Securing the Retail Enterprise
By David Dorf on Oct 20, 2008
Every retailer is well aware of the Payment Card Industry (PCI) and its Data Security Standard. Breaches exposing credit card data at several prominent retailers have been publicized ad nauseam. On the one hand I'm pleased to get increased questions from retailers about PCI, but on the other I wish they would look beyond the specifics of PCI and consider security holistically. As I described in the article Avoid the PCI Hype, retailers would be better served by implementing the right levels of security across the board; PCI compliance then largely takes care of itself.
To help companies think about the many aspects of security, use the Seven A's:
Authentication, Authorization, Assure privacy, Audit, Alarms, Archive, Administration
Addressing each of these areas will provide a comprehensive security framework that covers concerns such as PCI, SOX, Canada's PIPEDA, and California's SB-1386. In a perfect world, retailers would just purchase and install the "Secure Everything" product and be done. (Actually, if such a product existed it would probably lock everything down such that productivity ground to a halt. Perfect security equals useless systems.) But alas, it takes several products working in concert.
I am encouraged by today's release of Oracle Adaptive Access Manager 10gR3. It represents one more weapon in the impressive arsenal of Identity Management products. In a world where attackers show incredible nimbleness, adaptive security is an important defense.
As a former retailer myself, I know the burden of securing not only corporate systems, but the distributed store systems that extend well beyond "enemy lines." And I recall the consternation associated with weekend calls when something had failed. Only bankers have it worse; but at least they get a decent budget.