Beyond Perimeter Defense: Securing Online Transactions

Encrypting, monitoring, and auditing access to actual data

The ability to secure, and maintain, fast transaction processing means life or death for e-commerce and other online transaction processing companies. DHD Media, an online transaction processing and e-commerce hosting company founded in the mid-1990s, is no exception. Either DHD enables financial transactions to go through rapidly and securely for its customers or its risks losing customers to rivals and having to cover bad transactions with credit card companies, then face regulators.

Thus the company’s two imperatives: security and stability. “We never want to have a case of a customer asking us are our systems secure, and our not being able to prove it, and to have multiple layers of redundancy,” says Raj Patel, director of marketing for DHD Media.

About six months ago, the company began looking for a way to encrypt, control access to, and monitor data, and thus to move beyond just so-called perimeter security—firewalls, intrusion detection systems, and the like that watch for an overt break-in. The thinking: if an attacker fools the firewall or IDS, watching actual data access alarms provides an added failsafe.

The shift in thinking at DHD mirror companies’ increasing concern about what happens if traditional safeguards fail. "Perimeter security alone doesn't guard against all the threats enterprises face, such as malicious internal staff, [or] physical theft of machines,” says Gartner Group analyst Rich Mogull. Thus, “enterprises must also protect content and data with internal security controls, including appropriate use of encryption, vulnerability management, identity management, and activity monitoring."

Beyond customers’ happiness levels, for DHD financial regulations are also a concern. Visa’s Cardholder Information Security Program, for example, requires transaction-processing companies to maintain rigorous security standards or Visa won’t do business with them. California’s new Database Security Breach Notification Act, SB 1386, adds another wrinkle: potential bad publicity for any company suffering unauthorized access to customer’s personal information; the company may have to report the breach to customers.

DHD Media ultimately selected Ingrian’s DataSecure Platform, an appliance that secures data in applications, databases, or storage systems in important ways: keeping stored data encrypted via centrally stored keys, and SSL-encrypting all information in transit or in use by applications or databases. As a result, it’s more difficult for attackers to get, or read, sensitive data.

Of course “there are lots of ways to skin the data privacy cat,” notes Enterprise Strategy Group analyst Jon Oltsik. One value of an approach such as Ingrian’s, however, is that it consolidates “functions like encryption, authentication, and key management,” he says, which can save overall costs and management time.

DataSecure gives users various “options for deployment,” including an XML interface for managing deployment (such as user access permissions) and keys, says Karim Toubba, vice president of product management and marketing for Ingrian Networks. The latest version also allows better “control over who can access what data, and when,” he says. In particular, it can audit, alert, and run reports on all cryptographic operations.

DHD’s Patel says the DataSecure installation went smoothly, and that the device doesn’t impede transaction-processing performance. Still, he cautions, it’s but a part of the company’s overall approach. “[Ingrian] is not the core of our security, but another layer of defense to help us maintain a secure system for transaction processing.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.