Tenzing provides infrastructure, security and performance solutions for ecommerce with a suite of services designed to address the specific goals, challenges and issues facing online retailers. Likely thanks to the many high-profile security incidents of the past year, we find ourselves talking more and more about security with our clients. What once were conversations about checking the PCI compliance boxes are now deep discussions about building a comprehensive ecommerce security program.
When discussing ecommerce security, many terms come up frequently, and even if you're not a technical person, it helps to know them. For example, if you're discussing network security, you may hear people talking about the security of different layers, such as how certain services protect layers 3 and 4. If your organization is considering advanced security services like a Web Application Firewall, understanding these layers is critical.
The OSI 7 layer model
The layers refer to the Open Systems Interconnection (OSI) 7 layer model, a conceptual framework for how network-connected applications communicate with each other. The model arranges the layers in a hierarchy from the physical layer (lowest) to the application layer (highest).
The 7 OSI layers are:
7. Application Layer: the window through which users and application processes access the network
6. Presentation Layer: formats the data; it is the translator between different systems that allows them to exchange information
5. Session Layer: the layer where the communication session between systems is established, used and terminated
4. Transport Layer: checks that the data is valid and delivered error-free; also manages the segmentation of data for sending and its reassembly on receipt
3. Network Layer: routes the data; it adds the source and destination IP addresses to the data segments
2. Data Link Layer: turns the packets into data frames for transmission across the local network
1. Physical Layer: transforms the data frames into bits and sends them over the network via physical hardware or media (like Ethernet).
What are some examples?
Often security attacks target one or two of these layers, not all of them. For example, network DDoS attacks target the network and transport layers (3 and 4), sending additional packets and traffic to overload the system and consume all available resources. Application DDoS attacks are designed to overwhelm the application itself, which is typically harder to detect because the traffic mimics that of legitimate users.
What does this have to do with ecommerce security?
When you're building out the security of your environment, it is important to consider each network layer. For example, a stateful firewall and an IDS filter at OSI layers 3 and 4, where they accept or reject connections based on addresses, protocols and ports. In general, the lower the layer at which the firewall filters, the more secure the network. While the OSI 7 layer model is not specific to ecommerce, it is important for online retailers to look beyond PCI to build a secure environment, and understanding how threats relate to each of the layers is a good first step. This understanding will help retailers evaluate security solutions that address each layer.
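As an added illustration (not code from the original post), the following Python decodes a constructed Ethernet/IPv4/TCP/HTTP frame layer by layer, then applies a layer 3/4 rule beside a layer 7 inspection. It shows why a stateful firewall that looks only at addresses and ports cannot tell an application-layer request flood from legitimate HTTP traffic. All addresses, ports and frame contents are constructed sample values.

```python
import struct

def build_frame(src_ip, dst_ip, src_port, dst_port, payload):
    """Constructed Ethernet/IPv4/TCP frame carrying `payload` (checksums left zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"  # L2: dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)  # L4: 20-byte TCP header, PSH|ACK
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,           # L3: IPv4, proto 6 = TCP
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp + payload                                                 # L7 payload rides inside L4

def decode_layers(frame):
    """Peel the frame from the bottom up (L2 -> L3 -> L4 -> L7), as a receiver would."""
    eth_type = struct.unpack("!H", frame[12:14])[0]
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    proto = ip[9]
    src_ip = ".".join(map(str, ip[12:16]))
    dst_ip = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return {"l2": {"eth_type": eth_type},
            "l3": {"src": src_ip, "dst": dst_ip, "proto": proto},
            "l4": {"sport": src_port, "dport": dst_port},
            "l7": tcp[data_off:]}

def l34_filter_allows(layers, allowed_dports=(80, 443)):
    """A layer 3/4 rule: decides only from protocol and port; the payload is never consulted,
    so an HTTP request flood on port 80 looks exactly like a legitimate shopper."""
    return layers["l3"]["proto"] == 6 and layers["l4"]["dport"] in allowed_dports

def l7_request_path(layers):
    """Application-layer inspection: the request path is visible only once L7 is parsed.
    This is the vantage point a WAF or application DDoS defence works from."""
    request_line = layers["l7"].split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else None

if __name__ == "__main__":
    frame = build_frame("10.0.0.5", "203.0.113.10", 40000, 80,
                        b"GET /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n")
    layers = decode_layers(frame)
    print("L3/4 allows:", l34_filter_allows(layers))   # True: port 80, looks like any web request
    print("L7 path:", l7_request_path(layers))          # /checkout: only visible at layer 7
```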
How am I supposed to remember all of these layers?
If you're looking for a mnemonic to help you remember the layers, there are some fun ones:
- All People Seem To Need Data Processing
- Please Do Not Throw Sausage Pizza Away
- People Design Networks to Send Packets Accurately
- Please Do Not Touch Steve’s Pet Alligator
- Please Do Not Take Salespeople's Advice