The Co-operative Food enhances PCI DSS compliance

Boosting endpoint security with more effective patch management

Published on 28 Oct 2012

"With IBM Endpoint Manager we will be able to guarantee that all of our endpoints are patched appropriately, and we will be able to provide solid proof that we have a regular, fully documented patch process in place. This will be a huge step in helping us to move closer to full PCI DSS compliance." - Neil Wakefield, System and Process Change Manager, The Co-operative Food

Customer:
The Co-operative Food

Industry:
Retail

Deployment country:
United Kingdom

Solution:
Automation, Business Resiliency, Enabling Business Flexibility, BA - Risk Analytics

Overview

The Co-operative Group Ltd. is a British consumer cooperative, wholly run and owned by its members. It is the largest organisation of its kind in Europe, with over six million members. The group comprises a diverse range of businesses, the largest of which is The Co-operative Food: a chain of food and convenience stores employing some 70,000 people.

Business need:
The Co-operative Food wanted to develop a more unified approach to patch management, in an effort to improve compliance with PCI DSS standards and enhance security across its retail network.

Solution:
Selected IBM® Endpoint Manager (formerly BigFix®) to centralise and streamline the patching process, delivering more effective patch management for an endpoint environment comprising some 19,000 devices.

Benefits:
Offers real-time, automated patch discovery and management, ensuring that endpoints maintain appropriate patch levels. Integrated reporting helps to demonstrate compliance with PCI DSS requirements.

Case Study

The Co-operative Food’s retail estate is vast, and encompasses approximately 2,800 stores across the UK. The company manages an extensive network of endpoint devices, including tills, servers and back-office workstations, which are essential to the smooth running of daily business.

Achieving PCI compliance
As a company in the retail sector, it is vital for The Co-operative Food to maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), which was created to increase controls around cardholder data to reduce credit card fraud. PCI DSS requires all retailers accepting payment cards to comply with a number of standards, one of which is ensuring that all endpoint devices have the latest security patches installed. All critical security patches must be installed within one month of release.

Neil Wakefield, System and Process Change Manager at The Co-operative Food, explains: “In the past, we did not have a joined-up way of patching our tills and other endpoint devices. We only applied patches when we needed to bring a particular till image up to date. As part of our efforts towards PCI DSS best practices, we realised that we needed to radically overhaul our approach to patch management if we were to improve compliance and avoid penalties.”

The Co-operative Food recognised that improved patch management would also help to drive greater efficiency in its IT environment. With a comprehensive patching strategy, the company would be able to obtain real-time information on software and hardware versions, and reduce the amount of effort involved in keeping its vast endpoint estate patched and compliant.

Selecting a comprehensive patch management solution
The Co-operative Food commissioned Gyrocom Limited to perform an evaluation of patch management solutions on the market. After reviewing offerings from five vendors, Gyrocom presented The Co-operative Food with two final options, one of which was IBM Endpoint Manager, built on BigFix technology.

“IBM was the clear front-runner and made our decision an easy one,” notes Wakefield. “The IBM team offered us a proof-of-concept demonstration free of charge: we installed IBM Endpoint Manager on our own server and used it to manage a small number of endpoints. We immediately recognised the capability and value of the solution and moved forward with a pilot phase.”

The Co-operative Food negotiated a deal with IBM, which stipulated that the company would not have to commit to a full licence for the IBM software until the pilot phase was completed. This helped to mitigate the business risk of investing in the new solution. The Co-operative Food signed a full contract with IBM in early 2012 and began a full roll-out of IBM Endpoint Manager soon afterwards.

The company is nearing the final stages of the implementation, with IBM Endpoint Manager now providing comprehensive coverage for more than 18,500 endpoint devices. The solution places a single intelligent agent on each endpoint, which sends regular messages to a central management server and pulls patches and configurations to the endpoint when necessary to comply with a relevant policy.

As a result of the agent’s intelligence and speed, the central management server always knows the compliance and change status of endpoints, enabling rapid and up-to-date compliance reporting.

Solid training from IBM
To help The Co-operative Food to take full advantage of the range of capabilities offered by IBM Endpoint Manager, IBM ran a four-day training course for members of the IT department’s support function. “The training provided by IBM was excellent,” states Wakefield. “I have never seen a more enthused group of people return from a course.”

The Co-operative Food plans to create a small group of super users who will then be able to train more users internally to use the new software. Wakefield adds: “We anticipate that it will be an easy sell to bring new users on board with IBM Endpoint Manager, given the incredibly positive response that we have seen so far.”

Improved endpoint visibility and control
IBM Endpoint Manager provides The Co-operative Food with a comprehensive solution for patch management that allows the company to see, change, enforce, and report on patch compliance status in real time, through a single console.

The solution will significantly change the way that The Co-operative Food approaches patch management, offering a unified strategy for handling the discovery and deployment of patches, helping to ensure greater patch compliance and saving valuable time and resources.

Wakefield explains: “In the past, our patch discovery process involved creating a bespoke dial to discover what software and operating system versions our tills were running. We had to manually repeat this audit whenever we needed to upgrade a certain till, and the process would typically have to be run overnight. While this was not a particularly difficult task, manually auditing thousands of tills could become very tedious.

“In comparison, IBM Endpoint Manager offers us real-time information on the patch status of every device from a single point of control. Now we can instantly obtain the compliance and change status of all our endpoints, which will dramatically improve security and management across our network.”

The solution eases the management burden for IT staff by continuously enforcing patch policy compliance. Instant access to the patch status of each device reduces the time and effort that the company’s deployment team spends on monitoring and managing endpoints.

In the future, The Co-operative Food plans to extend the solution to manage software updates for its tills. This will build on the value of the Endpoint Manager system, ensuring that all point of sale devices are regularly maintained with the latest software versions.

Enhanced reporting and regulatory compliance
Integrated IBM Endpoint Manager reporting capabilities allow The Co-operative Food to access up-to-the-minute dashboards and reports that provide a global view of its endpoint environment, indicating which patches were deployed, when they were deployed and to which devices. This enhanced reporting ability helps The Co-operative Food to provide solid documentation that its retail network is compliant with current PCI DSS patching requirements.

IBM Endpoint Manager can ensure compliance with PCI and other standards automatically, with a comprehensive library of more than 5,000 “out of the box” compliance rules. By reducing the need for manual detection and remediation to bring devices back into a compliant state, Endpoint Manager can significantly reduce the risk and cost of maintaining constant compliance.

“In the past, we simply did not have a consistent approach to patching, full stop,” remarks Wakefield. “With IBM Endpoint Manager we will be able to guarantee that all of our endpoints are patched appropriately, and we will be able to provide solid proof that we have a regular, fully documented patch process in place. This will be a huge step in helping us to move closer to full PCI DSS compliance.”

Components

IBM products and services that were used in this case study.

Software:
IBM Endpoint Manager for Server Automation

Legal Information

© Copyright IBM Corporation 2012 IBM United Kingdom Limited PO Box 41 North Harbour Portsmouth Hampshire PO6 3AU Produced in the United Kingdom October 2012 IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. A current list of other IBM trademarks is available on the Web at “Copyright and trademark information” at: ibm.com/legal/copytrade.shtml. References in this publication to IBM products, programs or services do not imply that IBM intends to make these available in all countries in which IBM operates. Any reference to an IBM product, program or service is not intended to imply that only IBM’s product, program or service may be used. Any functionally equivalent product, program or service may be used instead. All customer examples cited represent how some customers have used IBM products and the results they may have achieved. Actual environmental costs and performance characteristics will vary depending on individual customer configurations and conditions. IBM hardware products are manufactured from new parts, or new and used parts. In some cases, the hardware product may not be new and may have been previously installed. Regardless, IBM warranty terms apply. This publication is for general guidance only. Photographs may show design models.