Commentary
Tips for securing SD-WAN in the retail environment
Nirav Shah, senior director, product marketing at Fortinet, explains why a SD-WAN may prove valuable to the digital transformation of the retail environment but also requires some attention to ensure strong security.
March 25, 2019
By Nirav Shah, senior director, product marketing, Fortinet
Until recently, many retailers often either limited their interactions with individual stores to a weekend sale and inventory update combined with physical communications such as email and phone calls.
Or, they implemented a secured hub-and-spoke connection between each store and the central network, often using a service such as MPLS. In this configuration, all data, even between branches, was backhauled through the hub, or the IT team had to establish a meshed network that was both complicated and expensive to develop and maintain.
The demands of the digital marketplace are impacting retailers
All of that is rapidly changing, primarily because retailers have been especially affected by the requirements of the new digital market. On the one hand, consumers increasingly insist on integrating the ease of their online shopping experience using interactive applications with shopping in a physical location. This includes things like receiving frequent shopper recognition and rewards, linking applications to in-store inventory to check for pricing and product availability, quickly accessing and applying online discounts and coupons. It also simplifies things like shipping, in-store pickup of online purchases, and product returns, and even new register-less purchases using apps that connect the consumer's account information to their financial data.
But the consumer experience is only half of the equation. The digital transformation of the retail environment also enables things like automatically controlling, ordering, and redistributing inventory, collecting and processing point-of-sale information and other data, and managing personnel, scheduling, and payroll in real-time.
Some stores also want to be able to scan consumer devices to track shopping trends, influence the shopping experience with customized advertising, track inventory leaving the store to reduce things like shoplifting, and even remotely manage stuff like climate control and physical security. These demands are being further complicated due to the adoption of things like IoT, such as hand-held POS devices, and cloud-based resources ranging from applications to network infrastructure.
While SD-WAN solves digital market requirements, it can introduce security challenges
These digital transformation challenges have served as a massive catalyst for the adoption of SD-WAN to interconnect retail branches. SD-WAN presents a more flexible way to interconnect store locations with the centralized network and inventory hubs into an easy-to-manage meshed environment.
And it also enables seamless integration between customized applications and online services with an in-store shopping experience.
The challenge, however, is that most IT teams underestimate the difficulty of securing a broad SD-WAN deployment strategy. A good number of SD-WAN solutions available do not include any comprehensive security implementation. The best option is to encrypt traffic and then apply a security filter at the edge of the network to shut down a connection if it detects malware or unusual behavior.
Retailers are left with the daunting challenge of figuring out how to implement a security solution that is as flexible as the SD-WAN solution they have selected, but that doesn't also add too much burden to an IT security team that is already stretched too thin. IT resources previously committed to basic network maintenance are being redistributed to development and ops teams to ensure that applications, workflows, and data move seamlessly between different networked environments.
If that wasn't enough, they also need to consider how to meet compliance requirements as they extend their networks to new retail branches. Non-compliance with PCI-DSS credit card data can invoke fines of $5,000 to $100,000 per month. Likewise, non-compliance with SOX, which requires transparent financial reporting and maintaining a formal system of internal checks and balances, can include fines of up to $5 million and even time in prison.
Securing the SD-WAN solution
Unfortunately, the majority of the legacy security devices and solutions in place were never designed to support the unique and highly dynamic requirements of today's connected branch stores. They can't see far enough, can't track data that moves between physical and virtual locations, and can't share and correlate threat intelligence to identify and stop advanced attacks.
Instead, SD-WAN solutions require a sophisticated suite of security tools embedded directly into the product, including NGFW, IPS, web filtering, antivirus/antimalware, encryption, and high-speed inspection of encrypted data.
Further, those security tools need to seamlessly integrate with the security tools deployed elsewhere in the distributed network, whether on the main campus, or remote and mobile devices, and across each of the different cloud solutions that have been adopted. And they need to be able to be managed and orchestrated remotely without adding additional overhead to the current IT team.
As a result, any SD-WAN solution under consideration must include the following security characteristics:
- A comprehensive suite of fully integrated security tools. These include NGFW security that can see and protect traffic, IPS to detect and prevent intrusions, application security, web security and filtering, antimalware and antivirus, data encryption, and support for inspecting encrypted traffic at network speeds.
- Security natively embedded to reduce the device footprint needed to protect the branch location and to orchestrate network and security policies through a centralized console. In addition, the SD-WAN device needs to be designed to handle the processing overhead required to run a full suite of security tools.
SD-WAN security solutions also need to assist with regulatory compliance. Security rating services, for example, allow organizations to continually take the pulse of their deployed security postures, compare themselves against industry peers, and assess their effectiveness in managing the security risks of any retail branch with direct internet connectivity.
Finally, those security solutions must also be able to be seamlessly integrated with other security solutions deployed elsewhere. Single-pane-of-glass management combined with universal threat intelligence collection, event correlation, and threat response not only raises the level of security across the entire distributed network, but also helps preserve and consolidate IT resources related to policy creation and the whole deployment, integration, and optimization lifecycle.
An integrated security fabric strategy
A secure SD-WAN solution allows your IT team to focus resources on developing and managing a single set of security solutions that can be deployed repeatedly and easily at each branch location, and then seamlessly integrated with those security solutions implemented at physical and cloud-based network locations.
Then, as security resources are consistently applied, automation can begin to take care of the more mundane tasks of maintenance and management. This not only reduces the TCO of a distributed security fabric but also frees up valuable IT resources to focus on higher order security functions such as coordination of policies and the analysis of threat intelligence.
Such a strategic approach to deploying a secure SD-WAN solution allows retailers to expand their retail locations, integrate their online and physical shopping experiences, manage and monitor remote sites and inventory to increase profitability, and quickly adapt to new consumer demands without ever compromising on security.
