Thwarting Retail Threats
By Julie Ritzer Ross
In recent years, retailers have saved billions of dollars by using Web-based systems to access, transmit, store and analyze data. Many also have boosted sales to new heights by leveraging the power of the Internet. However, these benefits have come at a price: The openness and accessibility of the Internet render the data it carries vulnerable to a wide variety of threats, ranging from financially devastating security breaches to worms, Trojans, viruses, spyware, spam and distributed denial-of-service attacks.
While such tactics as procuring current security patches from systems providers offer some protection here, many merchants, among them Egg Harbor Township, N.J.-based Spencer Gifts, are going one step further by implementing intrusion prevention systems (IPS) and services from vendors like SonicWALL, MegaPath, Cisco, Raritan and Comm. "In general, the more disparate layers of Internet security a retailer has in place, the better," says Brian Kilcourse, senior partner, BEK Consulting and chief strategist, Retail Systems Alert Group. IPSs are becoming an essential layer.
IPSs are one step more advanced than intrusion detection systems (IDS), which pinpoint interference with Internet systems by performing deep inspection of data packets and finding the source of break-ins. IPSs combine deep packet inspection with the blocking capabilities of firewalls. They look at data content, searching specifically for exploitation characteristics and automatically blocking exploitation where vulnerabilities have been uncovered. Spencer Gifts is experiencing enhanced protection for its new IP-based network with an IPS configuration from SonicWALL, according to David Powell, manager of network and computing services for the 630-unit retailer.
"The irony is that while we're driving more productivity and revenue by switching to broadband POS systems, we need to be far more careful about Internet vulnerabilities," Powell observes. "It's a whole new ballgame building an IP network for hundreds of stores that need to function even if a broadband connection is lost and has to protect private customer and business information, not to mention facilitate the business of managing the entire network. With (the IPS), we're reaping real-time POS application benefits while protecting highly confidential information. It allows us to be far more productive."
The solution comprises 630 SonicWALL TZ 170 SP devices, one for each store, plus two SonicWALL PRO 5060 multi-service gigabit network security platforms at corporate headquarters. Incorporating dual broadband and dial-up failover capabilities, the in-store devices integrate support for the vendor's gateway and firewall service, affording real-time protection against viruses, spyware, worms, Trojans and related threats, Powell explains. On the headquarters side, the security platforms integrate high-speed gateway anti-virus, anti-spyware, intrusion prevention, content filtering and anti-spam capabilities, along with advanced wireless LAN features, a deep inspection firewall and a VPN security feature.
Spencer Gifts manages the in-store and corporate headquarters components of the solution through a feature-rich interface that allows Powell and his staff to see firewalls working in every unit.
Another retailer, Ace Hardware, deployed a VPN based on SonicWALL's Internet security solutions. "With more than 4,800 retail locations, we needed a solution that could easily address all of our Internet security needs," says Bob Gradle, network technologies manager. The application provides secure access to inventory and sales information and automatically updates anti-virus software.
The stance Spencer Gifts and other merchants are taking in jumping on the IDS bandwagon should bode well for them given the new regulatory hurdles and security challenges that seem to be cropping up almost daily, notes Palaniswamy Rajan, president and CEO of Dallas- and Atlanta-based technology consulting firm Vigilar.
Among the most recent challenges, and one particularly pertinent to retailers, is the Payment Card Industry (PCI) Data Security Standard bulletin, jointly issued by credit and debit card issuers in December 2005. The PCI document contains a series of requirements designed to protect cardholder data. Requirements stated in the bulletin apply to all members of the card issuing associations, as well as to merchants and service providers that store, process and/or transmit cardholder data.