A Wake-Up Call for Security
Much of what I read today in the industry press focuses on e-business and how to implement e-business projects. I see very little written about security. Yet security issues pose a major threat to the success of e-business projects if not taken into account.
Security only seems to assume importance after a high-profile incident. A good example is what happened recently when a number of prominent Internet sites experienced service outages for several hours. Yahoo, eBay, Amazon.com, CNN.com and Buy.com have all been recent victims of hackers. These attacks are a dramatic demonstration of the Internet's vulnerabilities and the ease with which determined hackers can wreak havoc across the global computer network. The chaos highlights the vulnerability of even the best-planned Web sites and may shake public confidence, a concern that security experts warn the industry must deal with or risk disrupting the emerging e-commerce economy.
Business to business e-commerce presents even greater security concerns because important information assets are now exposed. Online business processes such as procurement and order entry are now up on the Web for the public to access. Interestingly enough, it isn’t necessarily this public access that poses the greatest risk.
Survey statistics over time have shown that internal or "trusted" users are a major cause of security breaches when it comes to information theft or destruction. The CSI/FBI Computer Crime and Security Survey indicates that in 1999 about half of the reported incidents were internally caused. And who knows how many incidents went unreported because of the sensitivity surrounding this issue?
Internal hackers include disgruntled employees, contractors who have access for a period of time, and those who see monetary gain in acquiring a company's intellectual assets.
What then are the security issues that companies should be concerned about? Authorization, authentication, data integrity, configurability, and non-repudiation of origin (so that a company can prove who the sender is).
In an e-business environment, application systems interface to Web servers and therefore, to public networks. This means that assets on the application systems are potentially exposed to external hackers or internal user threats.
In addition, e-business brings together disparate systems and application tool architectures. Often PCs are mingled with AS/400 systems, Unix and proprietary mainframe architectures. Methods are required for them to talk to each other in the context of a new element, namely Web technology. Integration and security issues are raised here as well, as this new environment is introduced to the IT organization.
So, how do you address security issues when designing an e-business system? Through a good plan and an integrated secure messaging system. The ideal system consists of the following components: messaging, encryption, access control and authentication, and directory services.
An e-business messaging system offers part of the solution because it deals with the integration issues that arise from the differences between Web server platforms and application servers. For best results, make sure that it is high-performance so that the user sees a reasonable response time. To do this, design your e-business solution specifically for the e-business environment. For example, the e-business architect can assume that the user is connected. Also, make sure that encryption is designed into the system from the start.
Messaging should also contain an independent process to manage security parameters such as encryption keys, along with security and administrative tasks. Port addresses should also be dynamically configured to ensure maximum security. Bandwidth requirements can also be addressed by a messaging system. Make sure that the messaging system aggregates messages where possible and only operates when awakened by a transaction request. Because a high level of skill is required to implement a messaging system, choose an easy-to-use software package to help guide the implementation.
Encryption is also part of the ideal integrated message solution. It is a cornerstone of security and needs to be optimized for performance. There is often a trade-off between encryption and performance, but a well-designed messaging system can compensate for it. It is common to find 128-bit encryption today, and it is desirable to use single-use encryption keys for messaging. Special skills are required to work with the available software solutions.
Access control and authentication provide important security elements for qualifying users. The ideal system requires users to prove their identities and where they are coming from, and to be authorized for access to specific transactions on specific resources at specific times. For good performance, make sure the overall e-business system responds efficiently to an authorized request and that the resulting actions are overlapped as much as possible. For example, the application processing system should be notified of an allowed transaction at the same time that the Web server is conditioned to receive a response from the application server. It is important that the people implementing access control have the skills to understand both the applications each user is involved in and to what extent they should have access.
Directory Services provide a single point of control for e-business solutions. This is very important for the security blueprint of a complex e-business system that contains multiple Web servers, application servers, and multi-transactional applications. Directory services provide an easy way of knowing the status of who is authorized and at what level. This is particularly important in today’s environment where personnel changeover is very dynamic. Directory services can also help manage a single point of access control and authorization plan.
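The two preceding sections describe an access-control layer that answers four questions before a transaction is released to the application server: who the user is, where the request comes from, which transaction on which resource is being attempted, and at what time, with the answers to "who" and "at what level" drawn from a directory. The following is an added illustration, not code from the column or from CSTeBusiness: it models a small directory of accounts (password hashes, permitted source networks, roles) and a role-based policy of (resource, transaction, time window) rules, then makes a single allow/deny decision for a request. The account names, passwords, networks, resources and time windows are all constructed for the example.

```python
"""Single-point access-control decision for an e-business transaction gateway.

Constructed example: the directory entries, the policy rules and the requests
below are invented to show the four checks (identity, origin, transaction on
resource, time of day) performed in one place before a request is passed on.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
import hashlib
import hmac


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-SHA256; the directory stores the hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


@dataclass(frozen=True)
class DirectoryEntry:
    salt: bytes
    pw_hash: bytes
    roles: frozenset           # authorization level(s) granted to this account
    networks: tuple            # source networks this account may connect from


@dataclass(frozen=True)
class Rule:
    resource: str              # e.g. the "orders" application
    transaction: str           # e.g. "create" or "read"
    start: time                # earliest time of day the transaction is allowed
    end: time                  # latest time of day the transaction is allowed


# Constructed directory: two accounts with different roles and source networks.
_SALT_A = b"constructed-salt-alice"
_SALT_B = b"constructed-salt-bob"
DIRECTORY = {
    "alice": DirectoryEntry(_SALT_A, hash_password("correct horse", _SALT_A),
                            frozenset({"buyer"}), (ip_network("10.0.0.0/8"),)),
    "bob": DirectoryEntry(_SALT_B, hash_password("battery staple", _SALT_B),
                          frozenset({"auditor"}), (ip_network("192.168.5.0/24"),)),
}

# Constructed policy: buyers may enter orders during business hours and read
# them at any time; auditors may only read.
ALL_DAY = (time(0, 0), time(23, 59, 59))
POLICY = {
    "buyer": (Rule("orders", "create", time(7, 0), time(19, 0)),
              Rule("orders", "read", *ALL_DAY)),
    "auditor": (Rule("orders", "read", *ALL_DAY),),
}


def authenticate(user: str, password: str, source_ip: str):
    """Prove identity (password) and origin (source network). Returns (entry, reason)."""
    entry = DIRECTORY.get(user)
    if entry is None:
        hash_password(password, b"dummy-salt")   # keep timing similar for unknown users
        return None, "unknown user"
    if not hmac.compare_digest(entry.pw_hash, hash_password(password, entry.salt)):
        return None, "bad password"
    if not any(ip_address(source_ip) in net for net in entry.networks):
        return None, "source address not permitted"
    return entry, "ok"


def authorize(user: str, password: str, source_ip: str,
              resource: str, transaction: str, when: datetime):
    """Full decision: authenticate, then look for a role rule matching
    resource, transaction and time of day. Returns (allowed, reason)."""
    entry, reason = authenticate(user, password, source_ip)
    if entry is None:
        return False, reason
    for role in sorted(entry.roles):
        for rule in POLICY.get(role, ()):
            if (rule.resource == resource and rule.transaction == transaction
                    and rule.start <= when.time() <= rule.end):
                return True, f"allowed by role {role}"
    return False, "no rule permits this transaction"


if __name__ == "__main__":
    when = datetime(2000, 3, 1, 9, 30)
    print(authorize("alice", "correct horse", "10.1.2.3", "orders", "create", when))
    print(authorize("alice", "correct horse", "172.16.0.1", "orders", "create", when))
    print(authorize("bob", "battery staple", "192.168.5.7", "orders", "create", when))
```

Every denial returns a reason string so the gateway can log why a request was refused; in a real deployment the directory and policy would be served by the directory service rather than held in module-level dictionaries, and the constant-time comparison and dummy hash for unknown users are there so that response timing does not reveal which account names exist.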
Today's businesses rely upon sophisticated e-business networks to keep running. However, these same e-business sites are frequently implemented quickly without properly considering security issues. Designing an e-business site is no small task. It is important to plan a proper strategy and implement a well-integrated secure messaging solution.
Al Nickles is president of CSTeBusiness in Alpharetta, GA. CSTeBusiness provides security, integration, authentication, authorization, data integrity and data confidentiality for users who are implementing advanced electronic commerce solutions across multiple platforms for the Internet or intranet.