You can't trust anybody nowadays, which is why all security
strategies should rely on layers of user authentication technology.
Nathalie Towner reports
The biggest business facilitator on the Internet has finally
been dragged into the limelight. Trust is now recognised as the
ultimate e-business enabler without which nothing of much
significance would happen. But it can only exist in a secure
environment.
Security fulfils the obvious function of protecting against
internal and external threats, but its very existence has allowed a
climate of trust to develop that in turn has generated untold
numbers of business opportunities.
Securing e-business is the very antithesis of traditional IT
security, which was all about keeping company data safe from
outsiders. Now it's all about encouraging the outsiders in, but
trust must be given carefully as clearly not all visitors are
welcome. Striking the right balance is key.
So, with typical e-business speed, technology is used to accelerate
the process of building trust between two or more parties.
This is a complex task: making a system more secure than necessary
can slow it down and impede authorised users, but if the balance is
ill-judged in the other direction, information and access can get
into the wrong hands.
"The logical solution is to have different layers of security
depending on who is accessing the system," says Graham
Titterington, a senior consultant at Ovum and lead writer on its
security white paper.
"At Ovum we call this ubiquitous security. Security measures are
applied flexibly to different parts of the e-business. Perimeter
security is inadequate as it is just protecting the system from the
outside when lots of internal levels are necessary," he says.
People browsing the website must have easy access to content, but
all they require is read-only access. Trading partners working on
collaborative projects, however, will need to view confidential
material, and suppliers may need to check and adjust stock
levels.
A company can no longer focus solely on its own security, but is
also responsible for the entire supply chain with which it comes
into contact electronically.
A well-conceived security system permits a company to be
competitive, as the perception that it is reliable and safe will
help the company attract alliances and customers.
Despite regular press coverage of damage inflicted by
high-profile hackers, up to 80% of e-business crimes are committed
by insiders. So the same principle of layered security applies
within a company.
Employees will have different requirements depending on their
status. For example, only the human resources department should be
able to alter salary details, but a line manager may need to view a
team member's salary before an appraisal.
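The layered access model described above (read-only browsing, partners viewing project material, suppliers adjusting stock, HR altering salaries while a line manager may only view their own team's), as an added illustration that is not part of the article; the roles, resources and sample users are constructed for the example, and the policy is deny-by-default:

```python
# Added example (not from the article): a deny-by-default authorisation
# check modelled on the access layers the article describes.

# Permission matrix: role -> resource -> actions that role may perform.
POLICY = {
    "visitor":  {"catalogue": {"read"}},                        # browsing: read-only
    "partner":  {"catalogue": {"read"}, "project": {"read"}},   # collaborative work
    "supplier": {"catalogue": {"read"}, "stock": {"read", "write"}},
    "manager":  {"catalogue": {"read"}, "salary": {"read"}},    # view before appraisal
    "hr":       {"catalogue": {"read"}, "salary": {"read", "write"}},
}

def is_allowed(roles, action, resource, subject=None, team=()):
    """True only if some role explicitly grants `action` on `resource`.

    `subject` is whose record is touched (e.g. the salary owner) and `team`
    is the set of people the caller manages: a manager may read salaries
    only for their own team, while HR may read or write any salary.
    """
    for role in roles:
        allowed = POLICY.get(role, {}).get(resource, set())
        if action not in allowed:
            continue
        if resource == "salary" and role == "manager":
            if subject in team:
                return True
            continue                      # not their team member: keep looking
        return True
    return False                          # nothing granted it: deny by default

def check(user, action, resource, subject=None):
    """Evaluate a request for a user record; unauthenticated callers are visitors."""
    roles = user.get("roles", {"visitor"}) if user.get("authenticated") else {"visitor"}
    decision = is_allowed(roles, action, resource, subject, user.get("team", ()))
    print(f"{user.get('name', 'anon')}: {action} {resource}"
          f"{' of ' + subject if subject else ''} -> {'ALLOW' if decision else 'DENY'}")
    return decision

# Constructed sample users.
ANON     = {"name": "anon", "authenticated": False}
PARTNER  = {"name": "acme", "authenticated": True, "roles": {"partner"}}
SUPPLIER = {"name": "widgets-ltd", "authenticated": True, "roles": {"supplier"}}
MANAGER  = {"name": "bob", "authenticated": True, "roles": {"manager"}, "team": {"alice"}}
HR       = {"name": "carol", "authenticated": True, "roles": {"hr"}}

if __name__ == "__main__":
    check(ANON, "read", "catalogue")            # ALLOW
    check(SUPPLIER, "write", "stock")           # ALLOW
    check(MANAGER, "read", "salary", "alice")   # ALLOW (own team)
    check(MANAGER, "read", "salary", "dave")    # DENY (not their team)
    check(MANAGER, "write", "salary", "alice")  # DENY (only HR may alter)
    check(HR, "write", "salary", "alice")       # ALLOW
```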
A company must be sure that it is authorising the right users. A
user ID and password is the most common solution, but these can
be easily forgotten or intercepted. Alternatively, people can be
identified not by what they know but by what they have - a digital
key stored on a smart card, or a digital certificate. The most
sophisticated method is biometrics, which includes eye and
fingerprint scanning. Biometrics is currently far too costly for
most companies, and until this changes cryptography will remain the
preferred solution.
One of the most popular forms of cryptography is Pretty Good
Privacy (PGP), which is based on the public key method. It has been
widely adopted simply because it is effective and free to use. The
sender uses the recipient's public key to encrypt the message and
the recipient uses their private key to decrypt it.
Before a company is prepared to carry out important transactions
online it is crucial that it has proof that the recipient is who
they say they are. A user can easily lie at the identification
stage of registration. This is why the importance of Certification
Authorities is set to increase, although different bodies will
offer different assurances - some only require an email as proof of
identity.
An official categorising scheme for certificates, indicating the
level of identity checking that has been carried out, has recently
been introduced into EU law. This allows companies to choose what
level of trust they require.
"Even for this system to work you have to trust the issuer,"
says Titterington. "Trust in e-business is identification and
identification is authentication."
Large, well-established companies will have far fewer problems
building up trust in the supply chain and with customers. Not only
will they be viewed as reliable, but they in turn will already know
whom they operate with, making authentication less of a
headache.
Although dotcoms can claim to start with a clean slate and no
worries about legacy applications, the need to get to market as
quickly as possible makes them more vulnerable to inadequate
security policies. However, according to the Ovum white paper,
throwing lots of money at security products is no answer.
"The key to successful security is planning and assessment," it
states. "Many of the most effective steps you can take do not
require expensive products, although some will be needed within a
comprehensive strategy."
No quick fix
To work effectively, software products must be successfully
implemented and managed, and even then they cannot be made solely
responsible for a company's security strategy.
The range of software on offer includes encryption, antivirus,
and authentication, authorisation and administration packages. One
of the most common technologies is the firewall, which sits between
the internal and external networks to block and detect attacks.
Firewalls are generally viewed as the first line of defence.
Encryption provides a higher level of security. Users can avoid
the expense of communicating via a privately leased line by using
Virtual Private Networks, and thanks to encryption the exchange
remains private.
Security products themselves present a problem as they often can
only be integrated together on a crude basis. "Incompatibility
pervades the whole security issue," says Ovum's Titterington.
This is why all businesses trading online should have a security
policy and it should be reviewed at least every three months.
Security is not a one-off exercise. It is necessary to assess and
prioritise the risks a company is likely to face. Outsourcing does
not do away with the issue, as a company must have absolute trust
in the service provider.
There is no escaping the need for sophisticated technological
solutions but their role and cost must be kept relative to what
they are meant to be protecting. The combination of a good business
plan with the appropriate software will convince the market that a
company is trustworthy and worth doing business with. Security
gives the competitive edge.
Layered security: risk categories and possible solutions
Access security: who is able to use the system
Solution: authorisation, PKI, firewalls
Communication security: securing messages, such as file transfers
and email
Solution: encryption, VPN
Content security: securing processes on an application
Solution: virus detection, content filtering, restricting
Internet access for employees, checking outgoing messages
Security management: managing the entire security policy against
intrusion and denial of service attacks
Solution: security assessment and management, intrusion detection
Information taken from Ovum's white paper on security:
E-Business, New Direction and Successful Strategies
Access: open to abuse
Operational
- Denial of service attacks
- Loss or corruption of important data
Legal
- Impersonation of messages
- Vandalism of websites with offensive material
- Attacks that violate safety regulations
- Theft of copyright material
Financial
- Fraud
- Corruption of financial data
- Theft of bank account or credit card details