Trust me ... I'm in business

You can't trust anybody nowadays, which is why all security strategies should rely on layers of user authentication technology. Nathalie Towner reports

The biggest business facilitator on the Internet has finally been dragged into the limelight. Trust is now recognised as the ultimate e-business enabler without which nothing of much significance would happen. But it can only exist in a secure environment.

Security fulfils the obvious function of protecting against internal and external threats, but its very existence has allowed a climate of trust to develop that in turn has generated untold numbers of business opportunities.

Securing e-business is the very antithesis of traditional IT security, which was all about keeping company data safe from outsiders. Now it's all about encouraging the outsiders in, but trust must be given carefully as clearly not all visitors are welcome. Striking the right balance is key.

So, with typical e-business speed, technology is used to accelerate the process of building trust between two or more parties.

This is a complex task because to make a system more secure than necessary could have a detrimental effect by slowing the system down and impeding the authorised users. But if the balance is ill-judged, information and access can get into the wrong hands.

"The logical solution is to have different layers of security depending on who is accessing the system," says Graham Titterington, a senior consultant at Ovum and lead writer on its security white paper.

"At Ovum we call this ubiquitous security. Security measures are applied flexibly to different parts of the e-business. Perimeter security is inadequate as it is just protecting the system from the outside when lots of internal levels are necessary," he says.

Casual web visitors must have easy access to content, but all they require is read-only access. Trading partners working on collaborative projects, however, will need to view confidential material, and suppliers may need to check and adjust stock levels.

A company can no longer focus solely on its own security, but is also responsible for the entire supply chain with which it comes into contact electronically.

A well-conceived security system permits a company to be competitive, as the perception that it is reliable and safe will help the company attract alliances and customers.

Despite regular press coverage of damage inflicted by high-profile hackers, up to 80% of e-business crimes are committed by insiders. So the same principle of layered security applies within a company.

Employees will have different requirements depending on their status. For example, only the human resources department should be able to alter salary details, but a line manager may need to view a team member's salary before an appraisal.
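The layered, least-privilege access model described above (casual visitors read content, trading partners see confidential material, suppliers adjust stock, HR edits salaries, line managers view only their own team's salaries) can be expressed as a deny-by-default permission matrix with an extra relationship check on the sensitive actions. The following Go program is an added example, not code from the article or from Ovum; the role names, action names and the `Team` field are constructed for illustration.

```go
package main

import "fmt"

// Action is something a user may try to do. Names are constructed for this example.
type Action string

const (
	ReadContent      Action = "read_content"
	ReadConfidential Action = "read_confidential"
	AdjustStock      Action = "adjust_stock"
	ViewSalary       Action = "view_salary"
	EditSalary       Action = "edit_salary"
)

// Principal is whoever is making the request. Team (hypothetical field) lists
// the employees a line manager is responsible for and is empty for other roles.
type Principal struct {
	Name string
	Role string
	Team map[string]bool
}

// rolePerms is the permission matrix. Anything not listed here is denied, which
// is the "layered" idea: each role gets only the access its work requires.
var rolePerms = map[string]map[Action]bool{
	"visitor":         {ReadContent: true},
	"trading_partner": {ReadContent: true, ReadConfidential: true},
	"supplier":        {ReadContent: true, AdjustStock: true},
	"line_manager":    {ReadContent: true, ViewSalary: true},
	"hr":              {ReadContent: true, ViewSalary: true, EditSalary: true},
}

// Authorise answers "may p perform act on target?". Unknown roles and unlisted
// actions are refused. Viewing a salary is further restricted for line managers
// to the people on their own team; only HR may alter any salary.
func Authorise(p Principal, act Action, target string) bool {
	perms, known := rolePerms[p.Role]
	if !known || !perms[act] {
		return false
	}
	if act == ViewSalary && p.Role == "line_manager" {
		return p.Team[target]
	}
	return true
}

func main() {
	// Constructed principals to exercise the policy.
	visitor := Principal{Name: "anon", Role: "visitor"}
	manager := Principal{Name: "bob", Role: "line_manager", Team: map[string]bool{"carol": true}}
	hr := Principal{Name: "hr-desk", Role: "hr"}

	fmt.Println("visitor reads content:        ", Authorise(visitor, ReadContent, ""))
	fmt.Println("visitor reads confidential:   ", Authorise(visitor, ReadConfidential, ""))
	fmt.Println("manager views carol's salary: ", Authorise(manager, ViewSalary, "carol"))
	fmt.Println("manager views dave's salary:  ", Authorise(manager, ViewSalary, "dave"))
	fmt.Println("manager edits carol's salary: ", Authorise(manager, EditSalary, "carol"))
	fmt.Println("hr edits dave's salary:       ", Authorise(hr, EditSalary, "dave"))
}
```

The important property is that the matrix is consulted before any relationship check, so a role that was never granted an action cannot reach the second test at all; adding a new role means adding a row, not touching the decision logic.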

A company must be sure that it is authorising the right users. A user ID and password is the most common solution, but passwords can be easily forgotten or intercepted. Alternatively, people can be identified not by what they know but by what they have - a digital key stored on a smart card or a digital certificate. The most sophisticated method is biometrics, which includes eye and fingerprint scanning. Biometrics is currently far too costly for most companies and until this changes cryptography will remain the preferred solution.

One of the most popular cryptographic tools is Pretty Good Privacy (PGP), which is based on the public key method. It has been widely adopted simply because it is effective and free to use. The sender uses the recipient's public key to encrypt the message and the recipient uses his private key to decrypt it.
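The public-key step just described, with the sender using only the recipient's public key and the recipient using the matching private key, is shown below in Go's standard library using RSA-OAEP. This is an added example, not PGP's code or the article's; PGP itself encrypts the message body with a random symmetric session key and uses the recipient's public key only to wrap that session key, so this block illustrates the public-key half of that design. The key size, message and the `WrongKeyFails` check are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// GenerateKeyPair creates a recipient's key pair. The public half is published;
// the private half never leaves the recipient. 2048 bits is a constructed choice.
func GenerateKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt is the sender's step: only the recipient's public key is needed.
// OAEP padding with SHA-256 is used; the nil label is the default.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt is the recipient's step and requires the matching private key.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// RoundTrip runs the sender/recipient exchange and reports whether the
// recovered plaintext equals the original message.
func RoundTrip(msg string) (bool, error) {
	recipient, err := GenerateKeyPair()
	if err != nil {
		return false, err
	}
	ct, err := Encrypt(&recipient.PublicKey, []byte(msg))
	if err != nil {
		return false, err
	}
	pt, err := Decrypt(recipient, ct)
	if err != nil {
		return false, err
	}
	return string(pt) == msg, nil
}

// WrongKeyFails encrypts for one recipient and tries to decrypt with a
// different party's private key; it returns true when that attempt is rejected.
func WrongKeyFails(msg string) (bool, error) {
	recipient, err := GenerateKeyPair()
	if err != nil {
		return false, err
	}
	other, err := GenerateKeyPair()
	if err != nil {
		return false, err
	}
	ct, err := Encrypt(&recipient.PublicKey, []byte(msg))
	if err != nil {
		return false, err
	}
	_, err = Decrypt(other, ct)
	return err != nil, nil
}

func main() {
	// Constructed message standing in for an order sent to a supplier.
	const msg = "purchase order 1042: 500 units"
	ok, err := RoundTrip(msg)
	fmt.Println("recipient recovered message:", ok, err)
	rejected, err := WrongKeyFails(msg)
	fmt.Println("other private key rejected: ", rejected, err)
}
```

Note that OAEP limits a single RSA operation to a short message (a few hundred bytes at this key size), which is exactly why PGP and similar tools wrap a session key rather than the message itself.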

Before a company is prepared to carry out important transactions online it is crucial that it has proof that the recipient is who they say they are. A user can easily lie at the identification stage of registration. This is why the importance of Certification Authorities is set to increase, although different bodies will offer different assurances - some only require an email as proof of identity.

Recently introduced into EU law is an official categorising scheme for certificates indicating the level of checking that has been carried out. This allows companies to choose what level of trust they require.

"Even for this system to work you have to trust the issuer," says Titterington. "Trust in e-business is identification and identification is authentication."
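To make the point that "you have to trust the issuer" concrete, the following added Go example (not code from the article, Ovum or any certification authority) builds a small certification authority, has it issue a certificate to a registered user, and then shows that the same certificate is accepted only by a relying party whose trust store contains that CA. The CA and subject names, validity periods and the `Trusted` helper are constructed for the example; a real CA's checks before issuing are the policy question the article raises, and are not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with the parent certificate and signer key. When parent
// is the template itself the result is self-signed, which is how a root CA starts.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCA creates a certification authority: a self-signed CA certificate and the
// private key the issuer keeps to sign the certificates it vouches for.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueUserCert is the CA vouching for a registered subject: the subject's new
// public key is bound to its name by the CA's signature.
func IssueUserCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, subject string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return issue(tmpl, ca, &key.PublicKey, caKey)
}

// Trusted reports whether cert chains to one of the CAs the relying party has
// chosen to trust. With no roots supplied, nothing is trusted.
func Trusted(cert *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

func main() {
	ca, caKey, err := NewCA("Example Trading CA") // constructed name
	if err != nil {
		panic(err)
	}
	user, err := IssueUserCert(ca, caKey, "supplier-42") // constructed subject
	if err != nil {
		panic(err)
	}
	other, _, err := NewCA("Unrelated CA")
	if err != nil {
		panic(err)
	}
	fmt.Println("accepted when the issuing CA is trusted:  ", Trusted(user, ca))
	fmt.Println("accepted by a party trusting a different CA:", Trusted(user, other))
	fmt.Println("accepted with an empty trust store:       ", Trusted(user))
}
```

The certificate itself is identical in all three checks; what changes is the relying party's decision about which issuers to trust, which is the choice the EU categorisation scheme is meant to inform.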

Large, well-established companies will have far fewer problems building up trust in the supply chain and with customers. Not only will they be viewed as reliable, but they in turn will already know with whom they operate, making authentication less of a headache.

Although dotcoms can claim to start with a clean slate and no worries about legacy applications, the need to get to market as quickly as possible makes them more vulnerable to inadequate security policies. However, according to the Ovum white paper, throwing lots of money at security products is no answer.

"The key to successful security is planning and assessment," it states. "Many of the most effective steps you can take do not require expensive products, although some will be needed within a comprehensive strategy."

No quick fix

To work effectively, software products must be successfully implemented and managed, and even then they cannot be made solely responsible for a company's security strategy.

The range of software on offer includes encryption, antivirus and authentication, authorisation and administration packages. One of the most common technologies is the firewall, which sits between the internal and external network and prevents and detects any security attacks. Firewalls are generally viewed as the first line of defence.

Encryption provides a higher level of security. Users can avoid the expense of communicating via a privately leased line by using Virtual Private Networks, and thanks to encryption the exchange remains private.

Security products themselves present a problem as they often can only be integrated together on a crude basis. "Incompatibility pervades the whole security issue," says Ovum's Titterington.

This is why all businesses trading online should have a security policy and it should be reviewed at least every three months. Security is not a one-off exercise. It is necessary to assess and prioritise the risks a company is likely to face. Outsourcing does not do away with the issue, as a company must have absolute trust in the service provider.

There is no escaping the need for sophisticated technological solutions but their role and cost must be kept relative to what they are meant to be protecting. The combination of a good business plan with the appropriate software will convince the market that a company is trustworthy and worth doing business with. Security gives the competitive edge.

Layered security: risk categories and possible solutions

Access Security: Who is able to use the system
Solution: Authorisation, PKI, firewalls

Communication Security: Securing messages, such as file transfers and email
Solution: Encryption, VPN

Content Security: Securing processes on an application
Solution: Virus detection, content filtering, restricting Internet access for employees, checking outgoing messages

Security Management: Managing the entire security policy against intrusion, denial of service attacks
Solution: Security assessment and management and intrusion detection

Information taken from Ovum's white paper on security: E-Business, New Direction and Successful Strategies

Access: open to abuse

Operational

  • Denial of service attacks
  • Loss or corruption of important data

Legal

  • Impersonation of messages
  • Vandalism of websites with offensive material
  • Attacks that violate safety regulations
  • Theft of copyright material

Financial

  • Fraud
  • Corruption of financial data
  • Theft of bank account or credit card details