The price of accessibility

Creating a safe and secure Web site, where customers can shop and bank without worrying is essentially what all IT directors strive for, but at what cost, asks Julia Vowler

Bringing order to the e-business before it gets out of hand is steadily looming as a key priority. For IT directors, this means there's sure to be a fair bit of agony on the road to e-business ecstasy.

One aspect of the looming e-chaos is the sometimes conflicting area of Web security versus Web access. Obviously, the most secure Web site possible is one that doesn't allow any users on to it at all - it can sit there in cyberspace, clean and unsullied, and completely useless. Alas, that is the equivalent of cutting bank robberies by never keeping cash in a bank - not much use to customers.

Conversely, what customers would really like to do in Web-land is wander wherever their whim takes them, browsing and buying without hindrance. They don't want to be greeted by 'No Entry' signs.

The same dilemma is being played out within the company itself. Ever since client/server computing arrived and empowered the business units, freeing them from the tyranny of central IS, there has existed a tension between the needs of central IT to set standards, and the inclination of departmental IT to evade them. The same thing is happening again in e-business, especially when it comes to Web access management.

All too often, warns Michael Jannery of Web security company Gradient, different business units, each venturing into e-business for good and commercially sound reasons, will do their own thing without thinking through the implications for the company as a whole.

"Access management is undertaken within each business unit," he points out.

Inevitably, central IT is then expected to support all the different access management systems and policies. This is not only costly and time-consuming for central IT, but also, warns Jannery, makes the company look like multiple companies - any customer accessing, say, a personal banking site has no reason to think it has anything to do with the separate investment banking site, run by a separate business unit.

Not only could they take their business to any other bank's Web-based services, but there may be times when cross-site reference is needed, such as when a customer wants to buy an equity and use funds from his current account - a platinum level customer would be allowed to go overdrawn with impunity to make the purchase, not so the others.

But only the personal banking business unit can decide if a customer is platinum or not - that's their own business-risk decision, not a central standard imposed by IT. It also takes a toll on IT.

"You need to standardise a common (Web-security) infrastructure so that IT doesn't have to support (multiple versions)," argues Jannery. "But if IT manages all Web access, business units will accuse it of getting in the way."

What makes sense, argues Jannery, is to adopt a strategy whereby central IT is responsible for customer/site-visitor authentication. Meanwhile, each business unit is responsible for setting the authorisation that customers can enjoy when let loose on its Web site, whether to do nothing more than browse innocuously for information or to alter records in core systems as they transfer money in and out of their accounts.

"User authentication should be handled by central IT, but access policy should be set by the business unit," says Jannery. "For example, a browser can remain anonymous, but to close an account needs proof of identification by means of, say, a digital certificate."

In his experience, says Jannery, this issue emerges as a problem when about three business units launch e-business. That's when the IT director gets the alert.

"I've spoken to about 12 to 18 banks in the UK and the US and every head starts to nod," he points out. "They haven't found a way to cut through the problem."

Nor is it just on the issue of security that the problem arises - as the Web matures, personalisation is growing. Again, the split between having a central directory, managed by IT, for authentication, and letting authorisation be decided and applied by the business unit with the e-business, is the way forward, says Jannery.

This division of function should achieve the balance between a secure, coherent Web-security infrastructure - a single method of authenticating identity - and the ability of the business units to remain flexible and in as much local control as possible of what identified Web users are then allowed to do. But there is, admits Jannery, the issue afflicting all centralised databases and directories: remote access times.
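The split Jannery describes above (central IT proves who a visitor is and how strongly; each business unit decides what that identity may do on its site, including the platinum-overdraft rule from earlier) is easy to get wrong when the two concerns are tangled in one codebase. The following is an added illustration, not code from the article or from Gradient: a central directory that returns only an identity and an assurance level, and a per-unit policy object that holds the minimum assurance per action and the unit's own customer tiers. All user names, credentials, actions and tiers are constructed for the example.

```python
"""Added example: central authentication, business-unit authorisation.
Every user, credential, action and tier below is constructed, not real."""
import hmac
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """How strongly the central directory vouches for a visitor."""
    ANONYMOUS = 0      # browsing without logging in
    PASSWORD = 1       # password checked against the central directory
    CERTIFICATE = 2    # client digital certificate verified centrally


@dataclass(frozen=True)
class Identity:
    subject: str          # "anonymous" or the directory user id
    assurance: Assurance


class CentralDirectory:
    """Central IT's single authentication service. It knows who users are
    and how they proved it, but nothing about product tiers or policy."""

    def __init__(self, users):
        self._users = users   # constructed: user id -> stored credentials

    def authenticate(self, user_id=None, password=None, cert_fingerprint=None):
        anonymous = Identity("anonymous", Assurance.ANONYMOUS)
        if user_id is None or user_id not in self._users:
            return anonymous
        record = self._users[user_id]
        if cert_fingerprint is not None and record["cert"] is not None \
                and hmac.compare_digest(cert_fingerprint, record["cert"]):
            return Identity(user_id, Assurance.CERTIFICATE)
        if password is not None and hmac.compare_digest(password, record["password"]):
            return Identity(user_id, Assurance.PASSWORD)
        # A failed credential degrades to anonymous so the public pages
        # still work; nothing about the failure leaks to the business unit.
        return anonymous


@dataclass
class BusinessUnitPolicy:
    """Authorisation rules owned by one business unit. The unit sets the
    minimum assurance per action and keeps its own customer tiers;
    the central directory never sees the tier table."""
    name: str
    min_assurance: dict                          # action -> Assurance required
    tiers: dict = field(default_factory=dict)    # subject -> tier (unit-owned)

    def authorise(self, ident, action, **ctx):
        required = self.min_assurance.get(action)
        if required is None:
            return False                  # unknown action: deny by default
        if ident.assurance < required:
            return False                  # identity not proven strongly enough
        if action == "transfer" and ctx.get("overdraws", False):
            # Business-risk rule set locally: only platinum may go overdrawn.
            return self.tiers.get(ident.subject) == "platinum"
        return True


# Constructed sample data: one shared directory, two business units.
directory = CentralDirectory({
    "alice": {"password": "correct-horse", "cert": "SHA256:AB12"},
    "bob":   {"password": "hunter2",       "cert": None},
})

personal_banking = BusinessUnitPolicy(
    name="personal-banking",
    min_assurance={
        "browse":        Assurance.ANONYMOUS,
        "view_balance":  Assurance.PASSWORD,
        "transfer":      Assurance.PASSWORD,
        "close_account": Assurance.CERTIFICATE,   # needs a digital certificate
    },
    tiers={"alice": "platinum", "bob": "standard"},
)

investment_banking = BusinessUnitPolicy(
    name="investment-banking",
    min_assurance={"browse": Assurance.ANONYMOUS, "buy_equity": Assurance.PASSWORD},
)


def decide(unit, action, user_id=None, password=None, cert=None, **ctx):
    """Authenticate once centrally, then ask the unit's own policy."""
    ident = directory.authenticate(user_id, password, cert)
    return unit.authorise(ident, action, **ctx)


def buy_equity_from_current_account(user_id, password, overdraws):
    """Cross-site case from the article: the purchase is the investment
    unit's decision, funding it is the personal banking unit's decision."""
    return (decide(investment_banking, "buy_equity", user_id, password)
            and decide(personal_banking, "transfer", user_id, password,
                       overdraws=overdraws))
```

The point the structure makes is that `CentralDirectory` can be replaced or replicated (the logically central, physically distributed directory Jannery mentions) without touching any `BusinessUnitPolicy`, and a unit can change its tier table or raise the assurance needed for an action without a change request to central IT.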

"Providing it's logically centralised," he suggests, "the directory can be physically decentralised with, say, London customers being held in London, Singaporean customers in Singapore, and so on."
