The Challenge: Building and Managing Secure Websites
With its extended reach and power, the Internet has fundamentally changed traditional business processes. E-business has ushered in the widespread deployment of intranets, business-to-business (B2B) extranets and e-commerce websites. These sites extend business processes to the furthest reaches of the Web, enabling partners, customers, and employees to access critical applications, information, services, and transactions anytime and anywhere.
Organizations are redeploying the applications they have built over the years behind web front ends, as well as deploying new applications on web servers, J2EE-based application servers, and even mainframe systems that include web servers. As they open their businesses to new users through the web, they face new and complex challenges.
Organizations must solve a new generation of manageability and compliance issues, from deploying online resources throughout a global environment to enforcing policies and monitoring and reporting on online activity for regulatory compliance. IT professionals need to support heterogeneous environments with flexible deployment approaches. They need to provide enterprise-class performance, availability, and scalability to support potentially millions of users. And they must ensure a long life for these systems by embracing open standards and platforms.
From the security and compliance perspective, several factors must be carefully considered:
- Authentication. Who will access the applications and data? Will multiple user communities, such as partners, customers, and employees, need access? How will authentication across multiple websites be handled? Is simple password authentication sufficient, or are stronger credentials and controls needed?
- Authorization. Organizations need security policies that can be defined once and enforced across multiple applications and services. A single shared security service simplifies and speeds administration, eases compliance-related auditing and reporting, and reduces the security burden on application developers.
- Audit. Organizations must closely track how applications and data are used, and how the security system is providing IT controls. System administrators need detailed system data to fine-tune performance. Business managers need activity data to demonstrate compliance with security policies and regulations.
- Entitlement service. How can organizations bring the entitlements, that is, the profile characteristics of individual users, from multiple directories and user stores into a single, shared security service?
- Enhancing the user experience. How can organizations provide a personal, easy-to-navigate online session for their users, and at low cost?
From a user perspective, these new-generation web applications must be:
- Responsive. Delivering high-performance applications, whether they're for customers, partners, or employees
- Interactive. Providing the right users access to the right applications, data, services, and other resources
- Simple. Providing a seamless user experience with cross-domain application access
Today, enterprise IT infrastructures are often insufficient to meet the demands of e-business and unable to manage multiple types of applications accessed by multiple types of users (employees, customers, suppliers and partners) using multiple types of devices (laptops, PDAs, cell phones). Many sites must accommodate millions of users and many millions of transactions without jeopardizing security. In particular, implementers face several challenging business and technical problems that fall into two major areas: first building the secure website, then managing it.
Building the Secure Website
For web developers, building a secure website can be very complex. Whether they are managing multiple user directories or creating a shared service for authentication, authorization and audit, they need new tools to design and deliver robust security.
Choosing the correct authentication technology
Because of implementation and management challenges, security managers often struggle to define a unified authentication strategy across Internet and intranet applications. The result is that either high-value applications are not protected by correspondingly strong authentication, or low-value web applications are protected by authentication that overdoes it and drives users away. Companies need a single system on which to deploy and manage multiple authentication schemes. Organizations need a comprehensive strategy that ensures high-value applications are protected by strong authentication while lower-value applications are protected by simpler username/password approaches, and that lets a user who arrived through a weaker scheme step up to a stronger one when a higher-value resource is requested, rather than being turned away.
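As an added illustration, not part of the original paper and not the configuration of any product it describes, the following Python sketch shows how one shared policy service could enforce tiered authentication strength. Each URL pattern declares the minimum assurance level needed to reach it; a session carries the strongest scheme the user has completed; a request that falls short is answered with the scheme to step up to instead of a flat denial, and every decision is written to an audit trail. The level names, URL patterns, rule order and deny-by-default fallback are assumptions chosen for the example. Paths are canonicalized before matching so that a request like /account/../admin/users is judged against the /admin rule rather than the weaker /account rule.

```python
"""Tiered (step-up) authentication policy check.

Added illustrative example: the assurance-level names, URL patterns and
default rule below are assumptions, not a real product's configuration.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

# Assurance levels ordered weakest to strongest (assumed names).
LEVELS = {"anonymous": 0, "password": 1, "otp": 2, "certificate": 3}


@dataclass(frozen=True)
class Rule:
    pattern: str   # fnmatch-style pattern over the canonical URL path
    required: str  # minimum assurance level needed to reach the resource


@dataclass
class Session:
    user: str
    achieved: str = "anonymous"            # strongest scheme the user completed
    audit: list = field(default_factory=list)


# Ordered policy: first match wins, so specific high-value paths come first.
POLICY = [
    Rule("/admin/*", "certificate"),
    Rule("/wire-transfer/*", "otp"),
    Rule("/account/*", "password"),
    Rule("/public/*", "anonymous"),
]

# Resources not covered by any rule fall back to the strongest level rather
# than to open access (deny-by-default).
DEFAULT_LEVEL = "certificate"


def canonical_path(path: str) -> str:
    """Collapse '.', '..' and repeated slashes before matching, so that
    /account/../admin/users is judged by the /admin rule, not /account."""
    path = "/" + path.lstrip("/")       # single leading slash
    return posixpath.normpath(path)


def required_level(path: str) -> str:
    canon = canonical_path(path)
    for rule in POLICY:
        if fnmatchcase(canon, rule.pattern):
            return rule.required
    return DEFAULT_LEVEL


def decide(session: Session, path: str) -> tuple[str, str | None]:
    """Return ("allow", None) or ("step-up", <scheme the user must complete>).
    Every decision is appended to the session's audit trail."""
    need = required_level(path)
    if LEVELS[session.achieved] >= LEVELS[need]:
        outcome = ("allow", None)
    else:
        outcome = ("step-up", need)
    session.audit.append(
        (session.user, canonical_path(path), session.achieved, need, outcome[0])
    )
    return outcome


def authenticate(session: Session, scheme: str) -> Session:
    """Record a completed authentication; assurance only ever moves upward,
    so completing a weaker scheme later cannot downgrade the session."""
    if scheme not in LEVELS:
        raise ValueError(f"unknown scheme {scheme!r}")
    if LEVELS[scheme] > LEVELS[session.achieved]:
        session.achieved = scheme
    return session


if __name__ == "__main__":
    s = Session("alice")
    authenticate(s, "password")
    print(decide(s, "/account/balance"))          # ('allow', None)
    print(decide(s, "/wire-transfer/new"))        # ('step-up', 'otp')
    authenticate(s, "otp")
    print(decide(s, "/wire-transfer/new"))        # ('allow', None)
    print(decide(s, "/account/../admin/users"))   # ('step-up', 'certificate')
    for entry in s.audit:
        print(entry)
```

The point of keeping the rules in one ordered list with a strong default is that application developers never decide authentication strength themselves: they only ask the shared service, and adding a new high-value path is a policy change rather than a code change. The audit tuples are what a compliance report would be built from, since they record both the level the user held and the level the resource demanded.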