In The Zone

Retail outlets must ensure they are abiding by regulations

A delicate balance exists in the retail world as businesses try to ensure easy and seamless customer experiences while maintaining high security. This ranges from finalizing a transaction, down to information security controls and processes designed for data integrity. A business must ensure it is abiding by industry and government regulations as well as providing a secure and protected environment for the transfer and storage of personal customer data.

Achieving a reasonable state of security has been, for many, a difficult objective as application uptime often takes a front seat over other initiatives. However, when IT security needs are expressed in terms of meeting compliance requirements, such as the Payment Card Industry’s data security standard, executives and top-level business managers take notice.

Networks are complex entities, with many moving parts. Determining how to align security practices with other efforts to meet an organization’s needs appears to be a monstrous task. Auditing the setting of each knob and dial on every low-level network device may sound sensible, but such an approach is equivalent to assessing patterns in the bark of trees while ignoring the trees themselves and the forest altogether. Knowing what traffic is permitted and what must be blocked is necessary. But this is inherently an end-to-end question, not a device configuration question.

Compliance Objectives
There’s a clear advantage in converging the goals of all the various compliance objectives. It centers on scope. Anyone manually measuring compliance today will tend to reduce the scope of the project as much as possible. However, this point flips around if automation is applied. The more an organization can automate the management of firewall and router configurations, the more the objective shifts from small scope to unified scope. An organization also should test the whole regulated infrastructure regularly, from a single viewpoint of what is and what it not permitted.

The ideal target is a single set of tools and processes for compliance, evaluated against an infrastructure, with a specific set of rules outlining what is compliant. Reaching this ideal isn’t trivial, but in a world where compliance burdens are continuously increasing, it is a critical survival strategy to unify and automate this work as much as possible. The most successful organizations are well along this path, finding commonality across regulation sets, and applying fixed standards in a turn-key fashion. The contrast in efficiency is stark between these teams. For those in reactive mode, struggling to clear each different regulatory milestone is an isolated project.

As a company looks to better align its security practice with its assessment practice, it has to examine firewall rule sets. Some companies attempt a brute-force approach, building a database of every single rule in every firewall, identifying the owner of each line and re-approving every rule on a regular basis. While logical, such a practice is untenable, despite following the regulations.

People can’t reliably review thousands of complex firewall policy statements. Even if they could, it takes too long for the business to see its benefit. Instead, there’s a deeper issue in this device-by-device approach. Even if one could validate every rule in every firewall, the outcome would not lead to a better understanding of a company’s overall network defensive posture. The complexity of many networks is staggering, as they often include remote sites, each with their own firewalls and VPN equipment. The number of interactions required to ensure a network is operational is staggering.

A New Approach
Leading IT security managers are stepping back from the idea of auditing everything. Instead of managing every rule in every firewall within a database, a more reasonable approach involves managing groups or zones of activity. A company may break its network into a variety of groups, including Internet, extranet, customer database, ERP system and wireless areas. A matrix could represent each group and every legal type of traffic between the various areas in a zone-based, rather than rules-based, approach to security management.

It would be unwise to create a large matrix of dozens or hundreds of cells. To address PCI requirement No. 1, for example, the creation of a four-by-four matrix would work well (see diagram).

PCI-DSS requirement 1, allowable traffic by zones

A zone matrix provides a common language with which to communicate issues and exposures. It is critical that zone-to-zone relationships make sense to people within the organization who are not on the security team. Without that comprehension, necessary resources for getting security issues resolved will not be assigned.

The next step, after taming the complexity through zone management, is to automate the compliance assessment process by using a computer to analyze firewall and router configurations across the entire network. Through automation, security teams are finding forgotten severs attached to networks with access connections to other servers creating security holes. They are finding mistakes and omissions within router access or firewall rules that create problems.

The ability to scale and better manage a network to meet compliance requirements, as well as continually improve the company’s security posture within a complex, rapidly changing IT infrastructure is within reach. Through automation, security teams are regaining valuable time and increasing accuracy.

About the Author

Mike Lloyd is the chief scientist at RedSeal Systems Inc.

Featured

  • New Report Reveals Top Trends Transforming Access Controller Technology

    Mercury Security, a provider in access control hardware and open platform solutions, has published its Trends in Access Controllers Report, based on a survey of over 450 security professionals across North America and Europe. The findings highlight the controller’s vital role in a physical access control system (PACS), where the device not only enforces access policies but also connects with readers to verify user credentials—ranging from ID badges to biometrics and mobile identities. With 72% of respondents identifying the controller as a critical or important factor in PACS design, the report underscores how the choice of controller platform has become a strategic decision for today’s security leaders. Read Now

  • Overwhelming Majority of CISOs Anticipate Surge in Cyber Attacks Over the Next Three Years

    An overwhelming 98% of chief information security officers (CISOs) expect a surge in cyber attacks over the next three years as organizations face an increasingly complex and artificial intelligence (AI)-driven digital threat landscape. This is according to new research conducted among 300 CISOs, chief information officers (CIOs), and senior IT professionals by CSC1, the leading provider of enterprise-class domain and domain name system (DNS) security. Read Now

  • ASIS International Introduces New ANSI-Approved Investigations Standard

    • Guard Services
  • Cloud Security Alliance Brings AI-Assisted Auditing to Cloud Computing

    The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today introduced an innovative addition to its suite of Security, Trust, Assurance and Risk (STAR) Registry assessments with the launch of Valid-AI-ted, an AI-powered, automated validation system. The new tool provides an automated quality check of assurance information of STAR Level 1 self-assessments using state-of-the-art LLM technology. Read Now

  • Report: Nearly 1 in 5 Healthcare Leaders Say Cyberattacks Have Impacted Patient Care

    Omega Systems, a provider of managed IT and security services, today released new research that reveals the growing impact of cybersecurity challenges on leading healthcare organizations and patient safety. According to the 2025 Healthcare IT Landscape Report, 19% of healthcare leaders say a cyberattack has already disrupted patient care, and more than half (52%) believe a fatal cyber-related incident is inevitable within the next five years. Read Now

New Products

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area.

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure.

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.”