Although the majority of security issues that are making the headlines at the moment concern customer-facing applications, the apparent inability to make these secure has to be worrying businesses that are looking at much more complex e-business process integration.
Two aspects immediately become apparent when reading about another clutch of credit card details being opened up to anybody who "accidentally" doesn't browse the site in the expected manner - i.e. plays about with the URL, or uses the "back" button one too many times. Firstly, the applications that are being compromised on an almost daily basis have limited business process interaction. They are quite tightly isolated systems from an externally-influenced functionality point of view. Secondly, the security loopholes almost appear to be inherent in the way that systems have been implemented - a disaster waiting to happen.
When we move towards integrating complex cross-business processes the available entry points will be more numerous, and the complexity of the total systems will be such as to be unmanageable from a human resource level.
As e-business demands that a certain level of entry to internal systems is granted to external parties the question arises as to how the business processes that can have this third-party influence exerted on them can be segmented. Each single business process has to be protected from corruption, in that the total process flow has to complete, with "sensible" data being present at both the start and end points. In this instance, and in terms of transactional flow, this means that data has to lie within certain pre-defined parameters.
Opening up these processes to external manipulation means, in effect, giving powers outside of the organisation to change the data and/or reroute the process. This is no easy task within itself, but becomes far more complex when one considers the fact that different levels of interaction will need to be allowed depending upon the influencing party. I may want to allow a trusted business partner (who may also be a competitor in some other business market) a deeper level of influence than another organisation with whom I do not have such a close relationship.
This leads back to the whole issue of security, and how it is going to be implemented. As it has become increasingly clear that organisations are incapable of protecting total systems or applications from unwarranted intrusion, then how are we going to implement protection at the application process level? It also raises the question as to how many problems are already being experienced at this level with those organisations that have taken up the e-business call to arms?
This would appear to be a classic case of concept having overtaken reality to the point where there is a real and clear danger to businesses. As with the rush over the last few years to "Web-enable your applications" without an awful lot of thought being given to what the back-end transactional systems were going to do when they were asked to handle a million transactions a day instead of the thousand that they had been happily processing when every transaction had to be initiated by Doris Smith in Accounts.
We all know what the result of that was. Fortunately, we could always blame it on the Internet (and quite often did), and the non-technical Web users were actually none the wiser accepting the fact that "inherent Internet conditions" were the cause of the problem, and not the truth that someone hadn't actually given the problem enough thought.
Security is a different ball game, and users (in both the B2C and B2B space) will be less forgiving. Just as we managed to catch up with the transactional problems, at least in the short term (banging in bigger servers was a favoured method), so we will need to catch up on security. The answer, however, may not be so simple.
It should be apparent (although some businesses seemed to have missed the point) that any e-business solution needs a certain framework; it needs to be built on a strong platform with specific essentials in place. Is there really anybody who would open up a new store in the bricks-and-mortar world, stock it with expensive items, and then not bother to buy locks for the doors? In the same vein, is there any business that would invite its competition in to examine its books and look at the plans for the future?
The whole issue of security is by itself immediately important, but even more crucial is the fact that by concentrating on this single subject it should become clear that being an e-business, while different from other business models, is not dissimilar in every aspect. There are certain elements of business that will never change