How to Stay Secure as a Retailer Using Cloud to Revolutionize the Customer Experience
Retail organizations are experiencing a culture shift as they respond to consumer demand for improved experiences in the store and online. Building applications and migrating PCI-regulated workloads to Microsoft Azure and Google Cloud Platform (GCP), and in some cases Amazon Web Services (AWS), offers an attractive way to respond to competitive pressures, speed innovation, shorten time to market, and improve resilience. However, the self-service, dynamic nature of software-defined cloud infrastructure creates unique challenges for risk and compliance professionals in the retail industry.
Processes and tools that worked well in the traditional datacenter do not directly translate to the public cloud. Due to concerns over PCI DSS compliance and security, as well as the complexity involved in migrating legacy systems, retailers have traditionally taken a tentative approach to public cloud adoption. However, competitive pressures are driving retailers to jump into the proverbial deep end or risk being left behind and out of business.
In this new world, retailers need to go from 0 to 60 overnight without creating risk for themselves, their
customers, and other stakeholders. To take full advantage of the opportunities public cloud offers, they
must ensure that clear cloud governance standards are defined, that they have real-time automated
enforcement of security and governance, risk management and compliance (GRC) policies, and that they can
present evidence of compliance to assessors and auditors.
This is an achievable objective, and this guide explores the frameworks that retailers are leveraging to ensure strong governance in the cloud, a roadmap for continuous compliance in the cloud, and how DivvyCloud can help you achieve this goal.
Roadblocks to Innovation
While many retailers know they have to make changes, they are often risk-averse when it comes to implementing new technology (and for good reason). This cautious approach is driven by substantial regulatory requirements and the sensitive nature of consumer information. The risks are not imagined: the retail industry has been a giant bullseye for attackers. Importantly, the retail industry is heavily regulated via the Payment Card Industry Data Security Standard (PCI DSS) and, most recently, the General Data Protection Regulation (GDPR) set forth by the European Union. Retailers that do not comply with these regulations face substantial penalties: reputational damage, liability, and fines.
The challenge is this: how do these regulations translate to the public cloud? How do you map their directives onto a novel, and ever-expanding, set of cloud services, especially the software-defined configurations that so often result in a violation of policy? How do you do this while embracing self-service, from which the public cloud derives much of its flexibility and agility? How do you ensure continuous compliance in the dynamic and transient world of public cloud, on a constant and consistent basis?
In essence, how can today's retailer embrace the many benefits of the cloud without opening a Pandora's box of security and GRC risk?
The answer is that you can, provided you adopt cloud-native frameworks and employ automation to enforce these standards.
Cloud Native Frameworks
For retailers, we recommend three frameworks: the Payment Card Industry Data Security Standard (PCI DSS), the Cloud Security Alliance Cloud Controls Matrix (CSA CCM), and the CIS Benchmarks. Together these should form the foundation of cloud governance for every retailer. If you offer goods or services to, or monitor the behavior of, individuals in the European Union, then you will also need to comply with GDPR, regardless of where your business is established.
Let’s explore these foundational frameworks and the value they deliver:
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard is a proprietary information security standard administered by the PCI Security Standards Council. PCI DSS applies to all entities that store, process or transmit cardholder data or sensitive authentication data, including merchants, processors, acquirers, issuers, and service providers.
When payment card data is stored or processed by customers using Azure, GCP, or AWS, the requirements of PCI DSS apply. Importantly, PCI DSS compliance is a shared responsibility between the retailer and the cloud service provider (CSP). In other words, running in Azure, GCP, or AWS does not exempt the retailer from the responsibility of ensuring that its cardholder data is properly secured according to the applicable PCI DSS requirements.
The CSPs use a variety of technologies and processes to secure the information stored on their cloud services. However, all of the CSPs give customers a great deal of configuration control over the services they run on the CSP's infrastructure. It is the retailer's responsibility to comply with the requirements of PCI DSS that relate to configuration choices, operating system packages, and applications deployed by the retailer. Note also that a CSP's own PCI DSS Attestation of Compliance covers only the services listed in it, and only the provider's share of the controls; it is not evidence for the retailer's portion.
The CSPs all publish guides to the shared responsibility model specific to PCI DSS:
• Azure PCI DSS 3.2 Responsibility Matrix 2017
• PCI DSS Shared Responsibility of Google Cloud Platform
• Standardized Architecture for PCI DSS Compliance on AWS
Cloud Security Alliance Cloud Controls Matrix
The Cloud Security Alliance Cloud Controls Matrix is a widely adopted, cloud-native controls framework for security assurance and compliance. Each CCM control is mapped to the corresponding controls in other standards and regulations, such as NIST SP 800-53, ISO/IEC 27001 and PCI DSS, which helps companies demonstrate that they meet their obligations under those frameworks. The CCM provides a detailed explanation of security concepts and principles aligned to the Cloud Security Alliance guidance, organized into the 16 domains of CCM v3.0.1:
• Application & Interface Security (AIS)
• Audit Assurance & Compliance (AAC)
• Business Continuity Management & Operational Resilience (BCR)
• Change Control & Configuration Management (CCC)
• Data Security & Information Lifecycle Management (DSI)
• Datacenter Security (DCS)
• Encryption & Key Management (EKM)
• Governance & Risk Management (GRM)
• Human Resources (HRS)
• Identity & Access Management (IAM)
• Infrastructure & Virtualization Security (IVS)
• Interoperability & Portability (IPY)
• Mobile Security (MOS)
• Security Incident Management, E-Discovery, & Cloud Forensics (SEF)
• Supply Chain Management, Transparency, and Accountability (STA)
• Threat & Vulnerability Management (TVM)
As a framework, the CSA CCM provides organizations with the needed structure, detail, and clarity relating
to information security tailored to the cloud industry. The CSA CCM strengthens existing information
security control environments in many ways:
• It emphasizes business information security control requirements;
• It identifies and reduces recurring security threats and vulnerabilities in the cloud;
• It provides standardized security and operational risk management; and
• It seeks to normalize security expectations, cloud taxonomy and terminology, and security measures
implemented in the cloud.
As noted above, one reason the CCM is such a useful resource is that each control is mapped to the equivalent controls in other frameworks, so evidence that you satisfy one CCM control can be reused to demonstrate compliance with numerous related frameworks.
For example, control DSI-03 (E-commerce Transactions) in the Data Security & Information Lifecycle Management domain requires that data related to e-commerce that traverses public networks be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification, in such a manner as to prevent contract disputes and compromise of data. If an organization complies with DSI-03, there is a direct mapping to NIST SP 800-53, which addresses the same security requirements with controls including:
• AC-14: Permitting actions without identification or authentication
• AC-21: Information sharing
• AC-22: Publicly Accessible Content
• IA-8: Identification and Authentication (Non-organizational users)
• AU-10: Non-Repudiation
• SC-4: Information in shared resources
• SC-8: Transmission confidentiality and integrity
• SC-9: Transmission Confidentiality (withdrawn in NIST SP 800-53 Rev. 4 and folded into SC-8; it appears here because the CCM mapping targets Rev. 3)
Retailers should use CSA CCM because it is a well documented and very accessible framework that can be
communicated to customers and other stakeholders as the standard by which they can hold the retailer
accountable. There has also been movement within different industries, including banking, to select CSA
CCM as a commonly used standard among institutions.
Center for Internet Security (CIS) Benchmarks
CIS Benchmarks are secure configuration guidelines and settings created to help you secure specific platforms, including Azure, GCP, and AWS. They help retailers safeguard systems against today's evolving cyber threats and are endorsed by leading IT security vendors and governing bodies. They are prescriptive guidance that helps you establish a secure baseline configuration when operating in Azure, GCP, or AWS, and because each recommendation comes with an audit procedure, they lend themselves to automated checking.
In March 2018, Microsoft and CIS published the CIS Microsoft Azure Foundations Benchmark, which provides prescriptive guidance for securely configuring the foundational Azure services.
In September 2018, CIS published a new benchmark for securing cloud workloads on Google Cloud Platform (GCP). This benchmark contains dozens of security recommendations across Identity & Access Management, Logging/Monitoring, Networking, Storage, Compute and Kubernetes.
In December 2017, CIS published an updated CIS Amazon Web Services Foundations Benchmark, which provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture-agnostic settings.
It is important to note that the CIS Benchmark for each cloud service provider covers a base set of cloud services and does not address the complete and ever-expanding catalog of services each provider offers. It is therefore essential for each retailer to do the legwork of extending the principles established in the CIS Benchmark to a broader set of services, or to leverage third-party software like DivvyCloud that provides out-of-the-box compliance checks.
Developing a Roadmap for Security and Compliance
There are three keys to building a roadmap for security and compliance: culture, frameworks, and systems.
Combining these three keys enables you to build cloud operations maturity through automation.
First, we must reject the "command and control" approach that worked in the traditional datacenter and embrace a "trust but verify" approach that supports the innovation driven by self-service access to the public cloud.
Second, incorporate PCI DSS, CSA CCM, and CIS Benchmarks (and GDPR as necessary) as the foundation of
your cloud security and GRC strategy.
Third, identify and implement the systems that are cloud-native and help you address the unique challenges
of the public cloud through automation. Fortunately for retailers, there are ready-made solutions available
that help you achieve continuous security, compliance, and governance while embracing the dynamic,
software-defined, self-service nature of public cloud and container infrastructure.
Embracing Cloud Automation
DivvyCloud is a leader in this space. DivvyCloud helps retailers like Kroger and Pizza Hut to improve
security, take control, and minimize risk as they embrace the dynamic self-service nature of public cloud and
container infrastructure. DivvyCloud enables these industry leaders to take full advantage of agility and
speed of cloud and container technology while strengthening their security and compliance posture.
DivvyCloud performs real-time, continuous discovery and monitoring of resources in Microsoft Azure,
Google Cloud Platform, Amazon Web Services, Alibaba Cloud, and Kubernetes. This data is distilled into
actionable insights and presented through a single-pane-of-glass console that provides an assessment of
your holistic security and compliance posture.
DivvyCloud offers more than 200 out-of-the-box policies that map to best practices and standards including
PCI DSS, CSA CCM, CIS, GDPR, SOC 2, NIST CSF, NIST 800-53, ISO 27001, FedRAMP CCM, and HIPAA.
Customers enable and customize these out-of-the-box policies, or configure custom policy guardrails, called
“Insights.”
Once Insights are enabled, policy violations are flagged in real time, and customers can automate remediation with out-of-the-box or custom workflows ("Bots") that integrate with third-party systems like Splunk and ServiceNow. Importantly, Bots can take action inside connected cloud and container environments. These Bots are fully configurable and can invoke the lifecycle actions supported by the resource in violation. For example, when remediating a compute instance in violation of policy, the workflow may Modify Security Groups, Disassociate Public IP, or Terminate Instance, and the action chosen should be proportionate to the severity of the finding.
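As an added example (not DivvyCloud's code, and not taken from any CIS Benchmark audit script), the following illustrates both points made above: turning a CIS-style recommendation into a check that can be extended to other resource types, and pairing that check with an automated remediation that escalates with severity. The policy is the CIS AWS Foundations rule that no security group may allow ingress from 0.0.0.0/0 or ::/0 to ports 22 or 3389. The inventory is constructed for the example and merely resembles EC2 DescribeSecurityGroups / DescribeInstances output; the "Bot" edits it in memory (a dry run) where a real one would call the provider's revoke-ingress and disassociate-address APIs, which is assumed rather than shown.

```python
"""Policy-as-code guardrail in the style of a DivvyCloud Insight plus Bot.
Added example, not DivvyCloud's code. The inventory is constructed to resemble
EC2 DescribeSecurityGroups / DescribeInstances output; the Bot edits it in
memory (a dry run) where a real one would call the cloud provider's API."""
import copy
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}       # SSH and RDP (CIS AWS Foundations 4.1 / 4.2)
WORLD = {"0.0.0.0/0", "::/0"}  # "anywhere" ranges, IPv4 and IPv6

# Constructed sample data, not real resources.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-bastion", "IpPermissions": [   # internal range mixed with a world-open one
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": []}]},
    {"GroupId": "sg-legacy", "IpPermissions": [    # all protocols and ports from anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]
INSTANCES = [
    {"InstanceId": "i-web1", "PublicIpAddress": "203.0.113.10", "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-bastion", "PublicIpAddress": "203.0.113.11", "SecurityGroups": [{"GroupId": "sg-bastion"}]},
    {"InstanceId": "i-pos-batch", "PublicIpAddress": "203.0.113.12", "SecurityGroups": [{"GroupId": "sg-legacy"}]},
]

@dataclass
class Violation:
    group_id: str
    port: int
    cidr: str
    severity: str       # "high" for all-traffic rules, otherwise "medium"
    instance_ids: list  # instances that inherit the exposure

def exposed_admin_ports(rule):
    """Admin ports an ingress permission covers; protocol -1 means every port."""
    if rule["IpProtocol"] == "-1":
        return set(ADMIN_PORTS)
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in ADMIN_PORTS if lo <= p <= hi}

def world_ranges(rule):
    """World-open CIDRs in a permission, IPv4 first, then IPv6."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]

def evaluate(groups, instances):
    """The Insight: one Violation per (group, admin port, world range)."""
    attached = {}
    for inst in instances:
        for g in inst["SecurityGroups"]:
            attached.setdefault(g["GroupId"], []).append(inst["InstanceId"])
    found = []
    for sg in groups:
        for rule in sg["IpPermissions"]:
            severity = "high" if rule["IpProtocol"] == "-1" else "medium"
            for cidr in world_ranges(rule):
                for port in sorted(exposed_admin_ports(rule)):
                    found.append(Violation(sg["GroupId"], port, cidr, severity,
                                           attached.get(sg["GroupId"], [])))
    return found

def remediate(groups, instances, violations):
    """The Bot: revoke world-open ranges from rules that expose admin ports
    (other rules, e.g. 443 from anywhere, are left alone); when the exposure
    was all-traffic, also disassociate the public IP of attached instances.
    Mutates the inventory in place and returns the actions taken, in order."""
    bad = {v.group_id for v in violations}
    high = {v.group_id for v in violations if v.severity == "high"}
    actions = []
    for sg in groups:
        if sg["GroupId"] not in bad:
            continue
        for rule in sg["IpPermissions"]:
            if not exposed_admin_ports(rule):
                continue
            v4 = [r for r in rule.get("IpRanges", []) if r["CidrIp"] not in WORLD]
            v6 = [r for r in rule.get("Ipv6Ranges", []) if r["CidrIpv6"] not in WORLD]
            removed = len(rule.get("IpRanges", [])) + len(rule.get("Ipv6Ranges", [])) - len(v4) - len(v6)
            rule["IpRanges"], rule["Ipv6Ranges"] = v4, v6
            if removed:
                actions.append(f"ModifySecurityGroup {sg['GroupId']}: revoked {removed} world-open range(s)")
        if sg["GroupId"] in high:
            for inst in instances:
                if inst.get("PublicIpAddress") and sg["GroupId"] in {g["GroupId"] for g in inst["SecurityGroups"]}:
                    inst["PublicIpAddress"] = None
                    actions.append(f"DisassociatePublicIp {inst['InstanceId']}")
    return actions

def run_guardrail(groups=SECURITY_GROUPS, instances=INSTANCES):
    """Detect, remediate on a copy, then re-check. Returns (before, actions, after)."""
    groups, instances = copy.deepcopy(groups), copy.deepcopy(instances)
    before = evaluate(groups, instances)
    actions = remediate(groups, instances, before)
    return before, actions, evaluate(groups, instances)

if __name__ == "__main__":
    before, actions, after = run_guardrail()
    for v in before:
        print(f"[{v.severity}] {v.group_id}: port {v.port} open from {v.cidr} -> {v.instance_ids}")
    print(*actions, f"violations after remediation: {len(after)}", sep="\n")
```

Two design choices are worth noting. The check reports one finding per exposed port and range rather than one per group, so the evidence trail matches the way an assessor reads a CIS recommendation, and the bastion's legitimate 10.0.0.0/8 entry survives remediation because only the world-open ranges are revoked. The public-IP disassociation is reserved for the all-traffic case, where the group offers no hint of what the instance legitimately needs; terminating the instance, the most disruptive action the page lists, is deliberately not automated here.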
DivvyCloud is designed for security, GRC, and operations professionals who want to identify risks in
real-time and take automatic, user-defined action to fix problems before they’re exploited.
Next Steps
It is not a matter of if a misconfiguration will occur, but a question of when it will happen and how quickly it will be discovered and exploited. Attackers are becoming more sophisticated at finding and exploiting public cloud infrastructure (and this includes IaaS, serverless and containers). Without standards and automation in place, a retailer is a proverbial sitting duck. However, with the right standards and tools in place
retailers have the opportunity to drive innovation and profitability while minimizing the increased risk of
public cloud adoption. Every retailer running in AWS, Azure, or GCP needs to utilize cloud-native frame-
works like CSA CCM and CIS, and employ automation to identify and remediate misconfigurations that
violate policy in real-time.
As retailers move to embrace public cloud, they must ensure that security and GRC are at the foundation of
all decisions. Regulatory compliance and managing cyber risk do not need to be the enemy of innovation. A
combination of culture change, adoption of cloud-native frameworks, and the use of tools like DivvyCloud
can help retailers advance innovation while protecting them against risk and ensuring that compliance
standards are being met.
DivvyCloud: Guardrails for Your Cloud Infrastructure
DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and
governance to customers embracing the dynamic, self-service nature of public cloud, and container infrastructure.
Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve
continuous security governance in cloud and container environments (Azure, GCP, AWS, Alibaba, and Kubernetes).
First, our software performs real-time, continuous discovery of infrastructure resources allowing customers to
identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails
that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.