As companies worldwide move from a model of web-presence to one of web-business, more and more direct business (transactions) is being conducted on the Internet. According to certain estimates, in 1999 alone the total value of e-business was of the order of $130 billion. A large part of that obviously happens in a few countries, like the United States. The true potential of the Internet as a platform for commerce will be unleashed once its global character is exploited. Many countries today have limited Internet reach but are fast getting online. Once the Internet becomes a truly global medium, the value of business on the net will rise dramatically.
It is no longer a matter of debate whether companies that shy away from the reality of e-business will survive. Most companies understand they will not. There is a mad rush among companies, big and small, to embrace e-business.
While all this (smart moves, enhanced operating efficiencies and faster penetration of new markets through the Internet) sounds impressive, one concern still looms large: that the environment in which e-business is conducted is not secure.
There are two sides to the security problem. One is the security problem itself. The other is the concern about a possible security problem. Both act as barriers to the growth of e-business. According to the Computer Emergency Response Team (CERT), the number of reported cyber-vandalisms in 1999 was 8268. There must be many more that go unreported. Similarly, without proper legal validation of an Internet transaction, there is a lot of concern among businesses.
What's In A Number?
Can you repeat the question after reading the table?

| Statistic | Value |
|---|---|
| Seconds it takes for the first intrusion attempt after you log into AOL | 90 |
| Intrusion attempts on www.ca.com in October 2000 | 157 |
| Number of cyber-vandalisms reported to CERT in 1999 | 8268 |
| Number of sites that provide free hacking tools | 2000+ |
| Number of seconds it takes to invade your system | 4 |
| Percentage of intrusions that remain undetected | 85% |
| Percentage of e-commerce transactions abandoned because of security concerns | 12.5% |
| Percentage of intrusions that come from within your own organisation | 74% |

Source: Computer Associates
However, this concern among businesses is not the only concern that comes in the way of e-business growth. A bigger barrier is the concern of the buyer - whether the environment in which he buys something is secure or not. "In fact, 12.5 percent of e-commerce transactions are abandoned by customers because of security concerns," says Simon Perry, vice president, security, Computer Associates (CA).
"You have to understand that the e-business network that allows you to conduct business is very, very different from the corporate network that you are used to," explains Perry. "Here, it is not just your employees who use your information or your applications. They are used by millions of customers, suppliers and channel partners. In the case of some online shopping sites, customers are looking up the actual inventory directly. It is not just a question of scale or complexity. Securing your e-business is fundamentally different from having a secure corporate network."
With B2B online marketplaces becoming more active on the Internet, auctions and negotiations will increasingly be conducted with multiple, unknown parties. That introduces a few more threats. A simple example: in an online marketplace, if someone detects your identity in a reverse auction and reveals it to all the other parties, you lose your premium positioning in the market.
There are basically three types of security related concerns in an e-business environment: direct attacks, privacy, and trust.
Direct attacks are the best known security problems. Many of them happen in the corporate network environment as well, though they are more likely in an e-business, simply because they are harder to detect there. The most common examples of direct attacks are viruses, intrusion, and vandalism.
Direct attacks can happen anytime and a proper defence mechanism is a must for tackling direct attacks. Some of the tools include anti-virus/virus detection, content inspection software, intrusion detection mechanism, firewalls and a more proactive risk assessment and security audits. However, the fundamental nature of these security problems is the same as direct attacks that happen in corporate network environments.
PKI Service Providers in India

| PKI Company | Website | Indian Partner | Global Agency | Website |
|---|---|---|---|---|
Privacy is a concern because important data can be intercepted and misused by unknown parties. Though interception and tampering can be dangerous in an e-business environment, the technical nature of this problem, like that of direct attacks, is very similar to the problems that arise in large corporate networks. However, in an Internet environment, the network is accessed not just by a company's employees but also by its suppliers, channel partners and customers, so the exposure is certainly greater.
This can be tackled to a great extent by having robust access control mechanisms. A good access control mechanism should be able to determine who can access a particular piece of information, who can invoke which service, and who can change the state of the system. Proper access control, though it sounds simple, is a tough task to implement.
Trust is the most important security issue in e-business. Being a legal rather than a technical concern, it is unique to e-business: it does not arise in ordinary IT networks where no business is transacted. In that sense, it is more of a business issue than a technical one.
Some of the most important aspects of trust related security concerns are as follows.
Authentication: in simple terms, knowing the identity of the person who is trying to do business with you. Passwords are the most primitive method of doing that. However, passwords can be stolen and misused, so stricter authentication such as digital certificates, smart cards, etc., is often required.
Confidentiality: the Internet is open to all, and it is difficult to know the identity of people who use the Net. Keeping information out of the reach of people who are not authorised to have it is what confidentiality seeks to achieve. Encryption is the most popular method of doing that.
Integrity: once a document is created, it needs to be kept intact. Alterations could have serious financial and legal implications.
On The Web
Security Solution Companies
Non-repudiation: making sure that a deal is a deal. Non-repudiation means that a party cannot deny having agreed to or sent a document. Just imagine a situation wherein a person buys 1000 shares of a high premium stock and the next day, when the share price crashes, denies having bought them. The loss to the broker could run to lakhs.
Trust Infrastructure: Public Key Cryptography
The TINA (there is no alternative) factor of e-business is increasing day by day. There is no option but to make this business as hassle-free and secure as possible. One way of building a high-trust e-business infrastructure that is becoming increasingly popular is public key cryptography.
Cryptography uses mathematical algorithms to encrypt and decrypt data. Public key cryptography is a method in which a pair of mathematically related keys (very large numbers) is used instead of a single shared secret. One key, the private key, stays with its owner and is known only to him; the other, the public key, is distributed to everyone else. The pair is constructed so that what one key locks only the other can unlock, and so that the private key cannot be worked out from the public one: data encrypted with a public key can be decrypted only with the matching private key, and a value produced with the private key can be checked by anyone holding the public key.
To sign a message, the sender computes a short digest (hash) of it and transforms that digest with his private key; the result, appended to the message, is the digital signature. The receiver recomputes the digest of the message he received and checks the signature against the sender's public key. Note that the receiver decrypts nothing and the signature hides nothing; if confidentiality is also needed, the sender encrypts the message with the receiver's public key so that only the receiver's private key can open it. A signature that verifies establishes that the message came from the holder of the private key (authentication), that it has not been altered since it was signed (integrity), and that the signer cannot later deny having signed it, since nobody else holds that private key (non-repudiation).
Though this solves a lot of problems, a major gap remains. A public key is just a number: even after verifying that a message was signed by the holder of a particular key, how do we know that the key belongs to the person or company the sender claims to be, and not to someone who generated a key pair and put that name on it? This problem is addressed by digital certificates. Based on the popular X.509 standard, digital certificates are issued by a trusted third party called a Certification Authority (CA) and bind the real-world identity of a person or company to its electronic identity (its public key). The CA signs each certificate with its own private key, so anyone who trusts the CA's public key can check the binding without having met the certificate holder.
| Resource | Website |
|---|---|
| Indian IT Bill | www.mit.gov.in/it-bill.htm |
| Resources on PKI | www.ecomenable.com/learning/white_papers.htm |
The combination of digital certificates, the Certification Authorities that issue them, and the policies and procedures for issuing, distributing and revoking them is called a public key infrastructure (PKI); it is what lets parties who have never met establish enough trust to transact. Today, PKI is becoming the most preferred security mechanism for e-business.
In India, the new IT Act has made it easier for companies to do e-business in a trusted environment. The Controller of Certifying Authorities in India will license companies to provide certification and PKI services in India. Three companies so far have publicised their plans to provide PKI services. Satyam, the first name in the Indian Internet scenario, has roped in the US certification company Verisign to establish SafeScrypt, which will issue digital certificates in India. HFCL is planning to do the same with GlobalSign, Europe's biggest certification agency, while Baroda based Ecomenable will work with the Canadian agency Entrust.
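The signing, verification and certificate checks described above, as an added worked example that is not part of the original article: a broker receiving a share order from "Alice" checks that her certificate chains to a CA the broker trusts, that the certificate actually names Alice, and that her signature verifies over the order as received. The party names (Alice, Bob, Mallory, "Demo Root CA"), the sample order text, and the choice of ECDSA over P-256 with SHA-256 are assumptions made for the example; the article describes the mechanism only in general terms. Only Go's standard library is used for keys, X.509 certificates and signatures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // demo-only serial counter; a real CA records serials in a database

// newCert binds subject's name to key's public key in an X.509 certificate.
// With parent == nil it is self-signed (a root CA); otherwise the issuer signs
// it with parentKey, which is what a CA does when it issues a customer's certificate.
func newCert(subject string, isCA bool, key *ecdsa.PrivateKey,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the template is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sign hashes the message with SHA-256 and signs the digest with the private
// key; this signature, not an encrypted copy of the message, is what gets appended.
func sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// verify performs the receiver's three checks: the certificate chains to a CA we
// trust, it names the party we expect to deal with, and the signature verifies
// under the public key the certificate carries (CheckSignature re-hashes msg).
func verify(roots *x509.CertPool, cert *x509.Certificate, expected string, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if cert.Subject.CommonName != expected {
		return fmt.Errorf("certificate names %q, not %q", cert.Subject.CommonName, expected)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil
}

// Result holds the broker's verdict for each case; nil means the order was accepted.
type Result struct {
	Genuine, Tampered, WrongParty, Impostor error
}

// must turns setup failures (key generation, issuance) into panics; demo only.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// runScenario plays out a broker receiving a (constructed) share order from Alice.
func runScenario() *Result {
	genKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, aliceKey, bobKey, malloryKey := genKey(), genKey(), genKey(), genKey()
	caCert := must(newCert("Demo Root CA", true, caKey, nil, nil))
	aliceCert := must(newCert("Alice", false, aliceKey, caCert, caKey))
	bobCert := must(newCert("Bob", false, bobKey, caCert, caKey))
	// Mallory makes her own key pair and labels it "Alice"; no CA vouches for it.
	malloryCert := must(newCert("Alice", false, malloryKey, nil, nil))
	roots := x509.NewCertPool()
	roots.AddCert(caCert) // the broker trusts this CA and nothing else

	order := []byte("BUY 1000 shares XYZ at 245.00") // constructed sample order
	sig := must(sign(aliceKey, order))
	return &Result{
		Genuine:    verify(roots, aliceCert, "Alice", order, sig),
		Tampered:   verify(roots, aliceCert, "Alice", []byte("BUY 100 shares XYZ at 245.00"), sig),
		WrongParty: verify(roots, bobCert, "Alice", order, must(sign(bobKey, order))),
		Impostor:   verify(roots, malloryCert, "Alice", order, must(sign(malloryKey, order))),
	}
}

func main() {
	r := runScenario()
	fmt.Println("genuine order:     ", r.Genuine)
	fmt.Println("tampered order:    ", r.Tampered)
	fmt.Println("signed by Bob:     ", r.WrongParty)
	fmt.Println("self-styled Alice: ", r.Impostor)
}
```

Three points the code makes that the prose only states: the signature is computed over a digest of the message and the receiver never decrypts anything; altering even one character of the order after signing fails the integrity check; and the impostor case is exactly the gap the digital-certificates paragraph above describes, since Mallory can generate a key pair and call it "Alice", but without a certificate issued by a CA the broker trusts the label carries no weight.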