Retail IT Networks Under Stress: When Digital Transformation Equals Digital Disruption

What is SD-Branch, and how does a software-defined branch network (SD-Branch) help retailers innovate without business interruption?

Within the retail industry, Point-of-Sale (POS) technology is being pressured to constantly innovate, as people become more hyper-connected as they shop.

 

The retail industry has come a long way during the last decade in its efforts to overcome the challenges of generational and technological shifts that have been disruptive to the business. To stay competitive while catering to new generations of hyper-connected shoppers, Point-of-Sale (POS) technology is being pressured to constantly innovate. Online ordering, in-store beacon technology, cloud POS, omnichannel retail platforms, and digital menus and signage are part of the evidence of those innovations taking place.

We’ve seen the advent of self check-out, RFID technology, and digital wallets, plus we’ve grown accustomed to guest Wi-Fi at pretty much every retail shop. The risks that come with these innovations are not to be underestimated by the tech-savvy retailer. A heavily leveraged store network that is increasingly reliant on optimal network performance and uptime is a disaster waiting to happen if it is not properly secured and monitored. The impact of complacency can seriously damage short-term revenue and also brand reputation (long-term revenue).

Read this article to discover four key challenges facing retail in the age of digital transformation, in the areas of security, business continuity, agility and versatility, and compliance management, and learn how to overcome them.

Find out why a software-defined branch network (SD-Branch) is the future of retail network management and how it can help retailers overcome the above challenges, encouraging them to innovate without business interruption.

Content Summary

Four key challenges facing retail digital transformation
Security challenges
Business continuity challenges
Agility and versatility challenges
Compliance management challenges

SD-Branch helps overcome those challenges
What is SD-Branch?
SD-Branch vs security challenges
SD-Branch vs business continuity challenges
SD-Branch vs agility and versatility challenges
SD-Branch vs compliance challenges
The future of retail networks

Four key challenges facing retail digital transformation

Security challenges

POS systems, payment kiosks, cloud-connected security cameras, Voice-over-IP (VoIP) communications, vending machines, digital signage, office desktops, laptops, guests’ smartphones, wireless access points, firewalls, and other IT appliances are all connected to the store’s network via Ethernet and Wi-Fi. IT sprawl at the store adds complexity to security management, and that complexity means increased risk of a breach. With more connected devices comes an increase in vulnerabilities. Endpoint security alone, without a proper edge security stance, won’t be enough to reduce risks. Yet just a firewall, even a next-gen firewall service, won’t always be sufficient to secure the perimeter.

It all comes down to the level of risk tolerance of the business, but week after week we read about organizations that have been breached and that failed to detect the threat early and respond rapidly and effectively. Traditional network security solutions do not provide the level of visibility and control that is required to face today’s threats. Ransomware is targeting POS systems and the typical defenses are insufficient to combat this cyberthreat.

Ransomware attacks occur every 14 seconds. Source: Cybersecurity Ventures

Business continuity challenges

Network performance and resilience also suffer from the increase of connected devices and apps and subsequent growth of bandwidth demand that comes along with the digital transformation of the business. Quality of Service (QoS) is now a major concern, especially when migrating out of Multi-protocol Label Switching (MPLS) links to reduce cost, increase bandwidth, and gain operational efficiencies.

Also, to avoid store-and-forward of payments and prevent revenue loss, retailers need to preserve optimal uptime. Blackouts and brownouts not only affect short-term revenue but may also impact long-term revenue when the customer experience turns negative during business downtime. It is paramount to be able to accept and process payments even during a blackout of the ISP broadband connection, and also to keep mission-critical applications connected to the colocation and/or to key cloud-based apps.

Nearly 50% of customers avoid a retailer or brand in the future if they had to wait longer than five minutes in line. One out of three customers will abandon the checkout line if forced to wait that long. – Retail Customer Experience.

Like with the security challenges mentioned earlier, it all comes down to the risk tolerance of business downtime. When security fails, a blackout may ensue. But most of the time blackouts are inevitable because they originate at the ISP. ISPs can become a headwind rather than a tailwind, blowing against the digital transformation of the retail business when their traditional approaches to network resilience and availability no longer suffice. 99.9% uptime is not enough; 99.99% is the new standard retailers should aim for.

Agility and versatility challenges

The digital transformation of the retail business can drive an increase in IT complexity and hardware sprawl at the store. It would not be surprising these days to find a closet full of appliances, cables and blinking LED lights at any given retail store. The reality is that most of that hardware goes under-utilized and is expensive to manage and provision. Frequent truck rolls are the norm, and capital and operating expenses go up with each new gadget.

Furthermore, connecting and securing new locations can take weeks or even months if connecting an MPLS link to a branch location. Besides, MPLS is cost-prohibitive for many retailers and has bandwidth limitations. Attempts to deliver a better in-store digital experience can backfire if the network is not properly designed to be agile and versatile.

On the other end of the spectrum, stores connecting via broadband using Virtual Private Network (VPN) tunnels to other stores, to headquarters, or a colocation, face the difficulties of managing those hub-to-spoke and spoke-to-spoke WAN configurations. Hybrid networks are complex to manage and secure; the lack of enough talented cybersecurity specialists only makes it more challenging.

To reap the rewards of the digital transformation in the retail market, retailers and the Managed Service Providers that serve them need to simplify network security, reduce the number of single-point solutions, consolidate IT bills as much as possible, and minimize the number of truck rolls to the store locations.

Compliance management challenges

Payment Card Industry Data Security Standard (PCI DSS) compliance, although a basis from which to start when building a sound cybersecurity strategy, gets challenged when new types of devices connect to the store’s network, such as IoT devices and innovative POS systems. PCI DSS is not a checklist; it is a minimum practice to manage. But the risk of exposure to vulnerabilities increases with every new type of device that connects from within the LAN. “Fear the hacker, not the auditor”, it’s been said.

In short, being PCI DSS compliant is not enough these days. New digital experiences for in-store shoppers require increasing the protection of their transactions and information, but also making sure a zero-trust security policy is in place and that full visibility and control of the network is possible. It is essential to be able to separate mission-critical traffic from non-critical traffic.

SD-Branch helps overcome those challenges

What is SD-Branch?

SD-Branch, software-defined branch networking, is the next step in the evolution of branch technology and can be defined as a single hardware platform that supports SD-WAN, routing, integrated security and LAN/Wi-Fi functions that can all be configured and managed centrally via the cloud. The hardware platform is known in the industry as the “universal Customer Premise Equipment” (uCPE), and it is essentially a multi-functional edge appliance that delivers all-in-one connectivity and security services to a branch location. The uCPE is managed via an orchestrator, a portable web-based console that runs in the cloud and enables the SD-WAN functionalities.

SD-Branch vs security challenges

The big advantage of a robust SD-Branch is the capability to deliver multiple security functions using a single device, the uCPE, installed at the branch. By connecting the uCPE between the ISP modem and the LAN, it is possible to see and control all the traffic that comes in and out of the network (note: not all SD-Branch solutions can deliver this capability). Deep Packet Inspection of all encrypted data, including first packet detection at layer 7 (app level), enables detection and response at the edge. A robust SD-Branch can see all the applications communicating from within the LAN to the internet, and who they are communicating with.

Although an SD-Branch appliance can replace an on-premise firewall or Universal Threat Management (UTM) box at the store, it does not necessarily have to. It represents a new paradigm on how to secure the branch network and for certain types of businesses such as highly distributed ones with multiple small-sized locations, it enables consolidating functions into a single piece of hardware, reducing IT sprawl at the branch, and consequently reducing the exposure to cyberthreats. An SD-Branch solution can complement a firewall and UTM, but for small to medium size retail locations, it makes more sense to shift strategy and replace with what can work as a UTM solution at the edge.

So, why would I replace my firewall or UTM box with this uCPE if they fulfill the same functions albeit orchestrated differently, you may ask? The answer is that the uCPE delivers much more than software-defined security. When security fails, business continuity is at stake, and this is where SD-Branch shines again with the all-in-one hardware platform.

SD-Branch vs business continuity challenges

The multicarrier cellular failover capabilities of a robust SD-Branch solution, delivered via an integrated modem, are central to delivering the resilience and business continuity essential to a retail operation. When broadband connectivity fails, it becomes imperative to stay in business, not just for the sake of avoiding revenue loss but also to keep delivering a positive experience to the customer. Cellular failover kicks in only when needed, whether during a blackout or when overall Quality of Service (QoS) drops below a pre-established threshold. The goal is to move from the 99.9% uptime standard to the “four nines”: 99.99%. A positive by-product of instant cellular failover is avoiding store-and-forward transactions and potentially losing revenue: after all, who remembers that purchase from over a month ago?

The ideal uCPE for a retail use case includes an integrated modem and dual SIM for dual carriers. Netsurion BranchSDO can steer traffic based on pre-established policies and can manage different LAN segments differently during a blackout or brownout. For example, payment processing would be steered via the carrier that shows the strongest signal, while the important but nonessential traffic could be diverted to the second cellular link (the second carrier). With the broad deployment of 5G networks in 2020, any latency concern about connecting via cellular would disappear.
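The failover and steering behaviour described above can be sketched as a small decision function. This is an added example, not Netsurion or BranchSDO code: the QoS thresholds, link names, segment priorities and the choice to drop best-effort traffic during failover are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical QoS floor; a real deployment sets these per policy.
MAX_LOSS_PCT = 2.0
MAX_LATENCY_MS = 150.0

@dataclass
class Link:
    name: str
    kind: str                 # "broadband" or "cellular"
    up: bool
    loss_pct: float = 0.0
    latency_ms: float = 0.0
    signal_dbm: float = float("-inf")   # cellular only; higher is stronger

def healthy(link: Link) -> bool:
    """A link is usable as primary only if it is up and above the QoS floor."""
    return (link.up and link.loss_pct <= MAX_LOSS_PCT
            and link.latency_ms <= MAX_LATENCY_MS)

def steer(links, segments):
    """Map each LAN segment to a link name, or None if the segment is dropped.

    segments: {segment name: "critical" | "important" | "best_effort"}
    """
    broadband = [l for l in links if l.kind == "broadband" and healthy(l)]
    if broadband:
        # Normal operation: cellular stays idle, everything uses broadband.
        return {seg: broadband[0].name for seg in segments}

    # Blackout or brownout: rank the cellular carriers by signal strength.
    cellular = sorted((l for l in links if l.kind == "cellular" and l.up),
                      key=lambda l: l.signal_dbm, reverse=True)
    plan = {}
    for seg, priority in segments.items():
        if not cellular:
            plan[seg] = None
        elif priority == "critical":
            plan[seg] = cellular[0].name      # strongest carrier for payments
        elif priority == "important":
            plan[seg] = cellular[-1].name     # second carrier when available
        else:
            plan[seg] = None                  # assumption: guest traffic is dropped
    return plan

# Constructed sample data: one brownout scenario.
SEGMENTS = {"payments": "critical", "signage": "important",
            "guest_wifi": "best_effort"}
BROWNOUT = [
    Link("broadband", "broadband", up=True, loss_pct=8.0, latency_ms=40.0),
    Link("carrier_a", "cellular", up=True, signal_dbm=-70.0),
    Link("carrier_b", "cellular", up=True, signal_dbm=-95.0),
]

if __name__ == "__main__":
    print(steer(BROWNOUT, SEGMENTS))
```

Keeping the payment segment on its own path while untrusted guest traffic is held off the backup links also preserves the segmentation the store relies on during an outage.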

By integrating the cellular modem into the uCPE box and managing it via the cloud-based orchestrator, SD-Branch again reduces hardware sprawl at the branch and simplifies business continuity management. External modems are no longer needed and there is one less management console to learn and work with.

Resilience not only means ensuring that the retail store is always connected to the internet: it also means that it can always reach headquarters, a colocation, cloud apps, and the other branches, via any of the secure VPN tunnels. VPN management can be extremely complex and work-intensive but the ideal SD-Branch solution includes Auto VPN, which delivers that network resilience and availability.

SD-Branch vs agility and versatility challenges

By consolidating multiple network and security functions into an all-in-one multi-functional device, SD-Branch reduces complexity and cost. It enables rapid service deployment and zero-touch provisioning, reducing the number of truck rolls to the location and calls to help desks. By adding managed services delivered through the appliance, SD-Branch facilitates transitioning from a CapEx model to an OpEx model where services can be scaled up and down based on needs at the time. The total cost of ownership (TCO) is vastly reduced and retailers can focus on selling rather than troubleshooting expensive, and often underutilized, network security appliances.

But is a uCPE a single point of failure, you may ask? The reality is that the uCPE boxes come preconfigured and can be re-configured remotely very quickly, making replacing a malfunctioning device as simple as its original installation. Indeed, connecting a new store location can be done by non-technical staff in a matter of minutes. The same applies to a replacement. The ease and speed of deployment are among the benefits of SD-Branch most valued by highly distributed businesses such as Quick Service Restaurants, C-Stores, and other types of franchises.

There are other aspects of how an SD-Branch solution delivers agility and versatility. For example, BranchSDO facilitates the orchestration of Internal Vulnerability Scans. It is possible to schedule regular scans of different stores across the network, choosing the best times for each to be as non-intrusive as possible. Another example is the speed and ease of creating site-to-site VPN meshing. The virtualization of network functions has benefited distributed businesses and MSPs as much as it has benefited datacenters. Agility is the element of SD-Branch that is most valued by MSPs serving cost-conscious clients because of the rapid service and the cost-efficiencies.

SD-Branch vs compliance challenges

SD-Branch solutions check many boxes when it comes to PCI DSS compliance. The ability to segment traffic is essential to ensure that credit card transactions are protected from untrusted traffic. Another feature that goes beyond PCI DSS compliance is the ability to switch LAN ports on the uCPE to WAN and vice versa, and to close the unused ones to prevent rogue devices from being connected to the network via Ethernet.

BranchSDO is a comprehensive SD-Branch solution that has security at its core and offers PCI DSS tools and support. The Netsurion CXD edge appliances are purpose-built for small to medium-size branches typical of the retail industry and offer audit trails, log keeping, and support for many PCI DSS requirements. An SD-Branch solution that caters to retail must offer the necessary add-ons to help retailers not just demonstrate compliance but go beyond the minimum and comprehensively protect their brands.

The future of retail networks

SD-Branch is the future of retail network management. SD-Branch delivers the scalability and versatility needed to keep innovating and transforming the business to stay competitive but without affecting security and business continuity. As hybrid networks become more complex, prevention, detection, response and prediction of threats become more demanding intellectually and financially. SD-Branch responds to those challenges by reducing complexity and cost and by improving security and resilience. A managed SD-Branch service is the way to go for SMB and highly distributed businesses and, for those large retailers with an in-house network security team, it delivers a powerful and affordable solution that can keep up with the pace of the digital transformation while avoiding digital disruption and self-inflicted damage.

Source: Netsurion

Published by Thomas Apel, a dynamic and self-motivated information technology architect, with a thorough knowledge of all facets pertaining to system and network infrastructure design, implementation and administration. I enjoy the technical writing process, answering readers' comments included.