
07-02-2013

Chapter 12 Security and Reliability of e-Business

Learning Objectives
To understand:
- the reliability and quality considerations related to e-business
- the various e-business security requirements and application security requirements
- the requirements of a secure e-business infrastructure
- security strategies for e-business
- technical measures to build a secure e-business
E-Business

Oxford University Press 2012. All rights reserved.



Introduction
Challenges for e-business are posed by:
- critical transactions
- round-the-clock availability
- integration with many other systems
E-businesses are prone to security breaches such as theft of intellectual property, viruses, exchange of offensive material, and copyright theft.

The need to invest in security initiatives arises from:
- the rise in electronic crime and the behaviour of e-businesses
- the need to safeguard online businesses
E-safety: awareness among the users of a system of their access rights and restrictions, and adherence to them.
E-security: procedures that ensure the security of electronic data and electronic systems.

E-Business Security Policy

An e-business security policy refers to the guidelines that clearly partition the e-business into two states:
- Secure state: the system is protected from any unauthorized access.
- Non-secure state: the system is vulnerable to attacks and no controls are present.

A typical e-business security policy should have:
- clearly defined objectives and scope
- details of the e-security infrastructure
- a security management programme
- clear definitions and policies for privacy, censorship, and accountability
- technology and usage guidelines for access controls, firewalls, Internet usage, and use of security technologies
- security audit policies
- legal policies

Security policies must cover all aspects of e-business security, namely confidentiality, integrity, and availability.

E-Business Security Framework

An e-business security framework needs to consider:

People-related issues, which include:
- privacy policies and expectations
- Internet usage and restrictions
- trust-related expectations

Technology issues, which include:
- social issues
- Internet-related risks
- reliability and quality issues
- legal, technical, and organizational issues

Dimensions of e-business security

The major dimensions of e-business security are:
- Integrity: data cannot be altered without detection
- Authenticity: parties and data are what they claim to be
- Non-repudiation: a party cannot later deny having sent a message or made a transaction
- Privacy: personal information is used only as agreed with its owner
- Availability: systems and data are accessible when needed
- Confidentiality: data is disclosed only to authorized parties

Integrated Security Mechanism

The integrated security mechanism has two aspects:
- technological aspects
- legal aspects
In addition to these, there is:
- front-end security
- back-end security: database, storage-level, and information-handling security
- mid-tier security: trusted OSs, component-based security, and secured data handling

Front-End Security

Front-end security is provided through:
- SSL/TLS
- firewalls
- cryptographic protocols
- web-based security servers
- intrusion detection systems (IDS)
- integrity verification tools
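Of the mechanisms listed, an integrity verification tool is the one most easily built from scratch, and building one shows what such tools actually do: record a baseline of file digests, then report what has changed. The following is an added example written for this page (it is not code from the textbook); it uses only the Python standard library, and the directory layout, file contents and the simulated tampering are constructed for the demo. The HMAC key is a placeholder: in practice the key and the sealed baseline must be kept off the monitored host, otherwise an attacker who changes a file can simply rewrite the baseline too.

```python
"""File-integrity verification tool (added example, standard library only).

Records a baseline of SHA-256 digests for every file under a directory,
seals the baseline with an HMAC so it cannot be silently edited, and on a
later run reports added, removed and modified files. The directory layout
and the tampering below are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # skip symlinks and special files
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = sha256_file(full)
    return baseline


def save_baseline(baseline, path, key):
    """Write the baseline as JSON plus an HMAC-SHA256 over the canonical JSON."""
    body = json.dumps(baseline, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(path, "w", encoding="utf-8") as f:
        json.dump({"entries": baseline, "mac": mac}, f)


def load_baseline(path, key):
    """Read a baseline, refusing it if the HMAC does not verify."""
    with open(path, encoding="utf-8") as f:
        doc = json.load(f)
    body = json.dumps(doc["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        raise ValueError("baseline has been tampered with or wrong key")
    return doc["entries"]


def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a web root, tamper with it, re-check."""
    key = b"demo-key-keep-off-the-monitored-host"  # assumption: the real key lives elsewhere
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "cgi-bin"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Shop</h1>\n")
        with open(os.path.join(root, "cgi-bin", "checkout.py"), "w") as f:
            f.write("print('checkout')\n")
        baseline_path = os.path.join(store, "baseline.json")  # stored outside the monitored tree
        save_baseline(build_baseline(root), baseline_path, key)

        # Simulated compromise: defacement, dropped web shell, deleted script.
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Hacked</h1>\n")
        with open(os.path.join(root, "cgi-bin", "shell.py"), "w") as f:
            f.write("import os\n")
        os.remove(os.path.join(root, "cgi-bin", "checkout.py"))

        return compare(load_baseline(baseline_path, key), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script, it prints the three classes of change the simulated attack produced. A tool like this detects defacement and dropped web shells on disk; it does not see in-memory changes, and it is only as trustworthy as the place the baseline and its key are kept.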

Risks, Risk Assessment and Risk Analysis

A preferred approach to risk analysis:
1. Identify and document the organization's information assets, along with the owners of the assets.
2. Rank the systems and assets in terms of their criticality to the organization.
3. List the threats to each identified asset.
4. Identify the vulnerabilities through which each identified threat could be realised.
5. Identify the impact of the exploitation of each weakness.
6. Estimate the probability of an event in which the threat is realised.
7. Determine the level of risk associated with each of these events, combining impact and probability.

The issues dealt with by front-end security are: i. authentication, ii. authorization, iii. availability, and iv. confidentiality.
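SSL/TLS is the front-end mechanism that delivers two of these, server authentication and confidentiality, and it is routinely configured so that it delivers neither. The following added example (written for this page, not taken from the textbook, and using only Python's standard library) puts the common "make the certificate error go away" client configuration beside a hardened one and audits both against a small policy. No connection is opened, so it runs offline; the host name in open_tls() is illustrative.

```python
"""Weak versus hardened TLS client configuration (added example, standard
library only). Builds two ssl.SSLContext objects and audits each against a
minimal policy; no connection is opened, so this runs offline."""
import socket
import ssl


def legacy_client_context():
    """The 'make the error go away' configuration: no certificate validation
    and no hostname check, so any on-path attacker can impersonate the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile=None):
    """Server authenticated against a trust store, hostname bound to the
    certificate, TLS 1.2 as the floor, compression off (CRIME)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    ctx.options |= ssl.OP_NO_COMPRESSION
    if cafile:
        ctx.load_verify_locations(cafile)   # private CA for internal services
    else:
        ctx.load_default_certs()            # system trust store for public sites
    return ctx


def audit(ctx):
    """Return the policy violations found in a context (empty list means compliant)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS below 1.2 permitted")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression enabled")
    return findings


def is_compliant(ctx):
    return not audit(ctx)


def open_tls(host, port=443, ctx=None):
    """Connect with the hardened context; server_hostname drives SNI and the hostname
    check. Needs network access, so it is not called in the offline demo."""
    ctx = ctx or hardened_client_context()
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_client_context()), ("hardened", hardened_client_context())):
        print(name, audit(ctx) or "compliant")
```

The audit function is the part worth keeping: run it in a test over every context the application constructs, so that a `verify_mode = CERT_NONE` added during debugging cannot reach production unnoticed.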


Best e-security Practices Guidelines

The international standard ISO/IEC 27001, first published in October 2005, provides a model for establishing and operating an information security management system (ISMS). The motivations to comply with this standard and the associated security certification are:
- protecting customer data and information
- maintaining data integrity
- continuity in case of disaster
- protecting the organization's reputation

E-security Basics for Businesses

A business needs to define a trade-off between electronic security and its cost, and between quality of service and privacy. Policies to establish electronic security for a business should consider factors such as:
- the legal framework and its enforcement
- electronic security for financial transactions and payment systems
- certification standards and established processes for secured transactions
- education and training

Legal Framework and Enforcement

The legal framework should comprise laws for:
- electronic transactions
- e-commerce
- payment systems
- cyber crimes
- infrastructure enforcement
Apart from the legal framework itself, there is the need to enforce the law within and across national boundaries.

IT Act 2000
The Information Technology Act, 2000 (India):
- provides legal recognition to e-commerce and other electronic transactions
- defines terms such as access, certifying authority, and computer, as well as the use of digital signatures and electronic transactions
- deals with electronic records and their usage
- specifies the penalties for breach of confidentiality and privacy and for misrepresentation of information
- provides guidelines for digital signatures, digital certificates and their validity, the powers of officers in different scenarios, etc.

IT Act 2000 Cont..

The IT Act 2000 defines the punishment for:
- tampering with computer source documents
- hacking of computer systems
- publishing obscene information
(Appendix 4 provides details on the IT Act with reference to e-business.)
Source: http://nicca.nic.in/pdf/itact2000.pdf

Securing e-business Infrastructure

- electronic security for financial transactions and payment systems
- security and the e-business infrastructure
- infrastructure availability


GLB Act
The Gramm-Leach-Bliley (GLB) Act is a comprehensive US federal law governing the security and privacy of customer information held by financial institutions. It is aimed at maintaining the integrity, security, and confidentiality of customer information. It is composed of several parts, including the Privacy Rule (16 CFR 313) and the Safeguards Rule (16 CFR 314).

Examples of financial products and services that need to comply with the GLB Act:
- providing or issuing annuities
- investment advisory services
- credit counseling services
- life and health insurance products
- tax preparation
- personal property and real estate appraisals
- selling various types of bonds, money orders, travelers cheques, etc.
- issuing credit cards
- travel agency services provided in connection with financial services
- money wiring services
- real estate settlement services, and so on

Objectives of the GLBA Safeguards Rule

- Ensure the security and confidentiality of customer information.
- Protect against any anticipated threats or hazards to the security or integrity of such information.
- Protect against unauthorized access to or use of customer information held by the organization that could result in harm or inconvenience to any customer.

Role of IT Security & Policy in GLB Act

- risk assessments
- guidelines for securing computer data
- educational materials
- providing security tools and software
- providing support for security issues
- security event response
- enforcement of the GLBA


Technical and Remote Access Security Guidelines

Technical and remote access security guidelines help businesses reduce the exposure of their computer systems. For example:
- use of updated antivirus systems
- scanning of all incoming mail and communications for viruses and malware
- regular assessment of all external-facing devices
- a functioning security system
- a proper backup system
- remote access only where necessary, and only through a secured VPN
- password and access controls for remote access

Network Level Security

- firewalls
- safeguarding e-business information and network security policies
- authentication mechanisms
- intrusion detection
- intrusion handling
- network security
- anticipating network attacks
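Intrusion detection at the application edge of an e-business usually starts with the login log. The following added example (written for this page, not taken from the textbook, standard library only) runs three rules over authentication records: a brute-force rule (many failures from one IP inside a time window), a password-spraying rule (failures against many distinct users from one IP), and a "success right after a burst of failures" rule, which is the one that indicates the guess worked. The log lines and their format (ISO timestamp, result, user, ip) are constructed for the demo and are not any product's format.

```python
"""Log-based intrusion detection for e-business logins (added example,
standard library only). Rules, each firing at most once per source IP:
  - brute_force: >= FAIL_THRESHOLD failures from one IP inside WINDOW seconds
  - password_spray: failures against >= SPRAY_THRESHOLD distinct users from one IP
  - success_after_failures: a successful login from an IP with a recent burst of failures
The log lines and their format are constructed for this demo."""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LOG_RE = re.compile(r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

WINDOW = 60            # seconds
FAIL_THRESHOLD = 5
SPRAY_THRESHOLD = 4

SAMPLE_LOG = """\
2013-02-07T09:00:01Z login fail user=bob ip=198.51.100.9
2013-02-07T09:00:05Z login ok user=bob ip=198.51.100.9
2013-02-07T09:00:10Z login fail user=alice ip=203.0.113.7
2013-02-07T09:00:12Z login fail user=alice ip=203.0.113.7
2013-02-07T09:00:14Z login fail user=alice ip=203.0.113.7
2013-02-07T09:00:16Z login fail user=alice ip=203.0.113.7
2013-02-07T09:00:18Z login fail user=alice ip=203.0.113.7
2013-02-07T09:00:20Z login ok user=alice ip=203.0.113.7
2013-02-07T09:01:00Z login fail user=carol ip=192.0.2.5
2013-02-07T09:01:01Z login fail user=dave ip=192.0.2.5
2013-02-07T09:01:02Z login fail user=erin ip=192.0.2.5
2013-02-07T09:01:03Z login fail user=frank ip=192.0.2.5
this line is not a login record and must not crash the detector
2013-02-07T09:05:00Z login fail user=alice ip=203.0.113.7
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _expire(events, now, window):
    """Drop entries older than the window; events is a deque of (ts, user)."""
    while events and (now - events[0][0]).total_seconds() > window:
        events.popleft()


def detect(lines, window=WINDOW, fail_threshold=FAIL_THRESHOLD, spray_threshold=SPRAY_THRESHOLD):
    """Return a list of alert dicts in the order they fire; one alert per (ip, rule)."""
    recent_fails = defaultdict(deque)   # ip -> deque of (ts, user) failures inside the window
    fired = set()
    alerts = []

    def fire(rule, ip, ts_text, detail):
        if (ip, rule) not in fired:
            fired.add((ip, rule))
            alerts.append({"type": rule, "ip": ip, "ts": ts_text, "detail": detail})

    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue    # in production: count these, log injection often shows up here
        ts = parse_ts(m["ts"])
        ip, user = m["ip"], m["user"]
        fails = recent_fails[ip]
        _expire(fails, ts, window)
        if m["result"] == "fail":
            fails.append((ts, user))
            if len(fails) >= fail_threshold:
                fire("brute_force", ip, m["ts"], f"{len(fails)} failures in {window}s")
            users = {u for _, u in fails}
            if len(users) >= spray_threshold:
                fire("password_spray", ip, m["ts"], f"{len(users)} distinct users: {sorted(users)}")
        elif len(fails) >= fail_threshold:
            fire("success_after_failures", ip, m["ts"], f"user={user} after {len(fails)} failures")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this fires three alerts: brute force and then a success from 203.0.113.7, and password spraying from 192.0.2.5; the late failure at 09:05:00 falls outside the window and stays quiet. Per-IP windows are what fail2ban-style tools implement, and they are blind to a distributed attack that spreads guesses across many source addresses, so a second copy of the same counter keyed on the username is the usual complement. Intrusion handling starts where this stops: each alert should feed a response such as rate limiting, a temporary lockout, or a step-up authentication challenge.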


Safeguarding e-business

PKI (Public Key Infrastructure) Functions

PKI is the complete infrastructure for implementing public-key security. A number of functions come under PKI:
- issuance of certificates by a certification authority (CA)
- revocation of invalid certificates
- storage of certificates and provision of trust


Ethical, Social, and Political Issues in e-business

- social, ethical, and political issues: their severity and understanding
- privacy and information rights
- intellectual property rights
- ethical Internet governance
- ethical issues and protections
