
DivvyCloud - Retail Guide

How to Stay Secure as a Retailer Using Cloud to Revolutionize the Customer Experience

Retail organizations are experiencing a culture shift as they respond to consumer demand for improved experiences in the store and online. Building applications and migrating PCI-regulated workloads to Microsoft Azure and Google Cloud Platform (GCP), and sometimes even Amazon Web Services (AWS), offers an attractive way to respond to competitive pressures, speed innovation, time to market, and resilience. However, the self-service, dynamic nature of software-defined cloud infrastructure creates unique challenges for risk and compliance professionals in the retail industry.

Processes and tools that worked well in the traditional datacenter do not directly translate to the public cloud. Due to concerns over PCI-DSS compliance and security, as well as the complexity involved in migrating legacy systems, retailers have traditionally taken a tentative approach to public cloud adoption. However, competitive pressures are driving retailers to jump into the proverbial deep end or risk being left behind and out of business.

In this new world, retailers need to go from 0 to 60 overnight, and without creating risk for themselves, their customers, and other stakeholders. To take full advantage of the opportunities public cloud offers, they must ensure that clear cloud governance standards are defined, that they have real-time automated enforcement of security and governance, risk management and compliance (GRC) policies, and that they can present evidence of compliance to assessors and auditors.

This is an achievable objective, and this guide explores the frameworks that retailers are leveraging to ensure strong governance in the cloud, a roadmap for continuous compliance in the cloud, and how DivvyCloud can help you achieve this goal.

Roadblocks to Innovation

While many retailers know they have to make changes, they are often risk-averse when it comes to implementing new technology (and for a good reason). This cautious approach is driven by substantial regulatory requirements and the sensitive nature of consumer information. The risks are not imagined, as the retail industry has been a giant bullseye for hackers. Importantly, the retail industry is heavily regulated via the Payment Card Industry Data Security Standard (PCI DSS) and most recently the General Data Protection Regulation (GDPR) set forth by the European Union. Retailers that don’t comply with these regulations face substantial penalties in both brand reputation, liability, and fines.


The challenge is: how do these regulations translate to the public cloud? How do you map directives back to a novel, and ever-expanding, set of cloud services, especially relative to the set of software-defined configurations that often result in a violation of policy? How do you do this while embracing self-service, from which the public cloud derives much of its flexibility and agility? How do you ensure continuous compliance in the dynamic and transient world of public cloud, and do so on a constant and consistent basis?

In essence, how can today’s retailer embrace all the many benefits of the cloud without opening up a Pandora’s box of risk relative to security and GRC?

The answer is that you can, if you utilize cloud-native frameworks and employ automation to enforce these standards.

Cloud Native Frameworks

For retailers, we recommend three frameworks: Payment Card Industry Data Security Standard (PCI DSS), Cloud Security Alliance Cloud Controls Matrix (CSA CCM), and CIS Benchmarks. These are the foundational frameworks that should form the basis of cloud governance for every retailer. If you offer goods or services to, or monitor the behavior of, European Union citizens, then you will also need to comply with GDPR.

Let’s explore these foundational frameworks and the value they deliver:

Payment Card Industry Data Security Standard

The Payment Card Industry Data Security Standard is a proprietary information security standard administered by the PCI Security Standards Council. PCI DSS applies to all entities that store, process or transmit cardholder data or sensitive authentication data, including merchants, processors, acquirers, issuers, and service providers.

When payment card data is stored or processed by customers using Azure, GCP, or AWS, the requirements of PCI DSS will apply. Importantly, PCI DSS compliance is a shared responsibility between the retailer and the cloud service provider (CSP). In other words, running in Azure, GCP, or AWS does not exempt the retailer from the responsibility of ensuring that their cardholder data is properly secured according to applicable PCI DSS requirements.

The CSPs use a variety of technologies and processes to secure information stored on their cloud solutions and services. However, all the CSPs offer customers a great deal of configuration control over their services running on the CSP’s infrastructure. It is the retailer’s responsibility to comply with the requirements of PCI DSS that relate to configuration choices, operating system packages, and applications deployed by the retailer.


The CSPs all publish guides to the shared responsibility model specific to PCI DSS:

• Azure PCI DSS 3.2 Responsibility Matrix 2017

• PCI DSS Shared Responsibility of Google Cloud Platform

• Standardized Architecture for PCI DSS Compliance on AWS

Cloud Security Alliance Cloud Controls Matrix

Cloud Security Alliance Cloud Controls Matrix is the gold standard for cloud-native security assurance and compliance. It provides a cloud-native controls framework with a detailed explanation of security concepts and principles, aligned to the Cloud Security Alliance guidance in 16 domains. The CSA CCM recommendations are mapped to many other compliance standards, such as NIST, and can help companies meet their requirements under these regulations. The 16 domains are:

• Application & Interface Security (AIS)

• Audit Assurance & Compliance (AAC)

• Business Continuity Management & Operational Resilience (BCR)

• Change Control & Configuration Management (CCC)

• Data Security & Information Lifecycle Management (DSI)

• Datacenter Security (DCS)

• Encryption & Key Management (EKM)

• Governance & Risk Management (GRM)

• Human Resources (HRS)

• Identity & Access Management (IAM)

• Infrastructure & Virtualization Security (IVS)

• Interoperability & Portability (IPY)

• Mobile Security (MOS)

• Security Incident Management, E-Discovery, & Cloud Forensics (SEF)

• Supply Chain Management, Transparency, and Accountability (STA)

• Threat & Vulnerability Management

As a framework, the CSA CCM provides organizations with the needed structure, detail, and clarity relating to information security tailored to the cloud industry. The CSA CCM strengthens existing information security control environments in many ways:

• It emphasizes business information security control requirements;

• It reduces and identifies consistent security threats and vulnerabilities in the cloud;

• It provides standardized security and operational risk management; and

• It seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.


As discussed above, one reason it is such a powerful resource is that if you are compliant in one area, it can provide validation that you are compliant with numerous related frameworks.

For example, control DSI-03 (E-commerce Transactions) under the CCM domain Data Security & Information Lifecycle Management requires data related to e-commerce that traverses public networks to be appropriately classified and protected from fraudulent activity, unauthorized disclosure, or modification in such a manner as to prevent contract dispute and compromise of data. If an organization is in compliance with DSI-03, there is a direct correlation with NIST 800-53, which addresses these same security requirements with controls including:

• AC-14: Permitting actions without identification or authentication

• AC-21: Information sharing

• AC-22: Publicly Accessible Content

• IA-8: Identification and Authentication (Non-organizational users)

• AU-10: Non-Repudiation

• SC-4: Information in shared resources

• SC-8: Transmission confidentiality and integrity

• SC-9: Transmission confidentiality

Retailers should use CSA CCM because it is a well-documented and very accessible framework that can be communicated to customers and other stakeholders as the standard by which they can hold the retailer accountable. There has also been movement within different industries, including banking, to select CSA CCM as a commonly used standard among institutions.

Center for Internet Security (CIS) Benchmarks

CIS Benchmarks are secure configuration guidelines and settings created to help you secure specific platforms, including Azure, GCP, and AWS. These benchmarks help retailers safeguard systems against today’s evolving cyber threats and are endorsed by leading IT security vendors and governing bodies. They are prescriptive guidance that helps you create a secure baseline configuration when operating in Azure, GCP, or AWS.

In March 2018, Microsoft published the CIS Microsoft Azure Foundations Security Benchmark, which is the recognized industry standard for securely configuring traditional IT components.

In September 2018, CIS published a new benchmark for securing cloud workloads on Google Cloud Platform (GCP). This benchmark contains dozens of security recommendations across Identity & Access Management, Logging/Monitoring, Networking, Storage, Compute and Kubernetes.

In December 2017, CIS published the AWS CIS Foundations Benchmark, which provides prescriptive guidance for configuring security options for a subset of Amazon Web Services with an emphasis on foundational, testable, and architecture-agnostic settings.


It is important to note that the CIS Benchmarks for each of the cloud service providers cover a base set of cloud services and do not guide the complete and ever-expanding collection of services offered by each provider. Therefore, it is essential for each institution to perform the legwork to expand the principles established in the CIS Benchmark to a broader set of services, or to leverage third-party software like DivvyCloud that provides out-of-the-box compliance capabilities.

Developing a Roadmap for Security and Compliance

There are three keys to building a roadmap for security and compliance: culture, frameworks, and systems. Combining these three keys enables you to build cloud operations maturity through automation.

First, we must reject the “command and control” approach that was successful in the traditional datacenter world and embrace the new “trust but verify” approach that supports innovation derived from self-service access to the public cloud.

Second, incorporate PCI DSS, CSA CCM, and CIS Benchmarks (and GDPR as necessary) as the foundation of your cloud security and GRC strategy.

Third, identify and implement the systems that are cloud-native and help you address the unique challenges of the public cloud through automation. Fortunately for retailers, there are ready-made solutions available that help you achieve continuous security, compliance, and governance while embracing the dynamic, software-defined, self-service nature of public cloud and container infrastructure.

Embracing Cloud Automation

DivvyCloud is a leader in this space. DivvyCloud helps retailers like Kroger and Pizza Hut to improve security, take control, and minimize risk as they embrace the dynamic self-service nature of public cloud and container infrastructure. DivvyCloud enables these industry leaders to take full advantage of the agility and speed of cloud and container technology while strengthening their security and compliance posture.

DivvyCloud performs real-time, continuous discovery and monitoring of resources in Microsoft Azure, Google Cloud Platform, Amazon Web Services, Alibaba Cloud, and Kubernetes. This data is distilled into actionable insights and presented through a single-pane-of-glass console that provides an assessment of your holistic security and compliance posture.

DivvyCloud offers more than 200 out-of-the-box policies that map to best practices and standards including PCI DSS, CSA CCM, CIS, GDPR, SOC 2, NIST CSF, NIST 800-53, ISO 27001, FedRAMP CCM, and HIPAA. Customers enable and customize these out-of-the-box policies, or configure custom policy guardrails, called “Insights.”


Once Insights are enabled, policy violations are flagged in real time, and customers can automate remediation with out-of-the-box, or custom, workflows (“Bots”) that integrate with third-party systems like Splunk and ServiceNow. Importantly, Bots can take action inside connected cloud and container environments. These Bots are fully configurable and can incorporate the lifecycle actions supported by the resource in violation. For example, the workflow may Modify Security Groups, Disassociate Public IP, or Terminate Instance when remediating a compute instance in violation of policy.
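The Insight-then-Bot pattern just described (evaluate a policy against the live inventory, pair each violation with a remediation, apply it, and re-check) is easy to reason about in code. The following is an added illustration written for this guide; it is not DivvyCloud’s software or API. The inventory, the two policies, the tag name `pci-scope` and the action names are all constructed for the example. The first policy is the kind of check the CIS Foundations benchmarks describe (no security group admitting SSH or RDP from the whole internet); the second applies the page’s “Disassociate Public IP” remediation to hosts tagged as in the cardholder data environment.

```python
"""Policy guardrails with automated remediation (added example, not DivvyCloud code).

Models the Insight/Bot pattern: each policy scans an in-memory cloud inventory
and returns violations, each violation names the Bot action that fixes it, and
remediate() applies those actions (or just reports them in dry-run mode).
All resources, tags and action names below are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

ANY_IPV4 = "0.0.0.0/0"
ADMIN_PORTS = (22, 3389)  # SSH and RDP


@dataclass
class SecurityGroup:
    sg_id: str
    # each ingress rule: (protocol, from_port, to_port, source_cidr)
    ingress: list[tuple[str, int, int, str]] = field(default_factory=list)


@dataclass
class Instance:
    instance_id: str
    security_groups: list[str]
    public_ip: Optional[str] = None
    tags: dict[str, str] = field(default_factory=dict)


@dataclass
class Inventory:
    security_groups: dict[str, SecurityGroup]
    instances: dict[str, Instance]


@dataclass(frozen=True)
class Violation:
    policy: str
    resource_id: str
    remediation: str  # name of the Bot action that fixes it


def _world_reachable_admin_rule(rule: tuple[str, int, int, str]) -> bool:
    """True if a TCP rule admits an admin port from 0.0.0.0/0."""
    proto, lo, hi, cidr = rule
    return cidr == ANY_IPV4 and proto == "tcp" and any(lo <= p <= hi for p in ADMIN_PORTS)


# --- Insights: each returns the violations it finds in the inventory -------------

def open_admin_ports(inv: Inventory) -> list[Violation]:
    """Flag security groups that admit SSH/RDP from the whole internet."""
    return [
        Violation("open-admin-port", sg.sg_id, "modify_security_group")
        for sg in inv.security_groups.values()
        if any(_world_reachable_admin_rule(r) for r in sg.ingress)
    ]


def cde_instance_public_ip(inv: Inventory) -> list[Violation]:
    """Flag instances tagged as cardholder-data-environment that hold a public IP."""
    return [
        Violation("cde-public-ip", i.instance_id, "disassociate_public_ip")
        for i in inv.instances.values()
        if i.tags.get("pci-scope") == "cde" and i.public_ip
    ]


POLICIES = [open_admin_ports, cde_instance_public_ip]


# --- Bot actions: change the inventory the way a remediation workflow would -----

def modify_security_group(inv: Inventory, sg_id: str) -> None:
    """Drop only the offending world-open admin rules; keep internal ones."""
    sg = inv.security_groups[sg_id]
    sg.ingress = [r for r in sg.ingress if not _world_reachable_admin_rule(r)]


def disassociate_public_ip(inv: Inventory, instance_id: str) -> None:
    inv.instances[instance_id].public_ip = None


ACTIONS: dict[str, Callable[[Inventory, str], None]] = {
    "modify_security_group": modify_security_group,
    "disassociate_public_ip": disassociate_public_ip,
}


def evaluate(inv: Inventory) -> list[Violation]:
    """Run every Insight and collect the violations."""
    return [v for policy in POLICIES for v in policy(inv)]


def remediate(inv: Inventory, dry_run: bool = False) -> list[Violation]:
    """Apply the matching Bot action to each violation; return what was handled."""
    handled = evaluate(inv)
    if not dry_run:
        for v in handled:
            ACTIONS[v.remediation](inv, v.resource_id)
    return handled


def sample_inventory() -> Inventory:
    """Constructed sample data: one bad group, one exposed CDE host, one clean host."""
    return Inventory(
        security_groups={
            "sg-web": SecurityGroup("sg-web", [("tcp", 443, 443, ANY_IPV4)]),
            "sg-admin": SecurityGroup("sg-admin", [("tcp", 22, 22, ANY_IPV4),
                                                   ("tcp", 22, 22, "10.0.0.0/8")]),
        },
        instances={
            "i-pos-db": Instance("i-pos-db", ["sg-admin"], public_ip="203.0.113.10",
                                 tags={"pci-scope": "cde"}),
            "i-www": Instance("i-www", ["sg-web"], public_ip="203.0.113.11",
                              tags={"pci-scope": "out-of-scope"}),
        },
    )


if __name__ == "__main__":
    inv = sample_inventory()
    for v in remediate(inv):
        print(f"{v.policy}: {v.resource_id} -> {v.remediation}")
    print("remaining violations:", len(evaluate(inv)))
```

Two design points carry over to a real deployment. The remediation removes only the rule that caused the violation rather than the whole security group, so the internal 10.0.0.0/8 SSH rule survives; and `dry_run=True` gives the review-before-enforce mode an assessor will want to see evidence of before Bots are allowed to act on production resources.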

DivvyCloud is designed for security, GRC, and operations professionals who want to identify risks in real time and take automatic, user-defined action to fix problems before they’re exploited.

Next Steps

It is not a matter of if a misconfiguration will occur, but a question of when it will happen and how quickly it will be discovered and exploited. Attackers are becoming more sophisticated at finding and exploiting public cloud infrastructure (and this includes IaaS, serverless and containers). Without standards and automation in place, a retailer is a proverbial sitting duck. However, with the right standards and tools in place, retailers have the opportunity to drive innovation and profitability while minimizing the increased risk of public cloud adoption. Every retailer running in AWS, Azure, or GCP needs to utilize cloud-native frameworks like CSA CCM and CIS, and employ automation to identify and remediate misconfigurations that violate policy in real time.

As retailers move to embrace public cloud, they must ensure that security and GRC are at the foundation of all decisions. Regulatory compliance and managing cyber risk do not need to be the enemy of innovation. A combination of culture change, adoption of cloud-native frameworks, and the use of tools like DivvyCloud can help retailers advance innovation while protecting them against risk and ensuring that compliance standards are being met.

DivvyCloud: Guardrails for Your Cloud Infrastructure

DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (Azure, GCP, AWS, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources, allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.
