Is Your Network Secure Enough to Resist a Data Breach?

By Asa Holmstrom, President of Columbitech

Data suggests security issues are becoming a growing problem these days, but retailers can follow a few straightforward steps to protect their wired and wireless infrastructures.

According to the Identity Theft Resource Center (ITRC), data breaches in the first half of 2008 were up 69 percent over the same period in 2007, with at least 17 million consumer records compromised. According to Forrester Research, these breaches cost a company, on average, from $90 to $300 per lost record. The numbers are staggering and keep growing as data breaches continue. Furthermore, these figures are based only on data breaches that were reported; many others were never reported.

A security breach is not only damaging to a company's reputation, but can lead to financial loss through lawsuits, regulatory fines, and customer retention failures. And while some retailers have been pushed by PCI regulations to prove their compliance, this has not necessarily created a foolproof security situation.

The real problem behind data breaches is a lack of focus on security. In the rush to mobilize, many IT organizations have combined a plethora of aging, single-purpose solutions and, in doing so, sacrificed the capable security solution that would prevent data breaches from taking place.

The basic idea when it comes to wireless security is simple. Retailers need to defend the entrance to the networks, applications and sensitive information from unauthorized access, and protect any wireless communication, or data in motion, whether it is within the corporate WiFi or store environment, or wireless WAN used by the field workers or for general remote access.

The problem today for many retailers is open backdoors to both data and applications in the form of unencrypted wireless communications. A retailer might have some devices secured with WPA2, some with TKIP, and some without any security at all. With this mix of devices, even though many might be secured, data hackers will go for the weakest link. For example, a single device used for "harmless" inventory might use a telnet emulator through its own personal door in the firewall. This allows unencrypted or easy-to-breach encrypted communication, such as WEP or WPA, to take place, something that still happens on a regular basis.

Organizations need to approach wireless security with the same sense of urgency they use to secure their wired infrastructure, and they need to understand the unique challenges of the wireless environment.

Every single retailer needs to perform a security assessment to locate its IT security vulnerabilities and risks. Mandatory regulations should of course be included as a requirement, but the assessment should also be customized for each particular retailer. That way, the assessment covers every possible use of the wireless environment: all devices, all applications and all types of usage. With these requirements as guidance, the retailer can create its own security strategy and start implementing security solutions. Entrance points to data and applications need to be identified, and all wireless devices must be secured. With that in place, an appropriate security solution can be chosen.
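As an added example (not code from the article or from Columbitech), the following script audits a constructed device inventory of the kind the assessment above calls for, applying the weakest-link reasoning from the earlier paragraph: each device's link encryption is ranked, cleartext application protocols such as telnet are flagged, and device-specific firewall exceptions are reported. The inventory format, field names and ranking are assumptions for illustration.

```python
"""Wireless posture audit over a constructed device inventory (added example)."""
from dataclasses import dataclass

# Link-layer protections ranked weakest first. Only WPA2 with AES-CCMP is
# treated as adequate here; open, WEP and TKIP-based modes are flagged.
ENCRYPTION_RANK = {"open": 0, "WEP": 1, "WPA-TKIP": 2, "WPA2-TKIP": 2, "WPA2-AES": 3}
ADEQUATE_RANK = 3
# Application protocols that carry credentials or data in cleartext.
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http"}


@dataclass
class Device:
    name: str
    role: str
    link_security: str   # one of the ENCRYPTION_RANK keys (assumed field)
    app_protocol: str    # e.g. "telnet", "ssh", "https" (assumed field)
    firewall_rule: str   # "shared-vpn" or "dedicated-hole" (assumed field)


def assess_device(d: Device) -> list[str]:
    """Return the findings for one device; an empty list means no issue."""
    findings = []
    if ENCRYPTION_RANK.get(d.link_security, 0) < ADEQUATE_RANK:
        findings.append(f"weak link encryption: {d.link_security}")
    if d.app_protocol.lower() in CLEARTEXT_PROTOCOLS:
        findings.append(f"cleartext application protocol: {d.app_protocol}")
    if d.firewall_rule == "dedicated-hole":
        findings.append("device-specific firewall exception bypasses the common entry point")
    return findings


def weakest_link(devices: list[Device]) -> str:
    """Name of the device with the lowest link-encryption rank."""
    return min(devices, key=lambda d: ENCRYPTION_RANK.get(d.link_security, 0)).name


def audit(devices: list[Device]) -> dict[str, list[str]]:
    """Map every device name to its findings; the network is only as strong as the worst entry."""
    return {d.name: assess_device(d) for d in devices}


# Constructed sample inventory mirroring the mixed environment the article describes.
SAMPLE_INVENTORY = [
    Device("pos-01", "point of sale", "WPA2-AES", "https", "shared-vpn"),
    Device("handheld-07", "picking", "WPA2-TKIP", "ssh", "shared-vpn"),
    Device("inv-scanner-03", "inventory", "WEP", "telnet", "dedicated-hole"),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name, "OK" if not findings else "; ".join(findings))
    print("weakest link:", weakest_link(SAMPLE_INVENTORY))
```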

While there are countless security technologies available on the market, the retailer can use the following steps to find the appropriate solution for its identified entrance points and devices:

1. Does the solution support the three fundamentals of security?

The solution must support encryption, authentication and integrity. Within each area the level of security must be met as identified. For example, should the retailer use AES encryption or something else? Is one-factor authentication enough?

2. Is the solution based on a standard security protocol?

A solution built on a publicly tested and verified security protocol is preferred. Proprietary technology exposes the company to unknown risks and may increase the risk of a security breach.

3. Does the security solution enforce compliance?

The solution must ensure compliance with regulations such as SOX, HIPAA, and PCI DSS.

4. Does the solution support mobility features?

It's best to choose a security solution that supports mobility. Mobility features, such as session persistence, ensure the mobile worker stays connected and is able to focus on his job instead of being disconnected and prompted to log on again, which would make the security solution an obstacle for the individual worker.

5. Does the solution lower TCO?

If possible, retailers should find a solution that works on their existing infrastructure. Many vendors require new hardware, which forces retailers to adapt to the vendor instead of the other way around.

6. Does the solution scale to support future needs?

Retailers must put some thought into the future. Is this a solution for the short term or long term? How will the security of the network respond when new devices or applications are installed? What will happen when regulations are updated?

7. Does the solution support standards-based deployment tools?

Deployment can be a huge obstacle when it involves replacing inaccessible Access Points or driving to individual remote locations.

To find a capable security solution that will prevent data breaches from happening, it is time to let go of the aging, single-purpose solutions in place. Many retailers today have begun questioning this "one-step-behind," reactive mindset in favor of a balanced approach between TCO and the overall retail enterprise business requirements. This demands a shift away from tactical, short-term decisions and instead allows retailers to work from a top-down corporate IT and compliance strategy.

Asa Holmstrom is president of Columbitech.
