Authentication and encryption

an article added by: Frank C. at 06032007




Positively determine with just whom you are doing business, writes Tim Pickard from RSA Security. Reports of hackers accessing popular e-business websites and flaunting customer credit card numbers are well known and increasingly common, to the point that they have become every e-business’s worst PR and legal nightmare. With business-to-consumer (B2C) e-commerce expected to reach US$108 billion by 2003, and business-to-business (B2B) e-commerce expected to increase to US$1 trillion over the same period, the need for electronic security has never been more evident. The key to this security is authentication: that is, positively determining with whom you’re doing business.

E-business ‘pressure’

The Internet has revolutionised business with staggering results. This has placed tremendous pressure on companies to establish a presence quickly in the potentially lucrative e-world or risk failure. Unfortunately, with time-to-market such a critical requirement, the basic approach to launching an e-business is too often ‘ready, fire, aim’. As a result, e-businesses sometimes pay too little attention to the policies and mechanisms that would produce a trusted and secure e-business environment.

Inevitably, certain parties have sought to take advantage of this negligence. ‘Trojan horse’ programs that steal passwords; competitors accessing seemingly protected databases with passwords borrowed from acquaintances; personal accounts exposed to every member of a bank: none of these are merely hypothetical threats any more; they are reality, and it is not just sophisticated computer hackers who cause the problems. Thrill-seeking teenagers, novice programmers trying to make a name for themselves, and criminal organisations all use password-cracking tools that are readily available on the Internet. As e-business models become more complex and attackers develop more sophisticated tools, the number of security breaches can only be expected to increase.

At the same time, it is important to remember that the essence of e-business is that transactions occur between people who are represented by machines. The anonymity of these transactions makes it harder to identify the parties involved and therefore to ensure a trusted business relationship. Since all successful business relationships are based on trust, establishing online trust should be one of the primary goals of any e-business. Data privacy, data integrity and user authorisation are all essential elements of e-security, but the real cornerstone of e-business trust is authentication. This article explains how each of these contributes to a successful e-business strategy.

The keys to securing your e-business

Secure e-business can be broken down into four areas:

1. Authentication – ensuring that both the sender and recipient are who they say they are;

2. Data privacy – guaranteeing the confidentiality of information as it moves around the public Internet;

3. Data integrity – ensuring that data is not altered in transit and, through non-repudiation, that authenticated parties cannot later deny the actions they have taken;

4. Authorisation – denying unauthorised users access to information they’re not supposed to see.

Authentication

This is the cornerstone of e-business security, and is defined as positively identifying and proving the authenticity of those with whom you are doing business. Without authentication, the other security measures you put in place can be ineffective.

Passwords aren’t enough

Today, requiring a username and password is the most common technique for authenticating a user. On the surface this single factor (something the user knows) may appear adequate. After all, there are roughly 2.8 trillion possibilities for an eight-character password drawn at random from the 36 case-insensitive alphanumeric characters (36^8 ≈ 2.8 × 10^12). But because we all tend to choose passwords that are short and easy to remember, such as important dates or names of family members, the passwords actually in use occupy a tiny fraction of that space and are relatively easy for others to guess, steal or crack. Social engineering also contributes to the unreliable nature of passwords. Another problem is that your username and password may not be protected as they travel across the Internet. For example, a typical web server’s basic HTTP authentication, used on many websites, only base64-encodes the username and password; it does not encrypt them, so unless the connection itself is encrypted anyone able to capture the traffic can read them. Unencrypted passwords are extremely susceptible to interception by attackers ‘sniffing’ for them. The bottom line is that you need stronger authentication to create and maintain a trusted environment for e-business.
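As an added Go example (not code from the article or from RSA Security), the following shows what a sniffer recovers from a Basic-auth request sent over plain HTTP, and the arithmetic behind the password-space figure above. The captured request, the host shop.example and the credentials alice / Summer2001 are constructed for the example.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// capturedRequest is a constructed copy of what a sniffer on the path sees when
// a browser sends HTTP Basic credentials over plain HTTP. The host and the
// credentials (alice / Summer2001) are invented for this example.
const capturedRequest = "GET /account HTTP/1.1\r\n" +
	"Host: shop.example\r\n" +
	"Authorization: Basic YWxpY2U6U3VtbWVyMjAwMQ==\r\n" +
	"\r\n"

// RecoverBasicAuth parses a raw HTTP request and returns the username and
// password from its Authorization header. Basic auth merely base64-encodes
// "user:password"; no key is needed to reverse it, which is the whole problem.
func RecoverBasicAuth(raw string) (user, pass string, err error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return "", "", err
	}
	user, pass, ok := req.BasicAuth()
	if !ok {
		return "", "", errors.New("request carries no Basic credentials")
	}
	return user, pass, nil
}

// PasswordSpace returns alphabetSize^length, the number of distinct passwords
// of that length over that alphabet (36^8 for case-insensitive alphanumerics).
func PasswordSpace(alphabetSize, length int) uint64 {
	n := uint64(1)
	for i := 0; i < length; i++ {
		n *= uint64(alphabetSize)
	}
	return n
}

// HoursToExhaust is the time needed to try every password in the space at the
// given guess rate, e.g. offline cracking of a stolen password hash.
func HoursToExhaust(space uint64, guessesPerSecond float64) float64 {
	return float64(space) / guessesPerSecond / 3600
}

func main() {
	user, pass, err := RecoverBasicAuth(capturedRequest)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sniffed credentials: %s / %s\n", user, pass)
	fmt.Printf("8 chars over a-z0-9:    %d\n", PasswordSpace(36, 8))
	fmt.Printf("8 chars over a-zA-Z0-9: %d\n", PasswordSpace(62, 8))
	fmt.Printf("hours to exhaust 36^8 at 1e9 guesses/s: %.2f\n",
		HoursToExhaust(PasswordSpace(36, 8), 1e9))
}
```

Note that the 2.8 trillion figure assumes every character is chosen uniformly at random; a dictionary of a few million common passwords covers most real-world choices, and even the full space falls in under an hour at a billion guesses per second, which is why the transport must also be encrypted and why a second factor matters.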

Levels of authentication

Varying levels of authentication strength exist, and your choice will be based on the value or sensitivity of the information you are protecting, balanced against other considerations such as usability, deployment and budget. Passwords are the weakest, although most widely used, form of authentication. They identify users by a single factor: their secret code. This method is perceived to be easy to deploy and inexpensive. However, history has shown that these codes are easily guessed, stolen or otherwise compromised, and are not as easy or inexpensive to maintain as one might think (resets, lockouts and help-desk calls all cost money). Surprisingly, passwords are one of the most ineffective forms of authentication. The use of digital certificates as a form of authentication is becoming more widespread with the growth of Internet transactions. Alone or protected with a password, certificates identify users by requiring access to digital credentials, namely the private key, that only the rightful owner should be able to use. However, the strength of digital certificates as an authentication solution depends on how securely that private key is protected. For example, a certificate and key stored unprotected on a hard drive can be likened to your wallet left open on your desk. Digital certificates gain strength when they are accompanied by a controlled password policy.

Here, a trusted certificate authority issues certificates that bind each user’s public key to their identity; the user proves that identity by demonstrating possession of the matching private key. Adding a public key infrastructure with a centrally managed certificate policy statement that establishes password requirements (e.g. every password protecting a private key must be at least nine alphanumeric characters long) can improve the strength of certificates as a form of user authentication. Two-factor authentication is much stronger than password security or unprotected certificates because it requires users to present two forms of identification before gaining access to protected resources. Similar to using a bank ATM, users must both know their PIN and possess their authentication device (token or smart card). The combination gives far stronger evidence that users are who they say they are. Combining two-factor authentication and digital certificates enhances the strength of your authentication services dramatically. Often, digital certificates and their private keys are stored insecurely, so anyone who copies them can assume the identities of your users. By requiring two forms of identification to access those credentials, you bind users’ digital identities to their physical identities, which allows you to be more confident that users are who they say they are. Introducing smartcards to protect digital certificates is one of the strongest levels of authentication service. Not only is access to the smartcard protected with two-factor authentication, but certificates and key pairs can also be generated and stored on the smartcard. The private key is designed never to leave the card, so it cannot be copied to a server or read out by an unauthorised user; the card performs the signing operations itself. By adding a third factor, such as biometrics, to the above, you can achieve the strongest available level of authentication. Biometrics refers to a characteristic that is unique to a user, measured through fingerprinting, retinal scanning or voice-printing.
This third factor, combined with certificates stored on a smartcard, is the strongest combination available; it raises an attacker’s cost enormously, but no authentication scheme should be described as impenetrable.
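As an added Go example (not RSA’s SecurID algorithm, which is proprietary, but the standard HOTP event-based code from RFC 4226), the following implements the PIN-plus-token check described above, including the replay protection and look-ahead window a server needs. The RFC’s published seed is used so the codes can be checked against its test vectors; the PIN, salt and account record are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// HOTP computes an RFC 4226 one-time code from a token seed and an event
// counter: HMAC-SHA1 over the 8-byte big-endian counter, dynamically
// truncated to 31 bits and reduced modulo 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Account is the server-side record behind one user's two factors: a salted
// hash of the PIN (something they know), the seed shared with their token
// (something they have) and the next counter value the server will accept,
// so that a code captured once cannot be replayed.
type Account struct {
	salt        []byte
	pinHash     [32]byte
	tokenSecret []byte
	nextCounter uint64
}

func hashPIN(salt []byte, pin string) [32]byte {
	return sha256.Sum256(append(append([]byte{}, salt...), pin...))
}

// NewAccount enrols a user. In a real deployment salt and tokenSecret come
// from a CSPRNG; the caller supplies them here so the example is deterministic.
func NewAccount(pin string, salt, tokenSecret []byte) *Account {
	return &Account{salt: salt, pinHash: hashPIN(salt, pin), tokenSecret: tokenSecret}
}

// Verify accepts a login only if the PIN matches and the code equals HOTP for
// a counter in [nextCounter, nextCounter+window). Both factors are always
// checked, with constant-time comparisons, so a failed attempt does not
// reveal which one was wrong; on success the counter moves past the value used.
func (a *Account) Verify(pin, code string, window uint64) bool {
	got := hashPIN(a.salt, pin)
	pinOK := subtle.ConstantTimeCompare(got[:], a.pinHash[:]) == 1
	codeOK, used := false, uint64(0)
	for i := uint64(0); i < window; i++ {
		c := a.nextCounter + i
		expect := []byte(HOTP(a.tokenSecret, c, 6))
		if !codeOK && subtle.ConstantTimeCompare(expect, []byte(code)) == 1 {
			codeOK, used = true, c
		}
	}
	if !pinOK || !codeOK {
		return false
	}
	a.nextCounter = used + 1
	return true
}

func main() {
	// Seed from RFC 4226 Appendix D so the codes match the RFC's test vectors;
	// the PIN and salt are invented for the example.
	seed := []byte("12345678901234567890")
	acct := NewAccount("4711", []byte("example-salt"), seed)
	fmt.Println("token shows:      ", HOTP(seed, 0, 6))
	fmt.Println("PIN + code:       ", acct.Verify("4711", "755224", 5))
	fmt.Println("same code again:  ", acct.Verify("4711", "755224", 5))
	fmt.Println("code, wrong PIN:  ", acct.Verify("0000", HOTP(seed, 1, 6), 5))
	fmt.Println("PIN, next code:   ", acct.Verify("4711", HOTP(seed, 1, 6), 5))
}
```

The look-ahead window exists because the user may press the token button without logging in; it must stay small, and the server should also rate-limit attempts, since a six-digit code has only a million values and a wide window multiplies an online guesser’s odds.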

Data privacy

Sensitive information needs to be protected while it moves from point to point across the Internet. For example, you don’t want competitors to be able to grab a copy of a proposal when you email it to a prospective customer, and you certainly want to protect the usernames and passwords, and of course credit card numbers, that accompany transmissions. Most web browsers have built-in ‘secure sockets layer’ (SSL, since superseded by its successor TLS) capabilities to ensure the privacy of information transferred between a web server and a user’s browser. This is done by encrypting the information before sending it and decrypting it at the receiving end, so that an intercepted transaction cannot be read; the browser also checks the server’s certificate, so the client knows it is encrypting to the genuine site rather than to an impostor. That means the transaction is private in transit, which is crucial in e-business. Note that SSL protects data only on the wire: the credit card thefts mentioned at the start of this article involved attackers getting into the websites themselves, where SSL offers no protection, so data at rest needs its own controls.
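The encrypt-in-transit exchange described above, as an added Go example rather than anything from the article: a TLS server and client on the loopback interface, with the client refusing to talk to a server whose certificate it cannot verify. The self-signed certificate, the host name shop.example and the message (a well-known test card number) are constructed for the example; a real deployment uses a CA-issued certificate and the browser’s built-in trust store.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newServerCert builds a self-signed certificate for the made-up host
// shop.example so the example runs offline. A real server presents a
// certificate issued by a CA that browsers already trust.
func newServerCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "shop.example"},
		DNSNames:              []string{"shop.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Exchange starts a TLS server on loopback, connects a client, sends msg and
// returns the server's reply. With trustServer=true the client trusts the
// server's certificate; with false it uses only the system roots and must
// refuse the connection, exactly as a browser refuses an unknown certificate.
// Everything on the wire is encrypted; only the two endpoints see msg in clear.
func Exchange(msg string, trustServer bool) (string, error) {
	cert, err := newServerCert()
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // server side: read one line, answer with a receipt
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		line, err := bufio.NewReader(conn).ReadString('\n')
		if err != nil {
			return
		}
		fmt.Fprintf(conn, "received %d bytes: %s", len(strings.TrimSpace(line)), line)
	}()
	clientCfg := &tls.Config{ServerName: "shop.example", MinVersion: tls.VersionTLS12}
	if trustServer {
		leaf, err := x509.ParseCertificate(cert.Certificate[0])
		if err != nil {
			return "", err
		}
		pool := x509.NewCertPool()
		pool.AddCert(leaf)
		clientCfg.RootCAs = pool
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err // untrusted certificate: handshake fails before any data is sent
	}
	defer conn.Close()
	if _, err := fmt.Fprintf(conn, "%s\n", msg); err != nil {
		return "", err
	}
	reply, err := bufio.NewReader(conn).ReadString('\n')
	return strings.TrimSpace(reply), err
}

func main() {
	reply, err := Exchange("card=4111111111111111", true)
	fmt.Println("trusted:", reply, err)
	_, err = Exchange("card=4111111111111111", false)
	fmt.Println("untrusted certificate:", err)
}
```

The refusal in the second call is the part that matters as much as the encryption: setting InsecureSkipVerify to make such errors go away, a common shortcut, leaves the connection encrypted to whoever answered, impostor included.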

Data integrity

It is also important that neither party is able to claim that a transaction never took place, or that the data received differed from what was sent. For example, if you receive a large online order from one of your resellers, can you really be sure it is legitimate? What happens if you deliver the order and they claim that the order they placed was significantly smaller, or deny having placed it at all? For non-repudiation you need to be able to prove that the sender and receiver are who they say they are and that the transaction has not been altered. This can be accomplished with digital signatures: the client signs the transaction with the private key belonging to its client-side digital certificate, and the recipient verifies the signature with the public key in that certificate. A valid signature shows both that the transaction was not altered after signing and that it was produced with that particular private key. It should be noted, however, that you still need to prove that the person behind the key is who they say they are, i.e. not a disgruntled employee or thrill-seeking teen who obtained it, to hold them accountable for the transaction. That is why the private key must be protected with strong, ideally two-factor, authentication: a signature binds a physical person to the transaction only to the extent that nobody else could have used the key.
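The order-dispute scenario above, as an added Go example that is not part of the original article: the reseller signs the order with the private key behind its client certificate (ECDSA over P-256 here; the article does not name an algorithm), and the supplier verifies it with the public key from that certificate. The Order structure, reseller name and order numbers are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Order is the transaction being protected. The fields are constructed for
// the example; json.Marshal of a struct gives a canonical byte string to sign.
type Order struct {
	Reseller string `json:"reseller"`
	SKU      string `json:"sku"`
	Quantity int    `json:"quantity"`
	OrderID  string `json:"order_id"`
}

// NewResellerKey generates the key pair whose public half would sit in the
// reseller's client certificate and whose private half they alone hold.
func NewResellerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

func digest(o Order) ([]byte, error) {
	raw, err := json.Marshal(o)
	if err != nil {
		return nil, err
	}
	h := sha256.Sum256(raw)
	return h[:], nil
}

// SignOrder produces the reseller's signature over the order with the private
// key only they possess (on a smartcard, in the article's strongest case).
func SignOrder(priv *ecdsa.PrivateKey, o Order) ([]byte, error) {
	d, err := digest(o)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, d)
}

// VerifyOrder checks the signature with the public key from the reseller's
// certificate. It is true only if the order is byte-for-byte what was signed
// (integrity) and was signed with that reseller's private key (origin, and
// hence the basis for non-repudiation).
func VerifyOrder(pub *ecdsa.PublicKey, o Order, sig []byte) bool {
	d, err := digest(o)
	if err != nil {
		return false
	}
	return ecdsa.VerifyASN1(pub, d, sig)
}

func main() {
	resellerKey, err := NewResellerKey()
	if err != nil {
		panic(err)
	}
	order := Order{Reseller: "acme-resellers", SKU: "WIDGET-9", Quantity: 500, OrderID: "PO-2001-0042"}
	sig, err := SignOrder(resellerKey, order)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine order verifies:      ", VerifyOrder(&resellerKey.PublicKey, order, sig))
	disputed := order
	disputed.Quantity = 50 // the reseller later claims they only ordered 50
	fmt.Println("disputed order verifies:     ", VerifyOrder(&resellerKey.PublicKey, disputed, sig))
	otherKey, _ := NewResellerKey()
	fmt.Println("another party's key verifies:", VerifyOrder(&otherKey.PublicKey, order, sig))
}
```

Keep the signed bytes and the signature together as the record of the order: verification has to be repeated over exactly what was signed, so any later re-serialisation (reordered fields, changed whitespace) would make a genuine order look tampered with.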

Authorisation

Different users need access to different types of information, and it is important to prevent unauthorised users from seeing information that is not meant for them. For example, your HR staff need to be able to view and update the employee database, but other employees and contractors should not be looking at salary data. Your sales channel needs access to the latest product information, development schedules and pricing, but that internal information is not usually something you want competitors to see. Authorisation involves restricting user access to machines, directories, files and application programs. There are several levels of authorisation. The first limits access at the URL level to protect machines and their contents. The second provides conditional access to directories and files based on access control lists, and the third involves more elaborate rule-based access control. In any of its forms, authorisation enforces the data access rules once an authenticated user reaches protected resources; it presupposes authentication, since a rule about who may do what is meaningless if you cannot tell who is asking.
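The three levels of authorisation above (URL prefix, access control list, rule-based condition) in one deny-by-default evaluator, as an added Go example; the policy, paths, roles and the contractor rule are constructed for the example and are not taken from the article or from any product.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Request is one access attempt: who, with which roles and attributes, wants
// to perform which action on which resource (a URL path, the article's first level).
type Request struct {
	Subject  string
	Roles    []string
	Attrs    map[string]string
	Action   string // "read" or "update"
	Resource string
}

// Rule is one access-control-list entry: it grants Action on everything under
// Prefix to holders of Role, provided the optional Condition (the article's
// third, rule-based level) also holds.
type Rule struct {
	Prefix    string
	Action    string
	Role      string
	Condition func(Request) bool
}

func hasRole(r Request, role string) bool {
	for _, have := range r.Roles {
		if have == role {
			return true
		}
	}
	return false
}

// Authorize is deny-by-default: the request is allowed only if some rule
// matches the cleaned resource path, the action and a role the subject holds,
// and the rule's condition passes. The second result is a reason for the audit log.
func Authorize(rules []Rule, r Request) (bool, string) {
	resource := path.Clean(r.Resource) // collapse "/products/../hr/..." before prefix matching
	for _, rule := range rules {
		if !strings.HasPrefix(resource, rule.Prefix) || rule.Action != r.Action || !hasRole(r, rule.Role) {
			continue
		}
		if rule.Condition != nil && !rule.Condition(r) {
			continue
		}
		return true, fmt.Sprintf("%s %s via role %s", rule.Action, rule.Prefix, rule.Role)
	}
	return false, "no matching rule (default deny)"
}

// permanentStaff is a constructed rule-based condition: the employee database
// stays closed to contractors even if they have been given the hr role.
func permanentStaff(r Request) bool { return r.Attrs["employment"] == "permanent" }

// Policy mirrors the article's scenarios; paths and role names are invented.
// Prefixes end in "/" so "/hr/employees/" cannot match "/hr/employees-export".
var Policy = []Rule{
	{Prefix: "/hr/employees/", Action: "read", Role: "hr", Condition: permanentStaff},
	{Prefix: "/hr/employees/", Action: "update", Role: "hr", Condition: permanentStaff},
	{Prefix: "/products/", Action: "read", Role: "sales"},
	{Prefix: "/products/", Action: "read", Role: "engineering"},
	{Prefix: "/products/", Action: "update", Role: "engineering"},
}

func main() {
	perm := map[string]string{"employment": "permanent"}
	contract := map[string]string{"employment": "contractor"}
	reqs := []Request{
		{"hr-jane", []string{"hr"}, perm, "update", "/hr/employees/42/salary"},
		{"temp-bob", []string{"hr"}, contract, "read", "/hr/employees/42/salary"},
		{"sales-sam", []string{"sales"}, perm, "read", "/products/pricing"},
		{"sales-sam", []string{"sales"}, perm, "update", "/products/pricing"},
		{"sales-sam", []string{"sales"}, perm, "read", "/products/../hr/employees/42"},
	}
	for _, r := range reqs {
		ok, why := Authorize(Policy, r)
		fmt.Printf("%-10s %-6s %-30s %-5t %s\n", r.Subject, r.Action, r.Resource, ok, why)
	}
}
```

Two details carry most of the security value: the path is canonicalised before the prefix test, so traversal tricks cannot reach a protected tree through a permitted one, and the absence of a matching rule is a denial rather than an error, so forgetting to write a rule fails closed.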

Identity management

Authentication is therefore, amongst these other security measures, critical to the success of your e-business initiative. Another considerable threat, however, lies in the staggering proliferation of identities on the Internet. Hundreds of millions of people around the world now use the Internet daily at home and at work, encountering myriad corporate applications, e-business interfaces and web services. Many of these applications require a unique username and, as a result, an individual will typically possess not one but several digital identities. Additionally, digital identities are not perpetual: they are created for new employees, and when those employees leave their digital identity expires, or should expire, on their termination date. An employee moving from one part of an organisation to another, or being promoted to a higher management level, may need updated access rights and other information attached to his or her digital identity. Companies therefore need to be able to trust the identities of users who seek access to their Internet-based resources. Further, they need to manage and control authorised identities to ensure they are current and used in accordance with established policies. For this reason, organisations need to assess their own identity management needs, engage in detailed discussions with business partners about their needs and plans, and explore with a reliable vendor how to implement and integrate such a solution into their IT environments.

An open standard for identity management, including authentication, single sign-on and web access management capabilities, will help businesses lower costs, accelerate commercial opportunities and increase user productivity and customer satisfaction. Initiatives such as the Liberty Alliance demonstrate how companies are already working together to make e-business easier without compromising credential details. For example, it will soon be possible to organise your complete holiday logistics (rent a villa, book flights and hire a car) in a single online transaction, by authenticating once and then moving freely between affiliated websites without having to re-enter your details repeatedly. A federated approach will bring substantial benefits to users and businesses alike. Online transactions are often abandoned, and users have identified the need to complete, and often re-complete, forms as the single biggest reason for this; clearly this is a major obstacle to e-commerce. Within an identity management system, users will appreciate:

1. the convenience of a single identity and authentication for a wide range of resources, applications and websites;

2. the ability to specify under what conditions certain pieces of information can and cannot be shared; and

3. policies and standards on data storage, usage and sharing designed to protect their privacy and prevent fraud and identity theft.

In turn, businesses will benefit by being able to:

1. trust the identities of employees, partners and customers;

2. receive pre-authenticated users from business partners’ sites; and

3. introduce new services and identify new business opportunities.

Conclusion

None of this is possible without the core foundation of e-security: strong user authentication. Once this is in place, the rest – mitigated network security risk, reduced costs, increased revenues, protected investments and greater compliance – will follow, and companies will be positioned to deal securely, conveniently and profitably over the Internet.

Tim Pickard is EMEA Strategic Marketing Director at RSA Security. RSA Security is the most trusted name in e-security, helping organisations to build secure, trusted foundations for e-business through its two-factor authentication, web access management, encryption and public key management systems. A truly global company with more than 8,000 customers, RSA Security is renowned for providing technologies that help organisations conduct e-business with confidence. For further information contact: RSA UK, Ireland and EMEA Sales, RSA House, Western Road, Bracknell, Berks RG12 1RT. Tel: +44 (0)1344 781000; Fax: +44 (0)1344 781010.

