Lowering The Costs Of High Performance Network Security For Retail Chains
A FORTINET WHITE PAPER
Introduction

Retail remains among the top 3 industries targeted by cyber criminals, who are particularly aiming for vulnerabilities at the store level. Retailers need cost-effective network security solutions in their stores to mitigate risk to their business and prevent the financial and reputational damage created by a data breach or lengthy system downtime.

While threats increase, retail IT teams are under pressure to reduce costs and to develop existing and new retail channels. Given the squeeze on IT budgets, comprehensive and up-to-date network security measures in store may not always be a priority. However, as the volume of data handled by the retail industry grows, regulatory requirements are being implemented both to protect retailers and to guarantee the security of non-public personal information, with potentially tough financial penalties for firms that mismanage customer data. As such, retailers need to recognize that weak security at the store level could leave them very exposed financially, as well as compromising the trust of customers and the confidence of shareholders.

Recent projects such as the introduction of Wi-Fi connected tablets for sales and customer service personnel, in-store customer Wi-Fi access and augmented reality are adding to the complexity of the security challenges for retailers.

This whitepaper examines the challenges facing retail chains in providing cost-effective and comprehensive network security in their stores. We look at the options and solutions that can be deployed to help mitigate their risks while addressing their tight budgets.
Retail Store Challenges

The wide variety of wired and wireless technology deployed or being deployed in store, together with the increasing sophistication of security threats, means retailers need a comprehensive, in-depth defense system in place to reduce risks to the business. Securing the retail store network environment has never been more important than it is today.

Retail Store Data, IT and Network Security Challenges

- Protecting systems and data from the increasingly sophisticated threat landscape, which may result in lost sales, brand damage and fines
- Ensuring an excellent customer experience with high performance and availability of secure connected services, 24 x 7 x 365
- Scaling security solutions from kiosk to superstore and managing their distributed deployment cost-effectively
- Providing visibility and control of an increasingly complex in-store environment without burdening resources
- Supporting the evolution and migration to high-speed broadband public networks and web applications
- Protecting the increased use of in-store wireless networks and wireless connected devices, including tablets for sales staff
- Supporting planned/future rollout of new innovative services such as guest access and augmented reality
- Supporting ongoing compliance requirements, such as PCI-DSS

The bottom line: How can today's retailers deploy and manage comprehensive security in a cost-effective manner?

Retail IT security managers have several options for implementing comprehensive network security solutions at each store location, but few have the time or resources to be present wherever these distributed and complex technologies are deployed. So, the biggest challenge is often an operational one: how to deploy comprehensive network security solutions and manage their use in a cost-effective manner. Cost-effectiveness is especially difficult to accomplish when any trade-off in functionality due to budget constraints will have an impact on the risk profile of the business.
Traditional Approaches To Security

Individual retail stores often have no resources for IT security or systems administration. Therefore, retailers have traditionally provided different types of security deployments in their stores on top of central security at head office and within the data center.

Initially, a dedicated point solution that simply plugs into the store network with minimal setup has a great deal of appeal. However, such systems are not scalable, especially when dealing with today's sophisticated threats and complex in-store environments. Multiplying their deployment over hundreds of stores results in very expensive and cumbersome management of security policies and monitoring of events network-wide. Analyzing security information from multiple non-integrated appliances is a time-consuming process that hinders store security by making it too difficult to accurately and regularly assess vulnerabilities and guide remediation. In addition, the annual fees for software maintenance, licensing and operation rapidly become onerous with multiple appliances at hundreds of stores. Finally, the multitude of separate boxes represents many more potential points of failure, any one of which could expose the entire network to risk of attack.

Another low-cost approach has been to utilize the security capabilities of store-based routers and rely on stronger security defenses at head office and in the data center. Although the number of products at each site is minimized, routers are principally designed to provide network connectivity. Turning on more features in the router drags down router performance, slowing down business applications and user response. Besides, the security functions on routers are focused only on firewall and VPN capabilities, requiring additional point solutions to provide an adequate defense for multi-threat scenarios.
Traditional Retail Security With Point Solutions

Another traditional low-cost security approach has been to bring all the data back over a private wide area network (WAN), such as an MPLS VPN, and implement multiple central security systems at the data center. Again, in this approach, data integration and reporting is a tedious process and ineffective for rapid response to new vulnerabilities. Plus there is little if any visibility or control of what is happening on increasingly complex in-store infrastructures, especially where wireless access is provided. Bringing all traffic back over the corporate WAN, including customer Internet access, becomes an expensive exercise and an additional traffic management headache.
A Recipe For Today's In-Store Security Requirements

For retailers with many geographically dispersed shops or stores, having secure network connectivity onsite and linking all sites to head office has become the glue of critical operating processes such as the Point of Sale, accounting, inventory control, pricing, customer relationship management applications and other business services. The in-store and distributed store network is vital, yet invisible, to staff and shoppers alike until it stops working. When the network goes down, commerce transactions halt and cash registers stop ringing.

Retailers are looking to increase productivity, and to improve customer service through uninterrupted access to existing and new applications without compromising security and business agility, or stacking up additional costs. So what is needed for today's complex in-store security?

1. Multi-threat security systems

Protecting against malware attacks that are equipped with advanced malicious threat technologies requires much stronger threat prevention techniques than those just looking for static viruses that match a signature. It requires an intelligence-based structure that aggregates and correlates information from a variety of unified threat management sources. It requires a unified platform that can analyze user behavior against internal and external sources in order to determine if users on the network are doing their job or something else more nefarious.

2. High performance for excellent customer experience

With the increasing number of endpoints, applications and higher volumes of data, each in-store network must provide high performance for continuous credit card processing and point of sale connectivity to maximize the customer experience and interaction. In order to maintain high throughput and reliability, the increasingly complex in-store network must have security solutions that don't create any performance bottlenecks as they inspect and filter traffic for threats and malware. High performance and low latency of traffic flows is especially important during peak transaction periods.

3. In-depth defense for the in-store wireless LAN

Recently publicized data breaches in the retail industry have exploited vulnerabilities in store wireless networks. Attackers have been able to reach sensitive applications regardless of the security systems, such as firewalls and VPNs, on the links back to head office or the security measures in data centers. It is no longer only staff, auditors and training contractors visiting stores who need to use their laptops or tablets to access corporate systems and data. In-store reps are also being provided with wireless tablets to increase interactivity with customers, while some retailers are looking to differentiate services with wireless kiosks, flexible wireless digital signage and customer access through their own devices. All this increases the security management headache with escalating endpoint and wireless security.

4. Migration to lower-cost public networks

The adoption of low-cost superfast broadband connectivity to stores and/or the use of secure VPN over the public networks provide lower-cost operational alternatives to private WAN networks. In addition, the aggregation of multiple broadband connections at each site provides resilient connectivity or additional bandwidth where needed. Broadband is fast, abundantly available and becoming cheaper over time on a cost-per-megabit basis. However, leveraging public networks for store connectivity can expose retailers to additional security threats, so it is important that such connections are secure and that the encrypted traffic does not succumb to performance degradation when passing through security devices.

5. Adopting innovative in-store services

New applications and devices designed for multi-channel retailing in store are promising to increase retail operations efficiency and drive revenue and customer loyalty. Unless these advanced technologies are deployed with security in mind, they also make the retail environment more vulnerable to threats. Support of cutting-edge customer applications will become commonplace in the next 5 years, such as augmented reality applications used as customers move through the store and/or in-store Wi-Fi access to online systems and loyalty schemes. Security systems may need to scale to hundreds if not thousands of endpoints without incurring significant costs.

6. Supporting PCI-DSS compliance

With in-store networks carrying credit card transactions there is a need to satisfy PCI compliance requirements. Security monitoring and rogue detection are explicit requirements in the PCI standard, so it is imperative that retailers are able to analyze the user and device behavior on the in-store network and respond to any threat. However, costly manual PCI processes are impractical due to the scale and distributed nature of the networks and the sophistication of the threats.
The Fortinet Solution for Retail Stores

Fortinet's scalable integrated security platform enables retailers to easily deploy and centrally manage security appliances throughout the distributed network.

More Security - More Control - More Intelligence

Fortinet's next generation security systems enable retailers to secure multiple, geographically dispersed sites, systems and critical applications, such as inventory control and point-of-sale (POS). Fortinet protects sensitive customer information and complies with industry best practices and regulations including PCI-DSS. These next-generation security devices and virtual appliances are purpose-built to provide rapid deployment of essential advanced security technologies, along with the flexibility to scale with remote sites and growth plans.

Unified Threat Management From Kiosk To Superstore And Beyond

There are FortiGate platforms for every size of network, from kiosk to large superstore, distribution centers, head office and data centers supporting multi-channel retail operations. Fortinet provides FortiGate appliances ranging from 20 Mbps to 480 Gbps of firewall throughput. Several versions offer integrated WLAN access points, while others include a voice over IP gateway. In addition, the Fortinet security platform and central management can scale to provide protection for data center operations, database and online use cases, providing a comprehensive, in-depth, integrated security solution for all retail operations.

Single Pane of Glass Management

FortiManager centralized management makes it easy to secure thousands of endpoint devices while simplifying management of multiple retail locations, reducing IT operational costs. Endpoint control and identity-based policies secure fixed and mobile devices by identifying endpoints and applying specific access policies according to the type of device, location and usage. FortiManager provides easy centralized configuration, policy-based provisioning, update management and end-to-end network monitoring.

Centralized Logging, Analysis and Vulnerability Management

The extensive logging, archiving and analysis capabilities enabled by FortiAnalyzer centralized analysis and reporting provide administrators with more intelligence on the behavior of the in-store networks, users, guests, devices, applications and threats. FortiAnalyzer securely aggregates log data from all in-store Fortinet security devices and provides a comprehensive set of tools which enable administrators to measure and report on policy compliance. The central visibility and control simplifies the process of accurately and regularly assessing vulnerabilities and guiding remediation. This helps retailers achieve lower costs while providing a high security posture and maintaining compliance with PCI-DSS and other regulations.
Protecting Brand And Reputation

An advanced client reputation feature gives retailers a cumulative security ranking of each device based on a range of behaviors and provides specific, actionable information that enables organizations to identify compromised systems and potential zero-day attacks in real time. This enables retailers to provide unbeatable multi-layered security against sophisticated threats.

Providing Unmatched Performance For The Retail Environment

Fortinet's purpose-built hardware and software provide industry-leading performance for the most demanding networking environments. The integrated architecture is specifically designed to provide extremely high throughput and exceptionally low latency. FortiASIC processors provide the performance needed to block emerging threats, meet rigorous third-party certifications, and ensure that your network security solution does not become a network bottleneck for customer interactions and POS.

Integrated Secure Wireless LANs

The Fortinet solution reduces the wireless LAN risk with a comprehensive, integrated in-store security solution. All wired and wireless traffic is integrated into a single FortiGate security platform, giving unmatched visibility and control of all network threats. Retailers have the flexibility to choose between thick and thin access points (APs), all managed by the integrated wireless controllers within the FortiGate platform that deliver comprehensive, proven threat management and policy enforcement. In addition, the plug-and-play wireless APs automatically download their configuration settings, saving time and resources. The FortiGate platform enables retailers to have a highly scalable wireless LAN infrastructure in store with the ability to manage from a few to a very large number of access points. This approach reduces the costs of wireless deployment with all policies managed from a central location, eliminating any wireless blind spots.
Aggregating Multiple Broadband Connections With Failover To 3G

The Fortinet appliances can aggregate and load balance traffic over multiple low-cost broadband connections as well as MPLS WAN services to distribute and route content to/from the store to remote servers, providing resilient service connectivity. This aggregation and load balancing increases application performance and improves resource utilization. In addition, data compression and independent SSL encryption processors increase transaction throughput, providing additional acceleration for Web applications over the public network. This reduces the need for, and the associated costs of, third-party network products in the stores. The solution also supports a 3G wireless card for mobile broadband deployments or redundant WAN connections to ensure high service availability, keeping stores connected all day, every day.

Deploying Remote Secure Interactive Kiosks

Retail kiosks can also be placed in airports, hospitals, school campuses, company cafeterias etc., extending customer reach and brand for multi-channel operations. The scalability of the Fortinet security solution together with its 3G backup capability provides rapid and cost-effective deployment of a secure remote kiosk facility, whatever the size of facility and location. The Fortinet solution, with its auto-configuration, remote management and 3G backup capabilities, ensures high reliability, low maintenance expenses, detailed records of usage, and high flexibility down to the smallest location. As such, retailers can provide the same in-depth threat management, visibility and control as they extend operations beyond the storefront.

Application Control For Legacy And New Web Apps

In order to prevent data loss and mitigate new threats, retailers must be able to effectively control legacy applications as well as the new generation of Web apps. Web apps are no longer restricted to the Internet. They enable retailers to display their products in an environment of their own design, such as enabling customers to make more informed choices in store. Fortinet application control can detect and control the use of the new applications on the network, ensuring the correct security policies are applied, with usage monitored through intelligent behavioral analysis and end-user association.

Keeping Responsive To Global Threats

In order to provide rapid product updates and protection from new and emerging threats, the FortiGuard Labs' global team of threat researchers continuously monitors the evolving threat landscape. Unlike the partner services behind other security solutions on the market, the in-house team of over 175 FortiGuard Labs engineers provides around-the-clock coverage to ensure retail in-store networks stay protected.

Simple And Cost Effective In-Store Deployment

Preconfigured units can be shipped to stores without the need for scarce and expensive onsite IT resources. Once a connection is made to the network, further configuration of security devices can be made centrally. Near zero-touch provisioning and central update practices reduce the cost of deployment and maintenance significantly for retail chains.
Conclusion

In order to remain competitive in today's changing world, retailers will need to find innovative solutions to create value, fiercely reduce operating costs and mitigate risks throughout the business. For retailers with many geographically dispersed shops or stores, secure network connectivity linking all sites to head office is critical to business operating processes. When the network is breached, IT services can become unavailable and data can be lost, with serious consequences to the business.

With a Fortinet Unified Threat Management security solution, a retail organization with hundreds of stores can quickly deploy and operate comprehensive high performance security solutions to all endpoints for a fraction of the cost of traditional solutions and stand-alone appliances. The scalability of the Fortinet solution supports the evolution and growth of a retailer's IT and network infrastructure, so that they can easily and cost-effectively add network security functions on an as-needed basis. The combination of world-class network security and central management allows a retailer to have robust security for network resources, no matter where data is stored or accessed.

Retailers can easily deploy and centrally manage security appliances throughout the distributed network, from kiosk to superstore. This helps support multi-channel operations and innovative services such as customer access, as well as providing a high security posture and the tools to maintain compliance with PCI-DSS. The increased functionality of a single platform for unified threat management, with the flexibility of integrated Wi-Fi, 3G failover, traffic aggregation and high-performance ASICs, provides unmatched performance and agility at each store. Retailers can have a world-class security solution that is scalable, cost-effective and easy to manage, which supports the growth of new applications and wireless networking in store without affecting the end-user experience, increasing deployment costs or growing staff burdens.
About Fortinet

Fortinet is a global provider of high-performance network security solutions that provide our customers with the power to protect and control their IT infrastructure. Our purpose-built, integrated security technologies, combined with our FortiGuard security intelligence services, provide the high performance and complete content protection our customers need to stay abreast of a constantly evolving threat landscape. More than 125,000 customers around the world - including the majority of the Global 1,000 enterprises, service providers and governments - are utilizing Fortinet's broad and deep portfolio to improve their security posture, simplify their infrastructure, and reduce their overall cost of ownership. From endpoints and mobile devices, to the perimeter and the core - including databases, messaging and Web applications - Fortinet helps protect the constantly evolving networks in every industry and region around the world.

AMERICAS HEADQUARTERS
1090 Kifer Road, Sunnyvale, CA, United States
Tel Fax

EMEA HEADQUARTERS
rue Albert Caquot, Sophia Antipolis, France
Tel Fax

APAC HEADQUARTERS
Beach Road, The Concourse, Singapore
Tel Fax

Copyright 2013 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet's General Counsel, with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet's internal lab tests. Fortinet disclaims in full any guarantees. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.