PKI Security In The New Extranet Marketplace.
To achieve its full potential, however, e-commerce must deliver the same levels of privacy, integrity, and trust that traditional business practices enjoy. Furthermore, online business processes using the Internet must mirror the binding, contractual qualities of existing paper processes. Several security technologies have been applied to e-commerce to secure transactions: passwords, firewalls, and Virtual Private Networks (VPNs) all contribute to partial online success (Fig 1). Yet only the recent developments of digital certificates and secure extranets permit companies to conduct online business as safely as if it involved traditional paper.
When remote communications policies were introduced, corporations initially played a defensive game. Remote users proliferated and local users wanted email access to the outside world. Corporations, therefore, looked at their internal operations and asked, "How do we defend our employee desktops, company files, and internal operations from intrusions? How do we protect our enterprise-centric world from viruses, hackers, and thieves?"
The defensive answer was firewalls--a hardware and software buffer between an internal corporate network and external users. Corporate intranets use firewalls, Personal Identification Numbers (PINs), and passwords to block unauthorized remote users. These methods are not fully secure for several reasons: they do not offer a strong proof of identity, they do not provide a comprehensive audit trail of user activities, and they are easily lost, shared, or stolen. According to one study, 40 percent of all help desk calls involve lost or forgotten PINs/passwords--a lot of overhead for a system with incomplete security.
Corporate intranets also posed business problems. Corporations wondered if they were being too defensive to take full advantage of the Web. Might companies profit from an offensive, e-commerce strategy that welcomed outsiders--customers, suppliers, and partners--into internal systems? Might online business processes--that is, changing internal systems from static and protected to dynamic and open--be more efficient?
Extranets And VPNs
Extranets use the Internet to take business--and the internal systems that support business--online. Extranet users ideally have access to company systems that reflect their involvement in the company's business such as paying invoices, placing orders, or collaborating on product designs. With such important information being placed online, extranets ought to be secure. Security, however, initially took a back seat to economy as companies fashioned e-strategies.
Businesses looked for a way to replace costly private leased lines with the public Internet. If they could achieve the same level of security available with passwords and leased lines by using the public network, they were saving money and making progress. Hence, Virtual Private Networks (VPNs) were born.
VPNs offer a rudimentary extranet. They use an assortment of protocols to encrypt a private path for business over the Internet. The VPN path is so much cheaper to use than the dial-in technology of leased lines that some companies estimate they save between $1,000 and $2,000 per employee per month with a VPN.
Information exchange across a VPN, however, is only protected as long as businesses control both ends of the path. Organizations using either leased lines or a VPN, therefore, take a risk: they trust remote users not to pry into a corporate database where they don't belong and not to edit data inappropriately. Businesses are eager, therefore, to take e-commerce security to a higher level.
What makes an extranet truly secure is a set of technologies that implements trust. This business trust--traditionally implemented by paper documents--is characterized by four elements:
* Data confidentiality and integrity
* Finely grained access control
* Audit trails
* Non-repudiation, or the guarantee that once a transaction occurs, neither the originator nor the recipient of the transaction can deny that it took place.
These elements are available through digital certificates. Chosen at first by institutions with high-level security needs such as governments and banks, digital certificates are becoming more popular as a broad range of businesses seeks Internet security.
The digital certificate is a passport to the extranet. Installed in a browser or on a smart card, a digital certificate authenticates the certificate holder. Certificates extend extranet access and authority to users based on their roles and business privileges, while also ensuring the confidentiality and integrity of the data that users send, receive, and access.
Digital certificates use a Public Key Infrastructure (PKI). The most robust security technology established to date, a PKI is a collection of Internet technologies that manage mathematically related public and private keys and digital certificates. Within a PKI, a Certificate Authority (CA) issues digital certificates in the same way the Department of Motor Vehicles issues legal documents authenticating both institutions and individuals.
Certificate-based authentication offers greater data confidentiality and integrity than regular PIN/password systems because its algorithms would take even the most sophisticated hackers years to crack. Digital certificates improve upon VPN-based access control by granting users access that can be as particular as reading one file. Digital certificates also offer the security of audit trails.
Audit trails tell network managers who is doing business on the network and what users are doing. Unlike VPNs, which may offer some level of audit trails, digital certificates support the following kind of record: John Smith from Company X accessed the site of Company Y at 9:40 a.m. on Monday, September 13th. Smith read Company Y files 1, 2, and 3, and updated Company Y files 4 and 5. Because Smith's digital certificate does not authorize him to read or modify files other than 1-5, Company Y's data and processes are protected (Fig 2).
The data integrity, access controls, and audit trails provided by digital certificates are not available through firewalls, passwords, and VPNs. But digital certificates contain another critical feature for online commerce: the digital signature. A digital signature allows business partners to sign binding documents electronically, while it prohibits unauthorized parties from becoming involved.
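The four elements listed earlier (confidentiality and integrity, fine-grained access control, audit trails, non-repudiation) and the John Smith audit record above can be put into working code. The following Go program is an added example, not code from the article or from GTE CyberTrust. A hypothetical "Company Y Extranet CA" issues an Ed25519 client certificate to John Smith; the extranet (the relying party) authenticates each certificate against that CA, verifies the holder's signature over the transaction (the binding that gives non-repudiation), enforces a per-user file access list and writes one audit line per authenticated request. The names, file identifiers and access list are constructed for the example; the "action|file" message format and the panic-on-error issuance helper are simplifications, not a real CA's process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Extranet trusts one CA, holds an access list (subject CN -> action -> files) and keeps an audit trail.
type Extranet struct {
	roots *x509.CertPool
	acl   map[string]map[string][]string
	Audit []string
}

// makeCert generates an Ed25519 key pair and has the parent CA sign a client-auth
// certificate for it; a nil parent yields a self-signed CA. It stands in for a real
// CA's issuance process (constructed example), so errors are simply fatal.
func makeCert(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // self-signed CA: the parent is the template itself
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, tmpl.ExtKeyUsage = true, true, x509.KeyUsageCertSign, nil
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, priv
}

// Handle authenticates the certificate against the trusted CA, verifies the holder's
// signature over "action|file", enforces the access list and records the decision.
func (e *Extranet) Handle(cert *x509.Certificate, action, file string, sig []byte) error {
	opts := x509.VerifyOptions{Roots: e.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("authentication failed: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, []byte(action+"|"+file), sig) {
		return fmt.Errorf("signature does not verify: request is not bound to the certificate holder")
	}
	cn, allowed := cert.Subject.CommonName, false
	for _, f := range e.acl[cn][action] {
		allowed = allowed || f == file
	}
	e.Audit = append(e.Audit, fmt.Sprintf("%s %s %s allowed=%v at %s", cn, action, file, allowed, time.Now().Format(time.RFC3339)))
	if !allowed {
		return fmt.Errorf("%s is not authorized to %s %s", cn, action, file)
	}
	return nil
}

// RunScenario replays the article's John Smith example with constructed data: reads of
// files 1-3 and updates of files 4-5 are allowed; an update of file 6, a request altered
// after signing and a certificate from an untrusted CA are refused. One error per request.
func RunScenario() (*Extranet, []error) {
	ca, caKey := makeCert("Company Y Extranet CA", nil, nil)
	smith, smithKey := makeCert("John Smith", ca, caKey)
	rogueCA, rogueKey := makeCert("Untrusted CA", nil, nil)
	impostor, impostorKey := makeCert("John Smith", rogueCA, rogueKey) // same name, wrong CA
	ex := &Extranet{roots: x509.NewCertPool(), acl: map[string]map[string][]string{
		"John Smith": {"read": {"file1", "file2", "file3"}, "update": {"file4", "file5"}},
	}}
	ex.roots.AddCert(ca)
	// The client signs "action|file" with the private key matching its certificate.
	results := []error{
		ex.Handle(smith, "read", "file1", ed25519.Sign(smithKey, []byte("read|file1"))),
		ex.Handle(smith, "update", "file4", ed25519.Sign(smithKey, []byte("update|file4"))),
		ex.Handle(smith, "update", "file6", ed25519.Sign(smithKey, []byte("update|file6"))),
		ex.Handle(smith, "read", "file4", ed25519.Sign(smithKey, []byte("read|file1"))), // file changed after signing
		ex.Handle(impostor, "read", "file1", ed25519.Sign(impostorKey, []byte("read|file1"))),
	}
	return ex, results
}

func main() {
	ex, results := RunScenario()
	fmt.Println("results:", results)
	fmt.Println("audit trail:", ex.Audit)
}
```

Two points worth noting from the run: the impostor certificate carries the same name as Smith's but fails before any access decision, because the chain does not end at Company Y's CA, and the altered request fails the signature check, so neither produces an audit line under Smith's name. In a production extranet the signed message would cover the full transaction body with a timestamp or nonce to prevent replay, and the audit trail would be written to append-only storage rather than an in-memory slice.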
Benefits Of A Secure Extranet
Secure extranets also offer additional benefits aside from essential security measures. These include the ability to:
* Cement business relationships by giving trading partners online access to important transactions, business processes, and information.
* Increase profitability and competitive advantage by managing mission-critical knowledge in the most timely, cost-effective manner.
* Preserve the integrity of physical-world processes and bind transactions online with signing capabilities and audit trails.
* Manage security risks through data confidentiality and integrity.
* Identify online partners and customers irrefutably.
* Increase satisfaction among clients and trading partners by providing enriched usability and service.
* Implement an e-commerce strategy through a tested, open, security platform that grows with a client base.
Secure extranet applications will continue to redefine the electronic marketplace. They will safeguard the transfer of electronic funds, preserve the confidentiality of medical records, exchange confidential information between vendors and suppliers, and protect classified government information. As more organizations employ secure extranets, virtually anything that can be done face-to-face and with pen and paper will be possible to do online.
Peter J. Hussey is the president of GTE CyberTrust (Needham Heights, MA).
Title Annotation: Industry Trend or Event
Author: Hussey, Peter J.
Publication: Computer Technology Review
Date: Oct 1, 1999