When you have 45,000 "customers" and thousands more potential users and administrative personnel accessing Web-based applications on a regular basis, security becomes a grave concern.
For Texas A&M University, that means putting strict controls in place to verify the identity of users, which is especially important for students using the university's class registration system. To achieve the appropriate level of security, the information technology staff used the software-based Microsoft Enhanced Cryptographic Provider built into Windows 2000. By encrypting each student's ID number and password into a unique cookie and then saving the cookie in the student's Web browser, the system can easily determine whether the encryption has been tampered with, says Timothy Chester, project manager for distributed software applications in the university's Computing and Information Services division.
To make the encryption mechanism easier for programmers to use, the team also installed AspEncrypt, a class library from Persits Software, of Arlington, Va., that allows programmers to better use the features Microsoft provides.
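The tamper check described above can be illustrated with a short Python sketch. This is an added example, not Texas A&M's code or the AspEncrypt API: it assumes an HMAC-SHA256 tag in place of the Microsoft provider's encryption, carries only a student ID and issue time (no password), and the names `issue_cookie`, `verify_cookie`, `SERVER_KEY` and `MAX_AGE_SECONDS` are hypothetical.

```python
import base64
import hashlib
import hmac

# Constructed demo key (assumption); a real server loads a random secret
# from protected storage and never ships it to the browser.
SERVER_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 3600  # assumed cookie lifetime


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii")


def issue_cookie(student_id: str, now: int, key: bytes = SERVER_KEY) -> str:
    """Return 'payload.tag', where tag = HMAC-SHA256(key, payload)."""
    payload = f"{student_id}|{now}".encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64(payload)}.{b64(tag)}"


def verify_cookie(cookie: str, now: int, key: bytes = SERVER_KEY):
    """Return the student ID if the cookie is intact and fresh, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong part count or malformed base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # Constant-time comparison; any change to payload or tag fails here.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        student_id, issued = payload.decode("utf-8").rsplit("|", 1)
        issued_at = int(issued)
    except ValueError:
        return None
    # Reject cookies from the future or older than the allowed lifetime.
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return None
    return student_id
```

The server rejects the cookie before parsing any field from it, so a modified student ID never reaches application logic.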
For applications containing sensitive student information, the IT staff uses Web server-based Secure Sockets Layer (SSL) encryption. All applications reside behind a firewall (Chester declined to identify the make and model for security reasons), which restricts access to individual services on specific machines. Each service has one or more associated TCP/IP ports that must be allowed through the firewall before the service is accessible via the Internet, Chester explains.
Security is especially important because if one computer system is compromised, that system can be used to attack other computers from within the firewall, effectively bypassing the firewall protection, Chester explains. For that reason, the IT staff addresses a comprehensive list of issues before any service is allowed through a firewall. Security concerns are so great that for the time being at least, Chester has chosen not to make Web services available through the firewall at all. Instead, Web services will be primarily for internal use.