ADT/February 2001 issue
OPEN SOURCE
E-business without security is not an option
By Graham Titterington and Paola Bassanese

Security gives a company a competitive advantage, protection of its assets and control over its own situation. Scarcely a day goes by without another headline story about an e-business security lapse resulting in either a loss of service to the organization's customers or a loss of privacy to its clients. We have recently seen Microsoft added to the hackers' collection of scalps. Only a small portion of the attacks is part of a criminal act such as fraud, but collectively these still add up to a massive loss. So why is the problem so intractable? E-business is about open access for customers, potential customers, suppliers, partners and mobile employees. IT security, on the other hand, has traditionally been about excluding people from systems. IT security is evolving into e-business security, a new approach that applies security techniques in a way that enables new business opportunities rather than excluding them. The environment in which e-business systems operate is continually evolving, introducing new threats, so security has to be continually re-assessed to keep up with the threat even when the applications themselves are not changing. Many security lapses, notably in e-banking applications, have occurred as a direct result of apparently minor changes being made to applications without fully assessing their security implications. Add software upgrades of all types, hardware reconfiguration, new services, increasing workloads, new viruses and the increasing sophistication of hackers, and the case for regularly reviewed security assessments is clear. Even a snapshot security assessment is far from simple.
An enterprise-wide network is complex; interactions with external organizations' systems about which not much may be known, malicious persons both inside and outside an organization, accidental risks, a multitude of system configuration settings with security implications, and large numbers of software applications with their interactions and access to shared data are just the starting point. The risks of accidental damage to systems need to be remembered. Most security breaches are committed by employees, and most of those are accidental. So designing systems to be as accident-proof as possible is an important part of a security policy, the "rules of the game" for a good security strategy. What can companies do about security? First, the right attitude can make a big difference. The required budget will never be obtained by preaching doom and destruction for those who fail to heed warnings. It is more persuasive to stress that e-business security is the key to enabling the business to go boldly into areas where it has never gone before, and to unlocking the utopia of e-enabled business. E-business without security is not an option. Security will inevitably cost a lot of money, but a skillful approach can minimize the cost. It may restrict the way business processes operate, but one of the main objectives of the security specialist has to be to reduce these restrictions to the absolute minimum. The issue is getting the right balance, the one that is most appropriate for the business. Second, throwing money and resources at trying to avoid the disaster that struck yesterday is not a good idea. Just as with systems development, the most sensible sequence is to start with a review of the requirements, then specify the protection needed, and then design and implement a shield. Once a company has a shield, it needs continuous maintenance in the form of regular security re-assessments and corrective actions.
So the cornerstone of e-business security is a "security policy." This mythical document (or set of documents) is a peculiar combination of requirements analysis, specification, design and operations manuals. The first part to address is the risk assessment. A trusted method should be used as a guide through the maze of deploying a security policy. For example, the BS7799 standard prescribes a strong process that is well tested, particularly for the earlier stages of producing a security policy. When a security strategy is planned, operational practices and products of many different types must be selected from a wide range. Products are still a difficult area. The industry is characterized by good point solutions, with little interoperability and still less integration between them. Many of the leading vendors are technology-led companies that have only been in operation for a short time. Mergers and acquisitions are widespread. This consolidation will encourage, but not ensure, more attention to producing integrated security solutions. Buying everything from one vendor does not guarantee an integrated solution. Buying security services as an alternative to providing infrastructure should be considered. Implementing security is complex, specialist staff members are scarce and services can provide a quicker route to market. But delegating responsibility for security is not a good idea: it is a core part of any business strategy, and managers must drive the actions that are taken to underpin their business and its initiatives. Security gives a competitive advantage, protection of assets and control over a company's situation. Security enables new business processes and greater efficiency and automation. Security is not just an insurance policy (important as that is); there are real benefits that can offset part of the cost of implementation. A manager should be selective, maximize the benefits and minimize the costs, but not ignore e-business security.
Security is like immunization: once a vaccine against malicious attacks is obtained, a system is less likely to be struck. What can security do for an organization? Trust is the foundation of e-business. E-business requires an organization to trust people it does not know. Good e-business security raises confidence in business associates to the level of confidence in partners found in traditional businesses, and imposes safeguards to limit and control the damage that impostors can do to the organization's information assets and IT systems. Everyone who trusts someone with information about themselves or their business must have confidence that that person will keep it secure. Security is an essential component of privacy policy. Having the highest ethical standards about using and disclosing information is pointless if hackers can walk in and steal the information at will. Allowing the violation of the privacy of personal data is itself an offense in the European Union states and several other countries. Allowing the disclosure of government information is an offense in almost every country. Throughout the world concern about personal privacy is increasing and is responsible for many customers avoiding involvement in electronic commerce. Growing a business requires it to build confidence among all its contacts. Protecting credit card details is the least of these requirements. How does security enable e-business? Security enables people and computers to access IT systems safely. For example, remote employees working away from the office, suppliers, customers, potential customers and business partners can be permitted to run processes and access data. Customers can find out when an order will be delivered, suppliers can find out when restocking is necessary, employees can obtain the information they need when they need it and business partners can work on collaborative projects. 
By allowing direct access to IT systems, the need for expensive call centers to act as filtering points can be avoided. Faster and better services can be offered. When computers interact directly with computers in other organizations, entire processes can be automated. However, much of this information is confidential and could be damaging to an organization if it were to get into the wrong hands. Security is needed to ensure that users only get to see, and change, information where they are authorized to do so.
Figure 1. Ubiquitous security applies security measures flexibly to specific parts of the e-business environment.
How are security needs changing? E-business is growing in complexity. For example, large organizations are using e-business systems to run their supply chains, often with thousands of suppliers. In some industries (such as the U.S. automotive industry), large corporations are coming together to share a combined supply chain management system. Across industries, organizations that entered e-business by Web-enabling a few applications are now moving toward putting all their IT assets into a Web-based infrastructure. These moves both increase the level of risk associated with Web-enablement and produce environments that are much more complex to protect. A single e-business application often involves customers, partners, suppliers and employees, many of whom have their own networks that become part of the e-business environment. Perimeter security, which focuses on protecting the outer boundary of the e-business environment, is outmoded in this scenario. In e-business the boundary is difficult to define, and in most cases it is so wide that many threats already lurk within it. Internal threats must be protected against too, and there is often no common security policy across the entire e-business environment. Zonal security, in which critical parts of the network are protected at their boundaries, is the next strategy.
However, this type is too inflexible for the needs of e-business. Organizations therefore need ubiquitous security, where security measures are applied flexibly to specific parts of the e-business environment. In this scenario each asset (that is, a process, processor or unit of data) is protected to the required level by a local defensive device such as an encrypted filestore or a local firewall (see Fig. 1). Getting the right security strategy An organization has to decide what its appropriate level of security is. The starting point is therefore to examine the business and its IT systems to determine the assets that are most important and the threats that the organization faces. This audit needs to consider: the business issues, the legal framework in which the organization operates, the operational implications of an attack, the organization's business profile and political prominence, and the needs of its partners. When considering possible solutions, the costs and benefits of the various options need to be evaluated. After an e-business system has been commissioned, a risk assessment must be performed regularly. Threats faced by the organization are continually changing. Inherent vulnerabilities of the e-business applications change as systems, and their usage, evolve. Risks change continually, so they have to be monitored. Countermeasures include detection, monitoring, prevention and damage limitation. Designing a security strategy is vital to the success of an organization. Choosing security products can be time-consuming, because the market is currently populated by niche players, rather than by integrated solutions. Choose an appropriate balance of tools and other measures, with an emphasis on cost-effectiveness. Once an organization has identified its security needs, it can start planning how to scope its security infrastructure. The security market is currently fragmented. 
There are various tools available that can counter different types of threats and attacks. These products may not be compatible when they are installed on the same system, so a lot of integration is needed to have a fully functional security infrastructure in place. Every organization has different security requirements according to its structure. For example, a dot-com company is focused on the need to get to market quickly, and overlooking security is a major risk. On the other hand, dot-coms have a great opportunity to get their security right, because their whole IT infrastructure is created from scratch. A "brick and mortar" company has to re-engineer its existing security and IT infrastructure to allow greater access, and restructure its policies to cater to thousands or millions of users. Because it is a traditional type of business, the security investment required to automate and e-enable its processes can be substantial. A "clicks and mortar" organization is a fully developed e-business that needs the most sophisticated security infrastructure to enable the smooth running of transactions and processes over wired networks and mobile devices. The technologies deployed here are disparate and have to integrate seamlessly. Access control and security are vital to all e-businesses and need to be fine-grained to protect the information held on the systems. PKI-based user authentication is one of the technologies that many e-businesses will find too expensive for their current needs, but this situation may change as unit costs fall. Without fine-grained access control, however, PKI is a waste of money: proving who a user is achieves nothing unless the system can then limit what that user may do. Determining the identity of a user is fundamental to all stages of an e-business transaction. Apart from direct use in authentication and authorization of users, the non-repudiation mechanisms for establishing whether transactions are completed depend on being able to prove who performed a transaction and when.
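As an added example (not code from the original article or from Ovum), the following Go program shows the two-stage proof of identity that the next paragraph describes, together with the "who and when" evidence that non-repudiation relies on: a salted, stretched password verifier for the knowledge factor, an Ed25519 challenge-response against a key held on the user's card for the possession factor, and a time-stamped transaction signed with that same card key. The user record layout, the purpose tags, the iterated-HMAC stretch, the sample password and the sample order are all constructed for this example; the stretch is an illustrative stand-in for a proper password KDF, not a recommendation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// UserRecord is what the server keeps after enrolment (layout constructed for this
// example): Salt and PassHash cover "something the user knows"; DevicePub covers
// "something the user has", since the matching private key never leaves the card.
type UserRecord struct {
	Salt      []byte
	PassHash  []byte
	DevicePub ed25519.PublicKey
}

// Iterated HMAC is an illustrative stand-in for PBKDF2/scrypt/Argon2; it slows
// offline guessing if the record leaks but is not a vetted password KDF.
const stretchRounds = 20000

func stretch(password string, salt []byte) []byte {
	out := []byte(password)
	for i := 0; i < stretchRounds; i++ {
		m := hmac.New(sha256.New, salt)
		m.Write(out)
		out = m.Sum(nil)
	}
	return out
}

// Enrol stores the knowledge factor as a salted, stretched verifier and the
// possession factor as the card's public key.
func Enrol(password string, devicePub ed25519.PublicKey) (UserRecord, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return UserRecord{}, err
	}
	return UserRecord{Salt: salt, PassHash: stretch(password, salt), DevicePub: devicePub}, nil
}

// CheckKnowledge compares verifiers in constant time.
func CheckKnowledge(rec UserRecord, password string) bool {
	return subtle.ConstantTimeCompare(rec.PassHash, stretch(password, rec.Salt)) == 1
}

// NewChallenge returns a fresh nonce; the server must accept each one only once.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Purpose tags stop an authentication response from ever passing as a transaction
// signature (or vice versa); the transaction message also carries the time.
func authMessage(nonce []byte) []byte { return append([]byte("auth:"), nonce...) }

func txnMessage(order []byte, at time.Time) []byte {
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(at.Unix()))
	return append(append([]byte("txn:"), ts...), order...)
}

// CardRespond is the card's side of the possession check: sign the challenge.
func CardRespond(cardPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(cardPriv, authMessage(nonce))
}

func CheckPossession(rec UserRecord, nonce, response []byte) bool {
	return ed25519.Verify(rec.DevicePub, authMessage(nonce), response)
}

// Authenticate needs both factors, so a stolen password or a stolen card alone
// fails. Both checks always run, so the error does not say which one was wrong.
func Authenticate(rec UserRecord, password string, nonce, response []byte) error {
	knows := CheckKnowledge(rec, password)
	has := CheckPossession(rec, nonce, response)
	if !knows || !has {
		return errors.New("authentication failed")
	}
	return nil
}

// The signed order binds "who" (the card key) to "when" (the timestamp).
func SignTransaction(cardPriv ed25519.PrivateKey, order []byte, at time.Time) []byte {
	return ed25519.Sign(cardPriv, txnMessage(order, at))
}

func VerifyTransaction(rec UserRecord, order []byte, at time.Time, sig []byte) bool {
	return ed25519.Verify(rec.DevicePub, txnMessage(order, at), sig)
}

func main() {
	cardPub, cardPriv, _ := ed25519.GenerateKey(rand.Reader) // generated on the card at issue time
	rec, _ := Enrol("correct horse battery", cardPub)
	nonce, _ := NewChallenge()
	fmt.Println("login:", Authenticate(rec, "correct horse battery", nonce, CardRespond(cardPriv, nonce)))
	sig := SignTransaction(cardPriv, []byte("buy 100 ACME"), time.Now())
	fmt.Println("order verified:", VerifyTransaction(rec, []byte("buy 100 ACME"), time.Now(), sig))
}
```

Replay protection is only half shown: a response for one nonce does not verify against another, but the server still has to record each nonce it issued and refuse it a second time. Note also that the last line of main verifies with a second call to time.Now(), so it prints false unless both calls fall in the same second; a real server would carry the timestamp it issued rather than re-reading the clock.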
Proof of identity for a user in e-business is usually based on a two-stage process involving something the user knows (which could be a PIN, a password or a piece of confidential information) and something the user has (usually a digital key that is stored on a smart card or on a SIM card in a mobile phone). Both of these can be stolen, and greater security requires something more directly connected with the person, such as voice recognition or a fingerprint. These technologies are rarely used at present, but are becoming more popular. Because the "something the user has" is a cryptographic key, cryptography is the root technology in the e-business world for proving identity, as well as for maintaining secrecy. Some tools are an essential part of e-business security. Threats strike at electronic processing speeds, so only an automated response can stop them. For example, an anti-virus tool is essential to detect a virus in a message. Security audit and assessment are tasks that could be done manually, but in practice they are so complex that they are best automated. For example, the audit needs to consider the exact version of every software product employed within the environment, and whether security patches have been applied to the operating system.
Figure 2. The four categories of e-business security tools.
There are four categories of e-business security tools: access security, communication security, content security and security management. Access security will be the most fertile ground for new products during the next two years, as the enabling technology develops rapidly within a profitable market. Organizations need fine-grained access security to control who can do what, down to an adequate level of detail. A non-exhaustive list of the types of security products found in each category follows.
Access security products include: user authorization management; user identification, including smart cards, biometric devices and password/PIN-generating "key fobs"; firewalls; and digital certification and PKI products.
Communication security products include: message encryption and Virtual Private Network (VPN) products.
Content security products include: content filtering to eliminate undesirable content from Web sites, files, databases and communications; encrypted filestores and databases; and virus detection.
Security management products include: security assessment, intrusion detection, vulnerability assessment, and support for the development and implementation of security policies.
Mobile devices, whether mobile phones or Personal Digital Assistants, currently offer limited capability as access devices to e-business systems because of the limited bandwidth and the slow switching speeds of most mobile networks. Mobile technologies do not yet provide secure communications with these devices. Current security is adequate for low-value business-to-consumer transactions or for passing messages to and from mobile employees, but not for providing general access into corporate IT systems. For now, organizations should restrict the access rights of mobile devices to the minimum level consistent with operational efficiency. Investment in security for mobile devices across an organization is a major expense, and at present it is unclear which mobile technologies will be the long-term winners. Soon bandwidth and switching speeds will improve, which will make it possible to implement secure communication to and from these devices and make more computationally complex transactions attractive. That will be the time to get serious about implementing a mobile access strategy. To keep down the cost of security, the first step should be to implement the types of measures that will give maximum return on investment.
At this stage, considering both insourcing and outsourcing solutions, depending on the level of expertise and the resources available, is a wise idea. If high levels of in-house expertise are present, as they are in many universities for example, open source products can be used. Many important security countermeasures do not require any immediate investment: for example, reconfiguring operating systems to close loopholes that can be exploited by hackers, changing all default passwords and disabling "guest" accounts. The global security environment E-business operates throughout the world, and the legal jurisdiction over transactions that cross boundaries is not clear. This, of course, makes it doubly important to secure the transactions so that legal redress never has to be sought. But the lack of accepted standards also affects dealings much closer to home. Strong user authentication is mostly based on digital certificates issued by certification authorities: a certificate binds a public key to a named person or organization, and the holder proves that identity by producing an "electronic signature" with the matching private key. When faced with a new certificate, users trust it and what it tells them to the extent that they trust the organization that issued it. The trust structure is hierarchical, so if they do not know the organization that issued the certificate they can ask who issued its "root certificate" and use that "grandparent" organization as the basis of trust. The best example of this trust structure so far in existence is Identrus, a membership body for banks and other regulated financial services companies throughout the world. Any Identrus member can be regarded as being equal in trust to one's own bank. But even trusted Certification Authorities issue different classes of certificates, reflecting the level of verification that they applied to checking each person's identity before issuing the certificate; a valid chain of signatures says nothing about how carefully that check was done. Lax verification of users when issuing certificates is the weakest part of the process defined in the PKI-based Internet Trust Model.
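The zero-cost measures mentioned above can be checked mechanically. As an added example, not from the article, the following Go program audits passwd- and shadow-format account data for accounts that need no password, guest-style accounts that are still enabled, extra UID 0 accounts, and hashes left in the world-readable passwd file. The sample files, the list of guest-style names and the finding texts are constructed for this example; confirming that a vendor's default password has actually been changed would additionally require trying the documented default against the stored hash, which this example does not do.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one weakness spotted in the account database.
type Finding struct {
	Account string
	Problem string
}

// Constructed sample files for this example; they are not taken from any real host.
const samplePasswd = `root:x:0:0:root:/root:/bin/sh
toor:x:0:0:spare root:/root:/bin/sh
guest:x:1001:1001:Guest:/home/guest:/bin/sh
ftp:x:14:50:FTP:/var/ftp:/sbin/nologin
legacy:ABcd12EfGh34I:1002:1002:legacy app:/home/legacy:/bin/sh
`

const sampleShadow = `root:$6$c0nstructed$notarealhash:11300:0:99999:7:::
toor:$6$c0nstructed$notarealhash:11300:0:99999:7:::
guest::11300:0:99999:7:::
ftp:*:11300:0:99999:7:::
`

// guestNames are account names installers commonly create for anonymous or trial
// access (an assumed list; extend it for the platform being audited).
var guestNames = map[string]bool{"guest": true, "anonymous": true, "demo": true}

func isLoginShell(shell string) bool {
	return !strings.HasSuffix(shell, "nologin") && !strings.HasSuffix(shell, "false")
}

// isLocked reports whether a shadow hash field prevents password login.
func isLocked(hash string) bool {
	return strings.HasPrefix(hash, "!") || strings.HasPrefix(hash, "*")
}

// AuditAccounts scans passwd and shadow text and returns findings in passwd order.
func AuditAccounts(passwd, shadow string) []Finding {
	hashes := map[string]string{}
	for _, line := range strings.Split(shadow, "\n") {
		f := strings.Split(line, ":")
		if len(f) >= 2 {
			hashes[f[0]] = f[1]
		}
	}
	var out []Finding
	for _, line := range strings.Split(passwd, "\n") {
		f := strings.Split(line, ":")
		if len(f) < 7 {
			continue // blank or malformed line
		}
		name, pw, uid, shell := f[0], f[1], f[2], f[6]
		if uid == "0" && name != "root" {
			out = append(out, Finding{name, "additional UID 0 account"})
		}
		hash, shadowed := hashes[name]
		if !shadowed {
			hash = pw // no shadow entry: the passwd field is authoritative
			if pw != "x" && pw != "*" && pw != "" {
				out = append(out, Finding{name, "password hash kept in world-readable passwd"})
			}
		}
		if hash == "" && isLoginShell(shell) {
			out = append(out, Finding{name, "no password required for interactive login"})
		}
		if guestNames[name] && isLoginShell(shell) && !isLocked(hash) {
			out = append(out, Finding{name, "guest-style account still enabled"})
		}
	}
	return out
}

func main() {
	for _, f := range AuditAccounts(samplePasswd, sampleShadow) {
		fmt.Printf("%-8s %s\n", f.Account, f.Problem)
	}
}
```

Run against real files the program would read /etc/passwd and /etc/shadow (the latter needs root); the point of the constructed sample is that each of the four findings corresponds to one of the free fixes the paragraph lists: lock or remove the guest account, set or lock the empty password, remove the spare superuser, and move the legacy hash into shadow.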
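The hierarchical trust walk described above, and the certificate classes that make a valid chain insufficient on its own, as an added example in Go (not from the article, Identrus or any real PKI). The Cert layout, the class numbering, the names and the separator-based encoding are constructed for the example, with Ed25519 signatures standing in for a CA's signature on an X.509 certificate.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Cert is a minimal stand-in for an X.509 certificate, constructed for this
// example: who it names, who issued it, the verification class the issuer
// applied (1 = e-mail address only, 2 = documents checked, 3 = in person),
// the subject's public key, and the issuer's signature over the other fields.
type Cert struct {
	Subject string
	Issuer  string
	Class   int
	Pub     ed25519.PublicKey
	Sig     []byte
}

// tbs is the "to be signed" encoding. Real certificates use DER; a NUL
// separator that cannot appear in names is enough for the example.
func (c Cert) tbs() []byte {
	return []byte(fmt.Sprintf("%s\x00%s\x00%d\x00%x", c.Subject, c.Issuer, c.Class, []byte(c.Pub)))
}

// SelfSign produces a root: issuer and subject are the same name.
func SelfSign(name string, pub ed25519.PublicKey, priv ed25519.PrivateKey) Cert {
	c := Cert{Subject: name, Issuer: name, Class: 3, Pub: pub}
	c.Sig = ed25519.Sign(priv, c.tbs())
	return c
}

// Issue lets a CA sign a certificate for subject with the stated class.
func Issue(ca Cert, caPriv ed25519.PrivateKey, subject string, class int, pub ed25519.PublicKey) Cert {
	c := Cert{Subject: subject, Issuer: ca.Subject, Class: class, Pub: pub}
	c.Sig = ed25519.Sign(caPriv, c.tbs())
	return c
}

// Validate walks from leaf through the supplied intermediates until it reaches
// an issuer in the trust store (the "grandparent" the text describes), checking
// each signature with the issuer's key. A chain can be perfectly valid and still
// worthless if the CA barely checked the subject, so the leaf's verification
// class must also meet minClass.
func Validate(leaf Cert, intermediates []Cert, roots map[string]Cert, minClass, maxDepth int) error {
	if leaf.Class < minClass {
		return fmt.Errorf("%q was verified at class %d, policy requires %d", leaf.Subject, leaf.Class, minClass)
	}
	byName := map[string]Cert{}
	for _, ic := range intermediates {
		byName[ic.Subject] = ic
	}
	cur := leaf
	for depth := 0; depth <= maxDepth; depth++ {
		// Trust anchors are consulted first, so a supplied intermediate cannot
		// impersonate a root merely by reusing its name.
		if root, ok := roots[cur.Issuer]; ok {
			if !ed25519.Verify(root.Pub, cur.tbs(), cur.Sig) {
				return fmt.Errorf("signature on %q does not verify under root %q", cur.Subject, root.Subject)
			}
			return nil
		}
		if cur.Issuer == cur.Subject {
			return fmt.Errorf("%q is self-signed but not a trust anchor", cur.Subject)
		}
		parent, ok := byName[cur.Issuer]
		if !ok {
			return fmt.Errorf("issuer %q of %q is unknown", cur.Issuer, cur.Subject)
		}
		if !ed25519.Verify(parent.Pub, cur.tbs(), cur.Sig) {
			return fmt.Errorf("signature on %q does not verify under %q", cur.Subject, parent.Subject)
		}
		cur = parent
	}
	return errors.New("chain exceeds maximum depth")
}

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(nil)
	root := SelfSign("Example Root CA", rootPub, rootPriv)
	caPub, caPriv, _ := ed25519.GenerateKey(nil)
	bankCA := Issue(root, rootPriv, "Example Bank CA", 3, caPub)
	userPub, _, _ := ed25519.GenerateKey(nil)
	alice := Issue(bankCA, caPriv, "alice@example.com", 2, userPub)
	roots := map[string]Cert{root.Subject: root}
	fmt.Println("class 2 policy:", Validate(alice, []Cert{bankCA}, roots, 2, 4))
	fmt.Println("class 3 policy:", Validate(alice, []Cert{bankCA}, roots, 3, 4))
}
```

The class check is deliberately separate from the signature walk: the chain proves only that each issuer vouched for the next, and the policy decision about how much vouching is enough for a given transaction belongs to the relying party, not to the CA.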
There are some emerging standards in the area, such as BS7799 (which, at the time of this writing, was expected to become an ISO standard before the end of 2000; its first part was published as ISO/IEC 17799 in December 2000) mentioned earlier, or the U.S./Canadian CPA WebTrust scheme. However, these do not guarantee security. They recommend good practice for implementing e-business security, but they need an accreditation framework built on top of them to monitor the execution of their recommendations. Business insurance companies are likely to encourage moves in this direction by offering lower premiums to e-businesses that can demonstrate that they have taken reasonable precautions to safeguard themselves. So why bother with e-security? The most powerful companies in the future will compete on the levels of information they have. Information security is therefore essential for maintaining competitive advantage. Customers and partners demand protection of the confidential and sensitive information with which they trust companies. The protection of digital assets is the key to success; what managers can do today is to start planning, and deploying, their own security strategy. Graham Titterington and Paola Bassanese are co-authors of Ovum's report "E-business security: New directions and successful strategies." Copyright 2001, 101communications LLC.