Messaging in the Millennium:
Support for Secure Electronic Commerce
(Originally published in Messaging Magazine, March/April 1999)

By Helen R. Hammond, Blue Cube Strategic, LLC,
and Mary V. Fisher, ARINC, Incorporated

Messaging will be the supporting mechanism for secure electronic business processing. That’s what we discerned when we recently gathered information from 20 large enterprises about their intentions for implementing secure electronic commerce. In our research, we interviewed representative companies in banking, securities, insurance, health care, government, automotive, and manufacturing. The responses to our in-depth discussions with well-placed contacts at these top companies portray an interesting picture of the emergence of secure business-oriented electronic commerce.

We learned that more than 80% of the companies have already begun projects to address some part of information security. Predominantly, these projects focus on internal business processes. A few enterprises have investigated security issues related to engaging in business activities with companies outside their enterprise. Introducing secure e-mail is their initial approach for implementing programs focused on external activities.

Employee authorization for access to applications and data, implemented over corporate intranets, is the predominant program for internal business processes. Companies expect that once this approach is settled internally, the means for secure external access to corporate data, such as for customers and suppliers, will become available. Companies repeatedly named single user sign-on as their most important need for external access solutions. By inference, that single sign-on will likely also be the method by which users are authenticated.

Secure passwords were mentioned most frequently as the means for ensuring that users of systems were authenticated. Public key cryptosystems were not ranked highest in the arsenal of current security mechanisms. However, it is increasingly evident that public key systems will be needed to ensure both authentication and authorization of internal and external users. This leaves the need for a Public Key Infrastructure (PKI) in a state of limbo. The PKI, consisting of overarching policies, trust models, and the supporting hardware and software platforms, is a high-value investment. So the PKI will only emerge as rapidly as the demand for public key cryptosystems from major enterprises does.

Our respondents clearly understand the importance of their legacy systems. Large data center systems, encompassing both transactional processes and databases, will not be replaced or superseded. Electronic commerce with external access must be made to work within the present environment. However, our respondents understand that by introducing external access to their legacy systems, security will become a major concern. Here is what we learned about how these companies view secure electronic commerce within their legacy environments.

Timing
Companies told us that their first step would be to learn the basics of secure electronic commerce within their own enterprise before venturing into an open relationship with others. Then, as they continue to implement an open electronic commerce environment, they will work with others inside their own industry. Internal business processes are being selected first and enabled for secure transactional processing. Significantly, many of these use e-mail as the method for introducing networked access to internal data or processing.

Once the internal solution is understood, the plans are to mimic that method for an external purpose. In the next year, almost 75% of the companies in our survey will address one or more internal processes with secure messaging and electronic commerce solutions.

Because of the focus on internal approaches first, we do not expect significant effort toward implementing external approaches until next year. Thus, major efforts to integrate and interoperate between major vertical industries will not be on the roadmap until much later.

In analyzing our research, we identified a preference for evolving to an end state of open electronic commerce. There was no preference for superseding any current business or technical approach. The expectation of those we interviewed was that their enterprise would "fit" a solution into their current environment as standards and software solutions became widespread in their industry. We see this slow-growth approach contributing to our prediction of the timing for fully implementing business-to-business commerce.

Standards
The need for interoperable standardization is acknowledged. However, individual companies will argue strongly for their own approach or selected standard, asserting that it is best for their vertical industry. We found in many of our interviews that there is a significant amount of this presumption of "rightness." Particularly in the area of security models, it seems that once an enterprise has selected a security vendor and embraced that vendor's standard implementation, the enterprise then begins to advocate for that standard throughout the community. Sometimes two companies within the same industry, each having selected a different vendor's approach, advocate against each other. It can then become a case of "dueling vendors" within the industry.

Architecture
Our contacts told us that they believe middleware solutions will become the means for moving into secure electronic commerce. The expected architecture is a server and software that resides in front of transactional processing servers and corporate databases. The middleware software and the transactional server will interoperate with e-mail, e-forms, and Web browsers, as well as with supporting PKI components, as the enterprise begins to engage in external electronic commerce. In this way the enterprise can ease into broader electronic commerce at its own pace and with a managed cost approach.

Approaches and Actions
We think it is exciting that the companies we interviewed would soon be trying various means to engage in electronic business processes. However, we discovered that many of them have only a basic understanding of how to address opening their enterprises to external activities, with the accompanying need for security. In the absence of clear and broad knowledge within their companies on how to make it all work, they adopt a conservative manner. In many cases they choose to "wait and see" rather than to strategically position themselves. The wait and see approach will probably serve most of them well, so long as they take some initial small and cost effective steps. We discovered most of them planning to do just that.

The business and technical requirements will emerge quickly as companies engage in more and more electronic cooperation with their customers and suppliers. The expectation is that a vertical industry will begin to experience a growing amount of electronic business-to-business activity. Then the accompanying tension of how to secure their internal data and business processes from the effects of unwanted or unexpected activity will arise. Companies within an industry will select security solutions to support their enterprises. The process of selection will come about less by analytical foresight and more by successful responses emerging over time. Thus evolution occurs, with companies selecting security components one by one. Once beyond the initial selection steps, the process is likely to become self selecting because each new choice will be reinforced by how well it fits within the whole solution that has evolved up until that point.

Blueprint for Engaging in Secure EC
It is useful to repeat that our research leads us to believe that an enterprise will address a need for electronic commerce by starting with internal business processes. In some cases this may involve reengineering a selected process to make it compatible with an electronic commerce solution. Or the enterprise may introduce a form of "middleware," such as a messaging system, to initiate the solution. For example, employees at remote locations will start to send electronic travel vouchers to a central accounting location. To do this, the company might create an e-form version of the travel voucher and allow the end user to fill it in and send it as an attachment to an e-mail. Another example is a field service technician signing on through a Web browser to access customer configuration data.

Here’s another example. If a company internally chooses to permit an employee to securely verify benefit balances, and introduces an intranet with a browser linked by messaging to the benefits or finance databases, the resulting architecture will quickly become a learning field for a similar browser-initiated query from a customer. So there is a likelihood that suppliers will be offered a browser and messaging-based solution for sending queries about inventory or order status to the enterprise. One of our respondents is experimenting with this approach now.

The important thing is that the enterprise is learning its lessons about what works and what doesn’t from an internal view of business processing. Thus, when the enterprise looks outward and decides to extend electronic processing to suppliers or customers, we believe their preference will be for an architecture that mimics what worked well internally.

In Figure 1 we show the general architecture that we believe will emerge when large enterprises open their legacy systems to electronic commerce.

Figure 1. Architecture

Implications
It is clear that large enterprises are going to leverage the advantages of electronic means for engaging in commerce with one another. Our research shows that companies are taking steps to begin the process of enabling access to their business applications, but there remains a concern about how fast to proceed. There is also a concern about how best to open their internal business applications to external processes, including electronic commerce. Users, vendors, and providers of messaging and Internet services all need to be conscious of how this unfolds. We offer here our suggestions for moving into the millennium with workable secure electronic commerce solutions.

Users
User companies need to put programs together to begin cautiously but certainly to implement secure access to corporate processes and data. Start with employees. Introduce networked business applications by using messaging servers and Web servers. Address security by moving from the simple to the complex. Plan to build up to the strongest security solutions, so you can learn lessons along the way about what works within your enterprise and what is being used by others in your industry. Keep the end in mind but go step by step. Open your enterprise for business-to-business networking in the same way, slowly. Move from simple to complex activities. Work within your industry for a common understanding of appropriate mechanisms in support of secure commerce.

Vendors
Vendors should focus on immediate solutions that work. Monolithic, high cost implementations are not likely to catch on quickly. But keep in mind that each step should be moving on a path to a fully functional secure solution. Message-based capabilities seem ideal for moving in small steps. There are quite a number of adequate security capabilities within messaging systems. These can be implemented one by one to improve the process as it evolves. By the time strong security methods are required, the foundation will be in place and the users will be comfortable with advancing to the more complex administrative and usage issues of public key systems.

Vendors can also benefit by being accepted first within an industry. Companies will advocate on behalf of a solution that works well for them. By helping an industry move more quickly and credibly to de facto standards, the vendor benefits.

Keep in mind that companies want to do both—keep their current enterprise systems and databases and engage in open electronic commerce. Middleware solutions that permit an enterprise to bridge between legacy systems and the open access of electronic commerce need to be developed. Vendors must keep the solution easy to understand and administer. We think messaging software and server vendors will benefit greatly by meeting these needs.

Security solutions vendors must find ways to educate and enlighten user companies about their products. The perceived complexity of public key systems can be overcome through education, training, and expanded usage. Vendors with an interest in seeing PKI emerge can benefit from making public key systems seem friendlier and easier to understand. The PKI will not emerge faster than the users choose to implement public key systems.

Messaging and Internet Service Providers
Providers of messaging and Internet services need to look closely at how users will architect their electronic commerce environments. We think there are multiple service provider opportunities emerging. Support of the middleware environment is one example. Establishing a secure community of interest, which can be both open and closed, is another. Rules-based access and single sign-on methods hosted by a messaging service provider on behalf of an enterprise are also a possibility.

When vertical industries start to interoperate among themselves, the messaging and Internet service providers will benefit if they can bridge the gap of interoperability between industries. It is unlikely that implementations of standards in support of secure electronic commerce will be identical among all industries. This means the service providers need to have a foot inside each vertical industry, and then build a bridge from one to the other.

We also think that messaging and service providers can benefit if they find a method for simplifying the entire electronic commerce process for the users. The emergence of messaging outsourcing is one example of a simple way for an enterprise to have a fully functioning system without having to address the growth and expansion concerns. If messaging and Internet service providers offer an electronic commerce service that is easy to understand, easy to use, and easy to budget, companies are likely to find it attractive.

In Conclusion
Our research reinforces the value of messaging systems in support of secure electronic commerce. Major companies in most vertical industries are likely to spend the next year preparing for a step-by-step approach to allowing business-to-business electronic commerce to take place. The emphasis will be on securing their internal data and transactional processes. The inherent security of messaging systems lends support to an approach that incorporates these into the architecture of the evolving solution.