THINK TANK: Secure the future
- 01 October, 2001 15:44
Although organisations have moved online in droves, many are yet to embrace the re-engineered business models needed to take full advantage of this new channel of opportunity. In an environment of information sites and limited transactions, security, usually in the form of firewalls, plays a protective role. Yet the key to successful e-business is not so much combating threats as grasping opportunities.
Currently, online threats fall under the protective banner of security and are addressed with reactive technology, such as antivirus software. While antivirus technology may save time and money, it doesn't give organisations new business opportunities. Instead, organisations should be looking to couple e-business-enabling security technology - access authorisation, authentication and PKI - with organisational policy, to gain the essential tools to capitalise on the new economy. This approach also lets organisations maximise the benefits of e-business, including cost savings, an expanded customer base and geographic scope, economies of scale, and new service and revenue streams.
E-business security has assumed an enabling position because business issues drive the adoption of e-business, not technology hype. A business manager doesn't simply wake up one morning and say: "I need to buy a PKI today." In reality, they become aware of an online business issue or opportunity and seek the right technology to address it.
But technology alone won't solve an online business issue. Organisations need to develop policies and procedures to help them focus on the business issues and to build an appropriate security profile. A security policy, for instance, can help organisations establish a balance between employee privacy concerns, employer obligations to protect employees, and business issues such as the protection of intellectual property when monitoring e-mail and Internet use. Security technology without a supporting policy is basically useless: it's like putting the best locks on all your doors and windows but leaving the front door unlocked when you leave the house. Furthermore, you can extend this physical-world analogy to help explain how e-business security works. If you are out in the garden, you would probably close the front door but you are unlikely to deadlock it. If you go down to the corner store you would deadlock the front door. If you went on holidays you would lock all windows and doors, engage the alarm and take maximum security precautions.
Similarly, not all online transactions require the highest level of security. To display mildly sensitive information, a user name and password are sufficient. If you take it a step further and provide classified information, or information relevant only to a particular individual, authentication and authorisation are more appropriate. For a complete transaction facility with ordering and delivering capabilities, a full PKI combined with appropriate authorisation tools is the best option.
Online security also rests on the same four cornerstones as security in the physical world: authentication, integrity, non-repudiation and confidentiality.
If an organisation such as the Australian Taxation Office wants to save money by offering online services, it needs to do a number of things. First of all, it will need a trusted method to identify the taxpayer. It will also need to ensure non-repudiation so that the originator cannot deny sending the information. It should have a system to ensure transaction integrity to know that the information has not been tampered with. And finally, it needs to provide confidentiality so customers are confident that the transaction has remained private.
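As an added illustration of the four cornerstones in the tax-lodgement scenario (example code written for this page, not the article's or the ATO's), this Go program has the taxpayer sign the return with a private key whose public half is registered with the ATO, then encrypt the signed bundle to the ATO's public key; the ATO decrypts and verifies, so an altered return or one signed by someone else is rejected. The key pairs, the return text and the bundle layout are constructed assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Seal: the taxpayer signs the return (authentication, integrity, non-repudiation)
// and encrypts the signed bundle to the ATO's public key (confidentiality).
func Seal(taxpayer *ecdsa.PrivateKey, ato *rsa.PublicKey, ret []byte) ([]byte, error) {
	h := sha256.Sum256(ret)
	sig, err := ecdsa.SignASN1(rand.Reader, taxpayer, h[:])
	if err != nil {
		return nil, err
	}
	// bundle = 1-byte signature length | signature | return body (assumed layout)
	bundle := append(append([]byte{byte(len(sig))}, sig...), ret...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, ato, bundle, nil)
}

// Open: the ATO decrypts with its private key, then checks the signature against
// the taxpayer's registered public key; tampering or a wrong signer is rejected.
func Open(ato *rsa.PrivateKey, taxpayer *ecdsa.PublicKey, sealed []byte) ([]byte, error) {
	bundle, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, ato, sealed, nil)
	if err != nil {
		return nil, err
	}
	if len(bundle) < 1 || 1+int(bundle[0]) > len(bundle) {
		return nil, fmt.Errorf("malformed bundle")
	}
	n := int(bundle[0])
	sig, ret := bundle[1:1+n], bundle[1+n:]
	h := sha256.Sum256(ret)
	if !ecdsa.VerifyASN1(taxpayer, h[:], sig) {
		return nil, fmt.Errorf("signature invalid: tampered content or wrong signer")
	}
	return ret, nil
}

func main() {
	taxpayer, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ato, _ := rsa.GenerateKey(rand.Reader, 2048)
	sealed, _ := Seal(taxpayer, &ato.PublicKey, []byte("return: tfn=PLACEHOLDER income=54000")) // constructed
	got, err := Open(ato, &taxpayer.PublicKey, sealed)
	fmt.Printf("%s %v\n", got, err)
}
```

A short return fits in a single RSA-OAEP block; a real deployment would wrap a symmetric key there instead, and would bind the taxpayer's public key to an identity through a certificate from the certificate authority the article refers to.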
Online medical records have similar requirements if all parties are to be satisfied with the security of communicating sensitive data over the Web. Doctors want to increase customer care and patients want better service without any increase in fees. Current technology lets doctors access and exchange information with other health service providers, such as pathology centres and health insurers. However, a high level of security is needed for the transfer of this type of sensitive data over the Internet.
Until organisations can offer these assurances online, there won't be high-value online transactions and business will not fully leverage online functionality. The channel has a vital role to play in educating customers about security and how it works to improve and increase online transactions. Until consumers are confident about the security of transacting over the Internet, e-commerce and e-business will not come of age. Most people are aware of viruses and many organisations are aware of enabling security, such as access authorisation, but many don't know how to use such security technology properly and hence there is still a protection approach rather than an enabling one.
Some organisations are also critical of the increasing amount of money spent on security, as the business benefits are not always obvious. They fail to realise that they are easy targets for breach-of-security incidents. This is understandable because few companies have internal security experts to help them and security tends to be lumped into one generic basket, instead of differentiating between the different tasks and types of security that apply to different aspects of the business.
The channel is in an excellent position to advise on policy and procedure matters as it is involved in the process of re-engineering many organisations towards e-business. It is certainly worthwhile for the channel to take a more active role since 15 per cent of a typical system deployment is dedicated to security. Of this 15 per cent, 30 per cent is product and 70 per cent is services and policy development.
There is a lot of opportunity for the channel to take a more active role. As well as implementation expertise, the channel can facilitate the provision of managed security services in partnership with a specialist security organisation. This also allows for the development of an annuity-based income stream as security services can be provided on a pay-per-user/per-month system.
Along with security services, the channel could also profit from the development of security-based applications. The shift from complex in-house PKI implementations to readily accessible PKI services from certificate authorities means the channel can focus on providing services rather than building infrastructures.
Public certificate authorities provide a greater number of opportunities for the channel to deliver PKI-enabled business applications. Software developers should leap at this opportunity. Any system that is Internet-enabled is a perfect fit with PKI. Developers can take PKI vendors' developer kits and PKI-enable their applications. Systems integrators are re-engineering most businesses to take advantage of some or all elements of e-business. This is a prime opportunity to implement PKI as a value-add solution.
The support for PKI is abundant. The channel and its customers need to understand that security is not just about protection but about enablement, and that it is flexible enough to meet any organisation's online needs.