The Case for Open Source in Retail Data Security
By Mark Weiner, managing partner, Reliant Security
If seeing the words 'open' and 'secure' in the same sentence seems counterintuitive, don't worry. It did for me as well. However, a growing number of retailers are turning to open source security tools as an alternative to high-priced commercial software across their store environments to meet challenging PCI requirements.
Recent data security breaches, such as the Hannaford's affair, suggest that hackers are focusing on stealing sensitive credit card data at the point of sale. They are focused there for the simple reason that most store systems have only limited protection and provide access to the most valuable data. The commonly prescribed cure to meet this threat is to implement the PCI Data Security Standard in its entirety across all systems that store, process, or transmit credit card data, including the POS.
The problem with this is economics. Traditional data security solutions for store environments require a 'mini datacenter' approach which involves multiple commercial security applications and appliances integrated in customized configurations. This approach requires both a significant upfront capital cost and a large total cost of ownership associated with ongoing third-party maintenance. The more stores that need to be protected using this approach, the less favorable the economics become.
For all of its security drawbacks, the store environment has two advantages that retail CIOs can leverage.
1. Most store systems environments are virtually identical across retail chains, so investment to produce a cost-effective solution in one store can be leveraged across all of them.
2. Transaction volumes are relatively low, so proprietary, high-performance hardware and software are generally not required.
This is where Open Source comes into play. The biggest benefit to retailers is the price. Open Source software is generally free to use. It runs on commercial-off-the-shelf hardware which can be sourced from multiple vendors and is easy to support.
Fortunately, the open source community has provided retailers with a wide variety of security tools to choose from including firewalls, logging systems, vulnerability scanners, intrusion detection systems and file integrity monitors. These tools are developed and supported by diverse communities of dedicated industry professionals who deploy them to meet their needs in a variety of security environments.
The open source model of development and product governance allows the concurrent input of different agendas, approaches and priorities. This differs from the more closed, centralized models of development where relatively few individuals have input and develop code for specific commercial applications. These divergent approaches yield both benefits and disadvantages for users of open source.
The greatest benefits are cost, security and stability. Since hundreds and sometimes thousands of developers have input to the process, open source tools are highly stable and often free of security vulnerabilities. The source code is readily available for anyone to review or modify. Consequently, bugs can be identified and fixed by any interested party. Improvements to an open source solution are vetted by the community, available to all, and then rolled up into major version releases only after it has been determined the new code is safe and stable. Such a high level of visibility to the internal workings of open source applications by so many people yields security through transparency.
The disadvantages are largely around usability. Open Source security tools typically lack fancy user interfaces that make the functionality more intuitive to 'one-off' users. For retailers, however, this is not much of a disadvantage. Retailers are in the business of building distribution channels and systems that can scale efficiently across hundreds or thousands of locations. The investment of time to deploy, integrate and support open source security tools in store systems can be amortized over the entire retail chain. Simply put, the more stores you deploy open source security tools in, the better the economics become, which is the opposite of the traditional approach to data security in stores and what the retail industry is really about in the first place.
At my company, Reliant Security, we are focused on the use of open source to meet the challenges of data security and PCI compliance for our customers. We believe that Retail CIOs should consider this alternate path to compliance when meeting the challenges of security and compliance across their enterprises.
Mark Weiner is Managing Partner of Reliant Security. Reliant Security provides consulting and data security solutions with an emphasis on leveraging open source security tools over commercially available software to provide its clients with secure and cost-effective solutions. Reliant's Managed PCI System assists customers in meeting PCI and other information security compliance requirements. For more information please visit our website at www.reliantsec.net.