Ideal security in e-commerce

DQW Bureau


According to the Internet Commerce Model, version 6.1, the worldwide value of business-to-business e-commerce transactions reached $2.4 billion in 1994 and is expected to increase to $1.2 trillion by 2004. This ever-increasing IP-based electronic marketplace poses new security challenges. Earlier security products concentrated on controlling traffic in and out of the corporate network, and authentication products concentrated on limiting the types of access that groups of users had to collections of corporate assets. The Internet environment provides a platform for immense business transactions, in which suppliers, customers, internal employees and their resources are fused into one e-business fabric.

This heightens the need for a robust security model for refined authentication, access and authorization.

Some enterprises realize the importance of beefing up their security arrangements, while others display overconfidence in their traditional solutions. Of the seven security mistakes that companies make, according to the SANS Institute list, reliance on a firewall tops the list.


Not only IT managers but also CEOs are now showing heightened concern for their company's security infrastructure. They reflect the need to balance widening Internet access with effective security. They have to be able to prevent unauthorized insider access while ensuring that only those with valid credentials are able to access website content. IT managers have to ensure that the entire range of security products works together without excess administration overhead. Controlling the availability of sensitive data as it replicates across multiple web servers is another aspect of a security solution. Apart from this, company data has to be protected from attack by hackers, while the security arrangements still support e-business openness.

Preventing unauthorized insider access

As the e-commerce business grows, so does the number of people included on a company's list of authorized users. Even though information has to be open to customers, a company has to ensure that its competitors are not able to gain access to confidential information. Though the thrust of today's IT scenario is to widen the doors, the challenge for IT managers is to manage the authentication and authorization credentials of these users. It has also been seen that the directories of authorized users are not cross-linked, and thus the threat of inside access to privileged information remains.



Security managers need to ensure that their security solutions support authentication and authorization for multiple, different populations. A solution should support different levels of authorization within each population and coordinate authorization across different applications, databases, platforms and web sites, while allowing varying levels of authorization within each.

Integrating the security infrastructure

The biggest challenge for IT security managers is to ensure that the security products are compatible with each other. System builders are trying to ensure that any business process works end-to-end across platforms, databases, legacy backends and security technologies without interruption. Security products differ by vendor, and IT staff are struggling to build custom interfaces to bridge this gap.


Protecting decentralized data

When all the data was in one database in one computing center, it was easy to control access to sensitive data. Now data is being downloaded from the mainframe to Sun and NT servers every day, and this requires that the protection level remains the same.

Privileged data is rapidly proliferating to different Web servers and clients, and customers can no longer rely on mainframe control and protection of key databases. Effectively implemented security policies and broader security procedures are the keys to maintaining the security of distributed data. However, the success of this depends on the availability of additional technologies, such as authentication and authorization, beyond the ones already available.


Protecting assets from hacking

A single incident of hacking can cause considerable embarrassment and loss of faith and trust for a company. Every security manager's nightmare is website vandalism and hacking.

Yet wiring together traditional stand-alone security products is not enough, and since most threats come from within, it is necessary that the e-business fabric and protection layers become more sophisticated. Access control, authentication and authorization play an important role in protecting valuable assets, such as corporate web pages.


The first and most basic step in securing corporate data is the solid implementation of anti-virus solutions to protect servers and clients. This is an issue to which security managers pay close attention.

Security supports e-business openness

Despite the threats that security managers face today, they have to ensure that the security demands on the end user are low. A security focus at the expense of the user interface runs the risk of rejection. Thus a delicate balance between the security arrangements and the demands made on the end user has to be maintained. Apart from this, even e-commerce/e-business managers show little appreciation for security layers that retard processing speed.


Keeping these issues in mind, security managers seek solutions that limit intrusion and at the same time do not put any excess burden on the end user or limit the functioning of the e-commerce managers.

Putting it all together: The ideal authentication/authorization solution

The core of e-business is authentication and authorization. Each of the key e-business security concerns outlined above translates into authorization and authentication solution requirements.

Joy Ghosh

(The author is Country Manager India, Symantec Limited and is responsible for business development and expansion of Symantec's operations in India.)