The rush to cloud for the retail sector has increased significantly in 2020/2021 due to COVID, and along with it an increasing number of cyberattack attempts happening against them. Being aggregators of large amounts of personally identifiable information (PII) and credit card data, online retailers are an easy target for cyber criminals.
Data breaches exposed 36 billion records in the first half of 2020 aloneSource: RiskBased
With the hype and value potential of cloud, it makes sense that not just retail companies, but most companies, would want to capitalise on the high availability and expansive services to enable their business growth. Although cloud can empower speed of delivery and give a good security posture, it is also notoriously complex to do well.
With a lack of skills in the industry overall in the cloud and container space, it’s becoming increasingly more difficult to attract the right level of talent to help underpin the delivery of the application teams. This inevitably leads to compromises on the quality and security of what’s delivered, due to time constraints, pressures, lack of resourcing and an ever-increasing technology landscape that’s hard to keep up with.
The retail industry needs a simplified solution to security.
The struggle of maintaining a strong security posture
We all understand the importance of good security, but maintaining it is always an uphill battle. With new starters, new technologies and expanding teams, maintaining it is extremely difficult.
According to Verizon’s 2020 Payment Security Report, nearly 50% of companies lost their PCI-DSS compliance, along with another 50% within a year. That’s 100% of companies who struggle to maintain a compliant position across their organisation, which prevents a significant risk to customers’ data. On top of that, there’s a lack of personal security, as individuals will often use the same password(s) across many services, meaning one breach of one system results in a multi-breach for the individual across all the services they consume.
Earlier we mentioned the Estee Lauder breach, but there have been several other major compromises in the first half of 2021:
- January 22: Bonobos
- January 26, 2021: VIPGames
- March 23: Hobby Lobby
- April 12: ParkMobile
It’s clear that companies are really struggling with doing cloud security well and maintaining that overall position.
WHY IS IT SO DIFFICULT?
In simple terms, cloud is exceptionally complicated. Each service is independent and requires specialised domain knowledge, on top of understanding base-level cloud security principles and best practices. For example, Kubernetes, which is an application container management system that Google, AWS and Azure offer, requires an understanding of the configuration options needed to harden it, but also has a completely independent management lifecycle inside of itself that requires an additional security posture.
This means your DevOps engineers need to layer in a good set of security configuration standards inside of Kubernetes to protect the applications running inside of it, as well as outside of the system and around the cloud. This naturally increases the amount of expertise required and domain knowledge needed to secure accurately across the business.
This isn’t unique to just Kubernetes, it’s the same for most of the cloud services presented; cybercriminals are constantly scanning companies, looking for common pitfalls to make their attack.
What can you do to prevent a security issue?
It’s not all doom and gloom when it comes to cloud and security, there are some fundamentals you can follow:
Reduce access and use short-lived
- Enable developer self-service with secure cloud configuration
- Don’t give inexperienced individuals cloud access
- Provide least privileges to users and applications (i.e. no admin access)
- Use short-lived access credentials, which are credentials that expire after a time window, to prevent anyone else from being able to reuse them due to them persisting
- Use cloud manage application identities for workloads that run in cloud
Segregation and isolation
- Segregate teams into their own tenants, projects or cloud accounts
- Separate production and non-production into their own tenants per team
Developer self-service and reuse
- Use products and tools that let you version cloud service configurations that can be shared across teams, so there is consistency across all teams
- Only use products, tools or people that understand and adopt cloud best practice
Cloud and DevOps best practices
- Do everything as code—no manual changes—unless in a ‘sandpit’ environment where there is learning/exploration work needed, but no production data
- Test your changes for any regressions (i.e. that the network is still private and not public on the internet)
- Set up security notifications so the relevant teams get notified of any suspicious activity
- Enable cloud security features such as guard duty
- Push good security cloud policies across your team cloud accounts that enable all the relevant features
- Cloud audit
- Central logging of audit (so that it doesn’t live inside of the team’s account)
- Restriction of global administrative roles
- Preventing teams from turning off cloud audit
- Preventing teams from making manual changes via the console
This isn’t an exhaustive list, but it contains some of the main fundamentals when dealing with cloud in a secure way and will bring a huge amount of security uplift if you’re not already doing these things.
Removing the burden
Although cloud is complex to manage completely on your own, there are solutions to bring consistency and order across your organisation to help manage and control the landscape in a more unified way.
With cloud services being released at a rapid pace, leaning into technology to take the burden away from your resources is going to be key to scaling your business in a secure way.