Trust in me

There are essentially two areas of interest with respect to building a security trust model with selected business partners: the business to business (b2b) and the business to consumer (b2c) environment.

In the b2b environment, companies want to provide partners with access to systems and resources that will allow them to interact with each other. Secure Socket Layer Virtual Private Network (SSL-VPN) technology is currently seen as the platform of choice for this purpose because many such solutions leave no footprint behind on a given users PC once the system has been used. Equally, most of the platforms used to deliver SSL also check the requesting PC for potential security threats (viruses, malware, etc.) prior to establishing the link. However, most companies still struggle with a critical component of the safe access model for trusted partners, namely the use of strong authentication techniques. This is primarily because to most organisations, username and password protection seems adequate and is still free.

Happily, use of token-based authentication in conjunction with partner extranet-style services is becoming increasingly popular (and wise). Like all b2b security environments, organisations need to consider the potential risks that faced and the mitigation of these that can be achieved by through technology (always remembering that the human factor is still often the weakest link).

In the b2c environment, organisations wish to continue to extend relationships with their customers and build loyalty. Consider, financial institutions, many of which are looking at ways to engender greater trust in e-banking environments. Simultaneously, the ever-widening use of DSL internet connectivity has caused service providers (SPs) to seek opportunities to tout higher-value services. Clearly, the SPs and the financial institutions are approaching a similar goal from different angles and, as in the b2b world, the key to success lies in leveraging known identities to build trust.

An internet service provider (ISP) will be able to provide added value services to the customer based on the identity of that customer. Consider a family sharing a single PC: the ISP might want to promote the fact that services such as online gambling are available to the father, while the nine year old daughter should naturally be unable to access such services and should instead have a range of more suitable options available to her.

If the ISPs content delivery partners cannot access authentication information, each purchase of online content or service will result in a different bill for the family. But if the ISP can share its user identification with its partners, it could provide preferential rates to its customers and deliver just one consolidated bill at the end of that period. This is easier for the customer, for the content delivery partners and generates more revenue for the ISP.

Put another way: the wider bandwidth available to us as internet customers is driving the next wave of services and options that we will be presented with. These new services are necessary for the survival and differentiation of SPs because connectivity is becoming increasingly commoditised. We can see proof of this already as consumers ourselves: in the past 12 months, the cost of a DSL connection has more-or-less universally decreased from around 25 per month to around 15 per month, while the available bandwidth has simultaneously increased dramatically. The result: high-quality streaming video services, as well as the other amazing applications weve heard talk of for so long, take a step closer to becoming reality every day.

The virtual enterprise network has arrived, and service-orientated architectures are the ultimate goal. It is this that is driving utility-based, on-demand computing requirements, which in turn necessitate stringent authentication and authorisation mechanisms to ensure freedom from abuse. As a direct consequence, web services, federated identification and authentication, identity and access management and network access control are all merely examples of the kinds of technologies likely to hit critical mass within five years. Businesses of all shapes and sizes need to become familiar with them if they hope to remain competitive because ultimately, it is the whole question of trust on which these things depend.

Do the SPs business partners trust its identification and authentication systems? Does the consumer trust the SP to deliver the right services and bills? The converged world we are approaching makes it inevitable that service-orientated models will come to bear. How quickly they arrive and how widely-spread they will be, only time and technology will tell, but its clear that though security is subordinate to business need, good security is good business.