(Published in NewMedia October 1999)
OUTSOURCE
Rent A Cybercop
Your e-commerce site looks great: It's graphically dynamic and simple to use; products are displayed clearly with succinct descriptions; and placing an order is easy and fast. But how protected is your site?
According to a recent study by ResearchPortal, one-quarter of potential Web shoppers do not purchase products and services over the Internet because they're worried about lax online security. What can you do to keep your content safe?
Outsourcing for security guards is nothing new in the bricks-and-mortar world. So why not do the same online and entrust your security to the experts? Major Web security providers such as GTE CyberTrust, Entrust, Certicom, SSH Communications Security, and VeriSign can offer your company various sets of services, depending on your needs, the size of your business, and how much you're willing to pay.
Although choices abound, e-commerce security is rarely as simple as installing a single piece of software. "Good out-of-the-box solutions are not readily available to small or large sites," says Paul Lambert, a senior architect with Certicom. "Most sites need to follow guidelines to carefully craft a site and/or hire consultants and integration experts."
Some of the tools Certicom employs are public-key cryptography, Secure Sockets Layer (SSL) tool kits for OEM developers, security reviews, consulting, integration and architecture services, and public-key smart cards. Clients and partners include such heavyweights as 3Com's Palm Computing, Hewlett-Packard, and VeriFone.
One of the biggest hurdles Lambert faces is convincing companies to take site security seriously. He points out that just as a bank needs guards, door locks, alarms, cameras, liability insurance, and auditors, a Web site needs its own array of security safeguards.
Rodney Thayer, director of technology at SSH Communications Security, agrees. "The best way a company can protect and secure its e-commerce site," he says, "is to treat security as a mission-critical aspect of site management, just like other infrastructure issues."
SSH provides two pieces of technology to help secure e-commerce sites: SSH and SSH IPsec Express Toolkit. SSH provides a secure means to remotely access UNIX and other systems. SSH IPsec Express Toolkit is used by Internet infrastructure equipment providers for secure TCP/IP networking.
The tools, techniques, and procedures that Web security firms like Certicom recommend and employ can include any or all of the following: clear security policies within the company, good physical security, firewalls, "trusted" platforms, authentication, network encryption, and a policy that employees use only trusted applications.
The major problems Lambert sees? Some sites are still using SSL 2.0, which is subject to attacks, unlike SSL 3.0. And many small- to medium-size sites fail to reconfigure Windows NT or Linux to prevent attacks. What's more, many sites still put all their trust in firewalls, which, according to Lambert, are leaky and prone to infiltration.
"Consider the big picture," says Thayer, "and make sure you're securing things in all the right places, not just the obvious ones."
As more people begin to shop online, Web security concerns are growing. But so, too, is the number of companies dedicated to addressing them. By 2002, the Internet security software market will be worth more than $7.4 billion, according to International Data Corp. With so many firms offering security solutions and so much money being dedicated to the issue, there's really no excuse for leaving your shop unguarded.