2. Objectives
• Software development lifecycle
• Build vs. buy decision
• Considerations in choosing appropriate hardware and software
• Considerations for monitoring and improving website performance
• Identify key security threats to e-commerce
• Describe tools used to ensure security
• Explain online payment processes
• Describe features of bill presentment and payment
3. Assignments Due Today
• Read chapters 4 and 5 in the textbook
• Submit case study analysis
• Discuss an article related to cutting edge technology used in e-commerce
• Submit ISP analysis
• Develop action plan for e-commerce paper
5. Group Exercise
• Select a website where you like to shop online
• You are in charge of developing a new e-commerce website for this company
• Draw a diagram representing the System Development Lifecycle
6. System Development Lifecycle
• Systems Analysis/Planning
• Systems Design
• Building the System
• Testing
• Implementation/Service Delivery
• Let’s examine each
7. Best Practices – Systems Analysis
• What do we want to do with e-commerce and what can it do for our business?
• Let business decisions drive the technology
• Identify objectives and then identify technical functionality to meet those objectives
• The real difference in planning for an e-commerce store vs. a retail store
8. Best Practices – System Design
• System design specification – simply a description of the main components
• Logical Design is the data flow
• Physical Design translates the logical design into physical components
9. Best Practices – Build vs. Buy
• Outsourcing means that you hire an outside vendor to provide services
• Lately, outsourcing has become a touchy subject; a more politically correct term is “Co-Managed”
• Build: Out of the box, benefits, drawbacks
• Host: Benefits, drawbacks
• Build and Host
• Class’s opinion?
• Instructor’s opinion!
10. Best Practices - Testing
• Unit Testing – each module
• System Testing – everything together
• Acceptance Testing – Internal AS WELL as external facing testing is important.
11. Best Practices - Implementation
• Monitor
• Adapt
• Maintain
• Expensive!
• Benchmark to competitors: Speed, Quality, Design, Pricing, Promotions, Keeping Current
12. Software and Platform Selection Considerations
• Operating System – Commercial vs. Open Source
• Commercial benefits – More refined, mature, supported
• Commercial drawbacks – Higher purchase cost, better known to hackers, may be less robust... less so currently
• Open Source benefits – cheaper (or free), less well known to hackers, may be more robust
• Open Source drawbacks – Less user friendly (requires more expertise), little or no support, less mature in some areas, no SLA available
13. E-Commerce Software Tools
Site Management Tools
• Identify dead links on your site
• Identify orphan files
• Traffic patterns
14. Dynamic Page Generation Tools
• Original web pages had static content
• Webpage contents are now often stored as objects in a database
• The advantage of modern architecture is dynamic, user-specific page generation
• The Open Database Connectivity standard (ODBC) means that a web server can connect to virtually any backend database, regardless of vendor
15. Discussion
• System Development Lifecycle
• Buy vs. Build decision making
• Software and Platform selection process
• E-commerce software tools
17. E-Commerce Security Threats
• Malicious code – such as SQL injection
• Virus: replicates file to file and delivers a payload
• Worm: replicates computer to computer
• Trojan Horse: looks harmless, but isn’t
• Bot: waits and then executes commands received from an external source, making your computer a “zombie”
19. E-Commerce Threats
• Internal staff
• Contractors
• Janitorial services
• Third party business partners
20. Class Exercise
• What do you believe are the major threats to e-commerce?
• Which solutions can help mitigate these risks?
21. Class Article Discussion
• Describe the article you found in summary
• Describe a leading edge technology that may change e-commerce
• How will it change?
• Will it make it better or worse from the viewpoint of the consumer and the service provider?
22. E-Commerce Function Paper
• Introduce the company
• Introduce the industry sector
• Introduce the corporate website
• Identify the company mission and vision
• Identify methods used to create value for its customers
• Describe the web application and function being analyzed
23. E-Commerce Function Paper (More Detail)
• Analyze the corporate website application and describe the benefits to the organization
• Critique the content, context and infrastructure of the website from the customer perspective
• Provide an overall critique of the website, including a SWOT analysis
• Make recommendations for improvement
24. Class Exercise
• Have you changed your shopping and banking habits over the past five years?
• Do you shop more online than you used to?
• Do you use and trust PayPal? 1 to 10 scale
• What is your confidence level?
25. Payment Systems
• B2B = Business to Business
• B2G = Business to Government
• C2C = Consumer to Consumer
• G2B = Government to Business
• G2C = Government to Citizen
• C2B = Consumer to Business
26. B2B
• Business-to-business (B2B) describes commerce transactions between businesses, such as between a manufacturer and a wholesaler, or between a wholesaler and a retailer. Contrasting terms are business-to-consumer (B2C) and business-to-government (B2G).
• The volume of B2B transactions is much higher than the volume of B2C transactions. The primary reason for this is that in a typical supply chain there will be many B2B transactions involving subcomponents or raw materials, and only one B2C transaction, specifically the sale of the finished product to the end customer. For example, an automobile manufacturer makes several B2B transactions such as buying tires, glass for windshields, and rubber hoses for its vehicles. The final transaction, a finished vehicle sold to the consumer, is a single (B2C) transaction.
27. B2G
• Business-to-government (B2G) is a derivative of B2B marketing and is often referred to as a market definition of "public sector marketing", which encompasses marketing products and services to government agencies through integrated marketing communications techniques such as strategic public relations, branding, marcom, advertising, and web-based communications.
• B2G networks allow businesses to bid on government RFPs in a reverse auction fashion. Public sector organizations (PSOs) post tenders in the form of RFPs, RFIs, RFQs etc. and suppliers respond to them.
28. C2C
• Consumer-to-consumer (C2C) (or citizen-to-citizen) electronic commerce involves the electronically facilitated transactions between consumers through some third party. A common example is the online auction, in which a consumer posts an item for sale and other consumers bid to purchase it; the third party generally charges a flat fee or commission. The sites are only intermediaries, just there to match consumers. They do not have to check the quality of the products being offered.
• This type of e-commerce is expected to increase in the future because it cuts out the costs of using another company. An example cited in Management Information Systems is for someone having a garage sale to promote their sale via advertising transmitted to the GPS units of cars in the area. This would potentially reach a larger audience than just posting signs around the neighborhood.
29. G2B
• Government-to-Business (abbreviated G2B) is the online non-commercial interaction between local and central government and the commercial business sector, rather than private individuals (G2C). For example, http://www.dti.gov.uk is a government web site where businesses can get information and advice on e-business best practices
30. G2C
• Government-to-Citizen (abbreviated G2C) is the online non-commercial interaction between local and central government and private individuals, rather than the commercial business sector (G2B). For example, government departments become visibly open to the public via a web portal, making public services and information accessible to all. One such web portal is Government Gateway.
31. C2B
• Consumer-to-business (C2B) is an electronic commerce business model in which consumers (individuals) offer products and services to companies and the companies pay them. This business model is a complete reversal of the traditional business model, where companies offer goods and services to consumers (business-to-consumer = B2C).
• This kind of economic relationship is qualified as an inverted business type. The advent of the C2B scheme is due to major changes:
• Connecting a large group of people to a bidirectional network has made this sort of commercial relationship possible. The large traditional media outlets are one-direction relationships, whereas the internet is a bidirectional one.
• Decreased cost of technology: Individuals now have access to technologies that were once only available to large companies (digital printing and acquisition technology, high performance computers, powerful software)
37. Digital Certificates Continued
Digital Certificate
Electronic Passport
Good for authentication
Good for non-repudiation
Proof of authorship
Proof of non-altered content
Encryption!
Better than username/password
39. Public and Private Keys
The digital certificate has two parts, a PUBLIC key and a PRIVATE key
The Public Key is distributed to everyone
The Private Key is held very closely and NEVER shared
Public Key is used for encryption and verification of a digital signature
Private Key is used for digital signing and decryption
41. Getting Someone’s Public Key
The Public Key must be shared to be useful
It can be included as part of your email signature
It can be looked up in an LDAP directory
Can you think of the advantages and disadvantages of each method?
43. What is PKI?
• PKI is an acronym for Public Key Infrastructure
• It is the system which manages and controls the lifecycle of digital certificates
• The PKI has many features
44. What Is In a PKI?
• Credentialing of individuals
• Generating certificates
• Distributing certificates
• Keeping copies of certificates
• Reissuing certificates
• Revoking Certificates
45. Credentialing
• Non-technical, but the most important part of a PKI!
• A certificate is only as trustworthy as the underlying credentialing and management system
• Certificate Policies and Certification Practice Statements
46. Certificate Generation and Storage
• How do you know who you are dealing with in the generation process?
• Where you keep the certificate is important
47. Distributing Certificates
• Can be done remotely – benefits and drawbacks
• Can be done face to face – benefits and drawbacks
48. Keeping Copies – Key Escrow
• Benefit – Available in case of emergency
• Drawback – Can be stolen
• Compromise is the best!
• Use audit trails, separation of duties and good accounting controls for key escrow
49. Certificate Renewal
• Just like your passport, digital certificates expire
• This is for the safety of the organization and those who do business with it
• Short lifetime – more assurance of validity but a pain to renew
• Long lifetime – less assurance of validity, but easier to manage
• Use a Certificate Revocation List if you are unsure of certificate validity
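The expiry and revocation checks this slide describes, as an added example that is not part of the original slides. It uses Go's standard library x509 package; the CA name, the user name and the one-hour lifetime are constructed for illustration. A short lifetime lets the expiry check do what a CRL lookup otherwise must, which is the tradeoff in the bullets above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Status says whether cert can be trusted at time t: "expired" (past NotAfter),
// "revoked" (listed on a CRL whose signature checks against the CA), or "ok".
func Status(ca, cert *x509.Certificate, crlDER []byte, t time.Time) (string, error) {
	if t.After(cert.NotAfter) {
		return "expired", nil
	}
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := rl.CheckSignatureFrom(ca); err != nil {
		return "", err // an unsigned or forged CRL proves nothing
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "ok", nil
}

// Issue builds a hypothetical campus CA (constructed), a user certificate valid for lifetime, and a CRL listing it when revoke is true.
func Issue(lifetime time.Duration, revoke bool) (ca, leaf *x509.Certificate, crl []byte, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	userKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Campus CA"},
		NotBefore: now, NotAfter: now.Add(10 * 365 * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER) // parsed form carries the SubjectKeyId the CRL issuer needs
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "bucky@example.edu"},
		NotBefore: now, NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &userKey.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	crlTmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	if revoke {
		crlTmpl.RevokedCertificates = []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}}
	}
	crl, err = x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	return ca, leaf, crl, err
}
```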
50. Trusted Root Authorities
• A certificate issuer recognized by all computers around the globe
• Root certificates are stored in the computer’s central certificate store
• Requires a stringent audit and a lot of money!
52. Using Certificates to Secure Email
• Best use for certificates, in my opinion
• Digital certificate provides proof that the email did indeed come from the purported sender
• Public key enables encryption and ensures that the message can only be read by the intended recipient
53. Secure Email is Called S/MIME
• S/MIME = Secure/Multipurpose Internet Mail Extensions
• S/MIME is the industry standard, not a point solution unique to a specific vendor
54. Digital Signing of Email
• Proves that the email came from you
• Invalidates plausible denial
• Proves through a checksum that the contents of the email were not altered while in transit
• Provides a mechanism to distribute your public key
• Does NOT prove when you sent the email
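The first three bullets as an added example that is not from the original slides: Go's standard library Ed25519 stands in for the S/MIME certificate machinery, the body is hashed (the checksum), the hash is signed with the private key, and the recipient verifies against a public key it already trusts for that sender. The addresses and message text are constructed; the third case is a hoax signed with an impostor's key under the chancellor's name.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// SignedMail is what a signed message carries: the body as sent, the signature
// over its hash, and the sender's public key (signing an email is also how the
// public key gets distributed).
type SignedMail struct {
	Body      []byte
	Signature []byte
	SenderKey ed25519.PublicKey
}

// SignMail hashes the body (the slide's "checksum") and signs the hash with the
// sender's private key, which never leaves the sender.
func SignMail(priv ed25519.PrivateKey, body []byte) SignedMail {
	sum := sha256.Sum256(body)
	return SignedMail{Body: body, Signature: ed25519.Sign(priv, sum[:]), SenderKey: priv.Public().(ed25519.PublicKey)}
}

// VerifyMail checks authorship and integrity against a key the recipient already
// trusts for the claimed sender (e.g. from that person's certificate). Checking
// against m.SenderKey instead would let any key vouch for itself.
func VerifyMail(trusted ed25519.PublicKey, m SignedMail) bool {
	sum := sha256.Sum256(m.Body)
	return ed25519.Verify(trusted, sum[:], m.Signature)
}

// DemoSigning runs three cases: a genuine message, the same message altered in
// transit, and a hoax signed with an impostor's key under the chancellor's name.
func DemoSigning() (genuine, altered, hoax bool) {
	chancellorPub, chancellorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, impostorPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample message, not a real campus alert.
	body := []byte("From: chancellor@example.edu\r\nSubject: Campus alert\r\n\r\nClasses are cancelled today.")
	m := SignMail(chancellorPriv, body)
	genuine = VerifyMail(chancellorPub, m)
	tampered := m // same signature, body edited in transit
	tampered.Body = bytes.Replace(m.Body, []byte("cancelled"), []byte("NOT cancelled"), 1)
	altered = VerifyMail(chancellorPub, tampered)
	hoax = VerifyMail(chancellorPub, SignMail(impostorPriv, body)) // right words, wrong key
	return genuine, altered, hoax
}
```

Calling DemoSigning returns genuine=true, altered=false, hoax=false; the impostor's message verifies only against the key the impostor shipped inside it, which is why the recipient's trust must come from the certificate, not the message.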
55. Digital Signatures Do Not Prove When a Message or Document Was Signed
You need a neutral third party time stamping service, similar to how hostages often have their pictures taken in front of a newspaper to prove they are still alive!
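The neutral time-stamping idea as an added example, not part of the original slides: a hypothetical time-stamping service (its key is generated on the fly here) countersigns the hash of the sender's signature together with the time it saw it, so the signing time is verified against the service's key rather than taken from a Date header the sender wrote. Go with standard library Ed25519; the message text is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"time"
)

// TimestampToken is the neutral third party's countersignature over
// (hash of the sender's signature || time seen). The TSA never needs the message itself.
type TimestampToken struct {
	SignedAt time.Time
	TSASig   []byte
}

// tsaInput binds a signature to an instant; stamper and verifier must build it identically.
func tsaInput(senderSig []byte, at time.Time) []byte {
	h := sha256.Sum256(senderSig)
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(at.Unix()))
	return append(h[:], buf...)
}

// Stamp is what the TSA does: record the time it saw this signature and sign that statement with its own key.
func Stamp(tsaPriv ed25519.PrivateKey, senderSig []byte, now time.Time) TimestampToken {
	at := now.UTC().Truncate(time.Second)
	return TimestampToken{SignedAt: at, TSASig: ed25519.Sign(tsaPriv, tsaInput(senderSig, at))}
}

// VerifyStamp checks the TSA's countersignature. A date the sender typed into the
// message is only the sender's claim; this token proves the TSA saw this exact signature at tok.SignedAt.
func VerifyStamp(tsaPub ed25519.PublicKey, senderSig []byte, tok TimestampToken) bool {
	return ed25519.Verify(tsaPub, tsaInput(senderSig, tok.SignedAt), tok.TSASig)
}

// DemoStamp signs a constructed message whose Date header claims the year 2000, gets it stamped now, then tries to backdate the token by a day.
func DemoStamp() (valid, backdated bool) {
	_, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, tsaPriv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(senderPriv, []byte("Date: 1 Jan 2000\r\n\r\nI signed this long ago."))
	tok := Stamp(tsaPriv, sig, time.Now())
	valid = VerifyStamp(tsaPub, sig, tok)
	forged := tok
	forged.SignedAt = tok.SignedAt.Add(-24 * time.Hour) // claim it was stamped yesterday
	backdated = VerifyStamp(tsaPub, sig, forged)
	return valid, backdated
}
```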
56. Send Me a Signed Email, Please, I Need Your Public Key
57. Using a Digital Signature for Email Signing
Provides proof that the email came from the purported sender… Is this email really from Vice President Cheney?
Provides proof that the contents of the email have not been altered from the original form… Should we really invade Canada?
60. What if This Happens at UW-Madison?
Could cause harm in a critical situation
Case Scenario: Multiple hoax emails sent with the Chancellor’s name and email. When a real crisis arrives, people might not believe the warning.
It is all about trust!
61. Digital Signing Summary
• Provides proof of the author
• Testifies to message integrity
• Valuable for both individual and mass email
• Supported by Wiscmail Web client (used by 80% of students)
62. What Encryption Does
Encrypting data with a digital certificate secures it end to end:
• While in transit, across the network
• While sitting on email servers
• While in storage: on your desktop computer, on your laptop computer, on a server
63. Encryption Protects the Data At Rest and In Transit
Physical theft from office
Physical theft from airport
Virtual theft over the network
64. Why Encryption is Important
• Keeps private information private
• HIPAA, FERPA, SOX, GLB compliance
• Proprietary research
• Human Resource issues
• Legal Issues
• PR Issues
• Industrial Espionage
• Over-intrusive Government
• You never know who is listening and watching!
65. What does it actually look like in practice? -Sending-
66. What does it actually look like in practice (unlocking my private key)? -Receiving-
67. What does it actually look like in practice? -Receiving- (decrypted)
71. New Applications Coming Online This Summer!
• Bye bye old ID card!
• Hello Smartcard!
• One card does it all!
• Email encryption, document signing, web access to sensitive applications and whole disk encryption
72. Digital Certificates For Machines Too
• SSL – Secure Sockets Layer
• Protection of data in transit
• Protection of data at rest
• Where is the greater threat?
• Our certs protect both!
73. Benefits of Using Digital Certificates
Provides global assurance of your identity, both internally and externally to UW-Madison
Provides assurance of message authenticity and data integrity
Keeps private information private, end to end, while in transit and storage
You don’t need to have a digital certificate to verify someone else’s digital signature
Can be used for individual or generic mail accounts.
74. Who Uses Digital Certificates at UW-Madison?
DoIT
UW Police and Security
Office of the Registrar
Office of Financial Aid
Office of Admissions
Primate Research Lab
Medical School
Bucky Badger, because he’s a team player and slightly paranoid about his basketball plays being stolen
75. Who Uses Digital Certificates Besides UW-Madison?
US Department of Defense
US Department of Homeland Security
All Western European countries
New US Passport
Dartmouth College
University of Texas at Austin
Johnson & Johnson
Raytheon
Others
76. The Telephone Analogy
When the telephone was invented, it was hard to sell. It needed to reach critical mass and then everyone wanted one.
77. That All Sounds Great in Theory, But Do I Really Need It?
• The world seems to get along just fine without digital certificates…
• Oh, really?
• Let’s talk about some recent stories
79. Class Exercise
• Encryption, Public Key Cryptography, Digital Signing
• Draw and discuss diagrams 5.9, 5.10, 5.11 (pages 284, 287, 288 in the textbook)
80. Class Discussion
• Protecting privacy and intellectual property (encryption and digital signing)
• Internet Protocols (http vs. https). Is https safe enough? (Hint: think about the ENTIRE system, including data in TRANSIT as well as data at REST)
• Tools to ensure Internet security (Hint: host-based tools such as AV and firewalls, intrusion detection, intrusion prevention, honeypots, physical security, employee training, social engineering)
• Functional requirements for conducting financial transactions on the web (Hint: authentication, authorization, securing data in transit, securing data in storage, data retention policies, PCI compliance)
81. PayPal Case Study Analysis Discussion
• What are the value propositions that PayPal offers consumers? How about merchants?
• What are some of the risks of using PayPal when compared to credit cards and debit cards?
• What strategy would you recommend that PayPal pursue in order to maintain its growth over the next five years?
• Why are cell phone networks a threat to PayPal’s future growth?
82. Wow, That Was a Lot!
• My favorite area of e-commerce is security!
• Questions, comments, further discussion?
• Assignments for next session:
• Read chapters 6 to 8 in the textbook
• Submit Ethical Implications paper
• Select an article to discuss in class that involves ethical or legal issues in e-commerce
• Project team, case study: you pick!
• Work on your e-commerce function paper