Verne Meredith suggests an approach to the risks posed by the wireless environment.

Mobile commerce opens up a vast number of new business opportunities. Users can access and send information from anywhere, at any time. But the convenience of wireless communications comes at a price – lack of security and privacy.

The financial, healthcare and emergency services industries will profit the most from wireless technology and mobile commerce. The immediacy of information is vital to their business and their customers. Yet conducting business over an unsecured wireless channel exposes enterprises to a new world of risks. These market segments have the most to gain and to protect in wireless applications.

These industries will be the first to adopt wireless as a business avenue, and the first to figure out the complexity of a wireless environment. With the rapid development of new wireless applications, hackers trying to break them are already emerging. Security and privacy are vital issues.

Wireless networks can be an eavesdropper's gold mine. Transmitting sensitive data through the air without security measures means that anyone in the vicinity can intercept the data, whether it be e-mail or files. This leaves networks vulnerable to hackers, who can gain access to corporate passwords, log on to servers, or shut the network down entirely.

Even more worrying to a bank or other financial institution, is the liability risk associated with conducting business over the internet or a wireless channel. When monetary transfers or transactions are involved, enterprises need to protect their assets and reduce their liability. Traditionally, liability is lessened by transferring the legal responsibility to the customer via a signed document or receipt. This is very difficult to emulate in the electronic world.

The strong security requirements of a wireless environment must mimic those of the real world. Businesses want to know with whom they are dealing, whether that person is allowed to conduct a transaction, that no one else is listening to their transaction, and that the transaction agreed upon by the two parties cannot be altered or disputed.

For businesses considering m-commerce, user authentication and non-repudiation of transactions will be paramount in order to reduce their liability and risk. A public-key infrastructure (PKI) is the most effective security methodology for mimicking the strong security of the real world.

A PKI secures electronic transactions by replicating well established security principles from the real world. These infrastructures ensure the trust and confidence needed to engage in electronic commerce, enterprise automation, and business-to-business transactions, by incorporating every piece of a business's security system into one centralised, easy-to-manage solution. A PKI supports digital certificates, including encryption, digital signatures, non-repudiation, authentication, key management, and cross-certification.

In the world of the internet, PKIs are an excellent way of enabling electronic commerce - in the world of wireless devices, they are a virtual necessity.

Enforcing security
In order to implement wireless security, you need to consider a number of things, such as a security policy, selecting a security provider or technology, and the cost of implementing and managing the security infrastructure. You must assess your business's requirements by analysing its existing resources and future needs. You can do this comparatively easily with the help of a security consultant, diligent research by your IT department, or by meeting potential PKI vendors

IT professionals must also consider the limits of the wireless environment when designing secure applications. Securing applications on a wireline network is easy. But solutions in the wired world do not convert smoothly into the wireless world, where there are multiple mobile devices, operating systems, browsers, and portals. In order to implement security in the wireless world, you must establish universal intelligence in the device, backend server application, and the application layer.

From a management standpoint, the first step in designing a secure application is to develop a security policy. This is a documented and formal statement of the rules that regulate how your organisation manages, protects, and uses assets. Typically, a corporation conducts a security audit to assess its risks and then uses the findings to design its security policy.

A security policy is probably the most important aspect of a complete security infrastructure. Without it, you will not be able to manage and eliminate the most prolific security breach of all – insider/employee breaches. Not all employee breaches are malicious. Most are due to lack of education in areas such as choosing an impenetrable passcode or knowing what security measures should be taken with network access.

Once a security policy is in place, you can then deduce what level of security is required. For example, if you are simply looking to replace passwords with digital certificates, a certificate server and a couple of administrators may be all that are necessary. However, for the wireless transmission of business contracts and financial transactions where non-repudiation is important, simple certificates may not be sufficient.

The second step is to select a PKI vendor. It is important to remember that a PKI vendor can make or break your deployment project. A good one can help you successfully execute and maintain a full-scale deployment; a bad vendor could mean failure.

Should you outsource?
Your existing resources will affect the types of vendor with whom you concentrate your discussions, as well as scale of PKI implementation. For example, in implementing a PKI, you can choose whether to outsource the Certificate Authority (CA) function, or maintain it in-house. There are pros and cons in each case.

Keeping the CA function in-house is sensible if you plan to issue and manage a large number of digital certificates. If projected revenue from offering secure wireless applications outweighs the costs of implementing a complete wireless infrastructure, including security, then it also makes more sense to do it yourself.

Implementing a complete wireless security infrastructure for in-house management normally costs between £150,000 and £300,000. This does not include the cost of buying certificates at an average of £7 a certificate.

If you think that you are only going to be issuing small numbers of certificates, then it is probably more cost-effective to outsource. However, you then need to decide whether your business is willing to share control over access to your electronic business assets and intellectual property. If you choose to outsource to a third party CA, then it would be in full control of managing the certificates of your customers, and so would have access to your customer base and all associated confidential information. This should not be as big a concern as it may seem, as CAs are trusted parties, but some organisations may not want anyone else to have access to such information.

It is very important to find a CA that supports all of the elements needed for your deployment, supports your needs, and has your trust. Remember that you will be at its mercy for the pricing of certificates.

Outsourcing costs are nominal compared to a complete in-house infrastructure. Initial integration costs will be around £75,000, plus a monthly maintenance fee, plus the cost of certificates.

Whether you are looking to manage your PKI operation in-house or outsource, you have to consider if you have enough qualified staff to evaluate, procure, implement, and manage it and whether you are in a position to hire an expert if needed.

The actual cost of deploying a wireless PKI infrastructure greatly depends on the existing technology you have in place. When extending your applications to wireless, you must consider what hardware you need to purchase, whether your current software and hardware are interoperable with your new application, and whether or not you currently have a sufficient level of security.

The time required to design, develop and deploy a PKI solution is typically a couple of years, with the time from pilot to deployment being three to 12 months.

With the increased exchange of confidential information, users and enterprises will seek more advanced levels of security to protect their intellectual and monetary assets. To get a head start on the competition, you should begin looking at wireless PKI security from the outset. An advanced security solution is imperative: consumers will soon come to expect it.
Verne Meredith is vice president of Sales and Marketing, Diversinet Corp, Tel: 001 416 7562324289, e-mail

OECD Privacy statement generator
Internet research has repeatedly shown that many consumers are reluctant to engage in electronic transactions because of concerns about the privacy of their personal data. Privacy policies and accurate public statements outlining such policies are a vital step towards encouraging trust in electric commerce among visitors to web sites. They can help visitors to make informed choices about entrusting an organisation with personal data.

The OECD Privacy Guidelines represent an international consensus on how best to balance effective privacy protection with the free flow of personal data. Openness is a key principle of the Guidelines, which are flexible and allow for various means of compliance.

To help implement the Guidelines in the electronic world, the OECD has developed the OECD Privacy Policy Statement Generator in co-operation with industry, privacy experts and consumer organisations. The Generator aims to offer guidance on compliance with the Guidelines and to help organisations develop privacy policies and statements for display on their sites.

EC e-security moves
The European Commission has plans to encourage development of a common platform for encryption systems, to ensure interoperability.

Other measures proposed to improve e-security include fighting computer viruses by ensuring more effective sharing of European warning and information systems, a publicity campaign to raise awareness of online security, and help to strengthen cooperation between computer emergency response teams.

Choosing a PKI vendor
You should keep in mind several aspects when assessing a PKI vendor, such as their service level, technology quality, core competency, reputation in the market place, and their partners. All of these are important in deciding whether the vendor is able to support your current and future needs.

  • PKI technology is pretty standard. What is important is a vendor's ability to ensure that the technology is flexible, scalable, and interoperable with the most common networks, applications, and devices. In the complex, ever-evolving proprietary wireless industry, a vendor must offer a solution that works with multiple wireless devices, over multiple networks, and various operating systems. What good is a PKI infrastructure that cannot be used by all of your customers?
  • Your next question should be as to the vendor's core competency. Is it focused solely on wireless PKI technology, or is it dabbling in other technologies or services? A vendor with a strong focus will usually have the most advanced technology and vision for future products. This is important when considering whether the PKI technology will support your future needs.
  • Partner strategy is a consideration that you may not feel is important - but in fact it is. The wireless world is quite complex. Wireless players, including PKI vendors, must work together to ease the cost and effort for businesses deploying wireless technology. PKI is only one component of a secure m-commerce infrastructure. You still need a qualified CA, middleware product to transform your wireline application into wireless, mobile devices that can support your application, and a network over which you can securely conduct m-commerce transactions. A PKI vendor who has established relationships with these middleware vendors, device manufacturers, and network operators can help put you in touch with these professionals. Better yet, some vendors have even gone as far as integrating their PKI technology into partnering products to offer you a pre-packaged solution.
  • It is important to feel comfortable with your vendor, as you will require support as you plan and deploy your PKI.