Unit 04

The document discusses enterprise application integration (EAI), which is a framework that facilitates communication between enterprise applications without significant changes to databases or applications. EAI addresses issues caused by information silos between applications and helps streamline business processes. The document outlines the implementation of EAI, enterprise needs driving EAI adoption, and benefits of EAI such as information sharing, centralized flows, process automation, and increased efficiency.

Uploaded by Smita Mulye

UNIT 4

BUSINESS APPLICATION SECURITY: AN EAI PERSPECTIVE

Names of Sub-Units

Meaning and Evolution of EAI, Application Security: Basic Issues, Understanding Web
Services in the Context of EAI, Business Drivers for Enterprise Application Integration,
Application Communication Through EAI, Role of Web Services in Enterprise Application
Integration, Security Complexities and Complications Due to Enterprise Application
Integration. Electronic Mail system mechanism, Security Threats Posed by Electronic Mails,
Countermeasures to Protect from Threats Posed Through E-Mails, Governance for
Electronic Mail Systems

Overview

Enterprise application integration is a framework for integrating systems and applications throughout an enterprise. It is made up of a variety of technologies and services. It is the act of connecting applications inside a single organisation to each other to streamline and automate business operations as much as possible without substantially altering the current applications or data structures. In order to provide efficient, reliable and secure data exchange between multiple enterprise applications and to support common business processes, organisations rely on the integration of diverse applications. This unit discusses the different dimensions of EAI and the security challenges faced in implementing it.
JGI JAIN DEEMED-TO-BE UNIVERSITY UNIT 4: Business Application Security: An EAI Perspective

Learning Objectives

In this Unit you will learn –


❖ Meaning and Evolution of EAI
❖ Application Security: Basic Issues
❖ Understanding Web Services in the Context of EAI
❖ Business Drivers for Enterprise Application Integration
❖ Application Communication Through EAI
❖ Role of Web Services in Enterprise Application Integration
❖ Security Complexities and Complications Due to Enterprise Application Integration
❖ Electronic Mail System Mechanism
❖ Security Threats Posed by Electronic Mails
❖ Countermeasures to Protect from Threats Posed Through E-Mails
❖ Governance for Electronic Mail Systems

Learning Outcomes

At the end of this unit, you would be able to:

❖ Analyze the various security challenges in application integration.

Pre-Unit Preparatory Material

Not Provided

4.1 Enterprise Application Integration

The solution to the lack of communication between enterprise apps is enterprise application
integration (EAI), the implementation of technologies that facilitate communication between
enterprise applications. Enterprise application integration establishes a middleware
framework that helps data flow freely between applications without significant changes to
database configurations or the applications themselves, leading to a streamlined process
and increased data availability.

Enterprise Application Integration (EAI) represents a new paradigm in the use of technologies and services. Small, medium and large companies use it to facilitate their entire business process since it allows them to integrate everything from software applications to hardware systems.

Figure: Enterprise Application Integration

4.1.1 Implementation of EAI

As an organization grows in size, it adopts an increasing number of enterprise applications that streamline the management of front-office and back-office functions. Businesses depend on their accounting software, customer relationship management tools, analytics platform, and other applications to provide critical business functionalities and services, but there is a significant issue with the typical deployment model for enterprise applications: information silos.

Communication between enterprise applications is not automated, and as a result, these tools are not configured to talk to each other, pass data back and forth, share business rules or otherwise interact in any way. This results in widespread business inefficiencies:

➢ If important data is captured in a given application, it must be manually entered into
other applications
➢ If important data is modified in a given application, the changes will not be reflected in
other applications - the changes must be entered manually
➢ If an application needs data that exists in another application, a user must manually
search for that data

These inefficiencies may result in poor access to information, administrative delays, and
slower business processes.

As an enterprise organization deploys more types of applications, the presence and impact
of information silos within the business can increase exponentially. Some of the most
common enterprise application types include:

➢ Accounting systems
➢ Automated billing systems
➢ Business analytics and intelligence platform
➢ Business continuity planning (BCP)
➢ Content management system
➢ Customer relationship management (CRM) tools
➢ Email marketing platform
➢ Enterprise resource planning (ERP)
➢ Enterprise messaging systems
➢ Payment processing
➢ Service desk application

The information silos created by an expanding ecosystem of internally-facing business-critical applications are the main reason why enterprise organizations are engaging in enterprise application integration.

4.1.2 Enterprise Needs

There are three enterprise needs that are driving the adoption of enterprise application integration:

a. Data integration - Enterprise organizations that deploy many externally and internally facing applications need to integrate data from across those applications, ensuring that databases are synchronized and streamlining data access and availability throughout the entire organization.

b. Vendor independence - Enterprise application integration helps reduce an organization's dependence on individual software vendors by abstracting business policies or rules from the application and into a middleware framework. Instead of customizing an application with business rules, the organization instead customizes its enterprise application integration system with business rules and policies, making it easier to swap out enterprise applications and choose new vendors when necessary.

c. Common interfacing - Enterprise application integration creates an opportunity for common facades or common interfaces that can access multiple applications. Instead of learning twenty different user interfaces for twenty different applications, EAI might allow employees of an organization to learn a single graphical user interface (GUI) that connects seamlessly with existing applications, databases, and other enterprise tools. This streamlines administrative processes and helps employees be more productive using enterprise applications.

4.2 Benefits and Advantages of Enterprise Application Integration (EAI)

1. Information Sharing: With EAI, you can consolidate all the data across individual systems to create a single access point. It not only saves time in searching for information across various systems but also allows users from different departments to access updated data. Another advantage of EAI is that it helps improve collaboration between individuals from multiple departments.
2. Centralized Flows: Earlier, companies had to develop application-specific interfaces and connect them point-to-point as required. The result was a complex network that was challenging to maintain and evolve. With EAI, all interfaces converge on a central server (hub) that processes and redistributes flows to the registered applications.
3. Process Automation: The EAI platform helps improve the automation of business processes and provides timely and accurate information to users and customers. Further, it bridges the gap between two different systems so that data can flow smoothly between applications. It eventually improves business processes as well as enhancing the transparency of financial workflows.
4. Increased Efficiency: By streamlining business processes, enterprise application integration improves the organization's overall efficiency. It makes communication easier and reduces time and effort through better functionality and improved control. Further, it can help companies address changes in market trends, manage their reputation, and handle issues such as disruptions in the supply chain. For instance, a company in the retail industry may particularly benefit from integrating its sales channels, eCommerce and ERP platforms to drive revenue and encourage consumers to interact with their favorite retail brands.
5. Reduced Time: EAI helps in significant reduction in the time needed to integrate new
data or redesign processes. It makes the information system responsive to the company’s
operational or strategic requirements. Moreover, it establishes a link between two or more
platforms. Thus, the data from one platform are accessed by the other platforms meant to
be integrated.
6. Complete Control: One of the key advantages of implementing EAI is that it allows
controlling the information flow. It provides universal access and sharing of all data and
components of the information system, whether standardized or asynchronous. The
different mechanisms in EAI will give full knowledge of the integration that facilitates
complete control of the company.
7. Minimize Errors: EAI provides consistent master data for all applications used. It leads
to a significant reduction of errors that may occur due to incorrect information accessed by
different users. Further, it helps in the immediate elimination of repetitive tasks, errors, and
possible bottlenecks in business processes.
8. Increased Agility: Real-time data and updates, delivered according to established business rules, significantly improve the efficiency and speed of management decision-making. This helps businesses respond to new opportunities and make the most of them.
The integration and customization of applications are critical to an organization's growth plan. Organizations can add new customers to their systems without having to mobilize administrative resources. Enterprise application integration solutions help enhance the performance of organizations in line with their business goals. As an offshore enterprise application development company, Rishabh Software can help you modernize your applications. Our teams combine best practices to support the synchronization of multiple platforms, providing a central access point to your data.
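The hub model described under Centralized Flows is easier to reason about with a concrete, if miniature, implementation. The following Python example is added here and is not part of the unit or of any product it mentions: applications register with the hub, subscribe to topics, and publish messages that the hub validates before fanning them out. The application names, topic name, payload contract and the HMAC-based sender check are all constructed for the example; a commercial hub or ESB would use its own registration and authentication mechanisms.

```python
import hashlib
import hmac
import json
import secrets
from collections import defaultdict


class IntegrationHub:
    """Constructed central hub: registered applications publish messages to a
    topic and the hub redistributes each accepted message to that topic's
    subscribers. Only registered senders with a valid HMAC are accepted, and
    every refusal is recorded so an operator can review it later."""

    def __init__(self):
        self.keys = {}                          # app name -> shared secret (bytes)
        self.topics = {}                        # topic -> set of required payload fields
        self.subscribers = defaultdict(list)    # topic -> [app name]
        self.inbox = defaultdict(list)          # app name -> delivered messages
        self.rejected = []                      # (sender, topic, reason) audit trail

    def register(self, app):
        """Enrol an application and hand it the secret it will sign with."""
        key = secrets.token_bytes(32)
        self.keys[app] = key
        return key

    def define_topic(self, topic, required_fields):
        self.topics[topic] = set(required_fields)

    def subscribe(self, app, topic):
        self.subscribers[topic].append(app)

    @staticmethod
    def sign(key, sender, topic, payload):
        """HMAC-SHA256 over a canonical JSON encoding of sender, topic and payload."""
        canonical = json.dumps(
            {"sender": sender, "topic": topic, "payload": payload}, sort_keys=True
        ).encode()
        return hmac.new(key, canonical, hashlib.sha256).hexdigest()

    def publish(self, sender, topic, payload, signature):
        """Validate a message and fan it out; returns True when delivered."""
        key = self.keys.get(sender)
        if key is None:
            return self._reject(sender, topic, "unregistered sender")
        expected = self.sign(key, sender, topic, payload)
        if not hmac.compare_digest(expected, signature):
            return self._reject(sender, topic, "invalid signature")
        required = self.topics.get(topic)
        if required is None:
            return self._reject(sender, topic, "unknown topic")
        missing = sorted(required - payload.keys())
        if missing:
            return self._reject(sender, topic, "missing fields: " + ", ".join(missing))
        for app in self.subscribers[topic]:
            self.inbox[app].append({"from": sender, "topic": topic, "payload": dict(payload)})
        return True

    def _reject(self, sender, topic, reason):
        self.rejected.append((sender, topic, reason))
        return False


def demo():
    """Constructed scenario: the CRM publishes new customers; billing and
    accounting subscribe. Three messages are refused for three different reasons."""
    hub = IntegrationHub()
    hub.define_topic("customer.created", ["customer_id", "email"])
    crm_key = hub.register("crm")
    hub.register("billing")
    hub.register("accounting")
    hub.subscribe("billing", "customer.created")
    hub.subscribe("accounting", "customer.created")

    good = {"customer_id": "C-1001", "email": "alice@example.com"}
    sig = IntegrationHub.sign(crm_key, "crm", "customer.created", good)
    hub.publish("crm", "customer.created", good, sig)          # delivered to both subscribers

    hub.publish("rogue-app", "customer.created", good, sig)    # sender never registered
    altered = dict(good, customer_id="C-9999")
    hub.publish("crm", "customer.created", altered, sig)       # payload changed after signing
    partial = {"customer_id": "C-1002"}
    sig2 = IntegrationHub.sign(crm_key, "crm", "customer.created", partial)
    hub.publish("crm", "customer.created", partial, sig2)      # violates the topic contract
    return hub


if __name__ == "__main__":
    h = demo()
    print("delivered to billing:", h.inbox["billing"])
    print("rejected:", h.rejected)
```

The point of routing every message through one place is that the checks live in one place too: sender identity, message integrity and the payload contract are enforced once, for all registered applications, and the rejection log gives operators a single stream to watch. The same centralisation is what makes the hub a single point of failure and a bottleneck, which section 4.6 returns to.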

4.3 Evolution of EAI

EAI has consistently presented a difficulty for organisations over the years. As the technologies that businesses used to function and operate changed, EAI changed with them across several generations. The four generations of EAI are the classic integration approach, the centralized integration approach, the standards-based integration approach, and the cloud-based integration approach.

Across these generations, EAI has undergone a protracted evolution and overcome numerous obstacles. Research from various sources indicates that the Enterprise Service Bus (ESB) is the most practical integration strategy so far, and as Integration-Platform-as-a-Service (IPaaS) is still relatively new to the market, more research must be done to fully understand it. Given the scattered nature of contemporary IT businesses, which include distributed information systems, networks, and platforms, IPaaS has the potential to be the appropriate solution for EAI in the future. Research companies such as Gartner anticipate that the IPaaS market will grow significantly in the coming years.

Depending on the needs for integration, IT organisations continue to employ various generations of EAI. Small businesses with legacy systems may find that the conventional approach meets their needs, while larger businesses may still be looking for more advanced integration options. The integration scenarios that must be considered when choosing the best integration approach include the applications that must be integrated, the protocols that will be used for the integrations, the strength of the required infrastructure for the integrations, the anticipated future integration needs for the enterprise, and the anticipated increase in the number of integrations and applications.

Today, EAI is evolving with new emerging technologies in IT such as IoT, blockchain and AI, and it is anticipated that these technologies will alter EAI. EAI faces new difficulties as a result of the nature of IoT services and equipment: the processing of a sizable volume of data and the wide geographical dissemination of IoT devices. In addition, IoT device services lack standardised descriptions and have inadequate context awareness. The integration of Business Process Management (BPM) in several sectors, including healthcare, supply chain, insurance, and energy management, has a great deal of room for improvement. Blockchain technology and BPM can work together to increase trust between various parties and devices, cut costs by doing away with middlemen, and automate transactions.

4.3.1 Types of EAI

EAI can be done at different levels, depending on many factors including company size and
industry, integration and/or project complexity, and budget.

There are four main integration levels:

➢ Data Level- Data Level EAI is a database-centric approach that consists of extracting
data from one database and updating it in another. Sometimes the extracted data can
be transformed before entering it into the target database, for example, to apply
specific business rules.
➢ Application Interface Level- This EAI level of integration consists of leveraging the
interfaces provided by custom or packaged applications to access business processes
and simple information.
➢ Method Level- Method-level integration is similar to application interface level but at a lower level of granularity. The idea here is not to share business functions (as in application interface level), but to directly share the different methods used to compose a given business function. All other enterprise applications needing to implement the same methods can use them without having to rewrite them.
➢ User Interface Level- User interface-level EAI is also commonly called "Refacing" and
consists of replacing existing text-based user interfaces of legacy systems and graphical
interfaces of PCs by a standardized interface, typically browser-based.
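Data-level EAI, the first level in the list, is the easiest to show end to end. The Python example below is added for this unit and is not taken from it: it extracts orders from one database, applies two constructed business rules (only paid orders become receivables; amounts are converted to USD cents), and loads the result into a second database. Both databases, their table layouts, the exchange rates and the sample rows are constructed and live in memory so the script runs offline; rows that fail validation are quarantined rather than silently dropped, and a re-run is idempotent so a retry never double-books.

```python
import sqlite3

# Constructed business rule: the target ledger keeps every amount in USD cents.
RATES_TO_USD = {"USD": 1.0, "EUR": 1.10}


def build_source():
    """Constructed source: an order-management database (in memory for the example)."""
    src = sqlite3.connect(":memory:")
    src.execute(
        "CREATE TABLE orders (order_id TEXT PRIMARY KEY, customer TEXT, "
        "amount_cents INTEGER, currency TEXT, status TEXT)"
    )
    src.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?, ?)",
        [
            ("O-1", "acme", 12500, "USD", "paid"),
            ("O-2", "globex", 9900, "EUR", "paid"),
            ("O-3", "acme", 4000, "USD", "cancelled"),   # not a receivable
            ("O-4", "initech", -500, "USD", "paid"),     # corrupt row: negative amount
        ],
    )
    src.commit()
    return src


def build_target():
    """Constructed target: the accounting system's receivables table."""
    dst = sqlite3.connect(":memory:")
    dst.execute(
        "CREATE TABLE receivables (order_id TEXT PRIMARY KEY, customer TEXT, "
        "amount_usd_cents INTEGER)"
    )
    return dst


def transform(row):
    """Apply the business rules to one extracted row.
    Returns the target row, None to skip the row, or raises ValueError for
    data that must not be propagated into the other system."""
    order_id, customer, amount_cents, currency, status = row
    if status != "paid":
        return None
    if currency not in RATES_TO_USD:
        raise ValueError(f"{order_id}: unsupported currency {currency!r}")
    if amount_cents <= 0:
        raise ValueError(f"{order_id}: non-positive amount {amount_cents}")
    return (order_id, customer, round(amount_cents * RATES_TO_USD[currency]))


def sync(src, dst):
    """Extract every order, transform it, and load it into receivables.
    Parameterised statements keep row values out of the SQL text, and
    INSERT OR REPLACE makes a second run converge on the same rows."""
    stats = {"loaded": 0, "skipped": 0, "rejected": []}
    cursor = src.execute(
        "SELECT order_id, customer, amount_cents, currency, status FROM orders"
    )
    for row in cursor:
        try:
            out = transform(row)
        except ValueError as exc:
            stats["rejected"].append(str(exc))   # quarantined for a human to look at
            continue
        if out is None:
            stats["skipped"] += 1
            continue
        dst.execute("INSERT OR REPLACE INTO receivables VALUES (?, ?, ?)", out)
        stats["loaded"] += 1
    dst.commit()
    return stats


def receivables(dst):
    """Return the loaded rows ordered by order id."""
    return dst.execute(
        "SELECT order_id, customer, amount_usd_cents FROM receivables ORDER BY order_id"
    ).fetchall()


if __name__ == "__main__":
    source, target = build_source(), build_target()
    print(sync(source, target))
    print(receivables(target))
```

The transform step is where the "specific business rules" the list mentions live, and it is also the only place where bad source data can be stopped before it is written into a second system of record.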

4.4 Understanding Web Services in the Context of EAI

When there were numerous disparate applications covering business processes in the early 1990s, integration grew difficult because the applications needed to talk to each other. Data adapters, message brokering, and other forms of middleware developed as a result of EAI technology. Point-to-point integration is the goal of EAI-based technology, and the applications that exchange messages are tightly coupled (i.e., the interaction is specific to the two parties interacting). The number of point-to-point connections rises as more parties participate, making management challenging.

Web services developed as a solution to this problem. Integration issues can be handled uniformly via web services. Through the use of web services, the provider merely exposes application functionality in a uniform manner that any consumer may use. EAI (Enterprise Application Integration) is, in essence, a notion for integrating many applications (with various languages and platforms), and Web services provide a method for doing so.

4.4.1 Salient Differences between Traditional EAI Solutions and Web Services

A few essential differences between traditional EAI solutions and Web Services are, as
follows:

Simple: There is no doubt that Web Services are much simpler to design, develop, maintain,
and use as compared to a typical EAI solution which may involve distributed technology
such as DCOM and CORBA. Once the framework of developing and using Web Services is
ready, it will be relatively easy to automate new business processes spanning across multiple
applications.

Open Standards: Unlike proprietary EAI solutions, Web Services are based on open
standards such as UDDI, SOAP, HTTP and this is probably the single most important factor
that would lead to the wide adoption of Web Services. The fact that they are built on existing
and ubiquitous protocols eliminates the need for companies to invest in supporting new
network protocols.

Flexible: Since EAI solutions may require point-to-point integration, changes made at one
end have to be propagated to the other end, making them very rigid and time consuming
in nature. Web Services based integration is quite flexible, as it is built on loose coupling
between the application publishing the services and the application using those services.

Cheap: EAI solutions, such as message brokers, are very expensive to implement. Web
Services, in the future, may accomplish many of the same goals - cheaper and faster.

Scope: EAI solutions, such as message brokers, integrate applications treating them as single
entities, whereas Web Services allow companies to break down big applications into small
independent logical units and build wrappers around them. For example, a company can
write wrappers for different business components of an ERP application such as order
management - purchase order acceptance, status of order, order confirmation, accounts
receivable, and accounts payable.

Efficient: As mentioned in the previous point, Web Services allow applications to be broken down into smaller logical components, which makes the integration of applications easier as it is done on a granular basis. This makes Web Services solutions for EAI much more efficient than traditional EAI solutions.

Dynamic: Web Services provide a dynamic approach to integration by offering dynamic interfaces, whereas traditional EAI solutions are largely static in nature.

4.5 Business Drivers for Enterprise Integration

The most typical types of business initiatives driving integration requirements today include reducing business cycle times to increase efficiency and competitiveness, improving customer satisfaction, mergers and acquisitions, and regulatory compliance. Some of these initiatives are strategic and some tactical. Different business requirements call for different types of integration technologies.

3.4.3 Criteria for Information Classification

➢ Value – the most frequently used criterion for classifying information is the value of the data. If information is so valuable that its loss could create significant organizational problems, it needs to be classified.
➢ Age – if the value of certain information declines over time, the classification of the
information may be lowered.
➢ Useful Life – if the information is available to make desired changes as and when
needed, it can be labeled ‘more useful’.
➢ Personal Association – information that is linked to specific individuals or is addressed
by privacy law needs to be classified.

4.5.1 Increasing Business Efficiency and Competitiveness

Companies embarking on initiatives to improve business efficiency can have either a strategic or tactical focus. Strategic initiatives include moving to real-time business processes or integrating transactions across the value chain to reduce time and costs. A strategic approach to improving business efficiency requires integration to automate and manage business processes. Improving business efficiency is an ongoing process, not a finite implementation project. Process simulation provides the ability to analyze process flows as optimized for cost or time. Although still a premium feature among vendors, it will surely become a necessity because those companies that use the technology will gain clear competitive advantage.

Tactical initiatives to improve business efficiency include eliminating reconciliation issues, data inconsistency, and reporting discrepancies across the enterprise. Tactical initiatives typically take less time, consume fewer resources, and cost less than an enterprise solution. The technology necessary to implement tactical solutions is typically only a portion of the full integration platform. However, to avoid having to integrate the integration technologies, even tactical solutions should be considered in light of strategic initiatives so a flexible architecture can be developed and maintained.

4.5.2 Improving Customer Satisfaction

Customer satisfaction can be measured by

➢ Customer retention statistics
➢ Response time to customers
➢ Number of complaints
➢ Issue resolution rate (% and time)
➢ Error rates
➢ Customer value (computed as sales per customer or lifetime value of customer)
Because of the need to track and analyze customer satisfaction, process management
simulation and analytics are key technologies for strategic initiatives. Tactical solutions
typically focus on a particular technology, such as portals or mobile technology, and may
also require a combination of technologies. The key is to enable individual technologies to
be deployed at the lowest cost and least amount of time possible, and integrate easily with
other integration solutions whenever necessary. Companies need to at least have an
enterprise road map to enable the infrastructure to be deployed tactically and work on an
enterprise strategic level as well. Government organizations are often driven to improve the
service to the citizen. There is enormous pent-up demand for these types of initiatives.

4.5.3 Mergers and Acquisitions

Mergers and acquisitions inevitably result in redundant and incompatible systems, leaving
companies with just a few choices:

➢ Choosing one system over the other and a large data conversion project
➢ Leaving the systems in place and integrating them
➢ Implementing an entirely new system, then converting or integrating both
A combination of approaches may also be used. Integration projects resulting from a merger
or acquisition are usually treated as tactical projects or one-time conversions. However,
companies seeking to improve business efficiency through the merger and acquisition
should also consider business processes integration and management across all business
units, regardless of where they are located or the technology the systems use. This
undoubtedly will require a higher initial investment, but it also offers the highest
potential ROI.

4.6 Security Complexities and Complications due to Enterprise Application Integration

The first thing that comes to mind when considering this kind of architecture, built around a central engine, is that the engine is a single point of failure, since all the messages between the applications pass through it.

In addition, being the central engine, it can become a bottleneck, because multiple applications pass their messages to the same point and each consumes a certain amount of resources. The system on which the integration engine runs therefore needs resources of its own, sized for that load.

Also, there might be the case that various systems that should be linked together reside on
different operating systems, involving other technologies from different vendors, or even
legacy systems that might be outdated and no longer supported.

This demanding area presents six challenges in enterprise application development, along with methods for avoiding them.

1. The need for quick adaptation

Today, in the field of enterprise applications development, the need to be flexible and
respond instantly to changes is especially acute. Although the work of analysts and system
architects, based on forecasting and analysis, is still vital for the enterprise’s work, you need
to be prepared to make changes literally in the midair, because what seemed like a
reasonable decision yesterday may lose its relevance today. In such conditions, the only right
decision is a course on flexibility and customization at all levels.

This applies both to the choice of flexible development methodologies, and the willingness
of the development team to quickly restructure their work in response to changes in
business requirements.

2. More strict security requirements

An enterprise information system is a complex structure which combines the various services necessary for the functioning of the company. This structure is constantly changing: new elements appear and the configuration of existing ones changes. As the system grows, ensuring information security and protecting business-critical resources becomes increasingly difficult. The risk of an enterprise leaking corporate documentation, customer data and bank account data is high.

A cyberattack can cost large companies millions of dollars, and it threatens small and
medium-sized businesses with bankruptcy. It is vital to improve the security system from a
technical point of view. Standard tips for preventing cyberattacks include:

➢ Encrypt data.
➢ Use anti-malware and authorization tools.
➢ Use intrusion detection tools.
➢ Back up data.
➢ Restrict access to confidential information.

The task of the developers, in this case, is to provide the technical means for each of the points above.

3. Processing and storage of large amounts of data

The amount of data that companies generate daily is enormous. Even simple storing of all
this information, not to mention analyzing it, is itself a daunting task. Most of this data is not
structured, which makes it difficult to find and analyze.

As part of enterprise application development, companies have two options for storing data: locally, on their own or leased servers, or in the cloud, i.e., on a provider's servers reached over the network. Both options have their advantages and disadvantages.

Local data storage gives companies the freedom not to depend on external servers and to manage all data autonomously. Such an enterprise application is acquired once, and then all data is stored on the company's own servers. This option is somewhat more expensive, but then everything belongs to the enterprise. The solution is especially suitable for sensitive customer data as it lends itself to fine-grained customization.

A reasonable alternative for enterprise applications these days is cloud databases. With cloud computing, only a licence is purchased from the software manufacturer; the data remains on the manufacturer's servers and can be reached online at any time from any end device. This option is cheaper and makes it possible to work with enterprise applications from anywhere. Here companies can also make individual changes, but only to a certain extent.

4. Integration with other systems

When using several business applications at the enterprise, it is often necessary to ensure
their interaction and integration into the corporate information environment. System
integration is a great way to optimize performance, as it provides the ability to view and
update relevant information in real time.

Some enterprises still use "monolithic" systems. Monolithic architecture means that all
functionally distinguishable aspects, such as data input and output, data processing, error
handling and user interface, are all interwoven, and do not contain architecturally separate
components. If a business is heavily dependent on these systems, integration becomes a
problem due to the size and complexity of the application. Testing and coding should cover
both the new application and the full integration testing plan every time some changes are
made.

5. Need for quality post-release support

If the corporate application does not work even for several minutes, it directly affects the
income and productivity of the business. Thus, in case of an application failure, it is crucial
that the software company can detect and fix the problem in hours, or even better in
minutes.

6. Lack of skills in the development team

Finding specialists with skills that meet current needs is the main task for companies that need enterprise applications.

In the case of software "out of the box" everything is simple. As a rule, the development company is not interested in meeting the particular needs of a particular enterprise. Therefore, the product is assembled with the maximum of possible functions, many of which you may never need. In this case, it does not matter whether the developers have experience in a particular industry. However, as mentioned above, companies need custom solutions, and for those the presence of specialists with experience in your niche is especially important.

4.7 Electronic Mail System Mechanism

An e-mail system is made up of two primary components that reside in an organization's IT infrastructure: mail clients and mail servers.

Users read, compose, send, and store their e-mail using mail clients. Mail is formatted and sent from the mail client via the network infrastructure to a mail server. The mail server is the computer that delivers, forwards, and stores e-mail messages. All components, the mail servers, the mail clients, and the infrastructure that connects and supports them, must be protected.

Voluntary industry standards (e.g., SMTP, ESMTP, POP, IMAP) for formatting, processing,
transmitting, delivering, and displaying e-mail ensure interoperability among the many
different mail client and server solutions.
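The client-to-server exchange described above, shown as an added example that is not part of this unit’s text: a toy receiving mail server and a submitting client run in one process over a loopback socket, and the server records what the client told it. The server speaks only the handful of SMTP commands needed for one message, and all addresses and the message are constructed for the example. It makes one security-relevant point visible: the envelope sender given in MAIL FROM and the From: header inside the message are set independently by the sender, and the protocol itself does not check that they agree.

```python
"""Added example: one SMTP submission, both sides in one process (constructed)."""
import smtplib
import socket
import threading

# Constructed sample data. The envelope sender (MAIL FROM) and the From:
# header inside the message are chosen independently on purpose: SMTP does
# not require them to agree, and a receiving server cannot assume they do.
ENVELOPE_FROM = "bounce@mailer.example.net"
RECIPIENT = "staff@corp.example.com"
MESSAGE = (
    "From: ceo@corp.example.com\r\n"
    f"To: {RECIPIENT}\r\n"
    "Subject: test\r\n"
    "\r\n"
    "Hello from the added example.\r\n"
)


def toy_mail_server(listener: socket.socket, result: dict) -> None:
    """Speak just enough SMTP to accept one message and record the envelope."""
    conn, _ = listener.accept()
    f = conn.makefile("rwb")

    def reply(line: str) -> None:
        f.write(line.encode("ascii") + b"\r\n")
        f.flush()

    reply("220 mx.example.com ESMTP toy")
    in_data, body = False, []
    while True:
        raw = f.readline()
        if not raw:
            break
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        if in_data:                        # message body until a lone "."
            if text == ".":
                in_data = False
                result["data"] = "\r\n".join(body) + "\r\n"
                reply("250 2.0.0 queued")
            else:                          # undo RFC 5321 dot-stuffing
                body.append(text[1:] if text.startswith(".") else text)
            continue
        verb = text.split(" ", 1)[0].upper()
        if verb in ("EHLO", "HELO"):
            reply("250-mx.example.com")
            reply("250 8BITMIME")
        elif verb == "MAIL":               # MAIL FROM:<envelope sender>
            result["mail_from"] = text.split(":", 1)[1].strip().strip("<>")
            reply("250 2.1.0 ok")
        elif verb == "RCPT":               # RCPT TO:<envelope recipient>
            result.setdefault("rcpt_to", []).append(
                text.split(":", 1)[1].strip().strip("<>"))
            reply("250 2.1.5 ok")
        elif verb == "DATA":
            in_data = True
            reply("354 end data with <CRLF>.<CRLF>")
        elif verb == "QUIT":
            reply("221 2.0.0 bye")
            break
        else:
            reply("502 5.5.2 command not implemented")
    f.close()
    conn.close()


def submit_one_message() -> dict:
    """Run the toy server on a loopback port, submit MESSAGE with smtplib,
    and return what the server recorded (envelope and message data)."""
    result: dict = {}
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=toy_mail_server, args=(listener, result))
    server.start()
    with smtplib.SMTP("127.0.0.1", port, local_hostname="client.example.org",
                      timeout=5) as client:
        client.ehlo()
        client.sendmail(ENVELOPE_FROM, [RECIPIENT], MESSAGE)
    server.join(5)
    listener.close()
    return result


if __name__ == "__main__":
    for key, value in submit_one_message().items():
        print(f"{key}: {value!r}")
```

Running it shows `mail_from` as `bounce@mailer.example.net` while the stored `data` carries `From: ceo@corp.example.com`; a real MTA records the envelope sender in the Return-Path header it adds on delivery, which is why that header is worth comparing against From when mail is triaged.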

E-mail security relies on principles of good planning and management that provide for the
security of both the e-mail system and the IT infrastructure. With proper planning, system
management, and continuous monitoring, organizations can implement and maintain
effective security.

Figure: E-mail communication system

4.7.1 Security Threats posed by Electronic Mails

Not everyone in the organization needs to know how to secure the e-mail service, but
anyone who handles sensitive information (for example patient or customer data) must
understand e-mail’s vulnerabilities and recognize when a system is secure enough to transmit it.

E-mail messages are generally sent over untrusted networks, that is, external networks that
are outside the organization’s security boundary. When these messages lack appropriate
security safeguards, they are like postcards that can be read, copied, and modified at any
point along the path.

Securing an e-mail system is the responsibility of an organization’s IT department and e-mail
administrator. However, anyone responsible for the confidentiality, integrity, and availability
of the information sent via e-mail should be aware of the threats facing e-mail systems and
understand the basic techniques for securing these systems.

Because e-mail is widely deployed, well understood, and used to communicate with
untrusted, external organizations, it is frequently the target of attacks. Attackers can exploit
e-mail to gain control over an organization, access confidential information, or disrupt
access to IT resources.

Common threats to e-mail systems include the following:

a. Malware. Increasingly, attackers are taking advantage of e-mail to deliver a variety of
attacks to organizations through the use of malware, or “malicious software,” which includes
viruses, worms, Trojan horses, and spyware. These attacks, if successful, may give the
malicious entity control over workstations and servers, which can then be exploited to
change privileges, gain access to sensitive information, monitor users’ activities, and perform
other malicious actions.

b. Spam and phishing. Unsolicited commercial e-mail, commonly referred to as spam, is
the sending of unwanted bulk commercial messages. Such messages can disrupt user
productivity, consume IT resources excessively, and serve as a distribution mechanism for
malware. Related to spam is phishing, which refers to the use of deceptive computer-based
means to trick individuals into responding to the e-mail and disclosing sensitive information.
Compromised e-mail systems are often used to deliver spam messages and conduct
phishing attacks using an otherwise trusted e-mail address.


c. Social engineering. Rather than hack into a system, an attacker can use e-mail to gather
sensitive information from an organization’s users or get users to perform actions that
further an attack. A common social engineering attack is e-mail spoofing, in which one
person or program successfully masquerades as another by falsifying the sender information
shown in e-mails to hide the true origin. Spoofing is easy because SMTP itself does not verify
the From address a sender places in the message; the sender authentication mechanisms
SPF, DKIM and DMARC exist so that the receiving gateway can detect it.

d. Entities with malicious intent. Malicious entities may gain unauthorized access to
resources elsewhere in the organization’s network via a successful attack on a mail server.
For example, once the mail server is compromised, an attacker could retrieve users’
passwords, which may grant the attacker access to other hosts on the organization’s
network.

e. Unintentional acts by authorized users. Not all security threats are intentional.
Authorized users may inadvertently send proprietary or other sensitive information via e-
mail, exposing the organization to embarrassment or legal action.
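The phishing and spoofing patterns in items b and c above leave traces in message headers. What follows is an added example, not taken from this unit or from the NIST and AHIMA material it draws on, of a small header triage routine that a mail gateway or a SOC script could run on inbound mail. The internal domain, the watched display name and the three sample messages are constructed for illustration. The routine assumes that the Authentication-Results header (RFC 8601) was written by the organisation’s own inbound gateway; that gateway must strip any such header arriving from outside, otherwise an attacker can simply supply a forged pass verdict.

```python
"""Added example: flag common spoofing and phishing indicators in headers."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses, parseaddr

# Constructed configuration: our domain and the display names worth
# protecting (executives, finance staff), compared case-insensitively.
INTERNAL_DOMAIN = "corp.example.com"
WATCHED_NAMES = {"jane doe"}


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg: Message = message_from_string(raw_message)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. A watched person's display name on an address that is not ours
    #    (lookalike domains, free-mail accounts).
    if name.strip().lower() in WATCHED_NAMES and from_dom != INTERNAL_DOMAIN:
        findings.append(f"display-name impersonation: {name!r} via {from_dom or 'no domain'}")

    # 2. Reply-To steering replies to a domain other than the visible sender's.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        if domain_of(reply_addr) and domain_of(reply_addr) != from_dom:
            findings.append(f"reply-to mismatch: replies go to {reply_addr}")

    # 3. Envelope sender (Return-Path, written by the receiving MTA) from an
    #    external domain on mail that claims to be internal.
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if from_dom == INTERNAL_DOMAIN and domain_of(return_path) not in ("", INTERNAL_DOMAIN):
        findings.append(f"return-path mismatch: envelope sender {return_path}")

    # 4. Our gateway's own Authentication-Results (RFC 8601). Trust this header
    #    only if the gateway strips copies that arrive from outside.
    for ar in msg.get_all("Authentication-Results", []):
        verdicts = ar.lower()
        if "dmarc=fail" in verdicts or "spf=fail" in verdicts or "dkim=fail" in verdicts:
            findings.append("authentication failure recorded: " + " ".join(ar.split()))
    return findings


# Constructed samples. A legitimate internal message:
LEGITIMATE = """Return-Path: <jane.doe@corp.example.com>
Authentication-Results: mx.corp.example.com; spf=pass smtp.mailfrom=corp.example.com; dkim=pass header.d=corp.example.com; dmarc=pass header.from=corp.example.com
From: Jane Doe <jane.doe@corp.example.com>
To: bob@corp.example.com
Subject: Q3 numbers

Bob, the figures are in the shared folder.
"""

# Exact-domain spoof: header From is ours, but envelope and Reply-To are not.
SPOOFED = """Return-Path: <bounce@mail-campaign.example.net>
Authentication-Results: mx.corp.example.com; spf=pass smtp.mailfrom=mail-campaign.example.net; dkim=none; dmarc=fail header.from=corp.example.com
From: Jane Doe <jane.doe@corp.example.com>
Reply-To: Jane Doe <jane.doe.ceo@freemail.example>
To: bob@corp.example.com
Subject: Urgent wire transfer

Bob, please process the attached invoice today.
"""

# Lookalike domain with a borrowed display name. SPF, DKIM and DMARC all pass
# for the attacker's own domain, so authentication alone does not catch it.
LOOKALIKE = """Return-Path: <jane.doe@corp-example.co>
Authentication-Results: mx.corp.example.com; spf=pass smtp.mailfrom=corp-example.co; dkim=pass header.d=corp-example.co; dmarc=pass header.from=corp-example.co
From: Jane Doe <jane.doe@corp-example.co>
To: bob@corp.example.com
Subject: Quick favour

Bob, are you at your desk?
"""

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(label, triage(sample))
```

The lookalike case is the one to note: every authentication check passes, because the attacker controls the lookalike domain, and only the display-name rule fires. That is why a gateway should combine sender authentication with content and identity rules rather than rely on DMARC alone.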

4.7.2 Countermeasures to Protect from Threats Posed Through E-Mails

Management, operational, and technical safeguards are necessary to ensure that the
confidentiality, integrity, and availability needs of the mail system, its supporting
environment, and the data handled by it are addressed.

The National Institute of Standards and Technology (NIST) is a nonregulatory agency within
the U.S. Department of Commerce. Its Information Technology Laboratory, in Special
Publication 800-45 (Guidelines on Electronic Mail Security), recommends that organizations
employ the following guidelines in planning, implementing, and maintaining secure e-mail
systems.

a. Implement Management Controls

Management security controls-such as organization-wide information security policies and


procedures, risk assessments, configuration management and change control, and
contingency planning-are essential to the effective operation and maintenance of a secure
e-mail system and the supporting network infrastructure. Additionally, organizations should
implement and deliver security awareness and training, because many attacks rely either
partially or wholly on social engineering techniques to manipulate users.

b. Carefully Plan the System Implementation

The most critical aspect of deploying a secure e-mail system is careful planning before
installation, configuration, and deployment. As is often said, security should be considered
from the initial planning stage, at the beginning of the system development life cycle, to
maximize security and minimize costs.

c. Secure the Mail Server Application

Organizations should install the minimal mail server services required and eliminate any
known vulnerabilities through patches, configurations, or upgrades. If the installation
program installs unnecessary applications, services, or scripts, these should be removed
immediately after the installation process is complete.

Securing the mail server application generally includes patching and upgrading the mail
server; configuring the mail server user authentication and access and resource controls;
configuring, protecting, and analyzing log files; and periodically testing the security of the
mail server application.

d. Secure the Mail Client

In many respects, the client side of e-mail represents a greater risk to security than the mail
server. Providing an appropriate level of security for the mail client requires carefully
considering and addressing numerous issues.

Securely installing, configuring, and using mail client applications generally includes
patching and upgrading the mail client applications; configuring the mail client security
features (e.g., disable automatic opening of messages); enabling antivirus, antispam, and
antiphishing features; configuring mailbox authentication and access; and securing the
client’s host operating system.

e. Secure the Transmission

Most standard e-mail protocols (SMTP, POP, IMAP) send user authentication data and e-mail
content in the clear, that is, unencrypted, unless the session is protected with TLS, either by
upgrading the connection with STARTTLS or by using the implicit-TLS ports (465 for
submission, 995 for POP and 993 for IMAP). Sending data in the clear may allow an attacker
to easily compromise a user account or to intercept and alter e-mails in transit. At a
minimum, organizations should encrypt the user authentication session even if they do not
encrypt the actual e-mail data; in practice TLS should be required for the whole session.


A related control that protects the confidentiality and integrity of the message itself, rather
than only the connection it travels over, is a secure e-mail solution such as S/MIME, which
uses PKI-issued certificates to encrypt and sign the message end to end (OpenPGP is the
common alternative). Digital rights management and data leakage prevention systems can
be used to prevent the accidental leakage and exfiltration of sensitive information.
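The transmission control above has a failure mode worth showing: a client that falls back to a clear-text session when TLS is unavailable gives an attacker who strips the STARTTLS advertisement exactly what they want. The following is an added example (not from this unit or from NIST SP 800-45) of a submission client that fails closed instead. The host, port and credentials are placeholders, and the two EHLO replies at the bottom are constructed so that the capability parsing can be exercised without a network.

```python
"""Added example: an SMTP submission client that fails closed without TLS."""
import smtplib
import ssl


def starttls_offered(ehlo_reply: bytes) -> bool:
    """Parse a multi-line EHLO reply and report whether STARTTLS is advertised.
    This is the check smtplib.SMTP.has_extn('starttls') performs after ehlo();
    it is separated out here so the parsing can be exercised offline."""
    lines = ehlo_reply.decode("ascii", "replace").splitlines()
    for line in lines[1:]:              # line 0 is the server's greeting
        # "250-KEYWORD params" on all but the last line, "250 KEYWORD" on the last
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword == "STARTTLS":
            return True
    return False


def open_secure_smtp(host: str, port: int, user: str, password: str,
                     timeout: float = 10.0) -> smtplib.SMTP:
    """Connect, insist on an encrypted channel, and only then authenticate.

    Port 465 is implicit TLS (RFC 8314); any other port must offer STARTTLS.
    If the server does not, the connection is closed rather than falling
    back to sending the password in the clear."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and hostname
    if port == 465:
        smtp = smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout)
    else:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            smtp.close()
            raise RuntimeError(f"{host}:{port} does not offer STARTTLS; "
                               "refusing to send credentials in the clear")
        smtp.starttls(context=ctx)      # explicit context => certificate is verified
        smtp.ehlo()                     # capabilities must be re-read after the upgrade
    smtp.login(user, password)          # reached only over TLS
    return smtp


# Constructed EHLO replies for offline checks of the parser.
EHLO_WITH_TLS = (b"250-mx.example.com\r\n250-SIZE 10240000\r\n"
                 b"250-STARTTLS\r\n250 8BITMIME\r\n")
EHLO_WITHOUT_TLS = b"250-mx.example.com\r\n250-SIZE 10240000\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    print("STARTTLS offered:", starttls_offered(EHLO_WITH_TLS),
          starttls_offered(EHLO_WITHOUT_TLS))
    # open_secure_smtp("smtp.example.com", 587, "user", "password")  # placeholders
```

Passing `ssl.create_default_context()` explicitly matters: it is what turns on certificate and hostname verification, so a server presenting the wrong certificate is rejected rather than silently accepted. The same pattern applies to mail retrieval with `poplib.POP3.stls(context=...)` and `imaplib.IMAP4.starttls(context)`. For server-to-server relay, where no user is present to notice a downgrade, MTA-STS (RFC 8461) and DANE for SMTP (RFC 7672) are the mechanisms that let a sending MTA know TLS must be required.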

f. Secure the Supporting Operating Environment

While the mail server and mail clients are the two primary components of an e-mail system,
the supporting network infrastructure is essential to its secure operations. Many times, the
network infrastructure, including such components as firewalls, routers, and intrusion
detection and prevention systems, will provide the first layer of defense between untrusted
networks and a mail server.

4.8 Governance for Electronic Mail Systems

E-mail governance is the business’s protection of its brand reputation, its e-mail compliance
and its clients’ data security. It is an internal set of rules and guidelines written specifically
for your company that outlines your e-mail policies and best practices.

It’s a set of guidelines for employees to follow in order to protect their data systems and
files, their personal information, personal details of other employees, business data, sales
information and customer/client information.

An email governance document should include information about your backup and
archiving policies, personal usage policies, prohibited email content and confidentiality
guidelines. As such, email governance can be a way to protect your business from litigation
by protecting the personal and sensitive data of your staff, customers and clients.

Maintaining a Secure Mail System:

Maintaining the security of a mail system is an ongoing process, requiring constant effort,
resources, and vigilance, and usually involves the following actions:

a. Configure, Protect, and Analyze Log Files

Log files are often an organization’s only record of suspicious behavior. Enabling logging
mechanisms allows the organization to use collected data to detect both failed and
successful intrusions, initiate alert notifications when further investigation is needed, and
assist in system recovery and post-event investigations.

Organizations require both procedures and tools to process and analyze the log files and
review alert notifications.
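As an added example of the “procedures and tools to process and analyze the log files” mentioned above (it is not from this unit or from NIST SP 800-45), here are two detections that can be run over mail-server authentication logs: a sliding-window count of failed logins per source, and the more telling case of a source that fails repeatedly and then succeeds, which is the signature of a guessed or stolen password. The log lines are constructed in the style of Postfix smtpd syslog messages; that field layout is an assumption, so the regular expressions need adapting to whatever the organisation’s MTA actually writes.

```python
"""Added example: detections over mail-server authentication log lines."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample in the style of Postfix smtpd syslog lines (the layout is
# assumed; adapt the patterns to your MTA). One source fails six times in two
# minutes and then logs in; another fails twice, far apart; a normal login.
SAMPLE_LOG = """\
Mar  3 10:01:12 mx postfix/smtpd[1201]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:14 mx postfix/smtpd[1201]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:01:19 mx postfix/smtpd[1201]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:01:25 mx postfix/smtpd[1203]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:01:40 mx postfix/smtpd[1203]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:02:03 mx postfix/smtpd[1203]: warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure
Mar  3 10:03:10 mx postfix/submission/smtpd[1210]: 4A1F2C0B3: client=unknown[198.51.100.23], sasl_method=PLAIN, sasl_username=alice
Mar  3 10:05:03 mx postfix/submission/smtpd[1300]: 7C1A4D9E1: client=laptop.corp.example.com[10.0.0.7], sasl_method=PLAIN, sasl_username=bob
Mar  3 10:20:00 mx postfix/smtpd[1350]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
Mar  3 10:45:00 mx postfix/smtpd[1390]: warning: unknown[203.0.113.9]: SASL LOGIN authentication failed: authentication failure
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ postfix/\S+\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
                     r"SASL \w+ authentication failed")
SUCCESS_RE = re.compile(TS + r" \S+ postfix/\S+\[\d+\]: \w+: client=\S+\[(?P<ip>[\d.]+)\], "
                        r"sasl_method=\w+, sasl_username=(?P<user>\S+)")


def parse_events(lines):
    """Yield (timestamp, ip, kind, user) for each auth failure or success."""
    for line in lines:
        m = FAIL_RE.match(line)
        kind, user = "fail", None
        if not m:
            m = SUCCESS_RE.match(line)
            kind = "success"
            user = m["user"] if m else None
        if m:
            # syslog timestamps carry no year; adequate for intra-day windows
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["ip"], kind, user


def bruteforce_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """IPs with at least `threshold` failures inside any `window`, mapped to
    the largest such count (sliding window over sorted failure times)."""
    failures = defaultdict(list)
    for ts, ip, kind, _ in parse_events(lines):
        if kind == "fail":
            failures[ip].append(ts)
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = max(hits.get(ip, 0), end - start + 1)
    return hits


def success_after_failures(lines, min_failures=3):
    """Credential-compromise indicator: a source that failed repeatedly and
    then authenticated. Returns (ip, username, prior_failures) tuples."""
    failed = Counter()
    alerts = []
    for _, ip, kind, user in parse_events(lines):
        if kind == "fail":
            failed[ip] += 1
        elif kind == "success" and failed[ip] >= min_failures:
            alerts.append((ip, user, failed[ip]))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("brute force sources:", bruteforce_sources(lines))
    print("success after failures:", success_after_failures(lines))
```

On the sample, the first detection reports 198.51.100.23 with six failures in the window and ignores 203.0.113.9, whose two failures are 25 minutes apart; the second reports that the same source then logged in as alice, which is the event that should page someone rather than just be counted.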

b. Back up Data Frequently

One of the most important functions of a mail server administrator is maintaining the
integrity of the data on the mail server. This matters because mail servers are among the
most vital and most exposed servers on an organization’s network.

The mail administrator should back up the mail server on a regular basis to reduce downtime
in the event of a mail service outage and support compliance with regulations on the backup
and archiving of data and information, including those found in e-mail.

c. Protect against Malware

Organizations require malware scanning and spam filtering capabilities at the mail client and
the mail system levels. Organizations should also conduct awareness and training activities
for users, including telecommuters, so that users are better prepared to recognize malicious
mail messages and attachments and handle them appropriately.

d. Perform Periodic Security Testing

Periodic security testing of the mail system confirms that protective measures are
implemented correctly, operating as intended, and producing the desired outcome with
respect to meeting the security requirements of the operational mail system. Organizations
should consider using a combination of techniques, including vulnerability scanning, to
assess the mail system and its supporting environment.

Summary

➢ Enterprise application integration represents a new paradigm in the use of technologies
and services. There are 3 enterprise needs that are driving the adoption of enterprise
application integration: Data integration, Vendor independence, Common interfacing


➢ The EAI platform helps improve the automation of business processes and provide
timely and accurate information to users and customers. EAI is evolving with new
emerging technologies in IT like IoT, Blockchain and AI.
➢ Four main integration levels of EAI- Data Level, Application Interface Level, Method
Level, User Interface Level.
➢ In point-to-point integration the applications that exchange messages are tightly
coupled; Web services were developed as a solution to this problem.
➢ An e-mail system is made up of two primary components that reside in an
organization’s IT infrastructure: mail clients and mail servers.
➢ Common threats to e-mail systems include malware, spam and phishing, social
engineering, entities with malicious intent, and unintentional acts by authorized users.
➢ To protect against these threats: implement management controls, carefully plan the
system implementation, secure the mail server, secure the mail client, secure the
transmission, and secure the supporting operating environment.
➢ Governance for electronic mail systems protects the business’s brand reputation, e-mail
compliance and client data security. It is an internal set of rules and guidelines written
specifically for your company that outlines your e-mail policies and best practices.

Self-Assessment Questions

Short Questions
1. Where do you use EAI?
2. What is the role of the web services in the Traditional EAI Solutions?
3. Why do we concentrate more on social engineering in the recent times?
4. How do you secure the Mail Server Application?
5. How do you Protect against Malware?

Medium Questions

1. As a security manager, write any two benefits and advantages of Enterprise Application
Integration (EAI).
2. Compare the integration levels ‘Data level’ and ‘User-interface level’.
3. Justify the need of customer satisfaction in EAI.
4. Mention any five important tips for preventing cyberattacks.

5. Differentiate ‘Malware’ and ‘Spam’ mails.

Long Questions

1. Which five applications are important during the implementation of EAI?
2. There are 3 enterprise needs that are driving the adoption of enterprise application
integration – Justify this statement.
3. How do you increase business efficiency and competitiveness through EAI?
4. Mergers and acquisitions inevitably result in redundant and incompatible systems –
Justify the statement.
5. Electronic mail is especially vulnerable to security threats – Justify the statement.

4.9 POST-UNIT READING MATERIAL

❖ Stine, Kevin; Scholl, Matthew. "E-mail Security: An Overview of Threats and
Safeguards." Journal of AHIMA 81, no. 4 (April 2010): 28-30.

4.10 TOPICS FOR DISCUSSION FORUMS

Not Provided
