Information Security News mailing list archives

Old security models inadequate for ebusiness


From: InfoSec News <isn () C4I ORG>
Date: Thu, 15 Jun 2000 16:14:18 -0500

http://www.vnunet.com/News/1103325

John Leyden
Thursday 15 June 2000

The traditional approach to security adopted by many companies is
outdated and will leave firms vulnerable as they enter the ebusiness
market, a leading technology consultancy has warned.

In its report E-Business Security: New Directions and Successful
Strategies, Ovum argues that the traditional hierarchy of trust
adopted by organisations does not fit the ebusiness model, meaning
that access channels, such as mobile devices, could pose a major
security threat.

Graham Titterington, senior Ovum analyst and lead author of the
report, said: "The old security model tends to rely on perimeter
security - protecting the outer boundaries of the organisation. But
that is based on a hierarchy of trust which places 'internal' users at
the top and 'external' users at the bottom. An approach designed to
keep people out of systems is no longer adequate.

"This is plainly wrong for ebusinesses which need to allow customers
and suppliers into the heart of their systems."

Another flaw of the perimeter approach is that it does not distinguish
between different applications and systems, which may have radically
different security needs according to how mission-critical or
sensitive their contents are, said Titterington.

Mobile devices, such as smartphones and mobile PCs, have too many
vulnerabilities today to be afforded high levels of trust, even if the
users themselves can be trusted.

"There is no standardised security infrastructure in the form of
end-to-end protocols. It is too easy to steal or tamper with the
devices, and digital keys are stored at gateways rather than on the
device," said Titterington.

"Companies should restrict their access rights until at least 2001,
when there are better prospects of a standardised security
infrastructure."

Ovum recommends "ubiquitous security", where security measures are
applied flexibly to specific parts of the ebusiness environment. This
relies on access control measures to grant user access selectively,
depending on the level of trust placed in the user and the access
device used.

Different applications would be afforded different levels of
protection, according to how mission-critical or sensitive they were
judged to be.
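As an added illustration (not code from the Ovum report or the article), the following contrasts the perimeter model's internal/external hierarchy of trust with the "ubiquitous" model the report describes, in which each application has its own sensitivity and the effective trust is the weaker of user trust and device trust. The trust scale, application list and sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Ordered trust levels; higher is more trusted (constructed scale for illustration).
TRUST = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed per-application sensitivity: the minimum effective trust required.
APP_SENSITIVITY = {
    "public-catalogue": "none",
    "order-entry": "low",
    "supplier-portal": "medium",
    "payroll": "high",
}

@dataclass(frozen=True)
class Request:
    user: str
    user_trust: str    # trust placed in the user (customer, supplier, employee ...)
    device_trust: str  # trust placed in the access device (smartphone, LAN desktop ...)
    internal: bool     # True if the request originates inside the network perimeter
    application: str

def perimeter_decision(req: Request) -> bool:
    """Old model: 'internal' users are trusted for everything and 'external'
    users are kept out, regardless of application sensitivity or device."""
    return req.internal

def ubiquitous_decision(req: Request) -> bool:
    """Ubiquitous model: effective trust is the weaker of user and device
    trust, and it must meet the sensitivity of the specific application."""
    effective = min(TRUST[req.user_trust], TRUST[req.device_trust])
    return effective >= TRUST[APP_SENSITIVITY[req.application]]

# Constructed sample requests covering the cases the report raises.
SAMPLE_REQUESTS = [
    Request("customer", "low", "medium", False, "order-entry"),      # external customer, home PC
    Request("supplier", "medium", "medium", False, "supplier-portal"),
    Request("employee", "high", "low", False, "payroll"),            # trusted user, untrusted smartphone
    Request("contractor", "low", "high", True, "payroll"),           # inside the perimeter, low trust
    Request("employee", "high", "high", True, "payroll"),
]

def compare(requests=SAMPLE_REQUESTS):
    """Return (user, application, perimeter_allows, ubiquitous_allows) per request."""
    return [(r.user, r.application, perimeter_decision(r), ubiquitous_decision(r))
            for r in requests]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The third and fourth rows show the two failures the report calls out: a trusted employee on a low-trust device is refused the sensitive application, while a low-trust user who happens to be inside the perimeter is let into everything under the old model.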
