Technology Issues and Strategies
Issue 1: E-Commerce Integration and Program Management
Leading companies recognize e-Commerce as a complete business platform that can span business-to-consumer activities all the way back through business-to-business collaboration: product conceptualization, engineering, manufacturing and distribution across an inter-enterprise value chain. They likely have multiple e-Commerce initiatives underway on both the buy and sell sides of the business. These companies now have their eye on a prize much larger than the sum of all the individual initiatives: customer self-selling and self-service. Putting the customer in complete control of the value chain is the ultimate outcome of the customer-driven business.
Companies that are taking the path toward becoming a fully digital, customer-driven business realize that no e-Commerce application is an island. Rather than creating islands of e-Commerce, they design enterprise and inter-enterprise architectures whose centerpiece is e-Commerce integration. The process of integration begins with identifying the patterns of business logic and data common to e-Commerce applications. Those patterns are translated into specifications for core e-Commerce application components and often include user access and role-based profiles, event management and notification, data and business object integration, trading services, business policies and rules, process management and workflow. Establishing and managing these "e-Commerce engines" as a shared business asset is the singular defining step toward e-Commerce integration and the brave new world of e-Services. These assets may be jointly designed, managed and shared across the enterprise and across trading partners, suppliers and customers.
Having an infrastructure in place that fosters e-Commerce integration does not guarantee success. Those assets must be well managed through a program management organization that is empowered to coordinate people, projects and business resources. While governance of each e-Commerce initiative remains with business units, the shared commerce infrastructure should grow in synchronization with the evolution of the overall business architecture. Successful program and project management are the keys to an orderly transition to becoming a digital business. Well managed corporations are experienced with program management and will extend their management processes to the needs of inter-enterprise program management, coordinating multiple projects in multiple organizations. The program management organization should be chartered as a business unit to ensure that e-Commerce is totally business-driven, now and throughout the greater transition to becoming a virtual corporation.
Issue 2: Security is Prerequisite
The Internet allows a company to open its business to the world. The potential benefits of giving customers, suppliers and trading partners direct access to the business are compelling - increased revenues and decreased costs. The Internet proposition has, however, one very serious implication - security concerns are often cited as the greatest barrier to electronic commerce. A business does not want the outside world to have unrestricted or unauthorized access to company information and business processes. Likewise for customers.
Security is concerned primarily with managing risk. The degree of security needed will depend on the importance of what is being secured, how much money is available to implement and maintain the system and the number of weaker links. It is more expensive to add security after the fact than to design security into the system from the beginning.
Security must be built in at both the technical and business process levels. At the technical level, data vulnerabilities while in transit are usually dealt with through a combination of encryption schemes and transmission protocols such as Secure Sockets Layer (SSL). The Secure Sockets Layer security approach adds a layer (that negotiates a secure transmission connection) on top of the existing network transport protocol and beneath the application layer. Secure Hypertext Transfer Protocol (HTTP-S) adds a set of security headers used to negotiate what type of scheme (such as bulk encryption) and which specific algorithm (such as RSA public key encryption) to apply to information transfers. In addition, corporate firewalls, consisting of hardware and software combinations, control and limit access to a private e-Commerce network from the public Internet. Firewalls function as Internet Protocol (IP) packet filters, application relays, monitors and logging devices. They provide proxy masquerading of information and concentration of security administration. IP packet filters enforce rule sets as to what types of packets can enter or leave through the gateway.
At the business process level, what is needed is authentication so that no one else can pretend that he or she is an authorized user, and access control so that a particular user can gain access to only those portions of the business for which he or she is authorized. On the stateless and session-less World Wide Web, the user needs to know he is communicating with the right server, called server authentication, and the server needs to know it is communicating with the right user, called client authentication. Prior to the advent of e-Commerce, an individual's position, role or authority was identified via phone calls, meetings, correspondence and contracts. In retail industries, driver's licenses, photo IDs, PIN numbers, passports and birth certificates are used to vouch for identity. These means of identification now have their counterparts in the digital world.
Authentication procedures must provide convenience as well as security. For example, in a business-to-business context, authentication should provide a single, universal user logon to multiple applications running on multiple servers while controlling access to resources on the system: files, directories and server universal resource locators (URLs). In fact, a single sign-on is a requirement in many business-to-business e-Commerce environments. Authentication procedures typically involve something known, something possessed or something a user is. High-level security applications often demand a combination of factors such as something possessed, like a smart card with a private key, in conjunction with something known, such as a PIN number. Parties to an e-Commerce transaction must feel confident that they are in fact doing business with the party they believe they are dealing with. Doubt as to the identity of other parties must be done away with by a security system that authenticates by verifying information that the user provides against what the system already knows about the user.
E-Commerce access management requires an authentication and profiling capability that enables the access control processes to be managed electronically, and extended globally to suppliers, trading partners and customers. Authorization involves the control of access to a particular information space once the user has been authenticated and, accordingly, identified to the server's satisfaction. Authorization is intended to limit the actions or operations that various authenticated users are able to perform in an internetworked space, based on their security clearances. Corporations already have internal business and technical controls over the use of information systems by their employees, but business-to-business e-Commerce requires extending this controlled access to outside companies, outside employees, and outside computer systems. Information boundaries must be designed to control access and manage sessions as well as assign rights and privileges to trusted partners and new customers or suppliers. Information boundary management (e.g., who is allowed to view what and when) addresses the security, directory services, and access control aspects of content and application functionality necessary to support inter-enterprise business processes, collaboration and application-to-application integration.
Access control mechanisms are based on access rights, or permissions, that define the conditions under which the user can access network resources. Access controls delineate the user's privileges or permissions such as 1) creating and destroying information, 2) reading, writing and executing files and programs, 3) adding, deleting and modifying content, and 4) exporting and importing abilities. The site administrator controls the permissions using an access control list that itemizes the privileges of authenticated users on a resource-by-resource basis. Integrity is concerned with protecting data from unauthorized modification both while in transit over the network and while stored on the system servers or in accessible databases. Changes that the integrity services component of access management must protect against include data additions, deletions and reordering as well as modifications. Security management services support the integrity of e-Commerce
Secure it, or forget it! Security is a non-functional and absolute requirement of all e-Commerce applications. As with all business controls, the cost of the controls must be in line with the assets they protect. The security, control and auditability of e-Commerce applications require the same first principles that are needed in the physical world of management control. The first principles of business controls cover the nine major risk exposures of any corporation whether it is using pencil-and-paper or digital media in its operations. A corporation's auditing team, therefore, is a vital part of the e-Commerce team.
Issue 3: Nonrepudiation: Signing the Contract
In the physical world, business contracts are not legally executed and binding until they are signed. The same must hold true for e-Commerce if nonrepudiation is to be achieved in cyberspace - the document must be signed. What is needed is a digital infrastructure for handling signatures.
The public key infrastructure (PKI) is a comprehensive set of functionalities for encryption and digital services that consists of several components, including a directory, certification authority (CA) and certificate revocation lists. PKI's most popular feature is its two sets of keys - a public key and a private key. PKI simultaneously addresses the four issues of authentication (a user is who he says he is), authorization (the user is authorized to be where he is on the network), nonrepudiation (the user is the one who really sent the message) and privacy (no one has read or tampered with a user's message).
Secure Sockets Layer (SSL) protocols, now supported by all popular browsers, are capable of presenting client public key certificates to any Web server configured to require client authentication. To create a client certificate, the user goes to the Web site of a certificate authority and fills out a form with personal identification information needed to create a public key pair. The public half of the key pair is then submitted along with the personal identification data to the certificate-issuing Web server, which then uses its certificate authority root key to digitally sign the user's public key. The signed certificate is then returned to the browser for storage together with the corresponding private key.
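The issuance steps just described, as an added Go example (not code from the book or from any CA product): the user generates a key pair, the CA signs the public half together with the user's identification using its root key, and a Web server that requires client authentication checks that the certificate chains to a root it trusts. Assumptions: the function names NewKey, NewRoot, Issue and ServerAccepts, ECDSA P-256 keys, a self-signed root built in-process to stand in for the CA, and the constructed names and serial numbers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewKey generates a key pair, as the user's browser does before contacting the CA.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// sign issues a one-day certificate over pub from tmpl, signed with signerKey under parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRoot creates the CA's self-signed root certificate (hypothetical CA, constructed here).
func NewRoot(name string, rootKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return sign(tmpl, tmpl, &rootKey.PublicKey, rootKey)
}

// Issue is the CA's step: sign the submitted public key and identity with the root key.
func Issue(root *x509.Certificate, rootKey *ecdsa.PrivateKey, user string, userPub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user}, // constructed serial
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(tmpl, root, userPub, rootKey)
}

// ServerAccepts is the Web server's check: the client certificate must chain to the
// trusted root and be marked for client authentication. nil means accepted.
func ServerAccepts(client, trustedRoot *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	rootKey, _ := NewKey() // constructed keys and names throughout
	userKey, _ := NewKey() // the private half never leaves the user
	root, err := NewRoot("Example Root CA", rootKey)
	if err != nil {
		panic(err)
	}
	cert, err := Issue(root, rootKey, "alice@example.com", &userKey.PublicKey)
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.Subject.CommonName, "issued by", cert.Issuer.CommonName, "accepted:", ServerAccepts(cert, root) == nil)
}
```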
A certification authority is the trusted third party that issues certificates for public keys. Individuals can also generate their own private and public keys and send the latter to the CA for validation. Public keys may be kept in white pages-like directories. Typically, two key-pairs are generated - one pair for encryption and one for digitally signing documents. The term "asymmetric keys" means the use of separate public and private keys. Suppose "Alice" wants to send "Bob" a digitally signed and encrypted document. "Alice" will sign it using her private key and use "Bob's" encryption key to encrypt the message. "Alice" will go to the directory to obtain "Bob's" public key. When "Bob" receives the message, he will use "Alice's" public signing key to see if "Alice" is indeed the originator of the document and that the content has not been tampered with in transit. "Bob" will use his own private key to decrypt the message.
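The Alice-to-Bob exchange above, as an added Go example (not code from the book): Alice signs with her private signing key and encrypts with Bob's public encryption key, and Bob reverses both steps. It goes one step beyond the text by signing the intended recipient's name along with the document, so that a signed document re-encrypted and passed on to a third party does not verify as addressed to them. Assumptions: the names Envelope, NewKey, Seal and Open, the choice of RSA-PSS and RSA-OAEP, and a document short enough for RSA-OAEP (190 bytes with these 2048-bit keys; longer documents are normally encrypted under a one-time symmetric key that is wrapped the same way).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what Alice transmits (type and field names are this example's own).
type Envelope struct{ Ciphertext, Signature []byte }

// NewKey makes one RSA key pair; each party holds two, one to sign and one to encrypt.
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// digest hashes the recipient's name (fixed 32 bytes, so unambiguous) with the document.
func digest(recipient string, doc []byte) []byte {
	id := sha256.Sum256([]byte(recipient))
	sum := sha256.Sum256(append(id[:], doc...))
	return sum[:]
}

// Seal signs with the sender's private signing key, then encrypts the document
// with the recipient's public encryption key.
func Seal(doc []byte, recipient string, senderSign *rsa.PrivateKey, recipientEnc *rsa.PublicKey) (*Envelope, error) {
	sig, err := rsa.SignPSS(rand.Reader, senderSign, crypto.SHA256, digest(recipient, doc), nil)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientEnc, doc, nil)
	if err != nil {
		return nil, err // includes rsa.ErrMessageTooLong for documents over 190 bytes
	}
	return &Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the recipient's private encryption key, then checks the
// signature against the sender's public signing key and the recipient's own name.
func Open(env *Envelope, me string, myEnc *rsa.PrivateKey, senderSign *rsa.PublicKey) ([]byte, error) {
	doc, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, myEnc, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	if err := rsa.VerifyPSS(senderSign, crypto.SHA256, digest(me, doc), env.Signature, nil); err != nil {
		return nil, fmt.Errorf("not signed by this sender for %q: %w", me, err)
	}
	return doc, nil
}

func main() {
	aliceSign, _ := NewKey() // constructed demo keys; real public keys come from the directory
	bobEnc, _ := NewKey()
	env, err := Seal([]byte("PO-1001: 40 units at $12.50"), "bob", aliceSign, &bobEnc.PublicKey)
	if err != nil {
		panic(err)
	}
	doc, err := Open(env, "bob", bobEnc, &aliceSign.PublicKey)
	fmt.Printf("%q %v\n", doc, err)
}
```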
In addition, certificate revocation lists are repositories of invalid certificates and key histories that are used for decrypting old information. Cross certification means two separate certificate authorities recognize each other's certificates. Nonrepudiation involves digital signatures and time stamping, so senders cannot deny they sent a message in question. Client software is used for certificate validation, storage of the private key and applications that use secure PKI. Directories are essential to implementing PKI and function as a repository for cryptographic information. Support for the Lightweight Directory Access Protocol (LDAP) is important. E-Commerce applications must reside on a solid PKI infrastructure. Nonrepudiation is as essential in cyberspace as it is in the traditional world of commerce.
Issue 4: Trust and Privacy in Cyberspace
In both business-to-consumer and business-to-business e-Commerce, trust and privacy are critical issues that must be dealt with electronically. Trust is a measure of confidence, and TRUSTe, an independent, non-profit privacy organization has taken the initiative. TRUSTe focuses on a company's unaudited, voluntary commitment to meeting certain standards for electronic commerce related to privacy. TRUSTe has developed a third-party oversight "seal" program that alleviates users' concerns about online privacy, while meeting the specific business needs of each of their licensed Web sites. A TRUSTe trustmark is awarded to sites that adhere to established privacy principles and agree to comply with ongoing TRUSTe oversight and resolution procedures, including audits by CPA firms. All Web sites that display the trustmark must disclose their personal information collection and privacy practices - what personal information is being gathered, how the information will be used, who the information will be shared with, choices available to the browser regarding how collected information is used, safeguards in place to protect information from loss, misuse, or alteration, and how a user can update or correct inaccuracies in information.
"Privacy principles embody fair information practices approved by the U.S. Department of Commerce, Federal Trade Commission, and prominent industry-represented organizations and associations. The principles include 1) adoption and implementation of a privacy policy that takes into account consumer anxiety over sharing personal information online, 2) notice and disclosure of information collection and use practices, 3) choice and consent giving users the opportunity to exercise control over their information, and 4) data security, quality and access measures to help protect the security and accuracy of personally identifiable information. To become a TRUSTe licensee, a candidate creates a privacy statement with the help of a TRUSTe online wizard, reads and signs a TRUSTe license agreement, and pays annual fees."
Privacy is a major concern of Internet users and can be divided into concerns about what personal information can be shared with whom, and whether messages can be exchanged without anyone else seeing them. The World Wide Web Consortium's Platform for Personal Privacy Project (P3P) is developing specific recommendations for practices that will let users define, control and share personal information with Web sites. The P3P incorporates a number of industry proposals, including the Open Profiling Standard (OPS). Using software that adheres to the P3P recommendations, users will be able to create a personal profile, all or parts of which can be made accessible to a Web site as the user directs.
In an open network such as the Internet, message privacy usually requires encryption and decryption. The most common approach is through a public key infrastructure (PKI). Providing a trusted and private presence on the Web is essential to any e-Commerce initiative.
Issue 5: Agility and Software Components
Because they span multiple unique enterprises and disparate hardware platforms, e-Commerce applications require the services of a robust distributed object computing infrastructure - they require a Web object model. The key requirement of the underlying object platform is that it separates technology and business concerns and that it be service-based. The components of the architecture supply high level business and technology services that can be used without having to know how those complex services are implemented or delivered. This layered architecture is essential to the separation of concerns needed for agile software development.
Software components throughout the architecture may be changed without affecting the others, and e-Commerce applications can be assembled, disassembled, and reassembled without leaving the semantics of the business to dip into the technology plumbing. It is critical that abstractions used to model e-Commerce application components stay above the distributed object computing infrastructure (DCOM or CORBA). These logical models should be platform independent and conform to Meta Object Facilities such as the XML Metadata Interchange (XMI) format specification so that they may be incorporated into disparate modeling methods and tools. Although UML is the standard for component modeling, differing analysis and design methods and tools are used by corporations. XMI makes it possible for separate enterprises to share UML models and is essential to inter-enterprise development of e-Commerce applications. The whole idea of component-based development is that an application solution to a business problem is an assembly and configuration of defined services. By staying above the technology platform, component models can be distributed and incorporated to gain maximum benefit from technology now and in the future, both at the business modeling and systems deployment phases.
In A Framework for Business-IT Alignment Using Components, Paul Allen describes the range of activities involved in component-based development. "Traditional software engineering techniques are geared to individual applications. CBD goes far beyond traditional software development in its range of activities:
Architect: Achieve an overall software structure for components adaptable to business needs.
Extend: Specialize component interfaces; a form of black-box reuse.
Assemble/Develop: Plug together components, with the minimum of newly developed code, to produce a business solution as rapidly as possible.
Wrap: Build component interfaces based on legacy systems; a form of black-box reuse.
Acquire: Purchase application components.
Upgrade: Replace or evolve existing software to component status.
Subscribe: Use published services from an external component provider.
Engineer: Build new components.
Modify: Specialize component models; a form of white-box reuse used with frameworks.
Integrate: Ensure the various types of components work consistently and coherently together."
Component-based development strategies are the key not only to software agility, they also help eliminate the disconnect between business engineering and software engineering. Traditionally, models of innovative business processes are developed by business people and thrown "over the wall" to software developers to transform them into software. One group thinks with business mental models, the other with computer mental models - disconnects are sure to arise. But what if there were another way? What if the business engineering process was carried out with business components as the modeling medium? After all, business application components are the implementation of the business processes and entities being modeled. Assuming that existing sets of business processes have been implemented as business components and registered in a repository, the existing component model represents the "as is" analysis model of business engineering. The "should be" model results from customizing and reconfiguring the components, and conducting gap analysis to discover requirements for additional components. This compositional approach to business engineering can unlock
rapid business engineering, and
rapid application development.
When the business world operates in Internet-time, the ability to sense and respond to new threats and opportunities is paramount. Rapid business engineering and rapid application development must be fused into a single activity in order to meet the new competitive realities. In short, the Business Object Model and the System Object Model can and must be aligned, integrated and synchronized.
The notion of aligning business and technology is not new, but tangible progress toward this noble goal has been slow in coming. Object-oriented technologies and methods have made significant contributions to business modeling and business engineering. Methods such as Enterprise Engineering's Object-Oriented Business Engineering (OOBE™) and Jim Odell's Object-Oriented Information Engineering (OOIE) are powerful approaches to alignment. Object-oriented technologies and development methods, however, are new and sometimes complex. As we explored in chapter 2, O-O technologies and methods require new ways of thinking and present steep learning curves - on to components. Component frameworks are the next step in the progression of object-oriented theory and practice and can overcome the drawbacks and obstacles of O-O to deliver on the promise of O-O. Component frameworks can make the business and technology alignment notion real. An agile business powered by agile software can be built with component frameworks - this is the component breakthrough for competitive advantage.