Issue dated - 24th February 2003


Defining success in e-business

Surendra Singh elaborates on the advantages of creating a trusted e-business environment

The global economy has undergone major changes in the last decade. E-Business has become an integral component of everyday life—from online banking and brokerage transactions, to chip-based smart cards and e-contracts. Consider the data assets that are being exposed to facilitate any one of these activities.

As more and more companies leverage the Net to grow corporate profits, the number of applications that use public key security and digital certificates has increased. Establishing the trust carried by certificates, and managing the use of keys, is critical to the proper deployment and maintenance of these applications. To succeed in this task, companies require systems that simplify and centralise the definition and administration of key and certificate management policies and procedures.

At present, companies require digital certificate management systems that let them conduct secure, cost-effective e-business while providing a flexible and scalable way of managing digital identities. Such a system should be built to integrate easily into the existing IT environment, i.e. an open, modular architecture that helps ensure a timely and cost-efficient deployment. It should be a public key infrastructure (PKI)-based certificate management solution that provides the essential elements of a robust security solution: strong authentication, data confidentiality, integrity and non-repudiation.

Network security is paramount to corporations that store sensitive data digitally. Data that is stored on a network, or passed from one user to another over it, must be protected both from malicious attacks and from the random errors to which the digital medium is susceptible.

To be sure that the data is secure, a security policy that ensures entity authentication, non-repudiation, data integrity, data confidentiality and authorisation is an absolute necessity.

In a secure system, entity authentication is required so that users can be satisfied that they are communicating only with the person, corporation or system they intend to communicate with. For example, users sending their credit card number across a network to make a purchase want to be certain that they are dealing with the genuine merchant rather than a fraudster who may steal the card number. Authentication establishes who the merchant is; once that identity is verified, the user can decide whether to trust it and send the card details with greater confidence.
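The merchant check described above, written out as an added example (it is not code from the article or from RSA Security): a small Go program builds a constructed PKI entirely in memory using Ed25519 keys, with one root the customer trusts, one rogue root, and leaf certificates for the hostnames shop.example and other.example, then runs the verification a customer's client performs before sending anything sensitive. The CA names, hostnames and helper names (newRootCA, issueServerCert, AuthenticateMerchant) are assumptions made for the example. It covers the two independent failures a practitioner has to handle: a certificate from a root the customer never trusted, and a perfectly valid certificate from a trusted root that names a different host.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mustCert signs tmpl with the parent's key and parses the DER back into a
// *x509.Certificate. (Helper written for this example.)
func mustCert(tmpl, parent *x509.Certificate, pub crypto.PublicKey, signer crypto.Signer) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newRootCA creates a self-signed CA certificate and its private key.
func newRootCA(name string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return mustCert(tmpl, tmpl, pub, priv), priv
}

// issueServerCert has a CA bind a hostname to a freshly generated key. The
// leaf's private key is not needed in this example, so it is discarded.
func issueServerCert(ca *x509.Certificate, caKey ed25519.PrivateKey, host string, serial int64) *x509.Certificate {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(tmpl, ca, pub, caKey)
}

// AuthenticateMerchant is the customer-side check: the presented certificate
// must chain to a root in the customer's trust store AND name the host being
// contacted. Either failure means the card number must not be sent.
func AuthenticateMerchant(trusted *x509.CertPool, presented *x509.Certificate, host string) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: trusted, DNSName: host})
	return err
}

// AuthOutcome records the three cases a client must get right.
type AuthOutcome struct {
	GenuineAccepted   bool // trusted root, correct hostname
	ImpostorRejected  bool // correct hostname, but a root the customer never trusted
	WrongHostRejected bool // trusted root, but a certificate for another host
}

// RunAuthScenario builds the constructed PKI and runs the three checks.
func RunAuthScenario() AuthOutcome {
	trustedRoot, trustedKey := newRootCA("Example Trusted Root")
	rogueRoot, rogueKey := newRootCA("Rogue Root (anyone can mint one)")

	pool := x509.NewCertPool()
	pool.AddCert(trustedRoot) // the only root the customer trusts

	genuine := issueServerCert(trustedRoot, trustedKey, "shop.example", 100)
	impostor := issueServerCert(rogueRoot, rogueKey, "shop.example", 101)
	otherHost := issueServerCert(trustedRoot, trustedKey, "other.example", 102)

	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	return AuthOutcome{
		GenuineAccepted:   AuthenticateMerchant(pool, genuine, "shop.example") == nil,
		ImpostorRejected:  errors.As(AuthenticateMerchant(pool, impostor, "shop.example"), &unknownCA),
		WrongHostRejected: errors.As(AuthenticateMerchant(pool, otherHost, "shop.example"), &badHost),
	}
}

func main() {
	o := RunAuthScenario()
	fmt.Printf("genuine merchant accepted:       %v\n", o.GenuineAccepted)
	fmt.Printf("self-minted CA rejected:         %v\n", o.ImpostorRejected)
	fmt.Printf("trusted CA, wrong host rejected: %v\n", o.WrongHostRejected)
}
```

Two caveats worth keeping in mind when reading it. First, a chain that validates is not enough on its own; the name in the certificate must match the host actually being contacted, which is why the third case is rejected even though a trusted CA issued it. Second, Verify does not consult CRLs or OCSP, so a compromised merchant key that has been revoked would still pass this check; revocation handling is one of the ongoing management tasks the article refers to and must be added separately.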

Data confidentiality plays a major role within the transaction framework. Sensitive data, including business plans or financial transactions, must be safeguarded from prying eyes. Data confidentiality allows the transfer and storage of data with the knowledge that only those who are supposed to see the data will have access to it.

Data integrity systems ensure that the message sent and the message received are the same. To see the importance of using a data integrity system, consider the case of an online banking transaction.

For example, a user sends a request to move $400,000 from one account to another, but in the course of transmission a chance error or a malicious attacker alters that amount to $4,000,000. Both parties, the end user and the bank, would suffer severe consequences. Data integrity mechanisms inform the recipient when the message received matches the message sent, and perhaps more importantly, indicate when they do not match.

Non-repudiation gives a recipient the confidence that the sender cannot later deny having sent the data. This is important in financial transactions, where someone may wish to refuse a bill by claiming that they never requested the service in the first place.

Using a system that provides non-repudiation, the service or data provider can produce evidence, checkable by a third party, that the request was made and that the bill is legitimate. In practice this means a digital signature made with a private key that only the requester holds; a check based on a secret shared with the provider cannot settle the dispute, because the provider could have produced it too.

Sensitive data stored on a network requires policies to administer access rights. Authorisation services let an administrator check an entity's access privileges before it is allowed to reach the data, or even before confirming to it that the data exists.

So, organisations require security solutions that meet the five requirements for digital security:

  • Entity authentication
  • Non-repudiation
  • Data integrity
  • Data confidentiality
  • Access control

Cryptographic theory is the basis on which this secure environment is built. By meeting these security needs, banking organisations can provide trust in intranet, extranet and Internet environments alike.
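The $400,000 transfer and the non-repudiation requirement above, played out in code as an added example that is not part of the article: the customer signs the request with an Ed25519 private key that only they hold, the bank verifies it with the customer's public key, and the same check detects the in-transit change to $4,000,000. The block also runs the shared-key HMAC alternative to make the caveat concrete: a MAC gives integrity but not non-repudiation, because the bank, holding the same key, can compute a valid tag itself. The account numbers, the nonce field and the shared secret are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Transfer is the constructed request from the article's banking example.
// The Nonce field is an assumption added here: it stops a genuine, correctly
// signed request from simply being replayed.
type Transfer struct {
	From   string `json:"from"`
	To     string `json:"to"`
	Amount int64  `json:"amount_usd"`
	Nonce  string `json:"nonce"`
}

// canonical gives signer and verifier exactly the same bytes to work on.
// encoding/json emits struct fields in declaration order, so this is stable.
func canonical(t Transfer) []byte {
	b, err := json.Marshal(t)
	if err != nil {
		panic(err)
	}
	return b
}

// SignTransfer: the customer signs with a private key only they hold.
func SignTransfer(priv ed25519.PrivateKey, t Transfer) []byte {
	return ed25519.Sign(priv, canonical(t))
}

// VerifyTransfer: the bank checks with the customer's public key. A true
// result means the fields are exactly what was signed (integrity) AND that
// only the holder of the private key could have produced the signature
// (the basis for non-repudiation, provided the key was never shared).
func VerifyTransfer(pub ed25519.PublicKey, t Transfer, sig []byte) bool {
	return ed25519.Verify(pub, canonical(t), sig)
}

// MACTransfer and CheckMAC are the shared-key alternative. They detect
// tampering just as well, but because both sides hold the key a valid tag
// proves only that someone with the key made it: integrity without
// non-repudiation.
func MACTransfer(key []byte, t Transfer) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(canonical(t))
	return m.Sum(nil)
}

func CheckMAC(key []byte, t Transfer, tag []byte) bool {
	return hmac.Equal(tag, MACTransfer(key, t))
}

func mustKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IntegrityOutcome records what each check returned.
type IntegrityOutcome struct {
	OriginalVerifies bool // expected true
	TamperedVerifies bool // expected false: $400,000 became $4,000,000 in transit
	BankCanForgeSig  bool // expected false: the bank does not hold the customer's key
	BankCanForgeMAC  bool // expected true: the bank holds the shared MAC key
}

// RunIntegrityScenario plays out the article's example with constructed data.
func RunIntegrityScenario() IntegrityOutcome {
	custPub, custPriv := mustKeyPair()
	_, bankPriv := mustKeyPair() // the bank's own key; it never sees custPriv

	req := Transfer{From: "ACC-1001", To: "ACC-2002", Amount: 400000, Nonce: "c0ffee01"}
	sig := SignTransfer(custPriv, req)

	tampered := req
	tampered.Amount = 4000000 // chance error or attacker on the wire

	// A dishonest bank tries to pin the larger amount on the customer.
	forged := tampered
	bankSig := ed25519.Sign(bankPriv, canonical(forged))

	sharedKey := []byte("constructed-shared-secret-between-customer-and-bank")
	bankTag := MACTransfer(sharedKey, forged)

	return IntegrityOutcome{
		OriginalVerifies: VerifyTransfer(custPub, req, sig),
		TamperedVerifies: VerifyTransfer(custPub, tampered, sig),
		BankCanForgeSig:  VerifyTransfer(custPub, forged, bankSig),
		BankCanForgeMAC:  CheckMAC(sharedKey, forged, bankTag),
	}
}

func main() {
	o := RunIntegrityScenario()
	fmt.Printf("original request verifies:         %v\n", o.OriginalVerifies)
	fmt.Printf("tampered ($4,000,000) verifies:    %v\n", o.TamperedVerifies)
	fmt.Printf("bank can forge customer signature: %v\n", o.BankCanForgeSig)
	fmt.Printf("bank can forge shared-key MAC:     %v\n", o.BankCanForgeMAC)
}
```

Run it with `go run`: the signature path accepts the original and rejects both the altered amount and the bank's forged request, while the HMAC path accepts the bank's tag, which is exactly why a secret shared between two parties cannot settle a dispute between those same two parties. In a deployed system the customer's public key would itself be bound to the customer by a certificate (the entity-authentication piece) and the private key would live on a smart card or token rather than in a file, since non-repudiation only holds as long as nobody else could have used the key.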

Let’s take a look at an example: a leading credit organisation (X) that provided investment, working capital and payment systems to more than 300 credit organisations across the nation. X made an extensive line of products and services available to its clients through a sophisticated Internet-based extranet.

Though X already had a PKI solution in place, it required a more robust, scalable, industrial-strength PKI to meet the unique security requirements of its extranet. After deploying one, X’s member credit organisations today access the extranet using strong authentication and encryption, which gives them the protection they require and lets X expand its product and service offerings safely and securely when necessary.

How it helped
The solution served several purposes. First, it ensured that each credit organisation had access only to its own data. This maintained confidentiality among members, assuring each credit organisation that it could pursue its own competitive strategy in complete privacy. In addition, digital certificates gave X an audit trail for its extranet: X knows which credit organisation accessed what information and when, and, specifically, which user’s credentials were used to gain access.

What’s most important, though, is that X could operate a highly secure system without being bogged down by continual maintenance and administration. For instance, when migrating to the new solution it did not have to regenerate its existing certificates; it ran the two systems in parallel and, as a result, drastically reduced time-to-production. In today’s highly competitive and fast-paced financial arena, this is an important capability.

Conclusion
In a world of open network computing, it is important to correctly identify all parties to a transaction. This is especially true in the vertical segments where high value, transaction-oriented Web applications are commonplace. It is incumbent on security professionals to implement security solutions that allow for a trusted e-commerce environment.

The author is the country manager, India and SAARC region, at RSA Security

© Copyright 2000: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in
Mumbai by The Business Publications Division of the Indian Express Group of Newspapers.