Fundamental Building Blocks for Security Interoperability in e-Business

Muhammad Asim, Milan Petkovic
DOI: 10.4018/978-1-4666-4153-2.ch008

Abstract

The e-business concept goes beyond traditional electronic enterprise systems that are typically owned and controlled by one company. In e-business systems, data is exchanged in a distributed environment where different components and systems are owned and controlled by different companies. This introduces two main challenges: (1) there is a need for adequate security mechanisms that can protect the data in an end-to-end manner, and (2) the security mechanisms deployed in e-Business systems must be interoperable to ensure that they work with the security mechanisms of others' systems. This chapter gives an overview of security mechanisms applicable to e-Business, as well as relevant security standards. The chapter also gives an outlook on novel approaches to e-Business security.
Chapter Preview

Introduction

Emerging ICT technologies are modifying processes and communication between the players in the business world. Nowadays, consumers use the Internet to establish a relationship with an enterprise. The internal functioning of enterprises is changing. ICT plays an important role in the communication between the enterprise and its different partners and suppliers. ICT supports the activities of the enterprise in all these cases, with the goal of improving the functioning and creating value for the enterprise and its partners. Take, for example, the travel agency scenario presented in the Trust Management chapter of this book (Costante et al., 2011), also shown in Figure 1. Alice books her holidays from the comfort of her living room using an online travel agency. The travel agency web site collects multiple offers from different flight, hotel and rent-a-car companies and presents them to Alice. Alice makes a selection and pays online using her credit card. Booking, payment, and all transactions between the parties in this scenario are supported by ICT.

Figure 1. Travel agency scenario, where different entities have to securely interact with each other

e-Business introduces important security challenges. Traditional security issues, which include data confidentiality, integrity and availability as well as authentication, authorization and non-repudiation, become even more important in the highly distributed setting of e-Business. For example, in the abovementioned scenario, the payment transaction needs to be secured. The confidentiality of the personal data Alice provides, which is shared with a number of parties, needs to be protected. The enterprises that collect this data need to comply with data protection legislation (e.g. European Directive 95/46 (European Directive 95/46, 1995)), which means that, among other things, the data should be disclosed only to authorized users and be used for the specified purpose. The business partners have to be authenticated and the travel agency service needs to be reliable, i.e. Alice would need a guarantee that she is talking with a genuine service and not a fake one which may steal her credit information. Traditional security mechanisms, such as encryption, digital signatures, different authentication methods and access control, play an important role in fulfilling the abovementioned requirements. However, highly distributed e-Business systems also require advanced security mechanisms that can provide end-to-end security. These include policy-based security mechanisms as well as technologies such as digital and enterprise rights management.

Next to the need for adequate security mechanisms that can protect the data in an end-to-end manner, it is of utmost importance to ensure interoperability of the security mechanisms deployed in e-Business systems. In the abovementioned scenario, the travel agency system has to dynamically contact different business entities based on Alice's search criteria. These entities consist of flight providers, hotel providers and car rental service providers. In addition, the travel agency system would need to interact with the Visa™ or MasterCard™ service providers, which are needed to process Alice's payments.

In this scenario, the most prominent security issues are:

  1. Reliability and trustworthiness of communicating entities;
  2. Authenticity of the communicating entities;
  3. Authenticity of the person who is placing the order;
  4. Confidentiality and integrity of the information that is sent over the Internet and shared with different entities; and
  5. Non-repudiation of a sender and receiver.
