E-business data exchange-security essentials. (Security).

While media attention on privacy and security tends to focus on consumer information on the Internet, much broader issues are at the core of business success in the electronic age. Whether the concern is the protection of corporate assets, compliance with industry or government regulations, or guarding sensitive personal information, business processes and procedures must adhere to the security policies of an organization. As companies extend their business processes electronically to customers, partners and other external constituencies, there is a need to ensure the security of those transactions and of the sensitive business data that is being shared. The integration middleware and infrastructure that supports electronic business must have robust security features to satisfy these requirements.

ELEMENTS OF A SECURE E-BUSINESS ENVIRONMENT

Corporate security policies define levels of trust within the organization, and implement appropriate barriers between unauthorized users or malicious intruders, and valuable corporate information. In the context of e-business, security policies extend to the protection of business information shared with external constituencies. Whether internal or external, security policies address the following elements.

* Authorization and authentication of users
* Access control to applications, data and other resources
* Protection of confidentiality and integrity of stored or transmitted information
* Proof of participation in an electronic transaction
* Intrusion detection and prevention

Authorization and Authentication of Users

Authorization is the process of granting user access to corporate resources. These resources may include specific computer systems or networks, corporate data, applications and the like. Users may be internal to the organization or they may be external entities granted access to specific resources. Whether a user is an individual or an application, it is typically identified by a user ID with which certain privileges are associated. In some environments, a specific set of privileges may be defined for a role in the organization or a particular group of users. Assigning an individual user to the role or group grants the appropriate privileges.

Authentication, the process of verifying the identity of the user attempting to access corporate resources, is often accomplished through a challenge/response technique, of which the login procedure with prompt for password or Personal Identification Number (PIN) is probably the most familiar. The security of a challenge/response system relies on maintaining the confidentiality of the response data (such as the password or PIN). Authentication may also be accomplished through presentation of a certificate that has previously been validated by a trusted party. Regardless of the technique used, authentication mechanisms guard against unauthorized intrusion by verifying that the user, application, or system attempting to gain access to resources is who they claim to be.
In the case of system-to-system communications, this provides security against such hacker tactics as IP address spoofing.

Access Control

Access control describes the mechanisms used to control access to corporate resources by authorized users. The simplest form is physical: resources are secured by denying physical access to unauthorized users. Familiar examples include locks on doors or filing systems and ID badges that permit the holder to have access to specific locations within the physical plant. Controlling access to electronic resources may be accomplished in a variety of ways, such as

* By the privileges granted to an individual user, role or group
* By the rules associated with a specific file, database or other data source
* Through the application required to access the data

Access may be controlled by facilities within the operating system or network or by application or system software.

Data Privacy, Confidentiality and Integrity

Ensuring the privacy and confidentiality of data extends beyond mere access control. This is especially true when data is exchanged among departments within an organization or with external entities. When data is transferred from one system to another, privacy must be ensured during the transfer. This may be accomplished by using a private connection (such as a WAN or leased lines) or by encrypting data that transits public networks.
Increasingly, industry and governmental privacy regulations as well as corporate security policies require encryption of data in transit, regardless of the physical security of the network over which it travels. The Cryptography Technote provides additional details on the concepts and implementation of cryptography for ensuring data privacy.

Despite all other security precautions, it is still possible for a data packet to be intercepted and changed during transmission. Data integrity checking guards against tampering with data in transit. Typically, a message digest (or hash value) is computed independently at both the sending and receiving locations and is compared to verify the accuracy of the information received.

Proof of Participation

Proof of participation in an electronic transaction is also referred to as 'non-repudiation.' Non-repudiation is typically achieved through the use of digital signatures, which are transmitted with the electronic transaction and may be stored with the data for later reference. A digital signature provides both proof of origin of the data and proof of participation by the sender. The United States has recently passed legislation giving digital signatures the same legal authority as handwritten signatures for certain types of transactions.

Intrusion Detection and Prevention

This category of security precaution guards against the penetration of corporate resources by unauthorized external entities. Like access control, some aspects of intrusion detection and prevention are associated with physical access to facilities and resources. For electronic transactions, one technique for controlling intrusion is implementation of one or more firewalls between public networks. The simplest configuration is a single firewall between corporate systems and public networks. In today's complex business environment, where companies often exchange data with partners and customers, a common configuration is two firewalls with a 'demilitarized zone' (DMZ) between them. External entities can traverse the outermost firewall for access to resources deployed in the DMZ. Traversal of the innermost firewall is restricted to trusted users or applications with authority to access back-end systems and to move data from the DMZ into the company's most secure environment. Policies implemented on the firewall govern how far into a company's systems a user may penetrate, what types of data may traverse the firewall, and whether access is permitted in a single or bidirectional mode.

www.sterlingcommerce.com
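
The digest comparison described under Data Privacy, Confidentiality and Integrity, as an added Python example that is not part of the original article; it goes one step beyond the text by also showing a keyed digest (HMAC), because an unkeyed digest that travels with the message can be recomputed by whoever changes the message. The order text, the shared key and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data: a purchase order and a key shared by two partners.
ORDER = b"PO-1001;item=widget;qty=10;ship_to=Dock 4"
SHARED_KEY = b"constructed-demo-key-not-for-production"


def send_plain(payload: bytes) -> dict:
    """Sender: attach an unkeyed SHA-256 message digest to the payload."""
    return {"payload": payload, "digest": hashlib.sha256(payload).hexdigest()}


def verify_plain(msg: dict) -> bool:
    """Receiver: recompute the digest independently and compare."""
    expected = hashlib.sha256(msg["payload"]).hexdigest()
    return hmac.compare_digest(expected, msg["digest"])


def send_keyed(payload: bytes, key: bytes) -> dict:
    """Sender: attach an HMAC-SHA-256 tag that depends on the shared key."""
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "digest": tag}


def verify_keyed(msg: dict, key: bytes) -> bool:
    """Receiver: recompute the tag with the same key, compare in constant time."""
    expected = hmac.new(key, msg["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["digest"])


def alter_payload_only(msg: dict, new_payload: bytes) -> dict:
    """In-transit change that leaves the attached digest untouched."""
    return {"payload": new_payload, "digest": msg["digest"]}


def alter_and_rehash(new_payload: bytes) -> dict:
    """In-transit change by a party who also recomputes the unkeyed digest."""
    return send_plain(new_payload)


if __name__ == "__main__":
    changed = ORDER.replace(b"qty=10", b"qty=1000")
    print("intact, plain digest:    ", verify_plain(send_plain(ORDER)))
    print("payload changed only:    ", verify_plain(alter_payload_only(send_plain(ORDER), changed)))
    print("payload and digest redone:", verify_plain(alter_and_rehash(changed)))
    print("same change, keyed check: ", verify_keyed(alter_and_rehash(changed), SHARED_KEY))
```

A keyed digest shows only that someone holding the shared key produced the message, so it does not give the proof of participation that the article assigns to digital signatures.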