The Three A's of Internet Security

Reprinted with permission from Grain & Feed Marketing

Carnegie Mellon's organization coordinates responses to Internet security threats through funding from the Federal government. In the first half of 2001, CERT has responded to 15,476 security incidents compared with 21,756 for all of last year. Most attacks were on systems that were not well protected, says Bill Boswell, chief technology officer, E-Markets, Ames, Iowa. Established in 1996, E-Markets has developed several online tools for the agrifood industry, including the first online grain production contracting system and the first Internet-based input ordering system.

Fortunately, there are measures that companies can take to prevent their confidential information from being viewed by unauthorized people, says Boswell. These measures will vary on the level of security needed by a company and whether the company hosts its own Web site or uses an outside service. But, a good rule of thumb is to remember the three A's of Internet security-- access, authentication and authorization, says Boswell.

"First, make sure the people you provide access to are authenticated users (or who are indeed who they say they are)," says Boswell. "Then, give them proper authorization to access only the information you want them to see."

E-Markets, for example, sets up proper accounts for the people its customers (e.g., grain elevators, grain processors) want to access their information. It then provides secure passwords for these people. E-Markets also uses software that enables its customers to define certain access parameters (or levels of access they want people to have) that are based on job roles and geographic locations.

What are some tips for companies wanting to set up and maintain their own Internet security system? "It really depends on what they want to do through the system they are implementing," says Boswell. If the company is just going to post general data on a Web site, it probably does not need as much security as if it were conducting e-commerce or e-mailing sales data to outside sales reps. The company should carefully consider what could potentially happen if an unauthorized person were able to access such information, says Boswell.

Some basics include encouraging users to change passwords often, using passwords that are not obvious and shutting down computers after use. "Remember that your Internet security is only as good as your company's overall security," says Boswell.

"If you are building a Web site, take fundamental precautions," says Boswell. "Establish a firewall between your Web site and your internal network. If you are going to use e-mail, make sure you have a virus scanning program on your computer." Firewalls are like the doors of a house with locks on them, he says. Continuing with the house analogy, he says one should think about securing windows (the different ports on your computer). If someone is rattling the windows of your system, intrusion detection software can help prevent a break-in. If firewalls are the guarded entries to your house, then intrusion detection software is like your burglar alarm.

Physical security and information security are the two basic elements of overall Internet security, says Boswell. "Physically, we a data center with restricted access, emergency power, and fire suprression system. This includes 24-hour, 7-day a week service people that monitor and corrects potential security problems. The company also has internal a hot spare standby database, tape backups, and disaster and recovery plans.

In terms of information security, in addition to firewalls and intrusion detection software, E-Markets sends encrypted data over the Internet. For example,with its AgOrderSM input management tool that connects ag retailers with suppliers and customers for input ordering and inventory management, information is protected as it is transmitted and stored.

Again, Boswell stresses that users are authenticated to verify that they are who they say they are. They will see a padlock at the bottom of their computer screens, indicating they are protected by secure sockets layer (SSL) encryption software.

If you are considering dealing with a service provider, check out the provider's privacy policy. Many companies post such policies on their Web sites and it is helpful to know just how information is protected.

The cost of setting up and maintaining an Internet security system will again depend on the individual operation and the level of security needed. Setting up a firewall to protect one's own network, for example, could cost from a few thousand dollars to tens of thousands. Companies requiring multiple levels of security could spend from tens of thousands to hundreds of thousands of dollars.

Grain elevators planning to build their own e-commerce systems can expect to make a moderate investment, says Boswell. Software is available for companies that set up e-commerce sites. When one buys third party software, one can expect to pay an annual maintenance fee of 15-22 percent of the original purchase price. Conversely, maintenance fees are generally incorporated into the services that customers of application service providers offer.

Getting started with E-commerce and Internet security for your company can seem like an overwhelming and daunting task. Fortunately companies like E-Markets do this everyday, and can help you understand how to get started remembering the three A's of Internet security.