As online shopping continues to grow and more customers flock to e-commerce, retailers need to ensure they have enough resources to keep their online business performance consistent and properly backed up. A move to the cloud could do just that. But is it a safe option? There are significant security implications of using e-commerce in the cloud for a business -- whether it's just for additional hosting resources for peak demand times, or moving entire platforms or infrastructures to the cloud. This tip discusses what retailers need to consider before making this move, what security pros and cons exist when moving to the cloud, and how e-commerce organizations should balance their IT operations between on-premises hardware/software and the cloud.
What to consider before moving to the cloud
The first consideration e-commerce companies must address is the scope of what they will be placing into the cloud -- will the data include customer payment card information? Will payment card processing be performed in the cloud environment? If the answer to either question is "yes", then the company will need to find a cloud provider that is compliant with the Payment Card Industry Data Security Standard. This may change the scope of the cloud provider business negotiations, and should be carefully considered before signing contracts or fully planning costing models. Most compliant cloud environments cost more to engage since the provider must maintain more stringent security controls and accommodate more rigorous audit testing and reporting.
Retailers should also determine whether the cloud providers they are evaluating can offer innovative security options for processing and handling payment card information or other highly sensitive data. Some cloud providers may offer more advanced encryption or tokenization options for protecting and obfuscating sensitive data, helping to add another layer of security for e-commerce companies.
These services may also be offered by third-party security as a service (SaaS) providers, in which case e-commerce companies should see if there are any native integration options available that offer benefits. For example, some of the encryption and tokenization offerings from SaaS companies may have API access for application integration, or extensive logging or monitoring controls. For encryption in particular, e-commerce companies should determine where the encryption keys are stored and who maintains control of the keys.
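To make the tokenization and key-control points concrete, here is an added example (not code from the article or from any cloud or SaaS vendor) of a minimal token vault: a card number is replaced by a random, format-preserving token that keeps the last four digits, is deliberately Luhn-invalid so it can never be mistaken for a real card number, and can only be reversed by the vault. The lookup index is keyed with an HMAC under a key the merchant holds, which is exactly the "who controls the keys" question the text raises. The card numbers and the vault key are constructed test values.

```python
"""Added example: a minimal tokenization vault and a PAN-leak check.

Constructed for illustration; the vault is an in-memory dict standing in for a
provider's or SaaS vendor's token store, and the key/PAN values are test data.
"""
import hmac
import hashlib
import re
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Format-preserving tokenization.

    A 13-19 digit PAN becomes a random digit string of the same length that keeps
    the last four digits (so receipts and support tools keep working) but is
    statistically independent of the PAN.  Tokens are forced to fail the Luhn
    check so downstream scanners never confuse them with real card numbers.
    """

    def __init__(self, index_key: bytes):
        # The merchant-controlled key protects the PAN->token index; without it
        # the index entries cannot be correlated back to card numbers.
        self._index_key = index_key
        self._token_to_pan = {}   # the sensitive side; must stay under tight control
        self._index = {}          # HMAC(pan) -> token, for idempotent lookups

    def _index_of(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        idx = self._index_of(pan)
        if idx in self._index:          # same PAN always maps to the same token
            return self._index[idx]
        last4 = pan[-4:]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + last4
            # retry on collision, on accidentally reproducing the PAN, or if the
            # candidate happens to be Luhn-valid (then it would look like a PAN)
            if token not in self._token_to_pan and token != pan and not luhn_valid(token):
                break
        self._token_to_pan[token] = pan
        self._index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault holder can map a token back to the card number."""
        return self._token_to_pan[token]


_DIGIT_RUN = re.compile(r"\d{13,19}")


def looks_like_pan(text: str) -> bool:
    """DLP-style check: does this text contain a Luhn-valid 13-19 digit run?

    Useful for asserting that records handed to a cloud application tier carry
    tokens, never raw card numbers.
    """
    return any(luhn_valid(m.group()) for m in _DIGIT_RUN.finditer(text))


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    test_pan = "4111111111111111"           # constructed Luhn-valid test number
    tok = vault.tokenize(test_pan)
    print("token:", tok, "looks like PAN:", looks_like_pan(tok))
    print("round trip ok:", vault.detokenize(tok) == test_pan)
```

The design choice worth noting is the split between the two dictionaries: the token-to-PAN map is the asset that must remain under the merchant's control (or with a PCI-compliant provider), while the application tier running in the cloud only ever sees tokens, which `looks_like_pan` can confirm before data leaves the trust boundary.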
Selecting a cloud provider
Very few major cloud providers have extensive network security control offerings. For example, Amazon Web Services and Microsoft Azure offer "security groups" that are very simple network access control lists and do not cover more robust network security filtering and protection. E-commerce companies should determine if the cloud providers have network security that meets their needs, and also whether any network security vendors they use have products that can be installed and managed in the cloud. Two-factor authentication for access and management of cloud resources is also paramount, and this control should be evaluated carefully before moving to a cloud environment. Finally, API security should be scrutinized for any cloud providers where application integration will be performed.
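The following added example (not code from the article or from any provider) shows what the "security group" model actually expresses, namely a flat list of protocol, port range and source CIDR tuples, and how a practitioner can audit such rules for world-open administrative ports before trusting them as the only network control. `SAMPLE_GROUPS` is constructed data whose shape loosely follows the JSON an AWS `describe-security-groups` call returns; it is not from a real account, and the list of sensitive ports is an assumption you would tune to your own environment.

```python
"""Added example: audit simple cloud network ACL ("security group") rules.

Constructed for illustration.  These rules can only say which CIDRs may reach
which ports; they carry no payload inspection or stateful filtering, which is
why this audit can flag exposure but nothing about the traffic itself.
"""
import ipaddress

# Assumed list of ports that should never be reachable from the whole Internet.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}

# Constructed sample: a web tier that correctly exposes 443 but also leaks SSH,
# and a database tier with a correct scoped rule plus a catch-all mistake.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db-example", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
]


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. any source on the Internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_sources(perm: dict) -> list:
    """Collect IPv4 and IPv6 source CIDRs from one rule."""
    v4 = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    v6 = [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return v4 + v6


def findings(groups: list) -> list:
    """Return one finding per rule that exposes an admin port, or everything,
    to the whole Internet.  Each finding is a dict with group, issue, severity."""
    out = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not any(is_world_open(c) for c in rule_sources(perm)):
                continue                      # source is scoped; not a finding here
            if perm.get("IpProtocol") == "-1":
                out.append({"group": group["GroupId"],
                            "issue": "all protocols and ports open to the world",
                            "severity": "HIGH"})
                continue
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            if lo is None or hi is None:
                continue
            exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
            for port in exposed:
                out.append({"group": group["GroupId"],
                            "issue": f"{ADMIN_PORTS[port]} ({port}/{perm['IpProtocol']}) open to the world",
                            "severity": "HIGH"})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_GROUPS):
        print(f"[{f['severity']}] {f['group']}: {f['issue']}")
```

Note what the audit does not report: port 443 open to the world on the web tier is expected and passes, and nothing in the rule format lets the audit say anything about what the traffic on that port contains. That gap is precisely where the text suggests bringing in a network security vendor's product that can run inside the cloud environment.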
The benefits of moving e-commerce to the cloud
There are significant benefits of moving to the cloud -- even from a security standpoint. Cloud providers may offer significant redundancy and backup capabilities that would be difficult to match internally. For disaster recovery and business continuity purposes, e-commerce companies may find cloud providers have better uptime and SLAs than they could maintain on their own. Before working with a cloud provider, companies should ask for references and statistics on uptime, as well as any outage cases that can be discussed. Scalability can also be improved and scaled back more readily in a cloud environment, which is a major benefit for the e-commerce industries where capacity may not be needed all the time.
Does e-commerce in the cloud make sense for you?
Perhaps most importantly, e-commerce companies need to take a longer view of cloud implementation and determine what makes sense in the cloud versus what doesn't. For example, storing all sensitive data in the cloud may not make sense, but the front-end applications and tokenization may be a good option for performance and scalability improvements. Keep in mind that the use cases for implementing cloud today may change over time, so organizations should ensure they choose providers that can grow with the business, and meet not only the security requirements of today, but those that may emerge down the road as well.
About the author:
Dave Shackleford is the owner and principal consultant of Voodoo Security LLC; lead faculty at IANS; and a SANS analyst, senior instructor and course author. He previously worked as CSO at Configuresoft; as CTO at the Center for Internet Security; and as a security architect, analyst and manager for several Fortune 500 companies. He currently serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.