Will the Web ever be secure?

IBM's software boss Steve Mills explains why the computer industry's pursuit of this enterprise security grail--however noble--is bound to end in disappointment.

If you lived your life according to what you read about crime in the daily papers, you wouldn't get out of bed in the morning. The same is true of much of what we're seeing about Web security.

Web insecurity is news--Web security isn't.

Online commerce is the fastest growing marketplace on earth, but you wouldn't think the Web was so great after reading about Web security. One recent report says credit card fraud is now 12 times higher online than in stores, while another report pegs online fraud at four times the old-fashioned kind. No matter how you slice it, that's fearsome--until you realize that the Web is driving double-digit sales growth, and online fraud still accounts for less than 1.2 cents out of every dollar spent online.

Managing Web security presents a huge challenge, but it's manageable.

All technologies have risks that need to be managed against their business impact. The job of the IT professional is identifying and then minimizing this risk in a way that allows us to introduce new technologies that drive business performance.

Another common error is imagining that security was bulletproof before the Web started to take over. Fifteen years ago, business was conducted largely by phone and physical transaction, and criminals found ways to tap phones, overhear conversations and steal physical data. No IT security system in the world is stronger than its weakest link, which is the human being.

The real issue today is maximizing the effectiveness of Web technology as we reduce risk. This is happening to a greater degree than most people realize. In any Web transaction, business needs to manage several challenges. The enterprise needs to identify who its users are, what they should be allowed to do, and what policies will drive business decisions. These policies, for example, have to define the rights of different types of users--customers, employees, suppliers and business partners.

As we build greater enterprise security, this added protection must integrate easily across the business. For example, as employees enter and leave the business, IT administrators need to be able to update online access rights without also having to recode multiple applications for each employee.

With employee turnover rates approaching 100 percent in some industries, it's so costly and complex to manage security across diverse systems and applications that many employees have access rights to corporate systems they shouldn't have because these rights are outdated. In fact, 20 percent of corporate system accounts belong to employees who haven't worked for the company for five years or longer.

Ease of use, flexibility and economy also need to be built into the way we manage Web commerce risk. Today, the customer is asked to provide several layers of information for authentication: an I.D., password, credit card number, and possibly other identifying information like the customer's date of birth or ZIP code. If this information checks out with the credit card company and the business, the customer is allowed to complete the transaction.

Retailers and credit card companies are working on additional layers of protection to weed out the bad guys, but the limiting factor is ease of use. These protections shouldn't make online shopping so onerous that nobody will want to do it.

Of course, it's possible for criminals to obtain information online, just as they can forge credit cards and obtain credit card numbers to make illegal purchases in stores and through call centers. And you don't have to come up with a valid I.D. or password to make an illegal physical purchase.

The next step in improving online security may be biometrics, which identifies users based on their physical characteristics. We use biometrics to a degree now with digital photos of users on driver's licenses and credit cards. The Internet will allow us to digitize additional physical characteristics--for example, using a finger or palm print or retinal scan.

As we improve biometrics, the test of this technology will be its cost effectiveness, along with how it squares with equally important business imperatives like protecting consumer privacy and trust.

So will Internet security ever be fully guaranteed? Based on where we've been and where we're headed, we have every right to expect the Web to become increasingly secure as security continues to enable, rather than strangle, business performance.