Over a casual dinner with friends, Yesterday Corp. President Tom Sincharge mentioned his companys move to e-commerce.
Id never send money over the Internet, one of his dinner partners said. Who knows whos watching.
Ive been told its all taken care of, Sincharge replied. Even so, he had to admit to himself that he didnt understand the security issues involved.
A few referrals later, he found himself on the phone with Rick Wiggins, senior systems architect at Hudson-based Gateway to Internet Services (GWIS), an Internet service provider and consultant specializing in network configuration and security.
Wiggins agreed that Sincharge was worried about the right issues: how to link his company to a worldwide audience without allowing access to sensitive data by outsiders and certain employees; and how to assure his e-commerce capabilities didnt become someone elses tool for illegal profits.
Fortunately, Wiggins told him, all of these issues are routinely addressed at businesses around the world.
The first step is a secure Web server, such as the Enterprise Server from Netscape Communications Corp. This type of protection is typically offered through a companys Internet Service Provider.
To activate the secured transaction capabilities, Yesterday Corp. also needs to obtain a digital certificate from one of a handful of authoritiesVeriSign Inc. is among the best known. Certificates are granted after proving the server itself is secure and providing documentation that proves, in essence, that the company is legitimate.
Wiggins noted that the digital certificate is only good on the specific server for which it was requested.
When a customer connects to this Web server, the digital certificate is inspected by the customers Web browser to authenticate the Web site, Wiggins says. If the Web site being visited is not identical to the information in the digital certificate, the customer is warned that the site may be misrepresenting itself. Otherwise, he says, the Web browser uses the information ... to negotiate a secure, encrypted session with the Web server.
The encryption is invisible to users at both ends of the transaction and doesnt require any special software.
The entire process of authenticating the Web site and establishing the secure session is handled automatically through the Internet and only adds a few seconds of processing time to the transaction.
Of more concern, Sincharge learned, is preventing access to any sensitive information his company might store on the same server as the Web site.
Because the public can access that server, its conceivable a hacker could access private company information.
There is also the threat of abuse by employees that may have access to the information stored on the Web server, Wiggins says. GWIS recommends encrypting sensitive information stored on the Web server using a public key cryptosystem, such as that developed by RSA Data Security Inc. These systems incorporate a public key, which is used to encrypt information and a private key which is used to decrypt it.
Without the private key, the encrypted information cannot be read. Only employees responsible for processing such information as payroll data or bank transactions would be given the private key. While there is still some risk, Sincharge was encouraged to weigh that against the likelihood of someone trying to make trouble.
Businesses that do extensive e-commerce, such as Amazon.com, might take extra precautions against cyber thievesmost obvious would be to set up dedicated Web servers that dont contain sensitive company information.
But companies such as Yesterday Corp., which plan to use it as a convenience for customers, are more at risk from internal security breachestheir own employees.
Overall, Wiggins says, the cost of security is relatively lowabout $1,300 for the Enterprise Server (whether Windows NT or Unix), plus $495 a year for a maintenance contract.
The digital certificate from VeriSign runs $349 a year (as an indication of the demand, the price has more than doubled in two years), with public key encryption systems available from many consultants as a low-cost add-on.
Equipped with that information, Sincharge followed up with his own consultants, who assured him that these standard measures had been figured into their original proposal.
What I decided, Sincharge summarizes, is that security with computers is like security with our buildings or anything else. The safety devices arent all that expensive or exotic. The real challenge is keeping your own people alert and making sure they are locking the doors, figuratively speaking.
- Evaluate greatest sources of risk: internal vs. external.
- Take ordinary precautions: Password protection; encryption of sensitive information; secured servers
- Evaluate need for higher-level security.
- Build system backups into daily or weekly business routine.
- Never forget to "lock the doors."
- Create internal security policies and enforce them.