Apply Offline Security Lessons to E-Assets

By Peter Coffee  |  Posted 2002-06-17

The goal is to look good to customers, not to impress the audience at an IT conference.

Do you protect yourself against hackers by crossing your fingers and hoping for the best? That's the strategy of choice, it appears, for more than a third of the thousands of eWeek online readers who've replied to our poll on this subject.

Even if our poll respondents (see results at ) were being flippant in their answers, we all need to apply the hard-learned lessons of the offline world to protect our e-assets. Our poll asked only about active measures, such as software-based ID systems or hardware intrusion detection appliances, but we should also look at the entire spectrum of risk-reduction measures that we use—without even thinking about them—in our other business and personal activities.

A physical storefront, for example, can protect itself against defacement of its windows with an elaborate system of infrared beams and electronic links to armed-response security services. It would be more cost-effective, though, to use storefront materials that are easy to clean, depriving graffitists of the satisfaction of seeing their work displayed. After one or two disappointments, they'll look elsewhere.

Electronic storefronts, likewise, should be implemented with technologies that resist casual attack, with facilities in place to roll over to a "hot site" backup in the event of a more determined attack. It's easy to think like a technologist and spend lots of money trying to make a site attack-proof, but it makes more sense to think like a business owner. The goal is to look good to one's customers, not to impress the audience at the next case study presentation at an IT security conference.

Physical storefronts also reduce their appeal to potential thieves by removing high-value merchandise from their windows when they're closed for the night. Why show off what's worth stealing? It should likewise be an axiom of enterprise Internet presence that if someone isn't authorized to use something, it shouldn't even be apparent that it exists. Instead of delivering access through browsers, with or without passwords and other access controls, why not look toward application-to-application communication that conducts conversations only among known and properly privileged participants?

Attack-proofing is impossible; let's make it less important.

Share your risk-reduction strategies with me at

Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developers' technical requirements on the company's evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues. Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter company's first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, and he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.
