You'd expect a company that conducts business over the Internet to be worried about safe credit card transactions. But security isn't an issue for the Internet Shopping Network (ISN), which has been conducting electronic-commerce online for three years.
To safeguard the privacy and confidentiality of members' personal information, ISN hosts online membership applications on Netscape's Secure Commerce Server - which encrypts application information. Each member receives an ISN membership code and security number identification for online ordering protection.
"The Internet is the safest means of doing business," says Roger Foxe, communications manager for the California-based ISN, which recorded a net of $US11 million in revenues in 1996. "There are no issues with Internet commerce. The problem is perception - because people think that there are holes, and that information can be grabbed off the Internet."
Few companies can adopt such a cavalier attitude, but IS managers have successfully implemented a number of creative approaches to provide a safe Web environment for their business, users, customers, and partners.
It's not exactly easy. Ensuring a secure environment requires significant up-front planning in terms of designing an effective security policy and choosing the appropriate security products and technology from the myriad of solutions available on the market. The implementation of proper security measures requires that you overcome user resistance and often cope with the shortage of skilled technical security staff.
What, me worry?
With hundreds of security products on the market, there's no shortage of technology available to address the challenge. Product categories include firewalls, authentication and authorisation devices, intrusion-detection software, encryption software, and related solutions that perform event analysis and reporting, router security management, content management, or virus protection.
Finally, digital certificates or electronic credentials meet the growing needs of e-commerce. Users say the key is in making all of these products work in concert with the network and company policies.
Whether it's a perception or a reality, there's genuine concern that using the World Wide Web as a business tool may inadvertently compromise the integrity of sensitive information. And it's no wonder that your business partners and customers are sceptical when you consider that Web software, Web servers, and the network all pose potential risks.
The Internet, intranets, and extranets raise different sets of concerns - how do you prevent hackers from penetrating your external Internet firewall or transmitting viruses via e-mail? Can you safely restrict access to confidential human resources information stored on an intranet to authorised managers? And how do you ensure that only authorised strategic partners tap into your extranet?
"Assume that you are going to be broken into," explains John Pescatore, principal consultant at Trusted Information Systems, a US firewall vendor. "Now that Web servers are needed for business processes, security breaches can cost organisations money. The impact of incidents has got higher, though our ability to protect has got better."
It's not surprising that the number of incidents is rising. Remote-access dial-up opens up the potential for numerous security risks, including access to confidential information by unauthorised users or even former employees. Today's IS managers must manage numerous complex security components that are difficult and expensive to administer. Rapidly changing standards and quickly emerging technologies create an expensive headache for IS managers who must manage both new and legacy solutions.
Finally, users often resist complicated password schemes that involve alpha-numeric strings and frequent changes that are difficult to learn.
"Security technology has become an administrative nightmare for IT professionals and hard to administer because it is maintained in so many places," explains Jim Rosen, vice-president of marketing at NeTegrity. "The Internet trend is changing the rules of the game. Remote-access is becoming more mission-critical and the lack of consistent security policy is showing."
Dave Pearson, manager of new technology at The Boston Globe newspaper, agrees. With approximately 1000 system users, even simple password changes have become an administrative and user nightmare. Because auditing procedures require the newspaper to change passwords frequently, all passwords periodically expire and new passwords are issued.
"It becomes increasingly difficult for the user community to keep all this stuff straight. Now it's a nightmare for the user community," Pearson explains. "From the management standpoint, tremendous resources are required to just teach people how to change passwords."
Nor does the traditional user name and password present a long-term solution. The Globe is now using NeTegrity's SiteMinder Authentication Server, a remote authentication dial-in user service that provides centralised verification of user access to the network and applications.
It gets worse
But as The Globe looks to extend its application beyond its South Boston confines to remote users and its business partners, the company has been forced to look more closely at its network.
Six months ago, The Globe implemented virtual-private network (VPN) technology using Digital's AltaVista tunnelling software, which creates a connection across the Internet and encrypts the transmitted data. Authorised remote-access users call their local Internet service provider using the Internet as an extension of wide area network facilities as a safe, inexpensive way to provide remote-access.
The advantage is that The Globe does not need to increase its own infrastructure and chase the technology curve.
For now, Pearson views ease of use as the greatest obstacle.
"Security is a trade-off between ease of use and security," Pearson says. "It's necessary to find a balance."
As for the future, Pearson views a strong, single authentication process as a critical way to ease administrative pain and improve ease of use. He would also like to see vendors adopt common standards.
Robert Moskowitz, a technical support specialist at Chrysler, emphasises that the issue is one of network security rather than Web security. He strongly advises securing access at the network level as a better approach, using IP to secure the host connection.
To this end, Moskowitz is pinning his hopes and resources on the IP Security Protocol. This new Internet Engineering Task Force (IETF) specification is designed to completely secure an IP session - whether it's TCP, unshielded twisted pair, or Internet Control Message Protocol-based - at the IP level rather than at the session level.
"Once you secure at the network you can expose application programming interfaces securely to application needs," Moskowitz says.
As for firewalls, Moskowitz calls them "the Maginot line of security" and an impediment to good security practices. Because they can be bypassed, firewalls promote the archipelago concept of extranets: it is easy to traverse two firewalls by working between islets.
However, most experienced users report that security is only sufficiently addressed when IS departments focus on both the network and internal checkpoints.
"Security issues across a public network have stopped business from being delivered and are so complex that you don't want to get invaded by a hacker," explains MIS manager Mike Cummins.
Cummins says that originally he evaluated the Internet but was uncomfortable about sending client record data across the Internet as it exists today. Therefore, his organisation turned its attention to a VPN built using Internet tools and browser-type technology. But the company is also addressing concerns about secure information flow with firewalls, encryption, and other security technology.
Reaching consensus on the best approach to security may be a pipe dream, but experts agree that effective security planning and policy management holds the key to success. Understanding your organisation's business policy is the critical first step because it will help determine what is an acceptable risk.
However, IS and business line managers often bring different perspectives. Busi-ness organisations tend to take a more pragmatic view towards risk, and IS managers may be more rigid about enforcing security; therefore, compromise may be necessary.
Choosing a security strategy requires IS managers to step back and establish categories and policies for both people and data.
Cummins recommends a multiprong approach: first, decide how secure certain information should be. Second, structure the data so that only items with the highest value for the company are protected at the highest level. Third, undergo a security evaluation.
Cummins also strongly advises the use of outside resources to ensure that all aspects of security are factored into the equation.
Similarly, how do you assign a manageable security policy that accommodates different sets of users and resources? For example, access to customer-account information needs to be restricted to your sales force, and sensitive financial data should be restricted to key accounting personnel.
Many experts recommend focusing on the user. First, define users in groups (sales, managers, and so on) and determine their resource and authorisation privileges. Second, enforce security both from an authentication and authorisation perspective, Rosen says.
Vendors, such as Cisco, are also catching up with policy-based tools. Although it's a large puzzle, the ability to focus on users and policies will make it easier to implement security across the enterprise.