Network Computing - Articles


The right combination?

More than a third of UK businesses are failing to implement any kind of online security strategy, according to recent research from Novell.
Here, Terence Green examines some of the crucial issues involved in developing a safe eBusiness solution

Electronic commerce is transforming the way companies do business. From consumers buying books and CDs on the web to companies opening their networks to their suppliers and partners, electronic transactions are big business. By all accounts business-to-business commerce is already far larger than the business-to-consumer sector and growing faster. Analysts and researchers say business-to-business transactions will top a trillion dollars by 2003.

The open standards and protocols which enabled electronic commerce are also driving new business models in which companies replace manual procedures with Web-based applications, converting processes which were previously labour-intensive into self-service operations. Electronic business, e-business as it is widely known, offers reduced costs, greater customer satisfaction, and higher revenues if properly implemented. But UK companies have been slow to adopt it. Surveys always deliver the same answer when organisations are asked why they haven't embraced electronic business: security. Yet when the Computer Security Institute of San Francisco asked companies with web sites whether they had detected unauthorised access or misuse of their sites within the last 12 months, a full 33 percent of respondents said they "didn't know".

In the rush to get onto the web many companies have simply forgotten about issues that they deal with as a matter of course on their internal networks. The issues which matter in respect of data - integrity, availability, and confidentiality - remain the same for electronic commerce, although the nature of the risks does alter somewhat.
Businesses are used to protecting their network boundaries but once employees gain access to the Internet they may make unauthorised use of it, perhaps downloading pornography or engaging in inappropriate e-mail conversations, and open the company to legal action. Steve Webb, director of marketing at network security specialist Integralis says, "Employees need to know that when they send an e-mail or publish information on a company web site, they may be exposing their employer to liabilities while simultaneously recording the evidence of any misdemeanours on their own server and the servers of all recipients of the information for later use in a court of law".

A variety of content filtering software has emerged to meet this need. Products such as surfCONTROL from JSB Software filter, monitor, block, and report on Internet usage. surfCONTROL is available in a variety of configurations for IP networks and can be configured to work with both Microsoft and Novell network user names. JSB helped develop the original specification for the Windows Sockets standard, which drove mass use of the Internet, and its surfCONTROL product family emerged from this project.

Ray Binnion, chairman of Tekdata, noting that the 1998 Data Protection Act (which requires employers to take appropriate measures against unauthorised or unlawful processing of data) also applies to external attacks on company data, says an emerging class of products called Internet and Network Security Appliances (INSA) will provide effective protection for small and medium sized organisations. SonicWALL, an INSA sold by Tekdata, combines firewall protection with content filtering, works with all operating systems, and can be installed within half an hour.

FIGHTING FIRE WITH FIRE
A firewall can help when used correctly; otherwise it can actually be a hindrance to electronic commerce. If incorrectly configured, a firewall can give a false sense of security. For example, if configured to address every need, the filtering rules can become too complex and slow or hinder access. In order to provide remote access to a network while using a firewall, a virtual private network (VPN) solution may be required. Companies also need to protect themselves against a variety of threats, such as mail-borne viruses, which firewalls and content filters may not stop. Advanced protection from external attacks can now be provided by specialised network intrusion detection software. Wick Hill supplies security systems which are based on WatchGuard firewall and VPN tools combined with WebTrends detection and security analysis products.

WatchGuard offers a suite of security software comprising a centrally managed security suite together with an online service offering support, security alerts, and updates which can be managed from a central control centre, with GUI 'wizards' helping the administrator to configure the systems and implement security policies. WebTrends products monitor the firewalls and proxy servers, providing information on attacks and security violations as well as helping with troubleshooting when there are configuration problems.

ETHICAL HACKERS
Some companies can provide a penetration test and analysis service. With the customer's agreement, Secure Computing, a provider of firewalls, website filtering, and authentication tools, will engage computer security experts to actively try to break into the corporate network. At the end of the programme a full report is presented to the customer detailing the weaknesses that have been found and the level of access gained.

At the high end of the security business global service organisations such as IBM and Hewlett-Packard can offer complete solutions to businesses of all sizes, right up to multinationals who want to outsource the security and management of their entire networks. IBM says security used to be thought of in terms of software but is now becoming more of a consultancy business - looking at the culture of the company, how the employees use information systems, the long and short term risks and how to achieve the balance between the need to share information and the protection of personal privacy.

As part of its security consultancy IBM also uses 'ethical hackers', who identify flaws in existing systems through real-world testing of security measures. Like Hewlett-Packard, IBM provides a one-stop shop for all the software, hardware, and services a company needs when moving onto the Internet. IBM's preferred solution is an AS/400 and IBM SecureWay FirstSecure software, a combination which IBM says their security testers have never been able to 'hack'. SecureWay is a standards-based framework which can be integrated with any other software based on Internet standards.

HP's top of the line product is VirtualVault from the HP Internet Security Division. Used by leading banks and retailers, VirtualVault combines a trusted, military grade operating system; a strictly partitioned Web runtime environment; and a securely integrated Web server. VirtualVault web servers and back-end applications run on any type of computer system including UNIX, Windows NT, and IBM mainframes.

NAVIGATING THE OPTIONS
Some security consultancies build complete solutions using in-house products. AXENT offers a broad range of integrated security products and services built around its Lifecycle Security methodology. Their aim is to provide a structured approach to security design, implementation and management which works well in extended enterprises. AXENT's product portfolio includes risk assessment, firewall, VPN, intrusion detection, and access control tools which can be combined in many ways to provide an integrated security solution with common repositories and common administrative and monitoring consoles.

VPNs and firewalls are widely used but have limitations according to Colin Tankard, the European managing director of extranet specialist Aventail. Tankard says "VPNs and firewalls are ideal for applications linking a company's offices or remote employees but new technology is needed when complex applications result in lengthy firewall rules that slow down the flow of traffic". Firewalls can also impose conditions on external sites. "Companies should never have to involve a partner's network administrator in managing their extranets or need to ask them to make changes to their own firewalls and security policies," says Tankard.

Tankard cites a recent report by Forrester Research which describes current solutions as lacking in fine-grained access control to corporate data. The report says: 'firewalls are crude; passwords are a hack; DMZs are a bear; and point products a stop-gap.' Tankard says the answer is an application-oriented solution such as Aventail ExtraNet Center, a secure, scalable platform supporting all current security, network and directory standards.

SECURITY POLICY
Before they even get to the point of calling in the security consultants, companies should step back, look at their business, consider their objectives, and develop a security policy for the management and protection of their key asset - company data. Darrell Woodward, Security Product Manager for Wick Hill, says "The use of company information drives electronic commerce. Security is not about hiding information but about making it available in a secure way".

Woodward believes the impetus for a security policy must come from the top: "Management must make the policy reflect the ethics and philosophy of the company and show staff that the board is committed to making it work". Wick Hill has produced a book and CD called 'Information Security Policies Made Easy' which explains the thinking behind setting up security policies and outlines the processes involved. The most important single element in security is the co-operation and commitment of staff, according to Woodward. "You need to sell the value of a security policy to staff," says Woodward, "If you introduce it over their heads you're likely to get rebellion".

Any security policy must also take into account the ever-changing nature of the Internet, according to an e-business security white paper produced by Internet Security Systems (ISS). ISS says that rigidly-applied security measures can often be defeated with ease by simple errors. An employee with an unauthorised modem can open the network up to an external attack regardless of the number of firewalls, authentication servers, and other security measures in place. In the opinion of ISS, point solutions such as firewalls, encryption servers, card keys, and VPNs, can also result in risk being shifted from one part of the network to another instead of being eliminated.

ACCESS SECURITY
Despite implementing comprehensive security solutions some companies still rely on simple password protection for access control, even though it can easily be defeated. A standardised access control system based on the Public Key Infrastructure (PKI) and digital certificates will provide a more secure means of establishing identity, but PKI solutions have had slow adoption rates because governments have delayed legislation giving legal validity to digital certificates.

Digital certificates are issued by a 'trusted third party' known as a Certification Authority (CA), and can be used as proof of identity or right of access. They also form the basis of digital signatures, which are used to guarantee the privacy, confidentiality, and integrity of communications. Most importantly for electronic commerce applications, digital signatures provide for non-repudiation. Certification authorities also serve as an independent time stamping authority to guarantee the date and time of important legal or commercial messages.

As yet digital signatures do not have universal force of law except in Germany and Italy, and most recently in New York State. Governments, especially the UK and USA, have long delayed digital signature legislation in order to ensure that they have free access to documents encrypted with digital signatures, reasoning that it was necessary for reasons of national security and crime prevention. However, the UK recently accepted the broad framework of the proposed European Directive on electronic signatures, which does not permit governments to demand key storage, and legislation is now moving ahead.

Despite the absence of legislation it is still possible for companies to use digital signatures according to Samoera Jacobs, the vice president of legal management at GlobalSign, a CA based in Brussels. "Companies can freely implement their own agreements as to the legal validity of digital signatures". Many already do so. The widespread use of browser-based Secure Sockets Layer (SSL) encryption in consumer-oriented electronic commerce constitutes a de facto agreement but large corporations also rely on SSL.

Don Taylor, international vice president for Tumbleweed Corporation, which provides secure document exchange for the European Commission, UPS, Pitney Bowes and others, says, "most people, including the European Commission are happy with SSL. We feel it won't be until next year that most companies will use PKI in online applications".

Once digital certificates are widely accepted, individuals and small companies will be able to use the services of a CA directly, but larger organisations and those with online commerce web sites will look to PKI certificate servers such as the Keon Certificate Server 5.0 from Security Dynamics, a subsidiary of RSA Data Security. The Keon Certificate Server is a Public Key Infrastructure (PKI) offering using a Netscape Server and Verisign certification which has been designed for enterprise customers. The Keon server provides automated certificate management for SSL Web servers, VPNs and Secure MIME-enabled e-mail and can be integrated into custom enterprise applications, third-party directory services, routers, and firewalls.

SOMETHING YOU ARE
Certificates in one form or another are set to become an important enabler of electronic commerce, because secure access controls cannot be based on a password alone. Passwords are notoriously unreliable. People forget them, write them down, or choose passwords which are easy to guess. For strong security a user should be able to supply at least two of the following attributes - something one has, something one is, and something one knows. A password (something one knows) together with a digital certificate (something one has) meets this requirement. So does another access control method now gaining popularity - the smart card. A smart card (something one has) containing encrypted identification data can be used in conjunction with a PIN or password. With 16 years' experience in developing certified authentication, access control, and encryption for the mobile, network, and e-commerce markets, Utimaco Safeware has now added smart card security to its portfolio of hard drive and data encryption products and its secure authentication systems for TCP/IP-based networks.

ActivCard is another security provider using smart cards to provide strong authentication in conjunction with partners including Novell and Sun. ActivCard's Digital Identity technology enables the management of digital credentials using PKI certificates and keys and its technology is also being embedded into solutions offered by VISA and Mondex. Despite all this activity there is as yet no universal smart card standard. In an effort to jump start one, VISA has begun to establish a standard smart card infrastructure, GlobalPlatform, that it hopes will enable multiple applications from various industries to employ a single smart card.

Biometric identification (something one is, a fingerprint for example) is also gaining support. The combination of a smart card and biometrics can create a highly secure access control mechanism for electronic commerce systems. Informer Systems Ltd does away with the need for passwords by means of a keyboard with built-in card reader and fingerprint scanner which works with Windows 95, 98 and NT and an ISL Secure-IT authentication server which supports RAS and RADIUS connections. ISL managing director Derek McDermott says "Smart card and biometrics technology enable staff to access on-line resources without having to remember complicated passwords or PINs. It is also safer from the threat of hackers who have traditionally targeted passwords as potential weak spots".

TESTING
Finally, once you've perfected your solution, don't forget to test it before going live. Gareth Evans, marketing director of Cyrano, a supplier of web testing products, says that companies who rush onto the Web in haste often overlook the importance of validating the quality, performance and security of their eCommerce sites with disastrous consequences. "Users who encounter errors or unresponsive servers simply move on. Why would they retry the original site again if they had problems when there are plenty of others to choose from?" The first time a problem is discovered will be when the sales director sees a daily report showing plenty of hits on the site but no sales.

For Evans, the answer is to implement a testing strategy integrated into the company's eBusiness strategy. "Test applications end-to-end, and do it every time a change is made". Use web-based application testing software to build reliability and scalability into web sites and applications before deployment. One test is not enough as hackers continuously find new techniques to attack systems so regular tests are crucial. "It's important to look at the risk of NOT testing the site, and the level of risk you are willing to take, before incorporating testing into your eBusiness strategy and purchasing a Web testing tool."

Public companies may open themselves up to legal challenges from shareholders if they fail to test their systems adequately before going online. Doug Turner, general manager for Compuware QACenter test products, says, "With recent, highly publicised failures of high-profile web sites, companies are learning firsthand that downtime to an organisation's e-commerce site can be devastating."

"Poor performing or unavailable sites can translate into a huge hit to a company's stock price, and, just as importantly, to a company's customer base, which is only a click away from the competition."

©1998 Compudraft Ltd. All rights reserved.
No part of this site may be reproduced without written permission of the owners.