"The Net + Web Business Architecture"

In Part 2 of this highly prescient 1995 article, we see why
Kevin Mitnik isn't really the 'Net Bete Noire'
the New York Times says he is.

Franco Vitaliano

To First Part, Last Issue

Numerous commercial possibilities abound once the Net + Web become a fundamental part of your business. In particular, providing enhanced customer service via the 'Net + Web will be one of the big success stories of the decade. Take, for example, United Parcel Service and FedEx, which both offer Web sites for package tracking (see UPS sidebar).

In May of '95 alone, 90,000 packages were tracked via the FedEx site. UPS and FedEx customers, if they chose to, could also write a simple script macro that would automatically call up the shipper's Web site, enter a package tracking number, get a result from the server, and then write that data into a desktop spreadsheet, which then transmits and writes the result into the corporate data center, and is finally relayed on to a Data Warehouse.

One very important use for customized Web browsers is Electronic data Interchange (EDI), which today is in wide spread use by very large organizations that buy and sell products and services to each other. EDI is a proven electronic means for getting rid of the paper mountain that can block the buying and selling of goods in a just-in-time (JIT) manufacturing scenario.

Up to now, however, the problem with EDI adoption has been the costs associated with the requisite proprietary hardware and software, which all participants would have to adopt in the transactions. Interactive Web servers and smart browsers take EDI to the next logical level of automation and standardization. Conceivably, the use of digital 'cybercash' as a means of vendor payment may one day come to play a significant role in EDI, as well.

DigiCash Inc. for example, is the developer of ecash, an electronic money scheme based on public-key encryption. For those who want to know more, the DigiCash site, at, features information about network money, as well as the DigiCash Cybershop, an experimental shopping area for ecash.

In short, the 'Net + Web construct is evolving to where it will soon provide a nearly total shrink-wrap variant of EDI.

The Internet Service Economy

Web clients, however, are only half the story. There is another equally important yet little discussed key for accelerating organizational change: the Web server Common Gateway Interface (CGI). The CGI is the all important specification for passing data between a Web server and an external program. The CGI opens the door to integration of your Web server with the rest of your company's legacy systems -- in particular, with your database management system (DBMS).

For example, when you fill out one of those ubiquitous registration forms on a Web server, a CGI script, or some other type of CGI program, is passing your entered data to a DBMS, getting the DBMS response, and then sending it back to your Web browser. Using CGI scripts to integrate mainframe legacy applications with their Web servers, numerous corporations have produced easily accessible home pages where everything is presented to users in a uniform way via standardized Web clients.

These home pages feature customer-service oriented applications, such as on-line product documentation, and product shipment tracking. It would be wrong, however, to think that the flow of data in these applications is unidirectional. While home pages supply customers with all the information they need to remain happy and loyal, other applications are collecting important background information.

Using CGI scripts, the customer profiles garnered from these home pages are frequently stored in corporate databases for use in internal marketing reports that feature in-depth customer analysis. The cumulative synergy arising from interactive Web browser clients and complex CGI-interactive server applications means almost unlimited flexibility for transacting your day to day operations over the Net.

Net Security

Nonetheless, such flexibility raises the issue of security. Historically, security has been the Net's weakest area, certainly one that the TELCO's will focus on in terms of value added network services.

On the other hand, one needs also to recognize that the issue of the Net being vulnerable to malicious hackers is mostly media-inspired hysteria. Historical evidence indicates that most theft and destruction are not done by people from outside of the corporation. Rather, such data mayhem usually originates from inside the organization.

The Kevin Mitniks of the 'Net notwithstanding -- who, in fact never actually stole/misappropriated anything of financial value, even though he had illegally gained access to the credit card numbers of some 20,000 people -- your security concerns should really be focused on the occasional miscreant who works for you.

This is not to say that you should forget about securing your digital assets. It is just that, to avoid data malfeasance, you may be better advised looking closer to home than worrying about some remote hacker.

A balance must be struck between the level of insecurity your organization can tolerate and the degree of inconvenience it can comfortably endure. Unfortunately, security schemes that are completely bullet-proof are also so user-unfriendly that everyone goes screaming for the CIO's throat.

Next, realize any security system you implement, no matter how elaborate, can always be broken, eventually, by a determined hacker. Just as in making your car theft proof, simple deterrence usually keeps out all but the professional thieves.

As a result, the best security plan is to realize you can never be totally secure, and act accordingly.

Vendors now offer firewalls aimed to protect your network's inner sanctum from being overwhelmed by foreign data packets. Like some cyber-onion, firewalls have multiple layers of security.

Typically, a proxy machine is setup outside the firewall. The proxy or gateway acts as the target for all incoming as well as outgoing traffic. It's advisable to keep all users from directly accessing the Net in order not to leave any back doors open for unauthorized persons to enter your network.

Firewalls can be rigged so that only certain types of Net services are available to machines inside or outside the firewall, such as file transfer protocol (FTP), E mail, and Web browsing. The cumulative effect of all these actions is to render your network invisible to the outside world.

But again, the best 'Net security plan is to assume that you have no security, no matter what system you install.

Apart from outside hacker attack, the biggest hue and cry about Net security seems to center around sending unsecured credit card information over the Net. But ask yourself this: How many times have you, without any further thought, given your credit card to a gas station attendant, a waiter, a bartender, a store clerk, or sight unseen telephone mail order house?

Your name, credit card numbers, signature, address, and telephone number are all out there, everywhere, for the maliciously inclined to use as they please. Now multiply your experience by the many hundreds of millions of other such daily credit transactions.

By the bugaboo reckoning of many self-styled security seers, the massive credit card crime resulting from that magnitude of such unsecured transactions should have crippled the world banking system by now. But as usual, reality does not match self-interest hysteria.

In any event, there are currently two Net security mechanisms about to gain widespread commercial acceptance. Both can provide secure information flow across the Net .

One mechanism is the Secure Sockets Layer (SSL), first proposed by Netscape Communications. SSL accepts all kinds of data packages from a site, creates a safe, encrypted passageway, and delivers the packets secure and unharmed to another location. SSL is thus a general purpose mechanism for transmitting sensitive information across the 'Net.

The other means for achieving Net security is the Secure Hypertext Transfer Protocol (SHTTP) from Enterprise Integration Technologies. SHTTP puts an encrypted digital signature in a packet envelope and thereby secures individual messages. In contrast to SSL, which secures the communications channel, SHTTP secures just the message. However, Netscape has also announced it's own encrypted envelope system, called Secure Courier, and is based on Netscape's SSL.

An effort is now underway that integrates SSL and SHTP. Spearheading this effort is Terisa systems, which has the backing of most of the big players in the on-line industry, including America Online, Prodigy, and Compuserve.

There is also the ongoing standards battle between the Microsoft/Visa/Secure Transaction Technology (STT) vs. the IBM/MasterCard/Secure Electronic Payment Protocol (SEPP). At issue is who will 'own' the protocol for securing credit card transactions over the 'Net. Last word was that Microsoft may have backed down, as Visa seems to have sided with IBM. Driving the Visa defection decision seems to be the tacit realization that STT is basically proprietary, and SEPP is not. This battle is still not over, so this is one to watch. But one thing is for sure: Nobody wants dual standards for credit card transactions, as it will only hurt everyone's business.

But no matter which secure-encryption technology wins, it is only a transitory victory. Low cost supercomputers, like the DSP-based ICE machine, are becoming increasingly available. The result is that the average hacker will soon have National Security Agency quality, desktop code breaking systems at his or her disposal. So, no matter what standards are set, you can expect that within a short period of time the secure codes will be broken in a well-publicized way. 'Net security has become a never ending war of wits.

To keep continually abreast of Net security issues, and intruder/virus alerts, note the National Institute of Standards (NIST) Computer Security Resource Clearinghouse. This server is run by the Forum of Incident Response and Security Teams. CERT's FTP server, which can be accessed via, also has lots to offer the security conscious.

If your appetite for security is merely whetted by these sites, then it is worthwhile to check out something called the Computer and Network Security Reference Index. But if your fear an imminent attack from the folks in the Black Helicopters, try a Purdue site with one of the best security listings on the 'Net, with a good discussion of privacy issues.

In the end, how you put together all these Net + Web pieces matters less than when you do it. Procrastination in making this new client/server construct part of your business would be a big mistake. Early internal adoption will be a powerful springboard for the day you start doing business on the Net.

When you make that leap, you will be better prepared, better organized, and have more money in the bank than many of your behind-the-times competitors.

Copyright 1995, Franco Vitaliano, All Rights Reserved

21st, The VXM Network,