Unwrapping Retail’s Cloud Security and eCommerce Risks this Holiday Season

November 24, 2021 Sam Flaster

Retail’s Cloud Security and eCommerce Risks this Holiday Season

Sustained supply chain issues, shipping delays and other current realities have combined to extend the duration of the 2021 holiday shopping season. While retailers work hard to adjust, there’s reason for holiday cheer — according to National Retail Federation estimates, 2021 holiday sales will grow between 8.5% to 10.5% from 2020.

Consumers are shopping eagerly, both in-store and online. To support their customers’ omnichannel shopping experiences, retailers are utilizing operational efficiencies of cloud-hosted eCommerce sites and applications to improve the customer experience. Just a few examples include:

  • Real-time inventory tracking with cloud-hosted databases and applications
  • Personalized shopping experiences with cloud-hosted big data and machine learning services
  • Better eCommerce site performance and availability during peak shopping periods with auto-scaling capabilities in Infrastructure-as-a-Service (IaaS) environments, including serverless functions

Despite these advantages, retailers must remain wary of attackers seeking to capitalize on big shopping holidays, including attempts to gain unauthorized access to cloud-hosted systems. In fact, as the FBI warns of increased scams and fraud, and for retailers embracing the cloud to make the most of this shopping season, security must remain a top priority. According to IBM, the cost of a data breach for retailers increased 62.7% in the last year, with an average cost of $3.27 million.

Cloud-hosted PII Elevates the Risk (and Cost) of an eCommerce Security Breach

No matter where customers transact— in-person or online — many retailers store personally identifiable information (PII) and payment details in the public cloud to drive cost efficiencies for storage and processing. For attackers, this provides major opportunities: one successful attack on the right database or cloud storage system can lead to devastating, far-reaching consequences — from financial loss and legal action to reputational damage and loss of customer trust.

Additionally, since retailers collect credit card information, they are subject to the PCI (Payment Card Industry) Data Security Standards, which compel them to “ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access.” Failing to protect this data, even inadvertently, can expose retailers to fines and other penalties.

Five Common Cyber Weaknesses in Retail

As recent data shows, data breaches are increasingly common in the retail industry. And risk factors can easily compound in dynamic cloud environments, while rapid introduction of new cloud provider services can accelerate the potential for security mistakes and misconfigurations. Some of the most common weaknesses that can be exploited in the retail space include:

  • Excessive PII access from misconfigured entitlements. The rapidly changing nature of the cloud means that resources are often configured to grant human and machine identities excessive access. Attackers and malicious insiders can exploit identities with excessive permissions to reach critical cloud infrastructure, steal or alter sensitive data or interrupt cloud-hosted services. The principle of least privilege access is key here — all identities should have only the bare minimum necessary permissions to perform their intended functions.
  • Event-driven scaling during holiday shopping peaks. Many retailers utilize serverless functions for event-driven eCommerce site architectures, triggering scaling processes in times of peak demand such as Black Friday or Cyber Monday. This rapid scaling can minimize website latency and optimize customer shopping experiences. But serverless functions can also be notoriously powerful in the hands of an attacker. For this very reason, implementing least privilege is critical for all serverless functions across all major public cloud providers.
  • Gaps in internal Identity and Access Management (IAM) enforcement. If an unprotected workforce identity with sensitive access to cloud resources is compromised, an attacker can gain access to those resources. In addition to enforcing least privilege across systems, enforcing multi-factor authentication for all employee access to a cloud environment can provide an extra layer of security by reducing risk of credential theft.
  • Hard-coded application secrets. Modern eCommerce applications are the result of complex interactions between machine identities. eCommerce sites build on top of one another, integrating with payment services such as Paypal, Affirm or Klarna. When building their eCommerce applications, developers can sometimes leave secrets (credentials, passwords, keys and tokens) embedded in their code, exposing them to potential attackers. Throughout DevOps pipelines and eCommerce software supply chains, all hardcoded secrets should be securely managed and programmatically rotated to reduce the risk of compromise.
  • eCommerce website vulnerabilities. Attackers also look for easy ways to exploit common vulnerabilities within eCommerce sites. Without the right layers of security in place, retailers are vulnerable to attacks such as Distributed Denial of Service (DDoS), SQL injection and e-skimming — all of which can disrupt business and potentially give attackers access to valuable customer data. Retailers should follow Center for Internet Security (CIS) best practices to mitigate these risks.

Steps to Secure the Cloud and Minimize Holiday eCommerce Disruption

Fortunately, there are established controls that can help retailers strengthen the security of their cloud environments this holiday season. Check out the eBook “Retail and eCommerce: Securing Your Brand and Locking in Consumer Confidence” to explore best practices. You’ll also discover how your retail organization can “unwrap” new operational advantages and drive secure, rapid cloud expansion with unified Identity Security.


Previous Article
Identity and Access Management is Changing: Here’s Where It’s Headed
Identity and Access Management is Changing: Here’s Where It’s Headed

We’re living in an exciting, highly dynamic world that is driven by rapidly evolving technology. To grow an...

Next Article
How to Use the MITRE ATT&CK Framework to Fight Ransomware Attacks
How to Use the MITRE ATT&CK Framework to Fight Ransomware Attacks

Chinese military general Sun Tzu’s treatise The Art of War has been cited over the years by millions of sel...