A GUIDE TO E-commerce Security

Software Magazine, Sept, 1999 by Paul Desmond

Authentication is only half the battle, however. Once a user gains access to a Web site, it's likely that some sort of data will be flowing back and forth. When that data is of a sensitive nature, it's got to be protected. That's where encryption comes into play.

VPNs typically provide encryption for data flowing over the wire, but companies also have to think about sensitive data stored in databases, such as a pool of credit card numbers. That's the type of valuable data hackers will spend time looking for.

Another category of product is intrusion detection systems (IDS), which can issue an alert when someone is trying to break into the network and thwart the attack. Available from vendors including ISS, Axent Technologies, and Network Flight Recorders, an IDS monitors network traffic, looking for telltale patterns that denote most known types of attacks, such as a repetitious flood of packets typical of a denial of service attack meant to overload a Web site.

Authorization Angst

Once the perimeter is secure and only authorized users can get into an e-commerce site, the next step requires tools that authorize different users to do different things. As Forrester's report notes, to date most companies have been using an exception policy, whereby access to resources is denied except to those who are explicitly allowed. "But as enterprise assets become intertwined with partner business processes, exception management will become untenable," the report says.

The alternative is to grant broad access to resources, with limited exceptions. Forrester recommends using only four data classifications, based on the audience for which the data is intended: public, employee, partner, and executive.

Companies including Netegrity and enCommerce make tools that help implement policies that ensure certain individuals or groups get access only to specific resources. Netegrity's SiteMinder, for example, lets organizations store the rules and policies governing who can access what resources in the SiteMinder Policy Server. The server, in turn, is connected to various databases, applications, and Web servers. Users are authenticated once by the server and can then access any resource for which they are authorized, without having to log in to each one individually.

SiteMinder doesn't store information about users itself, however, according to product manager Sumner Blount. Rather, it ties in to most types of existing corporate directories, including Novell NDS, Netscape Directory Server, NT Domains, and Banyan StreetTalk.

The Policy Server also makes it possible to customize content to different groups. For example, a bank customer with a balance above a certain threshold may get a different screen when accessing the bank's Web site than a user with a smaller account, enabling banks to give their larger customers premium services, Blount says.

The product also has a series of application programming interfaces (APIs) that enable it to tie in with various server operating systems, directories, application development tools, authentication products, and firewalls.

Content provided in partnership with Thompson Gale