an organization is in compliance with DIS-03, there is a direct correlation with NIST 800-53 which addresses these same security requirements with controls including:

  • AC-14: Permitting actions without identification or authentication
  • AC-21: Information sharing
  • AC-22: Public Accessible content
  • IA-8: Identification and Authentication (Non-organizational users)
  • AU-10: Non-Repudiation
  • SC-4: Information in shared resources
  • SC-8: Transmission confidentiality and integrity
  • SC-9: Transmission confidentiality

Retailers should use CSA CCM because it is a well documented and very accessible framework that can be communicated to customers and other stakeholders as the standard by which they can hold the retailer accountable.  There has also been movement within different industries, including banking, to select CSA CCM as a commonly used standard among institutions.

Center for Internet Security (CIS) Benchmarks

CIS Benchmarks are secure configuration guidelines and settings created to help you secure specific platforms, including Azure, GCP, and AWS. These benchmarks help retailers safeguard systems against today’s evolving cyber threats and are endorsed by leading IT security vendors and governing bodies.  They are prescriptive guidance the help you create a secure baseline configuration when operating in Azure, GCP, or AWS.

In March 2018, Microsoft published the CIS Microsoft Azure Foundations Security Benchmark which is the recognized industry-standard for securely configuring traditional IT components.  

In September 2018, CIS published a new benchmark for security cloud workloads on Google Cloud Platform (GCP). This benchmark contains dozens of security recommendations across Identity & Access Management, Logging/Monitoring, Networking, Storage, Compute and Kubernetes.

In December 2017, CIS published the AWS CIS Foundations Benchmark which provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture agnostic settings.

It is important to note that the CIS Benchmarks from each of the cloud service providers are for a base set of cloud services and do not guide the complete and ever-expanding collection of services offered by each provider.  Therefore it is essential for each institution to perform the legwork to expand the principles established in the CIS Benchmark to a broader set of services or leverage 3rd party software like DivvyCloud that provides out-of-the-box compliance capabilities.

Developing a Roadmap for Security and Compliance

There are three keys to building a roadmap for security and compliance: culture, frameworks, and systems.  Combining these three keys enables you to build cloud operations maturity through automation.

First, we must reject the “command and control” approach that was successful in the traditional datacenter world and embrace the new “trust but verify” approach that supports innovation derived by self-service access to the public cloud.  

Second, incorporate PCI DSS, CSA CCM, and CIS Benchmarks (and GDPR as necessary) as the foundation of your cloud security and GRC strategy.  

Third, identify and implement the systems that are cloud-native and help you address the unique challenges of the public cloud through automation.  Fortunately for retailers, there are ready-made solutions available that help you achieve continuous security, compliance, and governance while embracing the dynamic, software-defined, self-service nature of public cloud and container infrastructure.

Embracing Cloud Automation

DivvyCloud is a leader in this space.  DivvyCloud helps retailers like Kroger and Pizza Hut to improve security, take control, and minimize risk as they embrace the dynamic self-service nature of public cloud and container infrastructure.  DivvyCloud enables these industry leaders to take full advantage of agility and speed of cloud and container technology while strengthening their security and compliance posture.

DivvyCloud performs real-time, continuous discovery and monitoring of resources in Microsoft Azure, Google Cloud Platform, Amazon Web Services, Alibaba Cloud, and Kubernetes.  This data is distilled into actionable insights and presented through a single-pane-of-glass console that provides an assessment of your holistic security and compliance posture.  

DivvyCloud offers more than 200 out-of-the-box policies that map to best practices and standards including PCI DSS, CSA CCM, CIS, GDPR, SOC 2, NIST CSF, NIST 800-53, ISO 27001, FedRAMP CCM, and HIPAA.  Customers enable and customize these out-of-the-box policies, or configure custom policy guardrails, called “Insights.”

Once Insights are enabled, policy violations are flagged in real-time, and customers can automate remediation with out-of-the-box, or custom, workflows (“Bots”) that integrate with 3rd party systems like Splunk and ServiceNow.  Importantly, Bots can take action inside connected cloud and container environments. These Bots are fully configurable and can incorporate the lifecycle actions supported by the resource in viåolation. For example, the workflow may Modify Security Groups, Disassociate Public IP, or Terminate Instance when remediating a compute instance in violation of policy.  

DivvyCloud is designed for security, GRC, and operations professionals who want to identify risks in real-time and take automatic, user-defined action to fix problems before they’re exploited.

Next Steps

It is not a matter of if a misconfiguration will occur, but a question of when it will happen and how quickly it will be discovered and exploited.  Attackers are becoming more sophisticated at finding and exploiting public cloud infrastructure (and this includes IaaS, serverless and containers).  Without standards and automation in place then a retailer is a proverbial sitting duck. However, with the right standards and tools in place retailers have the opportunity to drive innovation and profitability while minimizing the increased risk of public cloud adoption. Every retailer running in AWS, Azure, or GCP needs to utilize cloud-native frameworks like CSA CCM and CIS, and employ automation to identify and remediate misconfigurations that violate policy in real-time.

As retailers move to embrace public cloud, they must ensure that security and GRC are at the foundation of all decisions.  Regulatory compliance and managing cyber risk do not need to be the enemy of innovation. A combination of culture change, adoption of cloud-native frameworks, and the use of tools like DivvyCloud can help retailers advance innovation while protecting them against risk and ensuring that compliance standards are being met.

DivvyCloud: Guardrails for Your Cloud Infrastructure

DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (Azure, GCP, AWS, Alibaba, and Kubernetes).  First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.