©2003 IDC
#3577
7
Companies are subject not only to fraud and the direct loss of assets but also to the
value of lost business. When their services are denied by a deliberate overload of
bogus requests, they lose the value of the potential business that would have been
transacted during the period of denial. Another less tangible but perhaps ultimately
more disastrous effect of such attacks is damage to reputation. The harm can be
irreparable. Public confidence in a company may be shaken beyond repair by a
particularly malicious attack or series of attacks. For electronic commerce to function,
customers and partners need to be able to trust the ebusiness process.
And security requirements will only rise as companies turn increasingly to ebusiness.
Although the encryption technologies today are sufficient to guarantee complete
confidence and, mathematically, a user can have perfect assurance that a message
is unique and really did come from the person who says he or she sent it, in order for
the system to be a trustworthy enough medium in which to do business, the
infrastructure must be whole. Given that most companies' security focus is on network
servers, routers, and firewalls, it may be that the client node is the overlooked weak
link in the security chain, but it is by no means the only possible point of penetration.
Breaches can be internal or external. Often, depredations come from the employees
themselves. Employees must be protected from each other so that all intranet users
trust the system. And corporations must be shielded from external threats, hostile
outsiders who may enter the castle from the Internet via the many connections most
firms maintain to communicate with the outside world. For both internal and external
transactions, users must be able to trust and be trusted.
S E C U R I T Y T E C H N O L O G Y : F R O M G L O B A L T O L O C A L
Public key encryption and its associated infrastructure address the issue of trust at
the global level. Of the many elements that make up a total security solution,
however, PKI is the most dependent on completeness; that is, any two parties
participating in secure transactions must both agree to rely on a third party, a trusted
authority, sometimes called a certificate authority.
It is because of the complexity of implementing the PKI infrastructure that companies
have recently turned to less ambitious tasks with respect to guaranteeing security at
the client node. Encryption similar to that used to pass keys back and forth over a
network between participants in a PKI scheme can be used to perform far simpler —
but no less important — jobs at the local level. For example, without having to resort
to the network at all, a PC client can provide its user with securely encrypted folders,
the contents of which would look like gibberish to any hacker who managed to open
them. Using one or more authentication techniques (e.g., some combination of
biometric access control, proximity badge, and password), only the legitimate owner
of the locked-away files can open them as readable data. This same type of
authentication can be pressed into service to authorize the client node's user to the
network and all the corporate resources it contains.
T H E E V O L U T I O N O F S E C U R I T Y T E C H N O L O G Y
Security has come a long way since the need for it was first perceived. The
development of security technology has followed both the leapfrog-like need to stay
ahead of the competition and the availability of the means to do it.
The essence of encryption is the systematic altering of text or other data by
mathematical transformations (algorithms), processes that are inherently abstract
(i.e., they can be embodied in either software or hardware). Also critical to the
success of any security scheme is a set of procedures for handling both the original
(clear) and transformed (encrypted) text. In this area, some sets of procedures are
distinctly better than others, as we shall see.