Policy As Important As Parts In e-Business Security

So you’re thinking about implementing some security measures for your new e-business, but you’re unsure of what to do?

Well, first let’s back up. When did you decide you needed to be secure: the first time your company sat down to set a strategic direction for your new transaction-capable Web site; or, in the wake of the recent “Love Bug” worm and February’s denial of service attacks against Yahoo, Amazon, et al?

According to the experts, timing is everything. And if you didn’t invite a security representative to the table for e-business planning sessions right from the start, you’re making the same mistakes as the companies you read about being victimized by hackers, or even more commonly, employees.

“What companies often overlook about e-security is the entire concept of e-security,” Victor Keong, a senior manager of e-business technology and security for Deloitte and Touche in Toronto, said bluntly. “It’s not that they don’t think it’s valuable, they have other priorities — explosive growth.”

Keong compared the frenzied buying approach of many high tech companies to that of someone buying up a whole neighbourhood of nice homes, but forgetting to lock the doors.

“They wait until a situation balloons and their names are on the front pages of The Globe and Mail, and they have to react,” Keong said. “The cost of security goes up a factor of 10 afterwards.”

Security comes before e-business

Frank Printz, a security analyst of e-business infrastructure for Forrester Research in Cambridge, Mass., said companies backing into e-business are also to blame for the increasing amount of Internet security breaches.

Many enterprises have had Web sites for years, Printz pointed out, but often it was merely a place to upload annual reports or information about the company. ‘If hackers knock the site down, oh well, we’ll just reload it,’ Printz said was most companies’ general attitude at the time.

“The trajectory that companies had in development of their Web sites lulled them into a false sense of security, because now all of a sudden when they’re actually doing business on the Internet, security concerns become much greater, but they didn’t do it through the front door,” Printz said.

The result is that those same security lapses that once played havoc on an information-only Web site could destroy the future of a company’s new transaction-capable Web site. “On the Internet, business is largely about confidence and your ability to deliver, so if either of those things is damaged, you don’t have a business to be slowed down,” Printz warned.

What to do then to correct the errors in security strategy, or plug existing security holes? Begin by assessing what your company wants to do in e-business and how much risk you’re willing to take. Are you going on-line to take advantage of the booming business-to-business market (which research suggests could reach US$7.5 billion by 2004), or to peddle your wares directly to the bounty of customers surfing the Web? In the former instance, you might find the possibility that someone might deface your site to be acceptable, and a cost and risk of doing business. In the latter case, you might find that same possibility to be unacceptable because you will have to shut down the site for repairs, eliminating user access.

Assessing needs

Once these core objectives and security comfort factors have been established, there are three primary issues to resolve in determining what type of security software, hardware, and processes you will want to install, said Abner Germanow, an Internet security analyst for International Data Corp. in Framingham, Mass.

Authenticating users — This can be accomplished through a variety of methods, including IDs and passwords and Secure Sockets Layer (SSL) technology, which protects information as it travels from the client to the server. There is also Public Key Infrastructure (PKI) technology, which works like a passport that companies issue to their clients, and tokens, a technology widespread in Europe that gives customers a one-time-only password. Currently, both tokens and PKI are time-consuming to implement, and PKI is extremely expensive (a company’s initial outlay for the technology could range from $400,000 to $1 million), but both protect companies from consumer fraud better than the alternatives. Germanow predicts that within two years these types of authentication technologies will be easier for customers to use than IDs and passwords.
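As an added illustration of the one-time-password tokens mentioned above (example code written for this page, not code from the article or from any vendor it names): a counter-based one-time password in the HMAC construction standardized in RFC 4226, paired with the server-side check that accepts each code exactly once and rejects a replayed one. The shared secret is the RFC’s published test key, and the look-ahead window of three codes is an assumed policy value.

```python
# Added example, not from the article: counter-based one-time passwords (HOTP,
# RFC 4226) as a hardware or software token would generate them, and the
# server-side check that makes each code usable exactly once.
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Generate the HOTP code for a shared secret and a moving counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226 s5.3)
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server-side state for one customer's token.

    The server keeps its own copy of the counter.  A submitted code is accepted
    only if it matches a counter at or slightly ahead of the server's (the
    look-ahead window tolerates a few button presses that never reached the
    server), and accepting it advances the counter past that value, so the same
    code can never be replayed.  Window size 3 is an assumed policy value.
    """

    def __init__(self, secret: bytes, window: int = 3) -> None:
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, code: str) -> bool:
        for candidate in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1      # burn this and any skipped codes
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test secret; a real deployment provisions a random one per token.
    secret = b"12345678901234567890"
    verifier = TokenVerifier(secret)
    first = hotp(secret, 0)                       # what the token displays first
    print("code:", first,
          "accepted:", verifier.verify(first),
          "replay accepted:", verifier.verify(first))
```

The verifier’s counter only moves forward, which is what makes the password “one-time”: a code captured from a customer is worthless once the genuine submission has been accepted, and a code from an earlier counter is refused outright.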

Authorization of users — or basically determining what they have access to. Many companies might want to offer more options and information to a user depending on the relationship, whether customer, employee, partner, or premium customer.

Processing transactions — including what happens after the customer’s information reaches your server. Too often, companies neglect to protect their own environments behind the Web server, thereby leaving customer information open and at risk.

“One of the problems you hear about most frequently is people breaking into systems and stealing 300,000 credit card (numbers),” Printz noted. “You could have designed that system so that the credit cards never resided on your system. That is, you had live validation in the back end of your system directly to the credit card service provider, and you never had to retain anything.”
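The authorization and transaction-processing concerns above, together with Printz’s point that card numbers need never reside on the merchant’s own system, as an added example in Python (written for this page; not code from the article or from any of the firms it quotes). The relationship names, the permitted actions, the MockCardProvider standing in for the card service provider’s live validation, and the card numbers (the Luhn-valid test number 4111111111111111 and a deliberately broken one) are all constructed for illustration.

```python
# Added example, not from the article: a checkout path that checks what the
# caller's relationship permits, validates the card live with the provider,
# and retains only a masked reference, never the card number itself.
import secrets
from dataclasses import dataclass
from typing import List, Optional

# Authorization: map each relationship to the actions it may perform.
# Anything not listed is denied (deny by default).  Constructed policy.
PERMISSIONS = {
    "customer": {"browse", "checkout"},
    "premium_customer": {"browse", "checkout", "early_access"},
    "partner": {"browse", "bulk_pricing"},
    "employee": {"browse", "order_admin"},
}


def is_authorized(relationship: str, action: str) -> bool:
    """True only if the relationship explicitly grants the action."""
    return action in PERMISSIONS.get(relationship, set())


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, the standard first sanity check on a card number."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class MockCardProvider:
    """Constructed stand-in for the card service provider's live validation.

    It answers with an authorization code or None.  The merchant keeps the
    code for reconciliation and refunds; the card number stays with the provider.
    """

    def authorize(self, pan: str, amount_cents: int) -> Optional[str]:
        if amount_cents <= 0 or not luhn_valid(pan):
            return None
        return "auth_" + secrets.token_hex(4)


@dataclass(frozen=True)
class OrderRecord:
    """What the merchant retains: enough to reconcile, nothing a thief can charge."""
    order_id: str
    last4: str
    auth_code: str
    amount_cents: int


def process_checkout(relationship: str, pan: str, amount_cents: int,
                     provider: MockCardProvider,
                     store: List[OrderRecord]) -> Optional[OrderRecord]:
    """Authorize the caller, validate the card live, persist a masked record.

    Returns None if the provider declines; raises PermissionError if the
    relationship does not permit checkout at all.
    """
    if not is_authorized(relationship, "checkout"):
        raise PermissionError(f"{relationship!r} may not check out")
    auth_code = provider.authorize(pan, amount_cents)
    if auth_code is None:
        return None
    record = OrderRecord(
        order_id=secrets.token_hex(8),
        last4=pan[-4:],
        auth_code=auth_code,
        amount_cents=amount_cents,
    )
    store.append(record)
    return record


def store_retains_pan(store: List[OrderRecord], pan: str) -> bool:
    """Audit helper: does any retained record contain the full card number?"""
    return any(pan in str(record) for record in store)


if __name__ == "__main__":
    orders: List[OrderRecord] = []
    rec = process_checkout("customer", "4111111111111111", 1999,
                           MockCardProvider(), orders)
    print(rec)
    print("full card number retained:",
          store_retains_pan(orders, "4111111111111111"))
```

The point of the design is that a break-in to the merchant’s order store yields last-four digits and provider authorization codes, not chargeable card numbers, so the “300,000 credit card numbers” scenario Printz describes has nothing to steal.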

Then again, Printz said a company often has a good security system — SSL behind the Web server, proper firewalls, an intrusion detection system — yet it still gets burned, because the company chooses to administer its own security.

“To have the system administrator have the security rights…is a little bit like having the fox in the henhouse,” Printz suggested. “Because 50 to 80 per cent…of security breaches come from internal sources.”

Outsource option

His advice? Unless your security needs are very high or very specific (as in financial institutions), or your company’s too big for a security firm to handle, outsource your security needs, preferably to a technology-agnostic, best-of-breed solution provider.

“If you think you know how to manage your security, you’re probably wrong,” Printz said. “I’ve done internal surveys of vendors, and asked them, ‘Of your customers, how many of them do you think shouldn’t be running their own security systems?’ And the answers range from 20 to 50 per cent.

“Security is hard, and most organizations don’t have the money or the wherewithal to have a dedicated staff to do it,” he pointed out. “If you decide to put in a new router, a new network segment, a new kind of computer, a new database, a new application, each one of those requires an adjustment in your security at the level of monitoring and maintenance and management. It’s a lot to keep up with.”

Both Germanow and Keong agreed. As for the costs, Germanow said companies should realize security is never a static cost, and should not expect an end-all solution. Again, doling out funds comes down to the company’s priority on e-business, added Germanow.

“Is this some sort of pet project, or is this the entire strategic direction of the entire company?” he asked. “If the company is betting itself on e-commerce, then skimping on security is irresponsible, because you’re essentially giving up the store.”