Securing ecommerce operations and meeting PCI compliance
Komplett is the largest online retailer in the Scandinavian region, providing thousands of consumers and businesses with essential goods. With a total of 7 online shops and over $1 billion in revenue in 2019, they have a huge reach across the region.
Industry: Retail
Products: HIAB, SWAT
Redesigning the ecommerce operation for PCI compliance
When Knut Erik Ballestad began his current role at Komplett five years ago, he had the mammoth task of redesigning the security architecture of their ecommerce operation to meet PCI DSS compliance. Knut Erik and Komplett’s team of developers had to tackle the legacy servers and update outdated webshops, which were stuck with old architectures and setups that made protecting the Cardholder Data Environment (CDE), a key requirement for PCI compliance, difficult to achieve and validate.
Knut explains, “We had a huge task when I took on the security responsibility to rewrite and redesign everything - and Outpost24 were integral in helping us understand our security posture and attack surface. We didn’t fully know the attack surface on these old legacy systems, nor the scope of vulnerabilities facing the customer-facing website or how best to protect it from hackers.”
Before Outpost24, they were running annual penetration tests and using a patch management tool, which wasn’t sufficient to cover what they needed as the business grew and scaled up. They realized they needed an integrated security assessment solution for their customer-facing websites and a vulnerability management tool for internal back-end scanning of their old servers, so they could have full visibility and control of their security posture. Using HIAB, Outpost24’s infrastructure scanning solution, helped them create an architectural blueprint and design a ‘secure zone’ for cardholder data.
Knut describes, “The creation of ‘secure zones’ was a game changer for the business and meant we could operate in line with the PCI requirements, protect our critical cardholder data and prove results to management that the security measures were working as they should. This was a vital infrastructure we had to update in order to meet our customers’ expectations to drive the business forwards. Then the key parts of the infrastructure could be prioritized to be ‘fixed’ fast, and the rest could be fixed operationally at a later time.”
Getting to grips with the vast amount of vulnerabilities
As they set out to understand the security posture of their legacy servers, they were hit with an unpleasant surprise.
He explains, “Immediately we saw the results of Outpost24’s infrastructure assessment tool HIAB, they were able to test a couple of hundred servers and found over 100,000 vulnerabilities. We were then able to take this information and agree on which vulnerabilities were high risk and should be patched first. The HIAB service provided an excellent way to find all the vulnerabilities on our old servers, and this was combined into actionable data within the technical user interface, which was extremely useful to help us prioritize our remediation efforts.”
Since implementing Outpost24 in 2015, they’ve been able to better understand and take control of the vast number of vulnerabilities in their infrastructure. Now, five years down the line, Knut and his team take great pride in how they’ve managed to significantly reduce vulnerabilities for the business, and it’s now at a manageable level in 2020.
Delivering a secured ecommerce experience to 1.6m consumers and businesses
The Komplett Group’s webshops sell to consumers, businesses, public enterprises and resellers, with a total of 1.6 million active users and millions of dollars of revenue flowing through their online payment systems. To protect the web stores day to day, the security team also uses Outpost24’s continuous web application testing service SWAT to ensure total coverage for their critical online ecommerce business. In addition, they leverage quarterly pen testing to perform a manual checkup and monitor for any abnormalities.
Knut explains, “I feel confident when it comes to reporting on the results of our website security; having SWAT in place to continuously scan and monitor our portfolio of sites makes it easier. SWAT has brought a greater sense of security control and coverage for our business needs, and we know we have access to the right data to see trends for our own analysis for the wider business.”
Reporting and securing budgets with proven results
Due to the sheer volume of vulnerabilities Knut was faced with, the security team had to spend the budget wisely to ensure remediation efforts were prioritized and to gain the PCI accreditation needed to host and process cardholder information, to the satisfaction of his board.
Knut says, “Reporting is an absolute necessity to demonstrate findings and document our progress to the management board and to prove ROI. We need to report on the facts and build a holistic picture of what the data means for our business. We used this data from Outpost24 to benchmark our performance each month and to show that vulnerabilities were actively decreasing, and that the money spent was effective and made business sense.”
The security team uses automatic alerts to detect technical and configuration vulnerabilities, which gives them the broad vulnerability detection needed for ongoing risk mitigation. They use the interface to see whether any new vulnerabilities have appeared, which is now part of their daily routine. The graphical view on the Outpost24 portal shows the trends over previous months, so they can track and demonstrate their performance against their goals, which is hugely rewarding for Knut and his team.
The additional information and notifications provide context on vulnerabilities and help the team prioritize what to fix and what risks to accept. Knut feeds the solution context and reproduction details into JIRA tickets for the development team to action, ensuring critical vulnerabilities are fixed within 30 days.
Future proofing their security to support a booming business
Like many other ecommerce businesses, Komplett has seen a rise in cyber attacks since the global pandemic; however, they feel confident that they have the protective measures in place to stay ahead of dangerous hackers during these torrid times.
The security team is now on a container and cloud migration path as they move to virtualised web app containers. Knut comments,
“Our security fundamentals brought in by Outpost24 innovation have allowed us to plan for the future, and we continue to use their services to give us a daily view of risk across our portfolio. The results have enabled me to look into new realms to support business growth. I would recommend Outpost24 solutions to any business that struggles to detect and manage vulnerabilities efficiently like we did; their technology is second to none in maintaining the security of our critical web apps and enables us to continually deliver exceptional service to our customers.”