Anyone who has spent much of his/her time or money in online shopping ought to understand that for an ideal e-commerce site to succeed, it requires the following things: fast loading web-pages; wide-ranging inventory; an interface that is easy-to-use; and competitive prices. The website of my choice is Amazon.com, an e-commerce website, because it offers innovative extras, e.g. “customers who bought this book also bought…”feature. The new economy is being driven by e-commerce and its primary facilitator is the internet. The internet is simply a communication network that has transformed the manner in which information is accessed, used, and shared by individuals (Siklos, 2006).
The advantages of e-commerce may encompass the following: the internet is accessible, ever-present, and low-priced; various forms of technologies, such digital TVs, computers, mobile phones, and PDA’s can access eCommerce; it shortens the marketing time; with e-commerce, one is able to card payment schemes that are in existence; it provides significant chances for downsizing, as well as rationalizing operations; it has no geographical restrictions; it can eliminate middlemen from the chain of supply; it is capable of eliminating or minimizing stockholdings through manufacturing procedures that are just in time; it can minimize the costs of transactions by eliminating points-of-sale that are physical and reducing administration overheads.
Currently, the internet is being explored by the majority of organizations in a way that is commercial. To that effect, the postal address has been impacted by this. Amazon.com (www.amazon.com) is a sales portal that has been well established. Idyllically, it is a better example of an e-commerce firm, which escalates sales, particularly for the posts. Nonetheless, this company is now trading at multinational, local and nationwide levels (Siklos, 2006). In this paper, it is required that a student selects a website and then presents a case study for the security implementation of that website. Ideally, the website can be an e-commerce website or a personal website. Consequently, the fundamental elements of e-commerce security ought to be covered in the case study on the basis of: client-side vulnerabilities, and security; how the data transaction can be secured; how the e-commerce server can be secured; how the e-business architecture can be secured; and the effects of denial-of-service attacks on e-commerce transaction.
Furthermore, this research will scrutinize how PKI can be used to secure the transaction, as well as, the authentication and authorization of their website users. These are vital aspects of the case study in this research. Basing on this information, this paper aims at presenting a case study of the security implementation of www.amazon.com, the website of Amazon.com
The security implementation of Amazon.com
The website of Amazon is typically full featured and wide ranging and this capability has enabled it to develop and operate e-commerce businesses. Moreover, the website is capable of managing each facet of operating an e-commerce business from merchandising/design, to inventory/catalog management, to payment/checkout processing with fraud-detection. Idyllically, the website of Amazon.com combines tools that are easy to use, so as to facilitate an easy design and fast implementation, which has full branding control, as well as customer experience, flexibility, merchandising and design. Amazon.com allows firms to deliver a cross-channel and personalized experience, specifically for applications for customer service, and phone/store ordering. Indeed, it gives a single-interface for visibility as well as a unified management across channels. Amazon’s website has incorporated e-commerce proficiency for the ongoing accomplishment, which easily incorporates with other services that are offered by Amazon, such as Amazon’s fulfillment and Amazon selling. Nevertheless, Amazon.com has leveraged the reliability, security and strength of Amazon’s infrastructure. It has implemented its website, in essence that it is capable of delivering features that are rich as well as design flexibilities that are of necessity, so as to be able to develop and operate in sophisticated environments (Bartlett & David, 2000).
Amazon’s website is built on the infrastructure of Amazon that is highly secure, scalable and steadfast, and which permits sellers to self-assuredly manage catalog/orders size; traffic spikes; and high volumes of traffic. Amazon’s website is secure because the infrastructure, which hosts Amazom.com, is also the one that hosts the website. Furthermore Amazon has leveraged the current security technique that encompasses a VeriSign SSL (secure socket layer) certificate for its website, so as to make sure that all payment data, together with sensitive-customer data is encrypted.
When someone enters an Amazon.com website, he/she can select “Amazon.com Accounts” feature to permit millions of Amazon customers, who are capable of shopping online. If someone chooses this type of account, the Amazon A to Z Guarantee will protect both the customer and his/her business from fraud. Similarly, if he/she selects the Amazon WebStore Account, A to Z Guarantee will not apply, but the customer will merit from services of fraud protection that are correlated with processing of payments. Ideally, the design of www.amazon.com did not require technological expertise even though it is uniquely branded and professional. However, to make it more sophisticated in its design, the website offers Cascading Style Sheets, which are able to be edited, so as to give it a unique look. Furthermore, the website has various interface widgets that can permit someone to add custom-features that have been designed with Flash, HTML, or Java script for a richer functionality of the site (Kotha, 1997).
Also, Amazon.com has Amazon RDS (Amazon Relational Database Service). Amazon RDS is a web-service that makes Amazon’s website easy to scale, operate and set-up a relational-database in the cloud. Furthermore, it offers a resizable capability while managing administration tasks that are correlated with time-consuming. This frees someone and enable him/her focus his/her applications. Moreover, Amazon Relational Database Service usually morsels the database/software automatically, backs-up the database, and stores those back-ups for a retention period that is user defined. To that effect, the user can merit from flexibility of being capable to scale the storage-capacity, or computer resources that are correlated with relational database via the AWS Management Console or a lone API call.
Amazon Relational Database Service is deemed to be secure because it assists in managing the work that is involved in implementing a relational database, that is, from provisioning the requested capacity of the infrastructure to installation of the software/database. The moment the database starts running on the DB instance, administrative tasks e.g. database patching and performing back-ups are automated by Amazon RDS. In fact, Amazon Relational Database can be used to manage replication of synchronous data across automatic failover and/or Availability zones.
Basic elements of Electronic Commerce Security in Amazon.com
No matter the size of Amazon.com, its website lets the company to think big. Despite the commodities or services it offers, the levels of internet in Amazon.com are the playing field because they have enabled Amazon to successively compete and be among the biggest e-commerce businesses, by reaching its consumers around the globe who are able to purchase from their website (online storefront) at any time. In this competitive globe, for Amazon.com to expand its business and escalate its profits online, its management requires vital steps as well as careful planning. Nonetheless, Amazon.com addresses fundamental risks together with pitfall (Leeds, 2007).
The opportunity of e-commerce has been fully taken by Amazon as it has based its online business on a solid basis that tackles each element of electronic commerce. In doing so, it has done the following: established its identity; found the online home that is of necessity; developed a storefront that is attractive; let their customers to trust them; made an easy way in which customers can use to pay; and let their website to be accessed globally. Thus, the basic elements of e-commerce security in Amazon.com will be on the basis of the following: client-side vulnerabilities and security; securing data transaction; securing commerce server; securing e-business architecture; and the effects of denial-of-service attacks on electronic commerce security.
v Client-side vulnerabilities and security in Amazon.com
Vulnerabilities that are critical are common in PC software, encompassing operating systems (OS) and applications, keeps on escalating in number and currently, they are the main concerns in the e-commerce security. As Roberts, 2003 puts it, client-side applications, such as media players, web browsers, productivity suites, and electronic mail clients are become worried. This is due to the fact that the attention of hackers has been shifted from flawing the operating system to vulnerabilities in the application layer, in which they have found abundant affluence of probabilities for infecting personal computers with botnet or spyware programs.
Unless something significant is done so as to improve the coding habits of the software developers, or so as to better test the applications that are better with regards to such concerns before they reach end-user computers, attackers can be capable of proceeding with their attacks against corporate devices/networks for the near future. Idyllically, the number of vulnerabilities has dramatically escalated, specifically in the applications, such as: Microsoft Office, media players, and web browsers. To that effect, security is being bolstered by Amazon.com, but PC users still pose-a-risk if they are able to download information from the internet. Indeed, the assaults are expanding due to the fact that the majority of hackers ar capable of primarily defeating security systems, such as the antivirus by obfuscating the code.
A number of tools that are powerful, and which have been adopted by hackers in hunting probable targets are “the same industrial-strength applications fuzzing tools” that are being employed by software vendors while searching gaps in their commodities (Lund, 2001). Amazon.com has enforced policies that are stricter, which dictate the kinds of applications that their workers are permitted to install on the work machines. Similarly, technical means is being employed by Amazon, so as to make sure that those set of rules are strictly being followed. Also, Amazon.com is hindering its end-users from utilizing applications, such as message clients, media players, etc, which has moved from the consumer sector to the corporate world, so as to limit the numerous client-side applications that hackers might choose from.
Application usage standards have been enforced by Amazon, so as to utilize technological means of blocking unwanted wireless-access points, unwanted software, and unwanted devices. Nevertheless, the company has realized the want of putting more effort in the defending of client-side vulnerabilities. In view of the fact that Amazon.com is thinking about its future security concerns, it ought to scrutinize additional security concerns that can be put in place with wider adoption of techniques, such as Voice over IP (VoIP). Individuals ought to think ahead of the existing client-side vulnerabilities. In spite of VoIP having many advantages, it can as well be attacked by hackers. It is mandatory for Amazon.com to secure configuration during the time of installation for all its applications, so as to: frequently verify patching as well as upgrade both the system software and the application software; to keep their systems secure and up to date; and to frequently scan for new client-side vulnerabilities.
The better way of educating users with regards to the problem is for Amazon to develop a counterfeit spear-phishing threat, and then distribute it to internal end-users, so as to determine the kind of persons that are likely to be caught by the scheme, and then follow-up with extra training. As Becket (1998) assert, another area that is of concern is critical vulnerability in the systems/software that offer primary services as well as the operating environment to server-side software, or computer services.
v Securing the data transaction
Amazon.com uses digital certificates to secure its data transaction. Digital certificates are also referred to as digital IDs/authentication certificates/SSL server certificates, and they are vital to offering security to customer transaction. A digital ID is a message that one party sends to another party at the commencement of an internet session that is secure. The sender’s identity is verified by the authentication certificate, which then vouches for the integrity of that individual, or Amazon. Indeed, the identity of someone in the cyberspace is established by the SSL server certificate. This is due to the fact a digital ID holds a mapping amid an encryption key and a user. This is a user’s private key and can only be used by that user. Furthermore, the information that is of necessity to permit users to securely exchange data and transact online business in contained in the SSL server certificate (Leeds, 2007).
Typically, a CA (Certificate Authority) organization is the one that issues a digital certificate. Idyllically, it is not possible to forge this SSL server certificate due to the fact that non-repudiation is ultimate requirement of securing communications. Upon demand, a message source ought to be first proven. Precisely, an SSL server certificate is simply a minimal piece of data that is unique, and which uses both the authentication and encryption software. Consequently, when doing online corporate transactions, the credentials of a user are established by this SSL server certificate. The digital ID does this by connecting minimal file to the transaction of data. The contents of that file may encompass the following: the name of the certificate’s owner; serial number; date of expiration; public key of the certificates owner (used for message encryption); and the certificate’s digital signature that will permit verification (by the recipient) of its genuineness.
Once a secure session is requested by a customer of Amazon.com, its information that is contained in the digital signature is sent by their web server to the client/browser, which encompasses the following: the public key; the serial number of the certificate; the validity period of the certificate; the official domain name of the web server; and the Certificate Authority’s domain name. The Certificate Authority’s private key is then used to encrypt this information. When the customer’s web browser receives this digital certificate information, it will validate it on the basis of the following criteria: validity, is the information valid with the present date; ownership, does the information belong to the right server that transmitted it; CA, is the Certificate Authority that issued the SSL server certificate trusted and recognized; and public key, can the Certificate Authority’s public key be used to decrypt the digital signature of the CA.
Suppose the do not pass any of the tests, a customer is issued a warning by the client/browser. The figure below illustrates what a customer of Amazon might see when accessing www.amazon.com via a web browser. In the figure, we will use a secure server feature of Amazon.com. The moment a customers signs to Amazon’s website, by use of “sign in using secure server option,” the digital certificate of Amazon.com will be invoked. In order to see the information on the digital certificate, the customer ought to simply right-click anywhere on the web page.
This will result to a pop-up or a drop-down menu, from that menu, the customer ought to click on “View Page Info.” That will result to a “Page Info” window, which contains various tabs at its top; select the “Security” tab. This action will result to a window that is entitled “Web site identity verified” and amid that window, is a “view” button. In order for the “Certificate Viewer” to be brought up, the customer ought to click at the “view” button. At that moment, the details of the digital certificate of Amazon.com can be viewed by the customer, as shown in the figure below.
Thus, electronic commerce websites widely employ digital certificates, so as to offer security to online credit card, or data transactions. For instance, if a website has been issued with a digital certificate, its customer will be capable of verifying that the website that is actually being displayed on their machines (i.e. computer screen) is actually what it should be, that is, the website of Amazon, but not some imposter that masquerades Amazon’s website with the aim of intercepting the communications of the visitors of www.amazon.com.
v Securing the commerce server
If a customer purchases a credit card at Amazon.com, he/she is backed by the security guarantee. Superlatively, the information will be encrypted by use of Amazon’s secure server software. This will ensure that the online transaction remain protected and private. In circumstances whereby there is an occurrence of unauthorized usage of a credit card that has been purchased from Amazon.com, one has to notify the provider of that credit card in accordance with the procedures and rules. If it was not one’s fault, and the credit-card company notices fraud but do not relinquish one’s entire accountability to the unauthorized claims, the remaining liability will be reimbursed by Amazon.com. This guarantee will only apply to purchases of those credit cards that were manufactured using the secure server of Amazon.com.
In order to secure the commerce server, Amazon.com has employed “The Netscape Secure Commerce Server.” Typically, any information that one types in is encrypted by this server. To that effect, a customer can safely enter his/her credit-card number on the secure-server, which is incapable of reading it in transit. Obviously, one is capable of using the secure-server, even if he/she wants to pay by means of check, or simply enter the last 5 digits of his/credit number. If the secure-server is selected by someone, then all the information that he/she enters on the order-form (such as, name, contact phone number, contact address, etc, are encrypted safely (Hansell, 2008).
v Securing the e-business architecture
In order for Amazon.com to secure its business architecture, it has employed “the Mercator E-Business Integration Broker suite as a key technology for its B2B (business-to-business integration strategy.” This Mercator B2B software is flexible because of its strong data-transformation capability, which enables to offer a solution that is lithe and scalable. This has enabled it to expand its business as well as offer more service and options to its customers. The goal of Amazon.com is to join forces with its suppliers, so as to get better the inventory turnover as well as escalate efficiencies. The Mercator B2B software has facilitated the incorporation and sharing of information amid Amazon.com and its corporate partners.
Nonetheless, Mercator B2B software has permitted Amazon to simplify its corporate procedures by minimizing the number of connecting interfaces that are complicated. Moreover, Mercator has enabled Amazon to squeeze its production time by accelerating the incorporation of information from sundry corporate partners of varying technological capabilities and sizes, thus optimizing B2B trading associations as well as minimizing costs. The use of Mercator B2B software by Amazon.com is being expanded as the vital technique to manage transactions that are event driven, as well as to facilitate the incorporation of its worldwide corporate procedures. In fact, Mercator software offers Amazon.com with EDI functiionality as well as a scalable integration of information architecture, which facilitates data transformation and allows Amazon.com to replicate its infrastructure in a manner that eases worldwide expansion of its services and commodities (Kotha, 1997).
Therefore, through the implementation of Mercator B2B software as the electronic business backbone of their policy, Amazon.com has been able to computerize and rationalize its corporate procedures. The chain supply procedures of Amazon.com are highly complicated and they require scalability and litheness from its incorporation and transformation of a technology. Superlatively, the Mercator technique is capable of handling any format of B2B, e.g. package, XML, legacy, or EDI application, over any kind of transport, such as value-added network, hyper text transfer protocols, message middleware, MIME/SMTP, or File Transfer Protocol. Usually, this will give Amazon.com the capability to adapt quickly to their infrastructure as the requirements of partners/customers will vary as worldwide standards develop.
Mercator B2B software incorporates electronic information through any corporate application with its partners and/or customer applications, while leveraging present techniques investment at each step. Mercator B2B software is being used by the majority of customers to speed up their conversion to electronic business. Most partners, encompassing the providers of application of software, Net-markets and system incorporators, resell or implant Amazon’s technique, so as to enhance the offerings of their services or commodities. We ought to put in mind that it is vital to comprehend that actual result and Amazon’s actual outcomes could vary materially in comparison to those in forward looking statements.
Factors that are capable of causing actual outcomes to vary materially may encompass uncertainties/risks, like alterations in the electronic business incorporation software, alterations in the incorporation of application demand, and the firm’s integration of electronic business broker-suite of commodities, particularly delays/difficulties in developing enhanced/new commodities, the ability of Amazon.com to expand it multinational operations, the capability of Amazon.com in managing expanded worldwide operations, the capability of Amazon.com to continue adding resellers as well as channels of distribution, and the accomplishment of third parties in exploiting and marketing Amazon’s commodities, or seasonality while operating the results.
v Impacts of denial of service attacks on e-commerce security
For the last ten years, the www (World Wide Web) has greatly expanded, and this has posed challenges that are new, specifically for the internet society, with the top slot being occupied by security. In fact, the security threat of a website or a network can translate into being a threat to computer information and therefore, can be of harm to the networks, as well as their computing possibilities, or the web-services they give. In view of the fact that they are various kinds of attacks that are constantly interfering with the websites, it is vital to employ security measures that are stringent. Nonetheless, substantial harm to the website has been caused by the Denial-of-Service attacks, and has also pretense a serious danger to the security of the internet.
According to Brustoloni (2002), internet assails against private/public organizations has escalated by 28 percent in this year. Ideally, the emergence of Denial-of-Service assails aimed at several targets on the web. To that effect, new challenges were instigated within the network-security societies. For instance, an assailant with resources that are limited is capable of carrying out such assails on networks/websites that were sophisticated, thus resulting to enormous monetary losses; disturbance in the dispensation of key public utilities; and a sense of security being inducted in the world that is escalating its dependence on the internet.
Denial-of-Service assails can be countered by Quality-of-Service based methods by isolating awful traffic from justifiable traffic, and then fixing the resources for that traffic that is deemed to be good, thereby making it hard for the assailant to assail that traffic part that has been reserved for the critical or justifiable traffic. Denial-of-Service assail simply refers to the prevention to any unauthorized access to system resources, or delaying the functioning and operation of a system by an attacker through various means. This kind of assail might be pooled with other kinds of assails that will make the most of the snowballing impact. Furthermore, it could be directed to the entire network or to a specific machine.
A number of methods techniques have been used to perform Denial-of-Service assails, with the crux being to: consume resources that are restricted/sparse; alter the configuration of the website, or the communication facility; and physically disrupt the facilities of a network. For instance, VIPnet refers to a value added web service that is used to protect electronic commerce websites from Denial-of-Service assails. In VIPnet, ISPs is paid by electronic merchants, so as to carry the electronic merchants that are deemed to be best clients, and in privileged Class-of-Service.
Nevertheless, the mechanisms that are employed in the Quality-of-Service attacks are mainly found in routers, such as WFQ (weighted-fair queuing), diffserv, or priority based, which are then employed the VIP Class-of-Service from the best effort Class-of-Service, which other packets employ. In view of the fact that VIP traffic is performed in its own Class-of-Service, as an effect of Denial-of-Service assail, the VIP traffic ought to be lagged from congestion. The clients are allotted with VIP rights on the basis of the number of transactions that are carried out for a certain epoch. Consequently, after the expiry of that epoch, in circumstances whereby a new transaction is performed, a fresh VIP right can be issued. As a rest, the electronic merchants will then decide the clients that will be selected, and then be issued with the VIP privileges. Idyllically, a VIP right can be employed in carrying packets to only one electronic merchant.
In order to minimize Denial-of-Service attacks, two payment modes ought to be supported by the by the server, i.e. fixed and transaction based. During the initial communiqué, the client is informed by the electronic merchant via a message that the kind of payment that it supports. For those websites that contain flat-fee billing scheme, the moment a client registers him/herself, he/she is issued with a static internet protocol address. This information will then be conveyed by the sites management together with other information that is of necessity to the VIPG (ISP), which will then store packet amounts that the client sends. Moreover, a flat-fee ought to be paid by the electronic merchant for certain data amounts that sent, as well as the used time resources. When the permitted resources/time allowed expires, the VIP rights will be terminated by the VIP which then alters the client status to regular, and then sends him/her a message notifying him/her of his/her treatment as a selected/regular client. Therefore, due to these mitigating impacts of Denial-of-Service assails on networks and e-commerce websites, these modifications are of necessity because they permit e-commerce websites that charge a fee to implement as well as merit from VIPNet (Brustoloni, 2002).
Securing the transaction by PKI and authenticating and authorization of the users of this website
A PKI (public key infrastructure) refers to a management system that has been premeditated to control public-key certificates as well as cryptographic keys that are asymmetrical (Roberts, 2003). All the same, a PKI acts as a component that is trusted, which guarantees the binding authenticity and the information that is secure, encompassing identity that is involved while securing a transaction by use of a public key transaction. Typically, information is protected by the PKI in a number of fundamental ways, which may encompass the following:
v Authenticates Identity: SSL server certificates that have been issued as part of a public key infrastructure permits users of a website to recognize and confidentially validate every party in an online transaction.
v Verifies integrity: an SSL server certificate guarantees that the document/message that has been signed by the certificate is not corrupted or altered while in online transaction.
v Ensures privacy: during transmission via the internet, the information is protected from interception by an SSL server certificate.
v Authorizes access: typically, PKI SSL server security will easily replace the frequently lost or guessed user passwords and identifications, so as to minimize MIS (Message Incorporation Service) overhead and rationalize log-in security for the intranet.
v Authorizes transactions: with public key infrastructure remedies, Amazon.com will be capable of controlling unauthorized access for particular online transactions, and
v Supports non-repudiation: the identities of users are validated by digital certificates, and this makes it improbable to repudiate a transaction that has been digitally signed, such as an online purchase
From this case study, we can say that Amazon.com, which is an electronic website, has successfully secured the implementation of its website because its website is built on the infrastructure of Amazon that is highly secure, scalable and steadfast, and which permits sellers to self-assuredly manage catalog/orders size; traffic spikes; and high volumes of traffic. Furthermore, the fundamental elements of Electronic Commerce Security in www.amazon.com have been implemented. This is in essence that: it has developed a counterfeit spear-phishing threat, and then distributed it to internal end-users, so as to tackle client-side vulnerabilities; it uses digital certificates to secure its data transaction; it has employed the Netscape Secure Commerce Server; and it has employed the Mercator B2B software to secure its business architecture.