A Secure E-Business Environment

VoicenData Bureau
As companies worldwide move from a model of web-presence to one of web-business, more and more direct business (transactions) is being conducted on the Internet. According to certain estimates, in 1999 alone, the total value of e-business was of the order of $130 billion. A large part of that obviously happens in a few countries, like the United States. The true potential of the Internet as a platform for commerce will be unleashed once its global character is exploited. Many countries today have limited Internet reach but are fast getting online. Once the Internet becomes a truly global medium, the value of business on the net will rise dramatically.

It is no longer a matter of debate whether companies that shy away from the reality of e-business will survive. Most companies understand they will not. There is a mad rush among companies, big and small, to embrace e-business.

While all this (smart moves, enhanced operating efficiencies and faster penetration of new markets through the Internet) sounds impressive, one concern still looms large: that of a not-so-secure environment in which to conduct e-business.

There are two sides to the security problem. One is the security problem itself. The other is the concern about a possible security problem. Both act as barriers to the growth of e-business. According to the Computer Emergency Response Team (CERT), the number of reported cyber-vandalisms in 1999 was 8268. There must be many more that go unreported. Similarly, without proper legal validation of an Internet transaction, there is a lot of concern among businesses.

What's In A Number?

Can you repeat the question after reading the table?

| Statistic | Figure |
|---|---|
| Seconds it takes for the first intrusion attempt after you log into AOL | 90 |
| Intrusion attempts on www.ca.com in October 2000 | 157 |
| Number of cyber-vandalisms reported by CERT in 1999 | 8268 |
| Number of sites that provide free hacking tools | 2000+ |
| Number of seconds it takes to invade your system | 4 |
| Percentage of intrusions that remain undetected | 85% |
| Percentage of e-commerce transactions abandoned because of security concerns | 12.50% |
| Percentage of intrusions that come from within your own organisation | 74% |

Source: Computer Associates

However, this concern among businesses is not the only concern that comes in the way of e-business growth. A bigger barrier is the concern of the buyer - whether the environment in which he buys something is secure or not. "In fact, 12.5 percent of e-commerce transactions are abandoned by customers because of security concerns," says Simon Perry, vice president, security, Computer Associates (CA).

"You have to understand that the e-business network that allows you to conduct business is very, very different from the corporate network that you are used to," explains Perry. "Here, it is not just your employees who use your information or your applications. They are used by millions of customers, suppliers & channel partners. In case of some online shopping sites, customers are looking up the actual inventory directly. It is not just a question of scale or complexity. Securing your e-business is fundamentally different from having a secure corporate network."

With B2B online marketplaces becoming more active on the Internet, auctions and negotiations will be with multiple, unknown parties. That introduces a few more threats. A simple example: if, in a reverse auction on an online marketplace, someone detects your identity and reveals it to all the parties, you lose your premium positioning in the market.

The Concerns

There are basically three types of security-related concerns for an e-business environment. They are:

  • Direct attacks

  • Privacy

  • Trust

Direct attacks are the most well-known security problems. Many of these happen in the corporate network environment as well, though such attacks are more likely in an e-business, simply because they are difficult to detect. The most common examples of direct attacks are viruses, intrusion, and vandalism.

Direct attacks can happen anytime, and a proper defence mechanism is a must for tackling them. Some of the tools include anti-virus/virus detection, content inspection software, intrusion detection mechanisms, firewalls, and more proactive risk assessment and security audits. However, the fundamental nature of these security problems is the same as that of direct attacks that happen in corporate network environments.

PKI Service Providers in India

| PKI Company | Website | Indian Partner | Global Agency | Website |
|---|---|---|---|---|
| Indiasign | NA | HFCL | GlobalSign | www.globalsign.com |
| SafeScrypt | www.safescrypt.com | Satyam | VeriSign | www.verisign.com |
| Ecomenable | www.ecomenable.com | Ecomenable | Entrust | www.entrust.com |

Privacy is a concern, as important data can be intercepted and misused by unknown parties. Though data tampering can be dangerous in an e-business environment, the technical nature of this problem, like direct attacks, is very similar to problems that arise in large corporate networks. However, in an Internet environment, the network is accessed not just by a company's employees but also by its suppliers, channel partners and customers. The threat is certainly greater.

This can be tackled to a great extent by having foolproof access control mechanisms. A good access control mechanism should be able to determine who can access a particular piece of information, who can invoke what service, and who can impact the system. Proper access control, though it sounds simple, is a tough task to implement.

Trust is the most important security issue in e-business. This, being a legal rather than a technical concern, is unique to e-business. It is not an issue in normal IT networks, where you do not conduct any business. In that sense, it is more of a business issue than a technical issue.

Some of the most important aspects of trust-related security concerns are as follows.

Authentication

In simple terms, authentication means knowing the identity of the person who is trying to do some business with you. Passwords are the most primitive method of doing that. However, passwords can be stolen and misused. Often, stricter authentication, like digital certificates, smart cards, etc., is required.

Confidentiality

The Internet is open to all. It is difficult to know the identity of people who use the Net. Keeping information out of the reach of people who are not authorised to have it is what confidentiality seeks to achieve. Encryption is the most popular method to do that.

Information Integrity

Once a document is created, it needs to be kept intact. Alterations could have serious financial and legal implications.

Non-repudiation

Making sure that a deal is a deal. Non-repudiation means that a party cannot deny having agreed to or sent a document. Just imagine a situation wherein a person buys 1000 shares of a high premium stock and the next day, when the share price crashes, denies having bought them. The loss to the broker could run to lakhs.

On The Web: Security Solution Companies

| Company | Website |
|---|---|
| Baltimore Technologies | www.baltimore.com |
| Celo Communications | www.celocom.com |
| Checkpoint | www.checkpoint.com |
| Computer Associates | www.ca.com |
| Entegrity | www.entegrity.com |
| Entrust Technologies | www.entrust.com |
| Globalsign | www.globalsign.com |
| Rainbow Technologies | www.rainbow.com |
| RSA Security | www.rsasecurity.com |
| VeriSign | www.verisign.com |
| WiseKey | www.wisekey.com |
| Xcert Software | www.xcert.com |

Trust Infrastructure: Public Key Cryptography

The TINA factor of e-business is increasing day by day. There is no other option but to make this business as hassle-free and secure as possible. One increasingly popular way of building a high-trust e-business infrastructure is public key cryptography.

Cryptography uses mathematical algorithms to encrypt and decrypt data. Public key cryptography is a method where a pair of large numbers is used as keys to encrypt and decrypt data. One key, held by the owner (sender) and known only to him, is called the private key; the other, called the public key, is distributed to others. This pair of keys is such that a document that has been locked by one can only be unlocked by the other.

A sender uses his private key to encrypt the message and appends this encrypted data to the message. This is called a digital signature. The receiver uses the public key of the sender to decrypt it as well as to verify the identity of the sender. This solves the problems of authentication, message integrity and non-repudiation.

Though this solves a lot of problems, there still remains a major gap. That is, even after being sure about the electronic identity of a person, how do we make sure that this electronic identity really belongs to the person the sender claims to be? This problem is addressed by digital certificates. Based on a popular standard called X.509, digital certificates are issued by a trusted third party called the Certification Authority (CA), and bind the actual identity of a person/company to their/its electronic identity.
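The signing and certificate steps described above, as an added Python sketch that is not from the original article: textbook RSA over publicly known primes, applied to the share-order scenario, with a CA signing a name-to-key binding. The function names, the `buyer@example.test` identity, the sample order and the dictionary used as a certificate are hypothetical; it is a simplified stand-in for X.509, and the signature is computed over a SHA-256 digest of the message.

```python
import hashlib

E = 65537  # public exponent shared by every key in this sketch

def make_key(p, q):
    """Textbook RSA key from two primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data, n, d):
    """Private-key operation on the SHA-256 digest of the data (not the raw message)."""
    return pow(digest(data), d, n)

def verify(data, sig, n):
    """Public-key operation: recover the digest from sig and compare."""
    return pow(sig, E, n) == digest(data)

def binding(subject, subject_n):
    """Bytes the CA signs: a name tied to a public key (simplified stand-in for X.509)."""
    return f"{subject}|{subject_n:x}".encode()

def issue_cert(subject, subject_n, signer_n, signer_d):
    return {"subject": subject, "n": subject_n,
            "ca_sig": sign(binding(subject, subject_n), signer_n, signer_d)}

def accept_order(order, sig, cert, claimed, ca_n):
    """Accept only if the CA vouches for the key and that key signed the order."""
    if cert["subject"] != claimed:
        return False
    if not verify(binding(cert["subject"], cert["n"]), cert["ca_sig"], ca_n):
        return False
    return verify(order, sig, cert["n"])

# Constructed keys from public Mersenne primes, no padding: they protect nothing.
CA_N, CA_D = make_key(2**521 - 1, 2**607 - 1)
BUYER_N, BUYER_D = make_key(2**1279 - 1, 2**2203 - 1)
ROGUE_N, ROGUE_D = make_key(2**2281 - 1, 2**3217 - 1)
BUYER = "buyer@example.test"          # constructed identity
ORDER = b"BUY 1000 shares of XYZ"     # constructed sample order
CERT = issue_cert(BUYER, BUYER_N, CA_N, CA_D)
SIG = sign(ORDER, BUYER_N, BUYER_D)
# Self-made certificate: right name, but signed with the rogue key, not the CA's.
ROGUE_CERT = issue_cert(BUYER, ROGUE_N, ROGUE_N, ROGUE_D)

print(accept_order(ORDER, SIG, CERT, BUYER, CA_N))                    # genuine order
print(accept_order(b"BUY 10 shares of XYZ", SIG, CERT, BUYER, CA_N))  # altered order
print(accept_order(ORDER, sign(ORDER, ROGUE_N, ROGUE_D), ROGUE_CERT, BUYER, CA_N))
```

The third case is the gap the certificate closes: the rogue signature is mathematically valid under the rogue key, but no CA signature binds that key to the buyer's name.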

The process of digital certificates establishing secure transactions is called public key infrastructure (PKI). Today, PKI is becoming the most preferred security mechanism.

In India, the new IT Act has made it easier for companies to do e-business in a trusted environment. The Controller of Certification Authorities in India will license companies to provide certification and PKI services in India. Three companies so far have publicised their plans to provide PKI services. Satyam, the first name in the Indian Internet scenario, has roped in US certification company VeriSign to establish SafeScrypt, which will issue digital certificates in India. While HFCL is planning to do the same with GlobalSign, Europe's biggest certification agency, Baroda-based Ecomenable will work with Canadian agency Entrust to do the same.

Shyamanuja Das
