kasper-kronmann-nielsen
Here is the concept definition of how to make a low cost eBusiness platform with high customer focus that supports the existing business process and supply chain. The solution is no longer active in Shell but the concept still applies.
“Thin front end solution” for eBusiness.
The background for the genesis of the “Thin front end solution”.
eBusiness ordering is, in its simplest form, just the customers doing what the CSC does today,
and that view gave birth to the concept of the “Thin front end solution” back in 1999 in
Denmark.
If we were able to just replace the “blue and green screens” in the CSC with a web page
interfacing directly to our ERP, we would have the ideal and simplest solution for
eBusiness. (See simplified drawing below.)
The benefit of the “Thin front end solution” is that you still follow the business rules and
processes already in place in the ERP for the other sales channels, as all processing (price
calculation etc.) is done in the same place (software and hardware) and is hereby aligned
with the other sales channels.
Besides this, you would also have all the data in one place, connected to the customer,
meaning an integrated view from the CSC and no replication/synchronization of data to
other systems, hereby keeping cost at a low level.
Another reason it is a low cost solution is that the only new hardware to buy is the hardware
that handles the presentation of the web layer to the users/customers. This does not need big
processing power or big data storage capacity, as all of that is done/stored by the ERP,
hereby utilizing the processing/storage power of the ERP. The rest of the infrastructure
needed is already in place with the GID-mini hub set-up.
Programming of the business process would not be needed, as it is a matter of reusing the
ones already existing. You would also rely on the people already maintaining the ERP and
hereby not need new skills to be developed.
A concern has been whether it would overload the ERP, but here you should see it as having
just moved the work from the CSC to the customers, meaning in theory that you have the
same load on the ERP if you have the same number of customers, because what the customer
will do, the CSC would have done in the past.
Security is another concern when you give the customer access from the Internet to your
systems.
The first decision was to send userID and password by different channels, e.g. the userID via
mail to the legal owner of the accounts connected to the online user and the password to the
provided e-mail address, hereby protecting against social hackers. These channels should
also be the only ones used when people forget one or the other. The exception was a sales
rep handing over the userID and password face to face.
In Scandinavia a tool has been used that proves the security of the “Thin front end
solution” is of the highest standard for eBusiness; see the embedded information for more
information on the issue.
Butler Group Technology Audit
Gartner research on product used
Reference list of companies using tool
For firewall configuration see
For developing a secure thin front end solution see
The Top Ten Web Application Security Vulnerabilities
How does the “Thin front end solution” work?
Technically, the “Thin front end solution” starts with a user accessing the site, e.g.
www.shell.dk/shellonline, whereby a “Dispatcher” (communication program on the web
server) initiates “Call first Page” and the “Page generator” (program that builds the
web pages) makes the login page. Via an algorithm and the hidden fields in the page, a
Digital Signature is made for the page by the Page generator.
The user then types in information and triggers the event “log in” on the web page; this is
sent to the “Dispatcher”, which first checks the Digital Signature of the page/information and
then delivers the information to the right “Event handler” on the web server
(program that handles what should happen when the event is triggered).
The event handler can then trigger from 0 to many APIs (interfaces between the web and the
ERP system in a specified record format).
This could be to get a price for an order, calling the pricing module in the ERP, or it
could be to show an account statement, activating the module responsible for getting the
account statement data. It could also be to get information that normally would have
demanded several screens in the CSC (modules in the ERP), hereby making the web solution
much more user friendly and easy to navigate.
The information coming back is then sent to the Page Generator (program that puts the
data in the right template for building the page to return to the user; the Page Generator
can also call the ERP via APIs to get the data to build the right page), and then the cycle
starts again.
The template could be user dependent, meaning that for different users the data and actions
built into the customer-facing page would differ. E.g. a reseller/agent should have the data
presented in another way than a private customer or a BtoB customer etc. Besides this, you
could also exclude things on the template side, meaning that a CSC version would have all
possibilities but the other user types would have a subset of the functionality and the data.
This would mean developing the interfaces for each functionality/service only once for
all groups of users, hereby lowering development cost.
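The Page generator / Dispatcher round trip described above, together with the per-user-type template subsets, as an added illustration that is not code from the original document or from Shell's solution. It assumes an HMAC over the hidden fields as the "algorithm" producing the Digital Signature, a constructed server-side key, and made-up event names and user types; the point it adds is that the Dispatcher should enforce the user-type subset server-side and not rely on the template merely hiding functionality.

```python
import hashlib
import hmac
import json
import secrets
from typing import Callable

# Constructed server-side key (assumption): held only by the web server, never sent to the browser.
SERVER_KEY = secrets.token_bytes(32)

# Assumed per-user-type subsets of the CSC functionality; the CSC version has everything.
# Enforced by the Dispatcher, not only by leaving things out of the template.
ALLOWED_EVENTS = {
    "csc": {"login", "price", "statement"},
    "reseller": {"login", "price"},
    "private": {"login", "statement"},
}

# Assumed event handlers; in a real deployment each would call 0..n ERP APIs.
EVENT_HANDLERS: dict[str, Callable[[dict, dict], str]] = {
    "login": lambda hidden, typed: f"login attempt for user {typed.get('userid', '?')}",
    "price": lambda hidden, typed: f"pricing API call for account {hidden['account']}",
    "statement": lambda hidden, typed: f"statement API call for account {hidden['account']}",
}

def canonical(hidden: dict) -> bytes:
    # Unambiguous serialisation so generator and dispatcher sign identical bytes.
    return json.dumps(hidden, sort_keys=True, separators=(",", ":")).encode()

def page_generator(hidden: dict) -> dict:
    """Emit the hidden fields of a page plus a keyed signature binding them together."""
    signed = dict(hidden)
    signed["sig"] = hmac.new(SERVER_KEY, canonical(hidden), hashlib.sha256).hexdigest()
    return signed

def dispatcher(submitted: dict, typed: dict) -> str:
    """Check the signature first, then the event against the user type, then route."""
    hidden = dict(submitted)
    sig = hidden.pop("sig", "")
    expected = hmac.new(SERVER_KEY, canonical(hidden), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return "rejected: hidden fields tampered"
    event = hidden.get("event", "")
    if event not in ALLOWED_EVENTS.get(hidden.get("usertype", ""), set()):
        return "rejected: event not available to this user type"
    return EVENT_HANDLERS[event](hidden, typed)
```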
More security information.
Websydian Security
Security on the Internet is a major concern and must be addressed at different levels, from
the application level (ensuring data integrity, enforcing user authentication etc.) to the
operating environment level, where a number of threats such as hacking or denial-of-service
attacks exist.
At the application development level Websydian includes ready-to-use solutions for data
integrity protection, user access control and complete audit control and management, which
all cover important issues of E-Business application security. These patterns can be used in
any E-Business development project and require no additional programming.
Enhanced reliability, security and protection of corporate data in the operating environment
are realised with the improved Distributed Websydian Architecture (DWA), which provides
high protection of corporate data and protection against e.g. denial-of-service attacks
propagating from web servers to back-end servers - attacks which can jeopardize business.
High availability is ensured through the Websydian Server, by continuously monitoring
applications and performing error recovery operations if necessary. High performance can
be achieved by distributing applications across several servers using Websydian Server
Agents.
Websydian provides security at all the different levels from the application layer to the
operating system environment and has been used for development of a number of high-
security E-Business applications.
White paper
This white paper analyses the role of Websydian and developers using
Websydian for each of the top ten web application security vulnerabilities
http://www.owasp.org/documentation/topten identified in the Open Web Application
Security Project http://www.owasp.org. The analysis shows that Websydian takes care of
nine of the ten issues with little or no intervention required by the developer.
On top of this, it can be mentioned that the encryption algorithm included by default in
Websydian is MD2. However, Soft Design already has a stronger encryption algorithm,
SHA 1, which is used by a number of our customers.
If that is not strong enough, other algorithms can easily be used instead.
Further, a presentation we made at the Plex user conference in Barcelona is included.