E-business security - A structured approach for secure e-business
Headline: E-business security - A structured approach for secure e-business
Source: Euromoney
Date: June 2000
Author: John Meakin

Security, or the lack of it, is often cited as one of the most significant barriers to further business exploitation of the internet. Is this a reasoned business position, or just another aspect of the hype surrounding every aspect of the web at a time when e-mail viruses are headline news? Even if security is that significant a barrier, how can the businessman move forward and manage this particular risk confidently? After all, doing business is all about taking risks and making the gains when successful. John Meakin reports

There are many difficulties in grasping the business opportunities of the web and exploiting them for business advantage. They include product and market definition, technical delivery, logistical and distribution support, etc. In fact the majority of businesses today are already doing e-business. Many business transactions and processes are assisted, smoothed and even transacted via electronic mail. However you define e-business, one of the key difficulties is the threat presented to its security: the need for e-security is pressing.

Linking business strategy and security

While security is widely recognised as an important issue for the budding internet entrepreneur, there is a widely held misconception that it is a technical problem to be solved by the techies.

My most important argument here is that the reverse is true: security in the e-business is first and foremost a business problem, to be solved through business decisions and leadership. True, security requires us techies to apply highly technical solutions. However, these must follow an analysis of business needs for security, to ensure that the right solution is put in place. In short, the right approach to the right security for e-business is to examine business strategy to derive business requirements, to harness business decisions to provide the context for implementation of technical solutions, and to focus on-going management of the security of the e-business.

Business is about trust - has been about trust for centuries. We engage in business transactions having established a relationship between counterparties who need something on one side and can supply something on the other. This relationship is, to a greater or lesser degree, about establishing trust. This applies whether that trust lies in the supplier's ability to supply quality goods or in the value of the monies given over in return for the goods. Indeed, in the financial sector, the fundamental quality characteristic of the service provided is the trust earned by the service provider: trust in the security of money held on deposit; trust in the quality and worth of investment advice; trust in the effectiveness and completeness of financial transactions mediated for the customer.

However, business on the internet breaks one of the most important manifestations of trust in normal business relationships: trust in the identity of the supplier or purchaser. On the net, "no-one knows you're a dog"! So, in a fundamental manner, establishing the security of the e-business is about applying structured approaches to recouping all those forms of trust that are devalued or put at risk in doing business on the net. Therefore the e-business strategy must address the question: what is security for our e-business and how are we going to achieve it?

Unfortunately, certain other key characteristics of e-business strategy will tend to conflict with the need for security. For instance, the way e-business exploitation is typically pursued today involves trying to achieve as rapid time to market as possible. This, in turn, requires the initial IT infrastructure to be minimal. Equally, the cost of establishing the e-business is expected to be spread over as long a business cycle as possible, minimizing the additional risk to capital resulting from uncertainty in the internet business model and entry to profitability. In contrast, getting the security right will in all probability involve significant time spent up-front. It will possibly include building a cryptographic infrastructure to enable the efficient and effective implementation of the key security mechanisms. There will consequently be significant financial cost up-front.

Therefore a balance is needed: it is crucial to an effective e-business strategy to identify what the right level of security needed is. Numerous surveys over recent years have indicated that the e-business market demands that the security question be addressed. However all such surveys are much less specific about what exactly constitutes the right level of security and the right way to do it.

The right security: what's at risk?

What is the right level of security? To answer this we must start by defining what security is for any such e-business venture. In general, the security needs of a business can be expressed in terms of four key characteristics of the information that is used to do business and that represent its value to the business.

Confidentiality: in the financial sector, this characteristic would cover any business sensitivity to maintenance of Chinese walls, privacy of data surrounding the customer relationship and any other information that might have a direct or indirect market impact.

Integrity: this covers the needs for protection of accuracy of key data that otherwise might result in direct financial loss or customer liabilities.

Availability: this characteristic captures the business process and information requirements to be available whenever needed and protected against loss. In business terms, it translates into the business ability to keep in the customer's face and offer an effective service at all times the customer demands it. Loss of it would tend to harm customer loyalty.

Accountability: this final characteristic covers the need within the business to preserve a clear, demonstrable record of actions and responsibilities as business is conducted, answering the question, "did they or didn't they?"

The security needs of the business can then be straightforwardly related to the level (that is, high, medium or low) of requirement for each one of the characteristics. But how can the required level be determined? How can the characteristics be quantified for any specific business?

In fact this can be achieved by a statement of key assumptions or targets for the way the business will operate in any specific market. Using a hypothetical electronic trading system as an example, the assumptions could be expressed as the answers to certain key questions, for example, as follows:

Is the electronic trade complete and binding? What trust (credit, market risk) model applies?

Does knowledge of pending trades give market advantage?

Does knowledge of trading patterns give market advantage?

Has the trading relationship changed?

Is the market closed or open (counterparties)?

Is the trading platform extensible?

Is the electronic trade an adjunct or replacement?

Is the market liquid?

Each answer to a question can be logically translated to the requirements for each of the key security characteristics, as illustrated here.

This process gives enough granularity to the security needs to then enable the specific security requirements to be derived by assessing whether the requirement for each characteristic against each assumption is high, medium or low.
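The risk model described above, worked through in code as an added example (not from the article): each answer to one of the key assumption questions contributes a need level to one or more of the four characteristics, the requirement for each characteristic is the strongest contribution it receives, and the result is then weighed against the assessed threat to each characteristic. The question names and the answer-to-characteristic mappings are assumptions made for illustration, since the article's own table is not reproduced here.

```python
# Added example, not the article's own table: a small version of the
# article's risk model for a hypothetical electronic trading system.
# The RULES mapping is an assumption made for illustration.

LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {1: "low", 2: "medium", 3: "high"}
CHARACTERISTICS = ("confidentiality", "integrity", "availability", "accountability")

# Assumed mapping: (question, answer) -> {characteristic: need level}.
# The questions follow the article's list; the mappings are illustrative.
RULES = {
    ("trade_binding", True): {"integrity": "high", "accountability": "high"},
    ("trade_binding", False): {"integrity": "medium", "accountability": "medium"},
    ("pending_trades_give_advantage", True): {"confidentiality": "high"},
    ("trading_patterns_give_advantage", True): {"confidentiality": "medium"},
    ("relationship_changed", True): {"accountability": "medium"},
    ("market_open", True): {"confidentiality": "medium", "accountability": "high"},
    ("market_open", False): {"accountability": "medium"},
    ("platform_extensible", True): {"integrity": "medium", "availability": "medium"},
    ("trade_is_replacement", True): {"availability": "high"},
    ("trade_is_replacement", False): {"availability": "medium"},
    ("market_liquid", True): {"availability": "high"},
    ("market_liquid", False): {"availability": "low"},
}


def derive_requirements(answers):
    """Return {characteristic: level}. For each characteristic take the
    strongest need contributed by any applicable (question, answer) rule;
    a characteristic no rule mentions defaults to 'low'."""
    scores = {c: 1 for c in CHARACTERISTICS}
    for question, answer in answers.items():
        for characteristic, level in RULES.get((question, answer), {}).items():
            scores[characteristic] = max(scores[characteristic], LEVELS[level])
    return {c: NAMES[s] for c, s in scores.items()}


def prioritise(requirements, threat):
    """Rank characteristics by need level times assessed threat level (the
    article's second factor), so money is not spent securing a
    characteristic that is not at risk. Ties keep the input order."""
    return sorted(
        requirements,
        key=lambda c: LEVELS[requirements[c]] * LEVELS[threat.get(c, "low")],
        reverse=True,
    )


if __name__ == "__main__":
    # Constructed answers for a hypothetical trading platform.
    answers = {
        "trade_binding": False,
        "pending_trades_give_advantage": False,
        "trading_patterns_give_advantage": True,
        "relationship_changed": False,
        "market_open": False,
        "platform_extensible": False,
        "trade_is_replacement": False,
        "market_liquid": True,
    }
    reqs = derive_requirements(answers)
    # Constructed threat assessment for the same system.
    threat = {"availability": "high", "confidentiality": "medium"}
    print(reqs)
    print(prioritise(reqs, threat))
```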

The growing threat to e-security

However, there is another factor that will partly determine the security requirements: the level of risk to each of the security characteristics (confidentiality, integrity, availability, and accountability). In general, the e-business does not want to spend money securing an information characteristic that is not at risk. This level of risk will be partly determined itself by the details of how the e-business systems are built. But it's also determined by the extent of the threat.

Risks to security of business information and function are not new. What is it about the new internet-driven e-business world that makes the threats more critical? In fact, the threat to security on the internet is growing and its nature is changing. And of course, the expanding rush to exploit the internet for business is magnifying the impact of each breach and the motivations for those parties that could and would exploit the threats.

The threats are growing because the onward march of technology that is making the internet a more effective business and communication tool is also furnishing more sophisticated tools that can be used to exploit weak security on the net. Also these tools are generally easy to use and can accomplish complex tasks speedily and with limited user interaction - like all good computer software. Their development has lowered the knowledge and skill barrier for the potential abuser of security on the net. So, exploiting security weaknesses on the net has become easier and more popular, involving organized crime, industrial spies, even investigative journalists, as US government research demonstrates.

It has been a truism in the professional security community that the historic record demonstrates that up to 80% of actual breaches of security are perpetrated by insiders: the employees of the business itself. So, how does this "fact" sit with the supposed growing threats from the external internet?

In fact recent research has demonstrated that actions perpetrated by outsiders, including individual "hackers" and more organized, targeted groups now account for up to 70% of reported successful security breaches. So, the risk is real. And it's growing.

These trends are clearly demonstrated by learned assessments of real losses resulting from breaches in security. For example, the FBI estimated in 1996 that worldwide losses due to computer crime amounted to some $7.5 billion. More recent updates have estimated that total losses have almost doubled. The respected US think-tank organization, the RAND Institute indicated in a study that more than 50 intrusion incidents per year in Europe and the United States were associated with losses greater than $10 million each. However, estimates of total loss vary widely. Many losses are never reported and many are undoubtedly small. But remember that most financial loss figures do not include the waste of management time and the potential reputational damage.

Therefore the specific security requirements for the e-business can be identified from the business strategy, the needs for security characteristics and the level of risk, which is growing. Once they have been identified for the budding e-business, how can these requirements be satisfied?

There are two levels at which the e-business should take action to address these needs. Firstly and most importantly, the e-businessman needs to lead the implementation of technology within his own e-business that demonstrably satisfies these security needs. But there is also scope for industry co-operation and lobbying for government action that is required to ensure that the whole range of security risks is addressed most effectively.

Industry-wide and government action

This second level of action is driven by three aspects. Firstly, in simple terms, all e-businesses are at risk because they are all part of this shared, global network environment that is the internet. Within this environment, some of the threats to security are targeted at the specific business and some not. Secondly, there are some specific security threats that rely on security weaknesses in some e-businesses to be exploited to put the security of other e-businesses at risk. The security of the web is only as strong as the thinnest thread. Therefore some threats require concerted action across business participants in the web. Finally, some security mechanisms require industry-wide or international agreement to be effective.

All e-businesses are at risk because the internet connects them all. But risk in this connected world also arises from the increasingly homogeneous technology that supports the e-businesses. The prime example of this is the way in which malicious or computer-virus code has been able to exploit the common electronic mail technology used by the majority of inter-networked businesses. So the Melissa virus and the "LoveBug" were able to spread at startling speed across internet connected businesses, both making protection against the virus tremendously difficult and magnifying the actual business impact of the code. In the case of the LoveBug, the impact of the virus was made even greater by the use of common operating system platforms and computer file storage mechanisms. In this case, with such threats that are not targeted at specific businesses and that exploit common technology to achieve rapid spread and wide-scale impact, it becomes crucial that e-businesses introduce open communication practices with their electronic customers and e-business counterparties and high states of alertness to such developing threats.

Recent developments in understanding of the technology underlying the internet and experiences of security breaches have demonstrated that open communication about wide-spread risks is not enough to protect the e-business. In fact a weakly secured e-business may pose a threat to other, unrelated e-businesses.

Access denied

In February 2000, certain premier e-commerce web sites, such as eBay.com, Amazon.com and Yahoo.com, experienced a sudden and rapidly developing performance impact on their public web sites - in effect, the sites stopped responding to their respective internet customer bases. What was happening is described as a "Distributed Denial of Service Attack". In fact it exploits what can be reasonably termed the soft underbelly of the e-business: vulnerability to loss of availability on the web. In the e-business world, where customer loyalty has become a very transient thing, if the e-business is not one click away, then it may not be in business for very long.

In simple terms, the attack consisted of a bombardment of the affected web sites by massive numbers of meaningless attempts by remote computers to connect to them. The target web sites simply tried to service the avalanche of connection attempts and were swamped. More significantly, the connection requests were coming from large numbers of other, perfectly valid e-business web sites. What had happened to enable this was that security weaknesses at those sites had been exploited by an attacker to place malicious code "agents" on them, which were then triggered against specific targets to bombard the affected web sites. While the attack, once discovered, was quite straightforward to recover from, the immediate business impact (loss of business) was significant and the future preventive action is not straightforward.

The lesson is that all e-businesses have an interest in the good management of security on all bona fide internet presences. At present it is not feasible to envisage an internet-wide mechanism that would begin to set standards and provide assurance mechanisms that would target an acceptable level of security on all such web sites. Therefore the individual e-business has to fall back on critical monitoring of what is happening on their connection to the web.
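The kind of monitoring of one's own web connection that the article says the individual e-business must fall back on, as an added example that is not part of the original article: it groups connection attempts from log lines into fixed windows, takes the median window as the baseline, and flags a window whose volume far exceeds that baseline while arriving from many distinct hosts, which is the pattern the article describes for the February 2000 attacks. The log format, the sample lines and the thresholds are all constructed for this example.

```python
# Added example, not the article's code. Log format is constructed:
#   "<ISO timestamp> CONNECT <source host> -> <destination>:<port>"
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)  # naive reference point; avoids timezone effects


def parse_line(line):
    """Parse one constructed log line into (timestamp, source host)."""
    ts, verb, src, _arrow, _dst = line.split()
    if verb != "CONNECT":
        raise ValueError(f"unexpected record: {line!r}")
    return datetime.fromisoformat(ts), src


def windows(lines, seconds=60):
    """Group attempts into fixed windows: {window index: [source hosts]}."""
    buckets = defaultdict(list)
    for line in lines:
        ts, src = parse_line(line)
        index = int((ts - EPOCH).total_seconds() // seconds)
        buckets[index].append(src)
    return buckets


def detect_flood(lines, seconds=60, factor=10, min_distinct=20):
    """Flag windows with at least `factor` times the median attempt count AND
    at least `min_distinct` distinct sources: a surge of meaningless
    connection attempts spread across many otherwise valid hosts."""
    buckets = windows(lines, seconds)
    if not buckets:
        return []
    baseline = max(statistics.median(len(v) for v in buckets.values()), 1)
    flagged = []
    for index in sorted(buckets):
        sources = buckets[index]
        distinct = len(set(sources))
        if len(sources) >= factor * baseline and distinct >= min_distinct:
            start = EPOCH + timedelta(seconds=index * seconds)
            flagged.append({"window_start": start.isoformat(),
                            "count": len(sources), "distinct_sources": distinct})
    return flagged


def build_sample_log():
    """Constructed sample: five quiet minutes of regular customer traffic
    followed by one minute of 40 attempts from 40 distinct hosts."""
    base = datetime(2000, 2, 8, 10, 0, 0)
    regulars = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    lines = []
    for minute in range(5):
        for i, host in enumerate(regulars):
            ts = base + timedelta(minutes=minute, seconds=15 * i)
            lines.append(f"{ts.isoformat()} CONNECT {host} -> 198.51.100.5:80")
    for i in range(40):
        ts = base + timedelta(minutes=5, seconds=i)
        lines.append(f"{ts.isoformat()} CONNECT 203.0.113.{i + 1} -> 198.51.100.5:80")
    return lines


if __name__ == "__main__":
    for hit in detect_flood(build_sample_log()):
        print(hit)
```

The distinct-source condition is what separates this pattern from one misbehaving client, which a per-source rate limit would handle on its own.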

However, in the future the need for common standards and demonstrable security levels across the web is one of the biggest security challenges faced by governments seeking to "regulate" the internet, the current internet governance bodies and the wider community of serious e-businesses. The eventual result may be industry-wide or government stimulated action to demonstrate acceptable levels of security. This might be some accreditation scheme against an appropriate, recognized standard (eg the British Standard 7799 for Security Management). Or it might be based on a multitude of specific e-business groupings or one-to-one relationships that set standards for their specific interactions and share resources in monitoring for threats coming from other parties or sources on the net - providing an early warning system.

This has already begun through the various computer emergency response teams (CERTs) that exist to monitor security threats and disseminate information about them in the public domain. The industry or government action might also eventually extend to mutual or third-party regular testing of the actual security of e-business and other web sites.

The degree to which the e-business can confidently exploit the key security technology for the web - cryptography - has been largely determined by the pace of government regulation of what has been historically viewed as a militarily sensitive technology, principally by the US government. Fortunately, the pace of change in regulation and the practical applicability of it have become much more favourable over the past three years. This has fostered a strong growth in application by e-businesses of powerful encryption technology and the integration of the technology by major IT suppliers in their e-commerce focused products.

However, there remain large areas of uncertainty regarding the legal status and implications of such technology for the e-business. For example, how can contractual liabilities and accountabilities within an e-business relationship be best defined and protected? The best answer is through the application of cryptography to "digital signatures". However, in most legal jurisdictions around the world, the legal framework that defines the acceptability of a purely electronic contract and the legal strength of a digital signature applied to a contract or to indicate the validity of a specific trade does not yet exist. Slow progress is being made, but the pace of legal development needs to be increased. This is well recognized in the key economies such as the UK.

Testing, testing, testing

So what must the e-businessman be doing to respond to the specific security needs of his e-business? Once the risk-driven objectives for security have been set, the responsibilities for implementation, operation and continued evolution of the security mechanisms must be defined. We can call this establishing the security organization. This does not necessarily mean that specific security specialists need to be employed, although this is probably the most effective way of ensuring clear ownership and responsibilities.

However, it does mean that the e-business IT organization needs to be clearly instructed to accept and deliver against the security requirements as well as the business functionality. They need to be given the mandate by the e-businessman to treat the satisfaction of these well-defined and risk-related requirements as mandatory, regardless of the ever-present pressure from the e-business for rapid delivery of the working IT.

Once this key step has been taken, the priority action that remains on the path to a secure e-business can be summarised as implement, monitor and test, monitor and test.

The implementation of the necessary security mechanisms will be guided directly by the security requirements and a good IT organization can be relied upon to apply the essential technology to achieve them. This will include cryptography both to protect the confidentiality and integrity of e-business transactions flowing over the net. It will also include cryptography and possibly physical devices (eg Smartcards) that are used to provide strong proof of the identity of e-business customers connecting over the net. It must include use of strong security gateways (ie "firewalls") at the point of connection between the net and the e-business internal network. The following table gives some broad guidelines on the security technologies that need to be implemented to address the various types of requirement highlighted earlier.

However, as an equal priority, the e-businessman should be looking for high levels of assurance in the quality of the implementation of these mechanisms. This can only be achieved by testing. This testing will obviously include testing prior to live operation of the e-business systems. But it must also include testing after live operation - testing that is done from the outside (penetration testing) as if the tester were an attacker on the e-business. In addition, as the technology of the Web never stops evolving, so that the technology or vulnerabilities that can be exploited by the attacker are always evolving, continuing regular monitoring must be demanded by the e-businessman of IT. To complement this monitoring, the e-businessman must ensure that all parties in the business, including especially IT, are very clear as to how any immediate or potential new threat disclosed by the monitoring will be reacted to.

In addition, for a significant number of e-businesses that are developing as adjuncts to existing businesses with existing investment in IT, it will be necessary to tighten up on existing technology. This will be driven by the fact that the e-business systems will probably be linked in some way into the existing business systems, for reasons of continuity and efficiency. This must be combined with the realisation that many existing businesses do not achieve high levels of effectiveness of existing basic security controls, such as controlling who amongst the business staff gets access to what information and function. Typically, staff get more access than required or the access of departing staff gets left active. Also, security breaches that result from such weaknesses typically remain undetected for considerable periods of time due to relatively infrequent or non-existent security monitoring. With the additional risk that is posed by connection (albeit with additional security controls such as firewalls) to the internet, the potential negative impact of such laxity in basic security is magnified.

Also, if the e-business systems will eventually require the management of access via the web by large numbers of electronic customers of the business, then weakness in the existing administration of staff access will not provide a firm base for quality, secure management of customer access.

Messages for the future

In summary, a coherent reaction to the real, growing threats to the security of the e-business involves these essential steps:

Linking business strategy to security requirements, applying a simple, straightforward risk model.

Implementing those requirements in the technology as mandatory parts of e-business function.

Testing, testing, testing - both before live operation and after.

Monitoring - both of the e-business' specific systems and for developing threats out on the web.

Where appropriate correcting any security deficiencies in the existing IT, especially basic access control.

Identifying clear security responsibilities.

Having the e-businessman take the lead in driving forward this coherent security approach.

And for the future, bear in mind that the hackers don't stand still. So prove continually your security works - but you'll have to work harder and you'll need to be alert, 24 hours a day!

John Meakin is global head of IT security at Dresdner Kleinwort Benson
