E-business security basics
SearchCIO.com, 04 Apr 2001
What are the basic elements of e-business security? Daniel Amor, in his book The e-Business (r)Evolution, published by Prentice Hall PTR, discusses how most people view the components of electronic business security.
Once the company intranet is secure, it is possible to start communicating over the Internet. Organizations and people describe their needs for information security and trust in terms of five major requirements: confidentiality, integrity, availability, legitimate use and non-repudiation. Confidentiality is necessary to control who gets to read the information and to conceal it from everyone else. Integrity must ensure that information and programs are changed only in a specified and authorized manner, and that the data presented is genuine and was not altered or deleted in transit. Availability must ensure that authorized users have continued access to the information and resources. Legitimate use means that resources cannot be used by non-authorized persons or in a non-authorized way.
These five components may be weighted differently depending on the particular application. A risk assessment must be performed to determine the appropriate mix. A number of different technologies can be used to ensure information security.
Confidentiality and integrity can be implemented through cryptography, which offers a high degree of security. Once the data is encrypted, no one without the key is able to tell what the information is about. Through strong authentication it is possible to ensure that nobody unauthorized sees, copies or deletes a certain piece of information. With strong authentication and strong encryption in place, the only way to break in is to hold the certificate needed for authentication and the key needed for decryption. An authorization system prevents authenticated people from accessing resources in a non-authorized way. Non-repudiation requires a trusted third party that time-stamps outgoing and incoming communication and can verify the validity of a digital signature. Because the communication is time-stamped, it is easy to find out whether a certain e-mail was sent in time.
This alone does not suffice for end-to-end security: the customer's computer must also be protected. First of all, customers need to be educated about the security issues of the Internet. While they normally do not need additional technology to secure the communication (the browser and the mail program are capable of doing this), a digital certificate makes it easier for customers and businesses to make deals over the Internet.
A digital certificate allows customers to verify the real identity of the business, and vice versa, making it possible to build a trustworthy relationship between the two. Digital certificates are issued by trusted third-party organizations that are able to verify the identity of the certificate holder. These so-called certificate authorities issue the certificates and allow users to verify them at any given time. The only remaining problem for digital certificates is the lack of legal frameworks in individual countries.
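The two mechanisms described above, a certificate authority vouching for a holder's public key and a trusted third party time-stamping a signed message so the sender cannot later repudiate it, can be shown end to end in a few lines. The following is an added example, not code from the article or from Amor's book; it assumes Ed25519 signatures from Go's standard library, a constructed order message, and a simplified certificate and timestamp format (real deployments use X.509 and RFC 3161 tokens).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)
// Cert is a minimal certificate: the CA vouches for (Subject, PubKey) by signing both.
type Cert struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte
}
func certBody(subject string, pk ed25519.PublicKey) []byte {
	return append([]byte(subject+"\x00"), pk...)
}
// IssueCert is the CA's step, done only after it has verified the holder's identity.
func IssueCert(caPriv ed25519.PrivateKey, subject string, pk ed25519.PublicKey) Cert {
	return Cert{subject, pk, ed25519.Sign(caPriv, certBody(subject, pk))}
}
// Stamped is a message signed by the sender and countersigned by the time-stamping TTP.
type Stamped struct {
	Msg, Sig []byte // message and the sender's signature over it
	Time     int64  // Unix time assigned by the TTP
	TSASig   []byte // TTP's signature over (Sig, Time)
}
func tsaBody(sig []byte, t int64) []byte {
	return append(append([]byte{}, sig...), fmt.Sprintf("|%d", t)...)
}
// Verify checks the CA's certificate, the sender's signature and the TTP's timestamp.
func Verify(caPub, tsaPub ed25519.PublicKey, c Cert, s Stamped) bool {
	return ed25519.Verify(caPub, certBody(c.Subject, c.PubKey), c.CASig) &&
		ed25519.Verify(c.PubKey, s.Msg, s.Sig) &&
		ed25519.Verify(tsaPub, tsaBody(s.Sig, s.Time), s.TSASig)
}
// Demo runs the flow on a constructed order and returns (valid, valid after tampering).
func Demo() (bool, bool) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	tsaPub, tsaPriv, _ := ed25519.GenerateKey(rand.Reader)
	custPub, custPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCert(caPriv, "customer@example.com", custPub) // hypothetical subject
	msg := []byte("order 123: 10 units")                      // constructed sample message
	sig, now := ed25519.Sign(custPriv, msg), time.Now().Unix()
	s := Stamped{msg, sig, now, ed25519.Sign(tsaPriv, tsaBody(sig, now))}
	ok := Verify(caPub, tsaPub, cert, s)
	s.Msg[0] ^= 1 // any alteration in transit breaks the sender's signature
	return ok, Verify(caPub, tsaPub, cert, s)
}
func main() { fmt.Println(Demo()) }
```

Because the TTP signs over the sender's signature rather than the bare message, changing either the content or the recorded time invalidates the whole record, which is what gives the recipient proof of who sent what and when.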