In The Zone

Retail outlets must ensure they are abiding by regulations

  • By Mike Lloyd
  • Jun 22, 2009

A delicate balance exists in the retail world as businesses try to ensure easy and seamless customer experiences while maintaining high security. This ranges from finalizing a transaction, down to information security controls and processes designed for data integrity. A business must ensure it is abiding by industry and government regulations as well as providing a secure and protected environment for the transfer and storage of personal customer data.

Achieving a reasonable state of security has been, for many, a difficult objective as application uptime often takes a front seat over other initiatives. However, when IT security needs are expressed in terms of meeting compliance requirements, such as the Payment Card Industry’s data security standard, executives and top-level business managers take notice.

Networks are complex entities, with many moving parts. Determining how to align security practices with other efforts to meet an organization’s needs appears to be a monstrous task. Auditing the setting of each knob and dial on every low-level network device may sound sensible, but such an approach is equivalent to assessing patterns in the bark of trees while ignoring the trees themselves and the forest altogether. Knowing what traffic is permitted and what must be blocked is necessary. But this is inherently an end-to-end question, not a device configuration question.

Compliance Objectives
There’s a clear advantage in converging the goals of all the various compliance objectives. It centers on scope. Anyone manually measuring compliance today will tend to reduce the scope of the project as much as possible. However, this point flips around if automation is applied. The more an organization can automate the management of firewall and router configurations, the more the objective shifts from small scope to unified scope. An organization also should test the whole regulated infrastructure regularly, from a single viewpoint of what is and what it not permitted.

The ideal target is a single set of tools and processes for compliance, evaluated against an infrastructure, with a specific set of rules outlining what is compliant. Reaching this ideal isn’t trivial, but in a world where compliance burdens are continuously increasing, it is a critical survival strategy to unify and automate this work as much as possible. The most successful organizations are well along this path, finding commonality across regulation sets, and applying fixed standards in a turn-key fashion. The contrast in efficiency is stark between these teams. For those in reactive mode, struggling to clear each different regulatory milestone is an isolated project.

As a company looks to better align its security practice with its assessment practice, it has to examine firewall rule sets. Some companies attempt a brute-force approach, building a database of every single rule in every firewall, identifying the owner of each line and re-approving every rule on a regular basis. While logical, such a practice is untenable, despite following the regulations.

People can’t reliably review thousands of complex firewall policy statements. Even if they could, it takes too long for the business to see its benefit. Instead, there’s a deeper issue in this device-by-device approach. Even if one could validate every rule in every firewall, the outcome would not lead to a better understanding of a company’s overall network defensive posture. The complexity of many networks is staggering, as they often include remote sites, each with their own firewalls and VPN equipment. The number of interactions required to ensure a network is operational is staggering.

A New Approach
Leading IT security managers are stepping back from the idea of auditing everything. Instead of managing every rule in every firewall within a database, a more reasonable approach involves managing groups or zones of activity. A company may break its network into a variety of groups, including Internet, extranet, customer database, ERP system and wireless areas. A matrix could represent each group and every legal type of traffic between the various areas in a zone-based, rather than rules-based, approach to security management.

It would be unwise to create a large matrix of dozens or hundreds of cells. To address PCI requirement No. 1, for example, the creation of a four-by-four matrix would work well (see diagram).

PCI-DSS requirement 1, allowable traffic by zones

A zone matrix provides a common language with which to communicate issues and exposures. It is critical that zone-to-zone relationships make sense to people within the organization who are not on the security team. Without that comprehension, necessary resources for getting security issues resolved will not be assigned.

The next step, after taming the complexity through zone management, is to automate the compliance assessment process by using a computer to analyze firewall and router configurations across the entire network. Through automation, security teams are finding forgotten severs attached to networks with access connections to other servers creating security holes. They are finding mistakes and omissions within router access or firewall rules that create problems.

The ability to scale and better manage a network to meet compliance requirements, as well as continually improve the company’s security posture within a complex, rapidly changing IT infrastructure is within reach. Through automation, security teams are regaining valuable time and increasing accuracy.

About the Author

Mike Lloyd is the chief scientist at RedSeal Systems Inc.

Featured

  • Report Reveals Security Training Reduces Global Phishing Click Rates by 86%

    KnowBe4, the cybersecurity platform that comprehensively addresses human risk management, today launched its “Phishing by Industry Benchmarking Report 2025” which measures an organization’s Phish-prone Percentage (PPP) — the percentage of employees likely to fall for social engineering or phishing attacks, indicating the organization’s overall susceptibility to phishing threats. This year’s report found a global average baseline PPP of 33.1%, meaning a third of employees interact with phishing simulations before taking part in best-practice security awareness training (SAT).COVER 2025-PIB-NA-Report_EN-US Read Now

  • TSA Begins REAL ID Full Enforcement Today

    Today, the Transportation Security Administration (TSA) announced the imminent implementation of its REAL ID enforcement measures at TSA checkpoints nationwide. Read Now

  • Body-Worn Cameras on the Rise

    On the evening of Oct. 29, 2024, the owner of 300 Guard based in Houston, was shot while on duty at a convenience store. He returned fire. He was wearing a plated vest and thankfully recovered in the hospital. Read Now

  • Brazil Port Enhances Surveillance and Supports Wildlife Conservation with Sustainable Technology

    Ferroport, which operates the iron ore terminal at the Port of Açu in São João da Barra, Rio de Janeiro, Brazil, has deployed state-of-the-art video surveillance cameras from Axis Communications to enhance nighttime security and visibility, while decreasing environmental impact and prioritizing sustainability. With cutting-edge technology, the port now has precise surveillance cameras that capture high-quality nighttime images, while reducing the amount of artificial lighting that negatively impacts the surrounding ecosystem. Read Now

  • Fast-Forward from 1,000 B.C.E. to Today

    The lock and key have been around since time immemorial. In fact, the locksmith profession is one of the oldest in the world when you consider the earliest wooden tumbler lock debuted three-plus millennia ago. Read Now

Most   Popular

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file.

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings.

  • PE80 Series

    PE80 Series by SARGENT / ED4000/PED5000 Series by Corbin Russwin

    ASSA ABLOY, a global leader in access solutions, has announced the launch of two next generation exit devices from long-standing leaders in the premium exit device market: the PE80 Series by SARGENT and the PED4000/PED5000 Series by Corbin Russwin. These new exit devices boast industry-first features that are specifically designed to provide enhanced safety, security and convenience, setting new standards for exit solutions. The SARGENT PE80 and Corbin Russwin PED4000/PED5000 Series exit devices are engineered to meet the ever-evolving needs of modern buildings. Featuring the high strength, security and durability that ASSA ABLOY is known for, the new exit devices deliver several innovative, industry-first features in addition to elegant design finishes for every opening.