By Paul Desmond

Perhaps one of the most daunting aspects of any electronic commerce project is security. Whether you’re dealing with a business-to-business application or a business-to-consumer retail site, there are bound to be unseemly types bent on breaking into your network and stealing corporate assets, or simply wreaking havoc and causing embarrassment.

It’s an unsettling thought, but you are far from defenseless. There are myriad software and hardware tools available to help steel your site against most any attack. Vendors are also starting to package products together, delivering a collection of tools that purport to ease your integration chores. And you can also outsource the whole problem, with more and more service providers stepping forward to take on some or all of your security needs.

In this article, you’ll learn about improving e-commerce security with the latest vulnerability scanning tools and appropriate alarm thresholds. Future articles in this series will look at trends in firewalls and improving access policies. This content originally appeared in the September issue of Wiesner Publishing’s Software Magazine and appears on TechRepublic under a special arrangement with the publisher.

No matter which route you choose, it’s easier to get your arms around the e-commerce security dilemma if you think of the problem in terms of four general requirements:

  • Policies and procedures
  • Perimeter security, including firewalls, authentication, virtual private networks (VPNs), and intrusion detection
  • Authorization, for both data and applications
  • Public key infrastructure (PKI), an authentication, encryption, and digital-signature setup for those applications where the stakes are particularly high and an audit trail is crucial (the signatures are what supply the audit trail)

Producing good policies
One of the biggest mistakes companies make when it comes to security is failing to come up with good policies and procedures—and to make sure they get followed. Experts agree that security is a moving target. Businesses just can’t install a firewall and forget it. Every time there’s a change in the IS infrastructure, be it an operating system upgrade or a router reconfiguration, the security implications of that change have to be taken into account.

“Coming up with policies is a whole lot easier than making sure they get followed,” says Alan Paller, president of The SANS Institute, a cooperative research and education organization that focuses on security.

In a January 1999 report, “Turning Security on its Head,” Forrester Research, Cambridge, MA, says companies need to “shun complexity” and “set dirt-simple policies and use measures that are invisible to users.”

While that may be a tall order, the point is well-taken, for if a policy is too complex or burdensome to those who must adhere to it, odds are they won’t.

Paul Donfried, chief marketing officer at Identrus, a New York-based company that is developing a PKI service, says the key to good security policy development is inclusion. “What you ideally should do is pull people from all the functional areas that are affected and jointly develop policies and procedures,” he says. “Then you’ve got a high likelihood that they will be followed and implemented.”

This is no mean feat because there are innumerable aspects to consider when developing security policies, such as server upgrades, as well as changes to firewalls and even modems. (Do you know about every modem that’s attached to a PC in your organization? Doubtful, but each is a potential security risk.)

“One of the biggest areas for security breaches is misconfigurations. Period,” says Patrick McBride, executive vice president of the META Security Group, a security consulting firm in Atlanta. “Whether a company is dealing with applications, network equipment, middleware, or Web servers, virtually anything can be a security risk if it’s not configured properly, with all known patches applied,” McBride says. “What you really need is people who understand what those holes are and how to close them.”

A good practice is to run vulnerability scanning tools after any reconfiguration, McBride says. These tools, available from vendors including Network Associates and Internet Security Systems (ISS), look for known configuration problems and vulnerabilities in operating systems, firewalls, and other network elements.

Toward the same end, Paller says SANS is making available a script developed at Xerox’s Palo Alto Research Center that helps beef up security for Solaris servers. The tool scans the server for a list of known security loopholes that have been identified by various SANS members, then automatically applies the recommended fix. SANS has also published a guide to identifying security problems in NT servers, but the fixes must be done manually. (The NT guide is available now for a nominal fee from SANS.)
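The two preceding paragraphs describe the same loop: scan a server for known bad settings after every change, and apply the recommended fix where one is known. The following is an added illustration of that loop written for this article; it is not the SANS/PARC Solaris script, the SANS NT guide, or any vendor scanner. The service table is in the format of a Unix inetd.conf, the list of “risky” services and the reasons given for them are an assumed policy, and the sample file is constructed for the example.

```python
"""Scan-and-fix for an inetd.conf-style service table (added example).

Assumptions: a policy that says the services in RISKY_SERVICES must not be
listening on an Internet-facing server, and an inetd.conf whose first field
is the service name.  Both the policy and the sample file are constructed.
"""
from dataclasses import dataclass

# inetd service names (not the client program names): "shell" is rsh,
# "login" is rlogin, "exec" is rexec.
RISKY_SERVICES = {
    "finger":  "leaks account names to anyone on the network",
    "echo":    "UDP amplification / loopback abuse",
    "chargen": "UDP amplification",
    "shell":   "rsh: trust-based login with no real authentication",
    "login":   "rlogin: trust-based login with no real authentication",
    "exec":    "rexec: password sent in the clear",
    "tftp":    "unauthenticated file transfer",
}

SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf, as left after a "routine" rebuild
ftp     stream  tcp  nowait  root   /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root   /usr/sbin/in.telnetd  in.telnetd
finger  stream  tcp  nowait  nobody /usr/sbin/in.fingerd  in.fingerd
#shell  stream  tcp  nowait  root   /usr/sbin/in.rshd     in.rshd
echo    dgram   udp  wait    root   internal
chargen dgram   udp  wait    root   internal
"""


@dataclass
class Finding:
    line_no: int
    service: str
    reason: str


def _service_of(line):
    """Service name of an active entry, or None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None          # commented-out entries are already disabled
    return stripped.split()[0]


def scan(conf_text):
    """Return one Finding per enabled service that the policy forbids."""
    findings = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        service = _service_of(line)
        if service in RISKY_SERVICES:
            findings.append(Finding(n, service, RISKY_SERVICES[service]))
    return findings


def fix(conf_text):
    """Apply the recommended fix: comment out each forbidden entry.

    Returns (new_text, services_disabled).  The original line is kept
    behind the marker so a reviewer can see what was changed and why.
    """
    out, disabled = [], []
    for line in conf_text.splitlines():
        service = _service_of(line)
        if service in RISKY_SERVICES:
            out.append("#DISABLED-BY-POLICY " + line)
            disabled.append(service)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def new_findings(before_text, after_text):
    """Run after a reconfiguration: report only what the change introduced,
    so an already-known, accepted state does not re-alarm on every run."""
    known = {f.service for f in scan(before_text)}
    return [f for f in scan(after_text) if f.service not in known]


if __name__ == "__main__":
    for f in scan(SAMPLE_INETD_CONF):
        print(f"line {f.line_no}: {f.service} enabled ({f.reason})")
    fixed, disabled = fix(SAMPLE_INETD_CONF)
    print("disabled:", ", ".join(disabled))
    print("remaining findings after fix:", len(scan(fixed)))
```

On the sample file the scan flags finger, echo and chargen; the commented-out rsh entry is correctly ignored, and a second scan of the fixed text is clean. In practice a scan-and-fix script of this kind is run against a copy of the configuration on a test box first, and its output is reviewed before the fixed file goes to production, since an automatically applied fix that disables a service some application depends on is itself a change that needs the same review as any other.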

Another key to good policy development is setting alarm thresholds to avoid too many false alarms. “If a car alarm goes off in New York City, people don’t pay attention anymore,” McBride says. Letting the same thing happen in your e-commerce security infrastructure is akin to leaving the front door open.
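What a threshold does to the alarm rate is easier to see on real input. The following is an added example written for this article, not code from any product the article mentions: it reads constructed login-failure log lines and raises an alert only when one source address produces a run of failures inside a short window, then suppresses repeat alerts for that source for a while. The log format, the thresholds and the sample lines are all assumptions for the illustration.

```python
"""Threshold-based alerting over login failures (added example).

Assumed log format (constructed for this example):
    <ISO timestamp> <host> login: FAILED LOGIN for <user> from <source>
Thresholds are also assumptions; tune them to the site's own traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\S+) \S+ login: FAILED LOGIN for (\S+) from (\S+)$")

FAILURES_PER_SOURCE = 5               # alert once this many failures ...
WINDOW = timedelta(minutes=2)         # ... from one source fall in this window
REALERT_AFTER = timedelta(minutes=30) # then stay quiet about that source

SAMPLE_LOG = """\
2000-03-14T09:00:01 web1 login: FAILED LOGIN for alice from 10.0.0.5
2000-03-14T09:00:09 web1 login: FAILED LOGIN for alice from 10.0.0.5
2000-03-14T09:07:30 web1 login: FAILED LOGIN for alice from 10.0.0.5
2000-03-14T09:12:00 web1 login: FAILED LOGIN for root from 192.0.2.7
2000-03-14T09:12:03 web1 login: FAILED LOGIN for root from 192.0.2.7
2000-03-14T09:12:05 web1 login: FAILED LOGIN for admin from 192.0.2.7
2000-03-14T09:12:08 web1 login: FAILED LOGIN for oracle from 192.0.2.7
2000-03-14T09:12:10 web1 login: FAILED LOGIN for guest from 192.0.2.7
2000-03-14T09:12:12 web1 login: FAILED LOGIN for test from 192.0.2.7
2000-03-14T09:12:15 web1 login: FAILED LOGIN for www from 192.0.2.7
2000-03-14T09:12:20 web1 login: FAILED LOGIN for root from 192.0.2.7
2000-03-14T09:12:25 web1 login: routine message that does not parse
"""


def parse(line):
    """(timestamp, user, source) for a failure line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def naive_alert_count(lines):
    """The car-alarm approach: one alert per failed login."""
    return sum(1 for line in lines if parse(line) is not None)


def alerts_for(lines, threshold=FAILURES_PER_SOURCE,
               window=WINDOW, realert=REALERT_AFTER):
    """Return [(timestamp, source, failures_in_window), ...].

    A sliding window per source keeps only the failures inside `window`;
    an alert fires when the window holds `threshold` entries, and the same
    source is not reported again until `realert` has passed.
    """
    recent = defaultdict(deque)   # source -> timestamps still in the window
    last_alert = {}               # source -> time of its last alert
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, _user, src = rec
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold:
            prev = last_alert.get(src)
            if prev is None or ts - prev >= realert:
                alerts.append((ts, src, len(q)))
                last_alert[src] = ts
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("alerts without a threshold:", naive_alert_count(lines))
    for ts, src, n in alerts_for(lines):
        print(f"{ts.isoformat()} {src}: {n} failures within {WINDOW}")
```

On the sample, alice’s three mistyped passwords spread over seven minutes never reach the threshold and produce nothing, while the burst of eight failures against assorted accounts from 192.0.2.7 produces a single alert at the fifth failure instead of eleven separate ones. The numbers that matter are the three constants at the top, and the right values are found by replaying a week of the site’s own logs and counting how many alerts an operator would actually have looked at.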

Donfried says companies have to strike a balance and compromise. “You don’t want a password policy that says you can use anything you want, but you can’t go too far or users will end up writing passwords down, which is worse,” he says. “There has to be a cultural fit for policies and procedures or they will never be implemented.”