How can users work towards online safety?
06 April 2011
This article originally appeared in Outsource Magazine Issue #23 Spring 2011
The level of understanding of what actually constitutes a secure application (or indeed a secure website) is starting to improve. An important phrase is “non-repudiation” – so what does this mean? It means that the application or website being accessed knows who is connecting to it. This can take the form of a certificate loaded onto the computer that identifies an authorised user, a biometric dongle, or a client-side generated token linked to a smart card or banker’s card. All of these devices ensure that there is an encrypted tunnel from the hardware you are using to the server-based application. The average bit encryption is 128kb. Never trust an internet site that is just HTTPS without client-side certification. Packets can be “sniffed” and you could, at worst, be diverted to a fake or spoof site that captures your personal or credit card details, or worse still, if it is your own corporate site, important company information.
On-demand software and outsourcing providers have an obligation to ensure that users’ data is secure and that there is true non-repudiation. Access to business data should be as secure as online banking.
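The article’s point is that with client-side certification the server both requires a certificate during the TLS handshake and then maps that certificate to a known, authorised user. The following is an added example, not code from the article or from any product it mentions, showing the server-side half of that in Python’s standard `ssl` module: a context that refuses connections without a client certificate, and an authorisation step run on the peer certificate after the handshake. The company name, the client CA name, the user list and the sample certificate dictionary are all constructed for the example.

```python
import ssl
import time
from typing import Optional

# Hypothetical corporate client CA and allow-list (constructed for this example).
EXPECTED_ISSUER_CN = "Example Corp Client CA"
AUTHORISED_USERS = {"alice", "bob"}

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns after a
# successful mutual-TLS handshake: names are tuples of RDNs of (type, value) pairs.
SAMPLE_PEER_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "alice"),)),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Client CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2099 GMT",
    "serialNumber": "0A1B2C",
}


def build_mtls_server_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Server context that demands a client certificate signed by our CA.

    CERT_REQUIRED makes the handshake fail for clients that present no
    certificate, which is the difference between plain HTTPS and
    'HTTPS with client-side certification'. The CA bundle is loaded when a
    path is given (omitted here so the example runs without certificate files).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def _rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def identify_client(peer_cert, now: Optional[float] = None) -> Optional[str]:
    """Map a verified peer certificate to an authorised username, or None.

    The TLS layer has already checked the signature chain; the application
    still has to check validity dates, that the issuer is the corporate
    client CA (not some other CA in the trust store), and that the subject is
    a user who is actually allowed in.
    """
    if not peer_cert:
        return None
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(peer_cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    if not (not_before <= now <= not_after):
        return None
    if _rdn_value(peer_cert["issuer"], "commonName") != EXPECTED_ISSUER_CN:
        return None
    user = _rdn_value(peer_cert["subject"], "commonName")
    return user if user in AUTHORISED_USERS else None


if __name__ == "__main__":
    ctx = build_mtls_server_context()
    print("client certificate required:", ctx.verify_mode == ssl.CERT_REQUIRED)
    print("identified user:", identify_client(SAMPLE_PEER_CERT, now=1750000000))
```

In a real deployment `ca_file` points at the organisation’s own client CA bundle, `getpeercert()` is called on the accepted socket after `wrap_socket`, and the returned username is what the application records for the session, which is the “the application knows who is connecting” property the article describes.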
Now let’s take a look at internal security procedures, i.e. within a business. You can have the most secure application access in the world, but most corporate security breaches happen within what is deemed to be a secure zone. This is usually caused by a lack of process and controls within a business. Employees share passwords, leave hard copies of secure documentation on their desks overnight, or take home printouts and dispose of used data in a dustbin! Believe me: it does happen. The other common security breach is for staff to download data over a secure medium and then email it outside the organisation… You can have secure access to a building, and an encrypted tunnel to your network and all applications, but if someone takes that data and emails it outside the organisation you have a breach.
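The breach described here, data pulled from a secure store and then emailed out, is invisible to the TLS tunnel but visible in logs the organisation already has. The following is an added example, not from the article, of the kind of correlation a detection team would run: outbound mail-gateway records are matched against document-store download audit records by attachment hash and sender, so that a file downloaded by a user and then sent by the same user to an external address within 24 hours is flagged. The company domain, the log format and the log lines are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

INTERNAL_DOMAINS = {"example.com"}          # hypothetical company domain
CORRELATION_WINDOW = timedelta(hours=24)    # download-to-send window to alert on

# Constructed sample audit lines from a secure document store (not real logs).
DOWNLOAD_LOG = """\
2011-04-06T09:12:03Z user=jsmith action=download file=payroll_q1.xlsx sha256=1f3a
2011-04-06T09:15:44Z user=akhan action=download file=staff_list.csv sha256=77be
"""

# Constructed sample lines from an outbound mail gateway (not real logs).
MAIL_LOG = """\
2011-04-06T09:40:17Z from=jsmith@example.com to=jsmith.home@webmail.example.net attachment=payroll_q1.xlsx sha256=1f3a
2011-04-06T10:02:51Z from=akhan@example.com to=hr@example.com attachment=staff_list.csv sha256=77be
2011-04-06T10:30:00Z from=akhan@example.com to=partner@vendor.example.org attachment=agenda.docx sha256=90cd
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split '<timestamp> key=value ...' into a dict with a UTC datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def parse_log(text: str) -> list:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def find_exfil_candidates(download_text: str, mail_text: str) -> list:
    """Return alerts for attachments leaving the organisation.

    'high'   : the attachment hash matches a file the same user downloaded from
               the secure store within CORRELATION_WINDOW before sending.
    'medium' : an attachment went to an external recipient but does not match
               a recent download (worth a look, not proof of anything).
    Internal-to-internal mail is ignored.
    """
    downloads = parse_log(download_text)
    alerts = []
    for mail in parse_log(mail_text):
        if not is_external(mail["to"]):
            continue
        sender_user = mail["from"].split("@", 1)[0]
        matched = None
        for d in downloads:
            delta = mail["ts"] - d["ts"]
            if (d["sha256"] == mail["sha256"] and d["user"] == sender_user
                    and timedelta(0) <= delta <= CORRELATION_WINDOW):
                matched = d
                break
        alerts.append({
            "severity": "high" if matched else "medium",
            "user": sender_user,
            "to": mail["to"],
            "file": mail["attachment"],
            "downloaded_at": matched["ts"].isoformat() if matched else None,
            "sent_at": mail["ts"].isoformat(),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(DOWNLOAD_LOG, MAIL_LOG):
        print(alert)
```

Matching on the content hash rather than the filename is deliberate: a renamed attachment still matches, while an unrelated file that happens to share a name does not. The medium tier exists so that ordinary business mail to partners is reviewed rather than blocked outright.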
I hope that we are starting to understand that security starts from within organisations, and that we need to teach staff the basic principles of security and to exchange data through secure online document storage systems, whether a hosted service or one you set up yourself. There are many excellent open-source content management systems that are free; you have access to the source code and can control security in line with your company policy.
There are some new products on the market that provide guaranteed non-repudiation whilst at the same time creating a single sign-on environment.
A USB device can now contain a biometric add-on. The user simply has to plug the USB into any computer and swipe their finger.
This will then generate a 256k tunnel to the designated server-side network. This could be a bank, online credit cards or an employee’s HR portal – indeed it could be all of these sites.
The beauty is that the connection is hardware-neutral, doubles the normal encryption rate and automates the set-up of single sign-on. Very cool!
There are many myths about what is secure! When you outsource you need to understand these principles.
By: Karen Paterson
Karen Paterson is CEO of global payroll solution provider Acrede Global Solutions. Described by Real Business Magazine as a "Mover. Shaker. Innovator", Karen began her career in retail banking and then…