By Paul Desmond

Once the perimeter is secure and only authorized users can get into an e-commerce site, the next step requires tools that authorize different users to do different things. In a January 1999report, “Turning Security on its Head,” Forrester Research , Cambridge, MA, notes that to date, most companies have been using an exception policy, whereby access to resources is denied except to those who are explicitly allowed. “But as enterprise assets become intertwined with partner business processes, exception management will become untenable,” the report says.

The alternative is to grant broad access to resources, with limited exceptions. Forrester recommends using only four data classifications, based on the audience for which the data is intended: public, employee, partner, and executive.
In this article, you’ll learn new ways to limit user access in order to increase security for your e-commerce site. You’ll also discover the benefits and drawbacks to PKI security. Next week, the series concludes with a controversial proposal to tie an IT manager’s bonus to the performance of e-commerce security. Previous articles in this series included:“Guide to e-commerce security”“Policing the perimeter”This content originally appeared in the September issue of Wiesner Publishing’s Software Magazine and appears on TechRepublic under a special arrangement with the publisher.
Companies including Netegrity and enCommerce make tools that help implement policies that ensure certain individuals or groups get access only to specific resources. Netegrity’s SiteMinder, for example, lets organizations store the rules and policies governing who can access what resources in the SiteMinder Policy Server. The server, in turn, is connected to various databases, applications, and Web servers. Users are authenticated once by the server and can then access any resource for which they are authorized, without having to log in to each one individually.

SiteMinder doesn’t store information about users itself, however, according to product manager Sumner Blount. Rather, it ties in to most types of existing corporate directories, including Novell NDS, Netscape Directory Server, NT Domains, and Banyan StreetTalk.

The Policy Server makes it possible to customize content to different groups. For example, a bank customer with a balance above a certain threshold may get a different screen when accessing the bank’s Web site than a user with a smaller account, enabling banks to give their larger customers premium services, Blount says.

The product also has a series of application programming interfaces (APIs) that enable it to tie in with various server operating systems, directories, application development tools, authentication products, and firewalls.

The Promise of PKI
For most business-to-consumer e-commerce sites, implementing all of the above technologies will keep a site reasonably secure. But sites where customers are routinely placing orders worth tens of thousands of dollars or more need to go a step further.

PKI refers to a set of technologies that provide strong authentication for just such applications. Additionally, it offers an audit trail, proving, for example, that John Doe at Company X really did place an order on the third of last month for $1 million worth of widgets. This is what’s known as non-repudiation, and it’s a key aspect of any large scale e-commerce application.

The components of a PKI include a certificate authority (CA), the entity that issues digital certificates to parties that want to conduct secure transactions and is responsible for managing the certificates. Security is provided via a dual-key system, one private, the other public. To encrypt a message, a user employs a private key, which is a string of digits stored on the PC. To decrypt the message, the other party employs that user’s public key, which the user can either send to the recipient or which can be accessed from the CA. In practice, a user’s digital certificate is the same thing as the public key.

In transaction-processing applications, there is also likely to be a back-end system that logs all the transactions passing through, attaching a timestamp. That’s where the non-repudiation comes in, since a record of the transaction will be kept, and the digital certificate proves the identities of those involved in the transaction.

Corporations are only now starting to roll out PKI technology and must address a host of issues. For one, the various companies making digital certificates don’t all do it the same way. That has given rise to a standard, PKIX, based on the X.509 digital certificate specification. Theoretically, any PKIX-compatible certificate will be able to be used by any PKIX-compatible application, says Bob Madey, director of the security business line for IBM, Raleigh, NC. He notes that all of the major PKI vendors, including Entrust, VeriSign, and GTE CyberTrust, have pledged to support the standard.
What do you think is the biggest security concern for e-commerce? Knowing what you do about the risks, would you place a million-dollar order online? Post a comment below or send us a note.