ebusiness at eBusinessProgrammers.com ::   Putting 'e' in your Business.
eBusiness ConsultantseBusiness consultants
Approach to eBusiness Security
 
 
eBusiness
    Programmers
Home
Ecommerce
EBusiness
ECommerce Vs
  EBusiness
EBusiness Security
SiteMap
 
Case Study
Case Study
 
Information
Contact Us
About Us
 
 
Partner With Us
 
Advertisement

GoECart Ecommerce Solution


Within five years of time, all companies will be Internet Companies or they wont be any Companies at all.

~ (Groove 1999)
 
Approach to eBusiness Security

Once the organization has defined a clear list of security requirements, it can begin to identify technology that meets its needs. By combining authentication and authorization with monitoring technology a comprehensive e-business security solution can be built. First, authentication and authorization technology is used to control access to e-business applications. This technology is valuable for any organization building e-business applications. Businesses should evaluate the technology’s capabilities in multiple areas:
  • Core authentication and authorization functions, including single sign on
  • The ability to set policies for security
  • Support for existing enterprise software
  • Manageability
  • Scalability and reliability
  • Privacy
  • Software quality
Second, monitoring technology minimizes the business risk associated with potential network intrusions. This technology is particularly useful for organizations with large, complex networks. Key features to consider are the technology’s ability to correlate information from a wide range of data sources; its ability to automate responses to routine problems; and its manageability.
 
Authentication and Authorization Technology:
To date, Web application developers have generally coded security logic into each of their applications. Each application had to maintain its own access control list of users, resources and the rights granted to each user. As the e-business environment grows, this approach rapidly becomes problematic for several reasons:
  • It is expensive because of the need to replicate development and maintenance work across multiple systems.
  • It requires time-consuming development when there is often corporate pressure to get online as quickly as possible.
  • Maintenance is time-consuming and error prone.
Once the applications are online, it is vital to ensure that access control lists are kept up to date and in step across multiple applications, and to make sure that as security policies change, those changes are simultaneously reflected across the whole e-business environment. Each of these steps is an opportunity for error, inconsistency or delay, and can result in security loopholes. An alternative approach is now possible. Technology is available that provides a security infrastructure for all of an enterprise’s Web-based applications, eliminating the need to code and maintain security logic for each application. This approach has been accepted as a standard method for developing mainframe applications for years, but the technique is only now being extended to Web applications.

To be capable of managing access to the entire environment, this software should handle a broad range of functions.
 
Authentication and Authorization:
The fundamental requirement is for technology that handles the authentication and authorization of all users (whether inside or outside the enterprise) accessing all e-business applications. All user attempts to access an e-business system are handled by the security infrastructure technology, which authenticates the user and grants the appropriate access to the requested system or systems. Many authentication methods exist, ranging from simple usernames and passwords to stronger methods such as tokens or digital certificates. Different types of authentication methods may suit different organizations. Applications and access methods tend to become less convenient for users and become more expensive as they increase in security. Passwords and usernames encrypted on transmission may be adequate for some resources, and may be the most practical approach for access via mobile devices that have limited computing power. For access to sensitive business information, token-based products or digital certificates may be more appropriate. An additional factor is that organizations may have already installed one of these authentication technologies and want to extend use of the technology for new e- business applications as well. A solution should be able to support all of these techniques, which implies that it must be able to interface to the leading specialized authentication technologies, such as Tokens from RSA, or PKI systems from Entrust or IBM. A major advantage of a security infrastructure is that organizations should not have to change their application logic in order to change or add new authentication technologies. Further, they should be able to implement changes at the security infrastructure level and have applications evolve transparently.
 
In many cases, centralizing security into an infrastructure product has the additional security benefit that of removing the need to hold authorization information in multiple places, such as application servers and desktops. Adopting a security infrastructure also means it should not be necessary to change the security logic in applications in order to take advantage of new devices—a major consideration when organizations are looking at supporting access from thousands of handheld wireless devices during the next few years. The infrastructure should be able to handle access via wireless networks and handheld devices, so users can access applications whether at home, in the office, or on the road. This means that it must interface to the gateways that handle traffic from wireless networks.
 
Single Sign-On:
A related and extremely useful benefit in some technology is the ability to provide single sign-on to all corporate applications. When security logic is coded into each application, the number of passwords and logins that users have to remember and enter grows along with the number of e-business applications. This also imposes a considerable management burden. Administrators have to add users to each system they will use, and delete them from each system if they no longer have access. Because the security infrastructure maintains authorization information for each user and resource, it is able to authenticate the user once, and then seamlessly provide access to each system the user is authorized to use.
 
Policy Setting:
An infrastructure product provides a central point for implementing security policy across the organization. Ideally, a product will allow the establishment of security policies that reflect the structure of the organization, yet are flexible enough to fit the needs of specific groups or applications. The default policy for employees could be to provide access to human resources and other general corporate information. Specific needs of different groups can be met simply by creating new group profiles where needed. For instance, marketing people might get access to the default systems plus specific sales information. This approach avoids the need to define and maintain separate sets of access rights for each user.
 
Support for existing Enterprise Software:
The solution should integrate with existing enterprise applications, so that an organization does not have to build and maintain two independent security infrastructures. This means that the solution should support standard interface technologies used by other applications. In addition, provide integration with specific products that are widely in use. The infrastructure should also be able to take on security tasks for other applications. Finally, it should be able to make use of existing authorization policies by accessing security technology that is already in place. One key interface is the Authorization API (aznAPI), an industry standard supporting a full set of authorization services. AznAPI can be accessed from applications based on standard technologies such as C, CORBA, and Java. AznAPI support also enables other applications to use the e-business security infrastructure for authentication and authorization, making it easier to extend existing applications to the Web. In addition, custom interfaces to specific industry-standard products speed the process of integrating with existing applications. An example of such a product is IBM’s MQSeries, a message-passing technology that is widely used for application to- application communications. Another key standard is Lightweight Directory Access Protocol (LDAP), a standard directory interface. LDAP-compliant directories are used by many organizations and applications to store user and other information. An LDAP interface enables a security infrastructure to accommodate and integrate with LDAP-compliant products.
 
Manageability:
The security solution occupies a central role in the e-business environment, and will be heavily used by administrators to maintain the access rights for all e-business applications. Manageability is key in keeping administrator workload to a minimum. The solution should let administrators define access rights for all users and applications from a central console. A role-based approach reduces the everyday workload by minimizing the need to set up access rights for individual users. An additional useful feature, particularly in large organizations, is the ability to delegate subsets of management authority to different groups. This means that a business unit can be given responsibility to make changes for its own users, or that management tasks can be delegated to specific administrators.
 
Scalability and Reliability:
E-business involves being available 24 hours a day, seven days a week. The solution must be offered on well-supported, highly scalable server platforms and capable of operating in redundant configurations for increased reliability. It should also be able to operate in replicated, load-balanced configurations across multiple servers so that organizations can be confident that the software will scale to meet demands. The security infrastructure can play a further role in improving resource use across the e-business environment. Because it processes all access requests, the infrastructure is in a position to direct requests to the least heavily used resources. In an environment where replicated e-business application servers are used to meet demand, the security structure can play a load-balancing role by monitoring server use and directing incoming requests accordingly.

Monitoring technology is equally important as compared to authentiction and authorization. Read more on Monitoring technology
 
Back 
  
 
Signup for Newsletter
E-Business White Papers

Resources
©2007 www.eBusinessProgrammers.com. All rights reserved.
Ecommerce Solution and Offshore Software Development Powered by MachroTech, a leading ECommerce Software Company
legal privacy
Your information highway http://www.eCommerceProgram.com  
Your premiere destination for Offshore IT Development http://www.OffshoreITOutsourcing.com