Cybersecurity in Retail Podcast: Retail in the cloud – is it safe out there?

Exploring the challenges to cloud adoption in the retail industry

In the second episode of our Cybersecurity Podcast series, cybersecurity experts Peter Hansen and Lee Newcombe discuss the challenges to cloud adoption in the retail industry. The pair discuss public and private cloud: what the differences are, the pros and cons of each, and how to choose between the two. What are the most common challenges to cloud adoption? How can you embed security into the development lifecycle? What is shadow IT? Listen to the podcast for answers to these and other questions.

Transcript

Peter Hansen:

Welcome to the second episode of the Capgemini Cybersecurity Podcast Series. Here we are discussing security aspects in regards to the retail industry. In Episode 1, we touched on the threat intelligence aspects of the retail industry and how technical vulnerabilities are only part of the threat basket. I’m your host, Peter Hansen, and today we’re focusing more specifically on the security aspects in regard to usage of cloud provider platforms and services when you’re a retail company. So, with me from the UK is, once again, Lee. Hi Lee.

Lee Newcombe:

Hi, Peter. Good to be back.

Peter Hansen:

Good to have you back. So, to start with, any fun facts to share?

Lee Newcombe:

Well, I think this one is quite good fun. So, the Amazon EC2 service was launched as a beta back in August 2006. We’re now in 2019, so this means that the public AWS cloud is about to enter its teenage years. What could possibly go wrong?

Peter Hansen:

Teenage is always a fun time.

Lee Newcombe:

Yeah.

Peter Hansen:

So, talking about cloud… A cloud droplet… Now, we’re talking about real clouds… Is actually just 0.02 millimeter in diameter.

Lee Newcombe:

Wow. You need a lot of those to make a decent cloud.

Peter Hansen:

Yeah. So, start talking about the clouds we are supposed to talk about. So, I actually would like to start on the definition of public cloud. So, a misinterpretation is very often that the public means that everything you put there is indeed public, as in, available for everyone. Is that the case?

Lee Newcombe:

No, not at all. I mean, I’m a great fan of the NIST cloud definitions, NIST being the National Institute of Standards and Technology over in the States. And they’ve got a set of definitions for the different cloud-service models and the different cloud-deployment models. So, if we’re talking about the public cloud, it just means that the services on offer are publicly available to individuals, businesses, charities, government, whomever it may be. But it is up to the cloud consumer to then secure the information services that they host on such public cloud services. And, it’s very much up to the consumer not to break some of the secure-by-default settings that the providers will typically offer. And, that is a not-so-subtle hint at [inaudible] users to not open up their storage buckets to the Internet unless they’re being used to host their static website.

Peter Hansen:

So, a lot of companies actually, especially in Europe, I believe, are sort of using the term public… using the term for the big three players, which would be Amazon, Microsoft, and Google. To use the term public, and to say that they are indeed available very easily, has a disadvantage. So, would you say that actually is the case?

Lee Newcombe:

No, I don’t think you could say that’s an advantage or a disadvantage. I mean, one of the reasons behind the massive uptake of cloud is always because it was so easy to access. So, you just need your internet connection and a credit card, and away you go. You can sign up to the services. That can be an issue when it comes to things like Shadow IT, which we might touch on a little bit more later on. Because, all it takes is for one of your business users, getting frustrated with Central IT, to go away and use maybe their corporate card or perhaps even their personal card to go and sign up your organization to access some of these cloud services, and that can be problematic.

Peter Hansen:

Yeah. So, we can conclude then that just because it’s labeled public cloud doesn’t make it less private necessarily than a private cloud.

Lee Newcombe:

Ah. I’m not sure I’d go quite that far. So, as I think, when you start thinking about a private cloud, that is something that is purely limited to your own organization. You could host that in your own data centers. You could host that in a cloud provider’s data centers. But the key there is that it’s only available to your organization. So, when you start thinking about attack surfaces, and things like that, you only really have to worry about your organization, and then, the boundaries that your provider or hosting partner is putting around that cloud service. Whereas, with the public cloud, you will be sharing more elements of that service with the other tenants of the service.

So, I think there is a difference, certainly a difference there in attack surface, between public and private. But, the benefits of public tend to be that they will be a bit more dynamic in terms of the services that they offer and a bit more innovative, as well. So, if you build your own private cloud, you also then have to start worrying about provisioning, as well, to make sure that you provision enough resources to cope with any spikes that you’ve got. So, there are pros and cons for the public and private, but I’m-

Peter Hansen:

And then, I read that that’s… as it’s actually back to the risk assessment and risk management of the type of information you’re going to put in the cloud that makes you choose whether it’s going to be in a public cloud or in a private cloud.

Lee Newcombe:

Yeah. I think you need some very strong compliance regulatory drivers to stick with private or perhaps some technology limitations. You’re not going to necessarily lift and shift a mainframe into Amazon, at the moment. You can certainly shift the workloads, but that’s more of a transformation than a lift and shift.

Peter Hansen:

So, what would you say are the most common challenges we see, and then even the… anticipate going forward when it comes to cloud adoption, in general?

Lee Newcombe:

I’ll start with the governance side of things because it’s easy to drop straight into the technology, but organizations need to make sure that they’ve got the appropriate strategy and risk ownership and governance structures in place. So, who owns the cloud strategy? Who owns the associated cloud security risk, and do these individuals actually have the power to enforce compliance? Now, I’m not saying that that actually needs to be centralized. So, if you’re operating some form of Multimodal IT, then you’ll likely find you need a mixture of traditional centralized security approaches and the more distributed approach, where you have maybe Security Champions embedded within their various development teams.

If you don’t get the governance right, then you leave yourself open to all sorts of pain, particularly things like Shadow IT, which we spoke about earlier on; cloud sprawl, where you just have lots of different cloud services and lots of different virtual private cloud environments, maybe, lots of different Azure VNets; and maybe even the lifting and shifting of old ways of working into the new cloud world. And, you don’t want that. You want to have kind of cloud native ways of working in the cloud world. You don’t just want to take what you’re familiar with and just do the same stuff in the cloud, because that just limits your future potential.

Away from the governance side, then, you do have the more technical aspects that we always talk about in security, so identity and entitlements management. Privileged Access Management, that’s always a fun topic in the cloud. Security monitoring across your cloud supply chains and your SaaS services, your IaaS services, your PaaS services. How do you get a single view of what’s happening to your stuff? Encryption key management. That’s always a tricky issue on-premises, as well, to be fair, but encryption key management is something that regularly crops up with conversations with clients.

And, then you’ve got the… I spoke about new ways of working. You’ve got to start thinking about how you can embed security into the development life cycle, the whole shift-left and DevSecOps approach. And then, of course, Shadow IT, which I mentioned earlier on. Organizations need to make sure that they know which cloud services they are using, particularly when it comes to SaaS. It’s very hard to control that test data if you don’t really know where it is. And, GDPR has some very strong views when it comes to Information Asset Registers and Privacy by Design. But, that’s where things like [inaudible] CASB suite can be very useful – making sure that you can control which cloud services are being used and what users can do within them.

Peter Hansen:

So, this actually contradicts a little bit how we see that our customers use cloud and adopt cloud at the moment, right? Because, you talk about the governance of it, you talk about actually having control and possibly even adding additional controls just because the fact that you’re not storing your data within your data center. But, in many cases, I’ve seen business adopting cloud in a way that goes out of the control of IT and information security.

Lee Newcombe:

I wouldn’t say putting in additional controls when it’s within the cloud. I tend to see it as being maybe slightly different controls, because it’s one of the things that I’ve always argued against, is that idea that you need to put 10 times as much security around your data just because it’s on the cloud than you would do when it’s on-premises. It tends to be the same data. It would be the same impact on your organization if that data gets compromised. So, just put the appropriate controls in place. But that may well be different controls to what you have on-premises. What you do not want to do is just lift and shift your existing tooling and processes into the cloud because that’s just the same kind of legacy mess, just in a different place. So, try and move towards more cognitive security controls is my advice in that area.

Peter Hansen:

Yeah. Yeah. Okay. I agree to that and I think I might have put it a little bit not as I intended to. But, whenever you look at a traditional company and they need to put a new system into their own data center, the technical aspects, usually at least IT security, hopefully [inaudible] information security gets involved and maybe just your judgment. But, when it comes to anyone within the business procuring a self-service, for example, they can do that without the interaction of any of the traditional teams.

Lee Newcombe:

Yes, they can, and that’s the whole danger of Shadow IT. You don’t know what your business is doing unless you make the effort to go off there and identify what SaaS services have been used. I’ve had a few clients who had some very nasty surprises when they do that scan of what SaaS services they’re using. I had one big multinational that ended up finding out that they’d been using something like 4,000 SaaS services, which was a bit of a surprise because they only thought they had about 500 in their CMDB. So, they do have a bit of an exposure there to GDPR issues.

Peter Hansen:

Yeah. And, also the fact that some of the SaaS services are, in quotes, “for free,” which also means that if you look at it from a legal aspect, the way your data is actually protected by legal boundaries is different compared to when you would buy a service.

Lee Newcombe:

Yeah. And, then you get into all kinds of discussions around service duplication. So, how many file transfer tools does any organization need? And, why do you need quite so many PDF converters, and why are so many of them hosted in China?

Peter Hansen:

So, what would you say makes retail unique in this?

Lee Newcombe:

I guess, in some cases, it’s the reluctance to make use of Amazon because they’re seen as a competitor. But, that said, I was listening to the keynote from the AWS Summit in London earlier this week, and they had this CDA from Sainsbury’s, big UK retail organization, on stage giving a presentation about how they make use of Amazon. So, it’s not the case that all retailers are related to Amazon.

Outside of that concern, retail just has to be very dynamic these days. Stock can change quickly. Offers certainly change quickly. Competition is fierce and margins are tight. But, there’s perhaps also a history of a lack of investment in security and IT. So, you’ll see lots of retailers with big flat networks, lots of individual technology silos, lots of channels that their customers can interact with but no common holistic view of customer interaction. That’s where a move towards cloud can provide the opportunity to address those issues whilst also improving security, because you’ve got this more or less greenfield site to go and build on, rather than transforming much of your system, which might be a bit more problematic.

There’s also lots of personal information in retail. So, you’ve got payment card details, names and addresses, transaction histories. And, some of this can be very personal when you start thinking about what retailers can infer from your transaction history, things about your habits, interests, circumstances. So, there’s lots of information there that organizations and retailers need to be careful of in terms of how they manage that.

Peter Hansen:

Yeah. I mean, the question around integrity and [inaudible] be, well, it wasn’t that fun maybe for the ones that were affected by it. But you have this occasion where one of the retailers sent a mail to a mailbox. And, it turned out that a father of a young girl realized that his daughter was pregnant just because they were using information from her surf behavior on trying to do target marketing.

Lee Newcombe:

Yeah. That is a famous example of where this stuff can go wrong in terms of that pattern matching and privacy impacts. But again, that’s maybe some of the things where cloud can help. So, if you start thinking about Google, the Google DLP service, it’s got a risk analysis capability and it can do analysis on the data that you think you’ve de-identified. And, it can do analysis based on things like k-anonymity, rather than just seeing whether or not you’ve stripped personal data. Using something like k-anonymity, you can see quite how anonymous you’ve made your data. The whole idea of k-anonymity is that you’ve massaged your data so that there are always k-minus-one records that have got the same characteristics. So, you can never identify a single individual, but could always identify a group of k-minus-one who share the same characteristics.

Peter Hansen:

So, one additional thing when it comes to retail and cloud-based services, as such. So, if we look at AI… I mean, that’s been gaining traction quite a lot the last couple of years. One of the things that’s been preventing, I think, a lot from using machine learning or AI or advanced analytics, has been the investment costs, but now we see these services coming quite a lot. And, those should be specifically of interest for retail, right?

Lee Newcombe:

Yeah. I think so, but managed appropriately. You mentioned the famous example there of the father finding out about his daughter’s pregnancy via a retail mail shot. You do need to be careful about how you make use of the information that you infer.

Peter Hansen:

Yeah. And, especially in terms of GDPR, which actually has additional protection when it comes to automatic processing of information.

Lee Newcombe:

Yeah. I still think that’s one of the big issues in privacy at the moment, is how do you handle inferred data? Because, it’s not data that’s been provided by the subject. It’s data that the processor has created based on the provider data. And, I am not a GDPR expert in that particular area, but I think that’s still an area of some discussion, more generally.

Peter Hansen:

Yeah, definitely. It says the rights… the right of getting what data. So, [inaudible] of you, this subject access request, the law actually specifies that it is… You have the right to get the data that you had provided. But, the definition of data you have provided: would that mean the data you have actually entered or would that also mean the data on what you actually looked at, since you clicked on the different links?

Lee Newcombe:

Yeah. And, then you have the whole question of shadow profiles, as well. So, as a retailer, it’ll be the parents that are going off shopping, but if they’re buying lots of Avengers toys and Marvel comics, they can probably start building up a little bit of a profile about other people in the household, as well. Not that I wouldn’t buy Marvel comics and toys as a grownup, but that’s a slightly-

Peter Hansen:

Yeah. Of course, you wouldn’t. Do you have any closing remarks, conclusions?

Lee Newcombe:

Ah, no, I don’t think there’s anything major that we haven’t covered today. Cloud is a good opportunity for retail because of that chance it offers to move away from the legacy estates that lots of the big organizations have got and to maybe do things a little bit more agile on the cloud. And, I think that’s a transformation that retailers do need to make. Because, if they don’t – I think I said this in the first Podcast, as well – Amazon will eat them for breakfast, because Amazon are agile, they can service their customers much more quickly.

Peter Hansen:

Yep. So, that’s actually all the time we have today for this episode of the Capgemini Cybersecurity Podcast, with additional focus on the retail sector. So, thank you very much, Lee, for joining me.

Lee Newcombe:

Thanks, Peter. Speak again soon.

Peter Hansen:

I would also like to thank the listener, from wherever you are. I would also like to point out that there will be additional episodes coming out with retail, specifically, in mind. You will find these spots in the Capgemini channel using your standard podcast player. And, if you enjoyed this, feel free to share it via social media. Goodbye for now.
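Lee’s “not-so-subtle hint” about storage buckets deserves a concrete check. The following is an added example, not code from the podcast, Capgemini or AWS: it parses an S3-style bucket policy, flags Allow statements that name the anonymous principal (`"*"` or `{"AWS": "*"}`), and classifies the bucket, treating a read-only public grant as acceptable only when the bucket is declared to be a static website, and treating a `RestrictPublicBuckets` Block Public Access setting as neutralising the public policy. The bucket names, account ID, role name and policies are constructed for the example.

```python
"""Added example (not from the podcast or AWS): find bucket-policy statements
that grant access to everyone, and decide whether that is acceptable."""
import json

# Constructed sample policies (hypothetical buckets, account and role).
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-static-site/*",
    }],
})

PUBLIC_WRITE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanUpload",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-uploads/*",
    }],
})

PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppRoleReadWrite",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/order-service"},
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-orders/*",
        },
        {   # A Deny aimed at everyone is a hardening statement, not a grant.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-orders", "arn:aws:s3:::example-orders/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}: grants to unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_statements(policy_json):
    """Allow statements naming an anonymous principal. Each entry records the
    actions granted and whether a Condition narrows the grant."""
    policy = json.loads(policy_json)
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        found.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action", [])),
            "conditioned": "Condition" in stmt,
        })
    return found


def assess_bucket(policy_json, public_access_block, static_website=False):
    """Classify a bucket from its policy plus its Block Public Access settings
    (a dict such as {"RestrictPublicBuckets": True})."""
    grants = public_statements(policy_json)
    unconditioned = [g for g in grants if not g["conditioned"]]
    if not grants:
        return "private"
    if not unconditioned:
        return "review-conditioned-public-grant"   # e.g. aws:SourceIp / aws:SourceVpce
    if public_access_block.get("RestrictPublicBuckets"):
        return "public-policy-but-restricted"       # policy ignored for anonymous callers
    read_only = all(set(g["actions"]) <= {"s3:GetObject"} for g in unconditioned)
    if static_website and read_only:
        return "public-static-site"                 # the one case Lee allows
    return "PUBLIC-EXPOSURE"


if __name__ == "__main__":
    for name, policy, site in (("static site", PUBLIC_READ_POLICY, True),
                               ("orders", PRIVATE_POLICY, False),
                               ("uploads", PUBLIC_WRITE_POLICY, True)):
        print(f"{name:12} {assess_bucket(policy, {}, static_website=site)}")
```

Only the bucket policy is inspected here; a real review also needs the bucket ACL and the account-level Block Public Access settings, which can make a bucket public (or safe) regardless of what the policy says.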
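Lee describes k-anonymity as a way to measure how anonymous a “de-identified” retail extract really is. The following is an added example, not code from the podcast, Capgemini or the Google DLP service: it computes k for a constructed set of transaction records from which names and card numbers have already been removed, generalises the quasi-identifiers (postcode, age, gender) step by step until a required k is reached, suppresses records that still cannot be hidden, and finally checks for classes whose members all share the same sensitive value, the situation in which k-anonymity alone still leaks what someone bought. The records, the attribute names and the generalisation ladder are all constructed for the example.

```python
"""Added example (not from the podcast or Google DLP): measure and enforce
k-anonymity on a constructed retail extract."""
from collections import defaultdict

# Constructed sample data (hypothetical). Direct identifiers such as name and
# card number are already gone, so the extract "looks" de-identified.
RECORDS = [
    {"postcode": "SW1A 1AA", "age": 34, "gender": "F", "category": "baby"},
    {"postcode": "SW1A 2BB", "age": 35, "gender": "F", "category": "baby"},
    {"postcode": "SW1A 1AA", "age": 29, "gender": "M", "category": "comics"},
    {"postcode": "SW1A 1AA", "age": 31, "gender": "M", "category": "comics"},
    {"postcode": "SW1A 2BB", "age": 52, "gender": "F", "category": "garden"},
    {"postcode": "SW1A 2BB", "age": 58, "gender": "F", "category": "garden"},
]
QUASI_IDENTIFIERS = ("postcode", "age", "gender")   # attributes an attacker may know
SENSITIVE = "category"                              # the attribute we want to protect

# Generalisation ladder, applied cumulatively and in order. Each step coarsens
# one quasi-identifier; "*" means the value is fully suppressed.
GENERALISATION_STEPS = [
    ("postcode -> outward code", lambda r: {**r, "postcode": str(r["postcode"]).split()[0]}),
    ("age -> decade band", lambda r: {**r, "age": f"{int(r['age']) // 10 * 10}s"}),
    ("age -> suppressed", lambda r: {**r, "age": "*"}),
]


def equivalence_classes(records, quasi_identifiers):
    """Group records by their tuple of quasi-identifier values."""
    classes = defaultdict(list)
    for r in records:
        classes[tuple(r[q] for q in quasi_identifiers)].append(r)
    return classes


def k_anonymity(records, quasi_identifiers):
    """k is the size of the smallest class: every record is then
    indistinguishable from at least k-1 others on the quasi-identifiers."""
    classes = equivalence_classes(records, quasi_identifiers)
    return min(len(m) for m in classes.values()) if classes else 0


def singled_out(records, quasi_identifiers):
    """Records alone in their class, i.e. directly re-identifiable."""
    classes = equivalence_classes(records, quasi_identifiers)
    return sum(1 for m in classes.values() if len(m) == 1)


def anonymise(records, quasi_identifiers, k_required):
    """Generalise step by step until k >= k_required. If the ladder runs out,
    suppress (drop) records in classes that are still too small.
    Returns (records, names of the steps applied)."""
    current = list(records)
    applied = []
    for name, step in GENERALISATION_STEPS:
        if k_anonymity(current, quasi_identifiers) >= k_required:
            break
        current = [step(r) for r in current]
        applied.append(name)
    if k_anonymity(current, quasi_identifiers) < k_required:
        classes = equivalence_classes(current, quasi_identifiers)
        current = [r for m in classes.values() if len(m) >= k_required for r in m]
        applied.append(f"suppressed records in classes smaller than {k_required}")
    return current, applied


def homogeneous_classes(records, quasi_identifiers, sensitive):
    """Classes whose members all share one sensitive value: k-anonymity holds,
    yet knowing someone is in the class reveals their sensitive attribute."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [key for key, m in classes.items() if len({x[sensitive] for x in m}) == 1]


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS, QUASI_IDENTIFIERS),
          "singled out:", singled_out(RECORDS, QUASI_IDENTIFIERS))
    anon, steps = anonymise(RECORDS, QUASI_IDENTIFIERS, 2)
    print("after", steps, "k =", k_anonymity(anon, QUASI_IDENTIFIERS))
    print("classes leaking the sensitive value:",
          homogeneous_classes(anon, QUASI_IDENTIFIERS, SENSITIVE))
```

On the constructed data the raw extract has k = 1, so every record is singled out even though no name is present. Reaching k = 2 takes all three generalisation steps; reaching k = 3 is impossible by generalisation alone and the two remaining records in the small class are suppressed. The last check matters for the pregnancy story Lee and Peter discuss: after generalisation the male class still contains only “comics” buyers, so anyone who knows a man in that postcode appears in the data learns what he bought, k-anonymity notwithstanding.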
