Data policies and next-gen firewalls are critical.

May 13, 2019


By Derek Handova

In e-commerce security, usually the focus goes to securing the e-commerce server and the application. That makes sense because most attacks take place there. However, other attack vectors need to be taken into account, in particular the endpoints.

That’s important because e-commerce sites have a client-server architecture where the server is the application, which trusts authenticated clients — but these endpoints aren’t always trustworthy. For example, if an employee with an admin account loses an insecure, logged-in mobile device, whoever finds it could access the site. Considering that many e-commerce site operations are outsourced, this article will look at how MSSPs can secure e-commerce endpoints for their e-commerce customers.

Data Security Policy for E-Commerce Endpoints

When considering how MSSPs can secure e-commerce endpoints, the first order of business must be creating a data policy to ensure that the right people can access the right apps at the right time. In conjunction with developing a data policy for their customers, some security experts think MSSPs should use authentication to make sure these people are who their endpoints say they are. In addition, MSSPs should get a handle on their structured data, making sure data is masked, encrypted, and adheres to critical compliance regulations.

“Data policy is important for quantifying what you have and what the appropriate security controls are to apply to each type of data,” said George Mateaki, security analyst at SecurityMetrics, a data security and compliance firm. “The more valuable the data, the more stringent the security controls required. Anything of any importance needs to be encrypted. This usually has an inconvenience cost but still needs to be part of any serious data policy.”

However, other security experts say people might overlook unstructured data; for example, e-commerce operators often will leverage unstructured data, which can make up more than 80 percent of an organization’s overall data, according to Gartner.


“But not everyone has access to a big data store, so often what happens is this information is pulled down from a big data repository into a spreadsheet for analysis, where it’s no longer protected,” said Mark Cassetta, senior vice president – strategy, for Titus, a data protection vendor. “Or another example: An employee may want to share details or trends among an e-commerce operator’s top 20 customers, sharing that information as an unsecured Word document. So what MSSPs must do is work with their e-commerce customers to develop a holistic data strategy that not only looks at data repositories but also how that data is extracted.”

Securing IoT Endpoints for E-Commerce

With the explosion of mobile devices, in-car connectivity, sensors, and other internet-of-things innovations, a critical focus on security has arisen — particularly for e-commerce applications. In addition, such demand has built up to troubleshoot IoT endpoint compliance with data privacy and protection regulations that, unless MSSPs can find qualified personnel, disaster could well ensue.

“To put it bluntly, there’s a worldwide shortage of infosec talent and the number who understand information security and regulatory compliance is small enough a significant number of them are on a first-name basis,” said Trevor Pott, product marketing director at Juniper Networks. “Centralizing scarce talent within MSSPs and vendors makes it easier to train the next generation of defenders and build the next generation of security products. One day, we hope to see a depth of information security knowledge throughout the IT industry that is comprehensive enough for each organization to effectively secure their own networks.”

But until enough properly trained and insightful talent can be developed to create this next generation of IoT security products, securing e-commerce endpoints means leveraging existing technology as much as possible. This could include next-generation firewalls (NGFs), intrusion prevention systems (IPS) and malware solutions.

“Since many modern IoT devices have limited OS stacks where remote monitoring and management (RMM) agents are tough – or impossible – to install, placing more reliance on NGFs is the next best place to enforce security levels,” said Derrick Wlodarz, president of FireLogic, an IT services firm. “Employing NGF units at all locations that can host IPS/IDS and malware filtering is a critical first defense that can also help produce logs IT pros can use to connect the dots on potential issues.”

Backing Up E-Commerce Endpoints?

Given that most e-commerce endpoints are headless devices, endpoint experts generally seem to hold that securing them doesn’t necessarily include backing them up. What is more important is protecting them from exploits like phishing and ransomware in the first place, if possible.


“The reason IoT devices for e-commerce applications are so important is that they collect revenue impacting data that improves agility for the customer,” said Stephan Tallent, senior director of MSSP and service enablement at Fortinet, the security solutions provider. “Due to the headless nature of IoT devices, ransomware/malware protections cannot be installed on IoT devices. That’s why ransomware attacks that target IoT devices are becoming more common. The key to a ransomware attack is to wipe the devices and recover from backups.”

Still others believe that while traditional ransomware and malware solutions cannot be installed on endpoints, MSSPs can manage them securely in different ways.

“Endpoints are the primary target of a bad actor as they are often the path of least resistance, so it is important to make sure there is active security on the endpoints,” said Zane West, director of product management at Proficio, a global MSSP. “This goes beyond traditional antivirus solutions — most organizations are looking for a solution that has full endpoint detection and response capabilities with continuous monitoring of not only antivirus alerts but also file integrity monitoring cross-correlated with network traffic through the firewalls to detect anomalies.”

Proactive E-Commerce Endpoint Security?

When it comes to deciding how MSSPs can secure e-commerce endpoints for customers, the first thing to realize is that security is everyone’s responsibility. And the first step to understanding that is that endpoint security is not just an IT problem.


“Security presents a significant business risk,” said Ken Galvin, senior product manager, unified endpoint management business unit, Quest Software. “It should be a high business priority for IT admins and the C-suite alike to develop predefined, automated processes that can be immediately evoked in the event of a lost computer or device, data breach or employee termination.”

Beyond that, proactive e-commerce endpoint security involves more than being ready for an attack and thinking of all the possible vectors. It requires preemption, if possible, and after-attack action on any attempted or successful exploits.

“The essential elements are preventing attacks on endpoints both pre- and post-infection,” said Andy Singer, vice president of product, enSilo, the endpoint security provider. “Protect the data stored on those endpoints and orchestrate automated remediation actions — all in real time, avoiding any business disruption.”
