Wednesday, March 31, 2010

Secure IT

Day 5

There is an optional product from Sterling Commerce called Connect:Direct Secure+. Secure+ will wrap your C:D connections with SSL (Secure Sockets Layer). This will encrypt the connection using any of several ciphers and authenticate the C:D nodes using digital certificates.
OK, that sounds great, but why would you want to do that? The answer is: it depends. SSL gives you confidentiality, as the connection is encrypted. It gives you authentication, as you can verify whether the other node’s digital certificate was issued by someone you trust, such as VeriSign.

Even if you believed that the information you were sending to another node was in the public domain, such as your company’s share price, you would still want to be sure that the information had not been modified or falsified, that it came from the correct source, and that it was being sent to whom you intended. This is even more important if the transfer is going over a network you do not control, such as the internet.

Even where the transfers occur on your internal network you might still use these measures. Some information, such as personal details like salaries, is so sensitive that you do not want your IT support staff prying into it. In this case you may want to encrypt the data on the file system using something like PGP (Pretty Good Privacy et al).

OK, so you have sensitive information that is encrypted on the file system, and you might think you do not need to encrypt the connections between C:D nodes. Even in this case you might still employ Secure+, as you wouldn’t want to receive a PGP’d file from just anywhere and forward it onward blindly.

PGP’d files are normally encrypted by the application that produced them and are only intended for the target application to decrypt. This is done by exchanging the PGP public keys and adding them to the two endpoints’ “key rings”. That way the sender encrypts with the public key he was given earlier by the receiver, and the receiving application decrypts with its own secret key.

Once a connection between two C:D nodes has been set up, many files of differing data classifications (public, confidential, secret, etc.) may flow over that connection. Some of the files will be PGP’d or otherwise encrypted prior to transfer; others will not need the same level of protection.

You would hate to set up a connection with Secure+ using certificates for authentication but a null cipher (no encryption), only to find some time later that someone had started sending sensitive information in the clear, where it may be seen by anyone monitoring the network.

In my view it is easy to set up a secure connection between C:D nodes using Secure+, with authentication, encryption and the assurance that the data hasn’t been modified. You then know that you are not only protecting your data, and potentially your company’s reputation, but also complying with any information security standards or audit regulations you have to meet.

You should protect your production data as a minimum, and always use Secure+ when using an insecure network such as the internet or any network you do not control.

In short I always set up connections with Secure+.