The point is that electronic commerce brings new risks. Like any other risk, they can be managed, but only with due care. Security can be a key cause for concern, and here we will explore the role of an increasingly important component of security policy, digital certificates.
When online, digital certificates say who you are. Certificates are pieces of software, and fairly clever bits of technology at that. More importantly for the user, and in line with security procedures in general, a certain rigour of methodology is required for them to be effective. Their attraction, though, is that rather than merely adding to the corporate security headache, certificates are found by their users to resonate with the online opportunity.
This is some claim. And to be convinced of it requires taking a step back and thinking about the nature of online security in general.
The shape of security
Consider, for example, the trend to outsource non-core business functions. Printing and postage was one thing, but now businesses routinely outsource human resources functions and accounts. Even customer services are no longer considered sacrosanct.
The result is a value chain that is becoming increasingly extended, with relationships across it predominantly managed electronically. In such situations, the damage security breaches might cause is at best embarrassing and potentially devastating.
Companies also operate in an increasingly complex legal environment. Data on employees, partners and customers must be protected not only for commercial reasons, but also to comply with the law. Further, with increasingly sophisticated products being exchanged online, such as financial services, the ability to provide rigorous audit trails is essential.
Part of the effort here is to do with technology, but methodology is possibly even more important, demanding coherent and consistently applied security policies.
Security also takes the shape of intangible threats, notably to brand. Online, the value of the brand is overwhelmingly to do with trust, perhaps even more than visibility. Record labels, for example, have become very sensitive to bogus web sites purporting to distribute their music with diminished quality, for fear that it will erode their reputation.
Security has thus far been managed, to a degree, with a number of technologies and practices. Firewalls and passwords are the obvious examples. It is, however, authentication that has frequently been the missing link to date. It is authentication that digital certificates provide.
Certificated authenticity
Certificates will find diverse and varied application, but the core feature they bring to be exploited is simply put. It is authentication. Whenever users need to know with whom they are dealing online, certificates are the key.
Obvious examples immediately spring to mind. Consider the authentication of web sites - that is, guarantees that the site belongs to whomever it says it belongs to. The point here is that what was true in the geeky early days of the Net, when, as the saying goes, no-one knew you were a dog online, still holds. Then it was part of the fun. Now it is a serious liability.
Consider a parallel from the physical world. Devices from magnetic strip cards to whole ATMs have been forged to fool customer and business alike. If it was worth the forger's while going to those lengths, then, without appropriate security, simply setting up a web site will certainly prove attractive – which is where certificates come in.
It is not only transactional systems that are vulnerable in this way. The stuff of the Internet is information itself, from weather reports to market sensitive data. The latter is an interesting example, since with the explosive growth of online trading, markets have already been adversely affected by false information being erroneously distributed over the Internet.
Some of this has come from bogus web sites. Online traders, for one, need to know where the information they are accessing comes from – that it is from a bona fide, trustworthy web site, in particular. This will be achieved with certificates.
However, the application of certificates suggests more positive uses too, and this is where the opportunity comes in. Consider the tremendous commercial interest in the web for customising services and targeting audiences. Certificates provide very precise information about who it is that is surfing any particular web site.
If it is a regular customer, what they see can be presented on-the-fly for them, whether it be offers that suit their purchasing profile or the presentation of the bill that is overdue. Cross-selling, customised price regimes and regular re-ordering services are all facilitated with a certificate infrastructure.
Certificates will also tackle what is rapidly becoming the online equivalent of the call centre queue, the bane of remembering your latest password. In order to secure against the limitations of current password systems, banks, for example, typically ask customers to change their password once a month. They may also insist that passwords are counter-intuitive, in order to avoid them being guessed, though also making them even more difficult to remember.
Users who forget passwords and then jam helpdesks are already costing companies significant amounts of money too. Certificates will simultaneously overcome these hurdles, reduce costs, and provide far better security.
Why act now?
The astute reader might be saying to themselves, certainly I can see the case for certificates in the future, but, apart from perhaps a few special cases, why spend on certificates now? One immediate answer is that the actual outlay is minimal compared to even the low costs of a typical e-business project. For certain applications, say when an email is proof enough of who you are, certificates can be automated online.
It must also be borne in mind that there are hidden costs in regular management and updating of passwords and PIN numbers. For more demanding uses, such as guarantees that a web site belongs to the brand, managed services, when a trusted third party sets up the initial authentication procedures and distribution of certificates, will prove adequate.
Even in the most complicated situations, such as banks going online and requiring authentication to be built for secure access to many internal systems, the work done here will find replication elsewhere.
The savvy reader might ask whether certificates, being a relatively recent arrival on the security scene, are here to stay. With as much confidence as can be had about any online issue, the answer is yes. The major players certainly believe so, from the big IT companies to the international banking community.
Further, doing it now, even if e-business seems a bit of a sideshow, will reap benefits in the future. Going online is about building credibility with the customer, which is why businesses as diverse as florists and fund managers find value in certificates.
Ultimately, going online is about exploring and developing a new business model. The act of setting up certificates provides a good discipline at the start of this process, notably in demanding that a holistic view be taken. But for the future too, certificates provide part of a firm, customer-focused foundation upon which services can be developed.
The online channel is proving immensely attractive in a wide range of commercial settings. Typically it can undercut costs associated with paper-based distribution services by a factor of one hundred. But as the channel develops, it is becoming clear that the missing piece of the puzzle is authentication. By post, you know who will get it. By telephone, you know who is on the end of the line. By the Internet, it could be anyone out there, but for certificates.
So what are digital certificates?
Digital certificates are one of the methods being used to provide stronger authentication of identity when the only presence of the person seeking access to information is a digital one. Users are issued with a secret cryptographic key by a Certification Authority (CA) within a Public Key Infrastructure (PKI); the CA binds their identity to the certificate and to a ‘public key’ listed in the certificate. The CA also schedules expiry dates for certificates and revokes them when required, publishing the fact of each revocation in a Certificate Revocation List (CRL). A CA can be implemented at enterprise level within an organisation to secure an internal network, intranet, virtual private network (VPN) or extranet, or to secure communications over the Internet. It can issue digital certificates to employees and/or business partners and suppliers, enabling them to secure e-mail, encrypt confidential data and allow managers to set access rights in accordance with an existing, predefined security policy. There are basically four types of digital certificate:
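The issue, expiry and revocation cycle this paragraph describes, as an added example that is not part of the original article: a toy CA binds a name to a public key in a certificate, publishes a CRL, and a relying party checks the chain, the validity dates and the CRL using Ruby's standard openssl library. The CA name, subject names and lifetimes are constructed for the example; unlike the description above, the subject here generates its own key pair and only its public key reaches the CA, which is the usual arrangement.

```ruby
require 'openssl'

# A toy Certification Authority (CA), constructed for this example: it holds the
# root key pair and the self-signed root certificate that relying parties trust.
class CA
  attr_reader :cert
  def initialize(name = 'Example Trust CA')
    @key = OpenSSL::PKey::RSA.new(2048)
    @serial = 0
    @cert = build(name, @key.public_key, 10 * 365 * 86_400, ca: true)
  end

  # Bind `name` to the subject's public key for `lifetime` seconds; the CA never sees the private key.
  def issue(name, public_key, lifetime)
    build(name, public_key, lifetime, issuer: @cert)
  end

  # Publish a signed Certificate Revocation List (CRL) naming the revoked serials.
  def crl(revoked, next_update: Time.now + 86_400)
    list = OpenSSL::X509::CRL.new
    list.issuer = @cert.subject
    list.last_update = Time.now - 60
    list.next_update = next_update
    revoked.each { |c| list.add_revoked(OpenSSL::X509::Revoked.new.tap { |r| r.serial = c.serial; r.time = Time.now }) }
    list.sign(@key, 'SHA256')
  end

  # Build and sign a certificate; with no issuer it becomes the self-signed root.
  def build(name, public_key, lifetime, issuer: nil, ca: false)
    c = OpenSSL::X509::Certificate.new
    c.version = 2 # X.509 v3, required for extensions
    c.serial = (@serial += 1)
    c.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
    c.issuer = issuer ? issuer.subject : c.subject
    c.public_key = public_key
    c.not_before = Time.now - 60
    c.not_after = Time.now + lifetime
    ef = OpenSSL::X509::ExtensionFactory.new(issuer || c, c)
    c.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
    c.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
    c.sign(@key, 'SHA256')
  end
end

# Relying party's check: chain `cert` to the trusted root at time `now` (rejecting expired
# certificates and ones from other issuers), then require a fresh CRL that does not list it.
def check(root, crl, cert, now = Time.now)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  store.time = now
  store.verify(cert) ? :ok : store.error_string
end
```

With V_FLAG_CRL_CHECK set, a missing CRL is itself a verification failure, so a relying party that cannot obtain the CA's current list refuses the certificate rather than silently skipping the revocation check.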
Source: SMT
Postscript
Michele Mooney is head of Trust, BT.