The e-business expansion is bringing with it a wave of automated information exchange, delivering a wealth of cost-saving benefits to the enterprise but leaving a wake of new security risks in the process.
Although business risks are nothing new, the Internet poses some unique challenges for securing the well-being of corporate data assets, particularly when forging external business relationships. With greater numbers of access points into proprietary data streams, the supply-chain gateway quickly becomes one of the weakest links in the privacy chain.
Vulnerabilities are no longer thwarted at the perimeter of your compound, but now extend to the halls of your business and tradingpartners.
The threat to sensitive corporate and customer information via online exposure calls for stronger transactional security measures. Attempts to mitigate some of the new risks associated with e-business and e-commerce have created a demand for new trust mechanisms that are both strong and simple to use.
Undertaking the development of a new security plan can seem like a daunting task, particularly if you lack IT expertise in sophisticated privacy implementations. But failure to defend your company effectively against security threats will result in eroding customer trust, failed partner confidence, and, inevitably, lost revenue.
To help you better gauge your abilities and requirements, we've outlined some of the components that constitute a successful e-business privacy initiative.
You need to consider several "e-safe" essentials when attempting to effectively and affordably batten down the hatches against internal and external threats.
Although firewalls provide a good first defence in an overall security solution, stalling intruders at the gate to your exchange, they do not provide the level of authentication or transactional integrity required for managing access control within your trading hub.
Proper protection over distributed computing environments necessitates some key features. These include assurances for data and transactional integrity, confidentiality during and after transit, user authentication and authorisation in resource availability, and a method of nonrepudiation to ensure responsibility for a transaction.
In addition, your privacy measures should install easily into your infrastructure, delivering an adequate level of scalability and availability, but remaining transparent to end users and existing operations.
No single feature will provide an adequate defence but, in tandem, these crucial components will deliver the level of security necessary to implement e-commerce privacy.
One of the most basic forms of guaranteeing the integrity of a transmission is though a checksum process known as hashing. The sending party delivers its message along with an algorithm, or a hashing function, which the receiving party uses to create a second hash upon receipt. When the two match, the unaltered validity of the arriving data is ensured. Unfortunately, hashing does nothing to protect that data from prying eyes. For this, we must turn to encryption.
Although methods such as SSL (Secure Sockets Layer) and SMIME (Secure MIME) exist for protecting HTTP and SMTP data, respectively, in transit, they can't protect the data from internal threats while it's sitting around after delivery.
Encryption allows plain text to be converted into unreadable characters, requiring it to be decrypted on the receiving end to be understood. The encryption process is controlled via the use of cryptographic keys, used by each party in the transaction to lock and unlock the data, guaranteeing privacy between the parties.
Although encryption such as the open-source PGP (Pretty Good Privacy) has gained widespread acceptance for securing data, there are several notable downsides. Encryption can affect the enterprise concerns of availability of data for archiving and indexing.
For this reason, many rely upon authorisation controls such as secure directory access, rather than encryption, for promoting data-storage security.
Although easy to deploy in small scenarios and instances involving a discrete number of systems and users, encryption's primary stumbling block to large-scale deployment stems from issues of scalability and effective key management.
Keys and certificates
This process can be addressed, however, through deployment of a PKI (public key infrastructure) for distribution and management of encryption keys.
In PKI a key pair is created, consisting of a public key and a private key. The public key is distributed freely, allowing anyone to use it to encrypt information intended for your systems. You must then use your private key to decrypt that transmission. Only your private key can unlock the data encrypted by its corresponding public key.
PKI provides benefits over symmetric key encryption in that PKI doesn't require each holder to exchange key pairs in advance of the encryption as symmetric key encryption does. Thus PKI delivers a flexible and far more scalable solution.
Digital certificates then further your security efforts by supplying authentication of a user's credentials via assignment of a digital "fingerprint." With a digital certificate the public key of a user or Web server, for example, can be directly bound to the identity of the owner.
The process can be integrated into your transport and security framework to provide benefits such as user authentication and nonrepudiation of transactions.
Furthermore, the capability of integrating digital certificates with directory services enables access authorisation and enhanced usability features for users; these include single sign-on access for applications and data.
Certificate authorities, the component of PKI that maintains certification policies and practices, provide key management and maintain the authenticity of your certificates. Added perks provide ready availability for continuous e-commerce access and checks against certificate revocation lists to quickly expose compromises in privacy.
For all its benefits, however, impositions such as directory requirements for cross-certification between partners place burdens on businesses looking to implement PKI between companies. For this reason, PKI is usually easiest to implement from the ground up. Many even prefer to employ more traditional security technologies and practices during the transition period to enable a faster time to market.
PKI provides an effective point-to-point protection that can be extended to any application or device using the X.509 security and authentication standard, but a number of issues such as performance and cost have limited its widespread adoption.
PKI is likely to increase its attraction as products including Windows 2000 - with its built-in PKI support - begin to gain market share and e-business partnerships grow to demand faster and more flexible security measures.
Delivery mechanisms such as leased lines and private networks can also bolster security capabilities between business partners. In cases where private networks cannot be ec nomically justified, VPNs offer a lowcost means of securing communications and verifying intergateway transactions between partners.
Extranet VPNs offer the advantages of encryption and security mechanisms such as PGP (Pretty Good Privacy), PKI, and digital certificates to developing a pseudo-leased-line scenario, allowing you to build tunnels to business partners for whom you grant access to your private network resources.
Although VPNs can be set up quickly, as compared to the wait time on a new frame-relay circuit, VPNs currently pose interoperability and QoS (quality of service) concerns for large-scale enterprise deployment.
And getting business partners to install compatible implementations will likely add further logistic and financial hurdles that must be overcome.
Despite the initial hit to your bottom line, expenditures for security enhancements are a necessity not to be taken lightly. As more data is moved to the digital stage, you must demand stricter compliance to security standards from your employees as well as from business and trading partners. Preserving trust is the most vital component in any commerce alliance.
The bottom line
Ensuring data privacy
Business case: protecting your data assets maintains customer confidence. Benefits such as data integrity and nonrepudiation protect your bottom line from fraud via imposed accountability.
Technology case: privacy measures can be technically daunting and may require outsourcing consulting services for proper implementation. Scalable solutions can grow with your enterprise requirements.
+ Builds consumer and partner trust
+ Protects data during transit and while at rest+ Ensures authenticity and nonrepudiation of business transactionsCons- Expensive- Imposes technology mandates on partnersKeys to the privacy-enabled enterprise