July 2001
Vol. 4, No. 7, pp 61–62, 74.
sites and software


E-commerce and network security are not simple; diligence is needed to prevent loss.

After hackers disfigured the Chanel Web site in January, a rash of jokes ensued about the vandalism. Which one did you hear: that they couldn’t duck the animal hactivists?

Security breaches could, at the very least, make your company the butt of bad jokes. But they also cause other problems, the least of which are the expense and extra work required to fix the visible damage. The loss of trust, confidence, and respect exacts a far higher financial toll. Take Microsoft, for example, where an intruder allegedly had access to highly sensitive information for days, if not weeks or months. Do you know of any other companies whose success depends on their trade secrets?

In spite of these problems, e-business is here to stay. With the savings and efficiencies gained by using the Web, playing it safe by staying off the Internet exacts too great a toll. With good security processes in place, a company can thrive from the increased productivity that e-commerce brings. It is no longer enough to have a firewall and use secure sockets layer (SSL) technology, for security is much more than technology. Securing information involves determining what resources need to be protected, at what levels, and from what perceived threats.

Network security
Network security describes systems that protect networks, such as a local area network (LAN) or wide area network (WAN). Different techniques are used to create a trusted zone in these networks. Firewalls protect your network by permitting only specified traffic to enter it from the outside (from the Internet, for example). In other words, firewalls are a type of access control for networks. Because of the Internet, firewalls have come to play an important role in modern business technologies. In large organizations, firewalls also separate internal networks from each other, keeping an intruder in one network from gaining access to another or preventing unauthorized access by employees to certain files.

Firewalls divide the information technology world into two parts: the inside, trusted zone and the outside, untrusted zone. They function like locks on doors and windows, keeping uninvited folks out. Like physical locks, firewalls must be maintained. The best lock in the world will not protect your house if you forget to lock it or if you leave a key under the doormat. If your business is to thrive, it is important that firewalls not block needed traffic and frustrate your users. It is hard to bring groceries into your house if the door locks behind you every time it closes. To work effectively, firewall rules and policies must support your business.

There are many security issues, however, that firewalls cannot help with. For example, they cannot restrict undesired behavior by your employees, whether negligent or intentional, on your network. To the firewall, each insider is equal. Nor can firewalls protect your network from viruses that are brought to it on floppies or tunneled. Tunneling makes a secure connection over the Internet between remote clients and Web servers (or private networks). Malicious or buggy code can enter a network in this manner. Other security processes, such as virus protection and access control, take care of these situations.

Intrusion detection
Intrusion detection systems provide additional layers of protection. Like motion detection systems for homes, they are designed to protect your resources after someone has breached the door or window locks. These systems can detect and log suspicious activity, alert appropriate personnel, and block the anomalous behavior on your network or its constituent hosts.

Intrusion detection systems vary from broad, multipurpose tools to highly specialized tools that look for specific features or activities. An example of a broad tool is a network sniffer, which monitors and analyzes network traffic so that a network manager can keep it flowing efficiently. Sniffers can also capture data sent over the network. Although sniffers were originally developed for administrators needing to troubleshoot problems, they were quickly adapted by hackers to access information such as passwords and files.

Weakness of security
A major weakness of firewalls and intrusion detection systems is that they must be managed continuously. This can be a major drain on information technology departments already overburdened with ongoing administration and management tasks.

One solution is outsourcing. Outsourcing firewall and intrusion detection management provides companies with a large pool of security expertise in vulnerabilities and patches and brings them economies of scale.

Network security is necessary, but security zones for businesses cannot be all-or-nothing—business demands interactions and the flow of information to its partners, suppliers, contractors, distributors, and channels, as well as its employees. If the Internet is the natural carrier of such capabilities, application-level security is the immune system that protects resources accessed through the Web.

E-commerce security
Companies are doing more and more business on the Web as interactions become faster and less expensive. And while gyrations on the stock market and the crash of many dot.com firms have distracted investors, there will be no retreat from e-business. The Web’s new efficiencies, however, bring more security concerns.

The basic needs of Web and regular security are the same. You need to know that users, internal or external,

  • are who they say they are (authentication),
  • have permission to do what they want (authorization),
  • are accessing information that cannot be altered or read in transit (data integrity and encryption),
  • can be held responsible for their actions (accountability), and
  • can make agreements with sites that are legally enforceable (notarization).

And, of course, all these functions must be easy to manage and transparent to the end user.

Doing business over the Web consists of a chain of events; various products and techniques are used to secure the parts of the chain. With that fact in mind, below are descriptions of the main categories of security needs.

Authentication comes in two major levels: strong and standard. A “personal identifier” (name) and something you know (password) are the standard level. If a higher level of security than passwords is needed, people can be required to “have something” as well as “know something”. The have-something category includes biometrics (e.g., fingerprints), tokens, smartcards, and a private or public key infrastructure (PKI) key.

Solutions for authentication usually vary in a large organization; senior accountants, for example, need to access sensitive financial data, but a salesperson should not have access to the same data. Individuals accessing highly sensitive data need strong authentication, while standard authentication works for other employees. Technologies supporting flexible authentication and authorization are readily available.

Authorization also needs to be established for the different parties with whom you do business. To return to the home analogy, just because you have invited someone into your house does not mean that the person has the right to examine your tax returns or read your love letters. Authorization provides the same controls for digital environments. You may be collaborating with company A on a business deal but competing with them on a different contract. Obviously, you would not want all your information to be available to them. In this case, only people authorized according to your business rules should be able to access the relevant information.

In addition, access controls can limit resources down to individual records in a database and work with authentication. Within large databases, groups or individuals can be granted access to different information using tools that offer fine-grained access control. Different levels of authentication may be demanded on the basis of what information is accessed. Senior employees may not need to pass stringent security to see the company’s annual report, but they may later be asked to pass higher security to see unreleased financial information. These kinds of flexible authorization are necessary for e-commerce.
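The authorization and step-up authentication rules described above, sketched as an added example (not part of the original article). The resource names, roles, and the `decide` function are hypothetical, chosen to mirror the annual report and unreleased financials cases in the text.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    NONE = 0
    STANDARD = 1  # name plus password ("know something")
    STRONG = 2    # password plus token, smartcard, biometric or PKI key


@dataclass(frozen=True)
class Session:
    user: str
    roles: frozenset
    auth_level: AuthLevel


# Constructed policy: resource -> (roles allowed, minimum authentication level)
POLICY = {
    "annual_report": (frozenset({"sales", "accounting"}), AuthLevel.STANDARD),
    "unreleased_financials": (frozenset({"accounting"}), AuthLevel.STRONG),
}


def decide(session, resource):
    """Return 'allow', 'step_up' or 'deny' for this session and resource."""
    rule = POLICY.get(resource)
    if rule is None:
        return "deny"  # default deny: resources without a rule are not served
    allowed_roles, required = rule
    # Authorization first, so users who may never see the data are not
    # prompted for stronger credentials.
    if not (session.roles & allowed_roles):
        return "deny"
    if session.auth_level < required:
        return "step_up"  # right role, but must re-authenticate at a higher level
    return "allow"


if __name__ == "__main__":
    accountant = Session("senior_accountant", frozenset({"accounting"}), AuthLevel.STANDARD)
    for res in ("annual_report", "unreleased_financials"):
        print(res, decide(accountant, res))
```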

Data integrity means that data are not changed in transit. Generally, a hash is made of the data, and an automatic comparison is made between the expected hash and the received one. A hash is the result of transforming a string of characters into a fixed-length value or key that represents the original data. Hashes can be compared quickly, and because even small alterations change the hash value, a mismatch shows that data integrity has not been maintained. Whether the change is small and inadvertent or large and significant, a difference is registered and the data are resent.
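The hash comparison and resend described above, as an added example (not part of the original article); SHA-256, the function names, the sample message, and the key are assumptions. It goes one step beyond the text by also showing a keyed hash (HMAC), because a plain hash that travels with the data detects accidental change but can be recomputed by anyone who alters the data deliberately.

```python
import hashlib
import hmac


def digest(data):
    """Fixed-length SHA-256 hash representing the data."""
    return hashlib.sha256(data).hexdigest()


def verify(data, expected):
    """Compare the hash of what arrived with the hash that was expected."""
    return hmac.compare_digest(digest(data), expected)


def receive(send, max_attempts=3):
    """Request the message until a copy passes the check; return (data, attempts)."""
    for attempt in range(1, max_attempts + 1):
        data, expected = send()
        if verify(data, expected):
            return data, attempt
    raise IOError("integrity check failed on every attempt")


def flaky_sender(message):
    """Constructed channel: flips one bit on the first transmission only."""
    state = {"calls": 0}

    def send():
        state["calls"] += 1
        expected = digest(message)
        if state["calls"] == 1:
            return bytes([message[0] ^ 0x01]) + message[1:], expected
        return message, expected
    return send


def mac(key, data):
    """Keyed hash (HMAC-SHA-256): only holders of the shared key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_mac(key, data, tag):
    return hmac.compare_digest(mac(key, data), tag)


if __name__ == "__main__":
    order = b"PO-1001: ship 40 units"       # constructed sample message
    print(receive(flaky_sender(order)))      # corrupted copy rejected, resend accepted
    key = b"constructed-shared-key"          # constructed key, for illustration only
    altered = b"PO-1001: ship 90 units"
    # Recomputed plain hash passes; the keyed tag made for the original does not.
    print(verify(altered, digest(altered)), verify_mac(key, altered, mac(key, order)))
```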

Encrypting messages prevents eavesdropping. Reliable, efficient encryption schemes are obviously necessary for any business using the Web. PKI combines encrypting data with strong authentication and is the basis of securing most e-business transactions. PKI is a two-key system. One key, the public key, is available to everyone and can be used to encrypt data but not access it. The matching private key, kept by only one person, is used to unlock the data.

PKI is highly scalable, but certificate management is cumbersome (certificates associate each public key with an individual), and so more-limited uses of salient parts of PKI technologies are widespread. SSL, the de facto encryption standard for Internet transactions, uses parts of PKI technology, as do virtual private networks (VPNs), which establish secure point-to-point pathways through the Web and other public networks. Internet protocol security (IPSec) helps implement VPNs and extends security services to multiple Internet protocols, parties, security domains, and types of platforms.

Accountability is often taken lightly by people when they are on the Internet; however, it is important in an e-business environment. Audit trails are used to track important changes in order to make users accountable. However, audit trails must be as flexible as the business processes that they service. That is, audit trails must be configurable, allowing administrators to focus attention on regions that are either more valuable or more prone to attack.

People who conduct business over the Internet may also need proof of their actions, as, for example, when they are signing a contract or making a trade, so that they cannot later deny that they authorized the action (nonrepudiation). PKI supports such digital signatures. For additional security, the signatures can be time-stamped.

Security vendors have made great progress in developing tools that extend your protected network into the open e-commerce world; detect would-be intruders; hold users accountable for their actions; stop malicious code encrypted in messages from reaching its targets; and let you, the owner of the Web site or application server, decide who gets to access what. And best of all, these procedures and tools are transparent to your users. Today, security solutions enable your people to work better and faster than ever before.

Este Armstrong is a program marketing manager for Ubizen, an e-commerce security firm. Send your comments or questions regarding this article to mdd@acs.org or the Editorial Office by fax at 202-776-8166 or by post at 1155 16th Street, NW; Washington, DC 20036.
