Security Management
Practical Case
The management of "Cater Matters" is aware that an approach to security based solely on the concept of "defending against attacks" does not meet the needs of the business.
It is important that customers of "Cater Matters" have up-to-date information about their orders, outstanding payments, etc. and this requires interaction with the company's ERP.
Clearly, this raises a number of additional security problems, as channels to the outside have to be opened up from within the organisation's IT core.
The management of "Cater Matters" has decided to create a series of Web Services allowing access to this information while preserving its confidentiality and integrity. This requires a review of the Security Plan and the security sections of the SLAs in force.
As basic security measures:
- The range of IPs which the service is able to access is limited. The service is only available from authorised customer IP addresses.
- Encryption protocols are implemented for the XML files exchanged.
- Authentication is required in order to access the service.
- Interaction with the application is monitored to detect possible outside attacks.
- A log is kept of when, how and by whom the service is used.
- A single input channel is authorised for the local services through the company's web servers.
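The IP restriction, authentication and usage-log measures above can be combined in a single admission check in front of the service. The following is an added example, not code from the "Cater Matters" case; the customer names, network ranges and shared secrets are constructed, and it assumes the XML exchange itself is already protected by TLS at the web server.

```python
"""Added example: request gate for a customer-facing web service.
Covers three of the case's measures: source-IP allowlisting,
authentication, and an audit record of when, how and by whom
the service was used. All names, addresses and secrets are constructed."""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timezone

# Constructed: the customer networks authorised to reach the service.
AUTHORISED_NETWORKS = {
    "ACME-Foods": ipaddress.ip_network("203.0.113.0/28"),
    "BigCater": ipaddress.ip_network("198.51.100.42/32"),
}
# Constructed: per-customer shared secrets for HMAC request signing.
CUSTOMER_SECRETS = {
    "ACME-Foods": b"acme-example-secret",
    "BigCater": b"bigcater-example-secret",
}
AUDIT_LOG = []  # in-memory stand-in for the service usage log


def customer_for_ip(remote_ip):
    """Map a source address to the customer whose network contains it."""
    addr = ipaddress.ip_address(remote_ip)
    for customer, net in AUTHORISED_NETWORKS.items():
        if addr in net:
            return customer
    return None


def sign(customer, method, path, body):
    """HMAC-SHA256 over method, path and body with the customer's secret."""
    msg = f"{method} {path}\n".encode() + body
    return hmac.new(CUSTOMER_SECRETS[customer], msg, hashlib.sha256).hexdigest()


def admit_request(remote_ip, method, path, body, signature, now=None):
    """Return (allowed, reason) and append one audit record per decision."""
    now = now or datetime.now(timezone.utc)
    customer = customer_for_ip(remote_ip)
    if customer is None:
        outcome = (False, "ip-not-authorised")
    elif not hmac.compare_digest(sign(customer, method, path, body), signature):
        outcome = (False, "bad-signature")  # wrong secret or tampered request
    else:
        outcome = (True, "ok")
    AUDIT_LOG.append({"when": now.isoformat(), "who": customer or remote_ip,
                      "how": f"{method} {path}", "result": outcome[1]})
    return outcome
```

Every decision, including refusals, is logged with the reason but never with the secret or signature, so the log supports the periodic review without becoming a credential store.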
A periodic evaluation of the service is proposed in order to detect vulnerabilities and adopt corrective measures.
The objective is to offer a quality service with high levels of security so as to build customer loyalty at a time of rapid development when the competition is just a click away.