A Framework For Information Security In Ebusiness


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Please click this link to view samples of our professional work written by our professional essay writers. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.

Abstract

The Internet was not designed for commercial purposes; hence, its original purpose was not to handle secure transactions. Management of information security is a high priority because in the new economy information is critical both as input and output. In contrast, the Internet, which is the primary medium for conducting e-business, is by design an open, non-secure medium. This paper first presents the possible security issues that may be faced when doing business on the Internet. It then presents a six-stage framework for ensuring e-business security. Linking computers together means that you can access other people's data, but it inevitably follows that this allows others to access data on your own system. Until individual computers or networks are linked together they resemble `islands' of electronic data. Security on a data island is simple: reassuringly firm borders trap all unauthorized entrants. However, when you build bridges by creating a network link, this approach on its own is inadequate. When a computer connects to the Internet, it loses its island status because the integrity of its `borders' is compromised. The six-step framework discussed in this paper will help to secure information at each level during transmission to its final destination.

Keywords: Confidentiality, e-Business, Information, Security, Trust, Threats, Vulnerability

Introduction

The Internet [11] represents an insecure channel for exchanging information, leading to a high risk of intrusion or fraud, such as phishing. Different methods have been used to protect the transfer of data, including encryption. Whereas the original purpose of the Internet [9] was to move files among computers, to enable easy remote access to computers, and to build redundancy into the distributed system that it is, its use for commercial purposes has grown tremendously since the development of the World Wide Web. Simplicity and ease of use were the prime motivations for designing the Internet. Security, both for the Internet and the Web, came as a later development, almost an afterthought. Users may [1] be responsible for a number of vulnerabilities that lead to serious security breaches, because they use software without complete knowledge of it.

In the new economy, information is critical, so a high level of security is required. Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. It is a general term that applies regardless of the form the data may take. The new economic realities place even greater demands on security. Financially driven security threats are on the rise. Workforce turnover puts sensitive information at risk. Business productivity tools can become unproductive when they expose corporate data to theft, loss, slowdown, infection, or leakage. With increased [7] demand for mobility and teleworking, the network perimeter is disappearing. Clearly, business resources still need protection, yet security budgets are being squeezed. Businesses require affordable solutions that do not sacrifice security or performance.

This paper is in two parts. The first part presents an outline of the significance and impact of information security for e-business, with emphasis on the security threats and the potential losses that could arise from those vulnerabilities. E-business security is analyzed as consisting of seven dimensions: confidentiality, integrity, availability, legitimate use, auditing, privacy and non-repudiation. The consequence of each type of security breach is discussed and various technological solutions are presented. In the second part of the paper, it is argued that security is needed at every level of transmission. Therefore we advocate a framework to provide security for e-business. The primary proposition of this paper is that effective e-business security decisions have to be part of an overall corporate information security and risk management policy. We propose a six-step sequential decision-making process as a system for e-business security management. We show that e-business security risk lends itself quite naturally to well-established risk assessment, risk analysis, and risk management methodologies and strategies. The paper concludes that the proposed approach makes the problem amenable to market pricing of the e-business security risk and enables risk transfer, hedging and/or insurance solutions to be applied in the management of information security.

Importance of corporate information security

Information security [4][5] is a business issue, not just a technology issue. The reason organizations want to protect information should be for sound business purposes. Corporate knowledge and data are arguably the most important assets of any organization. Corporations must ensure the confidentiality, integrity and availability of their data. In today's Internet world it is very easy to breach security, whether accidentally or intentionally, so a small lapse can lead to a large loss for the organization. This is a major challenge for businesses that want to take advantage of current information technology.

According [2] to InformationWeek Research's Global Information Security Survey conducted in June, 2000, nearly three-quarters of information security professionals regard security as a top priority, up from 56% two years ago. Those in banking, health care, finance, and telecommunications rate information security as the highest business priority, with retailers a little less concerned. In every sector, security is regarded as a key business driver.

Common Security Threats to e-Business Security

Integrity

Integrity refers to the ability to ensure that information being displayed on a Web site, or transmitted or received over the Internet, has not been altered in any way by an unauthorized party. Information or data may be intercepted or modified as it travels across a number of networks before reaching its final destination. This modification could be the work of a hacker, a network administrator, a disgruntled employee, government agents or a corporate business intelligence gatherer; it could also be unintentional.

A secure [13] system ensures that the data it contains is valid. Data integrity means that data is protected from deletion and corruption, both while it resides within the database and while it is being transmitted over the network. Integrity has several aspects:

System and object privileges control access to application tables and system commands, so that only authorized users can change data.

Referential integrity is the ability to maintain valid relationships between values in the database, according to rules that have been defined.

A database must be protected against viruses designed to corrupt the data.

The network traffic must be protected from deletion, corruption, and eavesdropping.

A Business Week/Harris Poll [6] found that over forty percent of online shoppers were very concerned about the use of personal information, and 57% wanted some sort of laws regulating how personal information is collected and used [Harris Poll 2000]. Similarly, Culnan [2000] argued that privacy concerns were a critical reason why people do not go online and why they provide false information online.

Non-repudiation

Non-repudiation refers to the ability to ensure that e-commerce participants do not deny (i.e., repudiate) their online actions. Non-repudiation is the concept of ensuring that a contract, especially one agreed to via the Internet, cannot later be denied by one of the parties involved. In regard to digital security, non-repudiation means that it can be verified that the sender and the recipient were, in fact, the parties who claimed to send or receive the message, respectively. In other words, non-repudiation is the ability of a system to prove that a specific user, and only that specific user, sent a message and that it hasn't been modified.

During [8] the last decade open networks, above all the Internet, have seen impressive growth. As a consequence, new security issues, such as non-repudiation, have to be considered. Repudiation is defined as the denial by an entity of having participated in all or part of a communication.
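To make the definitions above concrete, here is an added Go example (not code from the paper): the customer signs an order with a private key only they hold, so the commerce server can later prove who sent it (non-repudiation) and that it arrived unaltered (integrity, as defined earlier). The order format and the choice of ECDSA over P-256 with SHA-256 are the example's own assumptions; the same mechanism is the digital signature technology that Step 4 of the framework lists.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Order is a constructed e-business message whose origin and integrity must be provable.
type Order struct {
	Customer string
	Item     string
	Quantity int
	Price    int // in pence
}

// canonical renders the order with a fixed field order so signer and verifier hash identical bytes.
func canonical(o Order) []byte {
	return []byte(fmt.Sprintf("customer=%s;item=%s;qty=%d;price=%d", o.Customer, o.Item, o.Quantity, o.Price))
}

// GenerateCustomerKey creates a P-256 key pair; the private half stays with the customer only,
// which is what lets a valid signature be attributed to that customer and nobody else.
func GenerateCustomerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignOrder signs the SHA-256 digest of the canonical order with the customer's private key.
func SignOrder(priv *ecdsa.PrivateKey, o Order) ([]byte, error) {
	digest := sha256.Sum256(canonical(o))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyOrder is what the commerce server runs: it returns true only if sig was produced over
// exactly this order by the holder of pub. A changed field or a different signer yields false.
func VerifyOrder(pub *ecdsa.PublicKey, o Order, sig []byte) bool {
	digest := sha256.Sum256(canonical(o))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	key, err := GenerateCustomerKey()
	if err != nil {
		panic(err)
	}
	order := Order{Customer: "alice", Item: "widget", Quantity: 2, Price: 1999}
	sig, err := SignOrder(key, order)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine order verifies:", VerifyOrder(&key.PublicKey, order, sig))
	order.Quantity = 200 // a modification in transit
	fmt.Println("tampered order verifies:", VerifyOrder(&key.PublicKey, order, sig))
}
```

The signature binds the order to one key pair, so the same check that detects modification also rules out a different party having sent it.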

Confidentiality

Confidentiality refers to the ability to ensure that messages and data are available only to those who are authorized to view them. Confidentiality involves making information accessible only to authorized parties, or restricting access by unauthorized parties. To maintain the confidentiality of information in e-business, an organization has to prevent information from being accessed or viewed by unauthorized persons.

The ethical [3] duty of confidentiality is defined by the British Medical Association as `the principle of keeping secure and secret from others, information given by or about an individual in the course of a professional relationship'. In the UK the legal duty of confidentiality is underpinned by the Data Protection Act (1998), regulating the processing of information (`data') that could lead to the identification of individuals, including its collection, storage, and disclosure. To ensure the protection of confidentiality in an electronic environment the General Medical Council (GMC) recommends that doctors should:

Make appropriate security arrangements for the storage and transmission of personal information.

Obtain and record professional advice given prior to connecting to a network.

Ensure that equipment, such as computers, is in a secure area.

Note that Internet e-mail can be intercepted.

Privacy

Privacy refers to the ability to control the use of information about oneself. `Privacy' is a vaguely defined [3][12] term that, in an online context, includes the right of an individual to:

Determine what information is collected about them and how it is used. Sometimes we are not aware what data are being collected about us (e.g. via `cookies' on a Web site--see Glossary) or how it may be used. Registering with a Web site (i.e. giving your name, e-mail address, medical registration number, etc.), for example, may enable that site to keep track of what you--a readily identifiable individual--view or spend online. Such information could be passed on to third parties. Some sites publish `privacy policies' in an attempt to inform users and reduce the chances of patients or healthcare professionals placing their privacy at risk.

Access information held about them and know that it is accurate and safe.

Anonymity (e.g. not having your Web-browsing habits tracked).

Send and receive e-mail messages or other data (e.g. credit card numbers) that will not be intercepted or read by persons other than the intended recipient(s). Encryption (discussed below) is one way of ensuring this.


Auditing

From [2] an accounting perspective, auditing is the process of officially examining accounts. Similarly, in an e-business security context, auditing is the process of examining transactions. Trust is enhanced [10] if users can be assured that transactions can be traced from origin to completion. If there is a discrepancy or dispute, it will be possible to work back through each step in the process to determine where the problem occurred and, probably, who is responsible. Order confirmations, receipts, sales slips, etc. are examples of documents that enable traceability. In a well-secured system, it should be possible to trace and recreate transactions, including every subcomponent, after they are done. An effective auditing system should be able to produce records of users, activities, applications used, system settings that have been varied, etc., together with time stamps so that complete transactions can be reconstructed.
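As an added Go example (not from the paper) of reconstructing a transaction from such records: the constructed audit entries carry user, application, activity, time stamp and transaction id, are stored out of order, and the code rebuilds each transaction by time stamp and names the first expected step that never happened, which is where to start looking for the problem. The step sequence and the sample entries are assumptions of the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuditRecord is one audit log entry: who, through which application, did what, when, for which transaction.
type AuditRecord struct {
	Timestamp   time.Time
	User        string
	Application string
	Activity    string
	Transaction string
}

// at parses an RFC 3339 time stamp; the sample data below is constructed and hand-written.
func at(s string) time.Time {
	t, err := time.Parse(time.RFC3339, s)
	if err != nil {
		panic(err)
	}
	return t
}

// SampleLog is a constructed audit trail, deliberately out of order: the time stamps, not the
// storage order, are what restore the sequence of each transaction.
var SampleLog = []AuditRecord{
	{at("2017-11-02T09:14:05Z"), "alice", "webshop", "order_placed", "T1001"},
	{at("2017-11-02T09:14:09Z"), "system", "payment-gw", "payment_authorized", "T1001"},
	{at("2017-11-02T09:13:58Z"), "alice", "webshop", "cart_checkout", "T1001"},
	{at("2017-11-02T09:20:00Z"), "bob", "webshop", "cart_checkout", "T1002"},
	{at("2017-11-02T09:20:04Z"), "bob", "webshop", "order_placed", "T1002"},
}

// ExpectedSteps is the sequence every complete sale must pass through, in order.
var ExpectedSteps = []string{"cart_checkout", "order_placed", "payment_authorized", "dispatched"}

// ReconstructTransaction returns every record of one transaction in time order.
func ReconstructTransaction(recs []AuditRecord, txn string) []AuditRecord {
	var steps []AuditRecord
	for _, r := range recs {
		if r.Transaction == txn {
			steps = append(steps, r)
		}
	}
	sort.Slice(steps, func(i, j int) bool { return steps[i].Timestamp.Before(steps[j].Timestamp) })
	return steps
}

// FirstMissingStep names the first expected step with no record, i.e. where the process stopped; "" means complete.
func FirstMissingStep(steps []AuditRecord) string {
	done := map[string]bool{}
	for _, s := range steps {
		done[s.Activity] = true
	}
	for _, want := range ExpectedSteps {
		if !done[want] {
			return want
		}
	}
	return ""
}

func main() {
	for _, txn := range []string{"T1001", "T1002"} {
		steps := ReconstructTransaction(SampleLog, txn)
		fmt.Printf("%s: %d steps recorded, stopped before %q\n", txn, len(steps), FirstMissingStep(steps))
	}
}
```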

Availability

Availability refers to the ability to ensure that an e-commerce site continues to function as intended. Availability means that systems, data, and other resources are usable when needed despite subsystem outages and environmental disruptions. Lack of availability is essentially loss of use. A secure system makes data available to authorized users without delay. Denial-of-service (DoS) attacks are attempts to block authorized users' ability to access and use the system when needed, and they are the most commonly known cause of availability problems, although there are other common causes such as outages, network issues, or host problems. The goal is to ensure that system components provide continuous service by preventing failures that could result from accidents or attacks. System availability [13] has the following aspects:

Resistance:

A secure system must be designed to fend off situations, or deliberate attacks, which might put it out of commission. For example, there must be facilities within the database to prohibit runaway queries. User profiles must be in place to define and limit the resources any given user may consume. In this way the system can be protected against users consuming too much memory or too many processes (whether maliciously or innocently), lest others be prevented from doing their work.

Scalability:

System performance must remain adequate regardless of the number of users or processes demanding service.

Flexibility:

Administrators must have adequate means of managing the user population. They might do this by using a directory, for example.

Ease of Use:

The security implementation itself must not diminish the ability of valid users to get their work done.

Identification, Authentication and Authorization (Legitimate use)

Legitimate [2] use has three components: identification, authentication and authorization. Identification is the process by which a user (human or machine) positively identifies itself to the host (server) with which it wishes to conduct a transaction. The most common method for establishing identity is by means of a username and password. The response to identification is authentication. Without authentication, it is possible for the system to be accessed by an impersonator. Authentication usually requires the entity that presents its identity to confirm it by something the client knows (e.g. a password or PIN), something the client has (e.g. a smart card or identity card) or something the client is (biometrics: a fingerprint or retinal scan).

Once an entity has been uniquely identified, the next step in establishing legitimate use is to ensure that the entity's activities within the system are limited to what it has the right to do. This may include access to files, manipulation of data, changing system settings, etc. A secure system will establish a well-defined authorization policy together with a means of detecting unauthorized activity.

Understanding the Many Dimensions of e-Business Security

In an Internet environment [13], the risks to valuable and sensitive data are greater than ever before. Figure 1 presents an overview of the complex computing environment which your data security solution must encompass.

You must protect databases and the servers on which they reside; you must administer and protect the rights of internal database users; and you must guarantee the confidentiality of e-commerce customers as they access your database. With the Internet continually growing, the threat to data traveling over the network increases exponentially. To protect all the elements of complex computing systems, you must address security issues in many dimensions, as outlined in Figure 1.

One of the problems of the current e-business security implementation is that components of e-business infrastructure tend to be looked at individually and separately for security purposes. The current common "security policy" implemented by most e-businesses runs like this: assemble a catalogue of threats and vulnerabilities and then shop for technology tools that alleviate those concerns. Security solutions are targeted at counteracting specific groups of threats and vulnerabilities. However, what is needed are comprehensive solutions that will produce peace of mind to the business and trust and confidence in customers and partners.

PROPOSED FRAMEWORK

A typical three-tier e-business architecture comprises the client, web and commerce servers, and database servers. A systematic implementation of e-business security must ensure that each of these components is secure. This requires security policy, tool or technology and implementation at three levels: network security, system level security and transaction level security. For that purpose a six-stage security management strategy is proposed:

Step 1: Analyze the security issues and risks in business over internet.

When analyzing the security issues, some basic security questions that must be answered are:

What components are most critical but vulnerable?

What information is confidential and needs to be protected?

How will confidentiality be ensured?

What authentication system should be used?

What intrusion detection systems should be installed?

Who has authority and responsibility for installing and configuring critical e-business infrastructure?

What plans need to be in place to ensure continuity or minimum disruption of service?

Step 2: Identify and rank the risks based on threats, vulnerabilities and cost.

Risk assessment is based on identifying threats, vulnerabilities and cost. Threat is simply the probability of an attack. Vulnerability is 1 minus system effectiveness (which is a number less than 1); that means 100% system effectiveness will produce zero risk. Cost of disruption is a measure of what it costs to restore the system to full function plus any loss of revenue that may occur during the disruption period. One way to mitigate this cost is to build in redundancies.
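A worked instance of this ranking, as an added Go example rather than the paper's own: it assumes the three factors combine as threat × vulnerability × cost, which the paper implies (100% effectiveness gives zero risk) but does not write out, and the component figures are constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Component is one element of the three-tier architecture with the three Step 2 factors.
// The numbers used in main are constructed for illustration.
type Component struct {
	Name          string
	Threat        float64 // probability of an attack in the assessment period, 0 to 1
	Effectiveness float64 // effectiveness of the existing controls, 0 to 1
	Cost          float64 // restoration cost plus revenue lost during the disruption, in GBP
}

// Vulnerability is 1 minus system effectiveness, as Step 2 defines it.
func Vulnerability(c Component) float64 {
	return 1 - c.Effectiveness
}

// Risk combines the three factors as threat x vulnerability x cost (an expected loss in GBP).
// This multiplicative form is an assumption of the example; it matches the paper's remark that
// 100% effectiveness produces zero risk, since the vulnerability factor is then zero.
func Risk(c Component) float64 {
	return c.Threat * Vulnerability(c) * c.Cost
}

// RankRisks returns a copy of the components ordered from highest to lowest risk.
func RankRisks(cs []Component) []Component {
	out := append([]Component(nil), cs...)
	sort.SliceStable(out, func(i, j int) bool { return Risk(out[i]) > Risk(out[j]) })
	return out
}

// WithRedundancy models the mitigation the paper suggests: redundancy shortens the disruption,
// so only the fraction `remaining` of the original cost is still at stake.
func WithRedundancy(c Component, remaining float64) Component {
	c.Cost *= remaining
	return c
}

func main() {
	components := []Component{
		{"database server", 0.3, 0.5, 200000},
		{"web/commerce server", 0.6, 0.7, 50000},
		{"client workstation", 0.8, 1.0, 10000},
	}
	for _, c := range RankRisks(components) {
		fmt.Printf("%-20s vulnerability=%.2f risk=£%.0f\n", c.Name, Vulnerability(c), Risk(c))
	}
	db := WithRedundancy(components[0], 0.25)
	fmt.Printf("database with redundancy: risk=£%.0f\n", Risk(db))
}
```

Note that the client workstation, the most likely target in this constructed set, ranks last because its controls are fully effective; the ranking follows the combined factors, not the threat probability alone.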

Step 3: Devise an e-business security solution (policy, tool or technology) accordingly.

After identifying the risks, it is time to design or develop a security solution. The best security solution is a security policy for risk management; according to the type of security issue, a security tool or technology can be devised. A security solution should have the following characteristics:

The solution (policy, tool or technology) must be clear and concise

It must be easy to implement

The policy must have built-in incentives to motivate compliance

Compliance must be verifiable and enforceable 

Systems must have good control for legitimate use: access, authentication, and authorization

There must be regular backup of all critical data

There must be a disaster recovery and business continuity plan

Step 4: Implement the security solution to all components of the 3-tier e-business architecture.

The security solution must be implemented for all the components of the e-business architecture. It is necessary to secure all the components at each level, so that data or information is not lost, accidentally or intentionally, at any level. Each component has to be addressed with a view to implementing a complete, secure e-business infrastructure. Notable elements in that strategy will include cryptography, PKI and digital signature technology.

Step 5: Establish an effective monitoring and feedback system.

Implementing effective e-business security is a dynamic process. The technology is changing very fast and so are the threats and vulnerabilities. Creating a security and risk management culture is a slow process. It is necessary to establish an effective monitoring and feedback system in order to determine the required changes and improvements.

Step 6: Revise and enforce security system according to challenges.

The e-business security solution must be flexible. As information technology grows day by day, security has to face a number of new challenges. A flexible security system allows itself to be revised or modified according to those challenges.

Conclusion

Day-to-day challenges to information security cannot be ignored. In today's networked world a purely technological approach is not sufficient to conduct secure e-business between companies and their clients with confidence. The development and improvement of technologies have brought success to e-business. However, high technology has also attracted people who misuse it, such as hackers and cybercriminals, who can compromise e-business privacy easily. Thus, e-business companies should build trust and use security during business transactions. To provide value to customers through the services and goods provided, research has found that companies should build up trust and security to protect their customers. Confidentiality is a necessity between company and client. Security is required when information is transmitted across trusted or untrusted networks. The proposed framework will help to solve the security issue step by step using the six stages. Two conditions are necessary for this new approach to become effective: first, an organization must understand the different security issues and risks at different levels and apply a solution at each level; second, the security solution must be modifiable according to new challenges.


