In the e-business arena, the security of users - including partners, employees and customers - is a complex issue that involves protecting a wide variety of disparate e-business assets. These include websites, databases, enterprise servers, applications, data warehouses and ERP and CRM systems.
Danny Ilic, business development specialist (Enterprise Management and Security) at Computer Associates, says that e-business security should focus on three key aspects: strategic management; defence; and access. "While addressing these areas, system designers should also strive to reduce complexity, minimise risks and cut management costs," he says.
According to Ilic, management - which primarily involves regulating access to critical business assets - can be boiled down to five points. These are:
* Access control.
* Policy compliance.
* Single sign-on.
"The concept of strategic management covers not only access to simple browser-based applications, but extends to enterprise security systems and directories up to mainframe-based systems such as the OS/390, z/OS and VM business transaction environments," he says.
"A successful management strategy allows companies to prepare against unauthorised usage or attacks by identifying potential weak points in an organisation's security policies.
"Ideally, access control must provide homogeneous security across platforms and across the organisation, while admin - in providing for 'hire to retire' user provisioning - must also offer wide platform and applications support without the requirement of a framework.
"Auditing is about reducing security operations costs, and involves centralised, automated auditing in an easy to query database," Ilic adds. "An auditing solution should provide for an easy update and threats notification process through a Web interface, as well as providing for the quick and easy detection of any deviation from policies."
E-business defence is the most public of all security procedures and revolves around anti-virus, content inspection, intrusion detection and firewall technologies.
"Antivirus systems must provide realtime, enterprise-wide protection against viruses, while content inspection technology isolates malicious code activity and provides realtime attack prevention including automatic detection, blocking and notification of all types of malicious content," Ilic explains. "Content inspection protects an e-business at its gateway, blocking the introduction of malicious content in the corporate environment."
He points out that antivirus systems must also be able to minimise end-user intervention, as well as enforcing consistent policies.
"Intrusion detection combines surveillance and alert capabilities to help stop abuses and attacks, and firewalls uniformly enforce security policies throughout the enterprise, safeguarding all mission-critical network resources."
The third key aspect of e-business security - access - brings in directory technology, PKI, online certification status, VPNs and web access control.
"Web access control enhances overall e-business security by combining authentication and authorisation methods, while PKI provides a reliable, trusted mechanism for business transactions," Ilic says.
"VPN technology can be used to transparently secure all application data, centrally manage all servers and provide detailed audit logs for comprehensive analysis."
He also emphasises that while directory technology is becoming increasingly key - with corporates across the world routinely turning to directory technology as a critical cornerstone of their e-business activities - corporates must look to true multiprotocol solutions that combine the strengths of X.500 and LDAP V3.