
Thwarting Retail Threats

In recent years, retailers saved billions of dollars using Web-based systems to access, transmit, store and analyze data. Many also boosted sales to new heights by leveraging the Internet. However, these benefits have come with a price: The openness and accessibility of the Internet render the data it carries vulnerable to a wide variety of threats, ranging from financially devastating security breaches to worms, Trojans, viruses, spyware, spam and distributed denial of service attacks. While tactics such as procuring current security patches from systems providers offer some protection here, many merchants, among them Spencer Gifts, are going one step further by implementing intrusion prevention systems (IPS) and services from vendors such as SonicWALL, MegaPath, Cisco, Raritan and Comm.

"In general, the more disparate 'layers' of Internet security a retailer has in place, the better," says Brian Kilcourse, senior partner, BEK Consulting, and chief strategist, Retail Systems Alert Group. IPSs are becoming an essential layer.

Combine Packet Inspection, Blocking Capabilities

In terms of intelligence, IPSs fall one step above intrusion detection systems (IDS), which pinpoint interference with Internet systems by performing deep inspection of data packets and finding the source of "break-ins." IPSs combine deep packet inspection with the blocking capabilities of firewalls. They look at data content, searching specifically for exploitation characteristics and blocking exploitation where vulnerabilities have been uncovered. Spencer Gifts is experiencing enhanced protection for its new IP-based network with an IPS configuration from SonicWALL, according to David Powell, manager of network and computing services for the 630-unit retailer.

"The irony is that while we're driving more productivity and revenue by switching to broadband POS systems, we need to be far more careful about Internet vulnerabilities," says Powell. "It's a whole new ballgame building an IP network for hundreds of stores that needs to function even if a broadband connection is lost and has to protect private customer and business information, not to mention facilitate the business of managing the entire network.

"With (the IPS), we're reaping real-time POS application benefits while protecting highly confidential information. It allows us to be far more productive."

The solution comprises 630 SonicWALL TZ 170 SP devices, one for each store, plus two SonicWALL PRO 5060 multi-service gigabit network security platforms at corporate headquarters. Incorporating dual broadband and dial-up failover capabilities, the in-store devices integrate support for the vendor's Gateway and Firewall Service, affording real-time protection against viruses, spyware, worms, Trojans and related threats, Powell explains. On the headquarters side, the security platforms integrate high-speed gateway anti-virus, anti-spyware, intrusion prevention, content filtering and anti-spam capabilities, along with advanced wireless LAN features, a deep inspection firewall and a VPN security feature.

Spencer Gifts manages the in-store and corporate headquarters components of the solution through a feature-rich interface that allows Powell and his staff to see firewalls working in every unit.

Ace Hardware deployed a VPN based on SonicWALL's Internet security solutions. "With more than 4,800 retail locations, we needed a solution that could easily address all of our Internet security needs," says Bob Gradle, network technologies manager, Ace Hardware. The application provides secure access to inventory and sales information and automatically updates anti-virus software. Store management can also implement content filtering to prevent employees from accessing inappropriate Web content.

Regulatory Challenges

The stance Spencer Gifts and other merchants are taking in jumping on the IDS bandwagon should bode well for them given the new regulatory hurdles and security challenges that seem to be cropping up daily, notes Palaniswamy Rajan, president and CEO of technology consulting firm Vigilar. Among the most recent, and particularly pertinent to retailers, is the Payment Card Industry (PCI) Data Security Standard bulletin, jointly issued by credit and debit card issuers in December 2005. The document contains a series of requirements designed to protect cardholder data; the requirements apply to all members of the card issuing associations, as well as to merchants and service providers that store, process and/or transmit cardholder data.

"It's more important than ever to be proactive about establishing an organization-wide optimal security posture," asserts Rajan. "Incorporating enterprise intrusion prevention is essential in establishing this posture."
