A GUIDE TO E-commerce Security

Software Magazine, Sept, 1999 by Paul Desmond

Ann Marie Beasley, product line manager for Cybertrust CA hosting services, says her company will also conduct a periodic analysis and review of security policy and procedures. She notes that while companies can outsource some or all of their security infrastructure, they still need to dedicate staff to make sure internal security goals are being met.

Frameworks and Package Deals

For those who'd rather go the do-it-yourself route to e-commerce security, a number of vendors are now offering packages of point products and security frameworks that purport to help with the integration effort.

These products are still in their infancy, so it's tough to say with any certainty how well they do what they say they can do. All-encompassing frameworks in general have often had trouble meeting expectations, especially in the network and systems management realm, where products from the likes of Tivoli and Computer Associates have been notoriously difficult to install and configure.

The security packages that integrate various point products probably have a better chance of success because they typically involve the integration of existing products, not entirely new concepts. IBM, for example, offers its FirstSecure package, which includes IBM's own firewall and PKI software along with content filtering tools from Content Technologies (MIMEsweeper) and Finjan (SurfinGate) as well as Symantec's Norton AntiVirus tool. Also included is DASCOM Inc.'s IntraVerse, which provides application authorization, authentication, and other functions.

The central focus of IBM's security offering is the Policy Director, says IBM's Bob Madey, director of the security business line. Based on a DCE-compliant directory, Policy Director provides a central authorization control facility for all e-commerce applications, enabling users to dictate who should get access to what applications and providing single sign-on to applications, much like Netegrity's tool. The Policy Director works with all the FirstSecure products, as well as any other products users want to bring into the framework, Madey says.

Computer Associates recently announced a similar integrated security offering, although it is made up entirely of CA products; or at least, products that CA now owns thanks to its acquisition of Platinum Technology. The products will be integrated via CA's Jasmine TND product that incorporates an object-oriented database.

CA's offering, eTrust, encompasses a laundry list of security technologies, including PKI, VPN, encryption, firewall, antivirus, content filtering, intrusion detection, access control, single sign-on, policy management and compliance, audit, and directory tools. CA's Global Professional Services organization, now about 4,000 strong following the Platinum acquisition, will help users integrate all these offerings into their e-commerce sites. GPS will also help with security audits, policy development, and security education.