Technology enables. Business process delivers the security outcomes.
It's late on a Friday afternoon. It's been a bad week. The phone rings. "I need you to do something for me now," says the voice at the end of the phone. "Something" is going to take until after 6pm, and you want to go home.
"You have got to be joking," you answer.
"Do you know who you are talking to?" says the voice.
"No," you say.
"I'm the CEO," is the indignant reply.
"Do you know who you are talking to?" you ask.
"No," says the CEO. "Thank goodness," you say, hanging up and getting out of there as quickly as possible.
What is wrong with this picture? There is a lack of communication and trust. If you had known it was the CEO in the first place, the conversation may have gone a lot differently. Our business systems today, particularly in government and in larger businesses, often will indicate who is at the other end of the phone (through caller line identification systems). But what if it was not really the CEO at the end of the line, simply someone using the CEO's phone and providing incorrect information?
The risk of not knowing who is at the other end of the line, or not knowing if a message is genuine, increases as more and more information is shared and business is transacted online. The more important the data being exchanged online, the more critical it is to know who is sending and receiving it, and that it has not been tampered with in the process.
The Commonwealth government has recognised this, and has given authentication and security a high priority. The levels of authentication and security will vary with the nature of the data. Authentication can be as simple as a password. Or as sophisticated as public key infrastructure (PKI), the highest level of "non-intrusive" authentication.
The Australian government has been a leader in the development of PKI. It has developed the "Gatekeeper strategy" to encourage confidence in the online economy and to ensure trust between transacting parties. It has also developed a digital certificate specification for business-to-government transactions called the ABN-DSC (Australian Business Number - Digital Signature Certificate). The innovation here is that a single certificate can be used to deal with any government agency. The alternative is to have a different certificate for dealing with different departments and agencies. This latter approach is likely to create complexity and confusion for Australian business, particularly small businesses.
Recently, the FedLink system was released to provide agencies with data security to "protected" level. There is a great deal of work in progress to provide higher levels of security for electronic data transfer.
Importantly, these developments have created a significant amount of learning. While the technical learning has been important, the critical element has been the importance of effective business processes - the technology is a tool to improve trust and security but the point of failure still lies largely in personal and management systems. Giving away your password, handing over a smartcard or simply allowing someone to impersonate you to collect a classified document will undermine technological safeguards.
Put simply: technology enables; business process delivers the security outcomes.
John Rimmer is CEO of the National Office for the Information Economy, a federal government agency. More information on the issues in this article can be found at: www.noie.gov.au.