E-commerce, e-procurement and project extranets are bringing increasing benefits for companies in terms of collaboration, sharing and communication, but there is a downside.
An online document management store or procurement system is effectively a database reachable from the internet. Even behind a security system, project documents are at risk of being exposed to the outside world, and critical business applications could be disabled or compromised.
There are a number of different types of security attack that need to be identified, quantified and mitigated, according to Felix Bauer, head of technology development at procurement solutions provider Indeco.
The easiest to perpetrate, yet very hard to guard against, explains Bauer, is a 'denial of service' attack. This slows down or disables a web or database server, denying access to users.
More severe is a 'sniff attack', which captures network traffic to obtain database passwords or private information, which is then used to alter, corrupt or steal data. Most severe is a 'spoofing attack', which falsifies a site to steal data or disrupt services.
These attacks prey on a number of vulnerabilities which systems need to address, says Bauer, starting with the system installation.
'Most web applications come pre-installed on a non-dedicated server used by many companies,' he says. 'These installations are harder to tailor to the security needs of individual companies.'
Furthermore, large numbers of users access web applications through open ports.
'Both legitimate users and attackers will connect to the system via open ports, so it is important to keep the least number of ports open,' says Bauer.
'This can be better secured if companies and their suppliers work on their own dedicated web application and server.'
The key is for applications to have an integrated security system that combines intrusion detection with vulnerability assessment, with the application's provider controlling and monitoring the risk and taking action as necessary, explains Bauer.
'Systems should allow different levels and layers of security,' he says.
A robust security system will ideally incorporate four key security features across all areas and on different layers of the application: authentication, authorisation, integrity of data during transfer, and integrity of data during storage.
On most computer networks, authentication is commonly done through the use of passwords. But the weakness in this system is that passwords can often be stolen, accidentally revealed, or forgotten.
For this reason, a more stringent authentication process using a digital certificate is becoming popular. This electronic 'credit card' contains the user's name, a serial number, expiry dates, and the digital signature of the certificate issuer. Because the user proves possession of the matching private key rather than sending a reusable secret, there is no password to steal or guess.
Logically, authentication is followed by authorisation. In multi-user computer systems, a system administrator defines which users are allowed access to the system and what privileges they have: which file directories they may reach, at what hours, and how much storage space they are allocated. Anyone without an explicit grant should get no access at all.
At the next level, ensuring the integrity of data during transfer and storage is also of paramount importance. Online transfer of data should only occur in encrypted form, typically over HTTPS, the standard HTTP web protocol carried inside an encrypted, authenticated TLS connection. Stored data needs to sit behind state of the art firewalls which are audited and regularly updated; a firewall limits who can reach the store, but it does not by itself detect tampering with what is stored, so the application should also be able to verify that a document read back from storage is the one that was written.
However, managing user access remains the most effective way of combating security breaches. 'Despite rumours to the contrary, the greatest security threat to any organisation comes from within,' explains Bauer. 'Over 90% of security breaches are conducted by employees. Companies should carefully consider who is given access to what information and how that is to be administered.'