Retail organizations are experiencing a culture shift as they respond to consumer demand for improved experiences in the store and online. Building applications and migrating PCI-regulated workloads to Microsoft Azure and Google Cloud Platform (GCP), and sometimes even Amazon Web Services (AWS), is an attractive prospect. It offers a way to respond to competitive pressures, and speed innovation, time to market, and resilience. However, the self-service, dynamic nature of software-defined cloud infrastructure creates unique challenges for risk and compliance professionals in the retail industry.
Processes and tools that worked well in the traditional data center do not directly translate to the public cloud. Due to concerns over security and PCI DSS (Payment Card Industry Data Security Standard) compliance, as well as the complexity involved in migrating legacy systems, retailers have traditionally taken a cautious approach to public cloud adoption. However, competitive pressures are driving retailers to jump into the proverbial deep end or risk being left behind and out of business.
In this new world, retailers need to go from 0 to 60 overnight, without creating risk for themselves, their customers, or other stakeholders. To take full advantage of the opportunities public cloud offers, retailers must ensure that clear cloud governance standards are defined; that they have real-time automated enforcement of security and governance, risk management and compliance (GRC) policies; and that they can present evidence of compliance to assessors and auditors.
This is an achievable objective. This guide explores the frameworks that retailers are leveraging to ensure strong governance in the cloud, provides a roadmap for continuous compliance in the cloud, and explains how InsightCloudSec can help you achieve these goals.
While many retailers know they have to make changes, they are often risk-averse when it comes to implementing new technology (and for good reason). This cautious approach is driven by substantial regulatory requirements and the sensitive nature of consumer information. The risks are not imagined, as the retail industry has been a giant target for hackers. Importantly, the retail industry is heavily regulated via the PCI DSS, and more recently the General Data Protection Regulation (GDPR) set forth by the European Union. Retailers that don’t comply with these regulations face substantial penalties in both brand reputation, liability, and fines.
But how do these regulations translate to the public cloud? How do you map directives back to a novel, and ever-expanding, set of cloud services, especially relative to the set of software-defined configurations that often result in a violation of policy? How do you do this while embracing self-service, from which the public cloud derives much of its flexibility and agility? How do you ensure continuous compliance in the dynamic and transient world of public cloud on a constant and consistent basis?
In essence, how can today’s retailer embrace all the many benefits of the cloud without opening up a Pandora’s box of risk relative to security and governance, risk management, and compliance (GRC)?
Daunting though this may seem, it is entirely possible if you utilize cloud-native frameworks and employ automation to enforce standards.
For retailers, we recommend three frameworks: PCI DSS, Cloud Security Alliance Cloud Controls Matrix (CSA CCM), and CIS Benchmarks. These are the frameworks that should make up the foundation of cloud governance for every retailer. If you do offer goods or services to or monitor the behavior of European Union citizens, then you will also need to comply with GDPR.
Let’s explore these foundational frameworks and the value they deliver.
The Payment Card Industry Data Security Standard is a proprietary information security standard administered by the PCI Security Standards Council. PCI DSS applies to all entities that store, process, or transmit cardholder data or sensitive authentication data, including merchants, processors, acquirers, issuers, and service providers.
When payment card data is stored or processed by customers using Azure, GCP, or AWS, the requirements of PCI DSS will apply. Importantly, PCI DSS compliance is a shared responsibility between the retailer and the cloud service provider (CSP). In other words, running in Azure, GCP, or AWS does not exempt the retailer from the responsibility of ensuring that their cardholder data is properly secured according to applicable PCI DSS requirements.
CSPs use a variety of technologies and processes to secure information stored on their cloud solutions and services. However, all CSPs offer customers a great deal of configuration control over services running on the CSP’s infrastructure. It is the retailer’s responsibility to comply with the requirements of PCI DSS that relate to configuration choices, operating systems packages, and applications deployed by the retailer.
The CSPs all publish guides to the shared responsibility model specific to PCI DSS.
Cloud Security Alliance Cloud Controls Matrix is the gold standard for cloud-native security assurance and compliance. The CSA CCM recommendations are mapped to many other compliance standards, such as NIST, and can help companies meet their requirements under these regulations. The CSA CCM provides a controls framework with a detailed explanation of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 16 domains:
As a framework, the CSA CCM provides organizations with structure, detail, and clarity on information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments in many ways:
As discussed above, one reason it is such a powerful resource is that if you are compliant in one area, it can provide validation that you are compliant with numerous related frameworks.
For example, the control ID – DIS-03 under the CCM Domain – Data Security and Lifecycle Management for E-commerce Transactions requires data related to e-commerce that traverses public networks to be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification so as to prevent contract dispute and compromise of data. If an organization is in compliance with DIS-03, there is a direct correlation with NIST 800-53, which addresses these same security requirements with controls including:
Retailers should use CSA CCM because it is a well-documented and very accessible framework, and it can be communicated to customers and other stakeholders as the standard by which the retailer can be held accountable. There has also been movement within other industries, including banking, to select CSA CCM as a commonly used standard among institutions.
CIS Benchmarks are secure configuration guidelines and settings created to help you secure specific platforms, including Azure, GCP, and AWS. These benchmarks help retailers safeguard systems against today’s evolving cyber threats and are endorsed by leading IT security vendors and governing bodies. They are prescriptive guidance to help you create a secure baseline configuration when operating in Azure, GCP, or AWS.
In September 2018, CIS published a new benchmark for security cloud workloads on Google Cloud Platform (GCP). This benchmark contains dozens of security recommendations across identity & access management, logging/monitoring, networking, storage, compute, and Kubernetes.
In December 2017, CIS published the AWS CIS Foundations Benchmark, which provides prescriptive guidance on configuring security options for a subset of Amazon Web Services, with an emphasis on foundational, testable, and architecture-agnostic settings.
It is important to note that the CIS Benchmarks from each of the cloud service providers are for a base set of cloud services, and do not guide the complete and ever-expanding collection of services offered by each provider. Therefore it is essential for each institution to perform the legwork to expand the principles established in the CIS Benchmark to a broader set of services, or leverage third-party software like InsightCloudSec that provides out-of-the-box compliance capabilities.
There are 3 keys to building a roadmap for security and compliance: culture, frameworks, and systems. Combining these 3 keys enables you to build cloud operations maturity through automation.
First, we must reject the “command and control” approach that was successful in the traditional data center world, and embrace the new “trust but verify” approach that supports innovation derived by self-service access to the public cloud.
Second, incorporate PCI DSS, CSA CCM, and CIS Benchmarks (plus GDPR as necessary) as the foundation of your cloud security and GRC strategy.
Third, identify and implement the systems that are cloud-native and help you address the unique challenges of the public cloud through automation. Fortunately for retailers, there are ready-made solutions available that help you achieve continuous security, compliance, and governance while embracing the dynamic, software-defined, self-service nature of public cloud and container infrastructure.
InsightCloudSec is a leader in this space. InsightCloudSec helps retailers like Kroger and Pizza Hut to improve security, take control, and minimize risk as they embrace the dynamic self-service nature of public cloud and container infrastructure. InsightCloudSec enables these industry leaders to take full advantage of the agility and speed of cloud and container technology while strengthening their security and compliance posture.
InsightCloudSec performs real-time, continuous discovery and monitoring of resources in Microsoft Azure, Google Cloud Platform, Amazon Web Services, Alibaba Cloud, and Kubernetes. This data is distilled into actionable insights and presented through a single pane of glass console that provides an assessment of your holistic security and compliance posture.
InsightCloudSec offers more than 200 out-of-the-box policies that map to best practices and standards, including PCI DSS, CSA CCM, CIS, GDPR, SOC 2, NIST CSF, NIST 800-53, ISO 27001, FedRAMP CCM, and HIPAA. Customers enable and customize these out-of-the-box policies, or configure custom policy guardrails called “Insights.”
Policy violations are then flagged in real time, and customers can automate remediation with out-of-the-box or custom workflows (“Bots”) that integrate with third-party systems like Splunk and ServiceNow. Crucially, Bots can take action inside connected cloud and container environments. These Bots are fully configurable and can incorporate the lifecycle actions supported by the resource in violation. For example, the workflow may Modify Security Groups, Disassociate Public IP, or Terminate Instance when remediating a compute instance in violation of policy.
InsightCloudSec is designed for security, GRC, and operations professionals who want to identify risks in real time and take automatic, user-defined action to fix problems before they’re exploited.
It is not a matter of if a misconfiguration will occur, but a question of when it will happen and how quickly it will be discovered and exploited. Attackers are becoming more sophisticated at finding and exploiting public cloud infrastructure (including IaaS, serverless, and containers). Without standards and automation in place, a retailer is a proverbial sitting duck. However, with the right standards and tools in place, retailers have the opportunity to drive innovation and profitability while minimizing the increased risk of public cloud adoption. Every retailer running in AWS, Azure, or GCP needs to utilize cloud-native frameworks like CSA CCM and CIS, and employ automation to identify and remediate misconfigurations that violate policy in real time.
As retailers move to embrace public cloud, they must ensure that security and GRC are at the foundation of all decisions. Regulatory compliance and managing cyber risk do not need to be the enemy of innovation. A combination of culture change, adoption of cloud-native frameworks, and the use of tools like InsightCloudSec can help retailers advance innovation while guarding against risk and ensuring that compliance standards are being met.