Styra Academy - Free OPA Training

Retailers Need Unified Cloud Policy in Today’s Hyper-Agile Era

March 4, 2021

In this pandemic-defined era of rapid retail transformation, the digital shopping experience has become tantamount to the success of the business. As a result, retailers have redoubled their efforts to improve digital applications and services. Whether the focus is introducing new services such as curbside pickup, enabling omnichannel experiences, developing intelligent inventory management systems, enabling seamless traffic bursts to the web site during Black Friday-like events or building new mobile apps, the goal is to improve the customer experience, differentiate the business and grow revenue. 

To speed these digital changes, retailers are increasingly adopting cloud-native strategies for  building and hosting digital services. Such strategies enable retailers to accelerate app development — getting new digital services to market faster — while increasing efficiency and often lowering costs for their back-end operations. Retail adoption of the cloud already outpaces the global industry average — a margin is set to grow to seven percent over the next two years — and overall, 93 percent of retailers agree that hybrid-cloud is the ideal IT model. This kind of cloud-based innovation is likely to stay. For instance, Gartner recently predicted that digital innovation taking place in the retail industry, such as contactless commerce, live commerce, enterprise marketplaces and visual configurations (2D and 3D renderings of products with the options or features that customers have selected) will likely remain for the long term.

But as retailers flock to the cloud, they’re encountering cloud-based challenges. Ensuring security and protecting privacy, for instance, is critical for maintaining consumer trust, and yet entails solving unique challenges in cloud-native environments. Addressing these critical concerns means solving for access policy and authorization — the rules around who (people) and what (computer systems) can access which applications and what they can do there — across numerous cloud environments and tools and processes. These issues are vital for building and scaling secure cloud applications, and they can be addressed by adopting a standard, unified approach to policy and authorization. 

Preventing cloud misconfigurations

In the cloud, the biggest risk of breaches comes from cloud misconfigurations — preventable manual errors that leave cloud deployments vulnerable to attack — followed by a simple lack of visibility into access controls, according to research performed by IDC. The risk, in either case, is deploying a digital application that leads to the unintentional exposure of customer data.

With today’s highly accelerated development cycles, one of the biggest risks of misconfigurations comes from simple manual errors that scale in production. This is especially true when security controls are given short shrift in the race to market. One of the best ways to protect against this risk, however, is to introduce and automate policies directly into the developer pipeline — the workbench where developers build applications — that prevent manual errors from occurring. These policies, for example, could prevent developers from accidentally introducing application code that could undermine the application’s security. Such policies enable retailers to eliminate risks early by “shifting security left” and putting security controls directly in the hands of developers. These types of security guardrails, which only allow what’s right, and prevent what’s wrong, have the dual benefit of both improving security and enabling more rapid application development. While such policies do not guarantee that misconfigurations will never occur, they are highly effective guardrails that prevent errors in the vast majority of cases. 

Unifying retail application policy 

An under-discussed element of retail app development is how challenging it can be to unify approaches to authorization. These, again, are the policies surrounding who and what can access which applications, and what they can do, once they’re there. Often development teams, highly skilled at writing code, simply write their own rulesets for the applications they build. This worked when applications had few moving parts and ran in highly controlled small environments. But with the sprawl of components that make up global apps, custom rulesets become brittle, and require constant updates and maintenance, which introduces risk and slows delivery of meaningful customer features.

Having unified authorization can solve these issues, as well as help maintain consistent approaches to security across the organization. This both eliminates the risks of custom, ever-changing rules, and creates a consistent experience for users as they access services across a suite of branded applications even as they scale to thousands or millions of users. 

Yet the challenge that many retailers face is that each digital application — or even each development team — has a different way of handling authorization, which is often incompatible with other approaches within the organization. The reason, quite simply, is because these policies are written in different coding languages, using different logics and hard-coded into the apps themselves — a practice carried over from the pre-cloud, monolithic application style of development. But it is a legitimate problem that these authorization systems cannot, by default, “talk” to each other. Not only does this pose aforementioned security challenges, it also presents other technical problems, such as difficulties in scaling applications efficiently when back-end systems have conflicting authorization systems and policies. It can also slow application development significantly, when dev teams have to re-code authorization policy themselves across dozens or hundreds of services — not to mention the time spent identifying problems from a morass of inconsistent policies in the first place. For customers, meanwhile, this can degrade the experience in two ways: it can create slow-loading applications when back-end services have trouble “talking” to each other; and it can make it seem like numerous different companies manage your applications, when each login and authorization experience differs from the next. 

This brings us to the core point: to be successful in the cloud, retailers will need to adopt standardized approaches to policy and authorization. Such standards must be able to work across all cloud environments, applications and tools — in other words, be “domain-agnostic” — and manageable from a single management plane in order to be effective. When retailers have a single source of truth for policy across the cloud, they can effectively hurdle the obstacles listed from above: improving security and preventing manual error and misconfigurations by shifting security left; speeding development times and enabling app scalability with consistent policies across teams; and improving the customer experience. 

In this high-pressure economic environment, retailers are putting more weight and urgency behind new digital services — and facing new, cloud-based challenges as a result. Many of those problems can be solved, or at least significantly alleviated, by implementing a standard set of rules around how those cloud-based services can function.

Interested in learning more? Schedule some time to speak with us


Related Posts

May 8, 2019

Centralized vs. Distributed Authorization: the CAP theorem

Learn More
February 25, 2021

Using OPA with GitOps to Speed Cloud Native Development

Learn More
October 28, 2021

Microservices Transformed DevOps — Why Security Is Next

Learn More

Request a Demo

1800 Broadway, Suite 1 Redwood City CA 94063