Who owns and understands the security posture for the organization?
I would start by assuming that if you are a WebSphere Commerce architect, specialist, or developer, you will agree with me that it would be foolish to attempt to answer the loaded question – ‘Is our eCommerce site safe?’
This is something that falls under the purview of a Chief Information Security Officer (CISO). If you are interested in seeing a sample of the job responsibilities of a CISO in a commerce organization, have a look at this LinkedIn entry.
The infographic on cyber attacks from the IBM X-Force Threat Intelligence Report
The IBM X-Force Threat Intelligence Report, published by IBM, covers the security incidents of 2015 and shows that retail was the second most attacked industry.
The components of a commerce shop that would typically need a CISO’s attention
There are several areas of a commerce shop that need to reach the desired level on a security maturity model.
- To start with, there is a need to have a governance structure in place. This would include the processes established in order to manage and report on compliance.
- Focus on the people aspect of the business, which covers identity and access management.
- Infrastructure security would cover several pieces: networks, servers and endpoints.
- Protection of data is key, and this may entail industry standards and compliance.
- Application security will include all the different applications; the required security level will differ based on each application's exposure to the internet.
How IBM helps companies and businesses to be secure, and how this applies to eCommerce
The following areas of focus will help security stakeholders engage with IBM.
Your organization’s security program – Understanding risks, establishing the right policies and programs, and having a strong, cohesive team to implement changes is critical to building a next-generation security environment. IBM® Security can help you design an integrated framework to simplify the challenge of protecting the enterprise.
Tackle advanced threats – You are uncertain about advanced threats and how to be prepared to manage them. IBM® Security can help you view the security landscape with a wide-angle lens to thoroughly understand the origins and distinctive features of attackers. Fraud, endpoint and data protection; security intelligence and analytics; incident response: they are all part of a comprehensive approach that uses extensive research and detective work to pinpoint, outsmart and stop attackers.
Protect critical assets – You have an internet-facing business, with potentially millions of customers, partners and vendors accessing the systems. IBM® Security can help you leverage analytics and insight for rapid detection and response to protect critical systems and records.
Further, IBM provides services in which security experts assess all aspects of an organization against a security maturity model. This allows the CISO to understand the organization's current security posture and the desired posture for each of the components mentioned above, such as people, data and infrastructure. This is an important step in securing the organization and business against cyber security threats.
Security of the WebSphere Commerce-powered storefront
The CISO’s governance and strategy form the backbone of eCommerce security. They ensure that each application follows the guidelines and demonstrates adherence to the security framework.
The eCommerce program manager will own the security aspects of the WebSphere Commerce implementation. It is therefore the individual responsibility of every member involved in the implementation to understand the application security guidelines for WebSphere Commerce and to apply them in the design, development, testing and deployment phases.
The product Knowledge Center has a dedicated topic on securing WebSphere Commerce that details authentication, authorization and session management. There is also a section covering the National Institute of Standards and Technology (NIST) security standards, which provide guidance on the use of stronger cryptographic keys.
The Payment Card Industry (PCI) Data Security Standard (DSS) applies if your eCommerce system captures and holds credit card and payment-related data. The product documentation provides a summary of the specific configuration required in a WebSphere Commerce implementation in order to comply with PCI DSS.
Having pointed readers to the Knowledge Center for a lot of product documentation on the topic, I am also doing a Part 2 of this series to cover a simplified version of the WebSphere Commerce product’s security considerations. Look out for the second part for a quick and clear insight into the areas of access control, hardening against common attack types, and data security.
Credit: Thank you, Sreekanth, for your inputs and review on the topic.
Sreekanth Iyer is an Executive Architect with the IBM Cloud (CTO Office) team and works on defining the technical strategy and development of IBM Cloud Security. He has over 20 years of industry experience and has led several client solutions for Telco, Electronics, E&U, Govt, BPO & Banking industries. He is an Open Group Certified Distinguished Architect, IBM Master Inventor, Certified Ethical Hacker and Member of IBM Academy of Technology.