|Lesson 6||Security software|
|Objective||Describe the functions of security software. |
Security Software in ecommerce
Within the domain of e-commerce, the imperative for robust security measures is heightened due to the sheer volume and sensitivity of the transactions involved. Security software plays a multifaceted role in safeguarding these digital commerce platforms against a multitude of cyber threats, ensuring the integrity, availability, and confidentiality of user data and transactions. The functions of security software in the e-commerce context are both preventive and responsive and can be delineated as follows:
- Authentication and Access Control: Security software is responsible for confirming the identity of users, typically through login credentials, biometrics, or multi-factor authentication methods. It ensures that only authorized individuals gain access to sensitive areas of the e-commerce platform, such as user accounts or administrative panels, thereby providing a primary defense against unauthorized access.
- Encryption: To protect data in transit, security software employs encryption protocols such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS), creating a secure channel for the transmission of data between the user's browser and the e-commerce server. Encryption obscures the data, rendering it unintelligible to eavesdroppers and interceptors.
- Secure Payment Processing: Security applications facilitate secure payment transactions by complying with Payment Card Industry Data Security Standards (PCI DSS). They ensure that credit card information is encrypted and securely stored or transmitted, reducing the risk of financial fraud.
- Intrusion Detection and Prevention: Intrusion detection systems (IDS) and intrusion prevention systems (IPS) are used to monitor network traffic and user activities for suspicious behavior. They help in detecting and stopping potential attacks before they compromise the website.
- Data Integrity Checks: To prevent tampering of data, security software performs data integrity checks, ensuring that the data sent, received, or stored has not been altered. This function is vital for maintaining trust in e-commerce transactions.
- Firewalls: Firewalls act as a barrier between the secure internal network and untrusted external networks such as the internet. They scrutinize incoming and outgoing network traffic based on an applied rule set and block data packets that are deemed dangerous or unnecessary.
- Anti-Malware: Security software includes anti-malware functions to protect the e-commerce platform from viruses, worms, trojan horses, ransomware, and other malicious software that could be used to steal data or disrupt operations.
- Vulnerability Management: Regular scanning for vulnerabilities within the e-commerce system allows for the timely detection and patching of security weaknesses that could be exploited by attackers.
- Fraud Detection: Advanced security solutions use anomaly detection and behavior analysis techniques to identify potentially fraudulent transactions. By flagging these activities, e-commerce sites can prevent unauthorized purchases and minimize financial losses.
- Data Privacy Compliance: Security software helps e-commerce businesses comply with data privacy laws and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), by enforcing data handling policies and providing the necessary tools for data protection impact assessments.
- Audit and Reporting: Comprehensive logging and reporting capabilities of security software enable the tracking of all activities, which is critical for auditing purposes and for investigating incidents after a security breach.
In an academic exposition of e-commerce security, these functions demonstrate the breadth and depth of security software's role in constructing a resilient digital commerce environment. This multi-layered approach is essential to fortify e-commerce platforms against the continuously evolving threat landscape in cyberspace.
There is a wide variety of software-related approaches for the providing Web site security required by business needs. Security software protects the following:
- Web resources (for example, it deters vandalism of a site)
- Internal network resources (for example, Asteron's internal network)
- Users and customers (for example, customers in an e-commerce transaction)
Security is an entire field unto itself with a wide range of products from hardware and software providers. For non-specialists, these basic concepts are sufficient to allow them to understand the standard security software. At a minimum, the following standard set of controls (interventions) should be considered for most sites:
- Secure transaction and encryption technologies
- Secure email technologies
- Additional anti-attack software
Secure Transaction and encryption Technologies
Secure transactions protect both Web site operators and their users or customers. Most secure transaction software involves encryption,
the transformation of data into a form that is unreadable without access to the proper decryption algorithm. Two secure transaction protocols that are used in e-commerce are:
- Secure Sockets Layer (SSL)
Secure Electronic Transaction (SET)
Secure Electronic Transaction (SET) is not widely used for ecommerce websites today. It was an early communications protocol developed in 1996 to secure electronic debit and credit card payments. SET was designed to protect sensitive cardholder information by using digital certificates, encryption, and digital signatures. However, it was also complex and expensive to implement, which limited its adoption.
In the late 1990s, Visa and Mastercard introduced 3-D Secure, a simplified and more cost-effective alternative to SET. 3-D Secure has become the dominant standard for securing online card payments, and it is now supported by most major card issuers and acquirers.
SET is still technically supported by Visa and Mastercard, but it is not recommended for new development. If you are developing an ecommerce website, you should use 3-D Secure instead of SET.
Here is a table summarizing the key differences between SET and 3-D Secure:
3-D Secure is a more practical and widely used security protocol for ecommerce websites.
It is easier to implement and more cost-effective than SET, and it is supported by a wider range of card issuers and acquirers.
A digital certificate is an electronic verification of the identity of an organization or individual.
In e-commerce, digital certificates ensure the legitimacy of the vendor. Certificates are obtained from a recognized certificate authority that has approved an online vendor.
Software is only part of what constitutes a firewall (hardware and network configuration are also very important).
A firewall involves three elements: firewall software, network configuration, and appropriate hardware (usually a firewall resides on a dedicated server that separates the Web server from a company's internal network). All elements need to be combined appropriately for the firewall to be effective.
Secure email Technologies
If a Web site application involves the use of email (for example, as part of a transaction or as confirmation of a transaction), you will want to ensure your email exchanges are as secure as possible.
PGP and S/MIME are two encryption schemes that are used in business-to-business transactions.
While PGP and S/MIME have been the standard bearers for email encryption for decades, newer alternatives have emerged that offer enhanced usability, improved security, and broader compatibility. Here are some modern email encryption alternatives to PGP and S/MIME:
- Virtru: Virtru is a cloud-based email encryption platform that provides a user-friendly interface and seamless integration with popular email clients like Gmail, Outlook, and Apple Mail. It utilizes end-to-end encryption to protect emails and attachments, ensuring that only authorized recipients can access the content. Virtru also offers advanced features such as revocation and expiration for emails, allowing senders to control access and protect sensitive information.
- ProtonMail: ProtonMail is a secure email service based in Switzerland, known for its strong privacy protections and end-to-end encryption. It utilizes open-source cryptography and offers a zero-access architecture, meaning that even ProtonMail employees cannot decrypt user emails. ProtonMail provides a free plan with limited storage and features, as well as paid plans with additional storage, custom domains, and more advanced security features.
- Tutanota: Tutanota is another secure email service based in Germany, offering end-to-end encryption and a focus on privacy. It utilizes open-source cryptography and provides a free plan with limited storage and features, as well as paid plans with additional storage, custom domains, and advanced security features. Tutanota is known for its intuitive interface and integration with various email clients and mobile apps.
- Mailvelope: Mailvelope is a free and open-source encryption plugin for web browsers and email clients, providing end-to-end encryption for emails and attachments. It utilizes OpenPGP and GnuPG encryption standards, offering a secure and user-friendly option for those familiar with PGP. Mailvelope integrates seamlessly with various email clients, including Mozilla Thunderbird, Gmail, and Outlook.
- CipherMail: CipherMail is a cloud-based email encryption platform that offers end-to-end encryption and a user-friendly interface. It integrates with popular email clients and provides advanced features such as revocation and expiration for emails, as well as secure file sharing and collaboration tools. CipherMail offers a free plan with limited features, as well as paid plans with increased storage, custom domains, and more advanced security features.
These modern email encryption alternatives offer a range of features and benefits that make them viable choices for individuals and organizations seeking to secure their email communications. They provide end-to-end encryption, user-friendly interfaces, and integration with popular email clients, making them more accessible and practical than traditional PGP or S/MIME solutions.
Additional anti-attack software
While firewalls are designed to filter and prevent many kinds of attacks on a network, there are additional measures that provide additional security. Virus-scanning software and network-scanning software help detect and destroy viruses and other harmful attacks.
Question: What is a digital certificate?
Answer: A digital certificate is an electronic verification of the identity of an organization or individual through the validation services of a third party. In e-commerce, digital certificates are installed on commerce sites
(via the server) to ensure the legitimacy of the vendor. The confidence associated with a certificate is similar to purchasing a new TV from a store versus from the back of a stranger's truck.
Certificates address the buyer's need for stability by validating the legitimacy of the vendor as part of the certification process.
In the next lesson, you will learn more about specific examples and properties of bundled software solutions.