Memorandum by Check Point Software Technologies Ltd
INTRODUCTION
Check Point welcome the opportunity to submit evidence
to the House of Lords inquiry into e-Commerce and believe that
this could not come at a more appropriate time. Internet security
in Europe is provided by a number of fragmented vendors in their
local markets. To achieve a consistent solution to Internet security
Check Point recommend a pan-European common technical standard
to meet the demands from the growing number of industries that
operate on a pan-European basis. European Union plans to scrap
restrictions on the export of encryption technologies amongst
its Member States and to other countries may well result in this
development.
Who are Check Point?
Check Point provides software products for securing
the Internet, leading the world market for firewalls or network
gatekeepers with a 32 per cent market share. The company currently
trades on NASDAQ at a market capitalisation of around $14 billion.
Check Point is at present one of the most profitable Internet
companies in the world with a net income in 1999 of $95.7 million
from revenues of $219 million. After the recent hacker attacks
on a variety of Internet sites Check Point responded by unveiling
a defence system against these denial-of-service attacks. In March
this system won the support of leading ISP providers including
BT's Concert and GTE Internetworking of the US.
We believe that as companies increasingly move
towards conducting their business online they should feel as comfortable
conducting this virtual business as they do in a bricks and mortar
environment. Our aim is to assist them in doing this and we believe
that the key will be the ability to manage trust in the online environment.
What needs to be done to create confidence and
to stimulate e-commerce?
One of the key challenges facing the EU if it
is to compete globally as a region is to build confidence in the
Internet by setting a pan-European standard for Internet security.
According to a recent DTI report 60 per cent of UK companies connected
to the Internet have suffered a security breach within the past
two years. This is likely to continue as more and more European
businesses put their key functions online. Check Point believe
that the EU should lead a consumer education programme on the
importance of Internet security given that an Internet connection
opens up corporate networks to the world.
What can Government do about it?
Regulation flies in the face of the approach
that industry has been championing. But organisations report that
a security breach can cost between £20k and sometimes in
excess of £100k. It is not a matter that can be dismissed
out of hand. Given that secure systems will stimulate growth whereas
high profile failures will damage confidence in the new economy,
Government needs to encourage businesses to have the appropriate
systems in place and to make sure that industry abides by interoperability
standards. For large corporates and SMEs to conduct their business
on the Internet and have peace of mind it is essential that their
security policies meet the following basic minimum requirements.
These requirements should form the basis of a "vanilla"
pan-European standard in Internet security.
Data protection
Any e-commerce business or any other data communication
across a public network such as the Internet needs to ensure adequate
data protection to prevent the data being intercepted and read.
The data itself may have a high asset value and/or reveal private
or price sensitive company information.
Protection can be achieved by the use of encryption.
The strength of encryption however needs to be such that the:
cost required to break it is greater
than the value of the encrypted data; and
time required to break it is longer
than the time the encrypted data must remain secret.
Access control
Access control is required to ensure that only
those expressly permitted to gain access to or through an organisation's
perimeter defence to an application server are granted it; all others
"must" be denied.
When providing remote access, there must also
be sufficient and robust auditing and logging procedures in place
to provide evidence as to which users have gained
or attempted to gain access, and when and where they did so.
Authentication
Even though a remote user has gained access
to an application this does not necessarily ensure the person
is who they say they are. This can only be done with any degree
of assurance by providing authentication. By implementing a PKI
(Public Key Infrastructure) whereby digital certificates are used,
it is possible not only to authenticate a user but also to ensure
non-repudiation: the document is signed using a digital certificate and,
if it is modified, the signature will be invalid. (PKI is a system of
digital signatures that allows
e-mail and Internet users to verify their identity, communicate
securely and carry out transactions through the use of encryption
keys. These digital signatures are created using highly complex
encryption algorithms.)
The solution is in technology
For these technical issues to be provided in
a consistent manner a pan-European standard for security must
be created, rolled-out and abided by. This would allow users of
e-business applications to have a degree of assurance and confidence
that a minimum level of security and protection has been implemented.
Whilst Check Point acknowledge that there has been some
progress in this area with the TrustUK hallmark and more recently
an initiative with the Post Office and the Chamber of Commerce,
our concern is that these initiatives are fragmented and there
is a low awareness among consumers.
Check Point believe that the following two things
could make a real difference and ask this inquiry to give them
their consideration.
1. Pan-European Standard in Internet Security
The EU should take the lead in establishing
an international standard in security which takes account of the
three key factors listed above (Data protection, Access control,
Authentication). This should be given the same accreditation weighting
as other international standards eg ISO9000.
2. An Internet Security Education programme
An International Standard will not achieve its
desired goal without a suitable education programme which explains
its purpose and benefits. The European Union should take the lead
in this regard through its national assemblies.
Small and Medium-Sized Enterprises
With regard to the inquiry's interest in SMEs,
the reality is that securing an Internet connection will often
come down to a question of cost. We believe that it is imperative
that Internet security is made not only understandable but also
affordable. The perception currently is that proper security is
the last thing an SME's IT budget will get spent on. Currently
only the "blue chips" give security the priority it
deserves (and by no means all of them); this undoubtedly provides
them with a significant competitive advantage.
Companies like Check Point need to start to
produce security products that have the clear aim of providing
SMEs with quality security at a price that is not prohibitive.
Not only will this have the added benefit of facilitating the
economic development of a key business sector but will also go
some way towards our wider aim of helping to solve the problem
of managing trust in the online environment. National treasuries
may like to consider tax breaks for SMEs of a certain size who
secure their networks effectively.
Conclusion
Effective security measures are the essential
element for enduring and sustainable confidence in the new economy.
When the business community gets security right they will begin
to reap the considerable commercial benefits the Internet has
to offer. The biggest challenge is educating the business audience
into placing the appropriate value on Internet security and then
encouraging them to make appropriate decisions about which systems
suit them best. Small and medium-sized enterprises are particularly
vulnerable to this, as they do not necessarily have the in-house
expertise to evaluate their own security systems. In our experience
it is also unlikely that they will have bought them in the first
place which exposes them to reputational and commercial danger.
12 June 2000