
Fortifying e-commerce security with composable architecture

Presented by Commercetools


In the world of e-commerce, user loyalty hangs on trust. To maintain that trust, consumers need to know their data is protected and safe in a world where cyberthreats are leveling up at breakneck speed, and compliance requirements continue to evolve. The consequences of a breach, or not meeting legal and regulatory demands, can be disastrous, ranging from financial hits to disruption of the supply chain, a break in business continuity, negative press and more.

“But security isn’t a revenue generator — it’s a loss prevention policy, where no news is good news,” says Kelly Goetsch, CSO of Commercetools. “It’s hard to invest in something when you can’t see it, can’t touch it and it doesn’t generate money, even when you know a cyberattack is a real threat to the future of their business.”

It’s an ongoing process, he adds, and though there’s no single solution that will eliminate risk and defeat cybercriminals, there’s a good place to start: an organization’s digital commerce platform, which is the very core of the business. And that’s where composable commerce takes the stage.

A commerce platform that dramatically reduces risk

Monolithic legacy platforms restrict innovation and agility, and offer up a vast and tempting attack surface to cybercriminals. On the other hand, API-first composable commerce platforms are made up of independently pluggable, customizable and replaceable modules, an architecture that can narrow the attack surface to a pinpoint.

“All you need is one entry point and you can cause some pretty significant damage,” Goetsch says. “A composable platform with a decoupled front end, only exposing data and functionality through APIs, means you have a single front door that you can lock, as opposed to a bunch of source code and a much larger attack surface area.”

The flexibility of multi-services and multi-tenancy

Another significant drawback of the monolithic platform: too many big retailers with old-school architectures are releasing fixes and updates to production as little as once a quarter, or even annually. When something urgent happens — a security breach, updated security recommendations, an exposed vulnerability or anything else that needs to be addressed quickly — you’re very much out of luck.

Composable architectures, however, are made up of individual microservices, or small applications that sit behind the APIs, which can be easily updated on the fly. Vendors like Commercetools can release updates hundreds, if not thousands, of times a year — any time they’re necessary. If the platform is multi-tenant SaaS, all customers are running the same version of the code. When the company does a release, whether a bug fix or any other update, that change goes out to every customer at once, instead of environment by environment.

“Patching things on a multi-tenant basis lets vendors like us stay on top of security issues,” Goetsch says. “I don’t think there have been any breaches ever in the multi-tenant commerce space. You just don’t hear of it. It’s the single-tenant on-prem commerce platforms that take the hits.”

Composable is about flexibility first and foremost. APIs significantly restrict outside interaction with the platform, while letting the business pivot and change, and release and patch security fixes at scale, at any time.

Composable commerce and security best practices

There are a few moving parts to be addressed before a company can pivot to a composable architecture.

On the tech side, the API gateway that locks down the platform is first up — it’s another layer on top of APIs that homogenizes access to that data and functionality. Any time the system wants to access any piece of data or functionality, it goes through that gateway, where it’s tracked, monitored and logged, and anomalies are detected.
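To make the gateway role concrete, here is an added example (not code from the article or from Commercetools) of a minimal in-memory API gateway: every call to a backend route passes through it, the caller is authenticated, a per-route access list is enforced, each access is written to an audit log regardless of outcome, and a simple anomaly rule flags a client that bursts past a request threshold inside a sliding window. All tokens, client names, routes and thresholds are constructed for the illustration.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Request:
    client_id: str   # client the caller claims to be
    token: str       # bearer credential presented with the call
    route: str       # backend route being requested, e.g. "/carts"
    ts: float        # request timestamp (seconds)


@dataclass
class Gateway:
    """Single front door in front of the APIs (constructed, in-memory)."""
    valid_tokens: dict                 # token -> client_id it was issued to
    route_acl: dict                    # route -> set of client_ids allowed
    burst_limit: int = 5               # more than this many calls per window is an anomaly
    window_s: float = 10.0             # sliding window length in seconds
    audit_log: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    _history: dict = field(default_factory=lambda: defaultdict(deque))

    def handle(self, req: Request) -> int:
        """Authenticate, authorize, log, and check for bursts. Returns an HTTP-style status."""
        issued_to = self.valid_tokens.get(req.token)
        if issued_to is None or issued_to != req.client_id:
            status = 401                      # unknown token, or token not issued to this client
        elif req.client_id not in self.route_acl.get(req.route, set()):
            status = 403                      # authenticated, but route not allowed for this client
        else:
            status = 200                      # would be forwarded to the backend service here
        # Every access is recorded, including failures: that is what makes the gateway auditable.
        self.audit_log.append(
            {"ts": req.ts, "client": req.client_id, "route": req.route, "status": status}
        )
        self._check_burst(req)
        return status

    def _check_burst(self, req: Request) -> None:
        """Sliding-window count per claimed client; exceeding burst_limit raises an alert."""
        window = self._history[req.client_id]
        window.append(req.ts)
        while window and req.ts - window[0] > self.window_s:
            window.popleft()
        if len(window) > self.burst_limit:
            self.alerts.append({"client": req.client_id, "ts": req.ts, "count": len(window)})


def run_demo() -> dict:
    """Drive the gateway with constructed traffic and return what it decided."""
    gw = Gateway(
        valid_tokens={"tok-store": "storefront", "tok-wh": "warehouse"},
        route_acl={
            "/carts": {"storefront"},
            "/inventory": {"storefront", "warehouse"},
            "/customers/export": {"warehouse"},
        },
    )
    t0 = time.time()
    statuses = [
        gw.handle(Request("storefront", "tok-store", "/carts", t0)),             # 200
        gw.handle(Request("storefront", "tok-store", "/customers/export", t0)),  # 403
        gw.handle(Request("storefront", "tok-bogus", "/carts", t0)),             # 401
        gw.handle(Request("storefront", "tok-wh", "/carts", t0)),                # 401: token belongs to warehouse
    ]
    # Warehouse client makes 7 calls within 2 seconds; calls 6 and 7 exceed burst_limit.
    for i in range(7):
        statuses.append(gw.handle(Request("warehouse", "tok-wh", "/inventory", t0 + i * 0.25)))
    return {"statuses": statuses, "alerts": gw.alerts, "log_entries": len(gw.audit_log)}


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the block is structural: authentication, authorization, logging and anomaly detection live in one place, so the backend services never need to be reachable except through it, and a single audit log covers every access attempt.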

Another critical step is a data inventory: what data do you have, why do you need it, where does it come from, who has access to it and why? Data at rest should be encrypted, and access control is vitally important. Employee training and awareness are also essential — in other words, making sure that employees on the brand side know not to click on phishing emails. If an employee leaves, ensure that account is deleted and access is terminated. Keep up-to-date with patches and fixes, and stay in touch with your partners, vendors and customers to ensure everyone is on the same page about security policies.
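The "if an employee leaves, ensure that account is deleted" step is the one most often missed in practice, so here is an added example (not from the article or from Commercetools) of a reconciliation check: the platform's account list is compared against the HR roster, and any enabled account that has no active HR record is reported, with privileged roles called out first. The roster, account list, role names and the service-account allow-list are all constructed for the illustration; in a real deployment the two inputs would come from the HR system and the platform's user-management API.

```python
from datetime import date

# Constructed HR roster: username -> employment status (and end date if terminated).
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated", "end_date": date(2024, 3, 1)},
    "carol": {"status": "active"},
    "erin": {"status": "on_leave"},
}

# Constructed platform account export: who can still log in, and with what roles.
PLATFORM_ACCOUNTS = [
    {"user": "alice", "enabled": True, "roles": ["catalog-editor"]},
    {"user": "bob", "enabled": True, "roles": ["admin"]},           # left the company, still enabled
    {"user": "carol", "enabled": False, "roles": []},                # disabled: not a finding
    {"user": "dave", "enabled": True, "roles": ["order-viewer"]},    # no HR record at all
    {"user": "erin", "enabled": True, "roles": ["catalog-editor"]},  # on leave: flagged for review
    {"user": "svc-deploy", "enabled": True, "roles": ["deployer"]},  # known service account
]

# Non-human accounts that legitimately have no HR record (constructed allow-list).
SERVICE_ACCOUNTS = frozenset({"svc-deploy"})

# Roles whose orphaned accounts should be handled first (constructed list).
PRIVILEGED_ROLES = frozenset({"admin", "deployer"})


def find_orphaned_accounts(roster, accounts, service_accounts=SERVICE_ACCOUNTS):
    """Return enabled accounts without an active HR record, privileged ones first.

    Each finding is (username, reason, is_privileged).
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                      # access already terminated
        user = acct["user"]
        if user in service_accounts:
            continue                      # expected to have no HR record
        privileged = bool(set(acct["roles"]) & PRIVILEGED_ROLES)
        person = roster.get(user)
        if person is None:
            findings.append((user, "enabled account with no HR record", privileged))
        elif person["status"] != "active":
            reason = f"HR status is {person['status']}"
            if "end_date" in person:
                reason += f" since {person['end_date'].isoformat()}"
            findings.append((user, reason, privileged))
    # Sort so privileged orphans come first, then alphabetically for stable output.
    findings.sort(key=lambda f: (not f[2], f[0]))
    return findings


if __name__ == "__main__":
    for user, reason, privileged in find_orphaned_accounts(HR_ROSTER, PLATFORM_ACCOUNTS):
        tag = "PRIVILEGED" if privileged else "standard"
        print(f"{tag:10} {user}: {reason}")
```

Run on a schedule, a check like this turns the policy "terminate access when someone leaves" into something that is verified rather than assumed, and the privileged-first ordering reflects where a leftover account does the most damage.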

Amidst ever-advancing technological capabilities, the single biggest vulnerability may surprise you.

“It’s humans. We’re the weakest link,” Goetsch says. “It’s unauthorized access. It’s a privilege escalation. Composable commerce is a huge help in this regard, but security is everyone’s responsibility, from the first-day temp who opens an email, to the CIO and CEO making sure that policies are in place and initiatives are funded properly. It’s employee education. It’s the vendors you choose. It’s prioritizing security in the road mapping process from a product development standpoint. It’s HR policies, making sure that you’re doing background checks on people you hire. It’s across the entire board.”


Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact [email protected].