Defense Commissary Agency striving to balance cyber, CX

Michelyne LeBlanc, the deputy CIO of the Defense Commissary Agency, said the move to zero trust is all about ensuring customer confidence in its services.

For the Defense Commissary Agency, there may be nothing worse than losing the confidence of their customer base.

For any retail grocery store around the world, any loss of customer data or any problems with their supply chain would severely impact servicemembers and their families.

Michelyne LeBlanc, the deputy chief information officer of the Defense Commissary Agency, said that is why employing specific cybersecurity tools and capabilities across their global operations isn’t just a matter of Defense Department policy, but central to DECA’s mission success.


“For DECA with our retail mission being paramount and our responsibility to our patrons to make sure that we’ve appropriately and adequately protected their data, that singular focus on executing the mission while maintaining the safety and security of our environment and our solutions, not only so that we can keep doing business and providing the benefit, but so that we’re doing it in such a way where we’re protecting department and patron data is of utmost importance, not only from mission execution perspective, but also from an optics perspective. It was a struggle for Target or for any retailer when there is confidence loss in the security of their solutions,” LeBlanc said on Ask the CIO. “At least from my experience within partnerships across the broader retail, grocery landscape, the Department of Defense has a strong foundation in cybersecurity. I would hope that instills a strong sense of confidence that not only are we adhering to industry, retail and grocery standards, but we’re also adhering to the standards set by the department.”

DECA is looking at the seven pillars of the DoD zero trust strategy and figuring out how best to meet all the requirements. LeBlanc said working in a retail sector presents a host of different challenges and complexities.

Providing a secure user experience

As with many private sector retail and grocery providers, technology is driving more and more of the user experience. Whether it’s the widespread adoption of self-checkout lanes or the use of mobile applications for coupons, DECA must keep up with the users’ expectations.

“Not only are those technology enablers paramount to our ability to execute our mission, which, of course, is always top of mind, but it’s also paramount to the customer experience. When you walk into a grocery store and all the self-checkout lanes are closed, and there’s only, you know, one lane open with a backlog that reaches to the back of the store, that’s a customer experience that is a lasting one,” LeBlanc said. “Across the retail landscape, and with businesses universally, data is critical, and certainly the exchange of data with our retail suppliers and distributors is fundamental to our capability to keep the shelves stocked, which means getting healthy, affordable food in the hands of soldiers and authorized patrons that need it. That is a fundamental component of not only our zero trust implementation, but just day-to-day operations within the commissary. If we lose those assured connections, not only with our vendors to stock shelves, but even from a payment principle, if you know people are trying to use the payment card industry technologies aren’t able to make those communications, so that’s a problem.”

To achieve those zero trust capabilities, DECA is relying on native cloud security tools as well as turning on more capabilities of the tools it currently owns.

LeBlanc said one key consideration is interoperability with private sector services that DECA and its customers depend on. This makes the business risk side of its zero trust implementation come even more to the forefront.

“We have to ensure that not only our technical solution and architecture is configured in such a way that allows that dialog across a variety of disparate stakeholders, from our distribution partners to the vendors to our e-commerce partners. That is really always top of mind,” she said. “Whatever our zero trust implementation is, we know that we can’t interrupt that interoperability if we’re offline with our vendors or distributors for 24 hours. That’s 24 hours that stores across the world can’t reorder supplies to stock the shelves. While that may seem like a blip, it has significant and serious impacts in the stores and on the shelves, and it only takes a moment to create that bad customer experience.”

Viewing OT, IT through same cyber lens

LeBlanc said that to strike that right balance, DECA is coordinating closely with the experts at Joint Force Headquarters – Department of Defense Information Network (JFHQ-DoDIN).

“The constant feedback helps us make adjustments to our endpoint security posture to the maximum extent possible. We leverage capabilities provided by DoD, such as their identity and credential access management (ICAM) solution and cloud certified security solutions,” she said. “We also have implemented commercial solutions for vulnerability management and device compliance and monitoring, anti-virus and malware. Those are just a few of the ways those endpoints that exist in our ecosystem are managed and protected.”

Another big challenge for DECA is the amount of operational technology it runs, especially at the endpoints.

LeBlanc said they like to look at OT and IT through the same lens.

“Within the landscape of our OT, we’ve got some differences. We’ve got a lot of facilities management systems, refrigeration systems, for example, and those systems are old. I classify them differently as our front line retail technology, with regard to that aging or maybe I’d use the word legacy operational technology, it is more of a challenge, for sure, and we’re really focused as we’re bringing OT more directly into the fold of management,” she said. “Once upon a time we thought of trucks as just trucks. We thought of refrigerators as just refrigerators. Why does my dishwasher need a WiFi connection now? But now all of those systems, whether it’s organic or they were retrofitted with it, have some kind of monitoring and reporting system. Many of those OT systems have their own unique limitations, whether it is processing power or the operating system that make it really just challenging to manage them the same way we do other endpoints. That’s where we really employ a defense in depth strategy that doesn’t rely on a singular layer, but multiple layers to make sure that every node in that network is protected.”

DECA is turning to a combination of tools and automation to address the OT challenges.

LeBlanc said asset management is a good example of how DECA has implemented automated technology that resulted in both better mission success and improved cybersecurity.

“Once upon a time, asset management was walking around with pieces of paper and forms and carrying them from desk-to-desk, a much more labor intensive process. That’s now automated configuration management. We use tools to automate the management and tracking of our infrastructure, and this helps the team provision and configure and deploy our assets across the environment,” she said. “For vulnerability management, we use a system to help assess and gain visibility into the hygiene of our endpoints and infrastructure, which is a significant reduction in manual labor that goes into identifying, collecting, compiling and really the analysis and prioritization of those remediation efforts. I think it’s safe to say that it would be difficult to realize the vision of zero trust without those automated enablers.”
