Best practice report takes security pointers from Australia

By
13 October 2000 03:01 PM
Tags: security, touche, deloitte, pki, report, certificate, best, practice

A report on best security practices for e-business has taken a lead from Australian initiatives such as the Federal Government's Gatekeeper accreditation scheme and the Australian Tax Office's digital certificate system.

The report by Deloitte Touche Tohmatsu is the second instalment in a two-year, four-part research initiative for the Information Systems Audit and Control Association (ISACA), an international body for IT professionals with 25,000 members.

"Key pieces of the report come from Australia, particularly sections concerning PKI (public key infrastructure). So much is going on here. We have some of the best examples in the world," said Dean Kingsley, a partner with Deloitte Touche Tohmatsu's Enterprise Risk Services division.

The 50-page report has a focus on PKI, "which is a side effect from a market move towards B2B (business to business operations), which requires strong identification and authentication," Kingsley said.

Authentication must have a strong foundation, according to Kingsley, who finds fault with digital certificates as managed by VeriSign. "Best practice shows that digital certificates offer security only if they have a strong registration authority. You can go to VeriSign and get a certificate easily, your e-mail address doesn't even have to match. In any business applications we'd have to say 'gee, that's not much better than nothing at all'," Kingsley said.

The Australian Tax Office's technology is based on technology from VeriSign's competitor Baltimore, which was the first company to meet the Federal Government's Gatekeeper standards.

A previous report by Deloitte Touche Tohmatsu in January, based on a global survey of ISACA members, was weighted towards B2C (business to consumer) outfits, Kingsley said. Some respondents "thought security was about firewalls and if they had one then they thought the problems were solved."

"In this report we provide an experts' view of what the key security problems are and what the best organisations are doing about them. The document doesn't contain case studies but, for example, the way the Australian Tax Office is approaching security is considered best practice."

"Best practice always has to be relevant to the kind of business. B2Cs are mostly worried about disruption to their services and credit card fraud, but when it comes to B2Bs' large-scale transactions there are far more security factors."

The report, called E-Commerce Security: Enterprise Best Practices, lists the ingredients for addressing the most feared e-commerce security concerns. While some elements, such as PKI and digital certificates, are well known, others have a lower profile: simply remembering to maintain security is a hard task for some companies, according to Kingsley.

"Every day your security is not maintained it is degrading. It's not hard to install technology. The challenge is keeping it secure. Almost everyone overlooks this. The reason sites get broken into is that they haven't updated their security for a year," Kingsley said.

Deloitte Touche Tohmatsu's research indicates that the biggest perceived risk is external attack, for example, hackers defacing a Web site. "Although this is unquestionably happening, it's really a nuisance. Disruption of service, however, whether from technical failure or by Distributed Denial-Of-Service attacks, is by far and away the biggest risk for both B2B and B2C operations," Kingsley said.

The next step in the research project will be to provide about eight detailed technical reference guides for e-business security. The final instalment will be case studies of companies who have had "challenging business security problems and how they have turned them into enablers," Kingsley said.

"A B2B exchange couldn't exist without strong security allowing you to do business with suppliers you don't already deal with. If it was just the people you already knew, then the exchange would just be replicating an existing system. Now, for an exchange to handle people you don't know it would need to be using PKI."
