You can't trust anyone nowadays

No security system can be 100% safe. Behaving as if your company is invulnerable leaves you open to attack

Put up as many firewalls and install all the anti-virus packages you like to protect your corporate data, but you will never achieve true security until these tools are built into an overarching security strategy.

Technology in itself will not prevent people exploiting computer networks, as Barings Bank discovered to its cost in 1995. A weak point will always be found - and often it is the human element that proves to be at fault.

Security surveys consistently highlight the fact that more than 50% of companies suffer security breaches. The problem is that they are taking the wrong or at least an inadequate approach to the issue. "A point solution like a firewall is not enough," says Geraint Evans, product marketing manager for UK network integrator Chernikeeff. "The important point is to deploy a whole methodology in approaching security," he says.

A methodical approach will enable companies to tackle every link of the e-commerce chain, testing each one in isolation and working out how to deal with remaining weak points.

Analyst company Gartner Group believes that safe commerce-grade transactions can be performed on the Web, but ensuring the integrity and privacy of such transactions is not so easy since it relies on securing components including the fingers of the user or the exhaustion of the back-office engineer.

Gartner's report, Secure Commerce Via the Web, argues that three choices face enterprises today:

  1. Investing in the technology and human resources to do the job safely.
  2. Refraining from making Web-based transactions.
  3. Risking successful attack.

Clearly the first option is the only option.

Holistic approach

What is an holistic approach? In short, it is built of micro-strategies that deploy combinations of appropriate technology and well-developed policy that relate specifically to each scenario being secured - a case of horses for courses. The option is developed in a report from analyst company Ovum, entitled E-Business Security: New Directions and Successful Strategies.

"The old security model tends to rely on perimeter security - protecting the outer boundaries of the organisation," says Graham Titterington, senior Ovum analyst and lead author of the report.

"But that is based on a hierarchy of trust which places 'internal' users at the top, and 'external' users at the bottom. This is plainly wrong for e-businesses which need to allow customers and suppliers into the heart of their systems. And, as we all know, the biggest security threats can lurk well within the boundaries of organisations, whatever their size," says Titterington.

Ovum's solution is a model which it calls "ubiquitous security", where security measures are applied flexibly to specific parts of the e-business environment. This relies on access control measures to grant user access selectively, depending on the level of trust placed in the user and the access device. Different applications would be afforded varying levels of protection, according to how mission-critical or sensitive they were judged to be, allowing time and cost to be spent on developing defences where they would be the most appropriate.

One of the central points Titterington makes is that policy - possibly the most important element for security - cannot be bought off the shelf. Requirements differ drastically according to organisational structure.

Tax returns

The kind of detail that this implies is demonstrated by work being done to secure the Inland Revenue's ELS network. This system allows accountants to file tax returns. Here, the specificities of the situation focus on securing a virtual network of people and technology, in which users have no contact with the system except when they log- on. At one level the solution deploys a number of standard security features that would be expected, including a firewall, which check all data before coming into the internal system.

But the matter of the virtual relationship that users have with the network will, in the first instance, be mitigated by users having to be known apart from their electronic relationships. They must be accountants in good standing and demonstrate that they have the means to take responsibility for protecting their online identification and authorisation.

Further, users are required to purchase prescribed hardware, which exercises control over the terminals that access ELS. There are plans to move to an open, Internet-based service but they are at least three years off, which allows time for the security issues around moving to a far less well-defined environment to become better understood.

Security technology itself is, of course, becoming more sophisticated by the day. Systems that focus not so much on preventing intrusion but providing alerts when one is suspected are some of the more interesting developments. Exception monitoring is an example, in which system management software detects when something unusual is happening and triggers an alarm. But ultimately, no system is ever complete. To behave as if it is, is to invite attack.

Shot from all sides – pinpointing the risks

Security, it's just a matter of buying in the right kit, isn't it? If only life were that simple ...

  • Dial-up access to networks is a particular source of risk. One London-based international bank's security policy mandated a front-end firewall but also allowed modems on PCs. Hackers staged a dramatic attack on the firewall and while the IT security teams were distracted managing it, hackers dialled in to the modems and made off with millions.
  • Projects involving many interested parties pose particular problems when it comes to security. Last year the Open for Business project, to computerise benefit and pension payments, was scrapped when the Post Office and Benefits Agency could not agree on systems specifications. Reports said, "It was a classic case of the public sector acquiring IT before formulating a business strategy," which includes an integrated approach to security.
  • Policy involving authorised users - their needs and their identities - must be at least as well developed as the security technology deployed. The problems with NHSnet illustrated this when X.400 messaging was chosen, trumpeted as being secure against hackers. It was, in reality, too secure and, therefore, too slow - a fact that put the medical profession off using the system. Further confidence was lost when they thought that the policy governing who had access to patient records was too lax.
  • When many partners are involved in an IT project, there is a risk of infiltration. The FBI recently only just prevented a major computer crime when the Mafia set up consultancies to fix Y2K problems in banking systems. Millennium bugs were fixed but they also installed trapdoors that would have later enabled major fraud.

Read more on Hackers and cybercrime prevention