How To

How to Minimize E-Commerce Risk

Top infosecurity pros offer 5 strategies for protecting corporate networks even as you link more closely with your business partners

By Kim Girard

Page 2

Various tools and services can help speed up this inventory process. Dave Cullinane, CISO at Washington Mutual, a Seattle-based bank with 2,500 offices, mentions services provided by Lumeta as an example. Lumeta creates maps that help companies understand how their global network connects to their partners and to the Internet. Companies use the maps to identify previously unknown routes into the network or to see where users are making unauthorized connections. This kind of work doesn't come cheap (pricing for Lumeta's IPsonar service starts at $21,500 for a one-time scan and limited license) but should be weighed against the potential cost of a breach. "Network mapping is essential," Cullinane says. "Ideally, it should show how to segment the network, so if an attack occurs in sector A, you can prevent it from spreading to the other sectors."

This inventory and mapping chore never really ends. Albert Oriol, privacy and data security officer at The Children's Hospital in Denver, is finding that a sound e-commerce security map is a work in progress. When Oriol started at the hospital in 2001, he first had some internal security gaps to close. Only after he and his team implemented redundant firewalls, invested in an intrusion detection system and deployed antivirus software to all servers, did Oriol start finding time to look outside his own network. Now, he's helping security officers from the hospital's five affiliates understand how patient data flows through the network and addressing issues such as standardizing remote access and e-mail encryption. Those needs don't sit still. "We're trying to get the things that need to flow through on the network, and the things that don't off it," he says. "We keep refining it. It's a never-ending process."

(Think the little guys are safe from e-commerce-induced vulnerabilities? Read the sidebar to this story, "Small Company, Big Trouble.")

2. Mete Out Access

Once they complete an inventory, companies need to understand what applications and parts of the network will be shared and how to share them. Frequently, one business partner wants more than the other is willing to give.

The key step in defining partner access levels is to weigh risk against the need to share information. One example is a Fortune 100 company using three security levels to segment its 2,500 suppliers. These levels, determined by a team of technical managers and businesspeople, are documented and defined according to each partner's need for access. The manufacturer, with its staunch policies that include not speaking on the record to the press about security, leaves little to chance.
