Technology Spotlight: GTE CyberTrust

GTE CyberTrust was founded in 1996 after being split off from GTE’s government services unit. Although the company is now primarily an international provider of extranet and e-commerce security solutions for private corporations, it has recently returned to government service.

Last month, Baltimore Technologies (Nasdaq: BALT), a United Kingdom-based provider of e-commerce and enterprise security solutions, announced its intention to acquire the company in a stock deal that could be valued at $150 million (US$). The deal has not yet closed, and although the companies will combine resources, each will continue to produce and market its own security products and services.

In the following interview with the E-Commerce Times, GTE CyberTrust president Peter Hussey discusses the role of digital certificates, the advent of wireless e-commerce, and the issues and pitfalls that face the industry as a whole.

Q How do digital certificates work, and what is their role in security?

A A good analogy would be in the real, non-virtual world, where people do transactions in a store. They usually provide some form of identification and authenticate themselves when doing that transaction. Today, that might take the form of a driver’s license accompanying a credit card, as an example. There’s a picture that the clerk can look at and a face that they hopefully can recognize.

In the virtual world of the Internet, people don’t have that ability to have themselves presented. So, they need something that represents that authentication. A digital certificate is essentially the electronic credential or electronic passport, if you will, that can provide that authentication over the network. In a way, we’re essentially simulating the real world by having a form of identification or authentication.

Digital certificates play a role in that whole mechanism of providing that proof of identity in securing Internet transactions.

Q What can be done to make systems more secure than they are now?

A Your readers will be well aware of the recent news on this topic involving the distributed denial-of-service (DDoS) attacks. Online security has probably received more attention in the last few weeks than it has in the last few years. There’s a lot that can be done, some of which is just good plain enforcement of policies within companies and paying attention to fundamentals of security within organizations of systems and networks. Of course, there’s a whole range of technology and counter-measures and very proactive steps that one can take.

I think it’s very important that organizations have in place a very active security program to protect the information that is, in many cases, an absolutely critical asset. What we find is that organizations sometimes put in technology, such as a firewall, and then become relaxed because they feel that they have taken proper steps to guard against information being accessed improperly on their sites. A firewall or other individual measures are, in fact, only one step that must be taken.

Q What are the most significant security issues facing e-commerce professionals?

A The most significant issue is having in place a really comprehensive security program. I think many organizations take a very piecemeal approach to this. Doing it in a very comprehensive way is what’s so important today. If we think about it in the physical world, we have building security and safes where we store valuable documents or funds and we have a whole security program. We need to have the same thing in the virtual world.

Many organizations, particularly financial services organizations, are very, very advanced in these areas. But, quite frankly, some organizations are not. So, that recognition of the need for and the implementation of a thorough program is the most critical issue.

Q What steps can e-commerce professionals take to improve their security efforts?

A There are very particular steps they can take to implement secure measures for their environment. It starts with assessing the total set of requirements for the organization. Organizations need to assess the risks associated with protecting their information and then have a comprehensive program that starts with the network architecture and moves all the way through the PKI, which is what we would recommend in many cases as part of the infrastructure that needs to be put in place.

As an example, let’s think about a situation where someone is implementing e-commerce systems, and they want to put in place a secure extranet environment to connect one business to multiple businesses. One would want to take into consideration the requirements for the network security and the public key infrastructure that would support those transactions.