Security in Web-Based Finance
By Veena Gundavelli
As e-business infrastructures extend into finance departments, a new paradigm is emerging: sharing financial information digitally across traditional boundaries. In modern finance, buyers, suppliers, financial institutions, logistics providers, regulatory agencies and other service providers can all be connected in a web-based environment. While e-business offers tremendous competitive advantages with increased process efficiency and decreased costs, there is one question e-commerce proponents must answer: How do you ensure the security of these operations against possible fraud, theft or Internet vandalism?
The Internet as a Strategic Tool for Finance Departments
As companies realize the benefits of e-business infrastructure in almost every aspect of supply-chain management, the adoption of e-business as a strategic tool for finance departments is increasing at a rapid rate. By web-enabling the finance processes in accounts receivable and accounts payable, finance departments can be spread across different geographical locations and divisions and can still manage globally consistent processes for improved cash flow efficiency. Collaboration with internal departments over intranets and with trading partners over extranets is helping finance departments to increase their cash flow efficiency irrespective of their geographic location and disparate operating systems. E-billing, electronic invoice presentment and e-payments represent a growing trend: According to a recent report by the Aberdeen Group, it is estimated that about eight billion B-to-B invoices will go online by 2005 and that about $4 trillion will be paid via electronic billing/invoicing by 2010.
A connected finance world, with seamless integration of A/R-A/P processes and systems across enterprises between buyers, suppliers and trading partners, is the next logical step in supply chain evolution, one that is already being adopted in many quarters. But are these companies putting themselves at risk? (See Figure 1.)
No Longer Just an IT Issue
It is important to understand security implications when you are selecting e-business applications to take your financial process over intranets, extranets and onto the Internet.
In a brick-and-mortar world, companies rely on physical credentials, such as a business license or letter of credit, to prove the identities of employees, customers and partners, and to assure other parties of their ability to consummate a trade. Companies then decide what kind of information and transactions their customers and partners are entitled to access. In the online world, a web-enabled enterprise must be able to reliably identify participants, provide those participants with personalized access to information, authorize their interactions based on solid entitlement data, audit their transactions to ensure non-repudiation and ensure that these interactions can happen globally and around the clock.
The concept of financial data security in particular, and any other form of data security in general, can be broken down into three basic components: authentication, authorization and confidentiality. Authentication limits access to information only to the parties desired. Authorization provides access control so that only desired parties can make changes to information. Confidentiality means that the information exchange is encrypted and only the owners of the information can decipher their information when needed. Encryption is the process of altering data to obscure it from being read by anyone other than the intended parties.
What Level of Security Do You Need?
For many finance departments, the initial attempts to capitalize on the Internet focus on the web enablement of internal finance department processes. This low-level strategy gives immediate benefits to finance departments without any major security infrastructure. Most companies have firewalls that protect internal transactions from any potential security breaches. These processes are managed internally, typically happening over dedicated private intranets (in other words, lines that are not connected to the Internet). Intra-company collaboration for finance departments, who share information with their sales, marketing, customer service and other departments, also happens over private lines. Higher degrees of security can be ensured with additional degrees of authentication, authorization and confidentiality within the enterprise infrastructure.
As the use of the Internet in finance departments grows to higher levels of e-business (see Figure 2), a higher degree of security needs to be implemented.
Making Sure Your Applications Are Secure
One of the most popular methods of authentication for internal users is a Domain Name Service (DNS). A DNS stores a list of all valid users on a server. Unidentified users are not authorized to enter the application. Applications should also have an additional layer of authentication for valid internal users to gain access to information. This can be done by the application managing the identity of the valid users through login names and passwords.
Access control on the modification of information is normally dealt with at the application level. One must ensure that the applications have role-based security built in. For example, with role-based security, no one other than A/R managers could set and modify goals for collectors in an accounts receivable program.
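The two application-level layers described above, a login name and password check on top of the network-level authentication, and role-based security that lets only A/R managers set collector goals, can be illustrated together in a small script. The following is an added example written for this article, not code from Emagia or from any product the article mentions; the role names, the "set_collector_goals" permission, the user records and the audit trail format are all constructed for the illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed role-to-permission table (an assumption for this example).
# Only the A/R manager role may set goals for collectors.
ROLE_PERMISSIONS = {
    "ar_manager": {"view_invoices", "set_collector_goals"},
    "collector": {"view_invoices"},
}

PBKDF2_ITERATIONS = 200_000  # work factor for password hashing


@dataclass
class User:
    login: str
    role: str
    salt: bytes
    password_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the application never stores the clear password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_user(login: str, role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(login, role, salt, hash_password(password, salt))


class ArApplication:
    """Toy accounts-receivable application with authentication, RBAC and an audit log."""

    def __init__(self, users):
        self._users = {u.login: u for u in users}
        self._goals = {}
        self.audit_log = []  # (action, login, outcome) tuples for non-repudiation

    def authenticate(self, login: str, password: str):
        user = self._users.get(login)
        if user is None:
            # Hash anyway so response time does not reveal whether the login exists.
            hash_password(password, b"\x00" * 16)
            self._audit("login", login, "denied")
            return None
        candidate = hash_password(password, user.salt)
        if not hmac.compare_digest(candidate, user.password_hash):
            self._audit("login", login, "denied")
            return None
        self._audit("login", login, "ok")
        return user

    def _authorize(self, user: User, permission: str) -> bool:
        return permission in ROLE_PERMISSIONS.get(user.role, set())

    def set_collector_goal(self, user: User, collector: str, amount: int) -> int:
        """Role-based check: anyone who is not an A/R manager is refused and the refusal is logged."""
        if not self._authorize(user, "set_collector_goals"):
            self._audit("set_collector_goals", user.login, f"denied:{collector}")
            raise PermissionError(f"{user.login} ({user.role}) may not set collector goals")
        self._goals[collector] = amount
        self._audit("set_collector_goals", user.login, f"ok:{collector}={amount}")
        return amount

    def goal_for(self, collector: str):
        return self._goals.get(collector)

    def _audit(self, action: str, login: str, outcome: str) -> None:
        self.audit_log.append((action, login, outcome))


if __name__ == "__main__":
    # Constructed users for the demonstration.
    app = ArApplication([
        make_user("alice", "ar_manager", "correct horse battery staple"),
        make_user("bob", "collector", "collector-pass"),
    ])
    alice = app.authenticate("alice", "correct horse battery staple")
    bob = app.authenticate("bob", "collector-pass")
    app.set_collector_goal(alice, "bob", 50_000)
    try:
        app.set_collector_goal(bob, "bob", 1)
    except PermissionError as exc:
        print("refused:", exc)
    for entry in app.audit_log:
        print(entry)
```

The authentication step compares hashes with a constant-time comparison and hashes even for unknown logins, so the check does not leak which user names exist; the authorization step consults the role table rather than trusting anything the caller supplies, and both outcomes land in the audit log so a later dispute over who changed a goal can be settled from the record.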
Furthermore, as applications are used over the web, ensuring the privacy of transactions is a must. Microsoft and Netscape web browsers and web servers today come with SSL (Secure Sockets Layer) security technologies that have built-in encryption. Encryption protects the data flowing from your browser to other systems from being decipherable to hackers.
It is important that your applications support these leading security technologies to take advantage of the already available features within your web infrastructure. Applications that do not have secure e-business architecture and that are not built for supporting or leveraging network security are serious security risks.
Leave No Backdoors to Your Enterprise
All sorts of businesses and organizations rely on web sites, intranets and extranets to provide access to confidential information and to enable e-commerce. Because much of the information transmitted across the Internet, such as payment data, credit card data or financial information, is private, it is vital to ensure customer and employee confidence and safeguard sensitive information from intrusion online.
Be certain that the servers transmitting and accepting sensitive information with external users (customers, suppliers, trading partners) are outside the firewall in most cases. If it is unavoidable, make sure that the firewall is configured with very strict port access rules. These servers should be security-enabled and perform authentication, control access and encrypt transactions for confidentiality. This is typically done by assigning SSL server IDs. This ensures that visitors submit their authentication information and are validated for any further online transactions. Once the visitor is validated, all the information they receive or send, such as invoices, payment information, etc., is encrypted. SSL IDs also ensure validation with other internal servers through server-to-server authentication.
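The SSL server IDs and server-to-server authentication described above come down to how each end of the connection is configured: the client must insist on a certificate from a trusted authority whose name matches the server, and a server that talks to other internal servers must demand a certificate from them in turn. The following added example, written for this article and not taken from any product it mentions, builds those two configurations with Python's standard ssl module and, for contrast, the weak client setting that silently accepts any server. The certificate and CA file paths are parameters the caller supplies; nothing here connects to a network.

```python
import ssl


def client_context(ca_bundle=None):
    """Client side: verify the server certificate against a trusted CA and check the host name.

    ca_bundle is an assumed path to the PEM bundle of CAs you trust; None uses the
    platform's default trust store.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3/TLS 1.0/1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # server must present a valid chain
    ctx.check_hostname = True                      # and its name must match the host
    return ctx


def server_context(cert_file=None, key_file=None, client_ca=None):
    """Server side for server-to-server links: present our own ID and require the peer's.

    cert_file/key_file are assumed paths to this server's certificate and private key;
    client_ca is the assumed CA bundle that issued the internal servers' certificates.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=client_ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # default for CLIENT_AUTH is CERT_NONE; tighten it
    if cert_file is not None:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def weak_client_context():
    """The setting to avoid: encryption without authentication.

    Traffic is still encrypted, but any party on the path can present its own
    certificate and be accepted, so the 'SSL server ID' guarantees nothing.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses peers that lack a certificate from a trusted CA."""
    return ctx.verify_mode == ssl.CERT_REQUIRED


def checks_hostname(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname)


def modern_tls_only(ctx: ssl.SSLContext) -> bool:
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for name, ctx in (("client", client_context()),
                      ("server", server_context()),
                      ("weak client", weak_client_context())):
        print(f"{name}: verifies peer={verifies_peer(ctx)}, "
              f"checks hostname={checks_hostname(ctx)}, "
              f"TLS>=1.2={modern_tls_only(ctx)}")
```

A context from client_context is what you wrap outgoing sockets with when submitting invoices or payment data; a context from server_context, loaded with the server's own certificate, is what the receiving server wraps its listening socket with. The three predicate functions are the checks worth running in a deployment test so that a later configuration change cannot quietly reintroduce the weak_client_context behaviour.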
It is important that your e-business vendors understand the security implications and take responsibility in overall security planning. This is critical for all customer-facing applications, such as customer financial services, e-billing, e-invoicing and e-payments.
Authenticate All of Your Users
Enterprises can determine a user's eligibility to engage in transactions within extranets or exchanges. For companies using Level 3 and Level 4 e-business infrastructures for finance departments, the security risks are higher and have to be managed with more sophisticated security mechanisms than firewalls and anti-virus protection. The risks typically revolve around confirming that the identity of each individual or business entity user is valid and determining the level of application access and transaction level authorization for each user.
In simple terms, this can be thought of as being like international travel. Traveling from country to country requires a passport, which is accepted to authenticate the identity and the citizenship of the bearer because it was attested to by a trusted third party. If the bearer of the passport wants to enter a specific country, that country would typically need to issue the traveler a visa. The issued visa gives the traveler authorization to travel within a specific country.
Digital certificates are the most popular identity tokens used in business-to-business transactions and deliver the most secure type of signature. Digital certificates are created by a third-party certification authority such as Verisign and permit electronic relationships inside and outside an organization with consumers, suppliers and business partners. Information Systems (IS) decision makers charged with integrating Internet-enabled linkages with customers, partners and suppliers are selecting digital certificates as a core component for conducting business transactions over the Net. Third-party certification management helps companies leverage the complex and expensive back-end processing systems of the third-party certification company while gaining instant security infrastructure for conducting e-business.
New standards of document sharing, such as XML, are capable of assigning digital certificate authentication to full documents or portions of documents as needed. This allows multiple levels of security at the document and application sharing levels.
It is important when selecting or developing your e-business applications to ensure high standards of security identification from all the potential users of your system, both internal and external to your enterprise.
Security is a journey, not a destination. New security "holes" are found in software components all the time, new viruses appear daily and complacent companies are a hacker's dream.
The biggest security problem is not taking a proactive approach! E-business process owners must stay knowledgeable on security aspects and demand technologies that can offer a strong security foundation. What do you do to constantly stay in front of the newest vulnerability or latest hacker exploit? Select the right technologies and vendors for your e-business infrastructure that include adequate security blankets, constantly stay on top of the vulnerabilities in your information systems, and deliver solutions before someone else makes it a problem for you. So, the biggest security problems deal with how you handle security itself.
Veena Gundavelli is president and CEO of Emagia Corporation, which makes software to manage the accounts receivables and payables processes. Emagia can be reached at 866-EMAGIA-1 or on the web at www.emagia.com.