Increasing security and privacy at Microsoft retail stores

Technical Case Study

July 2016

Microsoft Stores are a showcase for Microsoft products and technology. Because of this, some of the challenges that the Microsoft IT Retail Information Security and Privacy (RISP) team face are unique. For example, our goal is to have new hardware and software up and running in our stores on the day they are released. However, in many ways, Microsoft Stores are typical of many modern retail environments—despite the miles of wiring, Wi-Fi, VLANs, wraparound video walls, and high-tech devices on display. Sales, inventory, personnel, and other information is collected and shared with a global management infrastructure, and that information must be both highly available and stored securely. Keeping it that way is the job of the RISP team.

*
Figure 1. Microsoft Store in Scottsdale, Arizona*

Not your average retail store

Some fast facts about Microsoft Stores:

• Stores range in size from the 8,000-square-foot flagship store in New York City, to 150-square-foot installations in shopping malls. The average store is 4,000 square feet.

• In addition to Microsoft products, many stores also sell devices from other manufacturers, such as laptops and tablets.

• Most stores have an Answer Desk that provides free technical support.

• Many stores offer free classes and workshops.

• Microsoft Store is also available online in 190 countries/regions.

Evolution of a security team

When the first Microsoft Store opened in 2009, Microsoft had limited experience in retail, and no experience at all running brick-and-mortar retail stores and their associated security operations. Not surprisingly, in those early days, we sometimes planned security using software development strategies. For example, we sometimes used the waterfall development model—with its sequential stages of determining requirements, designing, implementing, and so on—to develop security plans.

Growing pains

We opened 30 stores in 2011, more than doubling the size of our retail operations in just a few months. That growth spurt revealed that security processes used in a software development company didn't always work for a retailer. We were too often reacting more than planning.

Taking stock

Trying to get ahead of the game, we asked, "What kind of framework can we put in place that will help us to determine what we need to do to ensure security and privacy?"Our first step was to establish our priorities.

Establish priorities

The Microsoft IT RISP team is small, so we must carefully prioritize our work to ensure that we're effective.

Establishing a team's vision and mission can sometimes be so far removed from the practical realities of getting the job done that it may seem to be not much more than an intellectual exercise. However, we have found that having our vision and mission clearly defined helps with long-term planning and sorting out conflicting priorities and requests. If something we're considering or being asked to do doesn't align with our vision or mission, we have to ask, "Is that the right thing to do?"

The RISP vision

Our vision is, "Seamless integration of information security and privacy into our daily business processes results in the simultaneous protection of customer and Microsoft data and continued growth of the business."

We seek to make security and privacy an integral part of the stores'day-to-day activities. We want to integrate security and privacy into all of our plans and processes.

The RISP mission

Our mission is, "The RISP team proactively protects, engages, and responds in both physical and virtual Microsoft retail stores to maintain and further develop the trust of customers and safeguard our retail information assets and data."

Define the risks

• Loss or exposure of sensitive information. The RISP team is responsible for protecting our customer's personal information in the store and on Microsoft corporate networks.

• Malicious activity. Malicious activity can be merely annoying, or it can be a predecessor to the loss or exposure of sensitive data through a malware infection or other means.

• Interaction of disparate environments. Sales, personnel, and inventory data share wired and wireless networks with customer data, email, data from customer demonstration devices, and other business information. Unintended interactions of the disparate environments that share a common infrastructure are a risk.

• Overly permissive access or unauthorized access. We must routinely decide who gets access to data, what kind of data they get access to, and when they have access to it. The challenge is balancing our employees'needs and desires for fast and unfettered access to information with good security and privacy practices.

• Integration of third parties. Hosting providers, suppliers, on-site support, and network vendors need access to networks in a secure and trusted way so that they're not needlessly given access to systems and intellectual property. Providing the right level of access is a challenge.

Set goals

Protect, Detect, Respond are familiar imperatives to professionals in the security field. They are the three pillars of many security programs. To these three pillars of security, we have added a fourth: support.

Protect. Guard against damage, loss, or mischief. We seek to protect retail information and customer data by applying our guiding security principles (listed in the section that follows).

Detect. Identify threats. Again, we do this in both the physical and virtual domains. Through careful monitoring of our networks, we try to detect changes within our environment (for example, a sudden increase in sign-in attempts), and then determine whether those changes are suspicious, malicious, or benign.

Respond. Act to protect when you detect or anticipate a threat. Our goal is to respond in an agile manner, meaning our processes, systems, and services must be prepared to adapt to changes in the threat landscape.

Support. Beyond just detecting, and then responding to threats, we also want to support our peers by being a trusted advisor. For example, if a promotional activity requires customers to provide personal information, such as name and e-mail address, it's our job to help the people planning the activity to collect and store that information in a way that protects customer security and privacy. We review the initiative and provide input and guidance about which controls need to be implemented, and then how to implement them. We can even help to design the solution if that's desired. Acting in a supporting role means that we're actively engaging with our peers to contribute and find ways to help security make the stores successful in addition to reacting to threats.

Establish security principles

We use these ten key security principles to guide our activities.

Audit, monitor, and test. Auditing, monitoring, and testing mechanisms are designed and implemented to detect unauthorized activity, support incident investigations, and ensure overall security. The RSIP team routinely tests new policies and practices at stores to see how they are actually affecting users and to verify that there are no unintended consequences.

Defense through simplicity. Solutions are simple in both design and implementation to allow for streamlined monitoring, alerting, and response. When given the choice between multiple solutions, the simplest should prevail. We strive to make security ubiquitous but transparent to users.

Effective authentication and authorization. Firmly established identity and role-based authorization are essential to making informed access control decisions.

Balance need-to-know and need-to-share information. Information will be shared openly, but only to those parties who require it to perform their defined business functions. For example, store associates need sufficient access to a customer's PC to remove a virus, but they don't need enough access to expose the customer's personal information.

Universal participation. The involvement of all members (including leadership, individual contributors, associates, and contingent staff) is critical to a strong security foundation. Everyone is responsible for security.

Universal expectation. All guidance and direction is firmly rooted in Microsoft policy and industry standards.

Risk-based security. An organization's security is defined by the set of risks it faces. Risk discovery and reviews are central to our program

Defense in depth. Overall security should not rely on a single defense mechanism. If an outer security perimeter is compromised, underlying layers should be resistant to the attack.

Least privilege. Users and systems should only have the minimum level of access necessary to perform their defined function. All unnecessary levels of access should be disallowed.

Agility. Processes, systems, and services must be prepared to adapt to changes in the threat landscape. Agility is even more important in retail, where things like holiday promotions or interactive experiences that have potential security impacts need to be able to be created and implemented quickly and without undue administrative burden.

Develop a team operating model

The RISP team has evolved an operating model that we use to perform our security and privacy mission.

Communicate openly and honestly. This is our foundational concept—everything else is built on it and little is possible without it. Only after we develop open, trusting relationships among all parties is it possible to have the kind of quick, direct, two-way communication that is required to be effective and efficient. If a newly implemented security solution causes a failure, we want people to tell us about it quickly so we can fix the problem. And when we perform security assessments, we want to be able to communicate our findings in a similarly open and direct manner.

Build up, don't break down. This is related to communication and it, too, is foundational. We want to provide excellent service and world-class protection. We do that by affirming the positive—by hard work, excellent communication, and real leadership.

Make everyone responsible for security. This is another way of stating the "universal expectation"security principle mentioned earlier. To be effective, security can't be the responsibility of just the security team. This notion extends from the fundamental level of passwords and key cards to the highest levels of security program development.

A good security program has been compared to a three-legged stool, consisting of people, processes, and technology. You can have the best processes and the best technology, but that counts for little without the active participation of the people involved.

Training to increase security awareness among retail staff is a good way to get everyone involved. Beyond the security and privacy training that Microsoft requires for all employees, retail staff benefit from specialized training (such as how to spot a credit card skimmer, for example).

Constantly advocate. We must be a constant advocate for security, always working to get ahead of security challenges so that we can actively remediate risks and not just be putting out fires. Our point of view is always, "What's the right thing to do from a security standpoint?"When decisions are being made that could impact security, it's our job to be the voice of security and privacy. Even in our day-to-day engagements with the business and with peers, it's important to always advocate for security.

Remediate actively. Formulate a list of risks, and then attack those risks. There will always be a reactive component to security work; that's why we have incident response. Mostly, however, our focus should be on trying to foresee what could happen before it does happen.

Take advantage of other resources. Remember that there are people beyond your immediate team who have special knowledge and skills that can be useful. It's important to draw upon those resources. The next section describes some of the resources that we take advantage of beyond our team.

Take advantage of all resources

One of the advantages of being part of a big corporation is that there are many other people and teams who can lend a hand. Here are some of the teams at Microsoft that RISP depends on.

Cyber defense. The Microsoft Cyber Defense Operations Center (CDOC) brings together security response experts from across the company to help protect resources and to detect and respond to threats in real time, at all times. It is the eyes and ears of information security across all of Microsoft. CDOC performs a variety of monitoring services for the RISP team and can triage incidents, alerting members of the RISP team about any incidents that reach a specified security level. This single, unified monitoring function also frees RISP team members from having to provide 24-hour-a-day security coverage.

Physical security. The Global Security and Operations Center (GSOC) at Microsoft is responsible for the securing Microsoft facilities. At Microsoft Stores, GSOC is responsible for physical security, for example, installing and monitoring security cameras and security badge readers. GSOC is also responsible for employee safety.

Legal support. Security concerns and legal concerns often go hand-in-hand, so good legal support is important. Also, security-related laws vary from region to region, so a cookie-cutter approach is not possible; legal guidance regarding the right way to proceed is often required. Interestingly, sometimes the Microsoft legal department reaches out to the RISP team for help; for example, for security-related validation aspects of a new contract.

IT support. Microsoft IT provides access to networks, applications, and data that enables store staff to do their jobs. As a part of Microsoft IT, we help to guard the security of those networks and protect the data that traverses them.

Off-premises storage and computing. Microsoft Stores rely on both traditional data centers and the Microsoft Azure platform and services to run the business. Microsoft Store locations extending from Boston to Sydney need to connect to both central resources and each other, so a distributed data model makes sense. However, distributed data and computing infrastructure make security more complicated.

Customer Support. Microsoft Stores have dedicated customer service and support, but that support is a part of the larger Microsoft customer service and support team.

Tools of the trade

The tools that we use were not developed especially for retail security. Instead, we use standard information security tools and apply them to the retail environment. Among the tools we use regularly are:

• An intrusion detection system that monitors and automatically detects unusual network activity.

• Security software for code reviews and vulnerability scanning.

• A threat modeling tool to assist in finding threats during the design phase of software projects. (Microsoft Threat Modeling Tool 2016 is available as a free download.)

• A vulnerability scanner that can detect misconfiguration, password shortcomings, vulnerability to denial-of-service attacks, and so on.

• A log management solution that automatically monitors logs, develops a baseline of normal activity, and then flags deviations from that baseline activity.

• A static code analysis tool that can detect security flaws in code.

• A dynamic code analysis tool that analyzes how code works in a production environment.

• A security testing tool that automatically imitates hacking and system attacks.

For more information

Microsoft Store

Microsoft IT

www.microsoft.com/ITShowcase

©2016 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.