Old security models inadequate for ebusiness

by John Leyden

15 Jun 2000

The traditional approach to security adopted by many companies is outdated and will leave firms vulnerable as they enter the ebusiness market, a leading technology consultancy has warned.

In its report E-Business Security: New Directions and Successful Strategies, Ovum argues that the traditional hierarchy of trust adopted by organisations does not fit the ebusiness model, meaning that access channels, such as mobile devices, could pose a major security threat.

Graham Titterington, senior Ovum analyst and lead author of the report, said: "The old security model tends to rely on perimeter security - protecting the outer boundaries of the organisation. But that is based on a hierarchy of trust which places 'internal' users at the top and 'external' users at the bottom. An approach designed to keep people out of systems is no longer adequate.

"This is plainly wrong for ebusinesses which need to allow customers and suppliers into the heart of their systems."

Another flaw of the perimeter approach is that it does not distinguish between different applications and systems, which may have radically different security needs according to how mission-critical or sensitive their contents are, said Titterington.

Mobile devices, such as smartphones and mobile PCs, have too many vulnerabilities today to be afforded high levels of trust, even if the users themselves can be trusted.

"There is no standardised security infrastructure in the form of end-to-end protocols. It is too easy to steal or tamper with the devices, and digital keys are stored at gateways rather than on the device," said Titterington.

"Companies should restrict their access rights until at least 2001, when there are better prospects of a standardised security infrastructure."

Ovum recommends "ubiquitous security", where security measures are applied flexibly to specific parts of the ebusiness environment. This relies on access control measures to grant user access selectively, depending on the level of trust placed in the user and the access device used.

Different applications would be afforded different levels of protection, according to how mission-critical or sensitive they were judged to be.
