Lesson 5	Security
Objective	Describe the impact of security on e-business.

Security Impact on ebusiness

While corporate presence on the Web has soared, many companies are simply providing information about themselves in the form of annual reports, product catalogs, and service information. They have not begun to provide full-scale transactions for buying and selling online. This restraint is primarily due to concerns about network and transaction security.

Security Concerns and appropriate Technologies:
Security concerns and the tools to address them generally fall into two areas--user authorization and data and transaction security. This table clarifies these concerns.

Area of concern	Explanation
User authorization	This ensures that only valid users and programs have access to resources like user accounts, files, and databases.
Data and transaction security	This ensures internal computers and databases from outside (Internet) access.

Most eBusiness solutions need to realize a high level of security for both areas of concern, and as indicated in the table above, they use a range of technologies to do so. The most important security technologies are:

Firewalls
Encryption
Biometrics
Digital certificates
SSL
Public-key infrastructure (commonly called PKI)

In this security technology, we will explain these technologies in greater detail.

Advantages and Disadvantages of Symmetric-key Cryptography

Advantages of Symmetric-Key Cryptography

Speed and Efficiency: Symmetric-key cryptography is generally faster and more efficient compared to asymmetric-key cryptography because it uses simpler mathematical operations. This makes it ideal for encrypting large amounts of data, which is common in eCommerce transactions.
Lower Computational Overhead: Since symmetric algorithms require less computational power, they are easier to implement on devices with limited processing capabilities. This can be crucial for eCommerce applications where performance and scalability are important.
Simpler Key Management for Small Networks: In small-scale eCommerce systems, managing symmetric keys is simpler because only one key needs to be distributed and maintained between communicating parties, compared to asymmetric cryptography where two keys (public and private) are required.
Security in Controlled Environments: Symmetric encryption provides strong confidentiality in closed environments, such as within a secured enterprise network, where key distribution can be tightly controlled.

Disadvantages of Symmetric-Key Cryptography

Key Distribution Problem: One of the major disadvantages is the challenge of securely distributing the symmetric key to both the sender and receiver. In eCommerce environments, securely transmitting keys across public networks can be a significant risk.
Scalability Issues: As the number of users grows in an eCommerce platform, the number of keys increases exponentially. This leads to complex key management issues, especially in larger systems with many users.
Single Point of Failure: Since the same key is used for both encryption and decryption, if the key is compromised, an attacker can easily decrypt the entire communication. This makes symmetric encryption less secure for highly sensitive eCommerce data transactions.
Lack of Authentication: Symmetric encryption does not inherently provide authentication. It only ensures confidentiality, meaning additional methods (e.g., digital signatures, message authentication codes) are needed to verify the identity of the parties involved in an eCommerce transaction.

In eCommerce security, symmetric-key cryptography is often combined with asymmetric cryptography (in hybrid systems) to leverage the strengths of both methods. For example, asymmetric encryption can be used to securely share the symmetric key, which is then used for faster bulk encryption.

1) Firewalls are critical to an ebusiness solution. A firewall establishes security by defining the services and access permitted to various user. Effectively. it creates a barrier between a corporate network and an external network.

2) Technically, a firewall is software and hardware that allows only external users with specific characteristics to access a protected network or site. It gives users full access to services while granting outsiders access to services only selectively, based on user names and passwords, an Internet IP address, or a domain name.

3) There are various types of firewalls. They include simple logging traffic systems, IP packet screening routers, hardened firewall hosts, and proxy application gateways.

4) Encryption is another way to protect sensitive information. It is designed to secure information that travels over public channels such as copyrighted or confidential data. And it helps to ensure privacy, confidentiality, and integrity, three key requirements of transaction based ebusiness.

5) Two kinds of encryption exist: secret-key encryption and public-key encryption.

6) Secret-key encryption (also known as symmetric key encryption) involves the use of a shared key for encryption by the transmitter and decryption by the receiver.

7) Public-key encryption (also known as asymmetric encryption) uses two keys, — 7) uses two keys, one to encrypt the message and another to decrypt the message. The two keys are mathematically related so that data encrypted with one key can only be decrypted by using the other. This is a more sophisticated form of encryption.

8) Biometrics are a means of using biology and or physiology to identify a user though either thumb prints, eye-scans, or voice recognition. Biometrics are generally used for physical security for highly sensitive for highly sensitive sites.

9) Digital certificates are attachments to electronic messages that are used for security purposes. They are just one of the methods of ensuring the identity of a person or entity in order to guarantee the integrity and to verify the origin of the user/order.

10) (SSL) Secure Socket Layer negotiates point-to-point security between clients and servers. By convention, Web pages that require an SSL connection starts with https: instead of http: While not comprehensive SSL are the most common security device used in ebusiness.

11) PKIs are key security tools for ebusiness. They are internet specific security suites that combine encryption technology software and services. They enable organization to secure online business transactions and communication.

12) PKIs integrate public-key cryptography and digital certificate technology into an organization-wide security infrastructure.

13) PKI services are comprehensive. Their functions include issuing digital certificates to users and servers as well as tools for managing corporate certificates, end user software enrollment control, and the application of encryption for higher security requirements.

Question: What are the main security technologies discussed in this lesson?
Answer: Firewalls; Encryption; Biometrics; Digital certificates; SSL; Public-key infrastructure (PKI) If you would like to view and print out this information on security tools and their function, you may do so by looking at the information below.

Security Tool	How it works
Firewall	A firewall establishes security by defining the services and access permitted to various users. Effectively, it creates a barrier between a corporate network and an external network. Technically, a firewall is software and/or hardware that allows only external users with specific characteristics to access a protected network or site. It gives insiders full access to services while granting outsiders access to services only selectively, based on user names and passwords, an Internet IP address, or a domain name.
Encryption	Encryption is designed to secure information that travels over public channels such as copyrighted or confidential data. It helps to ensure privacy, confidentiality, and integrity. Two kinds of encryption exist: secret-key encryption and public-key encryption: Secret-key encryption (also known as symmetric key encryption) involves the use of a shared key for encryption by the transmitter and decryption by the receiver. Public-key encryption (also known as asymmetric encryption) uses two keys, one to encrypt the message and another to decrypt the message. The two keys are mathematically related so that data encrypted with one key can only be decrypted by using the other.
Biometrics	Biometrics are a means of using biology and/or physiology to identify a user though either thumb prints, eye-scans, or voice recognition. They are generally used for physical security for highly sensitive sites.
Digital certificates	Digital certificates are attachments to electronic messages that are used for security purposes. They are one method of ensuring the identity of a person or entity in order to guarantee the integrity and to verify the origin of the user/order.
SSL	A Secure Sockets Layer (SSL) negotiates point-to-point security between clients and servers. By convention, Web pages that require an SSL connection start with https: instead of http: .
Public-key infrastructure (PKI)	PKIs are Internet-specific security suites that combine encryption technology, software, and services. They enable organizations to secure online business transactions and communication by integrating public-key cryptography and digital certificate technology into an organization-wide security infrastructure.

The next lesson considers the issues to keep in mind when selecting any one of these security tools.