Security 101: The Challenge to Secure E-Business is Growing

In the last installment we suggested that the vulnerability of the Internet was a weak link to the successful growth of e-commerce. Although anti-virus protection, firewalls and intrusion detection were proposed as the first line of defense for an Internet-based e-business, the total security picture should also include security management solutions at the e-business infrastructure level.

An e-business has the potential for tremendous amount of activity-including potentially millions of Web site accesses, online financial transactions, customer registrations, product downloads and, of course, e-mail. As a result, user access requirements can be extremely varied. Recent software innovations such as Web access controls and virtual private networks (VPN) are able to provide more secured Internet access based on whether the user is a customer, a partner or contractor, or an internal employee. These solutions incorporate a combination of authentication, Web authorization and access control technologies.

Not long ago a customer would travel to an organization's brick-and-mortar facility and conduct business in person. The customer was identified by sight recognition. With the advent of telephone communications and, later, urban shopping centers, sight recognition became impossible. As a result, alternate verification features such as Social Security Number (SSN) and mother's maiden name were used. With the rise of Web transactions, both established and new validation methods are being examined to find the "long distance" equivalent of sight recognition.

Of all the authentication technologies currently being proposed for providing a secured path for e-commerce, none has attracted more attention than public key infrastructure or PKI. PKI is a security management system for communication over public networks, and consists of various technologies and policies to create, validate and distribute key pairs and digital certificates. It is based on the X.509 protocol originally published in 1988 through a collaboration of the CCITT/ISO working groups, now called the International Telecommunication Union (ITU) and revised several times thereafter by ITUPKI uses encryption algorithms such as DES, Triple DES and RSA. The key pairs are both private (for use when signing documents) and public (for use when accessing documents). Central to the PKI system is the use of a third-party service commonly known as the Certificate Authority (CA), which validates user identity, stores the public keys in the form of individual digital certificates, issues digital certificates, and signs digital certificates to make them legally binding.

For example, you want to do business with XYZ, your favorite e-commerce Web site. With a PKI system in place, you request a certificate, which is issued by a registration authority within the CA. Next, you send the certificate to XYZ, and XYZ then sends you their certificate. The exchanged certificates are then verified and cross-certified through the certificate authority process. You have now verified that you are dealing with XYZ. Both parties can now be assured of non-repudiation through a combination of the integrity of the exchange and positive identification. This is a simplified view of what is actually a complex system for establishing trust. PKI systems in their current forms have been criticized for being too complex. PKI vendors have undergone severe criticism for delivering systems that require excessive resources including high costs, lengthy deployment cycles, and large number of technical staff.

Generally, the baseline for establishing identity depends on three factors: (1) what you know, e.g., a password; (2) what you possess, e.g., a smart card; (3) who you are, e.g., an individualized physical trait. Any combination of those three factors can supply a high level of authentication assurance. Biometric authentication devices have been in existence for decades and include a variety of forms for establishing identity based on physical characteristics. The most popular biometric techniques include fingerprints, handprints and retina or full-face scanning. Other less popular techniques that have been touted by certain individuals include voice recognition or the way you type on a keyboard. As standards are rapidly being established for network protection, biometrics will one day make it possible for customers and e-businesses to communicate across the network with the same degree of non-repudiation attributed to face-to-face meetings. It is highly likely that improved security engineering, increased IT security budgets, and possibly, new legislation will accelerate the use of advanced authentication techniques such as biometrics or smart cards; establishing a strong foundation for successful e-commerce through increased security for network transactions.

As mentioned earlier, regardless of whether users are employees, company partners or anonymous customers, different classes of users may require unique access and privileges to many different applications. Applications have become increasingly complex--spanning multiple platforms, systems and even organizational boundaries. As Internet technologies continue to advance at an incredibly rapid rate, already overloaded IT staffs are busy designing, developing, and deploying new applications to stay ahead of the competition. Oftentimes, those applications adopt distributed multi-tiered architectures and leverage powerful programming languages such as Java, ActiveX, DCOM, and CORBA; adding to the difficulties of thwarting security threats. The dynamic nature of user requirements and technological innovation has caused existing security policies to become ineffective. An increasingly complex enterprise infrastructure, and a growing number of incidences of internal and external security breaches, has prompted IT professionals to incorporate into systems management tools that will help simplify, centralize and maintain security processes. Set forth below is a list of some popular types of security management tools:
Access Control: Policy-based authorization and access control across the distributed enterprise. Also, web-based solutions are available such as Web access control, Web authorization and Web SSO.
Auditing: Centralized audit for the enterprise. Will collect enterprise-wide security and system-level audit data for a consolidated audit picture. Events can be triggered with suspicious activities.
Policy Compliance: Enterprise-wide analysis of security policies, including automatic corrective measures, and prevents problem reoccurrence through the monitoring of system security. Will effectively allow administrators to manage security risks.
Single Sign-On: Automated secure single login for applications, databases and systems across the distributed enterprise, including the Web. This tool helps administrators to manage user access, authentication and authorization.
User Administration: Policy-based user and resource management across heterogeneous enterprise directories and namespaces. Simplifies administration of complex environments.
VPN: Trusted virtual private network with authorization and authentication. Offers privacy for communications over public networks and between servers behind the firewall.

2001 Computer Associates International, Inc. (CA) All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.