E-commerce security: Sticky issues

Should an IT manager's bonus be tied to how well security works on the e-commerce site? Learn about this controversial proposal in the final installment of this security series.

By Paul Desmond

PKI refers to a set of technologies that provides strong authentication for e-commerce sites where customers are routinely placing orders worth tens of thousands of dollars or more.

One sticky issue is integrating the PKI components with existing applications that have to play along and be able to accept digital certificates. David Remnitz, CEO of IFsec, LLC, a security consulting firm in New York, says PKI vendors are taking steps to open up their systems, providing APIs or agents that foster integration with Web servers and large back-end applications like SAP and PeopleSoft. "We find PKIs are becoming fairly open in terms of their APIs, so writing to them is certainly time-consuming but absolutely doable," he says.
In this article, you'll learn about the challenges of integrating PKI components. We'll also take a look at a controversial proposal: tying a security manager's bonus to job performance.

Previous articles in the series included:
"A guide to e-commerce security"
"Policing the perimeter"
"E-commerce security: Authorization angst"

This content originally appeared in the September issue of Wiesner Publishing's Software Magazine and appears on TechRepublic under a special arrangement with the publisher.
Where to store a user's private key is another issue. If it's stored on a PC at work, that means the user will need a different key for a laptop and potentially a home PC. Rainbow Technologies says it's feasible that digital certificates could be stored on its iKey, enabling users to carry a single certificate with them. Some suggest smart cards can serve the same purpose.

Yet another problem is managing revocation lists. Typically, a CA will maintain a database of digital certificates that are no longer valid. When a transaction takes place, the CA will check each certificate against the list and reject any that involve an invalid certificate, similar to the way clerks at retail stores used to check for bad credit card numbers in a book at the register.

Paul Donfried, chief marketing officer at Identrus, a New York-based company that is developing a PKI service, says that system provides only a negative validation. "The fact that a certificate does not appear on a certificate revocation list does not tell you that it's valid, just that it hasn't been revoked," he says. Today, he notes that when credit cards are swiped at a register, a transaction is sent to the issuing bank, which responds as to whether the card is valid at that point; that's a positive validation.
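The difference Donfried draws between negative and positive validation is easy to see in code. The following is an added example written for this article, not code from the article, from Identrus, or from any PKI vendor. It models a revocation list the way the text describes it (a list of certificates that are no longer valid) next to an issuer-side check that answers whether a given certificate is good right now. Every issuer name, serial number, date and record below is constructed toy data; a real deployment would use signed X.509 CRLs and an online status protocol rather than Python dictionaries.

```python
"""Negative (revocation-list) vs positive (issuer-confirmed) certificate validation.

Added example, not from the article or from Identrus. All issuer names,
serials, dates and records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Fixed "current time" so the example behaves the same every run (constructed).
NOW = datetime(2000, 9, 15, 12, 0)


@dataclass
class CRL:
    """A revocation list as a CA would publish it: only serials known to be bad."""
    issuer: str
    revoked_serials: set
    this_update: datetime
    next_update: datetime   # after this, the list can no longer be trusted as current


@dataclass
class IssuerRegistry:
    """What the issuing CA itself knows: every certificate it issued and its status."""
    issuer: str
    issued: dict            # serial -> {"not_after": datetime, "revoked": bool}


def crl_check(crl: CRL, issuer: str, serial: int) -> str:
    """Negative validation: the strongest answer a CRL gives is 'not revoked, as of this list'."""
    if issuer != crl.issuer:
        return "unknown"        # wrong list for this issuer; it says nothing about the cert
    if NOW > crl.next_update:
        return "stale"          # list has expired; a recent revocation could be missing
    if serial in crl.revoked_serials:
        return "revoked"
    return "not_revoked"        # NOT the same as "valid"


def positive_check(registry: IssuerRegistry, issuer: str, serial: int) -> str:
    """Positive validation: the issuer states whether this certificate is good right now."""
    if issuer != registry.issuer:
        return "unknown"
    rec = registry.issued.get(serial)
    if rec is None:
        return "never_issued"   # serial absent from the issuer's records: forged or mistyped
    if rec["revoked"]:
        return "revoked"
    if NOW > rec["not_after"]:
        return "expired"
    return "good"


# Constructed sample data for a single hypothetical issuer.
ISSUER = "Example Bank CA"
FRESH_CRL = CRL(ISSUER, {1002}, NOW - timedelta(days=1), NOW + timedelta(days=6))
STALE_CRL = CRL(ISSUER, {1002}, NOW - timedelta(days=30), NOW - timedelta(days=1))
REGISTRY = IssuerRegistry(ISSUER, {
    1001: {"not_after": datetime(2001, 1, 1), "revoked": False},   # good
    1002: {"not_after": datetime(2001, 1, 1), "revoked": True},    # revoked, on the CRL
    1003: {"not_after": datetime(1999, 12, 31), "revoked": False}, # expired, never on a CRL
    # serial 9999 was never issued at all
})


def validate_both(serial: int, crl: CRL = FRESH_CRL, issuer: str = ISSUER) -> tuple:
    """Return (negative_result, positive_result) for one certificate."""
    return crl_check(crl, issuer, serial), positive_check(REGISTRY, issuer, serial)


if __name__ == "__main__":
    for serial in (1001, 1002, 1003, 9999):
        print(serial, validate_both(serial))
    print(1001, "with stale list:", validate_both(1001, STALE_CRL))
```

Serial 9999 is the case Donfried describes: it is absent from the revocation list, so the negative check reports "not_revoked", yet the issuer has no record of it and the positive check reports "never_issued". The expired certificate 1003 shows the same gap from another angle, and the stale list shows why a relying party must also check the list's own freshness before trusting a "not revoked" answer.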

Identrus does the same thing for digital certificates. It acts as the "root" CA, issuing certificates to a series of large banks, establishing a credit limit for each one. The banks, in turn, also act as CAs, issuing certificates to smaller banks and other companies, establishing a credit limit for each. As transactions take place, a positive validation is provided by the issuing CA, which assumes responsibility for damages if the certificate is proven to be bad, much as banks cover all but the first $50 of charges on a stolen credit card.

Donfried says this system provides risk management for all parties involved, something that is missing from a PKI system. Identrus makes money by collecting a small fee for every transaction it conducts.

Identrus is offering "something that's necessary for electronic commerce to occur on a broad scale," says a security executive at a large U.S. bank, who asked not to be identified. He notes that the American Bankers Association is setting up a similar authentication infrastructure.

Money and people
There are two additional issues to consider when it comes to e-commerce security—the money needed to do it right, and the people required.

Alan Paller, president of The SANS Institute, a cooperative research and education organization that focuses on security, says security organizations in general aren't well-funded at most companies, resulting in a lack of person power. "Security is this big, big job, and you've got an everyday job on top of it," he says.

Forrester notes that many companies also use the wrong incentives. Often, security teams are evaluated based on the lack of security incidents that occur, which only encourages them to deny access to resources. That is counterproductive when it comes to e-commerce, Forrester argues.

A better idea is to tie a security manager's bonuses to the revenue generated and costs deferred by e-commerce and extranet initiatives, giving them incentive to make security invisible to customers and trading partners, yet effective enough to get the job done.
Is this a good idea or an invitation to disaster? What’s the best way to reward security managers and measure their job performance? Post a note below or drop us a line.
