The 2018 holiday shopping season is in the rearview mirror. In 2017, holiday sales totaled $687.87 billion, and while total numbers aren’t yet in, experts predicted an increase between 4.3 and 4.8 percent for a total $717.45 billion to $720.89 billion in spending. That’s A LOT of consumer data retail companies are responsible for. If retailers are using cloud to revolutionize the customer experience, how are they doing so without creating risk for themselves, their customers, and other stakeholders?
Retail organizations are experiencing a culture shift as they respond to consumer demand for improved experiences in the store and online. Building applications and migrating PCI-regulated workloads to Microsoft Azure and Google Cloud Platform (GCP), and sometimes even Amazon Web Services (AWS), offers an attractive way to respond to competitive pressures, speed innovation, shorten time to market, and improve resilience. However, the self-service, dynamic nature of software-defined cloud infrastructure creates unique challenges for risk and compliance professionals in the retail industry.
Processes and tools that worked well in the traditional datacenter do not directly translate to the public cloud. Due to concerns over Payment Card Industry Data Security Standard (PCI DSS) compliance and security, as well as the complexity involved in migrating legacy systems, retailers have traditionally taken a tentative approach to public cloud adoption. However, competitive pressures are driving retailers to jump into the proverbial deep end or risk being left behind and out of business.
Hasty Public Cloud Adoption Can Lead to Compliance Issues
According to the 2018 Verizon Payment Security Report, almost half of organizations fail to maintain PCI DSS compliance. For the half that DO achieve full compliance with their annual PCI DSS review, nearly half of those companies then fall out of compliance within a year.
This is incredibly important because 100% of companies that suffered a payment card breach were found to lack compliance with PCI DSS. The report elaborates on this point, “Many of the security controls that were not in place cover fundamental security principles that have broad applicability. Their absence could be material to the likelihood of an organization suffering a data breach. Indeed, no organization affected by payment card data breaches was found to be in full compliance with the PCI DSS during a subsequent Verizon PCI forensic investigator (PFI) inquiry.”
So why don’t more companies achieve and maintain compliance?
As stated above, the challenge is that competitive pressures are hastily pushing organizations to public cloud and they simply don’t have the right staffing levels or the right tools to consistently achieve good outcomes when approaching compliance as a manual task. Automating policy enforcement is a key element to achieving and maintaining compliance. The report backs this up, “Measure, report and act. Enhance data and security monitoring, detection and response competency through automation, training and performance measurement.”
In this new year, retailers need to go from 0 to 60 overnight, and without creating risk for themselves, their customers, and other stakeholders. To take full advantage of the opportunities public cloud offers, they must ensure that clear cloud governance standards are defined, that they have real-time automated enforcement of security and governance, risk management and compliance (GRC) policies, and that they can present evidence of compliance to assessors and auditors.
If you’re interested in finding out how to achieve this objective, read our guide, “How to Stay Secure as a Retailer Using Cloud to Revolutionize the Customer Experience.” It explores the frameworks that retailers are leveraging to ensure strong governance in the cloud, a roadmap for continuous compliance in the cloud, and how DivvyCloud can help you achieve this goal.
DivvyCloud: Guardrails for Your Cloud Infrastructure
DivvyCloud minimizes security and compliance risk by providing virtual guardrails for security, compliance, and governance to customers embracing the dynamic, self-service nature of public cloud and container infrastructure. Customers like General Electric, Discovery Communications, and Fannie Mae run DivvyCloud’s software to achieve continuous security governance in cloud and container environments (Azure, GCP, AWS, Alibaba, and Kubernetes). First, our software performs real-time, continuous discovery of infrastructure resources, allowing customers to identify risks and threats. Second, customers can implement out-of-the-box or custom cloud-native policy guardrails that identify and alert on violations. Third, we automate the enforcement and remediation of these policies.