New Standards and Rules Create Opportunity

Management Perspective by Mitchell Levy, Author, E-Volve-or-Die.com

There has been much controversy and discussion about privacy and security and how they affect e-commerce. Quite often, new regulations and laws are perceived as just more bureaucracy that gets in the way of doing business. However, as security issues are mitigated and standards for security and privacy are commonly deployed, new opportunities will actually be created for business.

Conducting e-business securely, especially in a global environment, requires assurance of buyer and seller identities, confidentiality, and a way to make the contract binding for purposes of non-repudiation. In the business-to-consumer space, credit cards and billing information provide some level of comfort for both merchant and consumer, but business-to-business transactions on the Internet are more complicated. In a typical Global 2000 firm, purchasing managers retained most of the authority for procurement of items not already integrated into supply chain or MRO activities. But the advent of the Internet has brought purchasing capability to thousands of employees at each of these firms. With commerce come security challenges. We'll review the landscape and the new opportunities for e-business security.
Why is security important? A 2001 Computer Security Institute (CSI) / Federal Bureau of Investigation (FBI) survey of U.S. corporations, federal agencies, universities, and financial institutions on security problems revealed that:

- 40% had unauthorized access by an outsider.
- 70% said their Internet connection was a frequent point of attack.
- 85% detected security breaches in the last 12 months.
- 94% were hit by a virus - probably higher.
- 64% had financial losses as a result of security breaches.

Add to these the demands of encryption, privacy, and non-repudiation of transactions, and e-business risk grows further.

Weighing the Costs

Security is no different from any other investment made to support business objectives. The costs come in many forms: delayed access to a website for customers, multiple passwords for employees, hardware and software expenses, firewall installation and configuration difficulties, and others. But compared to the potential damage incurred, including lost business during downtime, damage to company reputation, and loss of customer confidence, security could be one of the best investments a networked enterprise can make.

Compromising the Enterprise

There are countless ways to cause great trouble and pain, not only by stealing information, but also through fraud, denial of service attacks, and sometimes the destruction of entire websites. Fortunately, the combination of more intelligent firewalls, new encryption technologies for documents, and the rising adoption of digital keys and certificates is giving e-business a powerful set of tools that could transform the Internet into the safest place
to do commerce.

Encryption Keys, SSL, and HTTPS

Encryption applies mathematical algorithms, driven by keys, to scramble and descramble data. Symmetric keys, where all parties share the same key to encrypt and decrypt, must remain secret to be effective. Asymmetric keys, used in public key cryptography, are quite different. These keys are produced in pairs: the public key and the private key. What one key does, only the other can undo, and one key cannot be deduced from the other. The Secure Sockets Layer (SSL) and the Hypertext Transfer Protocol (HTTP) work together as HTTPS to create secure connections for sending information over the Internet.
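How the two kinds of keys described above combine in an HTTPS-style secure connection, as an added example that is not code from the original article: the client picks a random symmetric session key, encrypts it under the server's public key so that only the server's private key can recover it, and the symmetric key then encrypts the transaction itself. The server pair, the order text, and the OAEP label are constructed for the example; the primitives (RSA-OAEP and AES-GCM) come from Go's standard crypto packages and stand in for the cipher suites a real SSL/TLS handshake negotiates.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// oaepLabel ties the wrapped key to its purpose; the value is constructed for this example.
var oaepLabel = []byte("e-business session key")

// NewServerKeyPair makes the server's asymmetric pair: the public half is handed to every
// client, the private half never leaves the server.
func NewServerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// WrapSessionKey is the client's step: pick a fresh symmetric session key and encrypt it under
// the server's public key, so that only the matching private key can recover it.
func WrapSessionKey(serverPub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // AES-256 key
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, oaepLabel)
	return sessionKey, wrapped, err
}

// UnwrapSessionKey is the server's step: the private key undoes what the public key did.
func UnwrapSessionKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, wrapped, oaepLabel)
}

// gcm builds the symmetric cipher both sides use once they share the session key.
func gcm(sessionKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one transaction under the session key and prepends the random nonce. The
// symmetric cipher carries the bulk data because it is far cheaper than RSA.
func Seal(sessionKey, plaintext []byte) ([]byte, error) {
	aead, err := gcm(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. GCM authenticates the ciphertext, so a record altered in transit is
// reported as an error instead of being decrypted into garbage.
func Open(sessionKey, sealed []byte) ([]byte, error) {
	aead, err := gcm(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext shorter than a nonce")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// Exchange runs the whole flow for one order: the client wraps a session key for the server and
// seals the order under it; the server unwraps the key and opens the order.
func Exchange(order string) (string, error) {
	server, err := NewServerKeyPair()
	if err != nil {
		return "", err
	}
	clientKey, wrapped, err := WrapSessionKey(&server.PublicKey) // client side
	if err != nil {
		return "", err
	}
	sealed, err := Seal(clientKey, []byte(order)) // client side
	if err != nil {
		return "", err
	}
	serverKey, err := UnwrapSessionKey(server, wrapped) // server side
	if err != nil {
		return "", err
	}
	plain, err := Open(serverKey, sealed) // server side
	return string(plain), err
}

func main() {
	got, err := Exchange("PO-1001: 40 laptops")
	fmt.Printf("server recovered %q (err=%v)\n", got, err)
}
```

Run it with `go run`. Because the session key is wrapped with the public key, only the matching private key can unwrap it: `UnwrapSessionKey` with any other key pair returns a decryption error. And because AES-GCM authenticates what it encrypts, a sealed record with even one byte changed fails in `Open` rather than yielding a silently corrupted order.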
Asymmetric keys are used to protect the exchange of a symmetric key, called a session key, which then encrypts the transaction itself. More importantly, the server presents a digital certificate, a document issued and signed by a trusted third party that binds the server's identity to its public key, and proves it holds the matching private key. These digital certificates, issued by firms such as VeriSign, give both parties in a transaction mutual assurance of their identities and, most importantly, create proof that both parties engaged in commerce: non-repudiation. Contracts, purchases, exchanges of legal documents, and even email correspondence can be "digitally signed". Combining SSL with public keys and signatures ensures privacy, authentication, and "non-repudiation", and managing digital certificates and keys for businesses, persons, and computers
is a billion-dollar business annually.

Firewalls and Application Security

A firewall is a combination of hardware and software that provides a secure perimeter of defense for a company's private network, with precisely defined access points called firewall (or server) ports. Firewalls are not "impermeable membranes" but instead allow configurable access for trusted parties, either business partners or employees, through virtual private networks (VPNs). Construction and configuration of firewalls and VPN access around application servers has become a multi-billion dollar business. Unfortunately, firewalls alone are not enough to provide complete enterprise security. Recently discovered security holes in operating systems and application servers are weaknesses that were overlooked during development, because most e-business applications are tested for function rather than security. Microsoft, Netscape, Oracle, IBM, and Sun are now building robust platforms for developing e-business with security
as a core design principle rather than an afterthought.

Authorization and Authentication, Digital Signatures and Digital Certificates, and Public Key Infrastructure

Authorization and authentication are key enablers of secure transactions, especially in banking and finance, and in a growing number of healthcare and human resource firms. When engaging in high-value e-business transactions, unique proof, such as a personal identification number (PIN) in conjunction with a password, is required to authenticate who you are. Non-repudiation means that once a transaction is performed, there is no denying it. A third party adjudicating any dispute will most likely trust the evidence of non-repudiation provided by encryption keys. The digital certificate is the link between a public key and its owner, and the digital signature is a unique data string computed over the message. If any change occurs to the message, from corruption to intentional tampering, the string will no longer match. While signatures are not used in most Internet commerce today, e-business is adopting them now. Public Key Infrastructure (PKI) is the security architecture that supports the use of encryption keys, digital certificates, and digital signatures; PKI will likely
be the workhorse for secure e-business transactions.

N-Tier Architectures and Internet Computing

N-tier architectures, used by most enterprises for browser-based Internet and distributed computing, leave the database behind several levels of protection, including firewalls, Web servers, and application servers. The business logic and database for Internet computing are both "in the line of fire" of the e-business transaction. Direct access from a browser client to the database creates a risk of unauthorized access. Controlling access through authentication and authorization will be needed as e-business moves into the realm of "pervasive computing" and the e-services advocated by HP, Compaq, Oracle, and Microsoft.
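The application-tier gate that this passage calls for, as an added example that is not part of the original article: before any query reaches the database, the middle tier authenticates the caller by verifying a client certificate against the enterprise's trusted certificate authority (the trusted third party of the PKI discussion above), checks the caller's digital signature over the request so that any alteration is detected, and only then authorizes the requested action by role. The CA name, the users, the role table, and the purchase-order request are constructed sample data; the certificate and signature operations are Go's standard crypto/x509 and crypto/ecdsa packages.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on setup errors in this sample; a real service would return them.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newIdentity creates a key pair for name and has the CA (parent, parentKey) certify the public
// key; with parent == nil the certificate is self-signed, which is how a CA's own root is made.
func newIdentity(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) (*ecdsa.PrivateKey, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // CertSign matters only for the CA
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return key, cert
}

// sign is the user's digital signature over the request body: a string that changes if the
// body changes by even one byte.
func sign(key *ecdsa.PrivateKey, body string) []byte {
	digest := sha256.Sum256([]byte(body))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return sig
}

// roles is the application tier's authorization table (constructed sample data).
var roles = map[string]string{"alice@example.com": "purchasing-manager", "bob@example.com": "employee"}

// Authorize is the middle-tier gate in front of the database: authenticate (the certificate chains
// to a trusted CA), check integrity (the signature matches the body), then authorize (the holder's
// role permits the action). The database is queried only if this returns nil.
func Authorize(body string, cert *x509.Certificate, sig []byte, trusted *x509.CertPool, action string) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: trusted}); err != nil {
		return fmt.Errorf("authentication failed: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256([]byte(body))
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature check failed: body altered or not signed by the certificate holder")
	}
	if action == "approve-purchase" && roles[cert.Subject.CommonName] != "purchasing-manager" {
		return fmt.Errorf("authorization failed: %s may not %s", cert.Subject.CommonName, action)
	}
	return nil
}

// Scenario sets up the enterprise CA and its users, submits four requests to the application
// tier and reports which were accepted. Only the first should be.
func Scenario() (genuine, tampered, wrongRole, untrustedIssuer bool) {
	caKey, caCert := newIdentity("Example Enterprise CA", nil, nil, true)
	trusted := x509.NewCertPool()
	trusted.AddCert(caCert)
	aliceKey, aliceCert := newIdentity("alice@example.com", caCert, caKey, false)
	bobKey, bobCert := newIdentity("bob@example.com", caCert, caKey, false)
	// A certificate in Alice's name from an issuer the enterprise never trusted.
	otherKey, otherCA := newIdentity("Some Other CA", nil, nil, true)
	strangerKey, strangerCert := newIdentity("alice@example.com", otherCA, otherKey, false)
	const action = "approve-purchase"
	body, altered := `{"po":"PO-1001","amount":48000}`, `{"po":"PO-1001","amount":480000}`
	aliceSig := sign(aliceKey, body) // the altered body is presented with this same signature
	genuine = Authorize(body, aliceCert, aliceSig, trusted, action) == nil
	tampered = Authorize(altered, aliceCert, aliceSig, trusted, action) == nil
	wrongRole = Authorize(body, bobCert, sign(bobKey, body), trusted, action) == nil
	untrustedIssuer = Authorize(body, strangerCert, sign(strangerKey, body), trusted, action) == nil
	return
}

func main() {
	fmt.Println(Scenario()) // true false false false
}
```

The three checks in `Authorize` are deliberately ordered: a request that cannot be tied to a trusted certificate is rejected before any signature or role lookup, so a caller who never enrolled with the enterprise CA never reaches the authorization table, let alone the database.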
Maintaining n-tier security for e-business is an opportunity for third-party vendors that understand both network performance and application security.

Value Added Networks

Using VPNs (Virtual Private Networks) is a good substitute for the privacy and assured delivery provided by the value added networks used in EDI. Digital certificates are increasingly being used by businesses on VPNs to provide secure identity for buyers, sellers, payment processing entities, and even network routers, as described by SET (Secure Electronic Transactions). Both
Visa and MasterCard have employed various versions of SET for B2B.

XML Initiatives

Two separate initiatives are looking to develop an XML standard for moving security information, including authentication, authorization, and user profiles, across disparate online trading systems. The goal of Security Services Markup Language, or S2ML, is to allow customers to move across online exchanges and other e-business systems using a single sign-on. A standard security language to enable businesses to remain in control of online transactions, called AuthXML, is in progress. Each initiative expects to submit its proposed XML (Extensible Markup Language) specification to standards bodies, including the World Wide Web Consortium, by year's
end.

Summary

Security is a journey and a process, not a destination or a product. In E-Commerce Management (ECM) it is a series of operations in which clear rules, policies, and procedures must be carefully designed and meticulously deployed throughout an enterprise. More than just a layering of appropriate technologies, it is the application of business rules, authenticated identities, and countermeasures to ensure the success of
enterprise ECM in the complex world of the Internet.

About Mitchell Levy

Mitchell Levy is President and CEO of ECnow.com (http://ecnow.com), a training business service provider helping companies transition their employees, partners, and customers to the Internet age through off-the-shelf and customized on-line and on-ground training. He is the author of E-Volve-or-Die.com, Executive Producer of ECMgt.com, an on-line E-Commerce Management (ECM) e-zine, Chair of comdex.biz at Comdex Fall and Chicago, and the Founder and Program Coordinator of the premier San Jose State E-Commerce Management Certificate Program (http://ecmtraining.com/sjsu). Mitchell is a popular speaker, lecturing on ECM issues throughout the U.S. and
around the world.

I hope you enjoy this eZine. See you in cyberspace,

Mitchell Levy
Executive Producer, ECMgt.com <http://ECMgt.com>
President, ECnow.com <http://ecnow.com>
Founder and Coordinator, SJSU-PD ECM Certificate Program <http://ecmtraining.com/sjsu>

- ECMgt.com is the premier monthly ECM e-zine.
- ECnow.com is an e-commerce strategy, e-marketing and training firm helping start-up, medium and large corporations change their business to harness the power of the Internet.
- E-Volve-or-Die.com is a book one must read to figure out how to e-volve-or-die.
- San Jose State University, Professional Development, Electronic Commerce Management (ECM) is a Certificate Program for e-commerce professionals <http://ecmtraining.com/sjsu>.

To subscribe to ECMgt.com, please visit http://www.ECMgt.com or send e-mail to VMS3.Subscribe@ecnow.com?subject=ecmgt.Aug2001+subscribe