E-Commerce Security Concerns
Oct 28th, 2008 by Scott Hebert
Company X is a fictional manufacturer of gourmet snacks and treats.
The security concerns for an online business can be broken down into three main categories: web server security, data transmission security, and end-user system security. These three areas each correspond to one leg of the communication between the company's web site and the customer's web browser, and each carries significant security concerns of its own. To ensure that company information and customer privacy are protected, every phase of the communication must be as secure as possible; a weakness in any one of them undermines the other two.
The first order of business for a company beginning to secure its online communications is the security of the web server. Like the overall e-commerce security process, securing the web server focuses on three main areas. First, the company must ensure the server itself is secure. This means closing any security holes presented by the operating system and applying every patch available from the vendor. Next, the web server software must be secured. It should run under an unprivileged account with only the permissions it needs, so that an attacker who exploits a flaw in it does not thereby gain elevated system privileges. Finally, the interaction between all software components must be secured. This requires an intimate knowledge of how the web site works, in order to know when non-web communications such as file or database access take place (Garfinkel, 2001). It is pointless to secure every other part of the server while leaving unprotected the link between the web server and the database server that holds critical customer information. Together these measures protect the server environment from outside intrusion.
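The three server-side checks above (vendor patches, the privileges the web server runs with, and the links between the web server and other components) can be expressed as a small audit script. The following is an added example, not code from the original post or from Garfinkel. Every input is a constructed snapshot of a hypothetical host; on a real server the same records would come from ps -eo user,pid,ppid,comm, ss -ltnp, find, and the package manager.

```python
"""Added example (not from the original post): a minimal server-hardening
audit covering OS patch status, web server process privileges, and the web
server's links to the database and the document root.  All data below is a
constructed snapshot of a hypothetical host."""

from dataclasses import dataclass

# Constructed `ps -eo user,pid,ppid,comm` output for a hypothetical host.
PS_OUTPUT = """\
USER       PID  PPID COMMAND
root         1     0 systemd
root       812     1 httpd
www-data   813   812 httpd
root       814   812 httpd
root      1102     1 mysqld
"""

# Constructed listening sockets: (bind address, port, process name).
LISTENERS = [
    ("0.0.0.0", 80, "httpd"),
    ("0.0.0.0", 443, "httpd"),
    ("0.0.0.0", 3306, "mysqld"),
]

# Constructed permission bits for files under the document root.
DOCROOT_FILES = {
    "/var/www/html/index.html": 0o644,
    "/var/www/html/uploads": 0o777,
    "/var/www/html/config.php": 0o640,
}

# Constructed list of packages for which the vendor has a newer version.
PENDING_UPDATES = ["openssl", "httpd"]

# Account each daemon is expected to run under after dropping privileges.
EXPECTED_ACCOUNT = {"httpd": "www-data", "mysqld": "mysql"}
# Daemons allowed a root master process because they bind ports below 1024.
ROOT_MASTER_ALLOWED = {"httpd"}
# Services that should be reachable only from the web server itself.
LOCAL_ONLY_SERVICES = {"mysqld"}


@dataclass
class Finding:
    severity: str
    message: str


def parse_ps(text):
    """Turn the ps table into (user, pid, ppid, command) tuples, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            rows.append((parts[0], int(parts[1]), int(parts[2]), parts[3]))
    return rows


def audit(ps_text=PS_OUTPUT, listeners=LISTENERS, files=DOCROOT_FILES,
          updates=PENDING_UPDATES):
    """Return a list of Finding objects for the given host snapshot."""
    findings = []

    # 1. The server itself: vendor patches not yet applied.
    for pkg in updates:
        findings.append(Finding("high", f"pending vendor update for {pkg}"))

    # 2. The web server software: worker processes (ppid != 1) must never run
    #    as root, and a daemon that needs no privileged port should not have
    #    a root master process either.
    for user, pid, ppid, comm in parse_ps(ps_text):
        if comm not in EXPECTED_ACCOUNT or user == EXPECTED_ACCOUNT[comm]:
            continue
        if ppid == 1 and comm in ROOT_MASTER_ALLOWED and user == "root":
            continue  # root master that only binds the port, then forks workers
        findings.append(Finding(
            "high", f"{comm} pid {pid} runs as {user}, expected {EXPECTED_ACCOUNT[comm]}"))

    # 3. Interaction between components: the database must not be reachable
    #    from the Internet, and nothing under the docroot may be world-writable.
    for addr, port, comm in listeners:
        if comm in LOCAL_ONLY_SERVICES and addr not in ("127.0.0.1", "::1"):
            findings.append(Finding(
                "high", f"{comm} listens on {addr}:{port}; bind to localhost or a unix socket"))
    for path, mode in files.items():
        if mode & 0o002:
            findings.append(Finding("medium", f"{path} is world-writable (mode {mode:o})"))
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"[{f.severity}] {f.message}")
```

The root httpd master on pid 812 is deliberately not reported, since a master that binds ports 80 and 443 and then forks unprivileged workers is the normal arrangement; the root worker on pid 814 and the root mysqld are the real problems, along with the database listening on every interface.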
Data transmission refers to the traffic crossing the Internet between a web server and a customer's web browser. The main concern for security professionals is eavesdropping on these transmissions as they cross portions of the Internet outside the control of either party. The proliferation of wireless networks and related technologies has made eavesdropping a more pressing concern than ever before. One method for securing these communications is to employ private line networks between suppliers and end-users. This has its uses for business-to-business communications where the number of involved parties is small, but it is impractical in any business-to-consumer application. The practical method for securing data transmissions to consumers is to protect the connection with Secure Sockets Layer (SSL). SSL uses public key cryptography to authenticate the server and to negotiate a session key, and then encrypts the traffic with that key, so that a third party who captures the packets cannot read them. (SSL has since been superseded by Transport Layer Security, TLS, which plays the same role.) SSL implementations are easy to deploy, with relatively low cost SSL certificates available from many vendors (Garfinkel, 2001).
The final e-commerce security concern is the end-user's system. Viruses, spyware, and adware are distributed daily by hackers in an attempt to gain access to sensitive information on end-users' computers. This data is not only sensitive to the end-user, but may reveal critical information about the operation of the company's web site, such as account credentials. Unfortunately, maintaining the security of individual user systems is well outside the scope of any e-commerce company. Originally, efforts to increase user security focused on educating people about online dangers. Due to the complexity of computer systems, these education efforts failed. The new focus is on providing end-users with software that automatically checks and maintains the security of their systems (Garfinkel, 2001).
Company X must develop a strategy to address each of these three security concerns. The cheapest and easiest problem to solve is SSL protection for sensitive data transmissions between the server and the end-user. Thawte, Inc. offers SSL web server certificates for as little as $249.00 per year (Thawte, 2008). This cost is inconsequential compared to the protection it provides, with one caveat: a certificate protects data only while it is in transit, and does nothing for that data once it reaches the server or the customer's machine. Unfortunately, the security of the web server will not come so cheaply. The web server will require an initial security audit, followed by regularly scheduled security reviews. These audits and reviews require the work of a security professional familiar with the software and the server platform. Although the initial audit will carry a higher price tag, the ongoing reviews should be substantially less expensive. Finally, Company X must address the security of end-user systems. Since Company X cannot reasonably provide security software to all of its end-users, education is the only option. Company X should provide an informational page discussing the security and privacy concerns relating to the use of its website and offering advice for end-user security.
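Buying the certificate is the easy part; the check a practitioner would want, both for the data transmission section above and for the strategy just laid out, is that every page where a customer types sensitive data really submits it over SSL and is not undermined by plain-http content. The following is an added example, not code from the original post or from Garfinkel or Thawte. The checkout HTML and the hostname www.companyx.example are constructed for a hypothetical Company X site; in practice you would fetch each page and pass its URL and body to check_page().

```python
"""Added example (not from the original post): scan a page for forms that
collect sensitive data and report any that would submit it without SSL, any
such page served over plain http, and mixed content on https pages.  The HTML
below is constructed for a hypothetical site."""

from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field names treated as sensitive in addition to any <input type="password">.
SENSITIVE_FIELDS = {"password", "card_number", "cvv", "ssn"}

# Constructed checkout page for the hypothetical host www.companyx.example.
CHECKOUT_HTML = """
<html><head><script src="http://cdn.companyx.example/tracker.js"></script></head>
<body>
<form action="/cart/checkout" method="post">
  <input name="card_number"><input name="cvv"><input type="submit">
</form>
<form action="http://www.companyx.example/newsletter" method="post">
  <input name="email"><input type="submit">
</form>
<form action="http://www.companyx.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>
"""


class FormScanner(HTMLParser):
    """Collect each form's action and sensitive fields, plus http:// script/iframe sources."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.http_resources = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            if (a.get("type") or "").lower() == "password" or name in SENSITIVE_FIELDS:
                self._current["fields"].append(name or "password")
        elif tag in ("script", "iframe") and (a.get("src") or "").startswith("http://"):
            self.http_resources.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_page(page_url, html):
    """Return a list of problems with how this page handles sensitive input."""
    scanner = FormScanner()
    scanner.feed(html)
    page_scheme = urlparse(page_url).scheme
    problems = []
    sensitive_forms = [f for f in scanner.forms if f["fields"]]

    # A form's target is resolved against the page URL, so a relative action
    # inherits the page's scheme: fine on https, a problem on http.
    for form in sensitive_forms:
        target = urljoin(page_url, form["action"])
        if urlparse(target).scheme != "https":
            problems.append(
                f"form submits {', '.join(form['fields'])} to {target} without SSL")

    # Even if the action is https, an http page can be altered in transit to
    # change that action, so the page itself must be served over SSL.
    if sensitive_forms and page_scheme != "https":
        problems.append(f"sensitive form served over plain http from {page_url}")

    # Plain-http scripts on an https page can be replaced by an eavesdropper
    # and read the form fields anyway.
    if page_scheme == "https":
        for src in scanner.http_resources:
            problems.append(f"https page loads {src} over plain http (mixed content)")
    return problems


if __name__ == "__main__":
    for p in check_page("https://www.companyx.example/cart", CHECKOUT_HTML):
        print(p)
```

The newsletter form is ignored because it collects nothing sensitive; the login form and the http tracker script are reported. Run against the same HTML served from an http:// URL, the checkout form's relative action is also flagged, since it would then submit card details in the clear.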
Garfinkel, S. (2001). Web security, privacy & commerce (2nd ed.). Sebastopol, CA: O'Reilly.
Thawte, Inc. (2008). Buy thawte SSL certificates. Retrieved October 28, 2008.
Rayport, J. F., & Jaworski, B. J. (2004). Introduction to e-commerce (2nd ed.). New York: McGraw-Hill/Irwin.