Privacy vs. cybersecurity: the advantages of doing business over the Internet are tremendous--but only if enterprises can ensure exchanging information in cyberspace is secure. (Tech Trends).


At the Core

This article:

* Discusses the conflicting roles of privacy and security for Internet communications

* Gives ways to secure information exchanged across the Internet

Cyberspace is a playground for information seekers: Enlightening articles and digital encyclopedias can be accessed from anyone's desktop. The Internet enables highly productive workflows for electronic document collaborators. Postal service and other forms of physical document delivery have been eliminated in some businesses as electronic mail has replaced paper correspondence, and Web sites enable information distribution without significant digital "shipping" charges. Unfortunately, the immediate benefits of using the Internet to communicate and share information often postpone consideration of the long-range consequences of doing business electronically--until a crisis occurs.

Interaction with Web sites increasingly demands personal information. Ordering products online requires personal shipping addresses and credit card information. Sharing data often requires trusting business partners across open network architectures and relying on unknown data security infrastructures to complete transactions. When data and documents are transferred across poorly controlled networks and repositories of personal data are accumulated in hidden databases, the potential for corrupted information or compromised personal privacy increases. The integrity of business transaction records may be questionable, and individuals may become victims of identity theft or fraud.

Clearly, security and privacy are becoming major issues for the Internet's personal and business users. The communications speed and document-management advantages of Internet use are tremendous, but these conveniences are diminished when users must proceed cautiously because of a lack of confidence in the robustness of security or real concerns about misuse of Internet-based information.

Privacy, Security, or Both?

Are maintaining privacy and ensuring security conflicting, incompatible goals? High states of security for Internet communications may require limiting access to well-documented individuals or organizations. Such documentation may itself invade individual privacy or organizational needs for confidentiality. After the 2001 terrorist attacks in the United States, many increased security measures were demanded. These included increased security inspections at airline check-in locations, better readiness for emergency response, and an overall increase in data gathering and surveillance of both citizens and immigrants.

Similar demands for new levels of attention to physical security, data protection, and user authentication are occurring for computer systems use. New expectations regarding data gathering and surveillance have been met with some resistance by both civil libertarians and the general public.

Similar dilemmas challenge organizations that seek to determine the extent to which employees should be monitored in the workplace and constrained on the job with increased security and strict privacy policies. There is no question that limiting access to a computer system increases the overall security of the system. There is also no question that gathering detailed information about computer users assists in identifying potential system saboteurs or criminals intent on taking advantage of unwary individuals. The trade-off, however, is that computer systems that are limited to a few users or generally difficult to access are not cost effective.

Policies dictating computer security measures must be strictly enforced for security efforts to be universally effective. For instance, rigorous control of passwords is a simple but effective first step in ensuring that only appropriate individuals can access systems. Education of computer users regarding their responsibilities and the potential consequences of system compromise is also critical. Control of physical entry to computer servers and networking components is vital to ensure that only authorized personnel have access. Security must be stringent so that computer systems are "trustworthy," or individuals and organizations will not use them. Computer security must be robust and seamless, thus guaranteeing a comfort level to ensure comprehensive and effective use.

In addition, there are many dangers in globally gathering data about individuals without their knowledge or permission. Any databases of personal information even remotely connected to the Internet must be secure against compromise. When computer security is breached, the professional and business credibility of the organization responsible for the compromised system drops rapidly. In addition to the quantifiable loss of digital assets, there is the potentially incalculable loss of future business income that might occur, and it may be impossible to know what additional damages may occur over time. In cases where personal or corporate injury can be credibly alleged, legal action can result with damages awarded to plaintiffs.

The first wall of defense against Internet subterfuge or attack is enforcement of policies and procedures developed to ensure that system integrity is not compromised and personal privacy is protected.

Document Transmission Protection

Security technologies can enhance the privacy of information and the confidentiality of documents exchanged across the Internet. Whereas password control is considered to be a system administrative function, some technologies impart increased system security simply by their implementation. System-embedded security controls that can enhance the privacy and confidentiality of information processed across Internet architectures include data encryption, digital signatures, secure sockets layer (SSL), and cryptographic protocols such as hypertext transfer protocol over SSL (HTTPS).

Data encryption is one of the original means of protecting information; it has been used for centuries by both spies and lovers to send messages. Encryption "scrambles" data with a secret numeric "key" added to a document's computer code. Others with the secret key can "unscramble" the data, thus ensuring that only authorized viewers can see the information. This symmetric "private key" data encryption method was later modified into an asymmetric "public key" approach when more sophisticated means of creating the keys resulted in an ability to generate "key pairs," one of which could be made publicly available.

Public keys are posted on the Internet where they can be accessed by anyone. The ability to locate the publicly available part of a key pair enables individuals that do not know each other to send and receive information across networks securely when they are both participating in the public key infrastructure (PKI).

Digital signatures depend on public key cryptography, an existing PKI, and the ability to obtain a digital certificate from a certificate authority (CA). CAs serve as third-party authenticators to confirm an organization's or individual's identity. When a digital certificate from a CA is attached to a transmitted document or transaction record, the recipient can verify that the message's senders are truly the entities they purport to be. By encrypting the document or transaction, even more security can be applied to the document-transmission process.

SSL technology first appeared with version 1.0 of Netscape Navigator Internet browser software. This network communications protocol was embedded in the client browser software to provide a secure, encrypted user interaction with Netscape's Web server systems. Similar protocols were quickly offered by Microsoft, and eventually an SSL 3.0 version was used by the Internet Engineering Task Force (IETF) to develop transport layer security protocol (TLS) as an Internet standard. SSL/TLS implementations exist in most Internet browsers today and enable software to avoid having to continually perform public key encryption/decryption for every interaction between computer systems. This is done through a cached "master secret" code, preserved between connections during a session. The result is a secure encrypted connection that is transparent to the user.

SSL/TLS technology can run on a variety of network communications protocols but was created to operate with transmission control protocol/Internet protocol (TCP/IP), the standard used to support most Internet interactions. However, SSL/TLS should be interacting with a server running a cryptographic protocol such as HTTPS to ensure that passwords are properly protected. SSL/TLS protocol requires additional computational overhead and may not be available from all Web sites or Internet service providers (ISPs). One can tell if an Internet browser interaction with a Web server is using this secure protocol by looking to see if the address window in the browser says https://www.YYZ.com instead of simply http://www.YYZ.com.

These protocol and encryption technologies are robust when implemented properly and can address most privacy and security concerns. However, they primarily protect records from interception, or "man-in-the-middle" attacks. The assumption is that a hacker might gain access to a network, intercept communications, and pretend to be an authorized user. Such security and privacy invasions actually are not as common today as more direct attacks against Web servers or client software. Personal computers used to interact with the Internet, as well as Web servers that host data, must be protected against attack. Standard computer security measures such as password protection, security policies, and network firewalls must be used as well.

Attacking Private Data

Despite the variety of information-protection technologies that are useful for keeping networks and documents secure, there are several features of Internet interactions that can pose a threat to privacy or confidential information. Web surfers should recognize that sharks lurk in the waters, watching every move. Consequences can range from suddenly receiving electronic junk mail from a Web site that profiled a user's interests to receiving credit card charges for goods or services never purchased. Each interaction with Web-based information resources can result in data gathered and compiled for purposes that the user never agreed to.

When individuals "register" at a Web site, such as Disney.com or Amazon.com, the data entry screen often asks for name, address, sex, e-mail address, shipping location, and credit card number. Supposedly, this information is protected by the Web site operator's privacy policies. But to what extent are these policies really implemented and enforced? Who, precisely, do these statements bind among the Web site's systems support staff? Such concerns typically cannot be addressed through auditing, because Web site operators consider their own business activities to be private. The user has no choice but to trust the Web site operator not to abuse the privilege of receiving confidential information.

"Cookies" are another convenient way for Web sites to gather information about users. A cookie is a block of text characters that a Web server places on a user's personal computer by using HTTP protocol when Web pages or images are transmitted. The original purpose of cookies was to enable a complex application to work better by remembering the pages a user had visited previously. Depending on how they are implemented, cookies can reveal a lot about a computer user's activities and may divulge personal information about the user's preferences or computer systems interactions. (Editor's Note: Also see article by Cunningham on page 52)

Log files are created on most computer systems that indicate logins, brief identities, dates/times of interaction, and applications used. These log files can exist on both the Windows client and on the Web server that hosts an application. Such files may include the "history" file and "temp" files that are created when an individual uses a browser to surf the Internet from site to site. The purpose of these files is to make it easier and quicker for the software to assist the user in seeing previously visited sites and to help computer screens load more quickly. In addition, as server software becomes more complex, site operators may not be aware of the entire set of Web log files created on their own servers.

For example, Web server logs may include the name and IP network address of a computer accessing the server, the time of the access request, the pages requested, and the kind of browser used. This information could be cross-correlated with mail server and other system logs to determine actual identities of individuals accessing the system and their interests in information. All of these log files can be used surreptitiously by computer hackers to invade privacy or download confidential information. Only the use of personal and host networking protection software can begin to preclude this misuse of information.
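As an added illustration (not part of the original article), the following Python sketch lets a site operator audit what the log fields listed above reveal about each visitor. It assumes the widely used "combined" access log format; the sample lines, addresses, user name and paths are constructed, and `minimize` is a hypothetical retention step, not something the article prescribes.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Combined format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample input (documentation address ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.44 - - [11/Apr/2002:09:14:02 -0400] "GET /health/diabetes.html HTTP/1.0" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
192.0.2.44 - jsmith [11/Apr/2002:09:15:40 -0400] "GET /account/orders HTTP/1.0" 200 2048 "http://www.example.com/health/diabetes.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.7 - - [11/Apr/2002:10:01:13 -0400] "GET /index.html HTTP/1.0" 200 1024 "-" "Mozilla/4.78 [en] (X11; U; Linux 2.4.7 i686)"
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def profile_clients(log_text):
    """Group records by client address: what the log alone says about each visitor."""
    profiles = defaultdict(lambda: {"users": set(), "pages": [], "agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate truncated or corrupted lines
        p = profiles[rec["host"]]
        if rec["user"] != "-":
            p["users"].add(rec["user"])  # an authenticated name ties the address to a person
        p["pages"].append(rec["path"])
        p["agents"].add(rec["agent"])
    return dict(profiles)


def minimize(rec):
    """Hypothetical retention step: keep traffic statistics, drop identifying detail."""
    try:
        ip = ip_address(rec["host"])
        prefix = 24 if ip.version == 4 else 48
        host = str(ip_network(f"{ip}/{prefix}", strict=False).network_address)
    except ValueError:
        host = "redacted-host"  # the host field held a resolved name, not an address
    return {
        "host": host,
        "time": rec["time"].replace(minute=0, second=0),  # hour granularity only
        "path": rec["path"],
        "status": rec["status"],
    }


if __name__ == "__main__":
    for host, p in profile_clients(SAMPLE_LOG).items():
        print(host, sorted(p["users"]), p["pages"], sorted(p["agents"]))
    print(minimize(parse_line(SAMPLE_LOG.splitlines()[1])))
```

In the sample, a single authenticated request is enough to attach a user name to every earlier anonymous request from the same address, which is the cross-correlation risk the paragraph describes.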

Privacy Protection Responsibilities

Log files are of even more concern given legislation now under consideration in the United States to encourage ISPs to share information and voluntarily disclose data to government agencies without a court order. Both privacy advocates and ISP operators are concerned about the personal and legal ramifications of such broadly sweeping information disclosures.

Today's computer systems require constant vigilance to ensure that information being transmitted is being used appropriately. Internet users must protect their personal workspace and investigate the stated policies and actual workplace procedures of Web site operators that they regularly visit to ensure that any required actions are taken to protect privacy. As familiarity with security and privacy technologies grows, organizations and individuals will make more comfortable decisions about how to best apply them to facilitate interaction with friends, associates, and business partners across the Internet.

READ MORE ABOUT IT

SSL Protocol: http://developer.netscape.com/docs/manuals/security/sslin/contents.htm (accessed 11 April 2002).

Firewalls: www.interhack.net/pubs/fwfaq/ (accessed 11 April 2002).

Digital Signatures: www.softwareindustry.org/issues/1digsig.html (accessed 11 April 2002); www.youdzone.com/signature.html (accessed 11 April 2002).

Privacy and Human Rights: www.cato.org/pubs/wtpapers/991201paper.html (accessed 11 April 2002).

John T. Phillips, CRM, FM, is the owner of Information Technology Decisions, a management consulting firm. He has more than 20 years' experience in information resources management specializing in automated records management systems and other technology related areas. He can be reached at john@infotechdecisions.com.
COPYRIGHT 2002 Association of Records Managers & Administrators (ARMA)
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Author: Phillips, John T.
Publication: Information Management Journal
Geographic Code: 1USA
Date: May 1, 2002
Words: 2277