Security
Feature
Opening Your E-Business Perimeter

January 8, 2001
By Brooke Paul


Leveraging the power of the Internet and open standards promises to drive down the cost of doing business and increase the return on your technology investments. Recent advances in e-business technologies have led to the development of electronic marketplaces. These marketplaces are an aggregation of buyer-supplier connections, with most being industry-specific.



Nearly 1,000 e-marketplaces have sprung up worldwide--with a combined market value of more than $100 billion--and growth will only accelerate over the next several years. Industry analysts, such as Gartner Group and Forrester Research, project that annual B2B (business to business) e-commerce revenue will reach between $2 trillion and $7 trillion by 2004. E-commerce's advocates say this mode of business can cut a company's administration, inventory and purchasing costs by 10 percent to 30 percent; expand its reach globally; and increase customer and partner loyalty through ease of use, increased efficiency of transactions and personalization.


But serious challenges must be faced before these benefits can be realized. One of the biggest is balancing the requirement for security with the requirement for openness. The right framework provides the security you need while allowing access to the people you want to reach.

Moving from brick-and-mortar to an Internet model entails re-engineering many of your company's business processes and deploying new technologies to ensure that your efforts aren't marred by security, performance or scalability problems. A shift of focus is in order, especially in terms of security. Making your most important business systems and data available to others on the Internet is part of embracing e-business. Traditionally, Internet security has concentrated on setting up a perimeter to keep people out. Modern information security requires a focus on enabling business and creating a perimeter that can give customers, suppliers and partners access.

A move into the Internet e-business space without an executable plan for information security and technology management can derail even the most exciting strategy. Risk management must be part of every phase of your online strategy, whether you are planning to join a B2B marketplace, offer B2C (business to consumer) services or open your corporate intranet to partners in the form of an extranet. The key to success will be striking a balance between risk and value, with risk-assessment methodologies providing the business intelligence necessary to make sound decisions around e-business architecture and engineering.

Risk Factors

When people talk about e-commerce risk, the first things that come to mind are crackers and script kiddies: those black-hat, evil agents of mayhem who seem to inhabit every corner of the Internet. The widespread availability of tools for remote DoS (denial of service) and system attacks gives good cause for alarm. Any compromise of data integrity, confidentiality or availability will undermine customer confidence.

Early in the process, as part of your implementation and operational plans, you need to include network and system configurations that protect you against attacks, as well as procedures that make security a part of routine maintenance and administration (see our review of vulnerability-assessment tools). Even more important, security must be included as part of the life cycle of any applications development effort. Without solid preparation at this stage, you remain open to exploitation, because most network and infrastructure components cannot compensate for applications whose security is poorly designed or implemented.

Your security program should adopt a "defense in depth" strategy that provides multiple layers of protection between a potential attacker and your critical data and systems. Defense in depth is the practice of implementing mutually supporting and overlapping defense measures designed to protect against intrusion and alert security staff in the event of a penetration.

To implement a defense-in-depth architecture, you need to understand the infrastructure systems and applications involved and the risks associated with each. If one layer in your infrastructure has a known vulnerability, you can place controls in another layer to provide protection and alert capabilities. For example, to compensate for exposing an application with a known vulnerability, you might use a proxy agent that verifies input before letting it reach the application. Ideally, you should request and receive a patch from the application vendor, but vendors are often slow to accept reports of vulnerabilities and may not even acknowledge the report as valid. Alternatively, you may decide to deploy an intrusion-detection system to watch for attacks. Such a measure does not reduce the risk of an attack but does provide a mechanism to trigger a rapid response.
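The compensating proxy layer described above, written out as an added example (it is not code from the article or from any vendor product): a small allowlist validator sits between callers and a hypothetical legacy lookup function, rejects any request that fails the checks, and raises an alert for the monitoring layer so that the rejection is visible rather than silent. The parameter names, allowlist patterns, the `legacy_lookup` function and the sample requests are all constructed for this illustration.

```python
"""Added example: an input-verifying proxy as a compensating control in
front of an application whose own input handling cannot yet be patched.
Everything here (parameter names, rules, sample traffic) is constructed."""
import re
from dataclasses import dataclass, field


def legacy_lookup(params: dict) -> str:
    # Hypothetical legacy application. Assume it mishandles overlong or
    # non-alphanumeric 'account' values and that no vendor patch exists yet.
    return f"balance for {params['account']}"


@dataclass
class AlertLog:
    """Stand-in for the alerting path into the monitoring/IDS layer."""
    events: list = field(default_factory=list)

    def raise_alert(self, source: str, reason: str, request: dict) -> None:
        self.events.append({"source": source, "reason": reason,
                            "request": dict(request)})


# Allowlist: every parameter the application accepts and the exact shape
# each value must have. Anything not listed here is refused.
RULES = {
    "account": re.compile(r"[A-Z0-9]{6,12}"),
    "view": re.compile(r"summary|detail"),
}


def validate(params: dict):
    """Return None if the request is acceptable, else the rejection reason."""
    unknown = set(params) - set(RULES)
    if unknown:
        return f"unexpected parameter(s): {sorted(unknown)}"
    for name, pattern in RULES.items():
        value = params.get(name)
        if value is None:
            return f"missing parameter: {name}"
        if not isinstance(value, str) or not pattern.fullmatch(value):
            return f"parameter {name} failed allowlist check"
    return None


def proxy(params: dict, alerts: AlertLog, app=legacy_lookup) -> dict:
    """The compensating layer: verify first, alert on rejection, and only
    then let the request reach the application."""
    reason = validate(params)
    if reason is not None:
        alerts.raise_alert("input-proxy", reason, params)
        return {"status": 400, "body": "rejected"}
    return {"status": 200, "body": app(params)}


# Constructed sample traffic: one clean request, one overlong value, one
# request carrying a parameter the application never defined, and one
# value containing a character outside the allowlist.
SAMPLE_REQUESTS = [
    {"account": "ACME01", "view": "summary"},
    {"account": "A" * 500, "view": "summary"},
    {"account": "ACME01", "view": "summary", "debug": "1"},
    {"account": "ACME-01", "view": "detail"},
]


def run(requests: list, alerts: AlertLog) -> list:
    return [proxy(r, alerts) for r in requests]


if __name__ == "__main__":
    log = AlertLog()
    for req, resp in zip(SAMPLE_REQUESTS, run(SAMPLE_REQUESTS, log)):
        print(resp["status"], req)
    print(len(log.events), "alert(s) raised")
```

Two design points match the paragraph: the proxy uses an allowlist (what the application is known to accept) rather than a list of known-bad inputs, so it holds up even for attack patterns nobody has catalogued yet; and the alert is raised by the proxy itself, so the monitoring layer learns about the attempt even though the application never saw it.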

While the threats posed by the black-hat crowd need to be included as part of your risk assessment and planning, you will also need to consider potential attacks directed against you by competitors--especially if you're joining a B2B e-marketplace or outsourcing to a provider that could potentially service competitors. Many B2B e-marketplaces are aggregations of competing companies, thus making them natural candidates for industrial espionage. The information that could be compromised depends upon the particular B2B market, and can include customer or supplier data, client lists, competitive research, or even employee records. To be prepared for such attacks, you'll need to obtain an appropriate level of assurance that the e-marketplace or outsourcing provider you choose has proper controls and procedures for security. They should be similar to what you implement to protect your own data and systems, and should mirror those we've listed for service providers.

Overlooking liabilities associated with providing shared infrastructure is also common. If you are providing shared services or infrastructure that is accessed by many clients, you could be used as a third-party intermediary to launch an attack against one of the partners accessing your infrastructure. This is particularly true if you are acting as an aggregator of commerce connections. If you provide services to multiple businesses without planning for isolation, others may use you as an intermediary for industrial espionage. Likewise, any aggregator you use should be able to assure you that your data and networks are segregated from other participants. Even if you aren't providing services as a vertical portal or extranet provider, you run the risk of acting as an Internet DDoS (distributed DoS) or cracker launch site if you don't have security planning and operations in place (see "DDoS: Internet Weapons of Mass Destruction").
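The segregation requirement in this paragraph, as an added example that is not part of the article: a shared data store on an aggregator platform whose reads are always evaluated against the caller's tenant, shown beside the unscoped lookup it replaces, with every denied cross-tenant attempt written to an audit list for the monitoring layer. The tenant names, record ids and payloads are constructed.

```python
"""Added example: enforcing participant segregation in a shared service.
Tenant names, record ids and payloads below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    """The authenticated caller and the participant (tenant) they act for."""
    user: str
    tenant: str


@dataclass
class Store:
    # record id -> (owning tenant, payload)
    records: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def add(self, tenant: str, record_id: str, payload: dict) -> None:
        self.records[record_id] = (tenant, payload)

    def get_unscoped(self, record_id: str) -> dict:
        """The weak pattern: a lookup keyed only by record id. On a shared
        platform this lets any participant read any other participant's
        record, which is exactly the espionage exposure the text warns of."""
        return self.records[record_id][1]

    def get_scoped(self, who: Principal, record_id: str) -> dict:
        """The segregated pattern: the owning tenant is checked on every
        read. Another tenant's record is reported as absent (so the caller
        cannot even confirm it exists) and the attempt is audited."""
        owner, payload = self.records.get(record_id, (None, None))
        if owner != who.tenant:
            self.audit.append({"user": who.user, "tenant": who.tenant,
                               "record": record_id, "outcome": "denied"})
            raise KeyError(record_id)
        return payload

    def list_scoped(self, who: Principal) -> list:
        """Enumeration is scoped the same way as single-record reads."""
        return sorted(rid for rid, (owner, _) in self.records.items()
                      if owner == who.tenant)


def build_sample_store() -> Store:
    # Two competing suppliers sharing one marketplace platform (constructed).
    s = Store()
    s.add("supplier-a", "po-1001", {"item": "valves", "qty": 400})
    s.add("supplier-a", "po-1002", {"item": "gaskets", "qty": 1200})
    s.add("supplier-b", "po-2001", {"item": "valves", "qty": 350})
    return s


if __name__ == "__main__":
    store = build_sample_store()
    alice = Principal("alice", "supplier-a")
    print(store.list_scoped(alice))
    try:
        store.get_scoped(alice, "po-2001")
    except KeyError:
        print("cross-tenant read denied; audit entries:", len(store.audit))
```

The point to carry over from this toy version is structural: the tenant check lives in the data-access layer, not in each caller, so a new feature cannot forget to apply it, and the audit entry gives the operator the evidence needed to show a participant that its data was segregated from its competitors.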


