Problem solve Get help with specific problems with your technologies, process and projects.

E-Commerce Security Needs

This excerpt is from Network Security: A Beginner's Guide, written by Eric Maiwald.

This excerpt is from Module 17, E-Commerce Security Needs of Network Security: A Beginner's Guide, written by Eric Maiwald and published by McGraw-Hill/Osborne Media.

Differences Between E-Commerce Services and Regular DMZ Services

It is obvious that e-commerce services can be provided using similar infrastructures as those needed for Internet connectivity. Web servers, mail servers and communication lines are all necessary. But there are differences between how e-commerce services are designed and how normal Internet services are designed.

The differences between the two begin with the requirements of the services. For regular Internet or DMZ services (see Module 16 for more information on DMZ), the organization wants to provide information to the public (Web sites) or transmit information between the organization's employees and the public (mail). The organization may want to verify that it is providing correct information over its Web site and that the Web site is usually up. The same is true for mail. The mail service is store and forward. Sometimes it takes a while for a message to be delivered. If inbound mail is delayed due to a system failure, it is not a big deal to the organization. Inbound mail is not critical for day-to-day business and thus the source of the e-mail does not need to be verified beyond the source e-mail address.

Now think about the requirements for commerce. The organization still wants to provide a service to the public (for business-to-consumer e-commerce, anyway); however, the organization must know who is ordering goods and who is paying for them. At the very least, the organization must verify the identity of the person ordering the goods. Since we do not have universal identity cards, the organization must use some other form of identification. Most often it is a credit card in conjunction with the shipping address for the goods.

Another new aspect of e-commerce services is the need to keep some information confidential. The information may be what is being sold (so that the organization is properly compensated for the information), customer information that has been held for safekeeping, or it may be the information used in the purchase (such as credit card numbers).

These two primary differences, verification and confidentiality, differentiate the e-commerce services from regular DMZ services. There is one other issue that must be taken into account when e-commerce is discussed. That is availability. No longer is the Web site just for information about an organization. Now the e-commerce site generates revenue and provides a service to the customers. Availability becomes a critical security issue for the e-commerce site.

>> Read the rest of Module 17, E-Commerce Security Needs.

This was last published in July 2003

Dig Deeper on Web application and API security best practices