Retail’s Security Conundrum

Cloud computing has been slower to get off the ground in Canada than it has in the U.S, and for a couple of reasons. First off, Canadian C-suite occupants aren’t familiar with the concept (according to a 2014 survey, 10 per cent of Canadian execs were familiar with the cloud, and only half of those could accurately explain it). And among those considering a cloud solution, survey after survey has pinned the reluctance to adopt on security concerns.

That’s particularly true in the retail sector, where a series of colossal—and expensive—security breaches have execs on the defensive when it comes to customer and transaction data. The thinking is that cloud computing is inherently less secure than an on-premise, customer managed data centre.

That thinking is wrong.

Yes, there have been widely publicized breaches of public cloud providers, with customer data whisked away. But if you look at the biggest, most expensive retail breaches—there’s no need to name names, you know who they are—they’ve been from retailers running their own, on-premise architecture.

The window of exposure can be as small as an unsecured wireless access point, or a laptop with unencrypted customer data for analysis. The point is, best practices for security are best practices for security—whether it’s an on-premise data centre or a public cloud or a managed services infrastructure. In fact, in a cloud or managed services environment wherein the host has service level agreements (SLAs) that put security requirements squarely on its shoulders, data and applications can actually be more secure, since the provider will have developed a repeatable security model to be used for all of its customers.

Retailers do have specific pain points to address by virtue of the transactional nature of their businesses, and need assurances from a service provider—just as they do from an internal IT department—that certain baseline security measures are covered off.

* PCI DSS Compliance. The Payment Card Industry Data Security Standard is a proprietary security standard for branded credit transactions. This is table stakes for a retail environment; if you want to take Visa, MasterCard, Amex or other name-brand transactions, PCI DSS compliance, verified annually, is a necessity.

* Data sovereignty. This refers to the physical location of data collected and stored, and where it is processed. Different jurisdictions place different demands—hence, applying different liabilities—on the location of data and applications. It’s a complicated issue, but generally, Canadian demands are higher than U.S. demands because of privacy implications—the U.S. Patriot Act exposes data held by data providers physically in the U.S. to much lower conditions for exposure to the authorities than in Canada, though the significance of that difference is often exaggerated.

* Data encryption. In a transactional environment, encryption used to be a performance drag. It’s still a source of overhead for data in transit, though not what it was 10 years ago. Encryption appliances can virtually retain wireline speed. That may be debatable, but the necessity to encrypt data at rest is not. This is where data is most vulnerable, and at the same time, most easily protected.

* Tiered data policy. For corporate compliance purposes, some data might have to be held closer to the chest, especially customer data. For other purposes, such as analytics and marketing, data might have to be exposed to a cloud-based application environment, for example to scale handle seasonal spikes. In this hybrid environment, it’s critical for retailers to retain control over certain elements of the data sets related to personal customer information, while allowing scalable cloud-based application to crunch anonymized data. Yet to offer customers personalized offers, personal information has to be associated transactional data. A clear policy regarding what data can be used, how, and in what infrastructure context—on-prem, private cloud, public cloud—is the foundation for a business and IT strategy to managed information in the context of a retail environment.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s