Fine-tuned Security

All-or-nothing security doesn't cut it anymore. Serious e-commerce requires security tuned at the application level.

The smallest e-commerce Web site that offers personalized content and the biggest business-to-business online marketplace have one thing in common: the need to give specific users access to discrete portions of behind-the-scenes data.

For Web sites that do little more than provide information, a firewall - which blocks off a group of servers inside a company - is often enough.

But sites that allow Internet business transactions such as banking, supply-chain or retailing need more. There, individual customers must be authorized to access certain applications and data that reside on specific servers. Those users must also be stopped from seeing other data.

Such application-level security is critical to e-commerce, says Rob Enderle, an analyst at Giga Information Group Inc. in Santa Clara, Calif. "Without that granular access, many things like online banking wouldn't be able to exist," he says.

While the need for such tools is clear, the per-user pricing models can make them expensive, and a lack of direct support for some key back-end systems can mean extra programming.

Think of application-level security this way: If a bank's checking, savings, retirement and investment systems were a house, application-level security would be a quick-witted sentry who checks visitor credentials and lets them into only the appropriate rooms.

Among the many vendors that offer such products are BorderWare Technologies Inc. in Mississauga, Ontario; enCommerce Inc. in Santa Clara, Calif.; Gradient Technologies Inc. in Marlboro, Mass.; and Netegrity Inc. in Waltham, Mass.

In addition to fine-tuned user permissions, these products also let online companies offer single sign-on: a user logs on to the Web site just once and can then reach several different applications.

Single sign-ons were key to The Prudential Insurance Company of America. The financial company, which has $362 billion in assets, has several business units - insurance, investing and financial planning, among others. But it wanted to present one face to the Web world, says David Kennington, vice president of information systems at Prudential.

Waiting for Wireless

Newark, N.J.-based Prudential uses enCommerce's getAccess product to help usher authorized users through the Prudential Web site and into copies of mainframe databases.

"Through our single portal, you can see the current value of all your products," Kennington says.

Prudential chose getAccess because it provides the kind of user-access management the company wanted, Kennington says. Also, there were few other products available in 1997, when the financial services firm started to investigate the market, he adds.

Prudential is working on a new feature that will let its customers create a "family view" of all the accounts of spouses and other relatives - providing the user has the right access permissions. For that, the company must build a more granular level of entitlements within applications, Kennington says. He hasn't decided whether to work with enCommerce or another vendor or consulting firm to make this happen, he says.
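As an added illustration of the "sentry and rooms" model and of the family-view entitlement described above (example code written for this page, not code from enCommerce, Netegrity or any other vendor named here), the Python below implements a default-deny authorization check: a customer sees only their own accounts, and another relative's account only where the owner has explicitly granted it. The customer names, balances and grants are constructed sample data.

```python
# Constructed sample data: each customer's "rooms" (systems) and balances.
ACCOUNTS = {
    "alice": {"checking": 1200.00, "savings": 5400.00, "retirement": 81000.00},
    "bob":   {"checking": 300.00, "investment": 15000.00},
    "carol": {"savings": 900.00},
}

# Explicit delegations for the family view:
# account owner -> {grantee: set of account types the grantee may view}.
# Anything not listed here is denied (default deny).
GRANTS = {
    "alice": {"bob": {"checking", "savings"}},  # alice shares two accounts with bob
}


class Forbidden(Exception):
    """Raised when the application-level check denies access."""


def authorize(user, owner, account_type):
    """Return True only if `user` may view `owner`'s account of `account_type`.

    Owners always see their own rooms; anyone else needs an explicit grant
    for that exact account type. Unknown owners or grantees fall through to False.
    """
    if user == owner:
        return True
    return account_type in GRANTS.get(owner, {}).get(user, set())


def view_account(user, owner, account_type):
    """Authorize first, then read; the balance is never touched on a denied request."""
    if not authorize(user, owner, account_type):
        raise Forbidden(f"{user} may not view {owner}/{account_type}")
    return ACCOUNTS[owner][account_type]


def family_view(user):
    """All (owner, account_type) -> balance pairs `user` is entitled to see.

    This is the per-account (granular) entitlement: bob sees alice's checking and
    savings but not her retirement account, and nothing belonging to carol.
    """
    visible = {}
    for owner, accounts in ACCOUNTS.items():
        for account_type, balance in accounts.items():
            if authorize(user, owner, account_type):
                visible[(owner, account_type)] = balance
    return visible
```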

One thing missing is wireless support, Kennington notes. Prudential wants to let users of handheld computers access their accounts. That would require enCommerce to rewrite sections of its code to handle user authorization data other than the common cookies stored on users' PCs.

Alberto Yepez, chairman and CEO of enCommerce, says support for the Wireless Access Protocol (WAP) is due from the company this quarter.

Most application-level security products lack direct integration with popular enterprise resource planning systems from SAP AG, PeopleSoft Inc. in Pleasanton, Calif., and others. Instead, they require information technology staff either to wrap back-end systems in an open framework such as the Common Object Request Broker Architecture from Object Management Group in Framingham, Mass., or to insert an open directory between the company's Web server and legacy systems (see diagram).

However, Netegrity has written custom interfaces for customers using systems that aren't supported by its SiteMinder software, says Bill Munroe, senior product marketing manager at Netegrity.

Out-of-the-box direct connections to PeopleSoft and SAP are due from Netegrity by year's end, Munroe says. So is WAP support.

Another downside is that many application-level security products are priced on a per-user basis. That means the customer pays for every person who has a log-on and password for a Web site.

Netegrity, for example, charges between 10 cents and $20 per user, depending on the number of users and type of application. Business-to-business customers are more expensive than business-to-consumer users. EnCommerce also uses per-user pricing.

Gradient bucks the per-user trend, offering its NetCrusader/Web for $28,000 per server.

Despite any drawbacks, Enderle advises IT managers to use prepackaged security products rather than try to build something similar.

"They're the security expert, you're not," he says. "You don't want to expose yourself before you figure out how to resolve all problems."

Copyright © 2000 IDG Communications, Inc.