Kroger to Hackers: Get Off My Cloud

NEW YORK — As “cloud computing” continues to be adopted by retailers as a cost-saving alternative to internal technology investments, the security of cloud-based systems should not be overlooked, said a Kroger security expert.

Cloud computing is an emerging model by which retailers can gain access to their applications from any location, through any connected device, dramatically lowering IT costs. It is often associated with software-as-a-service and other service-based business systems.

“Cloud solutions should be based on a secure foundation,” said Darrell Sandefur, technology architect for Kroger Co., Cincinnati, during a presentation called “Hey! You! Get Off of My Cloud” this month at the National Retail Federation's 100th Annual Convention & Expo here.

Sandefur, who is also co-chair of the Cloud Computing Committee of the Association for Retail Technology Standards (ARTS), a division of NRF, referred to a new ARTS document that can help retailers address security concerns in cloud-based platforms.

The document, the Cloud Computing Standard RFP (request for proposal) for Retail, offers “unbiased guidance” for developing request-for-proposal questions for cloud computing vendors. “It can help you determine whether they're doing things in a secure fashion,” he said.

In considering an application from a technology provider, Sandefur said he likes to test it internally to see if it meets Kroger's business and security requirements.

“I want to do a load and stress test on this system,” he said. “While I'm doing that, I'm going to add on my security vulnerability test to make sure there's no kind of brute force attack that could occur because the system has an Achilles' heel.” This has resulted in a few “very eye-opening experiences,” he added.

Sandefur stressed that systems should be assessed for security weaknesses during their construction. Waiting to test an application after it has gone live may prove far more demanding. “Security vulnerabilities are going to build up and you're going to spend two to three weeks resolving issues that you could have been resolving all along,” he said.

He also recommended that retailers apply an “oil change” approach (that is, preventive maintenance) to their software development, pointing out that almost two-thirds of security breaches can be addressed in a simple and inexpensive way if preventive maintenance has been done in advance.

“What I propose to you as retailers, business partners and technologists is that you apply that [oil change] concept to your internal software development and/or require it of your external partners,” he said.

In particular, he stressed that for every three “minor point releases” during development, developers should run an internal security scan. “I don't want to hear excuses from development teams that, ‘Oh, this is just a minor point release; all we did was add some content to that first page on the web store,’” said Sandefur. “At the third minor point release, it is mandatory that you're going to do a security scan.”

Sandefur warned that failing to do a security scan in those cases could result in “opening that door wider and wider and wider. You could have an Achilles' heel evident in your application allowing a hacker to get into your system.”

Another tip from Sandefur is for IT people to become familiar with the security team, who can delay or kill a project if it fails security tests. He also suggested “deputizing” someone outside the security team “with a security-geek edge” — such as himself — to be responsible for security scans. “This has worked out well for us at Kroger,” he said, noting, “It's a virtual [deputy] badge, but one that I wear proudly.”

In addition to security scans, someone should be reviewing logs on intrusion detection or prevention systems, he said. “It's quite an eye-opener if you take a look at the raw logs of what's coming into your DMZ environment and see how many ways people are trying to get into your system.”
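One way to turn the raw DMZ deny logs Sandefur describes into the kind of per-source summary a reviewer would want (how many attempts, how many different doors tried), as an added Python example that is not from the article or from Kroger. The log lines are constructed in a generic firewall syslog style, and the labelling thresholds are assumptions:

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic firewall syslog style (not real traffic).
SAMPLE_LOG = """\
Jan 12 03:14:01 fw1 DENY TCP 203.0.113.5:51234 -> 198.51.100.10:22
Jan 12 03:14:02 fw1 DENY TCP 203.0.113.5:51235 -> 198.51.100.10:22
Jan 12 03:14:03 fw1 DENY TCP 203.0.113.5:51236 -> 198.51.100.10:22
Jan 12 03:14:04 fw1 DENY TCP 203.0.113.5:51237 -> 198.51.100.10:22
Jan 12 03:14:05 fw1 DENY TCP 203.0.113.5:51238 -> 198.51.100.10:22
Jan 12 03:15:00 fw1 DENY TCP 192.0.2.77:40001 -> 198.51.100.10:21
Jan 12 03:15:01 fw1 DENY TCP 192.0.2.77:40002 -> 198.51.100.10:23
Jan 12 03:15:02 fw1 DENY TCP 192.0.2.77:40003 -> 198.51.100.10:443
Jan 12 03:15:03 fw1 DENY TCP 192.0.2.77:40004 -> 198.51.100.10:3389
Jan 12 03:16:00 fw1 ALLOW TCP 198.51.100.200:55000 -> 198.51.100.10:443
Jan 12 03:16:30 fw1 DENY UDP 192.0.2.9:5000 -> 198.51.100.10:161
"""

LINE_RE = re.compile(
    r"^\w{3} \d{2} \d{2}:\d{2}:\d{2} \S+ (?P<action>ALLOW|DENY) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

def parse_denies(text):
    """Yield (src, proto, dport) for each DENY line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("action") == "DENY":
            yield m.group("src"), m.group("proto"), int(m.group("dport"))

def summarize(text, brute_threshold=5, scan_threshold=4):
    """Per source address: denied attempts, distinct target ports, and labels.
    'brute-force' = repeated attempts on one port (thresholds are assumed values);
    'port-scan' = attempts spread over many distinct ports."""
    attempts = defaultdict(int)
    per_port = defaultdict(lambda: defaultdict(int))
    for src, proto, dport in parse_denies(text):
        attempts[src] += 1
        per_port[src][(proto, dport)] += 1
    report = {}
    for src, counts in per_port.items():
        labels = []
        if max(counts.values()) >= brute_threshold:
            labels.append("brute-force")
        if len(counts) >= scan_threshold:
            labels.append("port-scan")
        report[src] = {"attempts": attempts[src],
                       "distinct_ports": len(counts), "labels": labels}
    return report
```

Running `summarize(SAMPLE_LOG)` groups the noise by source so the reviewer sees one host hammering SSH and another walking through ports, rather than a dozen undifferentiated deny lines.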

Sandefur likes to use Google Alerts (email updates of the latest relevant Google search results based on a choice of query topics) to track potential security threats.

“It gives you a daily digest about anyone blogging about you, setting up a web page about you or saying anything about you,” he said, adding that it helps him to “think like a hacker does.”