C-note: Observations from the NRF Show – Cool Stuff and Advanced Technology

By Rick Dakin, CEO, Chief Security Strategist

To the many friends we met at the National Retail Federation’s "Big Show" in New York City January 16-17, 2012, thank you for your time.  It’s always nice to connect and discuss strategic direction at a show that introduces a wide range of new services and capabilities for more than just the retail community. 

For our friends who are not in the retail industry and for those who could not make it to the "Big Show", I’d like to summarize the strategic opportunities demonstrated by several organizations.

First … the really cool stuff:

  • Several companies, including PayPal and Google, introduced new electronic wallets, and the features delivered through integrated cloud services were impressive.  Within a year you will be able to register for an online wallet, fund it with a small cash or prepaid balance, and load it with coupons and gift cards.  The wallet will live in an "app" on your smartphone, and NFC (Near Field Communications) hardware is arriving in handsets now: Android 4.0 (Ice Cream Sandwich) adds platform support for it.  NFC phones will offer a low-cost form of electronic payment that applies payment, coupons and gift cards with a single tap at the terminal.

  • Many retailers are moving to QR codes.  Take a picture of a product or a sign and the QR code in the store links you to product details and automatically delivers any coupons, bundle offers or "out of stock" delivery options.  The physical and virtual shopping worlds are coming together.

  • In-store signage and kiosks will be expanded to enhance the customer experience.  Plan on every service and vendor pushing to interact with each consumer at the moment of purchase.  As products become more technology enabled, in-store test areas will deliver brief instructions on the spot, for example letting shoppers program a new TV remote before they leave.

Now … the technology advances that will impact your security programs:

Mobile computing is big.  Whether you are in retail, finance, healthcare or another industry, consumers expect accurate and current information at the point where service is delivered.  The option to "get back to" the consumer later will diminish.  Customers expect customized shopping support throughout the retail (or healthcare) environment, with real-time data on pricing, availability and sale details.

  • Mobile operating systems do not yet consistently encrypt sensitive data in transit and at rest (including log-in credentials, passwords and downloaded data), and the early device-encryption implementations are weak.  Application developers and administrators will be under heavy pressure to protect the data the platform leaves exposed.  Few mobile applications will meet stringent regulatory requirements, yet they will be widely used by consumers who are unaware of the risks.  Each of us has to determine the liability we accept by allowing consumers to share sensitive information that is not adequately protected.

Cloud computing appears to be the answer to providing the data needed to deliver services in the healthcare, finance and retail sectors.  Our smartphones can now pull down pictures of our kids, calendars for shared events, and sensitive information about how we live our lives.  As financial data and healthcare information head to the cloud, very few vendors demonstrated an ability to segregate or protect the data they store or process.  The rush to deploy cloud solutions carries an implicit acceptance of very high data privacy risks.

A few vendors have started a comprehensive review of their cloud services to identify risks and deploy commensurate controls.  Early adopters like VMware, HP, Oracle and a few others have already launched programs to validate that their cloud services still meet stringent regulatory requirements under FISMA, PCI DSS, GLBA and HIPAA.  These early services will lead the rest of the industry to a safe and secure cloud-based future if we all demand that security be a key part of future mission-critical platforms.

  • Cloud computing started as a public exchange of infrastructure and data under a notice of "Buyer Beware."  However, Electronic Health Records, alternative forms of payment, and the storage of personal information are rapidly heading to the cloud, and the early users of cloud services have been a relatively uninformed public.  Today, millions of Facebook accounts contain sensitive information that exposes their owners to denial of employment, to physical attack, and now to cyber crime.  That same uninformed consumer will be entering your virtual world.  The controls you deploy may limit how they use or share certain sensitive data, but do those controls also protect them in spite of their lack of knowledge about the risk?

Wireless data sharing was everywhere.  The wired world now has a finite future.  Both Wi-Fi and cellular technology are being embedded in more payment and retail solutions.  In-store Wi-Fi is no longer for reading email over a cup of coffee.  Shoppers expect wireless broadband access to check online prices, download coupons and read QR codes.  Stores have to become wireless hot spots to serve a "Me – Now" environment.  The deployment of new wireless communications has not been coupled with stronger security.  Product developers do not uniformly treat security as part of the DNA of a new solution, so merchants and technology users still have to add a security layer on top of the core solution to protect consumer privacy.  Worse, these solutions are being layered onto a single shared infrastructure with no segmentation between functions.  Heck, our cars are becoming hot spots at a time when consumer features and vehicle control systems are not fully segregated.  Can you imagine causing a car to fail while it is moving, as a prank?

  • Wireless security is well understood.  We, as consumers, need to demand that wireless links be secured before we agree to use that infrastructure.  Do not let vendors or a poorly designed wireless deployment transfer the responsibility for protecting data privacy to you, and remember that a glossy brochure is not adequate proof of security.  Each vendor should be able to produce, on request, a record of security testing against the specific requirements of your industry.

Vendors and solution providers are leveraging new technologies to differentiate products and dramatically improve service levels.  However, the new technologies introduce new risks to consumer privacy.  Whether you protect health, financial or credit card data, the underlying demand is the same: we will have to confirm that security has been "baked into" every service and that our support staff has been trained to maintain the new controls.  Our mutual end-user clients expect us to maintain diligent vigilance over the increasingly decentralized use and storage of their personal information.  However, the solutions are coming to market faster than that diligence can be performed.

It will be an interesting and risky few years as we streamline our operations, improve client services, and push for low-cost solutions.  We urge you to move forward and embrace technology that allows you to reduce costs and increase productivity.  And let’s work together to manage risk.