Fundamental Building Blocks for Security Interoperability in e-Business

Muhammad Asim (Philips Electronics, The Netherlands) and Milan Petkovic (Philips Electronics, The Netherlands & Eindhoven University of Technology, The Netherlands)
DOI: 10.4018/978-1-4666-0146-8.ch013

Abstract

The e-business concept goes beyond traditional electronic enterprise systems, which are typically owned and controlled by one company. In e-business systems the data is exchanged in a distributed environment where different components and systems are owned and controlled by different companies. This introduces two main challenges: (1) there is a need for adequate security mechanisms that can protect the data in an end-to-end manner; (2) the security mechanisms deployed in e-Business systems must be interoperable, to ensure that they work with the security mechanisms of other parties' systems. This chapter gives an overview of security mechanisms applicable to e-Business, as well as of the relevant security standards. The chapter also gives an outlook on novel approaches to e-Business security.

Introduction

Emerging ICT technologies are modifying processes and communication between the players in the business world. Nowadays, consumers use the Internet to establish a relationship with an enterprise. The internal functioning of enterprises is changing. ICT plays an important role in the communication between the enterprise and its different partners and suppliers. In all these cases ICT supports the activities of the enterprise, with the goal of improving its functioning and creating value for the enterprise and its partners. Take for example the travel agency scenario presented in the Trust Management chapter of this book (Costante et al, 2011), also shown in Figure 1. Alice books her holidays from the comfort of her living room using an on-line travel agency. The travel agency web site collects multiple offers from different flight, hotel and rent-a-car companies and presents them to Alice. Alice makes a selection and pays online using her credit card. Booking, payment, and all transactions between the parties in this scenario are supported by ICT.

Figure 1. Travel agency scenario, where different entities have to securely interact with each other

e-Business introduces important security challenges. Traditional security issues, which include data confidentiality, integrity and availability as well as authentication, authorization and non-repudiation, become even more important in the highly distributed setting of e-Business. For example, in the abovementioned scenario the payment transaction needs to be secured. The confidentiality of the personal data Alice provides, which is shared with a number of parties, needs to be protected. The enterprises that collect this data need to comply with data protection legislation (e.g. European Directive 95/46 (European Directive 95/46, 1995)), which means, among other things, that the data should be disclosed only to authorized users and be used only for the specified purpose. The business partners have to be authenticated and the travel agency service needs to be reliable, i.e. Alice needs a guarantee that she is talking to a genuine service and not to a fake one that may steal her credit card information. Traditional security mechanisms, such as encryption, digital signatures, different authentication methods and access control, play an important role in fulfilling the above mentioned requirements. However, highly distributed e-Business systems also require advanced security mechanisms that can provide end-to-end security. These include policy-based security mechanisms as well as technologies such as digital and enterprise rights management.

Next to the need for adequate security mechanisms that can protect the data in an end-to-end manner, it is of utmost importance to ensure interoperability of the security mechanisms deployed in e-Business systems. In the abovementioned scenario, the travel agency system has to dynamically contact different business entities based on Alice's search criteria. These entities are flight providers, hotel providers and car rental service providers. In addition, the travel agency system needs to interact with the Visa™ or MasterCard™ service providers in order to process Alice's payments.

In this scenario, the most prominent security issues are: 1) reliability and trustworthiness of the communicating entities; 2) authenticity of the communicating entities; 3) authenticity of the person who is placing the order; 4) confidentiality and integrity of the information that is sent over the Internet and shared with different entities; and 5) non-repudiation of sender and receiver. To address these security issues, the entities need to deploy security mechanisms such as encryption, authentication, signing, access control etc. However, the entities have to understand each other's security mechanisms and the semantics associated with them. All involved entities therefore have to use only standardized mechanisms whose semantics are clear to every involved entity. For example, in order to have a secure point-to-point communication channel, the entities involved in the communication can use the Transport Layer Security (TLS) standard. Before establishing the secure communication channel, the entities go through a negotiation phase in which they verify the authenticity of the communicating entities through X.509 v3 certificates, determine which security mechanisms (protocol versions and cipher suites) both entities support, and exchange keys for the secure communication channel.
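The negotiation phase just described, seen from the client side with Python's standard `ssl` module, as an added example that is not part of the chapter. The "weak" context is a misconfiguration that silently skips the X.509 authenticity check; the audit function returns what a reviewer would flag in a client's TLS configuration, and `negotiated_parameters` reports what a completed handshake settled on. The CA bundle path is an assumption and only matters once a real connection is made.

```python
import ssl
from typing import Optional

# Added example, not code from the chapter or any of its cited systems.


def weak_client_context() -> ssl.SSLContext:
    """Accepts any certificate: the peer's authenticity is never verified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Require a chain to a trusted CA, a matching hostname and TLS >= 1.2.

    ca_bundle is an assumed path to a PEM file; None uses the system store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the weaknesses found in a client-side TLS context (empty if none)."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("peer certificate not required")
    if not ctx.check_hostname:
        issues.append("hostname not checked against certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append("protocol floor below TLS 1.2")
    return issues


def negotiated_parameters(sock: ssl.SSLSocket) -> dict:
    """Outcome of the negotiation on a connected socket: version, cipher, peer."""
    cipher_name, _proto, key_bits = sock.cipher()
    cert = sock.getpeercert() or {}     # empty unless the peer was verified
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    return {"version": sock.version(), "cipher": cipher_name,
            "key_bits": key_bits, "peer_cn": subject.get("commonName")}
```

To inspect a live negotiation, wrap a connected socket with `hardened_client_context().wrap_socket(raw_sock, server_hostname=host)` and pass the result to `negotiated_parameters`.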

Key Terms in this Chapter

Interoperability: A property referring to the ability of different systems to work together (e.g. the ability of systems or components to exchange data and to provide services to, and accept services from, other systems).

Data Integrity: The detection of the unauthorized or improper modification of the information assets.

Audit Trail: A record of access attempts and resource usage to verify enforcement of business, data integrity, security, and access-control rules.

Access Control: The process of controlling every request to a system and determining, based on specified rules, whether the request should be granted or denied.

Authentication: The act of establishing or confirming that someone or something is authentic, that claims made by or about the subject are true.
