Better safe than sorry

Headlines about viruses and hackers keep security issues at the forefront of most IT minds, but is it really just about installing firewalls? David Bicknell offers advice on key e-business issues.

Recent research in the US found that the total annual cost of online security breaches to corporations was around $15bn. Yet 50 per cent of companies admitted to spending less than 5 per cent of their IT budget on network security.

So, how do you go about implementing effective security for e-business?

A good starting point is to understand that no system can ever be 100 per cent secure, and that products alone won't deliver security, although there are some excellent ones which should be considered.

Companies rarely have boundless budgets for security, and not every company dealing with e-business can realistically start from a greenfield site. Security has to fit with what already exists; it cannot be seen in isolation, and has to be judged in the context of what the business is trying to achieve. There is no point in paying out millions to cover a risk if the total sum at risk from a breach is £20.

According to Simon Jenner, head of security practice at Lucent Technologies, technology alone will get systems nowhere near 100 per cent secure. In fact, it can only achieve 20 per cent, whereas good policies, procedures and training will help achieve the rest, at least into the high 90s.

Some organisations believe that putting products in place is enough. What they fail to realise is that those products have to be configured to reflect the business needs and the threats the business faces. 'Too many believe they need X and Y, and then they'll be all right,' said Jenner.

First stop should be a study assessing the risks of running your business as a whole; it needs to reflect the philosophy, ethics and culture of the organisation. It should cover not just the obvious issues, such as viruses and hackers, but also the ways employees work - for example, how e-mail is used within the company, or whether employees have Web access in business hours. By common consent, one of the best aids in developing a security policy is a book by Charles Cresson-Wood, called 'Information Security Policies Made Easy', which gives examples of how to think when setting up such policies.

Business risks
Jenner warned that security should be considered not just by the techies but, more importantly, by the business too; in many organisations it is not. In fact, there has to be a mixture of the two. If not, the technical staff will not have considered the real business risks, while the business people may be unaware of the merits of some technology solutions.

One of the mistakes that many companies make is to believe that all they need to ensure that their systems are secure is a firewall. But this is not enough, according to Steve Woollard, technical director of security specialist Utimaco.

'The firewall is not the be-all and end-all of security,' he said. Other security measures that should be considered, he suggested, are disk and file encryption, antivirus software, penetration testing and intrusion detection, access controls - which might involve the use of smart cards, encryption keys or biometrics - and virtual private networks.

Jenner believes, in some cases, it is better to think not of hardware or software, but simply 'appliances'. And having those dedicated 'appliances' or closed systems in place - with the appropriate policies behind them - may be more secure than trying to haphazardly bolt a number of solutions together.

It is a different story with operating systems. Windows NT, for example, has to be all things to all users and cannot have security as its raison d'être, whereas Unix has long been regarded as more secure than the Microsoft operating systems. Alan Liddle, technical director of Trustis, suggested one means of enhancing security might be to put your firewalls on one operating system, your servers on another and your back-end systems on a third. It may seem like using the proverbial sledgehammer, but it does mean that a penetration of one of the elements will not mean penetration of them all.

Ian Kilpatrick of security group Wick Hill suggested that in too many cases companies pay less heed to their information security needs than to physical security. They might have a 24x7 secure facility and yet no firewall. 'It is the same as organisations who pay attention to health and safety at work. In some, you will be told exactly how to get out of a building if you visit their premises, while others will happily have you stepping over loose electric wiring.'

Securing businesses to deliver e-commerce operations has, in the minds of some suppliers, raised hopes that two methods of achieving security - smart cards and public key infrastructures (PKI), the certificates and supporting services that tie a user's identity to a particular encryption key pair - might finally shed the tag of being 'solutions looking for a problem'. Both are applicable in the arena of authentication, in which users have to prove that they are who they say they are. There is a case for saying that smart cards, more popular in continental Europe, may have a future, especially in companies where the need to remember a string of passwords for different applications has driven demand for products offering 'single sign-on'.

Horror stories
However, users considering a PKI must know precisely what they are doing. Many have been 'sold' a PKI without having any business need for it. There have already been horror stories of users buying hundreds or thousands of certificates for use in their systems, only to find they have used literally a handful. And although opinion differs depending on which supplier you ask, most would agree that PKI implementation is tricky, and can be expensive and time-consuming. Perhaps that is why more and more services organisations are prepared to host PKI applications, though that is still no reason for users to believe they have to use a PKI. Even organisations such as security specialist Trustis, with expertise in PKI development, have found themselves steering some users away from adoption, simply because although those users had heard about PKI, they didn't actually need one.

Biometrics - automated identification and verification using biological or physiological characteristics, such as fingerprint, iris or retina scans - is another technology that wants to be associated with e-business security. Although its adoption has largely been for giving staff access to corporate IT systems, there are some trials in place designed to use biometrics to try to increase general trust in Net technologies. According to Neurodynamics, in one pilot project in Austria, driven by Visa, Compaq and IBM, Net users are operating fingerprint sensors to authenticate their transactions. Other biometric methods which may be adopted in the future include voice recognition, facial recognition and keystroke dynamics, in which identification depends on the mechanics of your typing.

One other area of e-business in which security will be important is mobile commerce. According to mobile security group Integralis, the delays over the roll-out of 3G mobile applications have given everyone more time to think about security. A couple of solutions cited in this space include Baltimore Technologies' Telepathy product, which offers Secure Sockets Layer-like encryption, and Ericsson's Wireless Identity Modules, which function as a second SIM card within a handset to authenticate the user. Over the next 18 months you can expect many more security offerings to emerge to support mobile commerce.

Protection - Some e-business costs
  • Anti-virus protection - about $40 per workstation

  • Firewall - usually about $20,000 per gateway

  • Strong authentication for dial-up connections - $100 per user

  • Virtual private network - $150 per user, $5,000 per link

  • Audit log tools - about $2,000 per system

  • Intrusion detection tools - about $5,000-$100,000

  • PKI system - from $25,000

  • Single sign-on - about $1,000 per user

  • Vulnerability analysis - about $25,000

Source: Ovum, The cost of e-business security tools, 2000
