<?xml version="1.0" encoding="UTF-8"?><root available-locales="en_US," default-locale="en_US"><static-content language-id="en_US"><![CDATA[<p>The rapid proliferation of mobile devices and the advent of web-based enterprise tools, cloud computing and virtualisation have enabled an instant-on office, where workers can access and modify information regardless of location. Enterprises are attempting to strike a balance between securing and managing growing information volumes and improving business processes and enabling productivity, but technology is evolving so rapidly that they are constantly struggling to keep pace. At the centre of this challenge is identity and access protection.<br><br>Access to information that rests on computer networks has conventionally been managed by means of confidential passwords and centralised authentication databases. Now that applications have shifted to the Internet, it has become clear that passwords are no longer secure enough for this medium. With numerous data breaches and increasingly sophisticated methods of stealing passwords, it becomes important that businesses and consumers are confident that the people, networks and devices accessing, modifying or sharing information are verified to be authentic and legitimate.<br><br>The lack of a trusted system of verifying identities poses the following dangers:</p>
<ul>
<li><strong>Privacy violations, lack of confidentiality, data loss or fraud:</strong> Since transactions are not secure, there's the danger of hackers and other unauthorised users gaining access to sensitive data and exploiting it for malicious purposes or financial gain.</li>
<li><strong>Reduced innovation:</strong> Because ecosystem participants don't trust each other, the kind of collaboration between members that often leads to innovation is inhibited.</li>
<li><strong>Counterfeit or inauthentic products or services slipping into the distribution chain:</strong> If there's no security mechanism to ensure that everyone in the ecosystem is who or what they say they are, there's the possibility that unauthorised parties could enter into the community and illicitly insert their own products or services into it.</li>
<li><strong>Loss of revenue:</strong> One serious result of the above is that illicit products or services divert revenues from legitimate members of the community.</li>
<li><strong>Brand erosion:</strong> It is not only top-line revenues that are at stake. If unauthorised products or services are being delivered to customers or users, and, as is usual in such cases, the quality of those products and services is inferior, the reputation of one or more members of the community can be compromised.</li>
</ul>
<p>One solution that enables a trusted ecosystem for sharing and collaboration over the Internet and other networks is Public Key Infrastructure (PKI). PKI is specifically designed to ensure the security and trustworthiness of transactions and identities in three ways: authentication, encryption, and digital signatures.<br><br><img src="/businessworld/system/files/images/Feb_12/IT_environment_lg.jpg" style="vertical-align: middle; margin: 5px;" width="600" height="250"><br><br>Authentication ensures that a person or device is accurately identified. It is achieved by binding public and private keys to user identities through a certificate authority (CA). Each user identity issued by a CA is unique, so that a credential based on PKI can be trusted.<br><br>Encryption is the process of transforming information so it is unreadable by anyone who doesn't have the designated key. In PKI, encryption protects sensitive information whether data is in transit or at rest. Once a person or device has been accurately identified, the CA issues a digital certificate that binds a public and private key to the user identity. In order to protect data in transit, data is encrypted with the private key of the sender and the public key of the recipient. Data can only be decrypted by the private key of the recipient. The private key is kept private by that individual, and never shared with anyone or sent over the Internet. The public key is stored in a directory as part of a digital certificate. Anyone who wants to send a secure message uses the public key of the recipient to encrypt it. The recipient is the only one who can decrypt it, using his or her private key.<br><br>A digital signature strengthens the integrity and auditability of electronic transactions. It is created with an algorithm that combines an individual's private key with the electronic document that is being signed.
Since only the person who owns the private key can create the digital signature, that signature can be trusted. This can be verified by anyone possessing the public key for that individual.<br><br>There are some steps that enterprises should follow to implement strong authentication across the network and enable confidence among users and partners in the information-driven world:<br><br><strong>Understand the true nature of today's IT usage within the corporate environment:</strong> Enterprises should first be able to identify where their most sensitive information resides, and take a prioritised approach that protects this information at rest and in motion. Increasing consumerisation means tremendous growth in unstructured data (information that does not reside in traditional databases), which creates a security challenge. Technology can help discover the most sensitive information in order to protect it.<br><br><strong>Ensure strong authentication for all employees and partners coming into the organisation:</strong> Not only are sales people accessing critical information from outside, but so are field marketing, home-based employees, partners, and many others. Furthermore, employees will be accessing Internet applications from within the network. A strong authentication (two-factor authentication) system works by requiring two simultaneous but independent authentication methods. The first factor involves hardware or software that provides the user with an electronically generated passcode or digital certificate that serves as a unique identifier for a particular user.
It is then coupled with a second factor, such as a password, and together they constitute a strong authentication system for enabling access to critical resources like a corporate network.<br><br><strong>Adopt a layered approach to deployment for the strongest possible authentication:</strong> Layered solutions have been essential for some time in the world of corporate security, and strong authentication is no different. Protective layers for access to enterprise data can include everything from risk-based authentication to fraudulent login detection to one-time passwords and digital certificates for all PCs and laptops inside the organisation. These solutions can be used from anywhere, using any device.<br><br>PKI managed solutions help streamline operations, minimise the risk of fraud and waste, and disseminate information more securely. Hence, a robust authentication system can be constructed to solve a number of real-world identity management problems today.<br><br><em>Suhas Prakashkumar is Director of Development at Symantec</em></p>
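<p>The two-factor scheme described above (an electronically generated passcode coupled with a password) can be sketched as a server-side check. This is an added example, not code from the article or from Symantec: it assumes the passcode is a time-based one-time password as specified in RFC 6238, and the account record layout, <code>verify_login</code> and <code>demo_user</code> are hypothetical names.</p>

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per passcode, the RFC 6238 default

def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """Time-based one-time passcode (RFC 6238, HMAC-SHA1)."""
    counter = struct.pack(">Q", int(at) // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def verify_login(user: dict, password: str, passcode: str,
                 now: float, drift: int = 1) -> bool:
    """Grant access only when both independent factors verify."""
    # Knowledge factor: constant-time comparison of the salted hash.
    knows = hmac.compare_digest(hash_password(password, user["salt"]),
                                user["pw_hash"])
    # Possession factor: accept the current step +/- drift for clock skew,
    # but never a step at or before the last one used (replay protection).
    matched = None
    current = int(now) // STEP
    for step in range(max(0, current - drift), current + drift + 1):
        expected = totp(user["totp_secret"], step * STEP).encode()
        if step > user["last_step"] and hmac.compare_digest(
                expected, passcode.encode()):
            matched = step
    # Both checks always run, so a failure does not show which factor was wrong.
    if knows and matched is not None:
        user["last_step"] = matched
        return True
    return False

def demo_user() -> dict:
    """Constructed account record; the secret is the RFC 6238 test key."""
    salt = b"constructed-salt"
    return {
        "salt": salt,
        "pw_hash": hash_password("correct horse battery staple", salt),
        "totp_secret": b"12345678901234567890",
        "last_step": -1,
    }
```

<p>A stolen password alone fails the check, and so does a captured passcode replayed after it has been used once.</p>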