Many retailers, large and small, brick-and-mortar and online, had their brands tarnished by cyberattacks in 2014. While news stories focused on Point-of-Sale (POS) breaches, the initial intrusion often took place in the back office or through a business partner. Bottom line: to protect their reputation and the trust of their customers, retailers must reevaluate the level of security currently in place not only in their POS environments but also throughout their value chain, across their business partners, and at every customer touch point.
As a crucial starting point, every application and server in the datacenter that exchanges traffic with a POS should be segmented into one or more dedicated network zones so that this traffic can be scrutinized. A Palo Alto Networks next-generation firewall can then manage, control, and inspect all traffic entering and leaving the POS datacenter zone(s) and apply security policies that block applications with no business need in those zones, enforce least-privileged access for users (including contractors), and inspect all traffic for malicious payloads to identify and block known and unknown malware.
This segmentation step is critical because attackers typically penetrate the enterprise network at a weak point and then move laterally into the zones that communicate with POS terminals and handle sensitive information such as customer data or payment card numbers. A zone boundary only becomes a real control when the policy across it is default-deny, with explicit rules only for the applications and user groups that have a business need to cross.
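To make the segmentation idea concrete, here is an added, illustrative policy model (not Palo Alto Networks code, and not PAN-OS configuration syntax). It assigns hosts to zones by address, evaluates flows against a first-match rulebase with an implicit default deny, and flags allow rules into a POS zone that wildcard the source zone or the application. Zone names, address ranges, rule names, user groups and the sample flows are all assumptions made up for this example.

```python
"""Zone-based, default-deny policy check for a POS datacenter zone.

Added illustrative example: not Palo Alto Networks code and not PAN-OS
syntax. Zone names, prefixes, rules and sample flows are all constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zones: each server or terminal is placed in a zone by address.
# Anything that matches no prefix is treated as "internet".
ZONES = {
    "dc-pos": [ip_network("10.10.0.0/16")],           # back-office systems that talk to POS
    "corp-it": [ip_network("10.20.0.0/16")],          # general corporate network
    "store-pos": [ip_network("10.50.0.0/16")],        # POS terminals in stores
    "store-guest-wifi": [ip_network("10.60.0.0/16")], # customer WiFi in stores
}
POS_ZONES = {"dc-pos", "store-pos"}


def zone_for(ip: str) -> str:
    """Map an address to its zone name, or 'internet' if it is in no known prefix."""
    addr = ip_address(ip)
    for name, prefixes in ZONES.items():
        if any(addr in p for p in prefixes):
            return name
    return "internet"


@dataclass
class Rule:
    name: str
    from_zones: set[str]
    to_zones: set[str]
    apps: set[str]      # application identities, "any" as wildcard
    users: set[str]     # user groups, "any" as wildcard
    action: str         # "allow" or "deny"


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    app: str
    user: str = "none"  # user group the session is attributed to


# First-match rulebase. Anything not explicitly allowed hits the implicit deny.
RULEBASE = [
    # Contractors get no path into either POS zone, whatever the application.
    Rule("deny-contractors-into-pos", {"any"}, set(POS_ZONES), {"any"}, {"contractors"}, "deny"),
    # Only the transaction application may cross between back office and terminals.
    Rule("pos-app-to-terminals", {"dc-pos"}, {"store-pos"}, {"pos-transaction"}, {"any"}, "allow"),
    Rule("terminals-to-pos-app", {"store-pos"}, {"dc-pos"}, {"pos-transaction"}, {"any"}, "allow"),
    # Administrative access: one application, one named group.
    Rule("pos-admin-ssh", {"corp-it"}, {"dc-pos"}, {"ssh"}, {"pos-admins"}, "allow"),
    # Outbound from the back office to the payment processor only, and only over SSL.
    Rule("dc-pos-to-payment-gateway", {"dc-pos"}, {"internet"}, {"ssl"}, {"any"}, "allow"),
]


def _matches(value: str, allowed: set[str]) -> bool:
    return "any" in allowed or value in allowed


def evaluate(flow: Flow, rulebase: list[Rule] = RULEBASE) -> tuple[str, str]:
    """Return (action, rule name) for the first matching rule, else ('deny', 'default-deny')."""
    src, dst = zone_for(flow.src_ip), zone_for(flow.dst_ip)
    for rule in rulebase:
        if (_matches(src, rule.from_zones) and _matches(dst, rule.to_zones)
                and _matches(flow.app, rule.apps) and _matches(flow.user, rule.users)):
            return rule.action, rule.name
    return "deny", "default-deny"


def overly_permissive(rulebase: list[Rule] = RULEBASE) -> list[str]:
    """Names of allow rules into a POS zone that wildcard the source zone or the application."""
    return [
        r.name for r in rulebase
        if r.action == "allow" and r.to_zones & POS_ZONES
        and ("any" in r.from_zones or "any" in r.apps)
    ]


if __name__ == "__main__":
    # Constructed sample flows: a legitimate transaction, an attempted lateral move
    # from a compromised corporate host, admin access, a contractor, and a guest-WiFi probe.
    samples = [
        Flow("10.10.0.5", "10.50.1.20", "pos-transaction"),
        Flow("10.20.3.7", "10.10.0.5", "smb", "helpdesk"),
        Flow("10.20.3.7", "10.10.0.5", "ssh", "pos-admins"),
        Flow("10.20.3.7", "10.10.0.5", "ssh", "contractors"),
        Flow("10.60.0.9", "10.50.1.20", "web-browsing"),
    ]
    for f in samples:
        print(f"{zone_for(f.src_ip):>16} -> {zone_for(f.dst_ip):<10} "
              f"{f.app:<16} {f.user:<12} {evaluate(f)}")
    print("overly permissive rules:", overly_permissive())
```

The point of `overly_permissive` is the audit a practitioner actually runs after the zones exist: a temporary "any application from anywhere into dc-pos" rule is exactly the path that lets an intrusion elsewhere in the enterprise reach the POS zone, and it should be caught before it is committed rather than discovered in an incident.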
In addition, we recommend strengthening the edge of the network and the endpoints themselves. Palo Alto Networks offers two products that are native parts of our Enterprise Security Platform and strengthen security at the POS:
- Our advanced endpoint protection product, Traps, can be deployed on POS endpoints to prevent malware infection. Taking an approach fundamentally different from signature-based AV products, Traps detects and blocks malware before it installs on the endpoint. Traps receives the latest threat intelligence from WildFire, our threat analysis service.
- Our remote access solution, GlobalProtect, can be deployed on mobile devices and remote computers so that the security team can enforce enterprise policies at the POS and keep policy and protection consistent from the core to the edge of the network. GlobalProtect can also enforce a secure VPN connection from the device it is installed on back to your core infrastructure.
Finally, to complete the security of the POS environment and of the communication between individual stores and the retailer's datacenter, we support the following options, depending on the architecture chosen for distributed stores:
- For stores linked back to a central datacenter via MPLS, our Enterprise Security Platform should be deployed at the core to manage and secure all traffic flowing between the datacenter and the stores. In this traditional and most common case, security is centralized on one of our high-end next-generation firewalls.
- Retailers that want to offer richer customer experiences directly at the POS, with WiFi access and other advanced services, or that need to let store employees connect directly to the internet, can deploy one of our smaller appliances, such as the PA-200, at the store level and benefit from the same advanced security features locally.
Retailers often maintain a hybrid approach to support a broad range of small to large stores cost effectively. They can combine any of the above scenarios to support a mixed environment with minimal or no integration work, because all of the offered alternatives:
- Are based on the same underlying technology
- Can be centrally managed with our administration console Panorama
- Can easily exchange traffic logs
- Use consistent security policies regardless of the appliance deployed
- Seamlessly share threat intelligence
This deployment flexibility with minimal integration overhead is one key advantage of relying on the Palo Alto Networks Enterprise Security Platform.