Technology Spotlight: E-Commerce Security

Originally a division of Nortel Networks in Ottawa, Canada, Entrust Technologies, Inc. (Nasdaq: ENTU) spun off as a separate international provider of electronic security solutions in December of 1996.

The Plano, Texas-based company has three product lines, including core PKI, toolkits and desktop solutions, and is currently entering the market for secure wireless e-commerce.

In this exclusive interview, the E-Commerce Times discussed e-commerce and security issues with Entrust executive vice president, CTO and co-founder Brian O’Higgins.

Q What are the major security threats to e-commerce?A The big picture is that consumers need to have trust in e-commerce, because they’re going to use it. When we’re doing electronic transactions, we need to make sure they’re secure and that there’s no compromise or breach of information later on. The level of security needs to be appropriate for the transaction. So, what you do for million dollar (US$) transactions will be a lot more than what you do for a one thousand dollar transaction, and so forth. The good news is that there’s technology around to make these transactions perfectly secure.

The best thing known to man, really, in security information, is encryption. You cannot do anything better. That technology can be applied perfectly well in electronic commerce situations.

Q Some critics point out that problems arise once data has been unencrypted and placed on a server. Where should the emphasis be for securing a complete online transaction?A The very best thing you can do is to protect the contents of the transaction — that way the information is encrypted and it stays encrypted when it lives on servers and only the intended recipients have access to that information.

However, what people do now is nowhere near that. Step zero is “do nothing for security,” and just do a standard browser-to-server transaction. Step one is to use the SSL (Secure Socket Layer) Protocol, where you just encrypt the information between the browser and the server. But as you said, the information is in the clear on the server. And when you look at the whole threat, 80 percent of the threat in computer security is insider-related anyway.

It’s not the hacker listening to the information over the wire that’s the issue. It’s someone inside the company that happens to know all the credit card numbers live on that server and they’re all in the clear, versus the hacker that is peeking across random IP addresses, hitting one of these Web servers and discovering credit card files.

So, step one is just turning on SSL to encrypt the traffic between browser and server. But this is where it starts to become an issue. I think a lot of people believe they’re doing something very good by doing that. But the reality is that it’s only slightly better than doing nothing.

Q What does Entrust offer e-commerce professionals?A End-to-end protection. We have technology that is designed to provide security for these transactions. Typically, our technology is used in a higher-end world. Much more of the business-to-business transactions — we’re not in the business-to-consumer space.

Our products are in a product category called public key infrastructure (PKI). That essentially recognizes that you’re going to use public key cryptography as the preferred mechanism to add security to transactions. When you use PKI, you need to manage keys and certificates. PKI enables you to manage the keys and certificates and add security to applications very easily and quickly.

Q What differentiates your products and services from those of other companies in your market space?A There’s a few companies like us that offer products similar to ours, but we were the first to bring this type of product to the market. It goes back about 20 years, and a lot of our work came out of Nortel originally. We spun off and became Entrust as a separate company to get these products out to the market.

What really differentiates us is that we have a total solution for these products. At different levels, we have the appropriate level of security for their transaction. Starting from the very high-end ones that governments and the military and banks — as in “bank-to-bank” — use. Now that electronic commerce is coming down to business-to-business and business-to-consumer, it’s easy for us to package these products in smaller bits so they’re appropriate for the low-end market.

Q A recent report on neural networks began with this quote from a notorious hacker/cracker: “There is no computer system that is impenetrable.” What are your thoughts about that?A There’s no such thing as a secure computer today — and there probably never will be. That’s why you need to put security on the transactions themselves. That means a hacker is always going to get into your machine. But if you protect the sensitive information, it will be encrypted for only certain people so the hacker will not be able to read that information.

Q What do you think about neural networks?A By looking at different alarms and signals that come from different computers, different parts of the network and different attacks that are running out, you can take that, and with artificial intelligence and neural net techniques, make some sense of patterns. You can detect that type of attack and then shut it down early.

That’s acknowledging that you’ll never protect everything 100 percent, so you audit the hell out of all these little events, figure out intelligently what’s happening and take action that’s appropriate. That’s a big growth area for product and technology in the next few years.

Q Some security groups claim they will find security weak spots and make the exploit code publicly available. Is this a public service, or simple “pranksterism?”A In general, if there’s vulnerability, it’s only dangerous if people know about it. The mere fact that you publish anything, in any tiny corner of the Internet, you’ve made that vulnerability much, much worse just by taking that action. That’s just part of how the industry works.

My rule of the Internet is that if anything can happen, it will. If someone finds a vulnerability — no matter what your policy is, or controls you think you have — it will be published. So, if one is found, you need to stop everything and find a solution for it as fast as you can.

Our point of view is that you should get the solution out and make that solution available first, and then the details will be disclosed. That would be the safer way of approaching policy in handling these types of incidents.

Q Those organizations that operate under what they term a policy of “full disclosure” claim that software vendors do not respond to direct notifications. Is there anything to that?A There’s probably a lot of evidence to support that. Some companies have not been very reactive at all. They build mass-market products, and they have a release schedule. They have an attitude like, “don’t bother me until the product’s out, then we can fix the problems.” That’s typically been the stance, and that’s driven people to publish all these holes, and then very quickly a patch appears.

Q Some experts point out that many companies have neglected vital security matters in the name of facing Y2K-related issues. Where should priorities be placed?A Since Y2K is kind of solved, electronic commerce is becoming priority one, and security is fundamental. Computer security is a broad subject, so I’m just focusing on electronic commerce and adding security to the transaction. People are still going to have virus problems and computers will still be broken into, but at least the important information will be secured. So, companies need to put a security infrastructure in place for e-commerce, making their systems much more secure.

Q What other security issues should e-commerce professionals be focusing on?A Privacy, which is technically a different aspect of security. Privacy is information that you don’t want known about yourself available in a public way. But security technology is often used to preserve privacy. You see comments in print — I remember Scott McNealy of Sun saying something like, “In the Internet age, privacy’s gone, get over it.” And very quickly that was a backtracked comment.

Privacy is very important to consumers. Studies have shown that the more aware consumers are of this technology, the more they’re becoming concerned about security and privacy — not less concerned. Consumers do a transaction on one site, and all of a sudden, the next time they log on to the site they get nineteen other offers customized for them and SPAM e-mails start to arrive. Their “data shadow” is moving around the world, and they’re getting worried about that.

Another issue that I’m starting to hear more about, and is especially relevant as we head into the holiday shopping season, involves when customers go through the shopping cart deal and then hit the checkout, entering a credit card number and all that kind of stuff. There are people who have software that will fiddle with the contents of your shopping cart, so you can change the price to zero, for instance.

The checkout counter forgets to do a final check against the database for pricing, and so you’ve bought something for free. So, there are many companies that won’t handle this properly and do the crosscheck. They’ll be screwed.

Merchants that jump into this without thinking it through will probably disappear. But it’s just going to add to the general suspicion about how ready this technology is for primetime — which is unfortunate — but you can put a digital signature across the contents of your shopping cart and that way no one can fiddle with it.

One other background thing worth mentioning is the digital signatures legislation that recently passed. The presence of legislation to make digital signatures legal offers a lot of guidance and tells everyone that it’s the right thing to do. It makes it simpler for people to write their agreements and it helps to accelerate the whole online security industry.

Q What advice can you offer about implementing a security strategy to those who are about to establish an e-commerce operation?A They have to make sure they take care of it — and taking care of it doesn’t mean just getting a Web server certificate and thinking you’re done. That’s where the problem is right now. We’re getting the mad rush to “turn on” e-commerce. So, the average level of sophistication is decreasing.

Q Where do you see Entrust Technologies one year from now?A What we supply is technology that secures transactions. Obviously, e-commerce is a high growth area, so there’s going to be a lot more transactions to secure. Everyone believes that e-commerce is just starting. International Data Corp. (IDC) says that it will be $3.2 trillion by 2003, which is 5 percent of the world’s GNP.

Future transactions will be on different devices, presenting a lot of opportunity [for us] to secure the increasing number of transactions.

Q Entrust has recently moved its products and services into the market for secure wireless e-commerce solutions. Please tell us more about that.A The whole game in e-commerce is about transactions. But it’s going to be the wireless devices [cell phones, PDAs, etc.] that will probably outnumber PCs in very short order. They will be the preferred vehicles for many transactions. There’s a whole series of protocols emerging which parallel the Web browser-to-Web server connection to the Internet.

In this case, it’s the micro browser and something called the WAP (wireless application protocol) server. That’s the gateway between the wireless world and the Internet world. The WAP-ready devices are starting to ship. Entrust will be issuing certificates to add a security infrastructure for all of these wireless transactions.

Q How important is this market to Entrust?A The market is going to be extremely important for us and for anyone in the e-commerce space. Just look at the numbers of cell phones versus the numbers of computers. A lot of transactions, like stock trading and auctions, lend themselves to the wireless concept. The interesting thing is that the PKI is identical, and our main business is selling PKI software and services.

So, in this case it’s just a different piece of terminal equipment which is attached to the PKI. This terminal equipment is very different now. You can’t run the standard toolkits you have for the Windows OS. It’s a totally different game. But we build connectors to PKI, and these connectors do the interface to all the wireless components.

It’s a relatively very small development effort for us, but a whole new set of partners, a whole new language and a whole new set of business rules. But remember that the Entrust roots come from Northern Telecom, or Nortel, so the telephone business is quite familiar to us. We believe that we’re very well positioned to do something significant in this new space.

The Entrust community can be found online at Entrust.com.