SMU MBA ASSIGNMENTS

Securing the retail store computing environment has never been more important, or more necessary, than it is today. Store technology is shifting from closed, proprietary systems to open, flexible systems that allow greater and more meaningful interaction with the customer, headquarters, and partners, as well as better control and understanding of store operations. This shift is evidenced by the introduction of retail store technologies such as wireless networking, store Internet access, multifunction point-of-sale (POS) devices, multi-channel selling, customer kiosks, handheld devices, Voice-over-IP (VOIP), remote frequency identifiers (RFIDs), and so on. Generally speaking, these technologies require more effort around security, due to the nature of the applications they introduce and the functionality they expose. Additionally, technology is providing lower cost operational alternatives, such as store-to-corporate network connectivity, that leverage public networks that expose retailers to additional security threats, such as cyber-attacks.

More evidence of this trend can be seen in a recent flurry of headlines that describe the theft, both by employees and non-employees, of corporate and customer data from the store environment, and theft from the corporate environment by using the store as an entry point. Additionally, state legislation and industry regulations, such as Personal Data Privacy and Security Act of 2005 (Specter-Leahy), California bill 700, and the Payment Card Industry (PCI) Data Security Standard (DSS) adopted by Visa, MasterCard, and others, have been enacted to ensure that retailers and other purveyors of customer data are responsible for protecting customer data, and that they are held accountable for its theft.

This three-part series is structure to address security in four areas:

• Securing the Network
• Securing the Systems
• Securing the Data
• Managing for Security

Each area identifies the relevant technologies, and describes the advantages, requirements, and considerations of implementing each technology. When possible, generic technologies and solutions are identified, followed by a discussion of Microsoft products and how they apply. Links to more prescriptive guidance for each technology are also provided.

A comprehensive security solution involves people, process, and technology, so that technology alone is not sufficient to mitigate the security threats to which most of today’s retailers are exposed. Although people and process components are not within the scope of this document, we mention these components as they become critical to the guidance.

The following is a list of relevant security threats common to the retail industry:

• Applications running under a shared, privileged account
• Viruses, spyware, and other cyber attacks
• Wireless spoofing
• Data stolen on un-secure, un-managed mobile devices
• Credit card theft by both hackers and employees
• Insecure stores that provide an easy entry into the corporate network
• Physically insecure computers and networks that are an easy target

A common misconception regarding the allocation of budget for securing the store is that it does not provide a clear return on investment (ROI) for retailers. The reality is that security enables a company to meets its business objective by providing a safe and secure environment that helps avoid the following:

• Loss of revenue
• Loss or compromise of data
• Interruption of business process
• Legal consequences
• Damage to customer and partner confidence
• Damage to reputation

A more secure retail store also enables easier and safer connectivity with customers and business partners.

Because many retailers have heterogeneous and legacy devices that are not easily replaced, this document first outlines the general approach involved in securing the store. It then identifies alternative methods based on cost, complexity, or other business decisions. Finally, it outlines how Microsoft addresses these through its products.