Skip to main navigation Skip to content Skip to footer links
 

How do e-security technologies work?

Conducting business online requires sending information safely between people and companies. When you send information over the Internet (for example, paying a bill via an online banking site or sending an email to a prospective client), there are four basic security principles you should always consider:

  • Authenticity - "How do I know who sent me this?" For most online transactions, businesses will want to know that the person conducting the transaction is who they claim to be. For example, only authorised signatories should be able to access a business bank account.
  • Security - "How do I know this hasn't been tampered with?" Businesses must be confident that transaction details and other valuable commercial information will not be accessible to anyone other than those involved in the transaction. For example, when using online banking, transaction details should not be able to be intercepted.
  • Non-repudiation - "How do I know they won't deny sending this?" Businesses need certainty that a transaction conducted over the Internet is irrevocable, and that the person who conducted the transaction will not be able to deny later that the transaction took place. For example, transfers of money between bank accounts must be accurately recorded.
  • Privacy and confidentiality - "How do I know no-one else will see this?" All businesses have an obligation to ensure that confidential customer data remains private, and that customers have control over how that information is used. As of December 2001, businesses with a turnover of greater than $3 million must comply with new Federal privacy legislation to protect customers' personal information.

There are many e-security technologies available, and each addresses these four principles in different ways. When choosing between them, you will need to consider how important each of those principles is for your planned business activity. In many cases, one technology solution will cover more than one of these areas. For instance, if a transaction has been made securely, then it should not be possible for privacy to be violated either. Not all these problems can be solved with technology alone. For instance, to ensure customer privacy it is essential for businesses to have a well-thought-out privacy policy. Similarly, you will need to implement an email security policy if you want to ensure that all employees are sending messages securely.

Authentication technologies

Business is built around trust and relationships. For these to work, customers and businesses need to be sure of who they are dealing with. In the physical world, we confirm (or authenticate) people's identities using physical information. For instance, we might recognise a person's face or their voice. If we receive a letter from a business, we will typically check to ensure the letterhead and signature are correct.

Physical checks are not possible on the Internet, so we must rely on other means to confirm identity and that the information we send and receive is not being tampered with.

Most authentication technologies rely on a combination of one or more of the following elements:

  • Something you know, such as a password or PIN;
  • Something you possess, such as a smart card or access key; and
  • Something you are - a unique physical quality, such as your fingerprint or iris (an area collectively known as biometrics).

A familiar form of electronic authentication is the use of passwords to restrict access to PCs or computer networks. A bank PIN is another use of a password, in this instance combined with a secure access device (the card you insert into the automatic teller machine). Biometric systems are rather less common, but have become more affordable in recent years.

Most e-security systems suitable for small businesses rely on password systems. Enhanced options for authenticating identities and communications include:

  • Encryption systems provide a means of sending data in encrypted or secure form between different Internet locations. Secure Sockets Layer (SSL) technology is often used for online shopping applications. When used on shopping sites, SSL is , for example, usually represented by a padlock icon that appears at the bottom of your web browser screen.
  • Public key infrastructure (PKI), which uses digital signature certificates to authenticate individuals and companies. This technology is being widely adopted by government agencies for online transactions. A simpler version, Pretty Good Privacy (PGP), is often used for emails.
  • Virtual private networks (VPNs), which are used by large businesses to allow remote employees to securely connect to central computer networks via the Internet, for example. If you are a small company but supply to larger businesses, you may find you are required to join or transact over their VPN.
  • Secure managed services, where security applications (which could include any or all of the above examples) are outsourced to an external provider. Here, service level agreements may be an issue to consider (also see below).

The workings of these different technologies are explained briefly below. A comparison of what they offer and a discussion of how to use them more effectively in your business can be found in the 'E-security Technology Overview' at the end of this guide.

Secure access (password authentication)

In password authentication systems, each user of a site or computer is assigned a unique username and password. If the correct password is entered, access to a site or service is granted; if not, access is denied. Passwords are widely implemented in many software packages, but offer only a relatively low level of security.

Password-only systems are generally regarded as being an inadequate form of security for most e-commerce activities. However, they still have a role to play in applications where the need for security is not high and costs must be kept to a minimum.

A very common form of authentication used by banks to secure access to their systems is the use of passwords combined with a security token. Security tokens are physical tokens which have a unique or randomly generated number or password. The combination of passwords and tokens is often called two factor authentication.

Secure connections (SSL)

Secure Sockets Layer (SSL) combines a basic password system with extra security for website access. Once a website verifies that a username and password match up, it creates a secure connection for exchanging confidential information.

SSL is designed to prevent anyone except the intended recipient of the message from being able to read it. It is often used by websites to sell products and services. (SSL is discussed in more detail in the section 'How can I conduct secure transactions online?')

Secure interconnection (PKI)

Public key infrastructure (PKI) is used by government agencies and banks for secure transactions. For instance, the Australian Tax Office (ATO) uses it for handling quarterly Business Activity Statements (BAS) and tax returns. In 2000/2001, 280,000 people used PKI to submit their tax returns electronically.

PKI makes use of a system known as public key cryptography, combined with carefully documented policies, to ensure that transactions are authentic and secure. Public key cryptography uses two keys to scramble and decipher messages. One key is known as a 'public key' and is widely distributed. The other is called a 'private key' and is held secretly by an individual. Messages are protected by scrambling them with the public key of the recipient. Computer algorithms ensure that only the private key held by the person you are mailing can decrypt or unscramble the message. The larger the key files involved, the higher the level of security.

In a PKI system, certificates and keys are issued by Certification Authorities (CAs) under defined guidelines, which ensures a high level of reliability. For greater security, the access keys used by these systems can be stored on security devices such as smart cards or hardware tokens (see the 'E-Security Technology Overview' at the end of this guide for more details). Sometimes, biometric identifiers (such as fingerprints) are also included to add another level of protection. This provides for a very strong level of assurance and would be used for high-value transactions.

PKI in action

Bob, the manager of XYZ Car Parts, wants to lodge his Business Activity Statement via the Internet. To enable this process, the ATO issues Bob with special software for this task, which includes the security 'keys' described below.

1. A signing key. This key is unique to Bob's business and enables the ATO to verify that Bob is really the person who has sent the BAS when it arrives. It consists of two corresponding keys: a private key, which Bob keeps, and a public key, which the ATO keeps to check Bob's messages.

2. A confidentiality key. This enables the ATO to verify that the information contained in the BAS has not been tampered with on its way from XYZ to the ATO. Like the signing key, it also consists of two corresponding keys: a public key, which the ATO issues to everyone wishing to send messages to the ATO, and a private key, which the ATO keeps to 'unlock' the messages received.

Once Bob has prepared his BAS for sending, he signs the message with his private signing key, encrypts the message with the public confidentiality key provided by the ATO, and sends the message via the Internet.

The ATO receives Bob's message, decrypts the message with the ATO's private confidentiality key and uses Bob's public signing key to check that Bob was the person who signed the message. The ATO then knows that:

  • The message genuinely came from Bob;
  • Bob cannot deny sending it; and
  • The message has not been altered from the time Bob signed it.

While this example uses the ATO, the same process could be used by any business that wanted to carry out secure transactions.  However, the keys might not be issued directly by that business; they could come from a trusted third party such as a certification authority. 

It is important that Bob is the only person who can sign his message to the ATO, just as he is the only person who can create his real-life signature on paper. To ensure this, he must keep his private signing key secret.



Secure personal connection (PGP)

Pretty Good Privacy (PGP) is a popular security option for individuals. Like PKI, it uses public key encryption. However, unlike PKI, it allows users to generate their own public and private keys. This makes it cheaper and easier to implement, but does not offer the same reassurance as a certificate issued by an independent third party.

Secure networking (VPNs)

Virtual private networks (VPNs) use advanced encryption and 'tunnelling' technologies to enable businesses to establish secure private connections between their corporate networks and third-party networks such as the Internet. VPNs allow mobile workers and businesses with multiple office sites to communicate securely at high speeds. They offer one of the highest levels of network and Internet security, but may be an expensive solution for smaller businesses.

Diagram - Paper vs Electronic transactions

Secure managed services

Many small businesses choose to outsource their information technology requirements so they can concentrate on their main business objectives. This approach can be successfully extended to security, especially if an outside company is used to host your business website. Outsourced e-security services are often referred to as secure managed services, and are usually provided for a fixed monthly fee. Secure managed services can also be an effective way of implementing technologies such as firewalls and anti-virus packages (discussed in the section 'How can I deal with other e-security threats?').

The main benefit of secure managed services is that small and medium sized companies do not need to invest heavily in e-security technologies or training. However, the business is still responsible for ensuring e-security is adequate. Any arrangement with a secure managed services provider should be based on a well-developed Service Level Agreement (SLA) that outlines the quality and type of service required and includes penalties for failure to deliver.

E-security and the real world

While e-security authentication processes may seem new and confusing, they have equivalents in the traditional business world. The diagram above shows how processes in the paper world relate to equivalent processes in the electronic world.

It is also worth noting that online authentication can be much more efficient than traditional processes. For instance, when a business receives a purchase order by fax, they will typically fulfil that order in the belief that the sender of the fax is actually who they claim to be. While a check of the letterhead or signature might be made, these elements can easily be forged. As well, the person who appears to have signed a fax may later dispute having done so, and it may be hard to prove that they did. This scenario is much less likely when electronic authentication is used, especially if both parties use PKI.

At the same time, the use of online systems can promote efficiency. Companies can save valuable time because data does not have to be re-entered from a fax to their computer system. The risk of incorrect data entry is also reduced.

The pyramid of authentication technologies

Choosing the right option

Obviously, not every business needs to invest in every available e-security technology. The level of e-security required will depend on how extensively you wish to take advantage of Internet technologies, and how much you are prepared to spend. The Pyramid of Authentication Technologies (above) shows the trade-offs in security and popularity in the main systems on offer.

Conclusion

There are many solutions available to help introduce e-security to your business. Basic systems such as passwords are low cost and easy to implement, but don't provide the same degree of security as more elaborate systems such as PKI. Your business is likely to need a mixture of solutions. For instance, you might use password protection for most internal business requirements, and PKI to lodge financial documents with your bank and government authorities.

How to make it happen

There are more details on how to implement some of these solutions in the 'E-Security Technology Overview' at the end of this guide. However, whatever solution you choose, you may decide to get an expert e-security consultant to help you implement it.

Where to go online

For more information Capability Directory of Electronic Authentication Technologies - http://www.aeema.asn.au/neac

The Defence Signals Directorate plays a key role in the protection of Australian official communications and information systems and has established the Australasian Information Security Evaluation Program.

E-security products are listed on the Evaluated Products List - http://www.dsd.gov.au/infosec/

If you are searching the Web on this topic, try the following search terms: - e-security, authentication, PKI, PGP, SSL.

  • Document ID: 19743 |
  • Last modified: 6 February 2008, 10:50am