Are You Secure?

June 30, 1999

Rupert Kendrick, LL.M., Comp.BCS., non-practising solicitor, reviews some of the technology and security issues that law firms delivering services electronically will need to address.


According to the Computer Security Institute [1], cybercrime is up by 16% over 1997 figures. Potential losses from intellectual property theft from corporate enterprises exceed $250 billion annually [2]. The ‘preferred’ crimes are theft of proprietary information, telecommunications fraud and financial fraud [3]. The perpetrators are largely insiders: up to 80% of computer crime is committed from this source [4].


At the same time, worldwide Internet commerce is expected to generate annual revenues of nearly $500,000 by the year 2002 [5]. One million people in the United Kingdom became Internet users in the third quarter of 1998, with 80,000 joining every day. It is axiomatic, therefore, that electronic commerce, both business-to-consumer and business-to-business, is likely to grow rapidly.


The ability to provide goods and services electronically has benefits both for consumer and for business-to-business transactions. For instance, the cost of a conventional travel reservation has been put at $10, whereas online the cost is put at $2.


Issues


Business-to-business electronic trading can enhance revenues through new channels and personalise the customer lifecycle, while at the same time lowering general and administrative expenses, marketing expenses and the cost of goods and services.


Ranged against these gains are thousands of hackers, whose number is said to be doubling each year. It becomes essential, therefore, for enterprises to develop a security policy. This is especially so in the case of law firms delivering services electronically, where confidentiality and privacy are paramount.


The essential issues are:


  • to identify the information assets of the enterprise in need of protection
  • to install secure entry points
  • to identify the connection process and then educate the users concerned.

Business Model


The development of electronic business promises (or threatens) to change the conventional business model. The transition from bricks and mortar to the network economy is under way.


The conventional model is introspective, less responsive to the market, asset and people intensive, with multi-layered management. The new model offers cost and management advantages, repositioning the customer/client as a partner, opening new markets, and offering a lean structure with fewer people and direct access to management by customers/clients. The new forces will change the conventional approaches, destroying and recreating value chains both internally and externally.


Electronic commerce has been defined as ‘business transactions that are carried out electronically for improving the efficiency and effectiveness of business processes’.


The issues surrounding electronic commerce involve generally (but particularly for lawyers) confidentiality and anonymity; authenticity and integrity; non-repudiation; and access control.


Connected to these are the consequential questions of liability and privacy.


The question arises as to how to achieve the necessary degree of security within the environment in which law firms provide their services. Information security requirements will ideally incorporate:


  • Internet firewalls
  • enhanced user authentication
  • access control
  • cryptography
  • logging, reporting and alerting
  • consolidated authentication and a single sign-on
  • certification
  • physical security.

PKI


One solution is the establishment of a Public Key Infrastructure (PKI). It has been suggested that this is ‘probably the most critical enterprise security investment that a company will make in the next three years’.


PKI provides a single point of entry for administering security for both electronic business and internal applications, and can provide a broadly applicable infrastructure that enables new business processes that reduce costs and enhance customer/client service.


The PKI structure comprises a Certification Authority (CA), linked to subsidiary Registration Authorities (RAs), which in turn deal with users. The registration authority is responsible for registering the applicant, checking credentials, requesting a certificate from the certification authority and ensuring that the correct data is supplied. The certification authority approves the request, creates and signs the certificate, returns it to the registration authority and places the certificate in the public directory.


PKIs may be open (to all), closed to specific customers/clients, or restricted to a specific membership. Their operation needs underpinning by protocols or guidelines.


A certificate policy may be defined as ‘a named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements’. Its importance lies in defining the extent to which a relying party can trust a certificate for a particular purpose.


A certification practice statement is ‘a statement of the practices that a Certification Authority employs in issuing certificates’. Its value lies in establishing the trustworthiness of the authority’s certificate issuance, conducted in accordance with agreed policies.


A PKI can support single sign-on procedures, with access controlled by an ‘electronic passport’, together with global secure e-mail, in which confidentiality is secured by encryption and authenticity by digital signature. It can therefore provide the foundation for electronic commerce, through electronic forms and the conduct of electronic transactions.


What, concretely, makes up a PKI? First, there must be a certificate, as already described. This will state the subject’s name, a serial number, the period of validity, a pointer to revocation information, the public key, the name of the issuing authority and the Certification Authority’s digital signature over all of these fields.


The lifecycle of a key begins with its generation and the issue of the certificate. The key is then validated and used, and expires on a due date, at which point it is replaced or updated.


Principles


There are three major principles governing a PKI:


  • for every public key and certificate, there is an equally important private key
  • no public-key pair can live forever – key pairs must be updated over time
  • building security in silos creates hidden costs, involving inconsistent behaviour across platforms and applications.

It is essential that the infrastructure also reaches the users’ desktops: revocation of a certificate, for example, is useless unless the software on the user’s desktop actually checks revocation status before trusting the certificate. Further, the PKI must be both secure and trustworthy and be seamless across different applications, i.e. one set of keys and certificates across applications and platforms. Without this, each application will have its own security system, there will be individual evaluations for each application, separate key pairs and certificates, inconsistent or incomplete implementations and costly administration.
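The certificate issuance, validity and revocation steps described in the preceding paragraphs, as an added example that is not part of the original article. It uses only Go’s standard library to stand up a toy CA, have it issue a certificate from a request that an RA has vetted, verify the result as a relying party would, and publish a CRL. The CA name, the subject name, the validity periods and the fixed clock are assumptions made for illustration.

```go
// Added example, not from the article: a miniature PKI built with Go's standard
// library. CA name, subject name, validity periods and the fixed clock are assumed.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MiniPKI holds the CA's key and certificate and one certificate it has issued.
type MiniPKI struct {
	CAKey  *ecdsa.PrivateKey
	CACert *x509.Certificate
	EECert *x509.Certificate
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// BuildPKI creates the CA, then issues an end-entity certificate from a
// certificate request, the artefact an RA forwards after checking credentials.
func BuildPKI(now time.Time) *MiniPKI {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Example Firm Root CA"}, // assumed name
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)

	// The applicant generates its own key pair; only the public key leaves it,
	// inside a request signed with the private key (proof of possession).
	eeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "solicitor@example.com"}, // assumed name
	}, eeKey)
	check(err)
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature()) // RA step: the requester really holds the private key

	// CA step: bind the vetted name to the public key for a one-year lifetime.
	eeTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
	}
	eeDER, err := x509.CreateCertificate(rand.Reader, eeTmpl, caCert, csr.PublicKey, caKey)
	check(err)
	eeCert, err := x509.ParseCertificate(eeDER)
	check(err)
	return &MiniPKI{CAKey: caKey, CACert: caCert, EECert: eeCert}
}

// Verify is the relying party's check of the CA signature and the validity
// period at time t. Path validation alone knows nothing about revocation.
func (p *MiniPKI) Verify(t time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CACert)
	_, err := p.EECert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t})
	return err
}

// Revoke has the CA sign and publish a CRL listing the end-entity certificate.
func (p *MiniPKI) Revoke(now time.Time) []byte {
	crl, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: p.EECert.SerialNumber, RevocationTime: now}},
	}, p.CACert, p.CAKey)
	check(err)
	return crl
}

// IsRevoked is the step the desktop must perform itself: parse the CRL, confirm
// the CA signed it, and look for the certificate's serial number.
func (p *MiniPKI) IsRevoked(crlDER []byte) bool {
	rl, err := x509.ParseRevocationList(crlDER)
	check(err)
	check(rl.CheckSignatureFrom(p.CACert))
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(p.EECert.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // fixed clock, assumed
	p := BuildPKI(now)
	fmt.Printf("%q issued by %q, serial %d, expires %s\n", p.EECert.Subject.CommonName, p.EECert.Issuer.CommonName, p.EECert.SerialNumber, p.EECert.NotAfter.Format("2006-01-02"))
	fmt.Println("verifies at +6 months, +2 years:", p.Verify(now.AddDate(0, 6, 0)) == nil, p.Verify(now.AddDate(2, 0, 0)) == nil)
	crl := p.Revoke(now)
	fmt.Println("after revocation, chain verifies:", p.Verify(now.AddDate(0, 6, 0)) == nil, "CRL lists it:", p.IsRevoked(crl))
}
```

The last line of output is the point of the paragraph above. After the CA publishes the CRL, chain verification alone still succeeds, because path validation only checks signatures, validity dates and key usage; only a desktop that fetches the CRL, checks the CA’s signature on it and looks up the serial number sees the revocation. The expiry check shows the other half of the key lifecycle: the same certificate that verifies at six months fails at two years without any action by the CA.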


Implementation


Implementation will involve a number of separate stages. First, there must be awareness, which can be raised through presentations, seminars, workshops, etc.


There follows a process of establishing a vision, involving dedicated workshops, an exploration of the challenges and future direction of the enterprise, and highly interactive training programmes.


Next, the enterprise must focus itself by mapping out a detailed business strategy, defining its requirements, its Certification Practice Statement, its certificate policies and its architecture.


The project develops by defining functional and technical specifications, selecting hardware and software packages and proceeding to construction and installation.


Finally, after a successful pilot, a full-scale implementation of the electronic commerce solution follows.




Government Interest


In 1997, the then government issued a consultation paper on the proposal to license trusted third parties (TTPs) to provide encryption services. Since January 1999, such a service has been publicly provided by the Royal Mail.


The Post Office regards the key requirements as:


  • providing services that cannot be repudiated, with proof of strongly authenticated origin
  • the provision of confidentiality, ensuring messages are read only by those intended
  • the provision of integrity, the message contents being unaltered, and access control only for those authorised.

Its PKI gives each user two key pairs, each with a private and a public half: one pair for signing and one for sealing. The sealing key ensures confidentiality, while the signing key ensures that only the sender can have signed the message.
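The two key pairs per user described above, as an added example that is not from the article or from the Post Office’s product. One party signs a message with its signing key and seals it for a recipient, who can only open it with the matching sealing key and only accepts it once the signature verifies. The algorithm choices (Ed25519 for signing; RSA-OAEP wrapping a one-time AES-256-GCM key for sealing), the party names and the message are my assumptions.

```go
// Added example, not from the article: one signing pair and one sealing pair
// per user, used together to send a confidential, authenticated message.
// Algorithms, party names and the message are chosen here for illustration.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// Party holds a user's two key pairs. The signing key stays with the user alone;
// the sealing key's private half is the one an enterprise could back up.
type Party struct {
	Name     string
	SignPub  ed25519.PublicKey
	signPriv ed25519.PrivateKey
	sealPriv *rsa.PrivateKey
}

// SealPub is the public half of the sealing pair, as published in a directory.
func (p *Party) SealPub() *rsa.PublicKey { return &p.sealPriv.PublicKey }

func NewParty(name string) *Party {
	signPub, signPriv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	sealPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return &Party{Name: name, SignPub: signPub, signPriv: signPriv, sealPriv: sealPriv}
}

// Envelope is what crosses the untrusted network.
type Envelope struct {
	Sender     string // claimed sender, bound in as AEAD associated data
	WrappedKey []byte // one-time AES key, encrypted to the recipient's sealing key
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM over message || signature
}

// Seal signs the message with the sender's signing key, then encrypts message and
// signature under a fresh AES-256-GCM key that only the recipient's sealing key
// can unwrap, so the signature covers exactly what the recipient will read.
func Seal(sender *Party, recipientSealPub *rsa.PublicKey, msg []byte) *Envelope {
	sig := ed25519.Sign(sender.signPriv, msg)
	payload := append(append([]byte{}, msg...), sig...)
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	check(err)
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	nonce := make([]byte, gcm.NonceSize())
	_, err = io.ReadFull(rand.Reader, nonce)
	check(err)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientSealPub, key, nil)
	check(err)
	return &Envelope{Sender: sender.Name, WrappedKey: wrapped, Nonce: nonce,
		Ciphertext: gcm.Seal(nil, nonce, payload, []byte(sender.Name))}
}

// Open unwraps with the recipient's sealing key, decrypts, and only then checks
// the signature against the public signing key of the claimed sender.
func Open(recipient *Party, senderSignPub ed25519.PublicKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient.sealPriv, env.WrappedKey, nil)
	if err != nil || len(key) != 32 {
		return nil, errors.New("not sealed for this recipient")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	payload, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.Sender))
	if err != nil || len(payload) < ed25519.SignatureSize {
		return nil, errors.New("seal broken: ciphertext or sender name altered")
	}
	n := len(payload) - ed25519.SignatureSize
	if !ed25519.Verify(senderSignPub, payload[:n], payload[n:]) {
		return nil, errors.New("signature does not verify under the claimed sender's key")
	}
	return payload[:n], nil
}

func main() {
	alice, bob, eve := NewParty("alice"), NewParty("bob"), NewParty("eve")
	env := Seal(alice, bob.SealPub(), []byte("Exchange contracts on Friday.")) // constructed message
	got, err := Open(bob, alice.SignPub, env)
	fmt.Printf("bob opens: %q, %v\n", got, err)
	_, err = Open(eve, alice.SignPub, env)
	fmt.Println("eve opens:", err)
	_, err = Open(bob, eve.SignPub, env)
	fmt.Println("bob, told eve sent it:", err)
}
```

Opening fails in three distinct ways. A recipient without the matching sealing key cannot unwrap the session key; a recipient who checks against the wrong signer’s public key gets the plaintext but the signature fails, which is the non-repudiation property the text describes; and any alteration of the ciphertext or of the claimed sender name breaks the AEAD before the signature is even examined. Keeping the two pairs separate is also what makes a key-recovery or legal-access regime tolerable: the sealing private key can be backed up so that sealed records remain readable to the enterprise, while the signing private key never leaves the user, so signatures remain attributable to that user alone.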


The benefits are explained in terms of the potential use in the value chain, the external focus it provides to the enterprise and the independence it gives to the enterprise. In terms of security, an information security management policy has been devised, involving personnel security standards, operational security standards and access control standards. The business continuity process covers secure transit and off-site storage of back-up material and a general back-up and restore plan.


The Post Office claims to have a potentially unique breadth of attributes to be the leading TTP: its large repository of trust, its 19,000 retail outlets, its established relationship with United Kingdom citizens and with many countries globally, and its reputation for independence.


Evidence of the arrival of electronic commerce is found in the part being played by the government. Nigel Hickson of the DTI [6] regards the government’s role as fourfold: facilitator, legislator, user and international forum. He says the government prefers self-regulation in electronic commerce, but considers that some issues require a legislative approach ‘with a light touch’. It is interesting to learn how the government foresees its involvement with the future of electronic commerce.


It foresees the use of information technology both internally and for the delivery of services. By March 2001, it aims for 90% of goods to be procured electronically; and by the end of 2002, it anticipates that 25% of government services will be accessible electronically.


Legislation


The Secure Electronic Commerce Bill has the objectives of encouraging the take-up of electronic commerce, facilitating electronic government and maintaining the law enforcement capabilities of the government. Broadly, at the time of writing, the Bill contains provisions for:


  • powers in respect of ‘electronic writing’
  • legal recognition of electronic signatures
  • a voluntary licensing regime for cryptographic service providers
  • legal access powers to encryption keys.

The Bill has been the subject of a consultation paper for which the closing date was 3 April last, and legislation is envisaged to be in force by March 2000.


With information security (or information protection) becoming ever more important, a revised BS 7799 (the standard for information security management) is anticipated, with a view to an ISO standard in 2000. The c.cure scheme, developed by industry and facilitating BS 7799 accreditation, is now up and running.


There are also international developments. The EU Directive on electronic signatures addresses issues of legal recognition, minimum standards and third-country provision. The OECD is working on issues of authentication and privacy, and the UN is trying to devise uniform rules on electronic signatures.


It is not difficult to see that the software to provide the PKI that is likely to be required in the world of electronic commerce will be much in demand. One market leader in this field is Entrust Technologies, who offer a product that seems to solve most, if not all, of the PKI problems. Their product offers: single log-on and sign-on; secure e-mail; virtual private network and firewalls; secure electronic forms; smart cards; custom applications; and desktop and database security.


Lawyer Interest


The provision of legal services is based upon the confidence of the client and the integrity of the lawyer. The removal of either will cause the lawyer-client relationship to founder.


The fundamental shift, from paper-based legal services to the supply of confidential services electronically, radically challenges the conventional approach to these two factors. The new medium of communication renders old methods of preserving confidentiality obsolete, exposing confidential communications to potential fraud, interference or interception.


Electronic business necessitates sending sensitive information across networks which may be shared between employees, clients, contractors and unauthorised third parties.


Electronic communications and e-business comprise different elements. By their nature, the transactions are invariably time-critical, the sums involved are frequently considerable, the range of the transaction is frequently global and the cost-efficiency of the exercise is often crucial.


For lawyers, the critical success factor in preserving the lawyer-client relationship is how far transactional information can be protected from compromise and the extent to which confidence can be maintained. As commerce and industry address, then embrace, e-business, so lawyers will have to follow, because commerce and industry represent a significant proportion of lawyers’ clientele. When all is said and done, it is a matter of performing obligations to the firm’s clients.


The essential requisite is the attraction and retention of client confidence: confidence that confidentiality will be maintained and remain incapable of breach. In communicating with clients, lawyers must establish trust, particularly the client’s personal trust in the professional. Only communications protected in the most secure manner will be consistent with the establishment of such a degree of trust.


Mastery of the conduct of e-business in a secure environment emerges as a critical tool for the effective provision of legal services in the digital age.


From the precise issue of client obligation arises a broader issue, that of marketing. Law firms offering secure services electronically will be perceived as forward-thinking and progressive. In terms of marketing, it is likely that when ‘pitching’ for instructions, law firms will be assessed by potential clients on the competence with which they provide their legal services electronically.


A law firm’s competitive approach is thrown into focus, not only in terms of competing with other law firms, but also in terms of improving the business model of the practice discussed earlier.


There is evidence that in the next few years knowledge and information will become (if they are not already) a law firm’s most valuable asset. The key to the survival of many firms will be the ability to manage this knowledge and information in a secure environment, in which clients in particular, and those interfacing with the firm in general, are secure.


Law firms failing to address the issues that electronic legal services raise do their clients a disservice and, of course, ultimately do themselves a disservice too.


Endnotes


1. Computer Security Institute (CSI 3/4/98).


2. American Society for Industrial Security online 5/10/98.


3. CSI 3/4/98.


4. Infoworld 4/2/98.


5. IDOLink.


6. Entrust Technologies Seminar – 9 March 1999.