In The Zone

Retail outlets must ensure they are abiding by regulations

  • By Mike Lloyd
  • Jun 22, 2009

A delicate balance exists in the retail world as businesses try to ensure easy and seamless customer experiences while maintaining high security. This ranges from finalizing a transaction, down to information security controls and processes designed for data integrity. A business must ensure it is abiding by industry and government regulations as well as providing a secure and protected environment for the transfer and storage of personal customer data.

Achieving a reasonable state of security has been, for many, a difficult objective as application uptime often takes a front seat over other initiatives. However, when IT security needs are expressed in terms of meeting compliance requirements, such as the Payment Card Industry’s data security standard, executives and top-level business managers take notice.

Networks are complex entities, with many moving parts. Determining how to align security practices with other efforts to meet an organization’s needs appears to be a monstrous task. Auditing the setting of each knob and dial on every low-level network device may sound sensible, but such an approach is equivalent to assessing patterns in the bark of trees while ignoring the trees themselves and the forest altogether. Knowing what traffic is permitted and what must be blocked is necessary. But this is inherently an end-to-end question, not a device configuration question.

Compliance Objectives
There’s a clear advantage in converging the goals of all the various compliance objectives. It centers on scope. Anyone manually measuring compliance today will tend to reduce the scope of the project as much as possible. However, this point flips around if automation is applied. The more an organization can automate the management of firewall and router configurations, the more the objective shifts from small scope to unified scope. An organization also should test the whole regulated infrastructure regularly, from a single viewpoint of what is and what it not permitted.

The ideal target is a single set of tools and processes for compliance, evaluated against an infrastructure, with a specific set of rules outlining what is compliant. Reaching this ideal isn’t trivial, but in a world where compliance burdens are continuously increasing, it is a critical survival strategy to unify and automate this work as much as possible. The most successful organizations are well along this path, finding commonality across regulation sets, and applying fixed standards in a turn-key fashion. The contrast in efficiency is stark between these teams. For those in reactive mode, struggling to clear each different regulatory milestone is an isolated project.

As a company looks to better align its security practice with its assessment practice, it has to examine firewall rule sets. Some companies attempt a brute-force approach, building a database of every single rule in every firewall, identifying the owner of each line and re-approving every rule on a regular basis. While logical, such a practice is untenable, despite following the regulations.

People can’t reliably review thousands of complex firewall policy statements. Even if they could, it takes too long for the business to see its benefit. Instead, there’s a deeper issue in this device-by-device approach. Even if one could validate every rule in every firewall, the outcome would not lead to a better understanding of a company’s overall network defensive posture. The complexity of many networks is staggering, as they often include remote sites, each with their own firewalls and VPN equipment. The number of interactions required to ensure a network is operational is staggering.

A New Approach
Leading IT security managers are stepping back from the idea of auditing everything. Instead of managing every rule in every firewall within a database, a more reasonable approach involves managing groups or zones of activity. A company may break its network into a variety of groups, including Internet, extranet, customer database, ERP system and wireless areas. A matrix could represent each group and every legal type of traffic between the various areas in a zone-based, rather than rules-based, approach to security management.

It would be unwise to create a large matrix of dozens or hundreds of cells. To address PCI requirement No. 1, for example, the creation of a four-by-four matrix would work well (see diagram).

PCI-DSS requirement 1, allowable traffic by zones

A zone matrix provides a common language with which to communicate issues and exposures. It is critical that zone-to-zone relationships make sense to people within the organization who are not on the security team. Without that comprehension, necessary resources for getting security issues resolved will not be assigned.

The next step, after taming the complexity through zone management, is to automate the compliance assessment process by using a computer to analyze firewall and router configurations across the entire network. Through automation, security teams are finding forgotten severs attached to networks with access connections to other servers creating security holes. They are finding mistakes and omissions within router access or firewall rules that create problems.

The ability to scale and better manage a network to meet compliance requirements, as well as continually improve the company’s security posture within a complex, rapidly changing IT infrastructure is within reach. Through automation, security teams are regaining valuable time and increasing accuracy.

About the Author

Mike Lloyd is the chief scientist at RedSeal Systems Inc.

Featured

  • Integration Imagination: The Future of Connected Operations

    Security teams that collaborate cross-functionally and apply imagination and creativity to envision and design their ideal integrated ecosystem will have the biggest upside to corporate security and operational benefits. Read Now

  • Smarter Access Starts with Flexibility

    Today’s workplaces are undergoing a rapid evolution, driven by hybrid work models, emerging smart technologies, and flexible work schedules. To keep pace with growing workplace demands, buildings are becoming more dynamic – capable of adapting to how people move, work, and interact in real-time. Read Now

  • Trends Keeping an Eye on Business Decisions

    Today, AI continues to transform the way data is used to make important business decisions. AI and the cloud together are redefining how video surveillance systems are being used to simulate human intelligence by combining data analysis, prediction, and process automation with minimal human intervention. Many organizations are upgrading their surveillance systems to reap the benefits of technologies like AI and cloud applications. Read Now

  • The Future is Happening Outside the Cloud

    For years, the cloud has captivated the physical security industry. And for good reason. Remote access, elastic scalability and simplified maintenance reshaped how we think about deploying and managing systems. But as the number of cameras grows and resolutions push from HD to 4K and beyond, the cloud’s limits are becoming unavoidable. Bandwidth bottlenecks. Latency lags. Rising storage costs. These are not abstract concerns. Read Now

  • Right-Wing Activist Charlie Kirk Dies After Utah Valley University Shooting

    Charlie Kirk, a popular conservative activist and founder of Turning Point USA, died Wednesday after being shot during an on-campus event at Utah Valley University in Orem, Utah Read Now

Most   Popular

New Products

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation.

  • Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

    Connect ONE®

    Connect ONE’s powerful cloud-hosted management platform provides the means to tailor lockdowns and emergency mass notifications throughout a facility – while simultaneously alerting occupants to hazards or next steps, like evacuation.

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame.