
2.1 Introduction

The security services that will enable widespread use and acceptance of commerce over the Internet include the following:

* Authentication: whereby an individual, an organization, or a computer can prove its identity.
* Authorization: the ability of a system, once identity is verified, to control access to specific resources.
* Confidentiality: the ability to maintain the secrecy of the contents of a transmission between authorized parties.
* Integrity: the capability of ensuring that a transmission arrives at its destination in exactly the same form as it was sent.
* Non-repudiation of origin: the ability to ensure that when an entity sends an authenticated electronic communication, it cannot later deny the origin or contents of the communication.

In applications of electronic commerce, encryption is typically used to provide security. However, the industry seems to recognize that cryptography, while a critical component of secure networking, is not enough to protect a business from fraud. Cryptography provides for transaction security, but does not do much to prevent unauthorized access to information and accounts. A good analogy would be using an armored van to transport cash from one branch to another, and then leaving it in the middle of the lobby once it reaches its destination. Information needs to be "put in the vault" once it reaches its destination, and another component is needed to do this: a firewall to secure this local network from Internet access.

Security methods, such as Internet firewalls, are very popular now, but many organizations may believe, or be led to believe, that an Internet firewall alone is sufficient for securing their network. It is like buying the most secure front door money can buy for your house but leaving the garage door unlocked, or keeping the same weak sliding door on your back deck. A firewall is effective only if every entry point is held to the same standard. Thus, we may expect to see smart cards and their related technology flourishing, as a means of providing businesses with reliable access control and authentication processes: smart cards may be used to carry and to prove the user's identity, as well as other relevant personal information, and all this in a secure manner.

However, firewalls and smart cards are not enough. A risk and business analysis is almost always required, leading to the development of a security policy and the prescription of security mechanisms and methods for implementation within the local computing environment. Doing this once is not enough, either. Threats change, vulnerabilities change, business requirements change, and the available counter-measures change: all of these must be periodically and routinely reevaluated.


Denis Arnaud
12/19/1997