Confidentiality, Integrity, and Availability

The critical “ility” characteristics of Web commerce computing platforms and networks build upon the fundamental information system security concepts of confidentiality, integrity, and availability (the C-I-A triad).

Confidentiality

Confidentiality refers to the prevention of intentional or unintentional unauthorized disclosure of information involved in Web commerce transactions. This information includes configuration settings, logic, and interfaces. Web commerce platforms must be protected from reconnaissance probes, denial of service (DoS) attacks, viruses, Trojan horses, man-in-the-middle exploits, and a variety of other emerging threats.

Encryption is commonly used to preserve confidentiality in encapsulated data and software. The following are examples of the use of encryption in Web commerce transactions:

  • Software may need access to a database. A possible scheme for protecting the database user password is to encrypt the password and store it in a protected file. The decryption key should be supplied to the software via a command line or protected file, and the salt (random bits that are used as an input to derive the cryptographic key) should be embedded in the code itself. In this way, the software requires the decryption key, salt, algorithm, and encrypted password to gain access to the database.
  • An additional approach to meeting encryption requirements in scalable implementations is to encrypt data on-the-fly and store it ...
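The first bullet's scheme for protecting a database password, worked through as an added example (this code is not from the book): the decryption key arrives on the command line, the salt is embedded in the source, and the encrypted password is what would be written to the protected file. The PBKDF2 routine, the `EncryptPassword`/`DecryptPassword` names, the iteration count and the sample salt and password are all assumptions made for the example; AES-256-GCM is used so a wrong key or a modified file is detected rather than silently yielding garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// embeddedSalt is the salt the chapter says lives in the code itself.
// Constructed sample value: it is not secret, it only ties the derived key to this build.
var embeddedSalt = []byte("web-commerce-db-password-salt-v1")

// pbkdf2Iterations is an assumed work factor; raise it as hardware allows.
const pbkdf2Iterations = 100_000

// pbkdf2SHA256 is a from-scratch PBKDF2 (RFC 8018) with HMAC-SHA256 as the PRF,
// written here so the example needs only the Go standard library.
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	for block := 1; block <= numBlocks; block++ {
		// U1 = PRF(password, salt || INT_32_BE(block))
		prf.Reset()
		prf.Write(salt)
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// Uj = PRF(password, U(j-1)); T = U1 xor U2 xor ... xor Uc
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// newGCM derives a 256-bit AES key from the operator-supplied decryption key
// and the embedded salt, then wraps it in AES-GCM.
func newGCM(decryptionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256(decryptionKey, embeddedSalt, pbkdf2Iterations, 32))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPassword produces the blob written to the protected file:
// nonce || ciphertext || GCM tag.
func EncryptPassword(decryptionKey []byte, dbPassword string) ([]byte, error) {
	gcm, err := newGCM(decryptionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(dbPassword), nil), nil
}

// DecryptPassword recovers the database password; it fails closed when the
// key is wrong or the stored blob has been modified.
func DecryptPassword(decryptionKey, blob []byte) (string, error) {
	gcm, err := newGCM(decryptionKey)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return "", errors.New("stored password blob is too short")
	}
	plaintext, err := gcm.Open(nil, blob[:n], blob[n:], nil)
	if err != nil {
		return "", errors.New("decryption failed: wrong key or tampered file")
	}
	return string(plaintext), nil
}

func main() {
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: dbpw <decryption-key>")
		os.Exit(2)
	}
	key := []byte(os.Args[1]) // decryption key supplied on the command line
	blob, err := EncryptPassword(key, "constructed-db-password")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("protected file contents:", hex.EncodeToString(blob))
	pw, err := DecryptPassword(key, blob)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("recovered password:", pw)
}
```

The software ends up needing all four pieces the chapter lists (decryption key, salt, algorithm, encrypted password) before it can reach the database. The check worth keeping in mind is that the embedded salt is readable by anyone with the binary, so the confidentiality of the password rests entirely on the decryption key; the salt only prevents a key derived for one build from being reused against another, and the GCM tag turns a wrong key or an edited protected file into a hard error instead of a connection attempt with a corrupted password.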
