E-commerce multiplies security needs

The Internet has shattered one of the fundamental rules of commerce — to always know who you are doing business with. According to Mark Greene, this phenomenon has created an increased need for caution, security and re-evaluation of common business practices.

Greene, vice-president of security for the network computing software division at IBM Corp. in Somers, N.Y., spoke recently in Toronto about the increased role of security that e-business has brought about.

Adopting a pilot project for doing Web-based transactions is usually where the first “security chasm” lies with companies, Greene said, which is one reason more firms have not progressed to include e-commerce functionality on their Web sites.

“Approximately 85 per cent of North American businesses are still stuck in this first phase of preparing a simple Web presence. And only about five per cent are involved in advanced transactions.”

Greene quoted a recent Business Week study which revealed that 80 per cent of companies feel “security is the leading barrier to expanding electronic links to customers and partners,” and an Ernst & Young survey which stated that 54 per cent of corporations “experienced significant financial loss through the inappropriate or malicious use of computer systems.” And companies with transaction-based Web sites experienced losses about seven times higher than this, Greene said.

“So the more business you do on the Web, and the more transactional your Web site is, the greater your security risk will be.”

The traditional Internet as we know it is giving way to pervasive computing, Greene said, which includes technologies such as PKI, host integration, Smart Cards and a multiplicity of front-end systems, mobile devices and appliance-based Web surfers.

“We are headed towards a world in which millions of businesses and billions of consumers are interacting through such devices. So, from the standpoint of security, we are faced with a world where we have to manage the secure access of all those types of devices on a variety of back-end systems.”

Today the average large company has not only a central system or mainframe but also 10 or 20 subsystems, both internally and across extended enterprises, he said.

“As a result, a common refrain you hear these days is that one simply can’t enforce – at any reasonable cost – a common business-oriented security policy across the enterprise.”

According to Greene, the cost of implementing and maintaining security within a company is growing by leaps and bounds.

“It used to be the norm, even for e-businesses, that the cost of implementing and operating your security should be approximately three to five per cent of your total IT budget. But we find many organizations actively engaged in the Internet are now spending upwards of 15 per cent of their budgets on security.” And depending on the type of business, it is not unheard of for companies to spend more than half their budget on ensuring the security of their systems, he added.

The amount of money being exchanged daily by many businesses is upwards of millions of dollars, Greene said. “Companies are phenomenally attracted to the Internet as a way of cost-savings and great communications access, but they are scared to death of losing that much money.”

Businesses need to assess the ability of their current security infrastructure to support electronic commerce, giving special attention to their vulnerability to internal attacks, Greene continued.

“When we think of e-business and losses through security violations, we tend to suspect ‘the other guys’ – somebody out there, and indeed that is a source of loss. But the majority of financial losses still occur from insider employee access.”

In order to address these problems, IBM has introduced an Application Framework for e-business, which includes development and integration, application server software and security and management features. At the core is the Secure Network Platform, which addresses the areas of policy-based and centralized security management, Greene said.

The platform, which will be available in April, includes SecureWay software, Intrusion Immunity virus detection, a security policy director, PKI functionality, a secure business server and a security tool-kit.

“So now you can identify who you are doing business with, detect the anomalies in the security world that those entities work in, process your assets and develop new applications that utilize this security infrastructure,” he said.