Just 12 months ago, “dot.coms” were the coolest thing on the block. Now that many of the former investor darlings have “dot.bombed”, attention has switched to the more traditional market players who are embracing the new economy as a necessary ingredient for future success. None more so than the utilities sector, where there are clear signs that e-business initiatives are seeking to unlock value and build real business credibility.
In the utilities sector, the potential for e-business is unparalleled, given the significant changes resulting from liberalization. At a time when regulatory pressures and the dynamics of openly competitive markets are squeezing utility margins, e-business offers companies genuine opportunities to streamline processes, cut costs and grow customer revenue streams. We need only look at the e-market initiatives in Europe – the ScottishPower/Endesa led project and the Achilles consortium – to see examples of how real investments are being made to turn these opportunities into tangible cash benefits.
Concept alone is not enough
Getting real about e-business means making e-business work for your organization, your suppliers and your customers. Misjudging e-business strategy could leave existing players little better off than the flawed dot.coms. Building rigour and trust into e-business processes is vital to using e-business successfully.
Simply embracing e-business will not guarantee future success. High profile publicity of e-business problems has demonstrated that concept alone is not enough. In a recent report by PricewaterhouseCoopers, gas, electricity and water companies put security and data confidentiality at the top of a list of barriers affecting the development of e-business. The concerns are not exclusive to this sector. In other sectors, secure systems were identified as the most significant obstacle to dealing with new suppliers online, according to a recent PricewaterhouseCoopers survey of 415 companies across Europe.
These concerns are significant among all companies – those with and without experience. Security and data confidentiality are fundamental to building e-business transactions that are deemed trustworthy by trading partners. This trust is an essential lubricant of e-business.
Fact or fiction?
Figure 1. Digital signatures provide message integrity
How much of this is based on real concerns and how much is paranoia, fuelled by e-business cynics? Undoubtedly there has been some over-exposure of issues in the public arena, but we must also put this in the context of a very different business environment which is emerging as the e-revolution gathers pace. The basic elements of doing business – the things that we took for granted in our regular business dealings – have been pulled from under our feet in the “new economy”.
For example, we used to know who we were dealing with when negotiating a new contract. We would speak on the phone, meet, and have the time to check that they were who they said they were. For established customers and suppliers, we would have few concerns that someone else was pretending to be them, or deliberately intercepting confidential information. We did not have to worry about the details of orders being changed while they were in the post. We felt confident that contracts and orders could not be repudiated as they carried the signature of the authorized signatory.
Many of the certainties and the ways in which we built trust into our commercial operations seem to be disappearing. In an e-business transaction the personal contact will be absent; everything will be done in real time at the click of a mouse using a desktop PC or WAP phone and an Internet connection. We may not be building long-term business relationships in the same way any more. Our business encounters may be fleeting one-off transactions in dynamic ever-changing e-marketplaces, where we do not have such a long period of time to instil trust as we used to.
Figure 2. Encryption of data makes it confidential, but provides little comfort over authentication and integrity
So we have to find new ways of building trust in the new economy. After all, in the B2B arena alone, there is a lot at stake. Some estimates state that savings of as much as 10-15 per cent can be derived from e-procurement in a total estimated global market of $2.3 trillion/annum. This means that the process of getting the basics in place is essential if organizations are to successfully share in this prize.
In the new economy, being able to demonstrate to customers and partners that you have rigorously tackled security, privacy and resilience issues for e-tailing and e-procurement is vital.
Looking to technology
Inevitably the search for trust is driving us towards technological solutions. Organizations have traditionally relied on user identifications and passwords to give them security. But these are only the key to the front door – the key which gives users access to the application. They do not guarantee the security of the transaction itself: once a user is logged in, a password says nothing about whether a particular order was altered in transit, or about who actually submitted it. Encryption of transaction data is also thought to be a remedy, but that too does not fulfil all the requirements for trust. It may make the data confidential, but it provides little, if any, comfort over authentication, integrity and non-repudiation (Figure 2).
Public key infrastructure
Many leading organizations are implementing security solutions based on public key infrastructure technology, as it is widely recognized as the most cost effective and comprehensive way in which to satisfy all the essential security requirements of e-business. Public key infrastructure is a proven technology that can provide a digital identity, in the form of a digital certificate, for all the parties involved in e-business.
Figure 3. Public key infrastructure architecture
In a public key infrastructure, entities are equipped to communicate securely with each other. An entity could be a specific person, an organization, or a computer system such as a Web server application or a firewall. Each entity will have a cryptographic key ‘pair’. Each key pair comprises a ‘public’ and a ‘secret’ (or private) key, either of which may be used to encrypt (scramble) data, the object being to protect the data by restricting access to authorized entities. A fundamental feature of public key cryptography, as realized in the RSA algorithm, is that data encrypted with the public key can be decrypted only with the secret key and vice versa (not every public key algorithm offers both directions, but the trust properties described below rest on this one).
As an example, let’s say that ‘Alice’ and ‘Bob’ wish to communicate securely. Their public keys will be held in a publicly accessible public key ‘directory’. They will keep their secret keys themselves and no one else will have access to them. When Alice wants to send encrypted data to Bob, she encrypts the data with Bob’s public key. Only Bob’s secret key can then decrypt the data, so only Bob can read it. To ‘sign’ a message (i.e. to apply a digital signature), Alice performs the reverse operation with her own secret key; in practice this is applied to a short digest (hash) of the message rather than to the whole message, and the recipient recomputes the digest for comparison. Anyone receiving the message can check Alice’s digital signature by reversing it with Alice’s public key and comparing the result with the digest of the message received. If the two match, the message was signed by the holder of Alice’s secret key and has not been altered since it was signed (Figure 1). Bob therefore knows where the message came from, and Alice should not be able to deny that she sent it, provided that her secret key really has remained secret.
In a public key infrastructure, the public keys are held in a public key directory, in theory at least, to be easily available to anyone. This ease of access brings with it a serious problem: the directory is only as trustworthy as the process that puts keys into it. A person intent on committing a fraud could replace Bob’s public key with his own. So, when Alice used what she thought was Bob’s key to encrypt a message to him, she would unknowingly be using the fraudulent key, and the fraudster could intercept the data. The fraudster would decrypt Alice’s message with his own secret key, read it (and, if he chose, alter the order it contains), re-encrypt it using Bob’s real public key and send it on to Bob. Alice and Bob would be unaware that the message had been read, or changed, by an unauthorized third party. The same substitution would let the fraudster sign messages that Alice would accept as Bob’s, so confidentiality, integrity and authentication all depend on Alice obtaining the genuine key.
In a public key infrastructure, this problem is overcome by introducing another party into the public key infrastructure chain – a Certification Authority. A Certification Authority “signs” or “certifies” public keys: it digitally signs a record binding each entity’s name to its public key and places the signed record, i.e. the certificate, in the directory. Anyone retrieving a certificate checks the Certification Authority’s signature on it using the Certification Authority’s own public key, which is the one key that every party must obtain by a trustworthy route and accept in advance. A fraudster who swaps the key inside Bob’s certificate breaks that signature, and the swap is detected. This means that any party to a transaction should be able to confirm that the certificates presented to it are valid and be certain that the certificates it presents in turn are similarly recognized.
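The mechanics of the last four paragraphs, as an added illustration that is not code from the original article or from any product it mentions: Alice encrypts an order to Bob and signs it; a fraudster who swaps Bob’s key in an uncertified directory reads and re-encrypts the order unnoticed; a directory of Certification Authority-signed entries rejects the same swap because the signature covers both the name and the key. The signature is computed over a SHA-256 digest of the message, which is how the “encrypt with the secret key” description is realized in practice. All party names, the seeded 128-bit primes and the sample order text are constructed for the example; there is no padding and the keys are far too small for real use.

```python
"""Toy textbook-RSA walk-through of the Alice, Bob and Certification Authority story above.
Added illustration, not the article's code; tiny keys, no padding, fixed seeds: never use for real data."""
import hashlib
import math
import random

def is_probable_prime(n, rounds=20):
    # Miller-Rabin: a composite survives one random round with probability at most 1/4.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(rng, bits):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
        if is_probable_prime(candidate):
            return candidate

def generate_keypair(seed, bits=128, e=65537):
    # Returns (public, secret) as ((e, n), (d, n)); seeded so every run gives the same keys.
    rng = random.Random(seed)
    while True:
        p, q = random_prime(rng, bits), random_prime(rng, bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)

def encrypt(public, message):
    # Scramble with the recipient's public key; only the matching secret key undoes it.
    e, n = public
    m = int.from_bytes(message, "big")
    assert 0 < m < n, "toy scheme: the message must fit below the modulus"
    return pow(m, e, n)

def decrypt(secret, ciphertext):
    m = pow(ciphertext, *secret)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(secret, message):
    # "Encrypt" a digest of the message with the signer's secret key.
    d, n = secret
    return pow(int.from_bytes(hashlib.sha256(message).digest(), "big") % n, d, n)

def verify(public, message, signature):
    # Anyone can "decrypt" the signature with the public key and compare digests.
    e, n = public
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def certify(ca_secret, name, public):
    # A certificate is the CA's signature binding a name to a public key.
    return {"name": name, "public": public, "ca_sig": sign(ca_secret, f"{name}:{public}".encode())}

def lookup(directory, trusted_ca_public, name):
    # Accept a directory entry only if the CA's signature over (name, key) verifies.
    cert = directory[name]
    if not verify(trusted_ca_public, f"{name}:{cert['public']}".encode(), cert["ca_sig"]):
        raise ValueError(f"certificate for {name!r} does not verify against the trusted CA")
    return cert["public"]

# Constructed parties; the CA's public key is the one key every party must already trust.
(alice_pub, alice_sec), (bob_pub, bob_sec), (fraud_pub, fraud_sec), (ca_pub, ca_sec) = (
    generate_keypair(name) for name in ("alice", "bob", "fraudster", "certification authority"))
ORDER = b"ORDER 1000 valves. Alice"  # constructed sample order

def honest_exchange():
    # Only Bob can read the order; Alice's signature gives authentication and integrity (1000 valves cannot become 100 000).
    ciphertext, signature = encrypt(bob_pub, ORDER), sign(alice_sec, ORDER)
    return (decrypt(bob_sec, ciphertext) == ORDER and verify(alice_pub, ORDER, signature)
            and not verify(alice_pub, ORDER.replace(b"1000", b"100000"), signature))

def key_substitution_attack():
    # Uncertified directory: the fraudster swaps in his own key, reads Alice's order, re-encrypts it for Bob; nobody notices.
    directory = {"bob": fraud_pub}  # held bob_pub until the fraudster rewrote the entry
    intercepted = decrypt(fraud_sec, encrypt(directory["bob"], ORDER))
    return intercepted == ORDER and decrypt(bob_sec, encrypt(bob_pub, intercepted)) == ORDER

def certified_directory_rejects_substitution():
    # The same swap against CA-signed entries is caught: the signature covers name and key.
    directory = {"bob": certify(ca_sec, "bob", bob_pub)}
    genuine = lookup(directory, ca_pub, "bob") == bob_pub
    directory["bob"] = dict(directory["bob"], public=fraud_pub)  # the fraudster's swap
    try:
        lookup(directory, ca_pub, "bob")
    except ValueError:
        return genuine
    return False
```

The three result functions return True in turn: the honest exchange gives confidentiality, authentication and integrity; the swap in the plain directory succeeds silently; the swap in the certified directory is refused. Note that `lookup` still has to be handed the Certification Authority’s public key from somewhere the fraudster cannot reach, which is the trust anchor the article’s “trusted third party” discussion is really about.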
Trusted third party
But to be truly robust in the context of e-business, the organization providing the Certification Authority services must be independent of the parties involved in the business transaction. This is where the concept of the trusted third party comes into play, namely a party that is independent of the transaction process and who is at the same time trusted by both parties to the transaction.
The need for trusted third parties will become more pressing as the trend for outsourcing IT, and the global trend towards total electronic communication in all business relationships continues to accelerate. As the use of the Internet increases, electronic business communication is no longer restricted to communication within an organization. Moving beyond basic e-mail communication, business partners are increasingly allowing access to each other’s systems in order to streamline business operations. We need only think of the explosion in electronic communications as procurement, industrial customer contracts and energy trading move to Web-enabled systems and even highly sensitive information related to merger and acquisition deals starts to be exchanged via extranets. All these factors add to the complexity of, and the need for, effective security solutions, ideally provided by a trusted third party.
Doing it yourself
Building a public key infrastructure requires heavy investment, highly skilled resources and time. For an organization to offer public key infrastructure services as a trusted third party, it must have not only the financial strength and the combination of technical and management experience, but also have global reach and be able to demonstrate its independence. For many organizations, this will simply be too costly to do themselves. Outsourcing to an established, trustworthy player who is able to spread the costs across a wider business population will be the most effective option.
In response to this, PricewaterhouseCoopers has recently launched its own trusted third party service, beTRUSTed, leveraging its global coverage and its unique branding as a provider of independent assurance to the business community. Conforming to all relevant industry standards and best practices regarding physical security and procedural security, the service uses market-leading public key infrastructure products while remaining technology neutral and offering choice and interoperability. It can be scaled to suit any desired level of performance. It has been designed to create the essential conditions for the proliferation of confident e-business relationships.
For power companies already under intense margin and regulatory pressures, the business case for an outsourced trusted third party service is compelling. The need to move quickly on e-business is also growing in intensity, but organizations cannot afford to cut corners when it comes to the basics.
In PricewaterhouseCoopers’ survey of utilities in the UK, some of the main internal hurdles hampering the execution of a robust e-business strategy were found to be security concerns, underpinned by an internal culture of low trust and a fear of disruption to normal operations caused by implementing new technology.
Whether launching initiatives involving e-procurement, e-markets and electronic energy trading platforms or implementing highly sensitive information-sharing applications, power companies will ignore the need for a robust and independent trusted third party at their peril.
Utilities must not lose sight of the fact that e-business is not just about technology. It’s fundamentally about changing behaviours to achieve a new scale of benefits, and technology is both a driver and enabler of that change. The revolution has forced us to rethink some of the things we took for granted when doing business – essential things which all add up to “trust” – and we need to go back to basics on this.
Services such as beTRUSTed offer a strong platform for e-business, but they are only a foundation block. This type of technology does not replace the need for a well drawn business strategy, but it is certainly going to make a difference to customers, suppliers and stakeholders as companies get to grips with e-business.
Back to basics in e-business
Authentication: how do you know that the person on the other end of the transaction is who they say they are and that they are someone you want to deal with?
Confidentiality: how do you make sure that no-one is “tapping into” your online communications, whether they be for procurement orders, energy trades or details of your latest acquisition targets?
Integrity: how do you know that an e-order of 1000 valves does not become 100 000 valves by the time it is received?
Non-repudiation: how can you ensure that an online contract cannot be repudiated causing loss to yourself or your contractors?