Security and the Internet: for better... without the worst?



Paul-André Pays is the incorporator and Development Manager of Edelweb, a company specializing in the consulting, expert valuation and security of X Net networks and their applications.
Edelweb, a subsidiary of ON-X Consulting, carries out security surveys upstream and, downstream, "security assessments" (i.e. inventories of fixtures, audits, tests, advice and follow-ups), then proposes corrective measures.

Véronique Anger: Do the problems relating to network security still act as a brake on Internet expansion inside companies, and on the development of these very same companies on the Internet?
Paul-André Pays: Companies must actually adopt new technologies to remain competitive. Indeed, it would be suicidal for a company's development to ignore the importance of the use of the Internet.
Companies' competitiveness is so dependent on the Internet that the problems relating to network security (particularly that of the Internet) do not act as a brake today. Besides, there are several effective solutions.
When you deal with security, you have to distinguish several fields:
- The security of premises, facilities, stocks, ... In this case, well-proven technical means are needed (i.e. alarm systems, entry badges, reinforced doors...).
- The security of Information Systems (IS), especially of front servers (i.e. web site access, e-mail box, ...). This security system is based on technical means and procedures. Solutions may be expensive, but they do not present companies with any particular problem.
- Transactions' safety (i.e. transfers of data, e-commerce, ...). It consists in "certifying", or authenticating, dating and assuring companies of the reliability and the integrity (and even confidentiality) of these transactions, in case of doubtful exchanges.
This aspect is to disappear thanks to attestations of digital signatures, which are legally valid before the courts (digital signatures are legally recognized, and non-material documents as well). But I wish that this solution were more frequent.
In my opinion, "security" is rather an ambiguous term and may be confused sometimes with "confidentiality". Many people confuse "the networks and computer systems security" with "transactions' certification", as well as "confidentiality" with "integrity". The important thing is not to "encode" data but to certify them (to be sure that collected information comes from the interrogated databases, for example) and ensure they can be found easily (thanks to signatures, hour and date stamping, ...).
- Commercial Security (e-commerce) which aims at making the parties confident of each other. There are technical solutions, regulations and contracts as well.
Paradoxically, e-commerce customers had better not use these so-called "safety" devices (and especially in the case of BtoC*). Indeed, as a seller's commitment is quite limited, it is quite difficult to prove his/her liability (Are you sure delivery dates will be met? Do delivered goods correspond to their descriptions?). Conversely, as a customer has signed nothing, he/she can easily contest the transaction. These are telesales and e-commerce drawbacks!
When customers have chosen to append their digital signatures, they have to see to it that e-retailers commit themselves to offering both quality products and services. If not, a customer might be liable for his/her own payments, his/her signature being an irrefutable proof...

VA: What is the present situation? What are the principal risks, and which solutions do you propose to companies to avoid them?
PAP: Answers depend on the type of security. Considerable improvements have been made for IS (Information Systems) in terms of active, preventive and dissuasive security (both inside companies and as regards interfaces of communication with the outside world). The available technical means and products are efficient.
Total security is, of course, impossible, but the residual risk level is quite acceptable.
On the other hand, companies do not really realize the danger and some providers of security services are not very good ...
Manufacturers and software producers (Internet Explorer, Microsoft Outlook, Netscape, Windows, Mac OS, ...), which are always looking for new market shares, make products with faults easy to "pirate". Their one concern is to attract more and more users to increase their securities. It's a kind of race for competitiveness, which consists in entering the market first by launching quite vulnerable products.
With the boom in web technologies, which is followed suit by computer applications (including e-mails and e-commerce), products are not of good quality, and neither are platforms. Who, today, would agree to buy products that do not resist either crash tests or test beds? Giving as a pretext economic progress, market dynamism, transformations due to the information society, computer consumers agree to pay for poor-quality products, which meet low safety standards. Even integrators propose unacceptable solutions to this problem.
With massive web development, this problem has become still more crucial. The attacks on Yahoo in February and the "I love you" virus have confirmed the trend ... While certain powerful companies put pressure on suppliers to be provided with incomplete versions (without videos for instance), it would be sufficient to encourage consumers to demand better-quality products from producers.
Meanwhile, all the versions delivered by default (Outlook, Explorer, Netscape, ...) should be controlled and secured automatically.
There are tools, technical means and regulations available to protect transactions. Organizational changes are the very thing to do. In the case in point, keywords are "digitizing, certifying and authenticity", which can be translated into digital signatures and compulsory authentications.
Some service providers think it necessary (or want to convince their clients) to use intricate and costly devices. But you can find cheaper efficient systems.
Thanks to Public Key Infrastructures (PKI) or Digital Certificate Infrastructures, "out-house" connections and in-house applications can be both controlled and protected.
Finally, progress in commercial trade is needed to restore confidence and good-quality services. Laws, regulations and contracts have to be adapted to changes (digital signature's legal acceptance is an example).
Furthermore, "quality service" labels and "safety" stamps are to be created. Edelweb is working with Véritas on a plan for computer safety stamps.
Whatever sector is concerned, security must be a permanent state of mind, which requires frequent controls and adaptations and therefore a specific budget. The safety policy is not limited to the setting up of a firewall, antivirus and some procedures. This safety policy does not represent a selective investment. It has to be a long-term investment integrated into an overall strategy.
I think that the technical and structural aspects of security are not the real problems. According to me, the main issue is a lack of "good" practices.

VA: A few months ago, several attacks occurred against big providers. Do you think that such attacks constitute real problems or non-problems?
PAP: It is quite simple to block services. It consists in completely jamming up one target web site by inundating it with connections. It can be compared with the big blockades organised by long-distance lorry drivers on main roads, or with post office workers' actions to paralyse a service. Such actions are always difficult to prevent. But there are some deterrent solutions to improve protection.
The solution consists in analysing the web traffic so as to detect problems quickly and then immediately alarm security managers. Several attacks have been planned to give the alert. Even though these attacks are hard to prevent, subsequent damage could be limited and the service maintained. This quite deterrent system (especially because you can be tracked) has to be used appropriately. Above all, collected information will be protected against illegal use. But paranoia must be avoided: excessive safety measures (in "big brothers'" way) could, of course, be eventually dangerous. But such abuses are odd; indeed, this kind of surveillance would be too costly!

* Business to Consumer

For further information about EDELWEB: http://www.edelweb.fr