About Us | Search | FAQ | Contact Us
Banking on security
Public paranoia has persistently dogged the banking industry's attempts to make a popular success of online banking. Similar mistrust of electronic commerce is hampering other valuable commercial Internet activities. At first glance, some of these concerns appear to be well founded. In recent months the UK press has been full of stories covering incidents that seem to indicate online banking and other online business transaction-based services still have some way to go before they can be trusted by customers. However, are we getting the whole picture?
Whilst computer security is nothing new, the open and anonymous nature of the public Internet has magnified the threat and has created potential barriers to e-business growth. A recent survey by the analyst firm IDC estimated that the total value of the e-commerce transactions in the UK would only amount to half its potential, £3 billion instead of £6 billion, for the year 2000, primarily because of concerns regarding security.
Whilst the openness of the Internet is one of its greatest strengths, allowing companies to communicate directly with customers and suppliers, it is also the greatest potential weakness, exposing corporations as never before. Without a rock solid foundation to e-security, one that can scale and grow as the business demands, huge gains could remain unrealized.
The task of making an online banking service a secure one is complex. Online banking operations must not only ensure that all communications are confidential, but must also be able to control access and verify the identity of all parties involved. Without such a comprehensive infrastructure vital data and applications are vulnerable to compromise; whether from outside or from within.
At one level, online security is actually very good indeed. All Web browsers worth their salt are endowed with the SSL (secure sockets layer) security protocol that makes practically impossible the already difficult real-time challenge of someone spying on you while you are transferring money, paying bills or buying things online.
SSL and the emerging Public Key Infrastructures (PKI), now being spearheaded by such organizations as Identrus, are based on public key cryptography. Public key cryptography provides a means of creating on-line relationships between people or organizations. By establishing a means of locking or 'encrypting' information using two keys rather than one, an element of trust can be established; one key is used to lock the padlock the other is the only key that will unlock the padlock. This pair of keys binds the participants together and creates a relationship.
This technique can be applied directly to the world of e-business where there is a need to establish many 'one to one' relationships around a single point. For instance an online bank may use a pair of keys where the bank has one secret key and the bank's customers share the same common or public key. This allows the bank to establish a confidential relationship with each customer but prevents intruders or indeed other customers from eavesdropping on individual interactions and transactions.
While public key cryptography can solve many of the security issues of e-business it is not foolproof. Two major challenges need to be overcome if it is to deliver real benefits. Firstly an organization must guard against the threat that someone other than the online bank may gain access to the single private key. Possession of this private key would enable an intruder to unlock everyone's padlock, destroy confidentiality and in certain circumstances allow an imposter to pose as a legitimate banking operation. The other issue is speed.
At a basic level customers expect Internet-based services to be up and running and fully available 24 hours a day, 365 days a year. They also expect web pages to be served without any noticeable delay. Unfortunately the computational load required by SSL encryption can cripple even the fastest secure web server, resulting in disgruntled users and lost revenue. So while encryption may enhance protection of online services there can be an unacceptable price to pay in the service offered to customers.
The solution is hardware acceleration, fast becoming an essential for web services with frequent SSL secured browser sessions. Without hardware acceleration, up to 90 percent of the computing power of your web server could be tied up by encryption calculations. Hardware acceleration such as the nFast range from nCipher can reduce this load to as little as 30 percent, ensuring the browsing experience of users isn't punctuated by long waits for responses.
Protecting the private key from compromise is more fundamental. A high level of security is required not only by secure web servers that are processing high volumes of traffic but also by servers that handle low volume, high value transactions. As with a physical lock, if the key is left in an obvious place it makes the lock easy to break. Equally, it is essential that only the people with authority to do so use the key. If either fails the whole infrastructure is compromised.
The requirements for a robust and scalable security infrastructure will depend to a large degree on the value of the information you are protecting, the cost of replacing it should the information be lost or destroyed and the potential damage to your customer relationships. The level of private key protection required within the system can only be determined by conducting a thorough risk analysis. When the impact of a security breech is not critical, the level of key protection offered by off the shelf web server software may be considered acceptable, particularly if the keys are frequently regenerated, replaced and adequately backed up.
However, when protection is business critical there is a need to go beyond pure software based solutions. It is easy to assume that the key, a very small piece of data, is safe when stored within the vast data filing system of a web server but this is not the case. Although the keys may be encrypted and safely stored on the hard drive, during cryptographic operation they must be decrypted and loaded into memory 'in the clear', making them vulnerable to attack. Dr Adi Shamir and Dr Nicko van Someren of nCipher have successfully demonstrated the risk of a 'key finding attack'.
Taking advantage of secure hardware for key storage is rapidly becoming accepted as an essential component of robust e-business infrastructures. Physically separating the keys from the server in a hardware device adds a new dimension to the overall system, providing the most effective security against key finding threats. This enhanced level of security is at the core of nCipher's range of hardware security modules where vulnerable private keys are generated and managed in the device ensuring keys never appear "in the clear".
For businesses that have established their brand value on trust, this capability is essential as they seek to generate competitive advantage in the on-line world. For the leading Finnish online broker, eQ Online, the management of private keys inside a dedicated hardware environment underpins its new service, enabling its customers to trade stocks on the Helsinki Stock Exchange from a mobile phone. nCipher hardware integrates with PKI software developed by Sonera SmartTrust to reduce security risks.
From a security perspective, e-business success requires companies to tackle a number of serious issues at the same time. Firstly to implement a level of protection that is appropriate to what is at risk. It is also vital that secure transactions can be delivered whenever a customer demands at the speed they demand. Finally it is important that any security infrastructure can cope with the explosion in demand that comes from e-business success. The challenge is to scale whilst maintaining a sufficient level of security and maintaining an acceptable level of service.
Many commentators have stated that the highest risk to companies in the world of e-business is the risk of success. Organizations need the freedom to be able to capitalize on the openness and opportunities presented by e-business without compromising the value inherent in their business. Damage that is immediate and quantifiable may be bad enough, as in the case of direct financial loss but when a compromise damages trust the consequences can be severe if not irreparable. Establishing and maintaining trust is essential to the success of e-business.
|Home | About Us | Search | FAQ | Contact Us|