Security, online as well as off, basically involves
locks and keys. Here's a list of garden-variety security methodologies for
securing data on the web. These security methods all depend upon good
rules regarding the distribution and management of passwords, and also
upon internal security measures such as network and database security.
| Type | Description | Appropriate for |
|---|---|---|
| single password protection on a web site | One password protects one or more web pages from unauthorized viewing. The password is distributed by an administrator, via phone or email. | Non-sensitive information, such as an online file server or discussion group, that should preferably remain accessible only to a specific group or individual. A single password means a simple system. Suitable for informal groups where no explicit security agreements are in place. This method is easy and secure enough that most small web sites are maintained using it. |
| multiple password protection | One password is assigned to each user, so users typically have a user ID and a password. Users can be recognized by the ID and password they use, and can be granted different access privileges. | Non-sensitive information that expires, or that otherwise calls for easy changes to password administration. Suitable for formal and informal groups, and when different levels of security are required. Explicit security agreements or terms of use may or may not be needed. Account information may be sent via email. |
| secure sockets layer added to password protection | Encryption of all data transferred between the viewer and the server, hiding it while in transit across the web. | Client data, credit card information and other sensitive, confidential information should be protected this way. Users must be identifiably authorized via some transaction, over the phone or by giving other identifying information. Explicit security agreements or terms of use must be used. Email distribution is not feasible unless a custom email encryption system is used. Active user administration must be in place to ensure expired accounts are disabled and new accounts verified. |
| digital signatures and certificates | Offer complete assurance that both computer terminals are the ones they say they are. | When large amounts of highly sensitive data are transferred, such as in large wire bank transfers, or highly sensitive data replication between servers. This requires custom installation of signature-reading software, and also a registration fee to a signature authorization service. |
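The "multiple password protection" row above describes per-user IDs, per-user passwords, different access privileges, and the need to disable expired accounts. The following Python is an added example, not code from the original page, showing one way to implement that row: each account gets its own salted PBKDF2 password hash, a set of privileges, an optional expiry date and a disabled flag, and authentication does a constant-time comparison. The user names, passwords, privilege names and the iteration count are constructed sample values.

```python
"""Per-user password store with access privileges and account expiry.

Added example (not from the original page). Implements the "multiple
password protection" row: one ID and password per user, per-user
privileges, and disabling of expired accounts.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date
from typing import Optional, Union

PBKDF2_ITERATIONS = 200_000  # assumption: tunable work factor for PBKDF2-HMAC-SHA256


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes
    privileges: set = field(default_factory=set)
    expires: Optional[date] = None  # None means the account never expires
    disabled: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash; the plaintext password is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _as_date(today: Union[date, str, None]) -> date:
    if today is None:
        return date.today()
    return date.fromisoformat(today) if isinstance(today, str) else today


class UserStore:
    def __init__(self) -> None:
        self._accounts: dict = {}

    def add_user(self, user_id: str, password: str, privileges=(), expires: Optional[date] = None) -> None:
        salt = os.urandom(16)  # fresh random salt per account
        self._accounts[user_id] = Account(user_id, salt, hash_password(password, salt), set(privileges), expires)

    def disable_user(self, user_id: str) -> None:
        """Administrative disable, e.g. when a user leaves the group."""
        self._accounts[user_id].disabled = True

    def authenticate(self, user_id: str, password: str, today=None) -> Optional[Account]:
        """Return the Account on success, None on any failure (unknown ID, bad password, expired, disabled)."""
        acct = self._accounts.get(user_id)
        if acct is None:
            # Do the same hashing work for unknown IDs so response time does not reveal which IDs exist.
            hash_password(password, b"\x00" * 16)
            return None
        if acct.disabled or (acct.expires is not None and _as_date(today) > acct.expires):
            return None
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            return None
        return acct

    def authorize(self, user_id: str, password: str, required_privilege: str, today=None) -> bool:
        """Authenticate, then check that the user holds the privilege the page requires."""
        acct = self.authenticate(user_id, password, today)
        return acct is not None and required_privilege in acct.privileges


def demo_store() -> UserStore:
    """Constructed sample accounts: a writer, a read-only user with an expiry, and a disabled user."""
    store = UserStore()
    store.add_user("alice", "correct horse battery staple", {"read", "write"})
    store.add_user("bob", "bob-pass-2024", {"read"}, expires=date(2024, 1, 31))
    store.add_user("carol", "carol-pass", {"read"})
    store.disable_user("carol")
    return store


if __name__ == "__main__":
    s = demo_store()
    print("alice write:", s.authorize("alice", "correct horse battery staple", "write"))
    print("bob write:", s.authorize("bob", "bob-pass-2024", "write", today="2024-01-01"))
    print("bob after expiry:", s.authenticate("bob", "bob-pass-2024", today="2024-02-01"))
    print("carol disabled:", s.authenticate("carol", "carol-pass"))
```

Privileges are checked per request after authentication, so the same store serves pages with different protection levels; the expiry and disabled checks are what turn the table's "active user administration" into something the server enforces rather than something an administrator must remember to do by hand.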