TECHNOLOGY
September 2000
PLAYING IT SAFE
The computer industry and governments
are taking notice of a new approach to on-line security. CFOs
should too.
By Adam Lincoln
On a recent visit to Hong Kong, David
Flint, a UK research director at the US-based Gartner Group,
regaled listeners with tales of on-line insecurity. His best
story was about an employee of a leading financial institution
in London. One morning, the young banker telephoned his manager
to say that he wouldn't be going to work that day - in fact,
he didn't need his job anymore. You see, he'd stolen about
£22 million (US$35 million) from the company. But because
he was generous of spirit - and didn't really need that much
money to support his lifestyle - he was willing to give half
of the money back. He was also willing to explain how he managed
to steal it in the first place.
This generosity had a catch: the firm would have to guarantee
the cyberthief immunity from prosecution. Mortified by the
prospect of damaging publicity and the potential for copycat
crimes, the company agreed. An £11 million pay-out was the
lesser evil.
The story supports one of Flint's key
messages: security is a matter of economics, not technical
possibilities. Keeping the bad guys out of a corporate network
is not a new challenge, just a bigger one since the Internet
became essential to business life.
E-business is about letting people in - from employees and
customers to business partners and suppliers. Virtual business
dealings involve the exchange of documents, information and
dollars in what is essentially thin air. And, despite the
many technology-based security options, the cyberworld still
relies to an alarming degree on good old-fashioned trust.
The trouble is, businesses can't
conduct high-volume transaction processing over the Net without
exposing themselves to a shopping list of threats: loss of
confidentiality or privacy of customer information; unauthorized
data changes; duplication or deletion of information or transactions;
malicious acts; human error. And still they press ahead. "Organizations
feel obliged," Flint says. "It is a commercial playoff
they accept, rather than delay until they can get everything
right."
Passing on Passwords
What is needed, then, is a security mechanism that provides
assurances of user identity. In this context, the self-registration
and password systems currently used for most applications
are a joke - albeit a popular one. According to a study of
50 global companies conducted by Forrester Research last year,
no less than 98 percent of businesses use passwords to authenticate
employees. In addition, 64 percent use passwords to grant
network access to business partners.
Unfortunately, passwords are pretty
useless. People generally choose easily guessed words, or
even worse, leave their password on a post-it note attached
to their monitors. Efforts to upgrade basic security beyond
the password have been mired in industry disagreement, absence
of legislative support, and lack of interoperability between
vendor solutions. Enter PKI (public key infrastructure), an
approach to security that should alleviate a lot of corporate
teeth-gnashing.
PKI itself is not particularly new, but it is being propelled
into the spotlight by much-needed customer, vendor and government
support. A technology security infrastructure that is gaining
a reputation among e-business companies, PKI provides a sound
framework for encryption and digital signature services (see
box), technologies that enable individuals to identify themselves,
indisputably, for transactions. Indeed, the respondents to
the Forrester survey expect that digital certificates will
soon be the most widely used mechanism for authenticating
both employees and partners. By 2001, 52 percent of companies
will authenticate employees using digital certificates and
46 percent will use digital certificates to authenticate business
partners. The reason for the switch: 78 percent and 58 percent
of respondents, respectively, cite e-commerce and partner
extranets as the main incentive for changing their approach
to security.
The vendors like it too, which is important because PKI doesn't
work in isolation. According to International Data Corp (IDC),
the PKI market will grow from US$122.7 million in 1998 to
US$1.3 billion by 2003. Microsoft's Windows 2000 includes
fully integrated PKI, which means applications in Windows
2000 understand what to do with PKI. Therefore, Windows 2000
users get PKI out of the box, making it easy for companies
to get involved, speeding up PKI deployments. It's also being
built into the emerging standards for WAP, the protocol for
web-linked mobile phones. Well-known names such as Checkpoint
Software, Cisco Systems, Novell, PeopleSoft and SAP have banded
together to create the PKI Forum, which among other objectives
advocates product interoperability. In other words, PKI is
on track to becoming a commodity.
Stepping Up to BAT
One company placing faith in PKI is British American Tobacco
(BAT). Tony Judge, the company's Hong Kong-based regional
security chief, admits the company isn't yet doing much in
the way of on-line transactions - and those that are being
done use proprietary systems unique to each supplier or business
partner. But that should change, and soon. "The adoption
of PKI as a strategic security application is expected to
provide the enabling technology which will allow a rapid transition
to secure electronic commerce," Judge says.
Previously, BAT's worldwide communications were run on private
leased lines, safe from the perils of the web. Access to the
Internet was managed from stand-alone computers with an 'air-gap'
between those computers and corporate networks. More recently,
the company invested in PKI software from US-based RSA Security,
a leader in the field. The software is married to other solutions
such as firewalls, VPNs (virtual private networks) and monitoring
technology to provide what Judge believes is a sound platform
for new ways of doing business. "Because it provides
strong user authentication, PKI brings immediate benefits
other than being the basis of e-commerce activity - [almost]
single sign-on and facilitation of secure remote working are
obvious examples," he says.
The cost of PKI deployment depends on whether a company builds
its own PKI or outsources it, as well as the size of the deployment.
RSA Security has said its PKI software starts at about US$50
per person and declines in cost as user volumes increase.
There are also deployment costs and maintenance costs, which,
like most software products, average 10 to 20 percent (annually)
of the purchase price.
This being so, upfront cost is not
a big obstacle to implementing PKI. But because PKI applications
are still limited, companies must get involved with complex
integration projects. Another issue that needs to be resolved
is development of the PKI registration model, including policies,
procedures and processes. Industry watchers say this is a
matter of maturity and that over time, models will be created
that are repeatable. Efforts are boosted by legal recognition
of digital signatures by a growing number of governments.
In the meantime, says Gartner's Flint,
the corporate community should count itself lucky. "They're
protected to a large extent from the threat of common criminals
by the simple fact that most crooks tend to be rather stupid,"
says Flint. Even more stupid than a company that is careless
and ignorant of security issues, he adds. 
Adam Lincoln is a senior writer at
CFO Asia
Digital Certificates
To Key, or Not to Key
Public key infrastructure (PKI) is built
on four fundamental components:
Digital certificates: These are tamper-proof, non-forgeable
electronic files that function like a kind of on-line passport
to verify the identity of the holder. The holder may be a
person, a connecting website, or even a network component
such as a router. They are issued by an enterprise certification
authority (CA) to users who register with that CA. Issuance
of a certificate requires authentication of the user, usually
by a registration authority.
Public key cryptography: An operation in which two separate
keys, one publicly available and one held privately, are used
to perform a secure transaction. A secure operation is initiated
using one key and undone with the other. The central operations
in public key cryptography are encryption and digital signatures:
Encryption: First, data is encrypted with the public key of
each intended recipient. These public keys are accessible
to all because they can be used only to encrypt, not decrypt.
Once they have received the secured data, recipients can use
their matching private key to decrypt the data. Needless to
say, the private key must be kept secret.
Digital signatures: Electronic signatures initiated by the
author using a private signing key. Recipients use a verification
key, publicly issued by an author for authenticating documents
the author has signed. Each time a digital signature is generated,
a one-off representation of the data is created. Called a
hash, this is then encrypted with the private key of the sender.
The receiver confirms the sender's identity by
successfully decrypting the hash with the sender's public
key and checking that it matches a hash recomputed from the
received data.
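The encrypt-to-recipient and hash-then-sign steps described in this box, as an added example that is not part of the original article: a short Go program using only the standard library. It assumes RSA-OAEP for the encryption and RSA-PSS for the signature (the padded forms of the raw operations the box describes) and that the parties have already exchanged public keys; binding those keys to identities is the job of the certificates described above.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)
// Party holds one key pair. In a full PKI the public half would be bound
// to the holder's identity by a certificate issued by a CA.
type Party struct{ Priv *rsa.PrivateKey }
func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Party{Priv: k}, err
}

// Seal encrypts msg to the recipient's public key (only the matching private
// key undoes it) and signs a SHA-256 hash of msg with the sender's private key.
func Seal(sender *Party, recipient *rsa.PublicKey, msg []byte) (ct, sig []byte, err error) {
	if ct, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil); err != nil {
		return nil, nil, err
	}
	h := sha256.Sum256(msg)
	sig, err = rsa.SignPSS(rand.Reader, sender.Priv, crypto.SHA256, h[:], nil)
	return ct, sig, err
}

// Open decrypts with the recipient's private key, recomputes the hash and checks
// the signature with the sender's public key; a wrong recipient, a different
// signer or any altered byte makes it return an error.
func Open(recipient *Party, sender *rsa.PublicKey, ct, sig []byte) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient.Priv, ct, nil)
	if err != nil {
		return nil, fmt.Errorf("decrypt: %w", err)
	}
	h := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, fmt.Errorf("signature check: %w", err)
	}
	return msg, nil
}

func main() {
	alice, _ := NewParty() // sender
	bob, _ := NewParty()   // recipient
	ct, sig, _ := Seal(alice, &bob.Priv.PublicKey, []byte("pay supplier 1200")) // constructed message
	msg, err := Open(bob, &alice.Priv.PublicKey, ct, sig)
	fmt.Printf("%q %v\n", msg, err)
}
```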
AL
Cyberinsurance
Have You Got Protection?
The Internet is every insurer's nightmare;
a myriad of potentially devastating financial exposures. Small
wonder then that insurers have taken time to warm to the idea
of using their capital to absorb corporate cyber-risks. Three
years ago only one underwriting agency, Atlanta-based Insuretrust.com,
offered specific on-line risk transfer products. But parties
on both sides of the equation are changing their tune. For
their part, insurers have recognized an opportunity to charge
high premiums. Aside from the obvious growth in e-business
activity, they can do this because companies have been spooked
by a series of on-line security breaches.
The fact that some of the biggest names in
e-business have fallen prey - and paid a huge price - has
the corporate community on edge. In February, denial-of-service
attacks shut down Yahoo, eBay, Amazon.com and other popular
websites for several hours. The Yankee Group, a Boston-based
analyst company, tallied each company's lost revenues, lost
market capitalization due to plunging stock prices, and the
cost for systems security upgrades - and came up with US$1.2
billion in total losses. Then there was the 'Love Bug' virus,
which was transported by e-mail and rendered even the most
basic of Internet applications a threat to security.
Adam McDonough, senior vice-president
at Willis Insurance Services in San Francisco, says that increased
attention has meant the "user unfriendliness" that
characterized cyberinsurance products is fast disappearing.
His advice: "Corporate purchasers should focus on covering
their liabilities to others resulting from a security breach
to their network, [such as] sensitive data falling into the
wrong hands, contaminated or destroyed data resulting in financial
loss to customers, a denial-of-service attack leading to delayed
or lost orders, and so on." Limits to consider will vary
widely, depending on the nature of operations, but McDonough
believes US$5 million to US$20 million is a good start.
Several major and a handful of minor insurers
are stepping into the void left by most property/casualty
policies, including AIG, Lloyd's of London, Zurich Insurance
Group and Chubb Group. So how much will peace of mind cost?
According to McDonough, costs have come down. One year ago
US$1 million in coverage for a large company cost from US$45,000
to US$50,000. Today the price has dropped to around US$15,000
to US$25,000. McDonough's prediction: "As more capacity
enters the market in the form of new competitors, and loss
experience continues to be positive, pricing will fall to
the point where coverage becomes affordable for smaller and
mid-sized companies."
RB