ISACA Journal
Volume 3, 2,015 


Cloud Computing: Software-defined WAN Changes Retail Security Paradigm 

Steve Woo 

The adoption of cloud-based retail applications, as well as increasing demands for agility, for example, with pop-up retail, is changing the requirements for network access. These trends impact users working from remote retail branches who are accessing applications over the wide area network (WAN). Along with the challenges of providing network access to cloud-based applications from the WAN are demands of a new cybersecurity paradigm. The new security framework compliance mandates requires the delivery of security services over the cloud without complicating branch infrastructure and increasing cost, especially for retailers who need strict adherence to Payment Card Industry Data Security Standard (PCI DSS) 3.0.

Increasingly agile and distributed businesses, continued migration of applications to the cloud, and the parallel advances in networking have enabled technology companies to deliver innovative new approaches to these security requirements.

Utah-based retailer Redmond Inc., which began in 1958 after a prolonged drought forced two brothers to abandon farming and begin mining a prehistoric salt deposit on their property, operates four Real Foods retail markets in Utah and owns 16 manufacturing plants, warehouse facilities and branches located in Utah and Colorado.

Although the facilities operate separately, a centralized IT organization supports all of them. As a diverse, entrepreneurial company, each brand’s business model places different demands on the IT infrastructure. For example, the retail stores require compliance with PCI DSS, integration with the existing IT security infrastructure that includes firewalls, intrusion detection and prevention services; and VPN services. Wholesale manufacturing and warehouses require support for mobility, and branch office workers need secure access to their company desktop while teleworking. This diversity creates challenges for the IT team, which needs to support all of the business’s operations from a common infrastructure in their headquarters.

Redmond’s far-flung operations are connected by a WAN comprised of public Internet links. Advanced security for the applications and devices accessing the cloud applications over the Internet is critically important. Users sometimes had difficulty accessing their virtual desktops, encountered downtime or experienced poor voice quality. Redmond’s IT team wanted a WAN solution that would allow them to migrate their unified communications and virtual desktop systems to significantly improve performance and employees’ experiences everywhere across the organization.

Compounding the problem were branch office network devices that were reaching end-of-life status. It made sense to decide on a new WAN solution before upgrading branch locations. PCI DSS compliance was another concern. The company’s retail locations accept credit card payment and, therefore, must comply with PCI DSS. Retail point-of-sale (POS) systems were compliant with advanced firewall, intrusion detection and software features. However, Redmond wanted to enhance the security of its WAN to further secure retail operations. At the same time, a new WAN could not require a network redesign or additional management resources. The IT team operates as lean as possible, and this would not change.

Redmond’s IT team evaluated multiple WAN solutions. They chose a complete cloud-delivered, software-defined WAN (SD-WAN) solution that delivers virtualized services to branch locations with enterprise-class performance, visibility and control. The VeloCloud SD-WAN solution is flexible and can be delivered over the top of public Internet and private networks. The team conducted a proof of concept to ensure that they could connect all branches and achieve improved performance.

SD-WAN delivers enterprise-grade performance across a hybrid WAN combination of private networks and broadband Internet, along with flexible security services such as application-aware firewalls and cloud-enabled virtual private networks (VPNs).

The deployment flexibility of the approach greatly simplified WAN implementation. A business policy approach simplified configurations, including ensuring the correct quality of service (QoS) for business-critical applications. No matter how many Internet links a Redmond site uses or the type of physical connectivity required, it can be handled with automatic discovery instead of manual configuration. Today, Redmond has Long Term Evolution (4G LTE), fiber, digital subscriber line (DSL), cable and mixed 4G/3G wireless links in use across its WAN—all connecting easily with the cloud-delivered SD-WAN.

The solution is now an integral part of the company’s infrastructure and available almost everywhere in Redmond’s WAN, except for a few large manufacturing sites. Aaron Gabrielson, Redmond’s senior manager of IT, says that it takes one IT team member about 30 minutes to install the edge device at each location with only minor changes to the firewall and a few routers. And then they leave—the WAN takes care of itself without requiring IT staff to be present at the remote location.

Key to the deployment is the ease of management based on cloud delivery and adherence to the PCI 3.0 security mandates. With this SD-WAN solution, Redmond IT fulfilled the requirement to segregate the POS network using the virtual local area network (VLAN) trunking feature and restricted user access to the network with a role-based access control. The solution provided an end-to-end encrypted session for the POS traffic with the strong AES-256 scheme and ensured that the payment card traffic was never open in the Internet. Centralized cloud management ensured that policies were consistently deployed across multiple sites and simplified audits to ensure that configurations remained compliant over time.

With the cloud-delivered SD-WAN solution, retailers such as Redmond now have a choice to leverage the benefits of cloud networking and deliver security services in an all-new way.

Steve Woo is cofounder and vice president of products at VeloCloud Inc.


Add Comments

Recent Comments

Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.