Net Prophet

SAN MATEO (01/31/2000) - Scantily clad models are a sure sign that a computer conference has hit the big time.

It's no surprise then that RSA Conference 2000 had its fair share of the above -- "Miss RSA" was quite fetching in her silver lamé. RSA has also become home to the suit-and-tie set. The security propeller-heads are still there -- they're the ones who wear a suit and tie and don't bother to tuck in their shirts.

But the reason for RSA's slick and glossy transformation is pretty simple: e-business.

Businesses built on a digital backbone -- able to turn on a dime in response to changing market conditions -- are a nightmare security scenario. Already, 2000 is shaping up to be a banner year for security issues.

I got the infamous e-mail from Pacific Bell Corp. saying it was time to change my password, thanks to a youth who cracked the databases of a variety of ISPs.

CD Universe's customers had credit card numbers posted on the Net. The Sunday Times reported that hackers tried to extort 10 million from 12 companies. And MSNBC showed how easy it was to steal credit card information from several I-commerce sites running misconfigured databases.

All of which leads to my point: E-business security is going to be a seminal issue in 2000. As companies ramp up to the e-business freeway, they need to examine the lessons of the business-to-consumer market and apply them judiciously.

Trust no one

Fox Mulder would be proud. Consumers used to worry that hackers would pluck their credit card numbers as they crossed the Net. Well, SSL (Secure Sockets Layer) put everyone's mind at ease. But that easily remedied concern has given way to newer, more complex issues: namely, the consumer might be a liar and the merchant might be incompetent.

Fraud is a major I-commerce concern. By some accounts, 15 percent of transactions are voided because of fraud or refusal issues. Just before Christmas, an order I made from Gap Online was taking forever to get to me.

When I called its customer service, the representative explained that orders over a certain amount were being checked to prevent fraud.

The flip side is that even though nobody saw your credit card number as it crossed the Net, the merchant might not be putting those numbers in a secure place. It's the equivalent of leaving the receipts lying on the counter.

All of which says trust is a two-way street and there's really no good reason to trust. Trust has to be earned. Consider the issue of nonrepudiation.

Nonrepudiation is a method for preventing businesses from denying orders and saying "No, it sure wasn't me who ordered 100 gross of Furbies." Nonrepudiation is critical in business, especially when we're talking about big business.

The glass house

Another security concern among users is privacy. Consider the vast amounts of corporate intelligence that can be gathered in a business-to-business scenario -- information that is valuable to competitors. Information that could have a real financial impact on your business.

Current media darling Transmeta operated under a veil of secrecy for five years. The company wouldn't talk about what it was doing. But you could find information on its patent filings, the trademarking of the name "Crusoe," and the backgrounds of the people who filed the patents. If you knew what data to gather and where, you got a pretty good idea of what Transmeta was up to.

Consider, then, the competitive intelligence implications of supply-chain management and business-to-business exchanges. Perhaps we need strong anonymity tools for businesses, analogous to the efforts taken by the hard-core cypherpunks and companies such as Zero Knowledge Systems.

Who are your friends?

Partners today, competitors tomorrow. Dynamic partnerships are the core of e-business. In the business-to-consumer world, there is usually no pre-established relationship between consumers and merchants. The smart merchants make it as simple as possible for a new purchaser to do business with them. But, in business to business, it's the flip side of this issue.

Businesses tend to establish more formal relationships for things such as payment authorization. But how do you consistently manage the process of adding new authorized users (and propagating it through the system) and cutting off access for others (and propagating that through the system)? A tighter system tends to make it more difficult to add or delete users, whereas a looser one invites the possibility of subscription fraud. As the cellular phone industry has improved security technology, it has had to grapple with the tough issue of subscription fraud -- a growth business according to the International Data Corp., a market research company in Framingham, Mass.

Security makes the top ten list of IT concerns year after year. But it's also an issue that stays low on the list. Security expenditures feel like throwing money into a black hole. So it's time to roll the security spending into the basic infrastructure expenditures. Before you calculate ROI, you'd better include the security spending money as well. What's the return on giving away your company's secrets?

Sean M. Dugan is a Senior Research Editor for the InfoWorld Test Center.

Contact him at
