
Why your brand must embrace 'Zero Trust Security'

The latest network security imperative for brands that operate distributed company stores is Zero Trust, with the assumption, "Never trust. Always verify."


By Jason Graf, VP of product management, Netsurion

Retailers have long taken PCI DSS (the Payment Card Industry Data Security Standard) seriously, requiring both company stores and franchisees to comply in order to protect customer data, prevent security breaches and avoid costly penalties. Nonetheless, POS systems — including those of major brands — are still being hacked on a regular basis.

Digital transformations, cloud, pandemic-related work-from-anywhere, e-commerce growth and third-party partners providing in-store services have made retail and restaurant security even more vulnerable with much broader attack surfaces. Applications are in the cloud, not on the server inside the store network. Mobile POS devices accept credit cards at tableside or anywhere in the store. IoT sensors in freezers are connected to other company networks for monitoring.

Perimeter-only protection has failed. And with cloud and digital transformation, the restaurant is borderless. The resulting new network security imperative for brands that operate distributed company stores is Zero Trust, with the assumption, "Never trust. Always verify."

What is Zero Trust?

Zero Trust is a security model or architecture based on the belief that any person or device, within or outside of the network perimeter, should never be automatically trusted. Additionally, it assumes that internal and external threats exist on the network at all times. As a result, every device, user and data flow must be authenticated and authorized.

Zero Trust is not a device or piece of software that you can buy and install in every store, nor does it replace existing security measures such as firewalls and POS network isolation. Rather, it is an approach to security that is typically deployed over time. It includes security policies, practices, and training aimed at preventing security breaches. One way to understand Zero Trust is to compare what it is with what it is not, as outlined below.

Zero Trust Is...

  • Never trust, always verify.
  • Borderless.
  • Assumes nothing is safe.
  • Controlled access.
  • Assumes breach.
  • Monitor/control inbound and outbound.
  • Monitor everything.
  • Real-time/proactive.
  • Data-centric.

Zero Trust Is Not...

  • Trust but verify.
  • Limited to the office/store.
  • Assumes inside is safe.
  • Wide-open access.
  • Assumes not breached.
  • Monitor/control inbound only.
  • Monitor nothing.
  • Reactive.
  • Device-centric.

If your company has not deployed Zero Trust or is just getting started on the Zero Trust journey, you are not alone. The 2021 IBM/Ponemon Cost of a Data Breach Report found that only about a third of organizations surveyed have a partially or fully deployed Zero Trust approach, and of those, only half have mature deployments.

The Value of Zero Trust for operations and security

Now is the time for brands operating company stores to begin the Zero Trust journey for all facilities — headquarters, branches, stores and distribution centers. From an enterprise perspective, the IBM/Ponemon report makes one advantage of Zero Trust very clear: the average cost of a data breach was $3.28 million for organizations at the mature stage of Zero Trust, compared to $5.04 million for organizations without Zero Trust — a cost difference of 42.3%. Beyond that is the soft cost of reputational damage that comes from having your customers' personal and credit card data compromised.

At the store level, a Zero Trust approach extends protection beyond the "walled garden" of POS to the entire store network, the guest wi-fi network, and data flows to and from the cloud. It aims to protect not only POS credit card data but also financial data, customer information in loyalty programs, and employee data, while preventing the introduction of malware such as ransomware into your network.

Zero Trust ensures that all users and all machines are identified and authorized before they are allowed access to the network. You should know when each employee accesses the network using their own ID, a strong password and Multi-Factor Authentication (MFA). If someone plugs a device into your POS network or attempts to access your wi-fi, a person responsible for monitoring activity on the network should get a notification, investigate, and allow or disallow the connection.

Validating every connection and data flow, inbound and outbound, ensures that all your digital capabilities and diverse digital partnerships are available, whether that's sending credit card transaction data to the cloud, using mobile POS devices and digital signage, accepting online orders, or using digital surveillance or equipment monitoring services. It also prevents unauthorized use of POS systems such as employees using smart mobile POS devices to check personal email or surf the web. With this Zero Trust approach, you are better protected from large-scale vulnerabilities that can bring business to a halt.

Your Zero Trust journey may be underway

"Ticking the boxes" for PCI DSS compliance is essential, but it won't get you all the way to Zero Trust. For example, PCI DSS requires a firewall. Zero Trust would have you fine-tune and continually update firewall settings to enforce policies and control traffic. The good news is that you may already have Zero Trust capabilities in place, based on the security measures in this checklist:

• Do your POS terminals require individual, secure logins?
• Is access to the POS network monitored?
• Do you have network controls based on approved policies?
• Are you capturing security events in a SIEM (Security Information and Event Management)?
• Do you control which devices can be connected to your environment?
• Have you isolated guest access from your business network?
• Do you test your environment for vulnerabilities?
• Do you monitor inbound and outbound traffic?

Barriers to Zero Trust adoption

For midsized brands, there are challenges to adopting Zero Trust. It is an enterprise methodology more suited to company stores, where you have control over the IT infrastructure, than to franchisee networks. In either case, the typical store has no onsite IT support. Implementing machine authentication in practice requires a mature understanding of security in order to function smoothly, particularly when new capabilities are introduced to the store network. Perhaps the most significant barrier will be 24/7/365 monitoring of store networks.

How to start

There are five key capabilities retailers can pursue to begin the Zero Trust journey, either through corporate IT security operations or with assistance from a Managed Security Service Provider.

  1. Ensure all access is uniquely authenticated and authorized via MFA.
  2. Monitor all access to POS systems.
  3. Control and monitor outbound Internet traffic.
  4. Limit capabilities or data flows from the POS network.
  5. Control, authenticate and monitor all devices.
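As an added example (not code from the article or from Netsurion), the following Python sketch shows how capabilities 1, 3 and 5 above could be checked automatically over store-network events: an approved-device inventory tied to a network segment, MFA required for any POS access, and an egress allowlist for the POS segment. The segment names, MAC addresses, hostnames and key=value log format are all assumptions constructed for illustration.

```python
# Added example, not code from the article or from Netsurion: a minimal Zero
# Trust policy check over constructed store-network log lines. Segment names,
# MACs, hostnames and the key=value log format are all assumptions.

# Approved device inventory: MAC -> the one network segment it may join.
APPROVED_DEVICES = {"aa:bb:cc:00:00:01": "pos",   # fixed POS terminal
                    "aa:bb:cc:00:00:02": "pos"}   # mobile POS tablet

# Egress allowlist for the POS segment: payment processor and POS cloud backend.
POS_EGRESS_ALLOW = {("payments.example", 443), ("pos-cloud.example", 443)}

def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value' log line into an event dict."""
    ev = dict(field.split("=", 1) for field in line.split())
    ev["mac"] = ev["mac"].lower()
    ev["port"] = int(ev["port"])
    ev["mfa"] = ev.get("mfa") == "yes"     # absent or "no" both mean no MFA
    return ev

def evaluate(ev: dict) -> list[str]:
    """Return policy violations for one event; an empty list means allowed."""
    findings = []
    allowed_segment = APPROVED_DEVICES.get(ev["mac"])
    if allowed_segment is None:
        findings.append("unknown device")             # never trust by default
    elif allowed_segment != ev["seg"]:
        findings.append("device on wrong segment")
    if ev["seg"] == "pos":
        if not ev.get("user"):
            findings.append("unauthenticated POS access")
        elif not ev["mfa"]:
            findings.append("POS access without MFA")
        if (ev["dst"], ev["port"]) not in POS_EGRESS_ALLOW:
            findings.append("outbound not on POS allowlist")   # e.g. webmail
    return findings

SAMPLE_LOG = [  # constructed sample events
    "seg=pos mac=AA:BB:CC:00:00:01 user=cashier7 mfa=yes dst=payments.example port=443",
    "seg=pos mac=AA:BB:CC:00:00:02 user=shift_lead mfa=yes dst=mail.example port=443",
    "seg=pos mac=DE:AD:BE:EF:00:99 dst=pos-cloud.example port=443",
    "seg=guest mac=AA:BB:CC:00:00:01 user=cashier7 mfa=no dst=cdn.example port=443",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        findings = evaluate(parse_event(line))
        print("ALERT" if findings else "ok", findings, "<-", line)
```

Each non-empty finding is the kind of event the article says the person monitoring the store network should be notified about and asked to allow or disallow.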

The result will be enhanced protection for your stores, your customers and your brand reputation. Retail operations are more dependent than ever on digital capabilities, which means greater risk. By beginning a journey to a Zero Trust network, you can pursue digital transformations with greater confidence.


Jason Graf

Jason Graf is the Vice President of Product Management – Secure Edge Networking at Netsurion. He has spent 20+ years in IT and cybersecurity. In 2018, he joined Netsurion to ensure business needs are met by the edge networking technology platform and services.
