Subject: August 2001 New Standards and Rules Create Opportunity brought to you by
Your Link to Worldwide E-Commerce Developments
August 1, 2001 *4,200 subscribers* Volume 3, Issue 8 Online:

New Standards and Rules Create Opportunity
Management Perspective
by Mitchell Levy, Author,

There has been much controversy and discussion about privacy and security and how it affects e-commerce. Quite often, new regulations and laws can be perceived as just more bureaucracy that gets in the way of doing business. However, as security issues are mitigated and standards are commonly deployed for security and privacy, new opportunities will actually be created for business.

Conducting e-business securely, especially in a global environment, requires assurance of buyer and seller identities, confidentiality, and a way to make the contract binding for purposes of non-repudiation. In the business-to-consumer space, credit cards and billing information provided some level of comfort for both merchant and consumer, but business-to-business transactions on the Internet are more complicated. In a typical Global 2000 firm, purchasing managers retained most of the authority for procurement of items not already integrated into supply chain or MRO activities. But the advent of the Internet has brought purchasing capability to thousands of employees at each of these firms. With commerce come security challenges. We'll review the landscape and the new opportunities for e-business security.

Why is security important? A 2001 Computer Security Institute (CSI) / Federal Bureau of Investigation (FBI) survey of U.S. corporations, federal agencies, universities, and financial institutions on security problems revealed that:

- 40% had unauthorized access by an outsider.
- 70% said their Internet connection was a frequent point of attack.
- 85% detected security breaches in the last 12 months.
- 94% were hit by a virus - probably higher.
- 64% had financial losses as a result of security breaches.

Combined with the demands of encryption, privacy, and non-repudiation of transactions, these findings add further to e-business risk.

Weighing the Costs:
Security is no different from any other investment to support business objectives. The costs come in many forms: delayed access to a website for customers, multiple passwords for employees, hardware and software expenses, firewall installation and configuration difficulties, and others. But compared to the potential damage incurred, including lost business during downtime, damage to company reputation and loss of customer confidence, security could be one of the best investments a networked enterprise can make.

Compromising the Enterprise:
There are countless ways to cause great trouble and pain, not only by stealing information, but also through fraud, denial of service attacks, and sometimes the destruction of entire websites. Fortunately, the combination of more intelligent firewalls, new encryption technologies for documents, and the rising adoption of digital keys and certificates is giving e-business a powerful set of tools that possibly could transform the Internet into the safest place to do commerce.

Encryption keys - and SSL and HTTPS:
Encryption is the use of mathematical algorithms and keys to scramble and descramble data. Symmetric keys, where all parties have the same key to encrypt and decrypt, must remain secret to be effective. Asymmetric keys, used in public key cryptography (PKI), are much different. These keys are produced in pairs: the public key and the private key. What one key does, only the other can undo, and one key cannot be deduced from the other.

The Secure Sockets Layer (SSL) and the hypertext transport protocol (HTTP) work together as HTTPS to create secure connections for sending information over the Internet. Asymmetric keys are used to encrypt a symmetric key exchange, called a session key, which serves to encrypt the transaction. More importantly, the server sends a digital certificate, a document provided by a trusted third party and signed with the server's private key, verifying its identity. These digital certificates, issued by firms such as Verisign, give both parties in a transaction mutual assurance of their identities, and most importantly, create proof that both parties engaged in commerce - non-repudiation. Contracts, purchases, exchange of legal documents, and even email correspondence can be "digitally signed". Combining SSL with public keys and signatures ensures privacy, authentication, and "non-repudiation", and managing digital certificates and keys for businesses, persons, and computers is a billion-dollar business annually.

Firewalls and Application Security:
A firewall is a combination of hardware and software that provides a secure perimeter of defense for a company's private network, with precisely defined access points called firewall (or server) ports. Firewalls are not "impermeable membranes" but instead allow configurable access for trusted parties, either business partners or employees, through virtual private networks (VPNs). Construction and configuration of firewalls and VPN access around application servers has become a multi-billion dollar business. Unfortunately, firewalls alone are not enough to provide complete enterprise security. Recently discovered holes in the security of operating systems and application servers are weaknesses; these were overlooked during development because most e-business applications are tested for function rather than security. Microsoft, Netscape, Oracle, IBM, and Sun are now building robust platforms for developing e-business with security as a core design principle rather than an afterthought.

Authorization and Authentication, Digital Signatures and Digital Certificates, and Public Key Infrastructure:
Authorization and authentication are key enablers of secure transactions, especially in banking and finance, and in a growing number of healthcare and human resource firms. When engaging in e-business transactions that have high value, unique proof, such as a personal identification number (PIN) in conjunction with a password, is required to authenticate who you are. Non-repudiation means that once a transaction is performed, there is no denying it. A third party adjudicating any dispute will most likely trust the evidence of non-repudiation provided by using encryption keys. The digital certificate is the link between a public key and its owner, and the digital signature is used to create a unique data string on the message. If any change occurs to this message, from corruption to intentional tampering, the string will also change. While signatures are not used in most Internet commerce today, e-business is adopting them now. Public Key Infrastructure (PKI) is the security architecture that supports the use of encryption keys, digital certificates and digital signatures; PKI will likely be the workhorse for secure e-business transactions.
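The three ideas above (a key pair where what one key does only the other undoes, a session key wrapped with a public key, and a signature that changes if the message changes) can be shown in a few dozen lines. The following is an added example written for this page, not code from the article or from any vendor it names: a textbook, unpadded RSA built from two well-known Mersenne primes and a constructed XOR keystream standing in for the session cipher, so the arithmetic is real but the block stays short.

```python
import hashlib
import secrets

# Added illustration: textbook RSA from known Mersenne primes (no padding, not a
# production scheme); real deployments use a vetted library, padding and larger keys.
P = 2**127 - 1
Q = 2**89 - 1
E = 65537

def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as (exponent, modulus) pairs."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def rsa_apply(key, value):
    """Raise value to the key's exponent modulo n; the other key of the pair undoes it."""
    exp, n = key
    return pow(value, exp, n)

def keystream_xor(session_key, data):
    """Toy symmetric cipher (constructed here): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(session_key + offset.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def encrypt_for(public_key, plaintext):
    """SSL-style hybrid: a random session key is wrapped with the recipient's public key."""
    session_key = secrets.token_bytes(16)
    wrapped = rsa_apply(public_key, int.from_bytes(session_key, "big"))
    return wrapped, keystream_xor(session_key, plaintext)

def decrypt_with(private_key, wrapped, ciphertext):
    """Only the private key recovers the session key, which then unscrambles the data."""
    session_key = rsa_apply(private_key, wrapped).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)

def sign(private_key, message):
    """Digital signature: hash the message, then apply the private key to the digest."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % private_key[1]
    return rsa_apply(private_key, digest)

def verify(public_key, message, signature):
    """The matching public key undoes the signature; any change to the message fails."""
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % public_key[1]
    return rsa_apply(public_key, signature) == digest
```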

N-tier architectures and Internet computing:
N-tier architectures used by most enterprises for browser based Internet and distributed computing leave the database behind several levels of protection, including firewalls, Web servers, and application servers. The business logic and database for Internet computing are both "in the line of fire" of the e-business transaction. Direct access from a browser client to the database creates a risk of unauthorized access. Controlling access through authentication and authorization will be needed as e-business moves into the realm of "pervasive computing" and e-services advocated by HP, Compaq, Oracle, and Microsoft. Maintaining n-tier security for e-business is an opportunity for third party vendors that understand both network performance and application security.

Value added networks:
Using VPNs (Virtual Private Networks) is a good substitute for the privacy and assured delivery provided by value added networks used in EDI. Digital certificates are increasingly being used by businesses on VPNs to provide secure identity for buyers, sellers, payment processing entities, and even network routers as described by SET (Secure Electronic Transactions). Both Visa and MasterCard have employed various versions of SET for B2B.

XML initiatives:
Two separate initiatives are looking to develop an XML standard for moving security information including authentication, authorization and user profiles across disparate online trading systems. The goals of Security Services Markup Language, or S2ML, are to allow customers to move across online exchanges and other e-business systems using a single sign-on. A standard security language to enable businesses to remain in control of online transactions, called AuthXML, is in progress. Each initiative expects to submit proposed XML (Extensible Markup Language) to standards bodies, including the World Wide Web Consortium, by year's end.

Security is a journey and a process, not a destination or a product. In E-Commerce Management (ECM) it is a series of operations in which clear rules, policies, and procedures must be carefully designed and meticulously deployed throughout an enterprise. More than just a layering of appropriate technologies, it is the application of business rules, authenticated identities, and countermeasures to ensure the success of enterprise ECM in the complex world of the Internet.

About Mitchell Levy
Mitchell Levy is President and CEO of (, a training business service provider helping companies transition their employees, partners and customers to the Internet age through off-the-shelf and customized on-line and on-ground training. He is the author of, Executive Producer of, an on-line E-Commerce Management (ECM) e-zine, Chair of at Comdex Fall and Chicago, and the Founder and Program Coordinator of the premier San Jose State E-Commerce Management Certificate Program ( Mitchell is a popular speaker, lecturing on ECM issues throughout the U.S. and around the world.

I hope you enjoy this eZine.
See you in cyberspace,

Mitchell Levy
Executive Producer, <>
President, <>
Founder and Coordinator, SJSU-PD ECM Certificate Program <>

  • is the premier monthly ECM e-zine.
  • is an e-commerce strategy, e-marketing and training firm helping start-up, medium and large corporations change their business to harness the power of the Internet.
  • is a book one must read to help them figure out how to e-volve-or-die.
  • San Jose State University, Professional Development, Electronic Commerce Management (ECM) is a Certificate Program for e-commerce professionals <>.

Copyright © 1999-2009 by, Inc., All rights reserved
21265 Stevens Creek Blvd., Suite 205
Cupertino, CA 95014, 408-257-3000 (Tel), 603-843-0769 (eFax)