What is an appropriate level of security?
Protecting the security and privacy of information exchanged is absolutely
critical to the success of Web-based services. At VillageMall we have a challenge: how do we
design a security framework that (a) is simple; (b) is deployable within our
client community; and (c) meets the privacy requirements of all involved
parties?
So what are the questions?
- Who am I? This question deals directly with how an individual's
identity is managed, and what types of information define that identity.
This question applies equally to VillageMall applications and computers as
it does to actual people. When it comes to doing business online, the
information that defines who you are is critical. Your ability to control how that information
is used, who is allowed to access that information, and where that
information is stored is an absolute requirement. It must also be pointed
out that a single individual may actually have multiple digital identities
that reflect various roles that the individual plays. For example, I have
both a VillageMall employee identity and a Visa consumer identity. It is up
to me whether or not I want these identities to be linked together.
- How can I control what you know about me? There are going to be
times when you need to know something about me in order to complete some
task that I have asked you to do for me. For example, if I ask you to supply
goods to me, you need to know my delivery address. You don't, however, need
to know my birthday or the names of my children. The point is: there are
certain things that you need to know and certain things that you don't need
to know. At the same time, I need to be able to control exactly how you are
allowed to use the information that I do give you. For example, I'd be
giving you my address for the sole purpose of you delivering goods to
my house, not so you can send me advertisements once a week.
- How can I prove who I am? With the rise in use of digital
identities, the potential for identity theft grows. The ability to prove
that I really am who I say I am is key. In the "real world," we
prove our identity by providing authentication information such as a driver's
licence, credit cards, etc., issued to us by parties we do business with.
Those parties validate our credentials and
issue tokens that can be used to authenticate us. In the digital world,
digital certificates issued by certificate authorities can be seen as providing
the same authentication information. It should be noted that some cards also
provide identification or personal information, such as a driver's licence,
while others purely provide authentication information, such as credit cards
(a unique card number, but no personal information). You should carefully
consider what type of digital information you require to carry out
your business activities. There is a growing tendency to collect more
personal information than is required to carry out the business transaction.
If unsure, always ask why the information is being collected; if there is no
valid reason, simply select another provider that understands your
requirements.
- Am I allowed to access the services that you offer? Just because a
service provider is offering services doesn't mean I'm allowed to use them.
- How do we negotiate my ability to access the services you offer? If
I can't access your services currently, how can we come to some arrangement
so that I am allowed to access them, and under what terms am I allowed to
access them?
- How do we know whether or not we can trust each other? Establishing
trust relationships online is a problem that has well-established
groundwork, but there is still much to be done. I can only
trust you if both of us share a technology and business framework for that
trust.
- How can I protect myself against identity theft and fraud? The
ability to monitor, audit and change the use of one's digital identity and personal
information is critical. DO NOT in any circumstance provide your biometric
material or information to any service provider! Biometric material by
definition cannot be changed, and hence you are likely to suffer from
identity theft, based on the low compromise threshold needed by the most
common forms of biometric technologies. Based on these two facts, we believe
biometrics is a totally inappropriate form of authentication for Web-based
services.
- How can we protect the integrity of our transactions? Encryption,
digital signatures, reliable messaging, and access control all play a key role in ensuring that
when you and I do business, that business maintains its confidentiality and
integrity. I need to make sure that when I order 10 boxes of widgets, I
don't end up being forced to buy 100 boxes of widgets because I can't prove
that I only ordered 10. This is a classic problem in e-business and has been
the driving force for many VillageMall technology investments.
- Who can I trust to provide answers to these questions? A very
important question. In reality this is not just a technology issue. Trust is
a social and personal issue, and fundamentally trust is only established over
time. In the Web services arena, the information that defines
your digital identity must always be under your exclusive control.
You should not allow any organisation to hold your identity information in
any circumstance. As an example, would you give your physical signature to an
organisation to use for you? While this may seem obvious, there are several
organisations that are trying to do just this; examples are Certification
Authorities and Microsoft's Hailstorm services. Microsoft (whether you
trust them to do so or not) will be the third party that defines how and
where your personal information is stored and what mechanisms will be
defined to protect and manage that information. Selecting providers with whom
you already have established relationships is wise, but one must be careful
not to get locked into a situation where the service provider controls more
about how your information is managed than you do. Integration into your
existing policy and security infrastructures should be encouraged, if not
demanded.
- Who determines the right level of security? The answer follows from
another question: who will be harmed by a loss of (or unauthorised access
to) data or information? Only the person actually sustaining a loss (and who
hence has a realisable risk) can determine what level of security is
appropriate. Before giving up your personal information, ensure that a
service provider can provide the level of security that you require. It is
equally valid for a service provider to insist on a level of security before
providing information to you (such as digital content, etc.).
- What is the right level of security? The answer is that there is no
single right level; this is really a risk management question. How much (in
money, time, and effort) am I prepared to exert in order to protect my
information? Recognising this can be the first part of any
answer. At VillageMall we offer a scalable set of solutions that can be
matched against the assessed risk. Additionally, this question is equally
applicable to the service provider and the client.
For additional information about "what is appropriate security for your company",
contact VillageMall.