Security in E-Business: An Introduction
A central issue in the commercial use of the Internet is security. Surveys state that the economic success of electronic business applications is inhibited because the Internet lacks appropriate security measures. One way to increase the trust of consumers in electronic business applications is to establish a standardized quantification of security. It is important to find a security quantifier – not only to compare systems with one another but also to analyze and design electronic business applications.
An Electronic Business Application (EBA) is a system consisting of a server system (at the merchant's location), a client system (at the customer's location), and the transmission path in between, which is assumed to be insecure and untrusted.
We need to secure our environment so that we can carry out work the way we intend to. E-terrorism, E-damage and E-security have become the buzzwords of today's IT world.
Security concerns in E-business have been receiving the highest attention from both designers and governments. Since the shift is from paper to electronic media, and transactions originate from remote and unknown locations, ascertaining the genuineness of commercial transactions is difficult.
What Is Security?
Security is not a product, nor is it a technology. Security is a process. The process of security consists of many things. It contains preventive control measures and a healthy dose of awareness. It includes disaster recovery and business continuity. Various products and technologies support all of these elements of the process. The process of security is a state of mind that must permeate a corporation and its culture to be effective.
If we tell the security community that we have had problems stopping a certain virus, we are at the same time also enlightening the hacker community. We read their websites and they read ours. Time is the hacker's strength. Our network has to keep doing what it is doing 24 hours a day, 7 days a week, to maintain our operational capability. The hacker can sit and wait, choose the moment when the risk of detection suits him, and change strategies at will.
A hacker targets products with a huge customer base, and each successful attack leads to a very high level of damage and provides wide publicity.
General Security Objectives
Traditionally, when talking about data security, the following security objectives are usually identified: confidentiality, integrity, authenticity, auditability and availability. To better suit the needs of electronic business with all its legal aspects, more security objectives have been identified. The most important one is accountability.
Confidentiality describes the state in which data is protected from unauthorized disclosure. A loss of confidentiality occurs when the contents of a communication or a file are disclosed. Information should be protected from the prying eyes of unauthorized internal users and external hackers, and from interception during transmission over communication networks, by making it unintelligible to the attacker.
Integrity means that the data has not been altered or destroyed, whether accidentally (e.g. transmission errors) or with malicious intent (e.g. sabotage). Suitable mechanisms are required to ensure end-to-end authentication of message content and of copies.
Availability refers to the fact that data and systems can be accessed by authorized persons within an appropriate period of time. Loss of availability may be caused by attacks or by instabilities of the system. Information that is stored or transmitted across communication networks should be available whenever required and to whatever extent desired, within pre-established time constraints.
If the accountability of a system is guaranteed, the participants in a communication can be sure that their communication partner is who he or she claims to be, so the communication partners can be held accountable for their actions.
It should be possible to prevent any person or object from masquerading as some other person or object. When a message is received, it should therefore be possible to verify whether it has indeed been sent by the person or object claiming to be the originator. Similarly, it should also be possible to ensure that the message is sent to the person or object for whom it was meant. This implies the need for reliable identification of the originator and recipient of data.
Audit data must be recorded in such a way that all specified confidentiality and integrity requirements are met. Implementing a security solution in an Electronic Commerce environment therefore necessitates a risk analysis of the business scenario. All possible threats should be considered and a security requirements policy drawn up by the organization, based on a combination of some or all of the services listed above.
The ability to provide proof of the origin or delivery of data is an important aspect of accountability. Non-repudiation (NR) protects the sender against a false denial by the recipient that the data has been received, and likewise protects the recipient against a false denial by the sender that the data was sent. In other words, a receiver cannot claim that he/she never received the data, and the sender cannot claim that he/she never sent any data.
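To make proof of origin and proof of delivery concrete, the following is an added example (not code from the original article) in Go using Ed25519 signatures from the standard library: the sender signs the message itself, the recipient signs a receipt over the digest of what arrived, and either proof can later be checked by a third party holding only the public keys. The order text and the function names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Receipt is what the recipient signs to prove delivery: the digest of the
// message actually received, signed with the recipient's private key.
type Receipt struct {
	Digest    []byte // SHA-256 of the received message
	Signature []byte // recipient's Ed25519 signature over Digest
}

// proveOrigin: the sender signs the message itself, producing proof of origin.
func proveOrigin(senderPriv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(senderPriv, msg)
}

// proveDelivery: the recipient acknowledges the exact bytes it received.
func proveDelivery(recipPriv ed25519.PrivateKey, msg []byte) Receipt {
	d := sha256.Sum256(msg)
	return Receipt{Digest: d[:], Signature: ed25519.Sign(recipPriv, d[:])}
}

// verifyOrigin: anyone with the sender's public key can check that the sender,
// and no one else, produced msg, so the sender cannot deny having sent it.
func verifyOrigin(senderPub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(senderPub, msg, sig)
}

// verifyDelivery: the receipt must match the copy the sender kept, so the
// recipient cannot deny having received exactly this message.
func verifyDelivery(recipPub ed25519.PublicKey, msg []byte, r Receipt) bool {
	d := sha256.Sum256(msg)
	return bytes.Equal(d[:], r.Digest) && ed25519.Verify(recipPub, r.Digest, r.Signature)
}

func main() {
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	recipPub, recipPriv, _ := ed25519.GenerateKey(rand.Reader)
	order := []byte("order 4711: 3 units, EUR 120.00") // constructed sample message
	sig := proveOrigin(senderPriv, order)
	rcpt := proveDelivery(recipPriv, order)
	fmt.Println("origin:", verifyOrigin(senderPub, order, sig), "delivery:", verifyDelivery(recipPub, order, rcpt))
	fmt.Println("tampered:", verifyOrigin(senderPub, []byte("order 4711: 30 units, EUR 120.00"), sig))
}
```

A shared-secret MAC could not give this property, because either party could have produced it; the asymmetric key is what makes the proof binding against its owner.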
Prevent malicious damage.
Prevent accidental damage.
Limit the impact of deletions.
Prevent unauthorized access to locations.
Provide integrity and confidentiality of data.
Provide a disaster recovery system.
Network Security Plan
It is very important to create a list of the company’s priorities for a security system. There is no one simple answer to the network security dilemma. Each security solution has clear advantages and disadvantages, and every company’s network has a different list of needs and a different order of priorities.
The top three concerns for an E-business network are the level of security, simplicity, and cost efficiency. Obviously security, simplicity, and cost efficiency overlap in many areas when considered in the context of network security, and that is why a list of priorities is the best way to start a security plan. A successful solution most often combines user-based security and traffic-based security to control the network.
Security on the web is implemented through a layered system, each layer checking and protecting the flow of information. The layers are the following:
Source and destination relation.
Authorization of the individual – password.
Encryption of messages for integrity.
Use of public/private key pairs to prevent unauthorized exposure.
Checking access to the intranet and access to other websites through the Internet.
Last but not least, physical security of the intranet.
Use of fault-tolerant systems, disk mirroring, duplication and RAID (Redundant Array of Inexpensive Disks).
Web Server Security
The server that connects your company to the Internet and the Internet to your company is in constant danger. It is important to have a clear idea about what the dangers are surrounding that server and what security measures can be taken to protect it.
Why Is Web Server Security Needed?
The term "hackers" sends a chill down any e-business network administrator's spine, if only because of widely published media stories that resurface again and again as computer legends. Although much of the hype can be attributed to paranoia, there is a lot to worry about when it comes to securing Web servers.
Attacks on Web servers are carried out for two reasons. The first is that such an attack can give the intruder vital information that can be used later to gain access to a private network. The second possible objective behind a Web server attack is to gain access to the Internet interface itself and change the information that is posted on the Internet.
E-mail, especially Internet e-mail, has become a basic communications tool. It is one of the most versatile means of transferring information of almost any kind. Any business application where there is a need to transfer information without the requirement for online lookup can be automated with e-mail. Email is also the easiest architecture to deploy for communications with remote employees, business partners, etc.
However, e-mail is notoriously insecure. It is highly vulnerable to interception, and forgery of e-mail is trivial. Therefore, without proper security measures, it is highly inadvisable to transfer sensitive information by e-mail or to place too much trust in information received via e-mail.
'Spam' is one of the most prevalent threats to network integrity on the public Internet. It causes denial of service at the network level by flooding bandwidth and overloading e-mail hosts. It reduces the productivity both of mail administrators and of end users. This is one area to which organizations should give particular attention when considering e-mail messaging security.
Virus protection is an important risk factor that any company should consider when connecting to the Internet. Thus, many companies are building defenses against the spread of viruses by centralizing the distribution and updating of antivirus software as a responsibility of their IS departments. Other companies outsource the virus protection responsibility to their Internet service providers or to telecommunication or security management companies.
Things to Be Emphasized For E-Security
Creating a Security Strategy.
Defenses from Viruses.
Privacy on the Internet.
Security service management.
Verification of Authenticity.
So, if we follow all these steps, we can make our entire business network safe and secure.
E-business depends on providing customers, partners, and employees with access to information in a way that is controlled and secure. Managing e-business security is a multifaceted challenge and requires the coordination of business policy and practice with appropriate technology. In addition to deploying standards-based, flexible and interoperable systems, the technology must provide assurance of the security provided in the products.
As technology matures and secure e-business systems are deployed, companies will be better positioned to manage the risks associated with disintermediation of data access. Through this process businesses will enhance their competitive edge while also working to protect critical business infrastructures from malefactors like hackers, disgruntled employees, criminals and corporate spies.
We also have to think about the prevention of malicious damage, accidental damage and unauthorized access to locations, about providing integrity and confidentiality of data, and about a disaster recovery system.