So, too, must the security of e-business transactions cease to be a high-profile customer concern; only then will the online marketplace reach its full potential. In the same way airlines can now boast that air travel is safer than driving, in terms of passenger miles, e-business operators must be able to affirm that doing business on the Internet is at least as safe as buying and selling in any other medium.
From that starting point, the distinctive strengths of electronic business (its convenience, its selection, its efficiency) will enjoy their full advantage.
There are retail establishments, such as high-end jewelry stores, that put their security up front and in plain sight. Many retail Web sites have much the same aura, with their user names and passwords, cookies and browser dialog boxes advising, "You are about to view pages over a secure connection."
However, a jewelry store with guards in front may have an unlocked service entrance in back. And a store may check the identification of every customer who wants to pay by check or credit card, while routinely admitting anyone wearing a UPS or FedEx uniform.
Likewise, a Web site may intimidate users with the outward inconvenience of conspicuous security while actually leaving itself and its customers at risk because of misconfigured servers or flawed storefront software that builds vulnerability directly into its design.
The site that relies on user names and passwords, but that tries to reduce the inconvenience of these access control tools by packaging them in browser cookies, is authenticating the device, not the user: a conceptual flaw that is also common to the security protocols of, for example, Bluetooth wireless technology.
Business-to-business situations are even more likely to involve shared access terminals, increasing the need to find ways of controlling transaction privileges (such as allowable order amounts and approvals) by person rather than by connection.
Costs of biometric scanners are already falling, especially as voice hardware becomes part of mainstream convergence-driven systems, and growing bandwidth enables more transparent processing of fingerprint maps, face scans and the like. Businesses will benefit from the nonrepudiation of transactions that comes with means of authentication that are so closely tied to the individual user.
Another authentication option is the physical token, associated with the user rather than with the information appliance.
Portable tokens, attached to key chains or jewelry, let users move among many different client devices in a setting such as a large retail store or factory floor. Unlike biometric methods, they enable convenient transfer of authority as readily as handing someone a conventional key.
Better than mechanical keys, though, are electronic means of revoking authority quickly and with precision in the event of changed assignments or a departure from an organisation. B2B system planners must think in the same circumspect terms as an engaged couple drawing up a prenuptial agreement, envisioning the possible need for withdrawing privileges as well as making it convenient to grant them. Key-distribution and management mechanisms, such as those commonly called public-key infrastructure, must be part of the plan.
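One way to put the points above into code, as an added example that is not from the article: a MAC-signed token of the kind a browser cookie carries proves only that a device holds it, so the service re-checks the person (revocation, freshness of authentication, allowable order amount) before each privileged transaction. The names Person, issue_token, authorize_order and revoke, the placeholder secret and the 900-second freshness window are assumptions made for this illustration.

```python
# Added illustration, not code from the article: a MAC-signed session token of the kind a
# browser cookie could carry, checked against a per-person privilege record with revocation.
import hashlib
import hmac
from dataclasses import dataclass

SERVER_SECRET = b"placeholder-secret"  # placeholder; a real service uses a managed secret

@dataclass
class Person:
    user_id: str
    order_limit: int       # allowable order amount for this person (whole currency units)
    revoked: bool = False  # set on departure or reassignment; takes effect at once

def issue_token(user_id: str, authenticated_at: int) -> bytes:
    # The MAC stops forgery, but whoever presents the token passes: it names the device.
    body = f"{user_id}:{authenticated_at}".encode()
    mac = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + mac

def parse_token(token: bytes):
    body, _, mac = token.rpartition(b".")
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest().encode()
    if not body or not hmac.compare_digest(mac, expected):
        return None
    user_id, _, ts = body.decode().partition(":")
    return user_id, int(ts)

def authorize_order(people: dict, token: bytes, amount: int, now: int,
                    max_age: int = 900) -> tuple:
    """Decide by person, not by connection: identity, revocation, freshness, then limit."""
    parsed = parse_token(token)
    if parsed is None:
        return False, "bad token"
    user_id, authenticated_at = parsed
    person = people.get(user_id)
    if person is None or person.revoked:
        return False, "revoked"
    if now - authenticated_at > max_age:
        # A stale token proves only that this device once held a session; the person
        # must authenticate again before a privileged transaction.
        return False, "reauthenticate"
    if amount > person.order_limit:
        return False, "over limit"
    return True, "ok"

def revoke(people: dict, user_id: str) -> None:
    """Withdraw privileges server-side, without touching any client device or cookie."""
    people[user_id].revoked = True
```

Revocation lives in the server-side record, so a departed employee's cookie stops working the moment the record changes, whatever device still holds it.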
Talking points

- Cookies weaken ID/password methods and authenticate the user, not just the device
- Biometrics are fast and reliable, ready for use at public Internet terminals
- Physical tokens, such as Speedpass and iButton, rapidly gaining ground
- Misconfigured servers harbor well-known (but often unremedied) risks
- Software patches, regardless of inconvenience, must be applied
- Applications may have security flaws inseparable from their functions
- Internal trust links loopholes into tunnels and minimizes components' privileges
- As technical attacks grow more costly, social attacks (such as bribes) will grow