Transaction security harming web services

A new report contends that the potential for widespread use of web services in business is being held back by poor network security.

US research firm The Tolly Group conducted interviews with 52 network architects at companies, universities and government organisations with over 250 employees.

It found that two-thirds did not encrypt or otherwise protect data while it was being transported between application servers - a fundamental requirement for business web services use.

Franklyn Jones, director of product marketing at network security company Ingrian, told vnunet.com: "End-to-end e-transaction security is the new security requirement for business.

"Many companies have put a strong security fence with firewalls and routers around them. But now you've got people outside the perimeter, so you need private transaction paths that extend the enterprise."

The report confirmed that, of the organisations interviewed which were actively evaluating and implementing enterprise network security, almost all had virus security and firewalls as protection.

But product complexity, costs and lack of personnel with appropriate technical expertise is holding back the proliferation of enterprise-class network security tools.

"Despite the range of security technologies being deployed, users are not securing data on an end-to-end basis. A critical security gap exists inside corporate firewalls," said the report.

Over a third (37 per cent) thought that their business-critical data is susceptible to hackers, internal sabotage or catastrophic events, while 36 per cent also acknowledged that critical data held at remote offices is vulnerable to attack.

The problem of securing data appears to be widespread. The organisations surveyed came from the US (59 per cent), EMEA (22 per cent), various Pacific rim countries (10 per cent) and Canada (nine per cent).

Jones explained that US-based Ingrian, which this week announced its expansion into the UK and online banking company Egg as a new client, had identified six key areas needed to achieve end-to-end transaction security:

Access control - authentication/authorisation of users involved in the transaction.

Secure connectivity - a secure transaction path between the two web entities, from remote web clients through to internal servers and databases.

Applications protection - the inspection and filtering of transaction data.

Securing of storage - protecting sensitive data on back-end servers and databases when a transaction is complete.

Key management - securing cryptographic keys used throughout the transaction.

Audit trails - generated for transaction participants, applications, servers and data.

The report was commissioned by Nortel Networks, Enterasys Networks, Check Point Software, Netilla Networks and Ingrian Networks.