Security as we perceive it today became a topic of research with the introduction of networked information systems, or networked ISs, in the early 1980s. In the mid-1990s the proliferation of the Internet in the business area exposed security as one of the key factors for successful online business, and the majority of efforts to provide it were focused on technology. However, due to lessons learned during this period, the paradigms have since changed, with increasing emphasis on human factors. It is a fact that security of networked ISs is becoming part of the core processes in all e-business environments. While data is clearly one of the key assets and has to be protected accordingly, ISs have to be highly integrated and open. Appropriate treatment of these contradictory issues is not a trivial task for managers of contemporary intelligent organizations. It requires new approaches, especially in light of new technologies.
Proper management of security in e-business systems requires a holistic methodology that can be viewed on three planes: technology, organization, and legislation (Trček, 2006). ISs security management starts with the identification of threats and threats analysis. A typical approach is based on risk probability and derived damage estimates (Raepple, 2001). Following this, the approach differs according to the plane:
The technological plane takes into account machine-related interactions. This plane is about deployment of appropriate security services that are based on security mechanisms. To become operational, key management issues (i.e., handling of cryptographic algorithms’ keys) have to be resolved. Finally, human-to-machine interactions have to be addressed carefully.
The organizational plane takes human resources management into account. It emphasizes the organizational issues and socio-technical nature of contemporary IS, where various modern methodologies play a central role.
In parallel, it is necessary to address legal issues. Not only national, but also international legislation in this area is becoming increasingly broad and complex. Each and every security policy has to take this into account, especially cryptography regulations, digital signature issues, privacy issues, and intellectual property rights.
Methodological Approaches To E-Business Systems
From the technological point of view, the prevention of threats is achieved by use of security mechanisms and security services (ISO, 1995). Mechanisms include symmetric and asymmetric cryptographic algorithms, for example, AES (Foti, 2001) and RSA (RSA Labs, 2002); one-way hash functions such as SHA-1 (Eastlake & Jones, 2001); and physical mechanisms. For devices with weak processing capabilities like smart-cards, elliptic curve-based systems such as ECDSA (ANSI, 1998) can be used. Regarding physical security, using cryptographic algorithms one can only reduce the amount of data that have to be physically protected, but physical protection cannot be eliminated.
To ensure that a particular public key indeed belongs to the claimed person, a trusted third party called certification authority, or CA, has to be introduced. The CA issues public key certificates that are digitally signed electronic documents, which bind entities to the corresponding public keys (certificates can be verified by CA’s public key). CA also maintains certificate revocation lists, or CRLs. These should be checked every time a certificate is processed in order to ensure that a private/public key is still valid. The de iure and de facto standard for certificate format is X.509 standard (ITU-T, 2000).
By use of security mechanisms, the following security services are implemented:
Key Terms in this Chapter
Business Intelligence: Deployment of (usually artificial intelligence-based) techniques such as online analytical processing (OLAP) and data mining to analyze information in the operational data sources.
Networked Information Systems: An IS that is strongly integrated in a global network. From the technological point of view, the difference between the IS and the global network is blurred; however, it exists from the administrative point of view.
Public Key Infrastructure: The infrastructure capable of supporting the management of public keys able to enable authentication, encryption, integrity, or non-repudiation services.
Security Mechanism: A basis for a security service—using particular security mechanism (e.g., cryptographic algorithm), the security service is implemented.
Wireless Security: Security assurance for communicating information in electro-magnetic media over a distance through a free-space environment.
Security Policy: Documented procedures that focus on the organization’s management of security; it is about information confidentiality, integrity, and availability of resources.
Certification Authority (CA): An authority trusted by one or more users to create and assign public key certificates.
Security Service: A service provided by an entity to ensure adequate security of data or systems.