The Uses of Basic Cryptography in My Organization - Essay Example

summarize the uses of basic cryptography in your organization. You will want to find out such things as whether you use checksums, disk encryption, VPNs (virtual private networks), link encryption and SSL for your Web site. Find out who's responsible for these tools Information and Computer Technology has facilitated countless aspects of the business process and has automated numerous work tasks. Its adoption by organisations and its subsequent integration into the business process have proven invaluable. At the same time, however, it has led to countless security issues and, as a rule of thumb, has imposed the imperatives of adopting cryptographic techniques and technologies by organisations who engage in any form of online commerce or which have an online presence. My organisation is not an exception to this rule and conversations with the IT department head affirmed the use of cryptographic technologies, even as it established that they were hardly a foolproof defence against unauthorised access. Cryptography is used for the protection of all data stored on the organisation's networks and servers. As explained by Juels (2003) cryptography involves the encryption of data or their rendition into secret, indecipherable code, for the explicit prevention of their interpretation and use if they are accessed without the proper authorization. Not only is it integral for the protection of company-related data but, within the context of e-business and e-commerce, imperative for the concealment of information relating to customer payment transactions and credit card details. The purpose of encryption, as defined in the preceding paragraph, is the protection of data as it is transmitted across networks. As Oliva et al. (2004) explain, when data is being transmitted across networks, it runs the risk of being intercepted or captured by a third party. If it is encrypted, however, not only is the risk of interception substantially reduced but, more importantly, if intercepted, the deciphering of the data in question is extremely difficult. In other words, if data transmitted over networks is intercepted, the fact that it is encrypted protects it both against tampering and modification, and its subsequent exploitation by the interceptor. Accordingly, and as Matsuura (2006) confirms, the imperatives of exploiting data encryption techniques are inarguable and that any organisation which fails to do so is, to all intents and purposes, acting both irresponsibly and carelessly. The IT department director confirmed the use of data encryption technologies. As he noted, whether as regards data stored on the organisation's networks or those transmitted across networks, all are encrypted. The decryption of data was initially enabled through passwords but, a number of incidents proved this an unreliable decryption method. As the IT director noted, while many security systems are designed in such a way that the entire security of the website depends upon secret passwords, the fact is that the password system is riddled with shortcomings. The first deficiency the password system has is that it requires precise recollection of secret information. If the user makes the smallest of errors when entering that secret information, authentication fails. Unfortunately, however, precise recall is not a strong human characteristic and this fact immediately conflicts with the requirements of password-secured systems. As a means of bypassing this limitation, people tend to pick and use very simple passwords which can easily be broken by password cracker programmes. Even when people bear in mind the dangers that such programs pose to the security of their passwords, they make the popular mistake of writing their passwords down and hiding them in an easily locatable place by their computer. Those sites which force users to periodically change their passwords for added security have not succeeded in resolving these problems but, rather, increased the need of people to write down their passwords. Additionally, as the number of password protected sites expands, a single user may be a member of several sites that require username and password authentication. As a means of coping with the requirement to memorize even more passwords and usernames, a user may devise similar, or identical usernames and passwords for all those sites, comprising the security of several at the same time. Yet another shortcoming of passwords is that users do sometimes voluntarily share their passwords with others, or innocently give them out to an unauthorized person, thus compromising the security upon which the system depends. Passwords may also be compromised by the fact that some companies can be derelict in cancelling those assigned to former employees. Upon its confrontation with precisely such an incident, the IT director informed me that the company cancelled the password system and installed thumbprint systems instead. This was facilitated by the fact that only four top-level company executives had access to the password/system in question. In direct relation to the encryption systems used for online payments via the company's e-business website, the IT director informed me that the company had earlier used the SET method but had now abandoned it entirely in favour of the SSL system. As Keenan (2000) explains, Secure Socket Layer (SSL) is a protocol that Netscape created. In brief, it enables the establishment of a secure connection between web servers and web clients. Generally speaking, SSL employs the public key cryptology system as a means of ensuring data security during a transmission process. In addition, within the context of the SSL session, both client and server create a unique session key which will be used for the encryption of sensitive data during SSL data exchange process. In comparison, Secure Electronic Transaction (SET) refers to a credit card payment system developed by Visa and MasterCard as a means of ensuring security of data during online payment/financial transactions. Similar to SSL, it is primarily dependant on cryptology technique with the primary difference here being the use of the e-wallet in which are stored credit card numbers and digital certificate. Considering Keenan's (2000) defence of both as secure systems, I did not understand why the company abandoned the one in favour of the other and, indeed, the IT director did not seem to have an answer. According to the IT director, apart from standard message origin authentication systems, provided by the company's email system manager and provider, this was the extent of the encryption techniques employed by the company. When asked if he believed them sufficient, the IT director said that they were not but that more advanced and thorough encryption methods were currently being reviewed for possible implementation. References Kienan, B. (2000) Small Business Solutions for E-Commerce. Nevada: Microsoft Publishing. Matsuura, J.H. (2006) Security, Rights and Liabilities in E-Commerce. New York: Artech House. Olvia, L. (2004) E-Commerce Solutions: Advice from the Experts. New York: Cybertech Publishing. Read More