The retail sector has seen significant digital developments and shifts in the last few years, driven by the explosive growth of online shopping and consumer demand for brands that operate digitally first. In order to keep up with e-commerce demand and unlock new strategic advantages, retailers are wasting no time in embracing the cloud and Infrastructure-as-a-Service (IaaS).
A cloud-based strategy has numerous benefits when it comes to security. With a hybrid cloud approach, for instance, retailers are able to tap into both public and private cloud services. The reduced cost of the public cloud, combined with the stronger protection of sensitive data in the private cloud, offers the best of both worlds.
However, with great benefits comes great responsibility. It is down to businesses to delineate where the service providers’ security responsibilities end and where their own begin, while the expansive nature of cloud infrastructure increases a business’s potential attack surface.
With the holiday shopping season in full swing, what better time to re-evaluate your security processes and infrastructure? So, let’s talk through the key layers of digital security that all companies leveraging the cloud should be paying attention to…
- Encryption
Encryption involves converting data into an unreadable format before it is either transferred or stored in the cloud – this is one of the most effective measures for securing data. In other words, even if attackers manage to access the data, it remains incomprehensible to them without the key. In turn, this makes it a much less appealing target for cyberattacks.
Organisations should prioritise encrypting sensitive ‘in flight’ data, especially if the business has adopted a hybrid cloud strategy where valuable customer data is transferred between applications and environments on a regular basis.
- Identity and Access Management
Another common attack path in the retail sector is insufficient authentication - if an attacker compromises a customer’s credentials and there are no further authentication layers in place, they can potentially access and use payment details stored in the e-commerce site or application. Additionally, if an unprotected admin account is compromised, an attacker can gain access to the backend systems and databases. Enabling multi-factor authentication for both customers and admins provides an extra layer of security and reduces this risk.
Employing an end-to-end identity and access management system, which takes password management out of employees’ hands, is an essential step in improving cloud security.
Additionally, not every employee needs the same level of access to cloud applications and systems. Limiting high-level access to those who genuinely need it (the principle of least privilege) helps keep security under control from an access perspective.
- Data Sovereignty
All data is subject to the laws and regulations of the region or country in which it’s being stored. American fertility app Proov is a great example – the app migrates all of its workloads to a data centre in Nevada so that the data can be stored in a state where restrictive abortion laws are unlikely to be passed. Because each jurisdiction sets its own rules, however, those rules can come into direct conflict with one another.
In the United States, there are laws that state cloud service providers must hand over data to authorities upon request. In contrast, GDPR in the EU stipulates that data stored in the region may only be accessed by law enforcement based on requests under EU law.
In an attempt to manage geographical differences and pressures around data sovereignty, businesses can look to sovereign cloud offerings, which involve working solely with local cloud providers or building on-premise cloud storage.
- Patch Management
To help keep networks secure, reliable, and up to date, consistent patching is vital. Any gap in security represents an open door to cybercriminals. In order to keep that door closed, companies should implement software updates and patches as soon as they become available. When a vulnerability is found after the release of a piece of software, a patch can be used to fix it, ensuring that assets in your environment are not susceptible to exploitation.
Knowing who is accountable for this process can be challenging when working with a public cloud provider. It’s crucial that both parties understand where their responsibilities lie, so that any gaps can be filled right away and no vulnerabilities are left for malicious actors to exploit.
- Ensuring Cloud Data Back-up
In light of every measure explored above, backups are the final item on any thorough checklist for cloud security. Even as a last resort strategy, backing up cloud data can nonetheless ensure that services are maintained and business is not significantly interrupted in the case of a successful cyber-attack.
An effective backup plan should include both “live” and “cold” backups: restoration can be performed automatically from the live backup where feasible, before turning to an offline backup that isn’t connected to live systems, in case the live backup has also been compromised.
- Security can be Challenging
Maintaining cloud security is an ongoing challenge for retailers, and bad actors are constantly evolving their tactics and technologies in order to take advantage of any vulnerabilities and steal sensitive data, such as credentials and payment data. And they’re not fussy when it comes to approach – for example, they can work to gain entry to a data centre and physically load ransomware onto servers. Securing data physically is just as important as securing it digitally.
This is especially important for organisations with on-site facilities to take into account, as they might not be able to provide the same level of security that a tier 4 data centre would. Organisations should look towards cloud providers that offer useful tools such as SOC services and cybersecurity appliances on private cloud infrastructure, in order to protect the sensitive data handled there.
In any case, businesses need to be certain that they have all the necessary security precautions in place, or that they have chosen cloud service providers who will collaborate with them to ensure that the physical and digital security of their cloud data is strong. Whilst the customer is usually the one predominantly in charge of security, cloud providers can help too, which makes choosing the right one with the right services all the more important.
Fundamentally though, by moving workloads to the cloud, retailers can keep security in check and even improve it with the correct security policy and cloud service providers on board.
The author, Massimo Bandinelli, is Aruba’s Enterprise Marketing Manager.