Monica J. Garfield and Patrick G. McKeown
Internet security is a holistic process that is only as strong as its weakest link. Using an analogy to home design, this chapter presents a framework for understanding the issues involved in Internet security and assessing available security options.
As an easy-to-use interface that supports sound, video, and graphical displays, the World Wide Web is being increasingly employed by organizations of all sizes for electronic marketing and advertising, customer service, and ordering centers. This growing commercial use introduces new opportunities as well as new security risks. Many security concerns stem from the flexible design techniques used to build the Internet, some of which make it difficult to identify exactly where data and requests are coming from or where outgoing data will travel.
Hackers are breaking into computers daily to sabotage or explore mission-critical data. Formulating a plan to thwart these curious onlookers and potential computer villains is no easy task, because there are many ways unwanted intruders can attempt to gain access to a corporate computer. There is, however, a range of measures available to help secure that environment.
Given the loosely controlled Internet infrastructure, the best way an organization can protect its Web environment is to provide security at the front door. Before an organization can do so, managers must first ask two questions:
Exhibit 1. Internet Access Options

| Type of Connection | Enterprise Network Connectivity: Yes | Enterprise Network Connectivity: No |
|---|---|---|
| Direct | Full Direct Connection | Standalone Direct Connection |
| Indirect (through third party) | Full Buffered Connection | Standalone Buffered Connection |
The answers to these questions provide the basis on which to formulate a security policy. This paper presents a framework that helps managers assess the broad range of issues involved in the creation of an Internet security plan. It does not provide the technical details needed to deploy security measures but rather a road map of the options that should be considered.
The method an organization chooses to connect to the Web plays a major role in the level of functionality it obtains and the level of risk it faces. Exhibit 1 depicts the most common ways companies gain access to the Web, each of which is associated with different degrees of flexibility, costs, and security risk.
A full direct connection means that an organization has its own Web server directly connected to the Internet and to its enterprise network. This connection method has the greatest flexibility, the highest security risks, and potentially the highest start-up costs. It gives employees full access to the Web and the enterprise direct control over the Web site.
The actual hardware and software costs to set up a simple Web server are not high; all that is needed is a machine that can run as a server, which can be a Windows-based PC, a Macintosh workstation, or a minicomputer, plus server software. This software is typically easy to use and understand. The higher costs associated with a full direct connection result from the organization's need to protect the internal network from intruders. Securing a Web server from potential hackers requires a fairly high level of technical knowledge, because hackers are constantly improving their techniques.
A full buffered connection means that an organization has a Web server connected to the Internet through a third party and directly connected to the enterprise network. This type of connection is comparable to the full connection in terms of security risks but, depending on how the third-party vendor designs the Internet connection, may provide less flexibility. Although the third-party vendor may also set up most of the necessary security components, many companies believe that further security is necessary. Under this configuration, the organization must still purchase and maintain the server hardware and software.
Exhibit 2. Degree of Flexibility, Costs, and Security Risk of Internet Connection Options

| Option | Flexibility | Costs | Security Risk |
|---|---|---|---|
| Full Direct Connection | High | High | High |
| Full Buffered Connection | Medium | Medium | High |
| Standalone Direct Connection | Medium | High | Low |
| Standalone Buffered Connection | Medium | Medium | Low |