2 | WHITE PAPER: IMPROVING SECURITY FOR RETAIL WITH IDENTITY AND ACCESS MANAGEMENT
Table of Contents
ca.com
Executive Summary
Section 1: The Growing Diversity in Users, Applications and Access Channels
Section 2: Opportunity - Harness the Power of Identity-Centric Security
Section 3: Technology
Section 4: Benefits - Support Key Business Goals
Section 5: Conclusion - Innovation and Leadership through Identity-Centric Security
Section 6: About the Author
Executive Summary
Challenge
The retail industry is extremely competitive. Retailers today are focused on improving the traditional
shopping experience and stretching profit margins, while finding innovative ways to attract new
customers and grow revenue. The retail business itself is increasingly driven by technology, with
associates, customers and vendors empowered to access information and make decisions on their
own. The transition from the physical store to the Web store is now overshadowed by the imperative
to offer services on mobile platforms, through social networks and in the cloud. The convenience,
quality and effectiveness of these new tools are becoming a competitive differentiator, making it
possible for retailers to build better, longer-lasting relationships with their customers. Large-scale
incidents of compromise or theft of customers' personal or financial information make the headlines,
but even small-scale attacks can cause significant financial and organizational damage, erasing years
of work spent building customer trust. Identity-Centric Security is a pivotal part of the technology
solutions aimed at making retail more efficient, secure and competitive.
Opportunity
The challenges of 21st century retail are an opportunity for companies to adapt and embrace
technology platforms that create business value. Using practices that put user identities in the center
of the security model, we can confidently extend secure business services through new channels, to
the mobile consumer and over the internet. Doing so confidently, with safeguards that prevent
unauthorized access to customer information, strengthens the relationship and trust between store
and customer. The same model will also make a retailer's internal IT environment more effective by
managing the dynamic access needs of associates.
Benefits
The benefits of Identity-Centric Security can be felt throughout the retail business, with IT helping to:
Quickly deploy new e-commerce services, and provide a compelling and secure experience, across
access models, that turn marketing demographics into customers.
Empower associates to access information and the tools to do their job, across on-premise and
cloud environments, from any authorized device or location.
Protect customer data from insider threat and external targeted attack.
Reduce the effort of security administration in an organization that has high turnover, distributed
management and a large number of remote locations.
Section 1: The Growing Diversity in Users, Applications and Access Channels
Customers who need access to transactions that include buying online, recording loyalty points,
tracking shipment and return at the physical store may need to traverse several websites, sometimes
with different authentication, and provide the same information several times. Associates who have
access to several applications may need to remember and input several forms of authentication.
As competition has grown, retailers have recognized that user access and identity management are a
pivotal part of the customer experience. At the same time, software rationalization initiatives are
looking for opportunities to consolidate and streamline common IT services. Corporate IT
departments that used to provide identity and access management to hundreds of full-time
employees in a handful of locations are now pressured to provide access to thousands of associates
and millions of customers in remote locations and from unknown networks and devices.
Figure 1: Diversity in users, services and access channels (user types: Consumer, Partner User, Corporate User, Store Associate; services: Cloud Platforms, E-Commerce Platforms, Enterprise Data, Store Systems)
Point of sale is moving out of the register line and onto the sales floor, as associates use mobile
devices to interact and assist customers with their purchases.
Providers of branded services expose their applications in the cloud and make them available with
varying degrees of integration.
General corporate functions like human resources, benefits, education, travel, performance
management and facilities management run on multiple applications, some cloud-based.
Marketing and customer retention programs based on social networking and social media make use
of public services to analyze customer data.
Distributed computing places servers and applications onsite at the store or warehouse, where
software runs independently from central corporate IT.
The magnitude of these challenges is large, but the questions are familiar: Who is the user requesting
access? How to validate their identity? What is an appropriate level of access? When to assign and
revoke access rights? Where to store information about users? How to counter persistent threats?
And, possibly most importantly, Who has access to what?
The principles of Identity and Access Management apply to these expanding populations, but the
current processes and systems, built to serve only corporate users, are no longer adequate. A set of
new capabilities is required to successfully expand the number and the types of users, services and
access models that make use of modern retail information systems, while reducing the threat of
identity theft.
Section 2: Opportunity
Harness the Power of Identity-Centric Security
What is needed are fine-grained controls over administrator actions, so that each admin can do no
more than their role requires, and only on the systems under their responsibility. These controls
would include restrictions on what data they can access, as well as what system services they can
control. This level of precise authorization can prevent installation of unauthorized programs, access
to data outside an approved process and external network access, even by criminals who have gained
administrative access.
Figure 2: Privileged accounts can have access that overrides security controls (Application Admin, Database Admin and Operations Admin shown against the stack: End User Client or Browser, Presentation Service, Application Processing, Server O/S, Data Layer, Virtualization/Hypervisor, Physical/Storage)
Partner access
Working with partner organizations, such as wholesale suppliers, vendors or institutional customers,
involves granting access to individuals who work for the partners. These users need to be managed as
individuals, but also tied to the relationships between the retailer and the partner. This requires active
administration in both organizations to enable new users, terminate access and help ensure that any
action taken by the individual user is sanctioned by the partner.
Capabilities in Identity Federation and Delegated Administration simplify the management effort on
both sides by making the partner responsible for the user accounts that can act on its behalf.
Delegated Administration segments the partner's users from the rest of the population and provides
an interface to manage the reduced scope of users (with optional workflow and approval). Federation
allows partner users to authenticate locally with their organization, and gain trusted access to the
retailer's systems. When the user's access is terminated on the partner side, access is no longer
possible to the federated application, requiring no communication or action on the part of the retailer.
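The fine-grained administrator controls described in Section 2 and the partner-scoped Delegated Administration above share one mechanism: every privileged request is checked against the actions, systems and user segments the admin's role covers, and anything outside that scope is denied. The following Python is an added illustration, not code from the white paper or from CA; the role names, system names and partner segment "acme" are constructed.

```python
# Added example (not from the white paper): default-deny authorization for
# administrator actions, scoped by action, system and (for user-management
# actions) the user segment a delegated partner admin is allowed to manage.
# All role, system and segment values are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class AdminRole:
    actions: frozenset                 # what the admin may do
    systems: frozenset                 # which systems it may be done on
    segments: frozenset = frozenset()  # user segments this role may manage

# Constructed role catalogue: a database admin may tune or back up its own
# databases but not install software; an operations admin may patch web
# servers but not touch databases; the partner delegate for "acme" may only
# create or disable users inside the "acme" segment of the partner portal.
ROLES = {
    "db_admin": AdminRole(frozenset({"tune", "backup"}),
                          frozenset({"orders-db", "loyalty-db"})),
    "ops_admin": AdminRole(frozenset({"restart", "patch"}),
                           frozenset({"web-01", "web-02"})),
    "partner_delegate:acme": AdminRole(frozenset({"create_user", "disable_user"}),
                                       frozenset({"partner-portal"}),
                                       frozenset({"acme"})),
}

@dataclass(frozen=True)
class Request:
    admin_roles: tuple                    # roles held by the requesting admin
    action: str
    system: str
    target_segment: Optional[str] = None  # set when a user record is the target

def authorize(req: Request) -> Tuple[bool, str]:
    """Allow only if some held role grants the action on that system and, when
    the request targets a user record, also covers that user's segment."""
    for name in req.admin_roles:
        role = ROLES.get(name)
        if role is None:
            continue                      # unknown role grants nothing
        if req.action not in role.actions or req.system not in role.systems:
            continue
        if req.target_segment is not None and req.target_segment not in role.segments:
            continue                      # delegated admin outside its segment
        return True, f"granted by {name}"
    return False, "no held role grants this action on this system/segment"
```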
Figure 3: Social customer lifecycle (Anonymous user -> Registered user -> Validated user)
Section 3: Technology
Capabilities that make identities the center of security management rely on a set of technologies that
together form a comprehensive IAM solution for the Retail sector:
Identity lifecycle management includes provisioning, delegated administration, role discovery and
management, user self-service, and user activity reporting. Support of provisioning connectors to a
wide range of enterprise applications is also essential. In addition, the entitlements of employees and
partners should be validated on a continuous basis to ensure that each user still has the appropriate
rights for their role.
Identity Governance includes processes and controls to facilitate this on an ongoing basis. For
example, automated entitlements certification enables users' managers, role owners, or resource
custodians to periodically review and validate that current access is correct. Unnecessary access
identified through a certification process can be quickly removed to reduce the organization's security
risk. Since many retail organizations have large employee populations that are highly geographically
distributed, automating the process of access validation becomes especially important.
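The entitlements certification described above can be automated by comparing each user's current entitlements with the baseline for their role, queuing anything outside the baseline for the responsible manager, and revoking what the reviewer rejects. The Python below is an added example, not the paper's or CA's code; the roles, entitlements and users are constructed.

```python
# Added example (not from the white paper): build an entitlements
# certification queue per manager and apply the reviewers' decisions.
# Role baselines, users and entitlement names are constructed.

ROLE_BASELINE = {
    "cashier": {"pos:sell", "pos:return"},
    "store_manager": {"pos:sell", "pos:return", "pos:void", "hr:schedule"},
}

# user -> (role, manager, current entitlements); u2 and u3 hold access
# that their role baseline does not justify and so need review.
USERS = {
    "u1": ("cashier", "m1", {"pos:sell", "pos:return"}),
    "u2": ("cashier", "m1", {"pos:sell", "pos:return", "pos:void"}),
    "u3": ("store_manager", "m2", {"pos:sell", "hr:schedule", "inv:adjust"}),
}

def certification_items(users=USERS, baseline=ROLE_BASELINE):
    """Return {manager: [(user, entitlement), ...]} listing every entitlement
    a user holds beyond their role baseline, grouped for the reviewing manager."""
    queue = {}
    for user, (role, manager, current) in users.items():
        excess = current - baseline.get(role, set())
        for ent in sorted(excess):
            queue.setdefault(manager, []).append((user, ent))
    return queue

def apply_decisions(users, decisions):
    """decisions maps (user, entitlement) -> 'keep' or 'revoke'. Entitlements
    marked 'revoke' are removed from the user; the list of removals is returned
    so it can be fed to provisioning and to the audit trail."""
    revoked = []
    for (user, ent), verdict in decisions.items():
        if verdict == "revoke" and ent in users[user][2]:
            users[user][2].discard(ent)
            revoked.append((user, ent))
    return revoked
```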
Advanced Authentication
Retail organizations require a flexible but strong set of authentication capabilities to validate the identities
of all their users. These capabilities should be lightweight, hassle-free, and available on mobile devices.
Advanced Authentication technology enhances Federation and Single Sign-On with risk analysis and
device registration. When a user attempts to authenticate, a risk score is generated based on their
location, time, day of the week, role, and possibly even their previous activity. For example, an
authentication attempt originating from Eastern Europe for a user known to be based in Chicago
would generate a high risk score.
The risk score can then be compared against predefined thresholds. If the authentication is
determined to have higher risk, the user can be required to provide more information to prove their
identity. If the risk score is extreme (like multiple connections in succession from a hack-prone
location), the connection is dropped or redirected for investigation.
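The risk-based flow just described (score the attempt from location, time, day of week, role, device and recent activity, then compare against thresholds to allow, step up, or drop and investigate) is shown below as an added Python example; it is not code from the white paper or from CA. The weights, thresholds, user profiles and sample timestamps are constructed assumptions.

```python
# Added example (not from the white paper): additive risk scoring for an
# authentication attempt with two thresholds, as the paper describes.
# Weights, thresholds and user profiles are constructed for illustration.
from datetime import datetime

HOME_COUNTRY = {"alice": "US", "bob": "US"}  # where each user normally signs in
PRIVILEGED = {"bob"}                         # roles whose compromise has higher impact
STEP_UP_THRESHOLD = 50                       # at or above: ask for more proof of identity
DROP_THRESHOLD = 90                          # at or above: drop and route for investigation

def risk_score(user, country, when, device_known, recent_failures):
    score = 0
    if country != HOME_COUNTRY.get(user):
        score += 50                          # geography the user is not known from
    if when.weekday() >= 5:
        score += 10                          # weekend
    if when.hour < 6 or when.hour >= 22:
        score += 15                          # outside normal working hours
    if user in PRIVILEGED:
        score += 15                          # privileged role raises the stakes
    if not device_known:
        score += 20                          # device not previously registered
    score += min(recent_failures, 5) * 10    # burst of failed attempts, capped
    return score

def decide(score):
    if score >= DROP_THRESHOLD:
        return "drop_and_investigate"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"

def evaluate(user, country, when_iso, device_known=True, recent_failures=0):
    """Return (score, decision) for one sign-in attempt; when_iso is an ISO timestamp."""
    score = risk_score(user, country, datetime.fromisoformat(when_iso),
                       device_known, recent_failures)
    return score, decide(score)
```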
User Directory
The most basic function in Identity and Access Management is to hold and manage information
about people. For internal populations it might include a personal identifier, organizational attributes,
operational attributes and any other data that is used in the process of assigning access, or needs to
be replicated to a production system. For external populations, information might also include the
type of user, the security domain for authentication, and past patterns of access.
This foundational component is often missing in a retail environment, where records of different user
populations are spread across separate user stores, attached to legacy applications or otherwise
segmented. This prevents organizations from asserting the proper controls over identities,
understanding their access and demonstrating governance. A user directory for the purpose of IAM
can also provide a place to store operational data and hold the information required by internal and
external services to determine appropriate access.
The user directory must be flexible enough to support the attributes for diverse user populations. It
must also be scalable to millions of records, reliable with high-availability and fast enough to execute
a high volume of transactions. In addition, it should be capable of guaranteeing local storage of
sensitive data (to accommodate regulations that require user data to be stored within prescribed
geographic boundaries), while presenting a unified view into the entire structure.
Figure 4: Technology capabilities in context (API Management, Advanced Authentication, Single Sign-On, User Store, Identity Management and Governance, Privileged Identity Management)
Section 4: Benefits
Support Key Business Goals
Figure 5: Business benefits (Protect Against Insider Threats and Internal Attacks)
Section 5: Conclusion
Innovation and Leadership through Identity-Centric Security
Section 6: About the Author
Copyright 2014 CA. All rights reserved. Microsoft is either a registered trademark or trademark of Microsoft Corporation in the United States and/or other countries. All
trademarks, trade names, service marks and logos referenced herein belong to their respective companies.
CS200-61604_0314