2134 A Security Blueprint for E-Business Applications

and good functionality can be provided at the same time. A secure e-business environment must also be resilient and scalable.

This section will develop a security blueprint for an e-business environment based on a three-tiered e-business architecture and major components described in the previous section.

Security Blueprint Overview

This security blueprint emulates as closely as possible the functional requirements of the typical e-business environment discussed in the previous section, which can help people to build or maintain a secure e-business environment for e-business applications.

As illustrated in Figure 3, this security blueprint consists of four security control layers, starting from physical access, network communication, operating system, to application. As part of this security blueprint, to maintain a secure e-business environment, the major security management processes included and staged are planning, deployment, administration, and auditing.

Figure 3. Security blueprint overview

Security Control Layers

As part of the security blueprint for an e-business environment, the security control layers cover all major components identified in a typical three-tiered e-business environment, including physical access, network communication, operating system, and application layer.

Physical Access Layer

The security control for physical access is an extremely important part of keeping all sensitive devices and data secure in an e-business environment. In the typical e-business environment discussed previously, all components of the business logic layer and data layer are considered as critical devices from a security perspective, as illustrated in Table 1. It is necessary to put all critical devices into a separate space (data center, computer room, and even server racks) and maintain very strict control over who can enter it, then use card key or keypad systems, log books, and human security to limit unauthorized access.

Network Communication Layer

The corporate network and the Internet are the major components that fall into this layer, as illustrated in Table 1. These components perform specific roles in an e-business environment, and thus they have specific security requirements. Network attacks are among the most difficult attacks to deal with because they typically take advantage of an intrinsic characteristic of the way the corporate network operates. Hence, most security technologies are applied at this layer to analyze the network traffic and eliminate malicious threats, including router access control, switch access control, firewall, intrusion detection system, virus detection system, virtual private network, and secure sockets layer.

Operating System Layer

As the most likely target during an attack, the operating system layer presents some of the most difficult challenges in an e-business environment from a security perspective. In a typical e-business environment, the major components, such as the Web browser, Web server, application server, database server, and AAA/directory service, are all running on top of various operating systems like Unix, Linux, Windows, and the like, as illustrated in Table 1.

Meanwhile, for various reasons, these operating systems provide strong functionality to support different application services while numerous system holes or bugs remain. Because of this vulnerability, operating systems are the most frequently attacked components in an e-business environment.

To secure these operating systems, careful attention must be paid to each of the components in the e-business environment. Here are two important guidelines to reinforce the operating system layer: (1) keep any operating system up-to-date with the latest patches, fixes, and so forth, and (2) lock down any operating system by disabling unwanted services.
Application Layer

Most components of a typical e-business environment, such as a Web browser, Web server, application server, database server, and AAA/directory service, fall into this layer, as illustrated in Table 1.

Table 1. Major components in security control layers

| Layers / Components | Web Browser | Web Server | Application Server | Database Server | AAA/Directory Service | Corporate Network | Internet |
|---|---|---|---|---|---|---|---|
| Physical Access Layer | ✓ | ✓ | ✓ | ✓ | ✓ | | |
| Network Communication Layer | | | | | | ✓ | ✓ |
| Operating System Layer | ✓ | ✓ | ✓ | ✓ | ✓ | | |
| Application Layer | ✓ | ✓ | ✓ | ✓ | ✓ | | |

As we know, applications are coded by human beings (mostly) and, as such, are subject to numerous errors. These errors can be benign (e.g., an error that causes a document to print incorrectly) or malignant (e.g., an error that makes the credit card numbers on a database server available via an anonymous FTP). It is the malignant problems, as well as other more general security vulnerabilities, that need careful attention. Similar to the operating system layer, care needs to be taken to ensure that all applications within an e-business environment are up-to-date with the latest security fixes.

Management Process Stages

To maintain a secure e-business environment, numerous security management processes of the daily operations of e-businesses are involved. As part of the security blueprint for an e-business environment, the management processes have been organized into four stages: planning, deployment, administration, and auditing.

Planning Stage

The most important stage of security management is planning. It is not possible to plan for security unless a full risk assessment has been performed. Security planning involves three processes: asset identification, risk assessment, and action planning, as illustrated in Figure 4.

Asset identification is used to identify all the targets of the actual e-business environment.
Risk assessment is used to analyze the risks for each asset and determine the category of the cause of the risk (natural disaster risk, intentional risk, or unintentional risk). Action planning is used to describe the security guidelines and present a security architecture using the enabling security technologies.

Deployment Stage

The deployment stage is simpler than the planning stage. At this stage, the action plan developed at the planning stage will be implemented accordingly. This stage includes three key processes: installation, configuration, and testing, as illustrated in Figure 5.

Administration Stage

After the deployment stage, a "secure" e-business environment has been built. However, it is not really secure without proper security administration. This is true because most assets need to be maintained daily to ensure that they have no proven vulnerabilities. In addition, security systems such as firewall, IDS, and antivirus keep generating alerts, events, and logs that require administrators to take necessary actions.

The administration layer consists of four major processes, including daily monitoring, online blocking, log analysis, and periodic reporting, as illustrated in Figure 6. These processes are not only applied to security systems, but also to other assets in the actual e-business environment.

Auditing Stage

The auditing stage provides the formal examination and review of the established e-business environment. This layer contains two major processes, periodic auditing and audit reporting, as illustrated in Figure 7. These processes can be carried out by either internal staff or external parties. In an e-business environment, an annual security audit conducted by an external party is recommended.
CASE STUDY

Company XYZ, with its operational headquarters in Singapore and branch offices in the US, Japan, India, Thailand, Malaysia, and Hong Kong, is a telecommunications service provider that provides end-to-end networking and managed services to multinational corporations (MNC) and small and medium enterprises (SME) across Asia. The company has points-of-presence (POP) located in 17 cities across 14 countries. Technical support is available 24 hours a day and 7 days a week. The company has built an Internet data center (iDC) in Singapore to provide e-business hosting services as part of its managed services. Of course, its own e-business applications, such as the customer portal system, billing system, and trouble ticketing system, are running on this iDC as well.

This section will discuss the applicability of the developed security blueprint using the Singapore-based MNC as a case study.

Figure 4. Processes at the planning stage
Figure 5. Processes at the deployment stage
Figure 6. Processes at the administration stage
Figure 7. Processes at the auditing stage

Established E-Business Environment

An Internet data center is defined as a service provider offering server outsourcing, hosting, and collocation services, as well as IP and broadband connectivity, virtual private networks (VPNs), and other network and transport services. It needs to be physically secure against physical intrusions and equipped with fire suppression, uninterrupted power supply, and disaster recovery systems.

As a telecom provider and managed services provider, the company's iDC has a complex architecture and multiple functions. However, the authors just intend to discuss the environment related to e-business hosting service in this chapter. The simplified e-business environment is shown in Figure 8.
This established e-business environment is mainly made up of core routers (two Cisco 7513 routers), distribution switches (two Cisco Catalyst 6509 switches), firewalls, access switches, and other necessary devices. All those critical devices are configured as duplex to provide redundancy to ensure the continuous operations of e-business applications.

Figure 8. A case study for security blueprint

The corporate LAN of this company is connected into distribution switches, thus allowing internal staff to access the company's e-business applications such as the customer portal, billing system, and trouble ticketing system for daily jobs. Putting these e-business applications into iDC will take advantage of the established e-business environment while saving money on the security protection for the corporate network.

Security Control Analysis

Applying security control to the e-business environment is critical for building a trust relationship between e-business owners and the company.

Physical Access Layer

In order to prevent unauthorized people from getting into the company's iDC, which keeps all the network devices, application servers, and important data, the company has implemented very strict physical access control systems, including biometrics HandKey II system, access card control system, lifetime CCTV recorder system, multi-level password restriction, centralized UPS system, and standby power generator. Besides these systems, the iDC is also monitored by on-shift engineers all the time. In addition, all equipment (network devices and hosts) is put into server racks and locked, while all network cables are put under the floating floor or within server racks. Authorized personnel must sign in and out in memo books to obtain the rack keys.
Additionally, to protect the data backup against fire, theft, and other natural risks, the company has an agreement with another managed service provider for off-site backup, which allows both companies to store data backup media for each other. The data backup media will be duplicated monthly.

Network Communication Layer

As most attacks come from the Internet and corporate network, the company has put industry-standard security systems in place to eliminate risks at the network communication layer. These include firewall cluster, gateway antivirus cluster, intrusion detection system (IDS), AAA system, reverse Telnet access, and VPN access. In addition to the security systems, all network devices including routers and switches are locked down, and access control lists (ACLs) are applied for better security control.

All network devices and hosts are also configured to send simple network management protocol (SNMP) traps and logs to HP OpenView and NetCool systems for monitoring purposes. HP OpenView shows a graphic diagram of the health status of the e-business environment, while NetCool collects all logs and SNMP traps from network devices and hosts. On-shift engineers keep monitoring this information to ensure the network health and security protection is in place.

Operating System Layer

The company uses various operating systems to implement its services, such as SUN Solaris, HP-UX, and Windows NT/2000. As required by the corporate security policy, all operating systems must be hardened and kept updated with the latest security patches from their manufacturers.

Application Layer

The security control for this layer is mainly to keep security patches and service packs for commercial applications up-to-date (for example, CheckPoint Firewall-1 service pack 6, Radiator RADIUS patches, virus pattern for TrendMicro InterScan Viruswall, attack signature for RealSecure IDS, etc.).
For customized e-business applications, such as a customer portal system, billing system, and trouble ticketing system, the software development team is responsible for reviewing program logic and code to avoid any system holes and backdoors.

Management Processes Analysis

In addition to the four layers of security control implemented at iDC, the company has also installed security management processes to continuously maintain a secure e-business environment. A security team has been formed by the engineers from different departments (IT, network operations, network planning, and software development) and is led by a security specialist who reports directly to the chief technology officer (CTO).

This section discusses the related security management processes in the established e-business environment using a real e-business application — a Web-based trouble ticketing system (TTS). The TTS enables customers to report faults and check status online, and allows engineers to enter the troubleshooting progress and sales to understand the troubleshooting procedure. It couples with the customer portal and billing system to provide a single-point solution to corporate customers. The TTS consists of one Web server, one application server, and one database server. Both the Web server and the application server are running on one physical server box, while the database server is running on another server box.

Planning Stage

Three processes are executed at this stage, including asset identification, risk assessment, and action planning.

When running the asset identification process, the major assets for TTS will be identified as follows: Web and application server, database server, and TTS data.
Following the risk assessment process, the major risks to those identified assets are listed as follows: physical attack to the server boxes and network devices; network attack to the operating systems, Web server, application server, database server, and TTS application; and attack or damage to the TTS data, either physically or remotely.

Once the above assets and risks have been identified, the following actions are developed to eliminate those risks to the assets:

(1) physically locate those server boxes and network devices into iDC and lock them to server racks;
(2) deploy the Web and application server boxes according to the database segment;
(3) utilize the firewall cluster to block most remote attacks with certain firewall policies;
(4) utilize each IDS sensor located at distribution switches to monitor potential attacks and intruders;
(5) utilize the gateway antivirus cluster to scan and clean viruses contained in HTTP traffic;
(6) lock down the operating system for Web and application server boxes and allow only Web and application services to run;
(7) lock down the operating system for the database server boxes and allow only database services to run;
(8) examine the TTS program code to prevent any system holes and back doors.

Deployment Stage

Following the action planning, the installation process will be carried out to physically set up all server boxes and access switches, if any, and install the operating system and software such as Web server, application server, Oracle server, and TTS application. The configuration process will go through the lock-down procedures for the operating system and application software, and tune parameters for better performance. Since misconfiguration may sometimes cause more risks and even bring the server down and crash application services, the testing process will ensure that deployment is in compliance with the action plan.
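As an added example (not code from the chapter or from the company it describes), the lock-down actions (6) and (7) can be checked during the testing process by comparing each server box's listening TCP ports with an allowlist for its role. The role names, port numbers, and netstat samples below are assumptions constructed for illustration.

```python
import re

# Assumed allowlists per server role; the chapter names the roles, not the ports.
# 80/443: Web server, 8009: application server connector (assumed),
# 1521: Oracle listener default, 22: administrative access (assumed).
ALLOWED_PORTS = {
    "web_app": {22, 80, 443, 8009},
    "database": {22, 1521},
}

# Local address column: "*.80" (Solaris/HP-UX) or "0.0.0.0:80" (Windows/Linux).
ADDR_PORT = re.compile(r"\S*[.:](\d{1,5})")


def listening_ports(netstat_text):
    """Return the TCP ports in LISTEN state found in `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        tokens = line.split()
        if not any(t.upper().startswith("LISTEN") for t in tokens):
            continue  # headers, UDP and established connections
        for token in tokens:
            match = ADDR_PORT.fullmatch(token)
            if match:
                ports.add(int(match.group(1)))
                break  # the first address column is the local one
    return ports


def audit_lockdown(role, netstat_text):
    """Compare a box's listening ports with the allowlist for its role."""
    allowed = ALLOWED_PORTS[role]
    found = listening_ports(netstat_text)
    unexpected = sorted(found - allowed)
    return {
        "unexpected": unexpected,                  # services to disable
        "not_listening": sorted(allowed - found),  # allowed but absent
        "compliant": not unexpected,
    }


# Constructed sample: Web/application box, Solaris-style output.
WEB_APP_BOX = """\
      *.22                 *.*                0      0 49152      0 LISTEN
      *.21                 *.*                0      0 49152      0 LISTEN
      *.23                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
      *.80                 *.*                0      0 49152      0 LISTEN
      *.443                *.*                0      0 49152      0 LISTEN
      *.8009               *.*                0      0 49152      0 LISTEN
192.0.2.10.80        198.51.100.7.51234   64240      0 49640      0 ESTABLISHED
"""

# Constructed sample: database box, Windows-style output.
DATABASE_BOX = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING
  TCP    192.0.2.20:1521        192.0.2.10:40112       ESTABLISHED
"""

if __name__ == "__main__":
    for role, sample in (("web_app", WEB_APP_BOX), ("database", DATABASE_BOX)):
        print(role, audit_lockdown(role, sample))
```

In the constructed Web/application sample, FTP (21), Telnet (23), and rpcbind (111) are reported as services still to be disabled, while the database sample passes.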
Administration Stage

The security team coupled with the on-shift operation team carries out all processes defined at this stage at any time. Daily monitoring includes the following tasks: network diagram view from HP OpenView, SNMP traps from NetCool, firewall console, IDS console, antivirus console, and syslog window.

Online blocking will be carried out once a remote attack has been identified. The security team will do the log analysis every day and generate security reports every week and every month.

Auditing Stage

The security team will carry out an internal audit every half year to determine the effectiveness of existing security controls, watch for system misuse or abuse by users, verify compliance with corporate security policies, validate that documented procedures are followed, and so on. An audit report will be generated after the auditing and given to management for review and further action.

Cost-Benefit Analysis

The cost of building a secure e-business environment involves not only the one-time hardware/software/project expenses but also the recurring cost for users, operations, and ongoing changes. For the company's established e-business environment, the cost analysis can be done via four areas, including iDC features, security systems, network and communications, and maintenance staff.

The physical construction, including a floating floor, CCTV camera system, biometrics handkey system, server racks, UPS, and power generator, together form the iDC features.

Security systems consist of the firewall cluster, gateway antivirus cluster, IDS console and sensors, Cisco VPN concentrator, and various monitoring and logging systems.
Network and communication cost refers to the expense of the Cisco router 7513, Cisco switch 6509, network cabling, Internet bandwidth subscription, and access switches for individual network segments behind the firewall cluster.

Maintenance staff means internal skilled manpower needed to maintain this established e-business environment for fulfilling operation and security requirements. This mainly refers to the company's security team and on-shift operation engineer team.

Table 2. Cost analysis for e-business environment

| Cost (SG$) | Acquisition & Implementation | Operation | Ongoing Changes & Growth | Total | % of Total |
|---|---|---|---|---|---|
| iDC Features | 280K | 12K | 0 | 292K | 18% |
| Security Systems | 350K | 36K | 15K | 401K | 25% |
| Network & Communication | 420K | 168K | 27K | 615K | 39% |
| Maintenance Staff | 0 | 240K | 50K | 290K | 18% |
| Total | 1050K | 456K | 92K | 1598K | - |
| % of Total | 65% | 29% | 6% | - | 100% |

In this study, the acquisition and implementation cost is a one-time charge and accounts for a very large share (65%), while expenses for operation costs and ongoing changes and growth are estimated on an annual basis, assuming there are no big changes required on the e-business environment. Table 2 shows the summarized implementation cost and other estimated costs.

Although the cost may be high to SMEs, it is indeed cost-effective for large organizations and e-business providers due to the great benefits obtained from the secure e-business environment. These benefits include shared bandwidth, shared security protection, scalability, reliability, and total ownership cost saving.

CONCLUSION

Building a secure e-business environment is very critical to e-business applications. The chapter develops a security blueprint for an e-business environment based on the analysis of a three-tiered architecture and provides general best practices for companies to secure their e-business environments. Also discussed is the applicability of this security blueprint based on the case study of a Singapore-based MNC.
This case study shows that the security blueprint for e-business environment is suitable and cost-effective in particular for large companies like multi-national corporations (MNC).

This work was previously published in Enterprise Information Systems Assurance and Systems Security: Managerial and Technical Issues, edited by M. Warkentin, pp. 80-94, copyright 2006 by IGI Publishing (an imprint of IGI Global).

Copyright © 2009, IGI Global, distributing in print or electronic forms without written permission of IGI Global is prohibited.

Chapter 7.12
A Model of Information Security Governance for E-Business

Dieter Fink, Edith Cowan University, Australia
Tobias Huegle, Edith Cowan University, Australia
Martin Dortschy, Institute of Electronic Business—University of Arts, Germany

ABSTRACT

This chapter identifies various levels of governance followed by a focus on the role of information technology (IT) governance with reference to information security for today's electronic business (e-business) environment.
It outlines levels of enterprise, corporate, and business governance in relation to IT governance before integrating the latter with e-business security management. E-business has made organisations even more reliant on the application of IT while exploiting its capabilities for generating business advantages. The emergence of and dependence on new technologies, like the Internet, have increased exposure of businesses to technology-originated threats and have created new requirements for security management and governance. Previous IT governance frameworks, such as those provided by the IT Governance Institute, Standards Australia, and The National Cyber Security Partnership, have not given the connection between IT governance and e-business security sufficient attention. The proposed model achieves the necessary integration through risk management in which the tensions between threat reduction and value generation activities have to be balanced.

INTRODUCTION

Governance has gained increasing attention in recent years, primarily due to the failures of well-known corporations such as Enron®. The expectations for improved corporate governance have become very noticeable, especially in the