Putting Data at the Heart of Retail Security

According to the
‘Breach Level Index’
data published by SafeNet, more than 375m customer records were stolen or lost in the first half of 2014. The retail industry had more data records compromised than any other industry during the second quarter, with more than 145m records stolen or lost, or 83% of all data records breached. Whether it be high-profile and high-volume attacks against store chains such as Target and Neiman Marcus or Adobe, the past year made it clear that the industry has reached an unprecedented level of crisis when it comes to data security.

Figure 1: Top Five Retail Breaches to Date in 2014

SafeNet Retail security fig 1

Source: SafeNet

The rotating door of data breaches within companies is proof that security is anything but simple. Not only do organisations understand the potential harm of a breach to their own business, but they invest heavily in security mechanisms to prevent breaches from happening. However, with an estimated 110m customer records stolen in one breach alone, the security strategy that organisations are following is clearly ineffective.

The current security framework has been built using security controls that guard specific systems against specific threats. However, quite simply, this framework is no longer sustainable. The proliferation of mobile devices, the cloud and virtualisation, means people are accessing more and more enterprise data and applications from multiple locations – challenging the traditional approach of perimeter security that chief information officers (CIOs) have come to rely on within their own networks.

Furthermore, the very nature of this fractured, knitted framework is failing to deliver the integrated, comprehensive approach needed to protect information across its lifecycle. But how and why is data theft on the rise? Which information is most vulnerable? And what steps can businesses take to ensure that their data remains protected?

Figure 2: Number of Data Records Stolen in Retail Industry:

SafeNet Retail security fig 2

Source: SafeNet

Understanding the Vulnerabilities

In order to protect data in the best way possible, businesses must first understand the vulnerabilities. Of all reported fraud, electronic information theft is one of the most common. However, threats to data are not limited to fraud, theft and harm arising from breaches of privacy, but include the risks to data integrity and its serious consequences.

One specific vulnerability is the gap between compliance and security. Retailers in particular are subject to a myriad of compliance requirements around how to handle customer data and process transactions. The most significant of these is the Payment Card Industry Data Security Standard (PCI DSS). However, while the PCI DSS provides a set of 12 requirements for security covering areas including the construction and maintenance of secure networks, the protection of cardholder data and guidelines for stronger access controls, it fails to address some key areas of vulnerability in the payment ecosystem, and these have been exploited with disastrous consequences.

Figure 3: Customer Loyalty and Retail Data Breaches

SafeNet Retail security fig 3

Source: SafeNet

Much has been written about encryption as a solution to attacks such as those launched against Target and Neiman Marcus. Usually when encryption is discussed, it is related to a specific point of vulnerability that was exploited in the attack. However the reality is that a successful transaction relies on a complicated ecosystem with many potential points of vulnerability. This ecosystem is only as strong as its weakest link and involves several parties, including the merchant, acquirer, switch and bank or card issuers.

The internet is also a major point of vulnerability. Today, just about every business has an electronic commerce (e-commerce) site, with a company’s website integral to the businesses success or failure. Securely capturing and processing consumer data via the web poses different, but equally challenging issues.

For example, in the case of e-commerce, businesses lose control of a large portion of the transaction interaction with the customer. Customers visit the website from different devices, operating systems and browsers, yet the company needs a way to protect their customers’ data from the earliest possible moment. This can be achieved by creating an encrypted tunnel, or session, between the consumer’s device and the business’ e-commerce system.

Many retailers today depend on what’s called the secure socket layer (SSL) to provide this tunnel of encryption. SSL is a security protocol that enables two computers to establish a secure, encrypted communication session to allow private information to be transmitted across open networks such as the Internet.

Figure 4: Percentage of Customers who Believe Companies take Protection and Security of Customer Data Seriously Enough:

SafeNet Retail security fig 4

Source: SafeNet

Changing a Mind-set: Adopting a ‘Secure Breach’ Approach

It’s clear that encryption has a vital role to play in ensuring that sensitive data remains protected.

To combat the threats of the future and guarantee the protection of data as it is actually used, organisations must move to a framework that is centred on the data itself. This means adopting a ‘secure breach’ approach to data protection, which focuses protecting sensitive data wherever it exists and limiting access to this data even when it lives in an uncontrolled, untrusted environment.

Today, there is really no way to prevent data breaches without end-to-end encryption. Rather than focusing of specific points of vulnerabilities, this means securing the data throughout its whole lifecycle – from the earliest possible moment of its capture ensuring that data remains in an encrypted state consistently until it arrives at the payment gateway.

With a data-centric approach built around this information lifecycle model, organisations can build systems to better protect data, gain enhanced visibility and control, and realise significant improvements in efficiency and economies of scale. In addition, even if an external attacker bypasses perimeter defences, or an unauthorised internal user looks to leak or steal data, encryption ensures that sensitive assets can remain protected.

Pay Attention to Detail

While encryption plays a major role, it is important to note that it is only part of the solution. Encryption keys, regardless of which technology creates them, must themselves be preserved in a secure and highly reliable manner. Yet, surprisingly, one of the most common mistakes that organisations make is not storing the encryption key separately but where the data resides, thus exposing sensitive information to significant risk.

For instance, when keys are stored in servers, they are susceptible to compromise and loss, which exposes sensitive encrypted data to those same risks. To address these gaps, organisations will increasingly need to leverage purpose-built key management platforms that offer robust security and availability. These purpose-built platforms allow users to store and manage keys in hardware, where they are more protected and controlled. However, currently many organisations store at least some encryption keys in software – the IT equivalent of leaving house keys under the front door mat.

If cybercriminals can access the data, then they can surely get hold of the keys given that they have the same level of protection. Therefore, only those companies that encrypt all valuable data and apply tamper-proof and robust controls to the management of the security keys, can be safe in the knowledge that their data is protected, whether or not a security breach occurs.

For organisations, this means investing in a standards-based enterprise key management platform or strategy that can be used to control keys over their entire life cycle is essential. This strategy should include specific methods of limiting access to keys, defining how those keys are issued and distributed, and providing protections for the keys as they are stored. Without these considerations, keys could be copied, modified or even impersonated by a skilled hacker, who then may be able to access cardholder data.

Focusing on What Matters Most: the Data

In many organisations, today’s security deployments are fragmented, fractured and inefficient. However, long term security – as well as business success – will hinge on an organisation’s ability to more comprehensively and strategically manage its security efforts.

With hacking attempts becoming almost a daily occurrence, it’s clear that being breached is not a question of ‘if’ but ‘when’, so best practice data protection is vital. With businesses now struggling to manage a high volume of data from multiple devices and locations, many are responding by moving this data to the cloud. This, in turn, will undoubtedly improve security, making the data easier to manage and enabling businesses to move security controls closer to the data, such as authentication and encryption for data both at rest and in transit.

Only by adopting a data-centric approach that leverages that cloud to secure sensitive information across its entire lifecycle, can companies be safe in the knowledge that their data is protected, whether or not a security breach occurs.

Figure 5: Retail Statistics:

SafeNet Retail security fig 5

Source: SafeNet

Companies concerned that the might have suffered a data breach can assess it using SafeNet’s Breach Level Index at http://www.breachlevelindex.com/


Related reading