Why Cloud Security is Critical for Retailers

By Kristen Bickerstaff, CyberArk.

The past few years have seen accelerated digital transformations for the retail industry as online shopping and the demand for digital-first businesses have grown tremendously. Retailers are rapidly turning to the cloud and Infrastructure-as-a-Service (IaaS) to keep up with the e-commerce demand and unlock operational efficiencies. Cloud services can help retailers with areas such as:

• Tracking inventory in real-time with cloud-hosted databases and applications
• Using big data to personalize shopping experiences for customers
• Scaling e-commerce site performance up and down easily, depending on seasonality and demand

But like all new technologies, the cloud brings new challenges. Security is one such challenge, as distributed cloud-hosted environments need to be carefully protected — especially for retailers handling sensitive information like payment details and other personally identifiable information (PII).

The Risk (and Cost) of a Security Breach is High

Beyond a loss of customer trust, security breaches in the e-commerce space can be expensive. According to IBM’s Cost of a Data Breach study, the cost of a data breach for retailers increased 62.7% in the last year, with an average cost of $3.27M. But the cost can be much higher, depending on the scale of the breach.

Retailers must be particularly wary of unauthorized access to their hybrid and multi-cloud environments, since customers’ personally identifiable information can be exposed. According to Verizon’s Data Breach Investigation Report, the top types of data that were compromised in breaches involving retailers were:

• Payment data
• Personal data
• Credentials

This sensitive information makes retailers a key target for attackers, and attacks can be incredibly damaging if the right databases and cloud storage systems are compromised. Additionally, since retailers collect credit card information, they are subject to the PCI (Payment Card Industry) Data Security Standards, which means they “ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities.” Failing to implement the principle of least privilege access (part of the CSA’s Cloud Controls Matrix), even inadvertently, can expose retailers to fines and other penalties.

Common Attack Paths in the Retail Industry

Data breaches are, unfortunately, common in the retail industry. Risk factors can easily compound in a cloud environment because of the dynamic nature of cloud infrastructure and services. Simultaneously, cloud provider innovation can accelerate the potential for mistakes, as new permissions to access the increasing number of CSP services can expand the total attack surface of a hybrid cloud environment beyond traditional on-premises frameworks.

Some of the most common attack paths in this space include:

• Misconfigured entitlements – The dynamic, quickly changing nature of the cloud means that a database may be misconfigured to allow more access than you’d like and that areas of your cloud infrastructure can be inadvertently exposed to the public. A misconfigured cloud database can expose important personally identifiable information (PII).
• Lack of authentication – If an attacker compromises a customer’s credentials and there are no further authentication layers in place, they can potentially access and use payment details stored in the e-commerce site or application. Additionally, if an unprotected admin account is compromised, an attacker can gain access to the backend systems and databases. Enabling multi-factor authentication for both customers and admins can provide an extra layer of security and reduce this risk.
• Hard-coded application secrets – When building e-commerce applications, developers can sometimes leave secrets embedded in the code, exposing them to potential attackers. Throughout DevOps pipelines and software supply chains, all hardcoded credentials — passwords, keys and tokens — should be securely managed and programmatically rotated to reduce risk of compromise.
• Website vulnerabilities – Attackers can exploit vulnerabilities within your e-commerce site as well. Without the right layers of security, retailers are vulnerable to attacks such as Distributed Denial of Service (DDoS), SQL injection, and e-skimming — all of which can disrupt business and potentially give attackers access to valuable customer data.

Five Things Retailers Can Do to Secure the Cloud

Luckily, there are ways retailers can help ensure their cloud environments are more secure. Some key strategies to consider are:

• Take an ongoing approach to cloud security, including expanding security awareness training programs
• Detect and remediate excessive permissions for all identities
• Enforce multi-factor authentication for all user access
• Rotate and manage credentials for the most privileged human and machine identities
• Implement least privilege throughout your hybrid and cloud environments

Want to learn more about how to secure your cloud environments? Check out our on-demand webinar “Managing Entitlements for All Identities – Shared and Federated.”