Electronic Commerce -- Net Security



Vendors and businesses work to make the Internet safer for commerce

By Kate Maddox

When the web design team at Southwest Airlines decided it wanted to let customers buy tickets through the company's World Wide Web site, it had a tough time selling senior management on the idea.

"They were concerned that we'd be exposing corporate data, and that we'd potentially be exposing our customers' credit-card numbers," says Steve Taylor, systems engineer at Southwest Airlines and a lead developer of the Dallas company's Web site (http://www.iflyswa.com), which was launched in March 1995.


Exposure: Southwest Airlines' management was concerned that doing business on the Web could put corporate data and customers' credit-card numbers at risk, Taylor says.

However, after educating senior management about security technology, Taylor and his group were given the OK to begin selling tickets on the site in April. They've been processing more orders than expected ever since, he says, though he declined to reveal how many.

The key issues facing Southwest Airlines and other companies evaluating electronic commerce on the Web, according to corporate users and industry watchers, are overcoming all the hype about security threats and integrating existing technologies into their Internet efforts.

"All the tools you need to conduct safe transactions over the Internet are available today," says Michael Zboray, VP for information security strategies at Gartner Group Inc., an IT advisory firm in Stamford, Conn. These tools include a strong system for user identification and authentication, a mechanism to create a confidential channel between the user and the corporation's Web server, and a secure environment on which to run the server software, Zboray says. "It doesn't mean everyone is capable of putting together the parts and using them," he adds. "I believe the major server vendors will figure this out."


Big business: Southwest Airlines says it has processed more Web-site orders than expected.

One server vendor that's taken a lead in the security arena is Hewlett-Packard, which is aiming to provide high-level, end-to-end security solutions for Internet and intranet environments with its Praesidium product line, unveiled at Internet World in April. "When we're talking about security, no one size fits all," says Sean Leonard, security product manager at HP. The company introduced the Praesidium Authorization Server in April, and in September will announce Virtual Vault technology, which will work with the authorization server to provide secure online transactions by allowing only very specialized commands to pass through a trusted gateway.

Beta tester Security First Network Bank has been using Virtual Vault with the Praesidium Authorization Server to conduct online banking at its Web site (http://www.sfnb.com). With access privileges strictly defined, users are authorized to look only at certain information, such as checking or savings account data. "When running Web server software on top of Virtual Vault, it's possible a hacker could exploit security weaknesses in the Web server software," says HP's Leonard. "If the application fails, the attacker will be confined into a compartment and will be denied access to the company's private network."

Safeguarding Data

As companies let more users, including customers, clients, and other third parties, into their private networks via the Web, the issue of security takes on even greater importance. Southwest solved the problem on the client end with encryption technology developed by RSA Data Security Inc. and provided with the Netscape Commerce Server, which hosts the site. To protect corporate data residing on ObjectStore Database Server software running on HP 9000 servers, Southwest uses a CyberGuard firewall together with a Cisco Systems screening router to let in authorized users.

Nonetheless, "it's certainly possible to be malicious within the application," says Taylor, pointing to ticket purchases made with stolen credit cards as an example. "Security is going around and closing all the doors." To that end, the company has built controls into its Web application that monitor user activity, including limits and checks on transactions.

This end-to-end approach to security is what's driving alliances between major security players, such as a proposed merger between RSA Data Security and security software provider Security Dynamics Technologies Inc., and spawning new security consulting services at traditional systems integrators. Consulting firm KPMG International, for example, is rolling out new services to provide a comprehensive approach to enterprisewide network security. "A lot of people are doing it piecemeal because, like LANs, the Internet has grown up so rapidly," says Alan Witty, a senior manager in the information risk management practice at KPMG.

While these services are geared more toward private intranets than public electronic commerce applications, the line between the two is blurring. "There's no point being secure on the Internet if your corporate networks are not secure," says Dean Adams, manager of security and electronic commerce at the Open Group, a Berkshire, England, organization that resulted from a merger of X/Open and the Open Software Foundation.

The Open Group is working on three security fronts: securing the operating platform through its newly released Baseline Security '96 standard; securing communications services through its Secure Communications Services standard, which is an extension to its Generic Security Service-API specification; and securing trade over the Internet through the development of a public key infrastructure.

The trade effort involves standardizing certain components used in the public key/private key encryption process on which many electronic commerce security solutions are based. "More important than [data] integrity and confidentiality is to provide proof that will stand up in a court of law," Adams says. "If you can't provide [legal] proof of who was involved in the transaction, you won't be able to use the Internet for real trading."


Careful: Security First Network Bank limits access tightly to keep hackers away from corporate data.

The Open Group is working to develop standards for certificates, which are used to verify the holders of keys, protocols for shipping keys, and a federated directory of keys. It has the support of many security developers. "Our technology depends on the existence of a public key infrastructure," says Allan Schiffman, chief technical officer at Terisa Systems Inc. in Los Altos, Calif., which develops communications security tools for America Online, IBM, Netscape, and other Web developers.
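Adams's distinction between integrity and proof of who was involved, shown as an added illustration that is not from the article or any vendor named in it: a tag computed under a shared secret can be reproduced by the merchant, so it proves nothing about the originator, while a signature under the customer's private key can only be checked, never created, by anyone else. The key pair, the shared secret and the order text are constructed toy values.

```python
import hashlib
import hmac

# Constructed toy RSA key pair with tiny primes, for illustration only
# (assumption: real public-key-infrastructure keys are far larger and are
# bound to their holder by a certificate).
P, Q = 61, 53
N = P * Q                            # modulus, 3233
E = 17                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, 2753

# Constructed shared secret and order, standing in for a symmetric key
# that both customer and merchant hold.
SHARED_KEY = b"constructed-shared-secret"
ORDER = b"ticket DAL-HOU x1 fare 99.00"

def digest(msg: bytes) -> int:
    # Hash the order and reduce it below N so the toy modulus can sign it.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def mac_tag(msg: bytes, key: bytes) -> str:
    # Integrity check: anyone holding the shared key can produce this tag.
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def mac_valid(msg: bytes, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(mac_tag(msg, key), tag)

def sign(msg: bytes, private_exp: int) -> int:
    # Only the holder of the private exponent can compute this value.
    return pow(digest(msg), private_exp, N)

def verify(msg: bytes, sig: int, public_exp: int) -> bool:
    # Anyone with the public exponent can check it, including a third party
    # such as a court, without being able to forge it.
    return pow(sig, public_exp, N) == digest(msg)

def merchant_can_reproduce_mac(msg: bytes, customer_tag: str) -> bool:
    # The merchant holds the same shared key, so it can mint a tag that is
    # byte-for-byte identical to the customer's: the tag shows the order was
    # not altered, but not which of the two parties produced it.
    return mac_tag(msg, SHARED_KEY) == customer_tag

def signature_attributable(msg: bytes, sig: int) -> bool:
    # Verification needs only the public exponent; the private exponent D
    # never left the customer, so a valid sig points to the customer alone.
    return verify(msg, sig, E)
```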

While the establishment of a public key infrastructure is an important development that should solidify electronic commerce, a more immediate impact is likely to be made in the implementation by merchants, banks, software developers, and other electronic commerce players of MasterCard International Inc.'s and Visa International Inc.'s Secure Electronic Transactions (SET) specification. A revised version of SET was released in late June, and it is on track to be rolled out by year's end. "I believe the difference in the quality of security will be dramatic," says Gartner's Zboray.

Meanwhile, other companies continue to implement new security systems. The Massachusetts Registry of Motor Vehicles on July 22 rolled out a service on its Web site that lets users pay traffic fines or renew automobile registrations online, using a security service from Internet access provider BBN Planet Corp. in Cambridge, Mass.

"We set it up so there's no information we're giving the customer that they haven't given us," says Larry McConnell, director of information services at the Massachusetts RMV. "We're trying to avoid people using us for their evening's entertainment."

Net security is much stronger than it has been, and even tougher security systems are on the way. The industry is betting that they will be good enough to let commerce blossom on the Net.

Copyright (c) 1996 CMP Media Inc.