In applications of electronic commerce, encryption is typically what is
meant by ``security''. However, the industry seems to recognize that
cryptography, while a critical component of secure networking, is not
enough to protect a business from fraud. Cryptography protects a
transaction while it is in transit, but it does little to prevent
unauthorized access to the information and accounts at either end, where
the data is decrypted and stored. A good analogy is using an armored van
to transport cash from one branch to another, and then leaving it in the
middle of the lobby once it reaches its destination. Information needs to
be ``put in the vault'' once it reaches its destination, and another
component is needed to do this: a firewall that separates the local
network from the Internet.
Security methods such as Internet firewalls are very popular now, but
many organizations may believe, or be led to believe, that an Internet
firewall alone is sufficient to secure their network. That is like buying
the most secure front door money can buy for your house while leaving the
garage door unlocked, or keeping the same weak sliding door on the back
deck. A firewall is only effective if every entry point plays by the same
rules. This is one reason we may expect to see smart cards and their
related technology flourish, as a means of providing businesses with
reliable access control and authentication: a smart card can carry the
user's identity, and prove it to a verifier without ever disclosing the
secret that backs it, along with other relevant personal information,
all in a secure manner.
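The ``prove the user's identity'' step above is a challenge-response
exchange: the verifier sends a fresh random challenge, and the card answers
with a value that only the holder of the card's secret can compute, so the
secret itself never crosses the wire and a captured answer is useless
later. The following Python is an added illustration, not code from the
original text; it models the card with an HMAC over a card-specific shared
secret, where a real card would typically sign the challenge with a
private key in tamper-resistant hardware. The card identifiers, secrets
and the eavesdropper scenario are all constructed for the example.

```python
import hashlib
import hmac
import os


class SmartCard:
    """Simulated smart card. The secret is held inside the card and never
    exported; the card only answers authentication challenges. A real card
    does this in tamper-resistant hardware, usually by signing the challenge
    with a private key; HMAC with a card-specific secret stands in for that
    operation here (an assumption of this example)."""

    def __init__(self, card_id: str, secret: bytes) -> None:
        self.card_id = card_id
        self._secret = secret  # never leaves the card

    def respond(self, challenge: bytes) -> bytes:
        # Bind the answer to both the card's identity and this exact challenge.
        return hmac.new(self._secret, self.card_id.encode() + challenge,
                        hashlib.sha256).digest()


class Verifier:
    """Server side: issues fresh, single-use challenges and checks answers."""

    def __init__(self, registry: dict) -> None:
        self._registry = registry   # card_id -> secret, provisioned at issuance (assumed)
        self._outstanding = {}      # card_id -> challenge issued but not yet consumed

    def challenge(self, card_id: str) -> bytes:
        nonce = os.urandom(16)      # unpredictable, so answers cannot be precomputed
        self._outstanding[card_id] = nonce
        return nonce

    def verify(self, card_id: str, challenge: bytes, response: bytes) -> bool:
        secret = self._registry.get(card_id)
        if secret is None:
            return False            # card was never issued by us
        if self._outstanding.get(card_id) != challenge:
            return False            # stale, already used, or never issued: replay blocked
        del self._outstanding[card_id]   # each challenge is accepted at most once
        expected = hmac.new(secret, card_id.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def run_scenario() -> dict:
    """Constructed scenario: one issued card, one eavesdropper on the line."""
    secret = os.urandom(32)
    card = SmartCard("card-0001", secret)
    server = Verifier({"card-0001": secret})

    # 1. Legitimate login: fresh challenge, answered by the card.
    c1 = server.challenge(card.card_id)
    r1 = card.respond(c1)
    legitimate = server.verify(card.card_id, c1, r1)

    # 2. Eavesdropper captured (c1, r1) on the wire and replays the pair.
    replay_same_pair = server.verify(card.card_id, c1, r1)

    # 3. Eavesdropper obtains a new challenge but can only supply the old answer.
    c2 = server.challenge(card.card_id)
    replay_old_response = server.verify(card.card_id, c2, r1)

    # 4. A card the server never issued, answering correctly for its own secret.
    stranger = SmartCard("card-9999", os.urandom(32))
    c3 = server.challenge(stranger.card_id)
    unknown_card = server.verify(stranger.card_id, c3, stranger.respond(c3))

    return {
        "legitimate": legitimate,
        "replay_same_pair": replay_same_pair,
        "replay_old_response": replay_old_response,
        "unknown_card": unknown_card,
    }


if __name__ == "__main__":
    for name, accepted in run_scenario().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the first exchange is accepted. The point for the business is that
the card authenticates the holder to the server; deciding what that
holder may then do is access control, and still has to be configured on
the server side.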
However, firewalls and smart cards are not enough either. A risk and
business analysis is almost always required, leading to the development
of a security policy and the prescription of the security mechanisms and
methods to be implemented within the local computing environment.
Moreover, doing this once is not enough. Threats change, vulnerabilities
change, business requirements change, and the available countermeasures
change: all of these must be periodically and routinely reevaluated.