 |
|
 |
|
 |
 |
||
|
|
|
|
|
|
||
www.ecommerce-guide.com/news/trends/article.php/794531
By Mark Merkow, CCP, CISSP June 29, 2001 This spring, the e-business division of theSoftware and Information Industry Association (SIIA) released a white paper that explores a new method of protecting consumer data and outlines more than a dozen different types of data security threats facing e-business. The 27-page white paper, An Electronic Citadel: A Method for Securing Credit Card and Private Consumer Data in e-Business Sites, focuses on the architecture, processes, and benefits of the citadel method to protect consumer and sensitive e-business data. The paper was written by Tom Arnold, chief technology officer of Cybersource Inc. and chairperson of the Technology Working Group. Cybersource may be familiar to EC Outlook readers from a recent story about their CyberSource Internet Fraud Screen (IFS) Enhanced by Visa 5.0. The intended readers and users of the paper include security experts, chief information officers, chief technology officers, and a broad range of systems-related personnel from administrators to information systems architects. The paper stresses the need to consider information security as a multi-faceted system of interacting components rather than single-point solutions that can't offer the needed protections for sensitive consumer and corporate information. The citadel analogy is used to describe a method for securing Web site data that's in direct contrast to the eggshell model for security where users install a hard outer shell, but leave everything soft and squishy on the inside. A citadel, as the paper describes, was the first use of the defense in depth principle. Citadel defenses in the 18th and 19th centuries were based on geometrical shapes and angles that enabled multiple fields of musket firing to cover all approaches to the innermost stone fortress. "The future of electronic commerce largely rests in the ability of companies to secure consumer and corporate data. The citadel method is a new and extremely strong method of protecting data. SIIA is committed to helping promote new, effective models for data security such as the citadel method and communicating these benefits to customers in the consumer and business markets," said Fred Hoch, director of the e-business division of SIIA. The paper's method and system builds in new layers of defense behind the hard outer shell of firewalls and router protections in e-commerce sites. The following recommended precautions (countermeasures) and practices that supplement the Electronic Citadel include:
With these measures in place, the Electronic Citadel system provides another barrier to attacks, using advanced cryptography and effective cryptographic key management practices. The Electronic Citadel model for both the methods and system specifications for managing cryptographic keys enables the secure storage of sensitive data that can always be validated, but places limits on the retrieval of data to a specific lifetime. The white paper then goes on to describe key processing steps that can take advantage of the system to build in the needed degrees of trust demanded by e-commerce. Processing steps defined include:
The author of the paper hopes that a lively comment period on the paper completes with a reference implementation as a utility class library that anyone may use. It's his intent that his contribution remains in the public domain for good of the Internet and e-business community. Click here to download your own copy of the Electronic Citadel White Paper. |
|
|
Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | Shopping | E-mail Offers | Freelance Jobs 
