E-commerce Security Translation (Word download)
So, how can e-commerce security be ensured?

1 E-business Security Issues
E-business is a powerful tool for business transformation that allows companies to enhance their supply-chain operation, reach new markets, and improve services for customers as well as for suppliers and employees. However, implementing the e-business applications that provide these benefits may be impossible without a coherent, consistent approach to e-business security. Traditional network security has focused solely on keeping intruders out using tools such as firewalls. This is no longer adequate. E-business means letting business partners and customers into the network, essentially through the firewall, but in a selective and controlled way, so that they access only the applications they need. To date, organizations have controlled and managed access to resources by building authorization and authentication into each e-business application.

This piecemeal approach is time-consuming, error-prone, and expensive to build and maintain. Emerging technology provides a new role-based access control infrastructure for all of the enterprise's e-business applications. For example:
E-business shopping cart software like GoECart, equipped with the latest security features, is making the online shopping experience safe and secure. With this infrastructure, developers no longer need to code security features into each application. This can greatly speed up and simplify the deployment of new applications, cut maintenance costs, and give organizations a consistent security policy. This new access control infrastructure also lets organizations implement consistent privacy policies and ensures that unauthorized people are denied access to sensitive business information sources. In addition, a centralized security solution lends greater flexibility to supporting new technologies such as mobile Internet devices, which are expected to proliferate over the next few years. Besides controlling access, organizations also need to monitor security events across the enterprise so that suspicious activities can be quickly pinpointed. This is becoming critical as enterprise networks grow rapidly in complexity and strategic importance. New monitoring technology lets organizations consolidate data from all their disparate security sensors—firewalls, anti-virus software, host systems, and routers—and provides a coordinated single image of potential intrusions for effective incident response.

2 Approach to E-business Security
Once the organization has defined a clear list of security requirements, it can begin to identify technology that meets its needs. By combining authentication and authorization with monitoring technology, a comprehensive e-business security solution can be built. First, authentication and authorization technology is used to control access to e-business applications. This technology is valuable for any organization building e-business applications. Businesses should evaluate the technology's capabilities in multiple areas:
• Core authentication and authorization functions, including single sign-on
• The ability to set policies for security
• Support for existing enterprise software
• Manageability
• Scalability and reliability
• Privacy
• Software quality
Second, monitoring technology minimizes the business risk associated with potential network intrusions. This technology is particularly useful for organizations with large, complex networks. Key features to consider are the technology's ability to correlate information from a wide range of data sources; its ability to automate responses to routine problems; and its manageability.
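The monitoring requirement above (consolidate data from firewalls, anti-virus software, host systems and routers into a single picture of potential intrusions) can be shown as a small correlation engine. This is an added illustration, not code from the original article or from any product it mentions; the four log formats, the sensor names and the addresses are constructed sample data, and the "two or more sensors" rule is an assumed threshold for reporting.

```python
"""Consolidating events from disparate security sensors into one picture.

Added illustration (not from the original article): constructed log lines from a
firewall, an anti-virus agent, a host login service and a router are normalized
into a common event shape, then correlated by source address so that activity
spread across sensors shows up as a single incident.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log lines in four made-up sensor formats (assumptions, not
# real product output).
SAMPLE_LOGS = [
    "fw 2024-05-01T10:00:01 DENY src=203.0.113.5 dst=10.0.0.8 dport=22",
    "fw 2024-05-01T10:00:02 DENY src=203.0.113.5 dst=10.0.0.8 dport=23",
    "host 2024-05-01T10:00:05 sshd: Failed password for admin from 203.0.113.5",
    "host 2024-05-01T10:00:07 sshd: Failed password for root from 203.0.113.5",
    "av 2024-05-01T10:01:00 host=10.0.0.8 detected=Trojan.Generic action=quarantined",
    "router 2024-05-01T10:01:30 ACL drop 203.0.113.5 -> 10.0.0.9",
    "fw 2024-05-01T10:02:00 ALLOW src=198.51.100.7 dst=10.0.0.8 dport=443",
]


@dataclass
class Event:
    sensor: str   # which sensor produced the record
    time: str     # timestamp as written by the sensor
    src: str      # address the activity is attributed to
    kind: str     # normalized event category


# One parser per constructed sensor format.
PARSERS = {
    "fw": re.compile(r"fw (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)"),
    "host": re.compile(r"host (\S+) sshd: Failed password for (\S+) from (\S+)"),
    "av": re.compile(r"av (\S+) host=(\S+) detected=(\S+) action=(\S+)"),
    "router": re.compile(r"router (\S+) ACL drop (\S+) -> (\S+)"),
}


def normalize(line):
    """Map one raw sensor line to a common Event, or None if it is not recognized."""
    sensor = line.split(" ", 1)[0]
    pat = PARSERS.get(sensor)
    m = pat.match(line) if pat else None
    if not m:
        return None
    if sensor == "fw":
        kind = "fw_deny" if m.group(2) == "DENY" else "fw_allow"
        return Event("fw", m.group(1), m.group(3), kind)
    if sensor == "host":
        return Event("host", m.group(1), m.group(3), "auth_failure")
    if sensor == "av":
        # Malware detections are attributed to the host where they were found.
        return Event("av", m.group(1), m.group(2), "malware")
    return Event("router", m.group(1), m.group(2), "acl_drop")


def correlate(lines, threshold=2):
    """Group normalized events by source address and report every source that
    at least `threshold` distinct sensors have flagged."""
    by_src = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev and ev.kind != "fw_allow":   # allowed traffic is not evidence by itself
            by_src[ev.src].append(ev)
    incidents = {}
    for src, evs in by_src.items():
        sensors = sorted({e.sensor for e in evs})
        if len(sensors) >= threshold:
            incidents[src] = {
                "sensors": sensors,
                "kinds": sorted({e.kind for e in evs}),
                "count": len(evs),
            }
    return incidents


if __name__ == "__main__":
    for src, info in correlate(SAMPLE_LOGS).items():
        print(f"{src}: seen by {info['sensors']} ({info['count']} events: {info['kinds']})")
```

Run on the constructed sample, only 203.0.113.5 is reported: the firewall denies, the failed host logins and the router ACL drop each look routine on their own, and it is the cross-sensor view that turns them into one incident worth a response. The single anti-virus detection on 10.0.0.8 stays below the threshold, which is the kind of tuning decision the "automate responses to routine problems" requirement is about.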
2.1 Authentication and Authorization Technology:
To date, Web application developers have generally coded security logic into each of their applications. Each application had to maintain its own access control list of users, resources and the rights granted to each user. As the e-business environment grows, this approach rapidly becomes problematic for several reasons:
• It is expensive because of the need to replicate development and maintenance work across multiple systems.
• It requires time-consuming development when there is often corporate pressure to get online as quickly as possible.
• Maintenance is time-consuming and error-prone.
Once the applications are online, it is vital to ensure that access control lists are kept up to date and in step across multiple applications, and to make sure that as security policies change, those changes are simultaneously reflected across the whole e-business environment. Each of these steps is an opportunity for error, inconsistency or delay, and can result in security loopholes. An alternative approach is now possible. Technology is available that provides a security infrastructure for all of an enterprise's Web-based applications, eliminating the need to code and maintain security logic for each application. This approach has been accepted as a standard method for developing mainframe applications for years, but the technique is only now being extended to Web applications.
To be capable of managing access to the entire environment, this software should handle a broad range of functions.
2.2 Authentication and Authorization:
The fundamental requirement is for technology that handles the authentication and authorization of all users (whether inside or outside the enterprise) accessing all e-business applications. All user attempts to access an e-business system are handled by the security infrastructure technology, which authenticates the user and grants the appropriate access to the requested system or systems. Many authentication methods exist, ranging from simple usernames and passwords to stronger methods such as tokens or digital certificates. Different types of authentication methods may suit different organizations. Applications and access methods tend to become less convenient for users and become more expensive as they increase in security. Passwords and usernames encrypted on transmission may be adequate for some resources, and may be the most practical approach for access via mobile devices that have limited computing power. For access to sensitive business information, token-based products or digital certificates may be more appropriate. An additional factor is that organizations may have already installed one of these authentication technologies and want to extend use of the technology for new e-business applications as well. A solution should be able to support all of these techniques, which implies that it must be able to interface to the leading specialized authentication technologies, such as tokens from RSA, or PKI systems from Entrust or IBM. A major advantage of a security infrastructure is that organizations should not have to change their application logic in order to change or add new authentication technologies. Further, they should be able to implement changes at the security infrastructure level and have applications evolve transparently.
In many cases, centralizing security into an infrastructure product has the additional security benefit of removing the need to hold authorization information in multiple places, such as application servers and desktops. Adopting a security infrastructure also means it should not be necessary to change the security logic in applications in order to take advantage of new devices—a major consideration when organizations are looking at supporting access from thousands of handheld wireless devices during the next few years. The infrastructure should be able to handle access via wireless networks and handheld devices, so users can access applications whether at home, in the office, or on the road. This means that it must interface to the gateways that handle traffic from wireless networks.
2.3 Single Sign-On:
A related and extremely useful benefit in some technology is the ability to provide single sign-on to all corporate applications. When security logic is coded into each application, the number of passwords and logins that users have to remember and enter grows along with the number of e-business applications. This also imposes a considerable management burden. Administrators have to add users to each system they will use, and delete them from each system if they no longer have access. Because the security infrastructure maintains authorization information for each user and resource, it is able to authenticate the user once, and then seamlessly provide access to each system the user is authorized to use.
2.4 Policy Setting:
An infrastructure product provides a central point for implementing security policy across the organization. Ideally, a product will allow the establishment of security policies that reflect the structure of the organization, yet are flexible enough to fit the needs of specific groups or applications. The default policy for employees could be to provide access to human resources and other general corporate information. Specific needs of different groups can be met simply by creating new group profiles where needed. For instance, marketing people might get access to the default systems plus specific sales information. This approach avoids the need to define and maintain separate sets of access rights for each user.
2.5 Support for existing Enterprise Software:
The solution should integrat
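Sections 2.2 through 2.4 describe one security infrastructure doing three jobs: authenticating every user through whichever method the organization has chosen, authenticating once and then granting single sign-on to every authorized system, and deciding authorization from group profiles rather than per-user lists kept inside each application. The following example, added here and not taken from the original article or from any product it names, sketches such an infrastructure in one place. The `SecurityInfrastructure` class, the HMAC-signed session token format, the `password_authenticator` plug-in and the users, groups, secrets and resource names are all constructed assumptions; the default "employee" profile and the extra "marketing" rights mirror the example in section 2.4.

```python
"""A central security infrastructure instead of per-application security logic.

Added illustration, not code from the original article: one service authenticates
the user once through a pluggable authenticator (a password check here; a token
or certificate check would plug in through the same interface), issues an
HMAC-signed session token, and answers authorization questions from group
profiles. Applications only verify the token and ask the central policy; they
hold no access lists of their own. All users, groups, secrets and resources
below are constructed sample data.
"""
import base64
import hashlib
import hmac
import json
import os
import time

# --- central policy: group profiles rather than per-user access lists ---------
GROUP_PROFILES = {
    "employee": {"hr_portal", "corporate_news"},   # default policy for all staff
    "marketing": {"sales_reports"},                 # extra rights for one group
}
USER_GROUPS = {
    "alice": ["employee", "marketing"],
    "bob": ["employee"],
}

# --- pluggable authenticator: the infrastructure, not the application, picks it
_SALT = b"constructed-salt"   # a real deployment uses a random per-user salt


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


PASSWORD_DB = {u: _pbkdf2(p, _SALT)
               for u, p in [("alice", "correct horse"), ("bob", "battery staple")]}


def password_authenticator(user, credential):
    """Username/password method; returns True only for a matching stored hash."""
    stored = PASSWORD_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, _pbkdf2(credential, _SALT))


class SecurityInfrastructure:
    def __init__(self, authenticator, signing_key, ttl=3600):
        self.authenticate_user = authenticator   # swap in tokens/certificates here
        self.key = signing_key
        self.ttl = ttl

    def login(self, user, credential, now=None):
        """Authenticate once; return a signed session token usable by every application."""
        if not self.authenticate_user(user, credential):
            return None
        now = time.time() if now is None else now
        body = json.dumps({"sub": user, "exp": now + self.ttl}, separators=(",", ":")).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()

    def verify(self, token, now=None):
        """Return the user name for a valid, unexpired token; None otherwise."""
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, TypeError):
            return None
        if not hmac.compare_digest(sig, hmac.new(self.key, body, hashlib.sha256).digest()):
            return None   # signature check happens before the claims are trusted
        claims = json.loads(body)
        now = time.time() if now is None else now
        return claims["sub"] if claims["exp"] > now else None

    def authorized(self, user, resource):
        """Authorization comes from group profiles; no application keeps its own list."""
        return any(resource in GROUP_PROFILES.get(g, set()) for g in USER_GROUPS.get(user, []))


def application_request(infra, token, resource, now=None):
    """What an e-business application does: verify the SSO token, then ask central policy."""
    user = infra.verify(token, now)
    if user is None:
        return "401 not authenticated"
    if not infra.authorized(user, resource):
        return "403 forbidden"
    return f"200 {resource} for {user}"


def tamper(token):
    """Flip one character of the token body to show that the signature catches edits."""
    body_b64, sig_b64 = token.split(".")
    flipped = ("A" if body_b64[0] != "A" else "B") + body_b64[1:]
    return flipped + "." + sig_b64


if __name__ == "__main__":
    infra = SecurityInfrastructure(password_authenticator, os.urandom(32))
    tok = infra.login("alice", "correct horse")
    print(application_request(infra, tok, "sales_reports"))                           # 200
    print(application_request(infra, infra.login("bob", "battery staple"), "sales_reports"))  # 403
    print(application_request(infra, tamper(tok), "hr_portal"))                       # 401
```

Changing the authentication method means passing a different authenticator into `SecurityInfrastructure`; adding a new group means adding one profile; neither touches `application_request`, which is the property sections 2.2 and 2.3 argue for. Expiry and signature are checked centrally, so every application benefits from the same token hygiene.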