ECOMMERCE - PowerPoint PPT Presentation

About This Presentation

Title: ECOMMERCE

Description: Evaluate mitigation measures consistent with business need ... MSc Comp. Sci. 18 years in IT and Information Security. eCommerce. Why? Lower Cost ... (PowerPoint PPT presentation)

Slides: 49
Provided by: CSUS5
Learn more at: https://www.csus.edu

Transcript and Presenter's Notes


1
ECOMMERCE SECURITY

2
Who Are We?
  • KPMG Risk And Advisory Services
  • Manage risk in automated and financial systems
  • Understand risks consistent with business need
  • Evaluate mitigation measures consistent with
    business need
  • Recommend controls and solutions consistent with
    business need

3
eCommerce... Why?
  • Lower Cost
  • Increased Efficiency
  • Speed to Market
  • Increased Security (huh??)
  • More Diverse Customer Base
  • Improved Customer Service
  • Creates New Services
  • Physical Size and Location Don't Matter

4
eCommerce
High Profile Examples
  • Amazon.com - The Internet's largest virtual
    bookstore
  • Security First National Bank - The first original
    virtual bank
  • eTrade - An online stock broker at reduced prices
  • Wall Street Journal Interactive - An online
    version of the WSJ

5
eCommerce
Emerging eCommerce Examples
  • Digital Content - Peer-to-Peer (starting with
    Napster), Apple's iTunes Music Store
  • Mobile eCommerce - Vending (and other) machine
    purchases using a cell phone or other specialized
    token or smart card (Europe)
  • MasterCard - August 28, 2003 - MasterCard
    International today unveiled MasterCard SideCard,
    the stylish new payment card which features a
    modified design small enough to fit on a key ring.
  • MicroPayments - Allows Web surfers a method to
    make small purchases (under 1) for tidbits of
    on-line content

6
Are Internet (and other) security issues
over-hyped?
  • YES
  • But....there are valid concerns

7
Risks!
Traditional Risks
8
Risks!
Somewhat Recent Past Intrusions
9
Risks!
Current Incidents
10
Risks!
Future Risks
  • Dramatic growth in B-B, B-C, and B-E
  • Internet terminals in stores, airports, bars
  • Self-Checkout stands

In Short -
Anything that contains personal information, such
as a magnetic stripe on a card
  • Driver's License
  • Credit Card
  • ATM Card
  • Medical Provider Cards

11
Where is the threat coming from?
[Diagram: MY NETWORK]
12
Business to Consumer Risks
[Diagram: Remote Users accessing the EC application
over the Internet to a Web Server]
  • RISKS
  • Intercepted transmission
  • Denial of service
  • Network intrusion

13
Business to Business Risks
[Diagram: two Internal Networks, each behind a
Firewall, connected across the Internet]
  • RISKS
  • Loss of availability
  • Can't confirm transmission received
  • Eavesdropping

14

Potential Business Impact
  • Public Embarrassment / Image
  • Compromised Confidential Information
  • Compromised Integrity Of Information
  • Disruption of Services (System / Network Outages)
  • Fraud or Theft of Services
  • Financial Liability
  • Criminal Liability Under State or Federal Laws

15
How Do You Implement Adequate Security?
16
Security methodology
  • Proper security must provide the appropriate
    assurance that in any transaction
  • Both parties are identified and authenticated
  • Both parties can only perform the actions they
    are supposed to
  • The transaction information is correct/unaltered
  • The transaction is kept confidential
  • There is proof the transaction occurred
    (non-repudiation)

17
Security methodology
  • These assurances provide
  • Identification
  • Authentication
  • Authorization

A Secure Solution
  • Confidentiality
  • Integrity
  • Non-Repudiation

18
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

19
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

20
Firewall Solutions
  • Functions of a Firewall
  • Between a trusted and untrusted network
  • Controls traffic based on service, source,
    destination, user ID
  • Deny everything that is not specifically allowed
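
The three functions listed above can be expressed as a small rule evaluator. The following is an added example, not code from the deck or from KPMG: rules constrain service, source, destination and user ID; the first matching rule decides; and anything that matches no rule is denied. The addresses (192.0.2.10 for the web server, 10.0.0.0/8 for the internal network, 198.51.100.7 for an Internet client) and the sample policy are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example: the deck's firewall criteria (service, source,
# destination, user ID) as rule fields, with "deny everything not allowed".


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    service: Optional[str] = None    # None matches any service
    src: Optional[str] = None        # CIDR; None matches any source
    dst: Optional[str] = None        # CIDR; None matches any destination
    user: Optional[str] = None       # authenticated user ID; None matches any


@dataclass(frozen=True)
class Connection:
    service: str
    src: str
    dst: str
    user: Optional[str] = None


def _in_net(addr: str, cidr: Optional[str]) -> bool:
    return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def matches(rule: Rule, conn: Connection) -> bool:
    return ((rule.service is None or rule.service == conn.service)
            and _in_net(conn.src, rule.src)
            and _in_net(conn.dst, rule.dst)
            and (rule.user is None or rule.user == conn.user))


def decide(rules: List[Rule], conn: Connection) -> str:
    """First matching rule wins; with no match the connection is denied."""
    for rule in rules:
        if matches(rule, conn):
            return rule.action
    return "deny"                    # the implicit default-deny rule


def overly_broad(rules: List[Rule]) -> List[Rule]:
    """An allow rule with no service, source, destination or user constraint
    silently turns the policy into default-allow; flag such rules for review."""
    return [r for r in rules if r.action == "allow"
            and r.service is None and r.src is None and r.dst is None and r.user is None]


# Constructed sample policy (documentation address ranges):
# Internet (untrusted) -> web server 192.0.2.10 in the DMZ -> internal 10.0.0.0/8.
POLICY = [
    Rule("allow", service="https", dst="192.0.2.10/32"),
    Rule("allow", service="http", dst="192.0.2.10/32"),
    Rule("allow", service="ssh", src="10.0.0.0/8", dst="192.0.2.10/32", user="admin"),
    Rule("allow", service="db", src="192.0.2.10/32", dst="10.0.5.20/32"),
]

SAMPLE = [
    Connection("https", "198.51.100.7", "192.0.2.10"),           # customer browsing: allow
    Connection("ssh", "198.51.100.7", "192.0.2.10"),             # SSH from the Internet: deny
    Connection("ssh", "10.1.2.3", "192.0.2.10", user="admin"),   # internal admin: allow
    Connection("ssh", "10.1.2.3", "192.0.2.10"),                 # internal, no user ID: deny
    Connection("db", "192.0.2.10", "10.0.5.20"),                 # web -> database: allow
    Connection("smb", "192.0.2.10", "10.0.5.21"),                # web -> file server: deny
]


def decisions(policy: List[Rule] = POLICY, conns: List[Connection] = SAMPLE) -> List[str]:
    return [decide(policy, c) for c in conns]


if __name__ == "__main__":
    for conn, verdict in zip(SAMPLE, decisions()):
        print(f"{verdict:5}  {conn.service:5} {conn.src:>14} -> {conn.dst:<12} user={conn.user}")
    print("overly broad:", overly_broad(POLICY + [Rule("allow")]))
```

The last check matters in practice: a single unconstrained allow rule, often added during troubleshooting, defeats the default-deny posture the slide calls for, so audit for it whenever the rule base changes.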

21
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

22
Strong Authentication
  • What you know, what you have, what you are (where
    you are?)
  • Uses two of the above
  • Several main types
  • Time based tokens
  • Challenge response
  • Public key (client side certificates)
  • Smart card based
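
Two of the token types listed, time-based tokens and challenge-response, are easy to show end to end. The following is an added example, not code from the deck or from any vendor: the time-based token follows the RFC 4226/6238 HMAC construction with a one-step skew window and a replay guard, the challenge-response exchange uses a single-use random nonce answered with an HMAC, and a login combines a password (what you know) with the token (what you have). The secret, salt and timestamp values are constructed for the illustration; the 30-second step and 6 digits are demo parameters.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Set

STEP = 30       # seconds per token period (constructed demo parameters)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time code from HMAC-SHA1 over a counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = STEP) -> str:
    """Time-based token: the counter is the current time period (RFC 6238)."""
    return hotp(secret, now // step)


class TimeTokenVerifier:
    """Server side of a time-based token. Accepts one step of clock skew either
    way, and never accepts a period at or before the last accepted one, so a
    code captured in transit cannot be replayed within its validity window."""

    def __init__(self, secret: bytes, step: int = STEP, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter > self.last_counter and hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


class ChallengeResponse:
    """Server issues a fresh random nonce; the client proves possession of the
    shared secret by returning HMAC(secret, nonce). Each nonce is single-use."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding: Set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    @staticmethod
    def respond(secret: bytes, nonce: bytes) -> bytes:
        """Client side: the secret never leaves the device, only the MAC does."""
        return hmac.new(secret, nonce, hashlib.sha256).digest()

    def verify(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self.outstanding:       # unknown or already-used nonce
            return False
        self.outstanding.discard(nonce)
        return hmac.compare_digest(self.respond(self.secret, nonce), response)


def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def two_factor_login(stored_hash: bytes, salt: bytes, password: str,
                     tokens: TimeTokenVerifier, code: str, now: int) -> bool:
    """Something you know (password) plus something you have (token): both
    factors are evaluated and both must pass."""
    knows = hmac.compare_digest(password_hash(password, salt), stored_hash)
    has = tokens.verify(code, now)
    return knows and has


if __name__ == "__main__":
    secret, salt, now = b"constructed-demo-seed", b"constructed-salt", 1_700_000_000
    verifier = TimeTokenVerifier(secret)
    print("token login:", two_factor_login(password_hash("correct horse", salt), salt,
                                           "correct horse", verifier, totp(secret, now), now))
    cr = ChallengeResponse(secret)
    nonce = cr.challenge()
    print("challenge-response:", cr.verify(nonce, ChallengeResponse.respond(secret, nonce)))
```

The replay guard is what separates a time-based token from a plain password: a code that an eavesdropper captures on the wire is useless once the legitimate login has consumed its period, and the nonce set plays the same role for challenge-response.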

23
Leading Authentication Examples
  • IDs / Passwords
  • Benefits: Users are comfortable
  • Risks: Easily compromised or cracked!
  • Digital Certificates
  • Benefits: Can be invisible to the user
  • Risks: Require infrastructure, trust hierarchy
  • Smartcards
  • Benefits: Strong link back to specific user
  • Risks: Deploying readers, inconvenient for user

24
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

25
Security Architecture
The Transaction Model
[Diagram: Entity One (Business a.k.a. Bank of David)
transacts with Entity Two (User a.k.a. Fred)]
26
Security Architecture
The Transaction Model - Authentication Services
[Diagram: Entity One (Business a.k.a. Bank of David)
hosts a Firewall, Web Server and Application Server;
Entity Two (User a.k.a. Fred) is an End User PC]
27
Security Architecture
The Transaction Model - Cryptography Services
[Diagram: Authentication Client on the End User PC of
Entity Two (User a.k.a. Fred), across the Internet, to
the Firewall, Web Server, Application Server and
Authentication Server of Entity One (Business a.k.a.
Bank of David)]
28
Security Architecture
The Transaction Model - Putting it Together
[Diagram: the same components, with Public Key
Storage added on the business side]
29
Security Architecture
The Transaction Model - Putting it Together
[Diagram: Authentication Client, End User PC,
Firewall, Web Server, Application Server,
Authentication Server, Public Key Storage]
30
Security Architecture
The Transaction Model
[Diagram: the complete model - Authentication Client
on Fred's End User PC; Firewall, Web Server,
Application Server, Authentication Server and Public
Key Storage at Bank of David]
31
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

32
Secure Protocols
  • S-HTTP
  • security enhanced version of the HTTP protocol
  • wraps entire message in a secure envelope
  • SSL
  • secures the channel with session keys
  • provides data encryption, server and client
    authentication in version 3
  • SET
  • provides authentication and encryption for credit
    card transactions

33
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

34
Virtual Private Networks
  • Encrypted tunnel
  • Varying levels of trust
  • Multiple business applications

[Diagram: encrypted tunnel across the Internet]
35
The EC Security Toolkit
  • Firewalls
  • Strong authentication
  • Public key technology
  • Secure Protocols
  • Virtual Private Networks
  • General system security

36
Traditional Security
  • Host security
  • Secure applications / programming
  • Network security / partitioning
  • Physical security
  • Policies, procedures, guidelines, standards

37
Some Common Mistakes
  • Waiting too late to consider security
  • Don't analyze business risks
  • Give security to junior member on team
  • Pick a solution when you don't understand the
    technology
  • Ignore operating system level security
  • Thinking IDs and passwords are enough

38
Legislative Considerations
  • SB 1386
  • HIPAA
  • Gramm-Leach-Bliley

39
SB 1386 - Breach Notification Law
  • Any agency or entity that owns or licenses
    computerized data that includes personal
    information
  • shall disclose any breach of the security of the
    system following discovery or notification of the
    breach in the security of the data
  • to any resident of California whose unencrypted
    personal information was, or is reasonably
    believed to have been, acquired by an
    unauthorized person

40
SB1386 - Personal Information Defined
  • individual's first name or first initial and last
    name in combination with any one or more of the
    following data elements, when either the name or
    the data elements are not encrypted
  • Social security number
  • Driver's license number or California
    Identification Card number.
  • Account number, credit or debit card number, in
    combination with any required security code,
    access code, or password that would permit access
    to an individual's financial account
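
When scoping a breach, the definition above has to be applied record by record to decide who must be notified. The following is an added example, not code from the deck or from KPMG, that encodes the slide's definition as a check over a data set: a name (first name or initial plus last name) combined with at least one listed element, where either the name or the element was not encrypted. The field names, the set used to record which fields were stored encrypted, and the sample records are constructed; treating the security/access code as required before an account number counts is an assumption made for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed example: the slide's definition of "personal information" as a
# check an incident responder can run over a breached data set.


@dataclass
class Record:
    first_name: Optional[str] = None       # full first name or first initial
    last_name: Optional[str] = None
    ssn: Optional[str] = None
    license_number: Optional[str] = None   # driver's license or CA ID card number
    account_number: Optional[str] = None   # account, credit or debit card number
    access_code: Optional[str] = None      # security code, access code or password
    encrypted: Set[str] = field(default_factory=set)  # "name" or element names stored encrypted


def triggering_elements(rec: Record) -> List[str]:
    """Data elements present in the record that the definition lists."""
    found = []
    if rec.ssn:
        found.append("ssn")
    if rec.license_number:
        found.append("license_number")
    # Assumption for this example: an account/card number counts only together
    # with the code that would permit access to the account.
    if rec.account_number and rec.access_code:
        found.append("account_number")
    return found


def is_personal_information(rec: Record) -> Tuple[bool, List[str]]:
    """Name plus at least one element, where either side is unencrypted."""
    if not (rec.first_name and rec.last_name):
        return False, []
    name_clear = "name" not in rec.encrypted
    hits = [e for e in triggering_elements(rec) if name_clear or e not in rec.encrypted]
    return bool(hits), hits


def notification_scope(records: List[Record]) -> List[Tuple[int, List[str]]]:
    """Index and triggering elements of every record that requires notice."""
    scope = []
    for i, rec in enumerate(records):
        hit, elems = is_personal_information(rec)
        if hit:
            scope.append((i, elems))
    return scope


# Constructed sample data set (all values are placeholders, not real data).
SAMPLE = [
    Record("Fred", "Smith", ssn="000-00-0000"),                               # 0: notify
    Record("F", "Smith", license_number="X0000000"),                          # 1: initial counts
    Record(None, "Smith", ssn="000-00-0000"),                                 # 2: no name
    Record("Fred", "Smith", account_number="0000000000000000"),               # 3: no access code
    Record("Fred", "Smith", account_number="0000000000000000", access_code="000"),  # 4: notify
    Record("Fred", "Smith", ssn="000-00-0000", encrypted={"name", "ssn"}),    # 5: both encrypted
    Record("Fred", "Smith", ssn="000-00-0000", encrypted={"ssn"}),            # 6: name in clear
    Record("Fred", "Smith"),                                                  # 7: no element
]

if __name__ == "__main__":
    for idx, elems in notification_scope(SAMPLE):
        print(f"record {idx}: notify (elements: {', '.join(elems)})")
```

Record 6 is the case teams most often get wrong: encrypting the sensitive element alone does not take a record out of scope if the name next to it was stored in the clear.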

41
SB1386 - Penalties
  • 1798.84
  • (a) Any customer injured by a violation of this
    title may institute a civil action to recover
    damages.
  • (b) Any business that violates, proposes to
    violate, or has violated this title may be
    enjoined.
  • (c) The rights and remedies available under this
    section are cumulative to each other and to any
    other rights and remedies available under law.

42
Legislative Considerations
  • SB 1386
  • HIPAA
  • Gramm-Leach-Bliley

43
Health Information Portability and Accountability Act
  • HIPAA requires the development of comprehensive
    security programs to protect healthcare data.
  • Public Law 104-191, August 21, 1996
  • Amends Internal Revenue Service Code of 1986
  • Guarantees Health Coverage When Job Changes
  • Intended to Reduce Fraud and Abuse
    (Medicare/Medicaid)
  • Preempts State Laws Unless More Stringent

44
HIPAA Summary
  • Administrative Simplification - Establishes
    national standards for:
  • Electronic (EDI) transactions
  • Identifiers such as provider, payer and employer
  • Improved efficiency of processing health care
    information
  • Privacy - Protect patient data from inappropriate
    disclosure or use:
  • Require consent to use protected health
    information for treatment, payment and healthcare
    operations
  • Allow health information to be disclosed without
    patient authorization for certain purposes (such
    as research, public health and oversight) but
    only under defined circumstances
  • Require written authorization for use and
    disclosure of health information for other
    purposes
  • Create a set of fair information practices to
    inform patients how their information is used and
    disclosed, and ensure they have access to
    information about them
  • Security - Establish safeguards around patient
    information systems preventing unauthorized
    access:
  • Administrative procedures
  • Physical safeguards
  • Technical security mechanisms, including
    processes used to prevent unauthorized access to
    data transmitted over a communications network.

45
Legislative Controls and Remedies
  • SB 1386
  • HIPAA
  • Gramm-Leach-Bliley

46
GLB Summary
  • In 1999 Congress enacted the Gramm-Leach-Bliley
    Act (GLB), significantly revising the way in
    which the financial services industry is
    regulated. GLB includes measures to protect the
    privacy of personal nonpublic information
    collected and used by financial service
    providers.
  • Notice to customers by the firm of its policies
    and practices regarding nonpublic information
  • Permission for customers to "Opt Out" of
    disclosure by the firm of information to certain
    nonaffiliated third parties
  • Limitations on disclosure by the firm to third
    parties, and various exceptions to the
    limitations; and
  • Review and maintenance of safeguards to maintain
    the security of customer information.

47
Closing Comments
  • Good security solutions are available; the key is
    applying them
  • Public perception will change over time
  • Need to focus on business risks

48
THE END