Security in E-Business: An Introduction

A central issue in the commercial use of the Internet is security. Surveys state that the economic success of electronic business applications is inhibited because the Internet lacks appropriate security measures. One way to increase the trust of consumers in electronic business applications is to establish a standardized quantification of security. It is important to find a security quantifier – not only to compare systems with one another but also to analyze and design electronic business applications.

An Electronic Business Application (EBA) is a system consisting of a server system (at the merchant’s location), a client system (at the customer’s location), and the transmission path in between, which is assumed to be insecure and untrusted.

We need to secure our environment so that we can do things the way we want them done. E-terrorism, E-damage and E-security are the buzzwords in the IT world nowadays. Security concerns in E-business have been receiving the highest attention from both designers and governments. Since the shift is from paper to electronic media, and transactions happen from remote and unknown locations, ascertaining the genuine nature of commercial transactions is difficult.

What Is Security?

Security is not a product, nor is it technology. Security is a process. The process of security consists of many things. It contains preventive control measures and a healthy dose of awareness. It includes disaster recovery and business continuity. Various products and technologies support all of these elements of the process. Security as a process is a state of mind that must permeate a corporation and its culture to be effective.

If we tell the security community that we have had a problem stopping a certain virus, we are at the same time also enlightening the hacker community. We read their websites and they read ours. Time is the hacker’s strength. Our network has to keep doing what it is doing 24 hours a day, 7 days a week, to maintain our operational capability. The hacker can sit and wait, change strategies, and increase the probability of detecting a weakness. A hacker targets products with a huge customer base, and each successful attack leads to a very high level of damage and wide publicity.

General Security Objectives

Traditionally, when talking about data security, usually four security objectives are identified: confidentiality, integrity, authenticity, audit ability and availability. To better suit the needs of electronic business with all its legal aspects, more security objectives have been identified. The most important one is accountability.

Confidentiality

Confidentiality describes the state in which data is protected from unauthorized disclosure. A loss of confidentiality occurs when the contents of a communication or a file are disclosed. Information should be protected from the prying eyes of unauthorized internal users and external hackers, and from being intercepted during transmission on communication networks, by making it unintelligible to the attacker.

Integrity

Integrity means that the data has not been altered or destroyed, whether accidentally (e.g. transmission errors) or with malicious intent (e.g. sabotage). Suitable mechanisms are required to ensure end-to-end message content and copy authentication.

Availability

Availability refers to the fact that data and systems can be accessed by authorized persons within an appropriate period of time. Reasons for loss of availability may be attacks or instabilities of the system. The information that is stored or transmitted across communication networks should be available whenever required, and to whatever extent is desired, within pre-established time constraints.

Accountability

If the accountability of a system is guaranteed, the participants in a communication activity can be sure that their communication partner is the one he or she claims to be, so the communication partners can be held accountable for their actions.

Authenticity

It should be possible to prevent any person or object from masquerading as some other person or object. When a message is received, it should therefore be possible to verify whether it has indeed been sent by the person or object claiming to be the originator. Similarly, it should also be possible to ensure that the message is sent to the person or object for whom it was meant. This implies the need for reliable identification of the originator and recipient of data.

Audit ability

Audit data must be recorded in such a way that all specified confidentiality and integrity requirements are met. Implementing a security solution in an Electronic Commerce environment therefore necessitates a risk analysis of the business scenario. All possible threats should be considered, and a security requirements policy drawn up by the organization based on a combination of some or all of the services listed above.

Non-Repudiation (NR)

The ability to provide proof of the origin or delivery of data is an important aspect of accountability. NR protects the sender against a false denial by the recipient that the data has been received. In other words, a receiver cannot say that he/she never received the data, and the sender cannot say that he/she never sent any data.

Security Goals

Prevent malicious damage.
Prevent accidental damage.
Limit the impact of deletions.
Prevent unauthorized access to locations.
Provide integrity and confidentiality of data.
Provide a disaster recovery system.

Network Security Plan

It is very important to create a list of the company’s priorities for a security system. There is no one simple answer to the network security dilemma. Each security solution has clear advantages and disadvantages, and every company’s network has a different list of needs and a different order of priorities.

The top three concerns for an E-business network are the levels of security, simplicity, and cost efficiency. Obviously security, simplicity, and cost efficiency overlap in many areas when used in the context of network security, and that is why a list of priorities is the best way to start a security plan. A successful solution most often uses a combination of both user-based security and traffic-based security to control the network.

Security on the web is implemented through a layered system, each layer checking and protecting the flow of information. The layers are the following:

Source and destination relation.
Authorization of the individual – password.
Authentication.
Encryption of the message for integrity.
Use of public key / private key against unauthorized exposure.
Checking access to the intranet and access to other websites through the internet.
Finally, but not less important, physical security of the intranet.
Use of fault tolerant systems, disk mirroring, duplication and use of RAID (Redundant Array of Inexpensive Disks).

Web Server Security

The server that connects your company to the Internet and the Internet to your company is in constant danger. It is important to have a clear idea about what the dangers surrounding that server are and what security measures can be taken to protect it.

Why Web Server Security Is Needed?

The term “hackers” sends a chill down any e-business network administrator’s spine, if only because of widely published media stories that surface again and again in the form of computer legends. Although most of the hype can be attributed to paranoia, there is a lot to worry about when it comes to securing Web servers.

Attacks on Web servers are done for two reasons. The first is that an attack of that sort can give the intruder vital information that can be used in the future to gain access to a private network. The second possible objective behind a Web server attack is to gain access to the Internet interface itself and change the information that is posted on the Internet.

E-mail Security

Introduction

E-mail, especially Internet e-mail, has become a basic communications tool. It is one of the most versatile means of transferring information of almost any kind. Any business application where there is a need to transfer information without the requirement for online lookup can be automated with e-mail. E-mail is also the easiest architecture to deploy for communications with remote employees, business partners, etc.

However, e-mail is notoriously insecure. It is highly vulnerable to interception, and forgery of e-mail is trivial. Therefore, without proper security measures, it is highly inadvisable to transfer sensitive information by e-mail, or to put too much trust in information received via e-mail.

‘Spam’ is one of the most prevalent threats to network integrity on the public Internet. It causes denial of service at the network level by flooding bandwidth and overloading e-mail hosts. It reduces the productivity both of mail administrators and of end users. This is one area on which organizations should focus when considering e-mail messaging security.

Virus Defenses

Virus protection is an important risk factor that any company should consider when it connects to the Internet. Thus, many companies are building defenses against the spread of viruses by centralizing the distribution and updating of antivirus software as a responsibility of their IS departments. Other companies are outsourcing the virus protection responsibility to their Internet service providers or to telecommunication or security management companies.

Things to Be Emphasized For E-Security

Creating a Security Strategy.
Cryptographic Tools.
Cyber terrorism.
Defenses from Viruses.
Firewall Systems.
Privacy on the Internet.
Security service management.
Verification of Authenticity.

So, if we can follow all these steps, then we can make our entire business network safe and secure.

SUMMARY

E-business depends on providing customers, partners, and employees with access to information in a way that is controlled and secure. Managing e-business security is a multifaceted challenge and requires the coordination of business policy and practice with appropriate technology. In addition to deploying standards-based, flexible and interoperable systems, the technology must provide assurance of the security provided in the products.

As technology matures and secure e-business systems are deployed, companies will be better positioned to manage the risks associated with disintermediation of data access. Through this process businesses will enhance their competitive edge while also working to protect critical business infrastructures from malefactors like hackers, disgruntled employees, criminals and corporate spies.

We also have to think about the prevention of malicious damage and accidental damage, unauthorized access to locations, providing integrity and confidentiality of data, and a disaster recovery system.
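The security objectives above (integrity, authenticity, accountability and non-repudiation) are easiest to tell apart with a concrete mechanism. The following is an added example, not code from the original article: it signs a message with a textbook RSA key and checks it, then contrasts this with a shared-key HMAC. The key is built from two well-known Mersenne primes and uses no padding, so it is a teaching model only; the message, the key material and the function names are constructed for this illustration.

```python
"""Added example: why a digital signature gives integrity, authenticity and
non-repudiation, while a shared-key MAC gives only the first two.

Textbook RSA on two known Mersenne primes; constructed for illustration,
far too small and unpadded for real use.
"""
import hashlib
import hmac

# Constructed toy key: the Mersenne primes 2^61-1 and 2^89-1.
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def make_keypair():
    """Return ((n, e), (n, d)) for the toy primes."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


def _digest_int(message: bytes, n: int) -> int:
    # Hash the message and reduce it into the RSA group (toy scheme, no padding).
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Only the holder of d can produce this value: the basis of non-repudiation."""
    n, d = private_key
    return pow(_digest_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check who sent it (authenticity) and that
    the content is unchanged (integrity)."""
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message, n)


def mac_tag(shared_key: bytes, message: bytes) -> str:
    """HMAC: integrity and authenticity between the two key holders, but either
    of them can produce a tag, so it proves nothing to a third party."""
    return hmac.new(shared_key, message, hashlib.sha256).hexdigest()


def mac_verify(shared_key: bytes, message: bytes, tag: str) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, message), tag)


def demo():
    pub, priv = make_keypair()
    order = b"Ship 10 units to customer 4711"       # constructed sample message
    tampered = b"Ship 100 units to customer 4711"   # altered in transit
    sig = sign(priv, order)
    shared = b"constructed-shared-secret"
    return {
        # Signature: genuine message verifies, altered message does not, and the
        # recipient cannot create a valid signature without d.
        "genuine_verifies": verify(pub, order, sig),
        "tampered_verifies": verify(pub, tampered, sig),
        # MAC: the recipient holds the same key, so a tag it makes for a message
        # the sender never sent verifies just as well; no non-repudiation.
        "recipient_made_mac_verifies": mac_verify(shared, tampered, mac_tag(shared, tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

The practical reading: a MAC settles a dispute between the two parties only if each trusts the other not to have forged the tag; a signature lets a third party (an auditor, a court) check the origin, which is what accountability and non-repudiation require.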
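The "Audit ability" objective requires audit data to be recorded so that its integrity requirements are met. One way to do that is a hash-chained log, where each entry commits to the previous one. The following is an added example, not code from the original article; the entry layout, the sample events and the helper names are constructed for the illustration, and it also shows the failure mode a chain alone does not cover (truncation of the tail), which is handled by anchoring the head hash somewhere the log writer cannot change.

```python
"""Added example: a hash-chained audit log in which editing, deleting or
truncating entries is detectable. Record fields and events are constructed.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical JSON so the same record always hashes identically.
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(log: list, record: dict) -> dict:
    """Append a record, binding it to the hash of the previous entry."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "record": record, "prev": prev}
    entry["hash"] = _entry_hash(prev, record)
    log.append(entry)
    return entry


def verify_chain(log: list, expected_head=None):
    """Return (ok, bad_index). Recomputes every hash and link; when expected_head
    (the last hash, kept out of the log writer's reach) is supplied, a chopped-off
    tail is detected as well."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != expected_prev:
            return False, i
        if entry["hash"] != _entry_hash(entry["prev"], entry["record"]):
            return False, i
        expected_prev = entry["hash"]
    if expected_head is not None and expected_prev != expected_head:
        return False, len(log)
    return True, None


def build_sample_log() -> list:
    log = []
    # Constructed sample events from an e-business server.
    append(log, {"user": "alice", "action": "login", "result": "ok"})
    append(log, {"user": "alice", "action": "view_order", "order": 4711})
    append(log, {"user": "mallory", "action": "login", "result": "fail"})
    return log


def tamper_demo():
    log = build_sample_log()
    head = log[-1]["hash"]  # anchored copy of the head hash
    results = {"intact": verify_chain(log, head)}

    edited = copy.deepcopy(log)
    edited[2]["record"]["result"] = "ok"  # rewrite a failed login as a success
    results["edited"] = verify_chain(edited, head)

    deleted = copy.deepcopy(log)
    del deleted[1]  # remove a middle entry
    results["deleted"] = verify_chain(deleted, head)

    truncated = log[:-1]  # drop the newest entry
    results["truncated_no_anchor"] = verify_chain(truncated)
    results["truncated_with_anchor"] = verify_chain(truncated, head)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: ok={outcome[0]} first_bad_index={outcome[1]}")
```

Without the anchored head the truncated log verifies cleanly, which is why the head hash (or a signed entry count) has to live outside the system that writes the log; the chain by itself only protects what is still present.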