How to Stay Secure as a Retailer Using Cloud to Revolutionize the Customer Experience
Retail organizations are experiencing a culture shift as they respond to consumer demand for improved experiences in the store and online. Building applications and migrating PCI-regulated workloads to Microsoft Azure and Google Cloud Platform (GCP), and sometimes even Amazon Web Services (AWS), offers an attractive way to respond to competitive pressures, speed innovation and time to market, and improve resilience. However, the self-service, dynamic nature of software-defined cloud infrastructure creates unique challenges for risk and compliance professionals in the retail industry.
Processes and tools that worked well in the traditional datacenter do not directly translate to the public cloud. Due to concerns over PCI DSS compliance and security, as well as the complexity involved in migrating legacy systems, retailers have traditionally taken a tentative approach to public cloud adoption. However, competitive pressures are driving retailers to jump into the proverbial deep end or risk being left behind and out of business.
In this new world, retailers need to go from 0 to 60 overnight without creating risk for themselves, their customers, and other stakeholders. To take full advantage of the opportunities public cloud offers, they must ensure that clear cloud governance standards are defined, that security and governance, risk management and compliance (GRC) policies are enforced automatically and in real time, and that they can present evidence of compliance to assessors and auditors.
This is an achievable objective, and this guide explores the frameworks that retailers are leveraging to ensure strong governance in the cloud, a roadmap for continuous compliance in the cloud, and how DivvyCloud can help you achieve this goal.
Roadblocks to Innovation
While many retailers know they have to make changes, they are often risk-averse when it comes to implementing new technology (and for good reason). This cautious approach is driven by substantial regulatory requirements and the sensitive nature of consumer information. The risks are not imagined, as the retail industry has been a giant bullseye for hackers. Importantly, the retail industry is heavily regulated via the Payment Card Industry Data Security Standard (PCI DSS) and, most recently, the General Data Protection Regulation (GDPR) set forth by the European Union. Retailers that don't comply with these regulations face substantial penalties in brand reputation, liability, and fines.
Retail Guide: How to Stay Secure as a Retailer Using Cloud to Revolutionize the Customer Experience
1
The challenge is: how do these regulations translate to the public cloud? How do you map directives back to a novel, and ever-expanding, set of cloud services, especially relative to the set of software-defined configurations that often result in a violation of policy? How do you do this while embracing self-service, from which the public cloud derives much of its flexibility and agility? How do you ensure continuous compliance in the dynamic and transient world of public cloud, and do so on a constant and consistent basis?
In essence, how can today's retailer embrace all the many benefits of the cloud without opening up a Pandora's box of risk relative to security and GRC?
The answer is that you can, if you utilize cloud-native frameworks and employ automation to enforce their standards.
Cloud Native Frameworks
For retailers, we recommend three frameworks: Payment Card Industry Data Security Standard (PCI DSS), Cloud Security Alliance Cloud Controls Matrix (CSA CCM), and CIS Benchmarks. These are the foundational frameworks that should make up the basis of cloud governance for every retailer. If you offer goods or services to, or monitor the behavior of, European Union citizens, then you will also need to comply with GDPR.
Let’s explore these foundational frameworks and the value they deliver:
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard is a proprietary information security standard administered by the PCI Security Standards Council. PCI DSS applies to all entities that store, process or transmit cardholder data or sensitive authentication data, including merchants, processors, acquirers, issuers, and service providers.
When payment card data is stored or processed by customers using Azure, GCP, or AWS, the requirements of PCI DSS will apply. Importantly, PCI DSS compliance is a shared responsibility between the retailer and the cloud service provider (CSP). In other words, running in Azure, GCP, or AWS does not exempt the retailer from the responsibility of ensuring that their cardholder data is properly secured according to applicable PCI DSS requirements.
The CSPs use a variety of technologies and processes to secure information stored on their cloud solutions and services. However, all the CSPs offer customers a great deal of configuration control over their services running on the CSP's infrastructure. It is the retailer's responsibility to comply with the requirements of PCI DSS that relate to configuration choices, operating system packages, and applications deployed by the retailer.
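The shared-responsibility point above, and the guide's earlier claim that automation can enforce the frameworks' standards, both come down to the same practice: continuously checking the configurations the retailer controls against policy and keeping a record for assessors. The following Python script is an added example for this guide, not DivvyCloud's or any CSP's code. It evaluates a constructed inventory of cloud resource configurations (firewall rules, a storage bucket, a database) against a handful of rules, each tagged with the PCI DSS requirement area it serves, and emits a PASS/FAIL evidence report. The resource field names, rule identifiers and requirement tags are illustrative assumptions, not any provider's API or an official PCI DSS mapping.

```python
"""Policy-as-code evaluation of cloud resource configurations.

Added example for this guide (not DivvyCloud's or any CSP's code). Resource
shapes, field names and the PCI DSS requirement tags on each rule are
illustrative assumptions; the inventory below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
import ipaddress
import json

Resource = Dict[str, object]


@dataclass
class Rule:
    rule_id: str
    requirement: str                 # PCI DSS requirement area served (illustrative tag)
    resource_types: Tuple[str, ...]  # inventory entry types this rule applies to
    check: Callable[[Resource], Optional[str]]  # returns a detail string on violation


@dataclass
class Finding:
    resource_id: str
    rule_id: str
    requirement: str
    detail: str


ADMIN_PORTS = {22, 3389}  # SSH and RDP


def _is_any_source(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule open to the whole internet."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def admin_ports_from_internet(r: Resource) -> Optional[str]:
    """Flag ingress rules exposing administrative ports to any source."""
    if r.get("direction") != "ingress" or not _is_any_source(str(r.get("source", ""))):
        return None
    ports = r.get("ports", [])
    exposed = ADMIN_PORTS if ports == "all" else ADMIN_PORTS & set(ports)
    return f"admin ports {sorted(exposed)} reachable from {r['source']}" if exposed else None


RULES: List[Rule] = [
    Rule("net-no-admin-ports-from-internet", "Req. 1 (network security controls)",
         ("firewall_rule",), admin_ports_from_internet),
    Rule("storage-not-public", "Req. 7 (restrict access by need to know)",
         ("storage_bucket",),
         lambda r: "bucket allows public access" if r.get("public_access") else None),
    Rule("db-no-public-endpoint", "Req. 1 (network security controls)",
         ("database",),
         lambda r: "database endpoint is publicly accessible" if r.get("publicly_accessible") else None),
    Rule("encryption-at-rest", "Req. 3 (protect stored cardholder data)",
         ("storage_bucket", "database"),
         lambda r: None if r.get("encryption_at_rest") else "encryption at rest is disabled"),
    Rule("access-logging-enabled", "Req. 10 (log and monitor access)",
         ("storage_bucket", "database"),
         lambda r: None if r.get("access_logging") else "access logging is disabled"),
]

# Constructed sample inventory, shaped like what a cloud API or IaC state might yield.
SAMPLE_INVENTORY: List[Resource] = [
    {"id": "fw-allow-ssh-any", "type": "firewall_rule", "direction": "ingress",
     "source": "0.0.0.0/0", "ports": [22]},
    {"id": "fw-allow-https-any", "type": "firewall_rule", "direction": "ingress",
     "source": "0.0.0.0/0", "ports": [443]},
    {"id": "fw-allow-all-internal", "type": "firewall_rule", "direction": "ingress",
     "source": "10.0.0.0/8", "ports": "all"},
    {"id": "bucket-receipts", "type": "storage_bucket", "public_access": True,
     "encryption_at_rest": True, "access_logging": False},
    {"id": "db-orders", "type": "database", "publicly_accessible": False,
     "encryption_at_rest": False, "access_logging": True},
]


def evaluate(inventory: List[Resource], rules: List[Rule] = RULES) -> List[Finding]:
    """Run every applicable rule over every resource; one Finding per violation."""
    findings = []
    for r in inventory:
        for rule in rules:
            if r["type"] in rule.resource_types:
                detail = rule.check(r)
                if detail:
                    findings.append(Finding(str(r["id"]), rule.rule_id, rule.requirement, detail))
    return findings


def compliance_report(inventory: List[Resource], rules: List[Rule] = RULES) -> dict:
    """Evidence record: per-rule PASS/FAIL plus the findings behind each FAIL."""
    findings = evaluate(inventory, rules)
    failing = {f.rule_id for f in findings}
    return {
        "resources_evaluated": len(inventory),
        "rules": {rule.rule_id: "FAIL" if rule.rule_id in failing else "PASS" for rule in rules},
        "findings": [vars(f) for f in findings],
    }


if __name__ == "__main__":
    print(json.dumps(compliance_report(SAMPLE_INVENTORY), indent=2))
```

Run against the sample inventory, the script flags the SSH rule open to the internet, the public bucket, the bucket without access logging and the unencrypted database, while the HTTPS rule and the internal-only rule pass. In a real deployment the inventory would be pulled from the provider's API or from infrastructure-as-code state on every change, and the report retained as the compliance evidence the guide says assessors will ask for.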
The CSPs all publish guides to the shared responsibility model specific to PCI DSS:
• Azure PCI DSS 3.2 Responsibility Matrix 2017
• PCI DSS Shared Responsibility of Google Cloud Platform
• Standardized Architecture for PCI DSS Compliance on AWS
Cloud Security Alliance Cloud Controls Matrix
Cloud Security Alliance Cloud Controls Matrix is the gold standard for cloud-native security assurance and compliance. Its recommendations are mapped to many other compliance standards, such as NIST, and can help companies meet their requirements under these regulations. The CSA CCM provides a controls framework with a detailed explanation of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 16 domains:
• Application & Interface Security (AIS)
• Audit Assurance & Compliance (AAC)
• Business Continuity Management & Operational Resilience (BCR)
• Change Control & Configuration Management (CCC)
• Data Security & Information Lifecycle Management (DSI)