"Today, it is all about profits."
E-commerce Times reporter Michael D. Peters just published a very comprehensive story about how e-commerce apps are putting sites at security risk. He gives an excellent overview of the "hows" and "whys," but then this point struck me:

As developers continue to push the limits of feature and functionality, these slicker, faster applications are prompting retailers concerned with security to ask, "Which applications are leaving my site most vulnerable?" The simple answer is that they all are. Any application that is human-facing presents opportunities for theft and corruption. However, it's an important distinction to note that "human-facing" is not limited to the dangerous world of cybercriminals beyond the gates. While hackers certainly pose significant threats to an e-commerce site, trusted internal sources like employees, partners, vendors -- even auditors -- can introduce an even greater risk.

Ah, trusted sources... that leaves a bit of a problem with this list of solutions:

Following is a brief checklist of considerations in the planning stages:

• Privacy: the relationship between collection and transmission of data and the expectation of privacy. Privacy concerns exist wherever personally identifiable information is collected and stored in electronic or physical forms.

• Encryption Technologies: the process of transforming electronic information using a software cipher to make it unreadable to anyone except those possessing the key.

So there lies a concern: internal sources deemed trustworthy until they aren't anymore. And becoming "nontrustworthy" isn't always deliberate. For example, someone could accidentally leave an office unlocked, giving unintended access to thieves.

Joe McKendrick of Information Management recently ran an article about methods of securing data. I participated in this article, sharing insight into the added benefits of data masking over encryption:

The threat isn't just outside thieves or hackers; production data is often sent to other parts of the enterprise, such as development shops, where it can fall outside of the control of security teams. Encryption doesn't quite go as far as data masking in protecting data, Logan says. “Unlike masked data, encrypted information is merely a puzzle that takes a little time to decode. Also, if masked data is misplaced or stolen, it does not need to be reported, unlike encrypted data.”

The bottom line is, encryption, while effective in many respects, still carries significant risks because of its reversibility.

Something Michael brought up in his E-commerce Times article that I found especially interesting was the changing nature of the thieves' motives:

In the past, hackers were often interested in doing no more than hacking into and defacing a site. That is no longer the case. Today, it is all about profits. Cybercriminals are well funded and going straight for the customer information. This naturally makes applications like the shopping cart, which handles financial information, a greater target than the library application for product information.

So yes, lock down that data!
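To make the masking-versus-encryption point concrete, here is an added example of what "masking" a production record before it goes to a development shop looks like in practice. It is not code from the original post, from the Information Management article, or from any vendor's product; the record fields, the sample customer, the masking key and the function names are all constructed for illustration. The contrast with encryption is the absence of an inverse: the HMAC-based pseudonyms stay consistent (so masked tables still join) but there is no key that turns them back into the original values, while the card number keeps only its last four digits and its format.

```python
"""Irreversible masking of a production record before it leaves the
security team's control (for example, a copy handed to a dev shop).

Added example, not code from the original post. The field names, the
sample record and the masking key below are constructed for illustration.
"""
import hashlib
import hmac

# Constructed sample: one production-style customer record (not real data).
PRODUCTION_RECORD = {
    "customer_id": "C-10042",
    "name": "Jane Example",
    "email": "jane.example@example.com",
    "card_number": "4111 1111 1111 1111",
    "order_total": "129.95",
}

# Constructed masking key. It is held only by the masking job and never
# shipped with the masked copy. Unlike an encryption key it unlocks nothing;
# it only keeps pseudonyms consistent across tables so joins still work.
MASKING_KEY = b"constructed-masking-key-rotate-per-environment"


def pseudonymize(value: str, key: bytes = MASKING_KEY, length: int = 12) -> str:
    """Deterministic one-way token: same input -> same token, no inverse.
    HMAC-SHA256 under the masking key, truncated to `length` hex characters."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_card(pan: str) -> str:
    """Keep only the last four digits; preserve separators and length so
    downstream code that parses card formats still runs on the masked copy."""
    digits = [c for c in pan if c.isdigit()]
    keep = set(range(len(digits) - 4, len(digits)))
    out, i = [], 0
    for c in pan:
        if c.isdigit():
            out.append(c if i in keep else "X")
            i += 1
        else:
            out.append(c)
    return "".join(out)


def mask_email(email: str) -> str:
    """Replace the local part with a pseudonym; keep the domain so that
    email-format validation in test environments still passes."""
    local, _, domain = email.partition("@")
    return f"{pseudonymize(local)}@{domain}"


def mask_name(name: str) -> str:
    """Replace a personal name with a stable placeholder derived from it."""
    return "User-" + pseudonymize(name, length=8)


def mask_record(record: dict) -> dict:
    """Return a masked copy of `record`; the original is left untouched."""
    masked = dict(record)
    masked["name"] = mask_name(record["name"])
    masked["email"] = mask_email(record["email"])
    masked["card_number"] = mask_card(record["card_number"])
    # customer_id is a join key: pseudonymize rather than drop it so the
    # masked orders table still links to the masked customers table.
    masked["customer_id"] = "C-" + pseudonymize(record["customer_id"], length=8)
    # order_total is not personal data; left as-is so reports still add up.
    return masked


def leaks_original(original: dict, masked: dict,
                   fields=("name", "email", "card_number")) -> bool:
    """Sanity check before release: does any sensitive original value
    survive verbatim anywhere in the masked copy?"""
    blob = " ".join(masked.values())
    return any(original[f] in blob for f in fields)


if __name__ == "__main__":
    masked_copy = mask_record(PRODUCTION_RECORD)
    for field, value in masked_copy.items():
        print(f"{field:13} {value}")
    print("leaks original:", leaks_original(PRODUCTION_RECORD, masked_copy))
```

The `leaks_original` check is the release gate a masking job should run on every batch: if it ever returns True, the copy is not masked and must not leave the production boundary. Rotating `MASKING_KEY` per environment means pseudonyms in the dev copy cannot be correlated with those in the QA copy, which limits what any one leaked dataset reveals.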