The visibility of the government's See (Secure Electronic Environment) project should help private-sector companies become aware of the need for security and particularly public key infrastructure, says Stephen Wilson, security specialist at PricewaterhouseCoopers in Sydney.
The first phase of See, secure email, limited itself to a digital certificate for each agency, pleading difficulties over archiving. But government, Wilson says, will have to bite the bullet on individual certificates for the second phase of the project, currently under way with PWC as prime contractor. Every individual will have a separate set of applications he/she is authorised to use, so individual certification is the only way to go.
The other cornerstone of secure access in New Zealand is Land Information NZ’s Landonline project. “This is probably the major business-to-government project in this part of the world.”
At the same time, the passage of the Electronic Transactions Bill will mean businesses are more confident of venturing into B2B electronic commerce.
But this poses the risk of being left short of expert knowledge, particularly in the key technology of public-key infrastructure (PKI), Wilson says.
There are not a great number of knowledgeable PKI professionals in Australasia, he says. Moreover, the technology and its practitioners are still maturing out of the defence mindset in which PKI was nurtured. Defence is concerned with keeping people out, Wilson says. “Security today is about letting people in – facilitating the entry of authenticated people and their access to the applications and data they are authorised to use in their work.”
This difference in outlook further reduces the number of truly effective people, Wilson says. He might be expected to say that, he concedes, since PWC offers outsourced help in designing and implementing PKI, but impartial evidence backs him up, he says. An IDC report on PKI shows that of the $US100m PKI market in the US, half is spent on managed PKI services, and half goes on products for in-house implementation. Within three years, IDC forecasts, this balance will have changed to 75/25 in favour of outsourcing.
PWC has branded its security and risk-analysis offerings under the name Betrusted, mutual trust among people being the ultimate objective of risk management in electronic communication, Wilson says.
PKI will inevitably be the core authentication and authorisation technology in future security systems, he says.
“The alternatives are to keep all your traffic on a private network, to beef up physical security, or to have paper confirmation of transactions. A number of these techniques will get through, but if you want to go paperless, PKI is the answer.”
New Zealand is up with the play on technology, but behind on the law, he says, with the ETB still going through Parliament. The country cannot be seen as truly in “catch-up” mode, however, with two such major reference sites as Landonline and See.
PWC produced its first separate e-business risk management forecast earlier this month. This 300-page document deals mostly with the business drivers behind authentication, authorisation and non-repudiation (the ability to show an electronic document is genuine and was sent by the person purported to have sent it), and explains the technologies behind these safeguards.
PWC has included discussion of these topics in its massive annual “Technology Forecast” – the latest edition will be published later this month – “but this is the first time we have found risk technologies such a big sector as to demand a separate volume”.
The other side of the security coin is privacy, Wilson says. Here too, the law seems unprepared for the sudden emergence of issues, particularly outside the technical questions of communications security. A few months ago, reservations were raised in Australia over the use of individuals' health information after it was collected through a secure network. Australia's Privacy Commissioner "had to suddenly drop everything to deal with that one matter", Wilson says.
Then there are situations where, for example, an employee has breached security, and his/her identity has not been firmly established. "Say you think it's one of 10 people. In tracing the one guilty party, you have to be very careful about how you might invade the privacy of the other nine."