Jeeves

Jeeves Security

This document provides an overview of how Jeeves helps you to provide a secure web site, and discusses each of the key mechanisms provided in the current release.


What Website Security Should Mean to You

Services shared by many people need to defend against a variety of problems. The solutions to these problems are often lumped together as "security". One of the most effective ways to understand what this "security" does for you is to describe the kinds of threats or attacks your website can defend against.

At a high level, Jeeves allows you to defend your website against these (and other) kinds of attacks:

Each website has a security policy which defines "how secure this site needs to be". (Sometimes it's not very well articulated!) A security policy talks about more than just "how to secure this website". It also talks about the kinds of risks that are acceptable, and those which are not. There will always be risks that you deem to be acceptable. Consider your home: just how determined must a burglar be to get access and steal your silverware? Many people don't defend against burglars willing to break windows to get in. Even among those who defend against such burglars, not everyone needs the same degree of paranoia. The same kind of "risk versus reward" tradeoffs need to be made on your website too.

That security policy is implemented by your website administrator. He (or she) uses the web server software together with other tools, such as operating system security and physical security that controls access to the server and to its backup media. Your site (the service provider, and its users) needs to trust both the administrator and the web server software to maintain your security policy. Untrustworthy staff are the number one security risk in any organization. You can never trust only software mechanisms, since they can be overridden.

Jeeves can't help you find a website administrator that you can trust not to violate your security (or that of your clients). Nor can Jeeves help you keep users from being given more trust than they really deserve. However, we do provide a number of mechanisms that a trusted administrator can use to secure your site against common website security threats.


Current Release Features

The current release of Jeeves supports a variety of security mechanisms to help you secure your website:


jeeves@java.sun.com
Last modified: 08/19/96