Fault Tolerability

Whenever a hardware or software component of a trusted Web commerce system fails, it is important that the failure does not compromise the security requirements of that system. In addition, the recovery procedures should not provide an opportunity for violation of the system's security policy. If a system restart is required, the system must restart in a secure state. Startup should occur in the maintenance mode that permits access only by privileged users from privileged terminals. This mode supports the restoring of the system state and the security state.

A system is called fault tolerant when a hardware or software component of the computer or network can fail while the computer or the network continues to function. For fault tolerance to operate, the system must first be able to detect that a fault has occurred, and it must then be able to correct the fault or operate around it; a fault that goes undetected cannot be handled by any of the mechanisms below. In a fail-safe system, program execution is terminated when a hardware or software failure occurs and is detected, so that the system is protected from being compromised; this is the appropriate behavior for security-critical components such as access control, where refusing service is preferable to proceeding on unverified input. In a fail-soft (resilient) system, selected non-critical processing is terminated when a hardware or software failure occurs and is detected, and the computer or network continues to function in a degraded mode. The term failover refers to switching in real time to a duplicate "hot" backup component when a hardware or software failure occurs, which enables the system to continue processing without degradation.
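The following is an added example, not code from the book, that models the three failure-handling modes just described together with the secure-restart rule from the previous paragraph (maintenance mode accessible only to privileged users at privileged terminals). It applies them to a constructed web-commerce request pipeline in which authorization is fail-safe, the recommendation step is fail-soft, and the order database has a hot standby for failover. The component names, pipeline order, and the `healthy` flag used to stand in for fault detection are assumptions made for illustration.

```python
"""Added example (not from the book): a toy model of fail-safe, fail-soft and
failover handling in a web-commerce request pipeline, plus secure restart via
a maintenance mode that only privileged users at privileged terminals can use.
Component names, pipeline order and sample requests are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Mode(Enum):
    FAIL_SAFE = "fail-safe"  # fault => stop processing and deny; never guess
    FAIL_SOFT = "fail-soft"  # fault => skip this non-critical step, run degraded
    FAILOVER = "failover"    # fault => switch to the hot standby in real time


class ComponentDown(Exception):
    """Raised by the fault detector when a component is unavailable."""


@dataclass
class Component:
    name: str
    mode: Mode
    healthy: bool = True                    # assumed output of a health check
    standby: Optional["Component"] = None   # hot backup, used only for FAILOVER

    def call(self, order: dict) -> str:
        # Fault detection: an unavailable component raises rather than silently
        # returning a default; a silent default is how a fault becomes a
        # security-policy violation (e.g. an authz check that "passes" when down).
        if not self.healthy:
            raise ComponentDown(self.name)
        return f"{self.name}:ok"


@dataclass
class Outcome:
    accepted: bool = False
    halted: bool = False                 # fail-safe stop; secure restart needed
    degraded: list = field(default_factory=list)
    steps: list = field(default_factory=list)


@dataclass
class System:
    pipeline: list
    maintenance: bool = False  # entered on a fail-safe halt, cleared by restart

    def process(self, order: dict) -> Outcome:
        out = Outcome()
        if self.maintenance:
            return out  # no customer traffic until the secure state is restored
        for comp in self.pipeline:
            try:
                result = comp.call(order)
            except ComponentDown:
                if comp.mode is Mode.FAIL_SOFT:
                    out.degraded.append(comp.name)   # continue in degraded mode
                    continue
                if (comp.mode is Mode.FAILOVER and comp.standby is not None
                        and comp.standby.healthy):
                    result = comp.standby.call(order)  # switch to hot backup
                else:
                    # FAIL_SAFE, or FAILOVER with no usable backup: stop here.
                    # Nothing after this point runs on an unverified request.
                    out.halted = True
                    self.maintenance = True
                    return out
            out.steps.append(result)
        out.accepted = True
        return out

    def restart(self, user_privileged: bool, terminal_privileged: bool) -> bool:
        """Secure restart: only a privileged user at a privileged terminal may
        restore the system state and leave maintenance mode."""
        if not (user_privileged and terminal_privileged):
            return False
        for comp in self.pipeline:
            comp.healthy = True  # stands in for restoring system/security state
        self.maintenance = False
        return True


def demo_system() -> System:
    """Constructed pipeline: authorization is fail-safe, recommendations are
    fail-soft, and the order database has a hot standby."""
    db_primary = Component("order-db-primary", Mode.FAILOVER,
                           standby=Component("order-db-standby", Mode.FAIL_SAFE))
    return System([
        Component("authz", Mode.FAIL_SAFE),
        Component("recommendations", Mode.FAIL_SOFT),
        db_primary,
    ])


if __name__ == "__main__":
    s = demo_system()
    s.pipeline[0].healthy = False          # authorization component fails
    print(s.process({"order": 1}))         # halted, system now in maintenance
    print(s.restart(True, False))          # privileged user, ordinary terminal
    print(s.restart(True, True))           # privileged user and terminal
```

The point of the model is that the handling policy is attached to each component according to its security role: the fail-safe branch is reached both for components declared fail-safe and for a failover component whose standby is itself unavailable, so a detected fault in anything on the request's trust path ends in a halt and a maintenance-mode restart rather than a best-effort guess.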

A cold start occurs in a ...
