InformationWeek

If an E-market wrongly issues digital certificates to a company or employee that falsely represented itself, the result could be disastrous. Not only could private information seep into the wrong hands, but thieves could pull off fraudulent orders or receive payment for goods that don't exist, Kaul says.

Depending on the activities a marketplace engages in, things could even get dangerous. Says Bart Verbruggen, IT manager for ChemResult, a chemicals E-marketplace, "For us, security is deathly important." He's not exaggerating. If hackers with terrorist agendas got their hands on chemicals used for making bombs--with a false digital certificate, or by changing an order's ship-to address--lives could be lost.

With those risks in mind, ChemResult has opted to outsource its security. IBM hosts the E-market and manages its firewalls and intrusion detection systems. For transaction security, SSL Web server digital certificates, site authentication, user authentication, and transaction audit trails, ChemResult turned to beTrusted.

"We started looking at all of the ways a hacker or crook could get in or other violations could take place," says Geoff Grabow, chief technology officer at beTrusted, which provides PKI and certification authority services in conjunction with PricewaterhouseCoopers. PKI's vulnerabilities lie with its root key. So beTrusted decided to break the root key into 19 separate pieces. Each is owned by a different beTrusted partner, and each is locked in one of 19 bank vaults.

BeTrusted's highest certificate, a class 3, is issued only during a face-to-face meeting; applicants must bring along identification such as a passport. "The information, including photo, are kept on file after the certificate is issued. We have very strict controls that leave a paper trail," Grabow says.

With these precautions, ChemResult believes that it's taken the prudent route to assuring suppliers that transactions will be secure. Handing the job over to experts leaves ChemResult better positioned to grow and manage its marketplace, which was launched last fall. "We don't want to do everything ourselves. We're chemical experts, not information security experts. We want to focus on building a successful marketplace," Verbruggen says.

Companies are also trying to ensure the security of their E-marketplaces by breaking into them themselves. Take Covisint, which routinely conducts periodic "ethical hacks" to ensure tight security. "It scares executives to death," says David Miller, but it's the only way to uncover potential vulnerabilities within the E-market. You can't build an Internet system that has bulletproof security, just like you can't build a house that has bullet-proof security--unless you don't put in windows, Miller says.

Bottom line, says Vasconi, is that "Covisint takes security extremely seriously. We don't do one ethical hack and never another again. From our standpoint, it's a hurdle we have to cross before we can sell products."

And what about dealing with the real hackers? "We watch everything they do," says David Miller. "Now we know where to put the trip wires. We also know who you are and where you are, and we'll send that data to the FBI."