A look at the dynamics shaping the business environment raises a few issues that support the argument that security is becoming crucial to business. There is a decreasing emphasis on travel and a greater reliance on distributed computing environments. Both these factors lead to greater use of the Internet to conduct business transactions.
Early Internet use centred on information sharing and text messaging and featured Web site access and FTP file sharing. Therefore, the earliest security products focused on controlling traffic in and out of the corporate network. For example, as hackers tried to take advantage of the open environment of the early Internet, firewalls appeared, effectively protecting Web sites from disruption and controlling outbound activities.
Other security products, such as intrusion detection, were also deployed to mitigate this external threat to corporate Internet/intranet sites, as hackers remain ready to attack.
Similarly, early authentication products focused on limiting types of access by groups of users to collections of corporate assets. Simpler authentication schemes, such as resource-level passwords and associated directories, basically controlled access to internal resources. The more mature security products in place today targeted the simpler security demands of the mid-to-late 1990s.
Today, the Internet environment provides the platform for an immense number of e-business transactions that IDC projects will generate $US1.6 trillion in revenue in Asia-Pacific (excluding Japan) by 2006. Suppliers, customers and corporate insiders blend into an integrated IP-based business fabric. A growing array of data sources, applications, transaction types, services and resources supports this wider population.
As Internet usage becomes more sophisticated, it's no longer enough to lock out the "guys in black hats" or encrypt important e-mail; a myriad of additional and valid users must access "their" data seamlessly.
Some leading-edge adopters are building for this challenge, but many display overconfidence in more traditional solutions. IDC's end-user research indicates an over-reliance on firewalls and antivirus solutions as the first line of defence.
Preventing unauthorised inside access
A dominant thrust of e-business is to widen Web access to product, process and corporate information for customers and partners. IT managers must now manage the authentication and authorisation credentials of far more users as customers and suppliers gain access to what had previously been "internal only" data and applications.
They must enable users in multiple environments - many of which maintain their own directory of users - to access applications, secure databases, servers and Web sites, each of which can have a separate directory of authorised users. Often these directories do not tie together or cross-link, making the establishment and maintenance of secure authentication an onerous task. Despite these challenges, the threat of inside access to privileged data remains high. The potential damage from such access rises sharply in industries such as healthcare and financial services.
Integrating the security infrastructure
Systems builders are trying to make sure that any given business process works end to end across platforms, databases, legacy back ends and security technologies without a hitch. Many in the market feel that the wide range of security offerings does not play well together.
Customers want to maintain and leverage their legacy security investments. They are requesting solutions that integrate existing security product investments with newer security capabilities.
Protecting decentralised data
As e-business grows, privileged data is rapidly proliferating to different Web servers and clients. Customers can no longer rely on mainframe control and protection of key databases. Effectively implemented security policies and broader security procedures are key to maintaining distributed data security.
However, successful policy implementation needs the accompanying technologies - authentication, authorisation, application calls, data encryption, and more - traditionally available in the mainframe environment.
Customers seek the ideal of central management, but with widely distributed data security solutions. At a minimum, they need support for data access control, authentication and authorisation on multiple Web servers.
Protecting assets from hacking
Puerile and prankish Web site vandalism and hacking remain near the top of every security manager's nightmare list. Security managers pay close attention to these threats, ensuring solid antivirus protection on servers and clients, wiring together multiple layers of firewalls and monitoring the most advanced intrusion detection and vulnerability assessment technologies.
However, most threats come from within, once again bringing access control, authentication and authorisation to the fore.
Security supports e-business openness
Despite the risks and exposure, system builders feel duty-bound to keep the security demands placed on the end user low-profile, as too much focus on security at the expense of the user interface or the speed of the development cycle runs the risk of rejection. On the other hand, users and business-line managers sponsoring a given systems initiative recognise the need for security. Once again, a delicate scale balances both sides.
With these pressures in mind, e-business system builders seek solutions that limit intrusion on the application development process. They attempt to streamline development and to isolate security processing from application logic, avoiding requirements for multiple authentication steps - a difficult challenge because applications link multiple separate application, platform and database access steps.
Finally, e-commerce managers show little tolerance for security layers that retard processing speed.
Natasha David is a senior software analyst with IDC Australia.