WEB SECURITY ADVISOR
Security architecture for e-business
Michelle Johnston
05.17.2001
Rating: -4.00- (out of 5)
Security for your e-business is a de-facto must. You have to keep
your corporate interests intact, and you have to keep the bad guys
out of your e-business site, while letting the good guys (your
customers, e.g.) in. In this tip, excerpted from
InformIT, Michelle Johnston, e-business expert, talks
about security considerations in the technical design of your site.
Security is a massive topic. To be effective, the security policy of
an organization must be enforced at every level of the technical
architecture and must be reinforced via business policies and
procedures.
Web server hardware should be kept in a secure room, free of
environment hazards, with access controls, air conditioning and so
on. Firewalls and proxy servers must be configured to prevent
unauthorized access and to keep out malicious content (this should
include the disabling of any ports that don't need to be open and
careful control of those that do).
Network configurations and password control should be effectively
managed and monitored.
Audit logs should be kept of all failed attempts to gain access to
the system. Virus-checking software should be installed on file
servers, hard disks and so on, before any device or computer is
allowed access to the network. Web server software-access controls
should be carefully managed; virtual directories should be created
and maintained carefully in the light of security issues.
Operating system permissions (on files and directory structures, as
well as on executable content) should be carefully controlled and
monitored, and database permissions and security controls should be
afforded the attention they deserve. Application-level controls,
where they exist, should be carefully designed, managed and
monitored.
The use of SSL to manage interactions between the browser and the Web
server can help protect sensitive data being sent to and from the
Web. ActiveX controls should only be used in situations where they're
absolutely necessary, and even then with a great deal of caution and
control over what they can and cannot do. Digitally signing an
ActiveX control only provides the user with confidence that he or she
can download it; it doesn't ensure that the ActiveX control cannot
cause unexpected damage or provide a backdoor into the system.
Remember that security is a journey, not a destination -- new security
"holes" are found in software components all the time, new viruses
appear daily and complacent companies are the hacker's dream.
To read all of this tip on technical architecture for e-business,
click over to InformIT. You'll have to sign up there,
but it's free.
Related book
Delivering Security and Privacy for E-Business
Author : Anup Ghosh
Publisher : John Wiley & Sons
ISBN/CODE : 0471384216
Cover Type : Soft Cover
Pages : 256
Published : Feb. 2001
Summary:
With billions of dollars at stake in e-commerce, companies are becoming much more concerned about security and privacy issues. Hackers have made headlines by breaking into Web sites that aggregate sensitive information about all of us, which has caused growing public concern about personal and financial privacy. Some online businesses are inadvertently "sharing" data with others when they interoperate systems. This book examines the external threats to a company's system and explains how to react if your system and business goals diverge. It also presents a nuts-and-bolts guide to enhancing security and safeguarding gateways. Readers will find an extensive reference section for the many tools, standards, and watchdog agencies that aid in the security/privacy effort.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com.
Register now
to start rating these tips. Log in if you are already a member.
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
