Insight: e-business security - Hack Attack.

Any one unauthorised individual attempting to gain access to the heart of the new beTRUSTed offices had better forget it. The technology behind the security in its building makes Fort Knox look like a public library.

The office headquarters, officially known as a high-security data centre, flatters to deceive. On the outside it is a non-descript building on a business park in Feltham, lying on the doorstep of the world’s busiest airport, Heathrow.

Take a step inside, and the entity suddenly transforms itself into what could be described as a set from a science fiction movie.

However, this building is no fake, it is the real thing. Star Trek fans would love the interior of this building as the futuristic security equipment, which has been painstakingly constructed over the last 12 months, comes to light.

The ‘replicated ultra-secure centre’ is essentially split into two halves.

One is open to the majority of staff, while the other is only accessible to a handful of senior employees such as members of the operations team – and certainly not to nosey journalists.

The two halves are then split further into pods labelled ‘areas’. Amazingly some of these are insulated with copper between the floors, while area three is essentially a room completely insulated outside by a copper box.

The metal protects the datacentre from unwanted radiation, which may interfere with customer information stored within.

When the company – which thinks of itself as an e-commerce security integrator for the Global 200 organisations – moved into the building last May, it had to gain permission from the business park owners, before completely gutting the premises in a bid to tailor the building for its needs.

Normally data storage buildings are situated in bunkers in the ground to protect them from magnetic forces. But to create the same insurance in this building, all the doors are sealed with compressed air, every window in the building is made from Tempus screened glass. Added to that, all of the windows are protected by a mesh screening, which consists of the same insulating properties as copper.

Big Brother is certainly present, as cameras are located in all parts of the building. To ensure only the correct members of staff are allowed into the correct areas, such as the data storage centre itself, hand biometric readers are fitted by specific doors.

To enter through these doors staff must punch a code into a computer on the wall before placing their hand on a reading machine, to see if their prints match up with those on file. If not, they won’t get in.

As if that wasn’t enough, it has been calculated it would take the equivalent of several thousands of pounds of pressure to force open the doors. Staff need a pass to enter areas, while weight sensors can tell whether the person entering is legitimate.

The operation is never closed, and staff work one of three eight-hour shifts a day. BeTRUSTED provides a 24-hour helpdesk and follows the same protocols established for military and diplomatic operations.

There are also a raft of fail safes in place. These include file protectors and fire-proof rooms. There is also enough electricity in company generators to maintain normal service for four hours in the event of power failures.

Water-cooled humidifiers are also installed around the building to absorb the heat from the mainframes. The premises are patrolled by full-time security staff.

The UK building – which has enough space to hold 50 million digital signatures – was based on a sister office situated in Columbia, Maryland in the US, while the company headquarters is situated in Sydney, Australia.

But despite the distraction of the undeniably impressive hi-tech surrounds, there is some serious business going on inside the building.

PwC – the only Big Five firm with an operation of this magnitude – will have spent $100m on the beTRUSTed facility by the end of this financial year, but the longer-term aim is for this e-security arm to begin paying for itself. The reason for the hi-tech surroundings is simple. If anyone gains access to customer information stored on files, the operation becomes benign. What the company has been created to do is store customer information, which will allow businesses to conduct confidential transactions safely.

BeTRUSTed joint CEO John Bromfield, said: ‘We have 140 people working in the building while another 1,000 consultants work in the main practice with an additional 2,500 integration consultants. The world is going e, but in order for e to work, there needs to be trust. That can only come from secure transactions. We believe the PwC partnership is perfect because accountants have traditionally been in the trust business.’

One of the attractions for the subsidiary is PKI protocol which is stored in the centre and allows it to provide legally verifiable digital signatures.

This means complete certainty for an individual’s transaction. Organisations can overcome e-commerce security challenges such as authentication, data integrity and privacy. There is a hot debate emerging as to whether digital certificates are a more efficient way of identifying users online than passwords.

Public key technology and digital certificates are more expensive than traditional password systems. Most e-businesses have been authenticated by user name or account number and a secret password.

For the purposes of establishing confidential communications over the internet, with reasonable identification of an account holder, passwords have been adopted for internet banking and retail e-commerce. However Katherine D’Urso, beTRUSTed chief marketing officer, questions whether passwords are secure enough for high value B2B transactions. She says: ‘A shortcoming of the passwords is that they only authenticate the beginning of a session on the web and not the individual messages sent on the session.’

She adds: ‘Basically passwords do not provide any signature on the transactions themselves. After the fact, the true origin of any message has to be inferred from computer audit logs, usually with no guarantee of their integrity or even continuity. The complexity of all this circumstantial evidence undermines the legal clarity of the business transaction.’

Digital certificates are not a ‘one size fits all’ solution, but there does appear to be a global move away from passwords towards certificates in high-risk e-businesss such as online healthcare and corporate banking.

Risk managers and internal auditors value digital certificates for precise document authentication, with greater legal certainty and lower cost of disputes. Another aspect of the company is beTRUSTed third party services – a flexible, technology neutral service, which allows customers to choose ‘best-of-breed’ products from soft and hardware providers that build individual e-security needs.

As the needs of the company evolve, beTRUSTed solutions may preserve technology choices into the future, ensuring customers stay abreast of developments and innovations, without costly hardware and software investments.

The operation is a mark of how far accountancy firms are willing to go to increase customer services.

Bromfield, adds: ‘Everything we have done has been taken to the highest standard. We have split up the only software in the world that can break our codes. To counter this we visited a Swiss nuclear bunker buried beneath a mountain and split up the formula.

‘Some pieces were left in the bunker, guarded by the Swiss military, while others were deposited in safety boxes in banks around the world. This is international control gone to the highest level. In fact it has gone mad.’

For more on the e-security business go to www.betrusted.com

KEY TO SECURE BUSINESS

The biggest barrier to internet transactions and e-business in general has traditionally been lack of trust – the fact companies and individuals could not be certain who was on the other end of their transactions.

This has inspired the launch of beTRUSTed to protect customers’ B2B worries.

BeTRUSTed uses what is known as PKI (public key infrastructure) expertise and certification authority services. PKI describes the management process of technologies, standards and controls needed to manage certification.

The company also offers consulting and integration services through the Big Five firm. Each person using PKI has a public key and a private key.

The public one is available to other parties, but the private key is never shared. It remains with its owner in the form of an electronic device stored on a computer, mobile phone or as a smartcard. A password or PIN number is used to ensure someone who picks up a misplaced smartcard or device cannot make a transaction in the sender’s name. The development aims to enable organisations to be certain whenever they need to conduct sensitive transactions in a networked environment.

Whenever a transaction occurs the sender digitally signs the message with their private key. The receiver can then unlock the signature with the sender’s public key. Meanwhile, digital certificates contain a personal mathematical code used with software such as email or special purpose business packages.

The key allows the user to create a one-off digital signature for any document, message or transaction. They authenticate the person as a trusted and real world identity and the transaction can then be completed. The benefits of using digital signatures and PKI include the fact that all businesses can increase and speed up transactions and services they are able to offer over the web.