There will always be a need to give customers confidential and sensitive information from an Internet based Web Server & application. Historically all of this logic has resided on the web server, but there are new ways to disconnect the Internet from your sensitive information and still give the customer what they want.
One great way to protect your Internet website is to eliminate all of the business logic from the site and rely on a corporate web service that is further back behind the firewall security level.
If you’re not too sure what a web service is, consider it to be like a secure web page that has no user interface. So I can get to most web services to see what they have to offer by keying them into my browser, but daily operations are all in-band – no user interface.
One example of a web service might be to calculate a customer’s current balance. The old style would be to put the SQL statement as well as the communications parameters (including login and password) to get to the SQL server right on the website. Now, this is the outside website, so it has a bit more exposure to the dark side of the Internet. This is actually very common practice and fairly secure, but there is a better way.
On your internal web server, create a web service that has the needed function – in this case a function called ‘GetCurrentBalance’. Inside of that function and safe from the Internet are all of the SQL statements, connection strings and business logic that will give the correct answer back to the requestor.
Your customer website that is looking for a balance, now asks a simple question to the web service, and presents the answer. There are a lot of other steps – mostly authentication and security related, but bottom line is that all of the confidential and business critical information has been removed from that exposed web server.
One tangential benefit is that you don’t need high-end programmers to write pages that ask for a current balance [for example]. One line that asks the web service can be handled by most 9th graders, so you can apply a bigger resource base against your projects.
One other hidden benefit is that although you have to (or should) write wrappers for these functions within the web service, your code base will get homogenized and consolidated into a single set of class libraries – something that is typically problematic when you have multiple web servers / applications. Microsoft and the world will tell you to compile and distribute these libraries, but it’s a forced way of doing things.
Disconnect your website by connecting to a web service.