Security

The walls of our ironclad security fortress are largely invisible to our users, as they should be. There is no reason to publicize our security measures unless we are trying to provoke hackers and crackers. Users notice authentication challenges, such as usernames and passwords, use of encryption (secure sockets layer), and the use of cookies.

There are three general levels of security that apply to portals. For a public portal, the first and loosest level is support for anonymous users. If you are trying to attract new customers, constituents, or other users to your portal, you need to allow them anonymous access. There is little point to improving your search engine results if the first thing users see is a login screen, and they are forced to create an account on your portal. New users need to be able to kick the tires a bit and become comfortable before they divulge personal information or spend money. In fact, the bulk of the portal content may be available to these anonymous users, as it is for many portals. If you support online purchasing, you will have to solicit personal information during the checkout process. At that point you may give customers the choice of simultaneously creating an account for future use and entering the necessary information for the current transaction.

The second level of security is for authenticated portal users. The primary means of authentication at this level is the pair of a username and password. Your portal needs a way to create and maintain these user accounts, performing such tasks as changing passwords and helping users who have lost their passwords. Typically email is used to communicate these administrative actions to users. For instance, Microsoft provides special content for its business partners in the Solution Provider program, such as technical information, sales resources, and downloads. To access this information, the user must log into the Microsoft web site. In this case, Microsoft uses the .NET Passport service, an authentication service that is shared by multiple web sites inside and outside Microsoft, as shown in Figure 2.3.

One of the advantages of .NET Passport is that it reduces the number of passwords that must be maintained . I can use the same password to obtain premium partner content, change my corporate profile on the Gold Partner site, register for Microsoft seminars , and book travel on Expedia.com. You may want to consider using this service as a convenience to your customers. They would need active Internet connections because the public .NET Passport service does not work through an intranet that lacks an outside connection.

All higher forms of security can be lumped into the third level. These measures are more intrusive or demanding than the typical customer might expect, but they are necessary to safeguard proprietary information. For instance, you could implement IP filtering to restrict the range of IP addresses that can access certain pages. This precaution effectively limits the locations from which the page can be accessed. You could add a hardware token to the security mix, such as a smartcard. A customer would need a smartcard reader, along with the card and matching username and password, to be granted access. This is the level at which biometric security, such as fingerprint readers or retinal scans , could be implemented.