A GUIDE TO E-commerce Security

Software Magazine, Sept, 1999 by Paul Desmond

Yet another problem is managing revocation lists. Typically, a CA will maintain a database of digital certificates that are no longer valid. When a transaction takes place, the CA will check each certificate against the list and reject any that involve an invalid certificate, similar to the way clerks at retail stores used to check for bad credit card numbers in a book at the register.

Identrus' Donfried says that system provides only a negative validation. "The fact that a certificate does not appear on a certificate revocation list does not tell you that it's valid, just that it hasn't been revoked," he says. Today, he notes that when credit cards are swiped at a register, a transaction is sent to the issuing bank, which responds as to whether the card is valid at that point; that's a positive validation.

Identrus does the same thing for digital certificates. It acts as the "root" CA, issuing certificates to a series of large banks, establishing a credit limit for each one. The banks, in turn, also act as CAs, issuing certificates to smaller banks and other companies, establishing a credit limit for each. As transactions take place, a positive validation is provided by the issuing CA, which assumes responsibility for damages if the certificate is proven to be bad, much like banks cover all but the first $50 of charges on a stolen credit card.
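The difference between the two checks is easy to see in code. The following toy model is an added example, not anything from the article or from Identrus: it puts a revocation-list lookup (negative validation) beside an issuer-answered check (positive validation) over constructed sample data, including a certificate that was never issued at all, which a CRL lookup cannot detect. Serial numbers, issuer names, credit limits and the `crl_check`/`issuer_check` functions are all assumptions made up for the example.

```python
from datetime import date

# Constructed sample: certificates presented along with transactions.
# Serial 9999 is a forgery; it names "BigBank CA" as issuer, but that CA never issued it.
PRESENTED = {
    "1001": {"subject": "Acme Corp",   "issuer": "BigBank CA"},
    "1002": {"subject": "Widgets Inc", "issuer": "BigBank CA"},
    "9999": {"subject": "Mallory Ltd", "issuer": "BigBank CA"},
}

# Negative source: the revocation list published by BigBank CA. It only records
# serials that have been revoked; it says nothing about what was issued.
CRL = {"1002"}

# Positive source: BigBank CA's own ledger of what it issued, with the expiry
# and the credit limit it established for each holder (hypothetical values).
ISSUED = {
    "1001": {"not_after": date(2000, 12, 31), "credit_limit": 250_000},
    "1002": {"not_after": date(2000, 12, 31), "credit_limit": 50_000},
}


def crl_check(serial: str) -> str:
    """Negative validation: a CRL lookup can only answer 'revoked' or 'not revoked'.
    'not_revoked' is NOT a statement that the certificate is valid."""
    return "revoked" if serial in CRL else "not_revoked"


def issuer_check(serial: str, amount: int, today: date) -> str:
    """Positive validation: ask the issuing CA whether this certificate is good
    for this transaction right now. Every answer other than 'valid' is a reason
    to reject, and the issuer is the party that stands behind a 'valid' answer."""
    record = ISSUED.get(serial)
    if record is None:
        return "not_issued"          # forged or issued by someone else
    if serial in CRL:
        return "revoked"
    if today > record["not_after"]:
        return "expired"
    if amount > record["credit_limit"]:
        return "over_limit"          # issuer will not vouch beyond the limit it set
    return "valid"


def validate(serial: str, amount: int, today: date) -> dict:
    """Run both checks so the gap between them is visible side by side."""
    return {"crl": crl_check(serial), "issuer": issuer_check(serial, amount, today)}


if __name__ == "__main__":
    today = date(1999, 9, 1)
    for serial in PRESENTED:
        print(serial, PRESENTED[serial]["subject"], validate(serial, 100_000, today))
```

Running the block shows the point the article makes: the forged serial 9999 comes back `not_revoked` from the CRL, because a list of revoked certificates has nothing to say about a certificate that was never issued, while the issuer-answered check returns `not_issued`. The credit-limit branch is the toy-model counterpart of the per-bank limits the article describes; a real deployment would carry the amount and the CA's signed answer inside a protocol message rather than a local dictionary lookup.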

Donfried says this system provides risk management for all parties involved, something that is missing from a PKI system. Identrus makes money by collecting a small fee for every transaction it conducts.

Identrus is offering "something that's necessary for electronic commerce to occur on a broad scale," says a security executive at a large U.S. bank who asked not to be identified. He notes that the American Bankers Association is setting up a similar authentication infrastructure.

Money and People

There are two additional issues to consider when it comes to e-commerce security -- the money needed to do it right, and the people required.

The SANS Institute's Paller says security organizations in general aren't well-funded at most companies, resulting in a lack of person power. "Security is this big, big job and you've got an everyday job on top of it," he says.

Forrester notes that many companies also use the wrong incentives. Often, security teams are evaluated based on the lack of security incidents that occur, which only encourages them to deny access to resources. That is counterproductive when it comes to e-commerce, Forrester argues. A better idea is to tie a security manager's bonuses to the revenue generated and costs deferred by e-commerce and extranet initiatives, giving them incentive to make security invisible to customers and trading partners, yet effective enough to get the job done.

Paul Desmond is East Coast editor for Software Magazine. E-mail him at pdesmond@softwaremag.com.

Pulling It All Together

For companies that don't want to go it alone, there are many service providers looking to help with pieces of the security puzzle.

Content provided in partnership with Thompson Gale