An Association News Technical Review

Components of Electronic Commerce
Part Two:

E-Commerce Editor

In September, we began examining the construction of an e-commerce implementation. We discussed the first key points in developing an e-commerce application: component interfaces, data compatibility, and database connectivity. This month, we're going to focus on the fourth piece, performance & security.

Security, is a critical issue to electronic commerce, and especially to the consumer. Trust leads the list in areas of concern to consumers. Can we trust the Internet to carry our private information to you, and can we trust you not to sell my private information to another merchant? Security is equally important to the merchant. Can I trust that my invoices, receipts, and customer data will remain mine. Can I protect my information and techniques from competitors, or hackers?

Thankfully, the Internet and its support technology provide us with numerous means to protect ourselves. When Sears & Roebuck implemented E-commerce and examined security issues, we focused on these areas:

  1. Protecting our investment (hardware & software)
  2. Protecting our information (business, and consumer)
  3. Protecting our financial transactions

As soon as we started developing applications and methods to answer these concerns we discovered that the performance of our application, its supporting network, and its scalability were all effected by the addition of piece. As we examine each concern, I'll address the security issues we faced, and the performance hits that had to be managed to provide a solid solution.

Protecting our investment in hardware and software was an early concern. We didn't want the wrong people having access to our machines or applications. For the hardware side of things, this was managed by having our servers hosted by a 3rd party. However, making the protection of our servers their responsibility, we were faced with the challenge of limited access to our own hardware. We answered this challenge through an SLA (Service Level Agreement), that specified how much access we required, and how that access was to be provided.

Protecting our applications and our source code was the next concern. We implemented a RCS solution to manage the files used in development, and quickly adopted a development strategy and reporting process. All of our developments are tracked, and the source files monitored at every checkpoint. Use of password protection and Access Control Lists, (ACLs), on the Server Application helped protect access to our application from the outside, and again, the SLA allowed us to ensure that application support was available 24x7.

Protecting our information from people on the outside or non associated staff brought us to encryption. In its simplest form, we use file permissions to prohibit access to specific resources, and improved password protection to guard access for userids. Protecting our information made us examine the multiple encryption methods available. Each was suited to particular areas of our implementation.

For example, when a customer fills out an information form, the form is passed using the POST method, and the data itself is encrypted with a simple 40bit block-encryption algorithm. The data provided by a customer is important, and we didn't want people easily able to access it from the web, or as it is passed from place to place in our applications. All the data is then stored in an access controlled database.

Protecting financial information, for example when a customer passes Credit information, we upped the security measures used by implementing a hybrid encryption scheme. This uses DSS, RSA, and digital signatures to ensure that the data passed remains safe. Any credit information on our servers is kept encrypted, and removed as soon as it is submitted to our fulfillment organization. This ensured tight control of that critical information.

Unfortunately, when using full encryption of hybrid schemes, performance becomes a critical issue. It takes an extraordinary amount of time to encrypt a document in realtime across the web, so we had to carefully balance the hybrid method to make it transparent to the user, but still effective for us. The serviceability of code and the application itself can become problematical when many of its pieces are encrypted, but again, its a matter of balance. Every business needs to address this carefully, and few implementations will ever be the same.

Performance itself, is the final piece of our implementation components. The performance of your e-commerce application will be influenced by many things (like the security concerns above), some of the most important are: hardware limitations, customer level, network bandwidth, reliability and scalability.

The hardware the runs and supports your application is critical in terms of its processors, speed, and storage. You will need hardware that supports your projected customer level, and can accommodate your hopeful growth. The number of concurrent users you can support, and the amount of raw data your server can hold in the form of files, graphics, scripts, applications, or consumer data, leads us back to processor, speed and storage. Generally having enough capacity to handle 150% of your projected best levels of online business will give you enough flexibility to have your application perform reliably and well, and support scalability later by giving you a grace period in which to handle rapid growth.

Network bandwidth is always a concern. Make sure you know how your business is and will be connected to your consumers online. Be sure to keep the band clear of as much 'dressing' as possible so your critical business data can pass efficiently. Again, its all a matter of balance. When you implement an online catalog, you'll need those beautiful, large graphics to sell your products, but keep the large graphics on a single page, a full page product description page for example, and minimize the impact on your bandwidth and the patience of your customers.

Reliability and scalability are your watchwords. Your online e-commerce application needs to be available 24 hours a day 7 days a week. You need a reliable offering. Again, if you work with 3rd party vendors to provide you with services and support, work out an SLA. The scalability of your project is also very much a concern. You expect your business to grow, right? Don't lock yourself into a hardware of software solution that cannot grow with you. For example, the servers we use all have hot loadable storage modules (ie 4GB drives) so that in the event of spectacular growth we simply need to insert another drive. The architecture we use is scalable in terms of processor upgrades, and reliable through SLAs, and the entirety of our system is archived regularly for safety and disaster recovery.

Building a successful electronic commerce implementation depends on many factors, but will always be a large investment of time, money, and skill. I've tried to give you a brief but thorough understanding of most of the major issues involved in making an e-commerce solution work for your company. As always, you may contact me with questions or concerns. Next month, I will begin examining a variety of electronic commerce issues, but if there is something you'd like me to address please drop me a line.

is in charge of the e-commerce initiative at Sears Roebuck & Co.

[Back to Technical]