As companies worldwide move from a model of web-presence to
one of web-business, more and more direct business (transactions) is being
conducted on the Internet. According to certain estimates, in 1999 alone, the
total value of e-business was of the order of $130 billion. A large part of that
obviously happens in a few countries, like the United States. The true potential
of the Internet as a platform for commerce will be unleashed once its global
character is exploited. Many countries today have limited Internet reach but are fast getting online. Once the Internet
becomes a truly global medium, the value of business on the net will rise
dramatically.
It is no longer a matter of debate whether companies that shy
away from the reality of e-business will survive. Most companies understand they
will not. There is a mad rush among companies, big and small, to embrace
e-business.
While all this (smart moves, enhanced operating efficiencies
and faster penetration of new markets through the Internet) sounds very
impressive, one concern still looms large: that of an environment that is not
secure enough for conducting e-business.
There are two sides to the security problem. One is the
security problem itself. The other is the concern about a possible security
problem. Both act as barriers to the growth of e-business. According to the Computer
Emergency Response Team (CERT), the number of reported cyber-vandalisms in 1999
was 8268. There must be many more that go unreported. Similarly, the lack of
proper legal validation for Internet transactions is a source of much concern
among businesses.
What's In A Number?
Can you repeat the question after reading the table?

| Statistic | Figure |
|---|---|
| Seconds it takes for the first intrusion attempt after you log into AOL | 90 |
| Intrusion attempts on www.ca.com in October 2000 | 157 |
| Number of cyber-vandalisms reported by CERT in 1999 | 8268 |
| Number of sites that provide free hacking tools | 2000+ |
| Number of seconds it takes to invade your system | 4 |
| Percentage of intrusions that remain undetected | 85% |
| Percentage of e-commerce transactions abandoned because of security concerns | 12.50% |
| Percentage of intrusions that come from within your own organisation | 74% |

Source: Computer Associates
However, this concern among businesses is not the only
concern that comes in the way of e-business growth. A bigger barrier is the
concern of the buyer - whether the environment in which he buys something is
secure or not. "In fact, 12.5 percent of e-commerce transactions are abandoned by customers because of security
concerns," says Simon Perry, vice president, security, Computer Associates
(CA).
"You have to understand that the e-business network that
allows you to conduct business is very, very different from the corporate
network that you are used to," explains Perry. "Here, it is not just
your employees who use your information or your applications. They are used by
millions of customers, suppliers & channel partners. In case of some online
shopping sites, customers are looking up the actual inventory directly. It is
not just a question of scale or complexity. Securing your e-business is
fundamentally different from having a secure corporate network."
With B2B online marketplaces becoming more active on the
Internet, auctions and negotiations will increasingly be with multiple, unknown
parties. That introduces a few more threats. A simple example: in a reverse
auction on an online marketplace, if your identity is somehow detected and
revealed to all the other parties, you lose your premium positioning in
the market.
The Concerns
There are basically three types of security related concerns
for an e-business environment. They are:
- Direct attacks
- Privacy
- Trust
Direct attacks are the most well known security problems.
Many of these happen in the corporate network environment as well, though such
attacks are more likely in an e-business, simply because they are harder to
detect there. The most common examples of direct attacks are
viruses, intrusions and vandalism.
Direct attacks can happen at any time, and a proper defence
mechanism is a must for tackling them. Some of the tools include
anti-virus and virus detection software, content inspection software, intrusion
detection mechanisms and firewalls, along with more proactive risk assessments
and security audits. However, the fundamental nature of these security problems
is the same as that of direct attacks in corporate network environments.
PKI

| PKI Company | Website | Indian Partner | Global Agency | Website |
|---|---|---|---|---|
| Indiasign | NA | HFCL | GlobalSign | www.globalsign.com |
| SafeScrypt | www.safescrypt.com | Satyam | VeriSign | www.verisign.com |
| Ecomenable | www.ecomenable.com | Ecomenable | Entrust | www.entrust.com |
Privacy is a concern as important data can be intercepted and
misused by unknown parties. Though data tampering can be dangerous in an
e-business environment, the technical nature of this problem, like direct
attacks, is very similar to problems that arise in large corporate networks.
However, in an Internet environment, the network is not just accessed by a
company’s employees but also by its suppliers, channel partners and customers.
The threat is certainly greater.
This can be tackled to a great extent by having foolproof
access control mechanisms. A good access control mechanism should be able to
determine who can access a particular piece of information, who can invoke what
service, and who can impact the system. Proper access control, though it sounds
simple, is a tough task to implement.
Trust is the most important security issue in e-business.
This, being a legal rather than a technical concern, is unique to e-business.
This is not an issue in normal IT networks, where you do not conduct any
business. In that sense, it is more of a business issue than a technical issue.
Some of the most important aspects of trust related security
concerns are as follows.
Authentication
In simple terms, this means knowing the identity of the person who is
trying to do some business with you. Passwords are the most primitive method of
doing that. However, passwords can be stolen and misused. Often, stricter
authentication, such as digital certificates or smart cards, is required.
Confidentiality
The Internet is open to all. It is difficult to know the
identity of people who use the Net. Keeping information out of the reach of
people who are not authorised to have it is what confidentiality seeks to
achieve. Encryption is the most popular method of doing that.
Information Integrity
Once a document is created, it needs to be kept intact.
Alterations could mean serious financial and legal implications.
Non-repudiation
Making sure that a deal is a deal. Non-repudiation means that
a party cannot deny having agreed to or sent a document. Just imagine a
situation wherein a person buys 1000 shares of a high premium stock and the next
day, when the share price crashes, denies having bought that. The loss to the
broker could run to lakhs.

Security Solution Companies

| Company | Website |
|---|---|
| Baltimore Technologies | www.baltimore.com |
| Celo Communications | www.celocom.com |
| Checkpoint | www.checkpoint.com |
| Computer Associates | www.ca.com |
| Entegrity | www.entegrity.com |
| Entrust Technologies | www.entrust.com |
| Globalsign | www.globalsign.com |
| Rainbow Technologies | www.rainbow.com |
| RSA Security | www.rsasecurity.com |
| VeriSign | www.verisign.com |
| WiseKey | www.wisekey.com |
| Xcert Software | www.xcert.com |
Trust Infrastructure: Public Key Cryptography
The TINA (there is no alternative) factor of e-business is increasing day by day. There
is no other option but to make this business as hassle-free and secure as
possible. One way of building a high-trust e-business infrastructure that is
increasingly popular is what is called public key cryptography.
Cryptography uses mathematical algorithms to encrypt and
decrypt data. Public key cryptography is a method in which a pair of large numbers
is used as keys to encrypt and decrypt data. One key, kept by the owner (sender),
is called the private key and is known only to him; the other, called the
public key, is distributed to others. The pair is such that a document
that has been locked with one key can only be unlocked with the other.
A sender uses his private key to encrypt the message and
appends this encrypted data to the message. This is called a digital signature.
The receiver uses the public key of the sender to decrypt the message as well as
to verify the identity of the sender. This solves the problem of authentication,
message integrity and non-repudiation.
Though this solves a lot of problems, there still remains a
major gap. That is, even after being sure about the electronic identity of a
person, how do we make sure that the electronic identity of the sender is the
same as what he claims to be? This problem is addressed by digital certificates.
Based on a popular standard called X.509, digital certificates are issued by a
trusted third party called the Certification Authority (CA), and bind the actual
identity of a person/company to their/its electronic identity.
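As an added illustration of the two paragraphs above (example code written for this page, not anything from the companies or standards it mentions), the following Python builds a toy textbook RSA signature with fixed small primes and then has a constructed certification authority sign a name-to-key binding the way an X.509 certificate does. Like real signature schemes it signs a SHA-256 digest of the document rather than the document itself; the party names, order text and 30-bit primes are constructed so the arithmetic stays visible, and there is no padding scheme.

```python
import hashlib

# Textbook RSA with fixed ~30-bit primes (constructed for illustration; real
# deployments use 2048-bit keys and a padding scheme such as RSA-PSS).
def make_keypair(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)                  # private exponent (Python 3.8+)
    return (n, e), (n, d)                # (public key, private key)
def digest(data, n):
    # Hash the document and reduce it so the value fits below the modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(message, private_key):
    n, d = private_key
    return pow(digest(message, n), d, n)                # lock with the private key
def verify(message, signature, public_key):
    n, e = public_key
    return pow(signature, e, n) == digest(message, n)  # unlock with the public key

# A certification authority binds a name to a public key by signing the pair:
# an X.509 certificate in miniature (a constructed dict, not the real encoding).
def to_be_signed(cert):
    n, e = cert["public_key"]
    return f"{cert['subject']}|{n}|{e}".encode()

def issue_certificate(subject, subject_pub, issuer_priv):
    cert = {"subject": subject, "public_key": subject_pub}
    cert["signature"] = sign(to_be_signed(cert), issuer_priv)
    return cert

def verify_certificate(cert, ca_pub):
    return verify(to_be_signed(cert), cert["signature"], ca_pub)

# Constructed parties: a broker's client, an impostor, and the CA the broker trusts.
CLIENT_PUB, CLIENT_PRIV = make_keypair(1000000007, 998244353)
IMPOSTOR_PUB, IMPOSTOR_PRIV = make_keypair(1000000009, 1000000021)
CA_PUB, CA_PRIV = make_keypair(1000000033, 1000000087)

def accept_order(order, signature, cert):
    # The broker accepts an order only if the CA vouches for the key (authentication)
    # and the signature matches the order as received (integrity). Keeping the
    # signature on file is what lets the broker rebut a later denial (non-repudiation).
    return verify_certificate(cert, CA_PUB) and verify(order, signature, cert["public_key"])

if __name__ == "__main__":
    order = b"BUY 1000 shares of ACME at 540.00"
    cert = issue_certificate("client@example", CLIENT_PUB, CA_PRIV)
    sig = sign(order, CLIENT_PRIV)
    print("genuine order accepted:", accept_order(order, sig, cert))                           # True
    print("altered order accepted:", accept_order(order.replace(b"1000", b"100"), sig, cert))  # False
    fake = issue_certificate("client@example", IMPOSTOR_PUB, IMPOSTOR_PRIV)
    print("self-certified impostor accepted:", accept_order(order, sign(order, IMPOSTOR_PRIV), fake))  # False
```

The impostor can produce a valid-looking signature and even a "certificate" naming the client, but because the binding was not signed by the CA's private key, the broker's check rejects it; that is the gap digital certificates close.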
Also See…

| Resource | URL |
|---|---|
| Indian IT Bill | www.mit.gov.in/it-bill.htm |
| Understanding PKI | www.rsasecurity.com/products/keon/whitepapers/pki/PKIwp.pdf |
| Digital Signature | www.abanet.org/scitech/ec/isc/dsg-tutorial.html |
| Resources on PKI | www.ecomenable.com/learning/white_papers.htm |
| PKI Resources | www.dstc.qut.edu.au/MSU/projects/pki/index.html |
| Baltimore Technologies | www.baltimore.com/public_key_infrastructure.html |
The system by which digital certificates are issued and used to establish
secure transactions is called public key infrastructure (PKI). Today, PKI is
becoming the most preferred security mechanism.
In India, the new IT Act has made it easier for companies to
do e-business in a trusted environment. The Controller of Certification
Authorities in India will license companies to provide certification and PKI
services in India. Three companies so far have publicised their plans to provide
PKI services. Satyam, the first name in the Indian Internet scenario, has roped
in US certification company, Verisign, to establish SafeScrypt that will issue
digital certificates in India. While HFCL is planning to do the same with
GlobalSign, Europe’s biggest certification agency, Baroda based Ecomenable
will work with Canadian agency Entrust to do the same.