Wired And Wireless Worlds Need To Tie Security Knot
E-commerce applications are taking on a new dimension as emerging wireless technologies promise to offer greater access to corporate networks and the Internet. Today, mobile phones and hand-held devices can be used to access a wide variety of e-commerce applications such as online banking or stock brokering. These devices hold the promise of making it easier for employees, trading partners and customers to access e-mail, enterprise resource planning and other applications on corporate intranets from anywhere, at any time.
Because of concerns over security, most of today's wireless applications involve only low-value or no-value transactions. In response, the new wireless world is moving to create a security infrastructure capable of offering the kinds of protections available today on the wired Internet. This, in turn, has prompted activity in various groups to develop the technologies and standards to make wireless access pervasive and secure.
But unless wireless devices can interoperate with the huge installed base of existing security protocols in the wired world, and quickly, e-commerce and the potential reach of the Internet will suffer.
The security issues surrounding wireless devices are essentially the same as those of the current wired infrastructure, which relies on the ability to establish privacy, authenticity and nonrepudiation between parties. It is essential, therefore, that the wired and wireless worlds interoperate. Without this commonality, it will be more difficult to establish privacy and authenticity, and most importantly, nonrepudiation. While interoperability may seem to be common sense, it is not necessarily the case today.
One of the earliest efforts to evaluate the advantages of transferring data seamlessly between the wired and wireless worlds was undertaken by the WAP Forum, and one of its first steps in extending the benefits of the Internet to wireless devices was creating the Wireless Application Protocol, or WAP. Although WAP was not developed specifically to resolve security issues, the WAP Forum built security into its specifications from the beginning, and has enhanced security with each subsequent WAP release.
Now the WAP Forum stands poised at a critical juncture on its path to fully merge the wired and wireless worlds. With WAP 2.0 on the horizon, the WAP Forum is proposing a critical modification to WAP's standard security protocol, Wireless Transport Layer Security (WTLS), so it will interoperate with the current wired Internet standard protocol, Transport Layer Security (TLS), which is based on SSL. Today, the two protocols already accomplish essentially the same thing, and making them interoperable will eliminate the need for WAP gateways to handle the translation between wired and wireless security protocols.
It is this last point – elimination of translation of security protocols from WTLS to SSL at the gateway – that makes the next version of WAP so critical and at the same time contentious. The real issue with WAP today is over who owns the trusted relationship with the customer. To work in a WAP environment today, trusted information must be pushed out to the WAP gateway because wireless devices cannot access or deliver user information stored on back-end machines via Internet protocols without first being translated at the gateway. Because security protocol translation is necessary, it is now the WAP gateways which must be trusted. Most likely, this gateway is owned by the wireless service provider, not the e-commerce provider or enterprise, and this places the wireless provider in the very powerful and profitable position as the broker of trust for all users. Wireless service providers are understandably reluctant to give this up any time soon.
But in the paper-based and wired Internet worlds, banks and financial institutions historically have played the role of trust broker. They are very reluctant to relinquish this role as they move their services online to consumers with wireless devices.
Clearly, it's time for all parties involved to resolve the gateway translation issue and adopt interoperable security standards. Compatibility between security infrastructures is paramount, and the WAP Forum must move quickly before it is too late. NTT DoCoMo's i-mode, for example, employs a security infrastructure based on the existing Internet standard, SSL, and in its markets is already achieving broad acceptance as a channel for wireless applications.
Compatible security protocols would allow all enterprises and e-commerce providers to more easily extend their existing security infrastructures to the wireless world, and ultimately enable them to be their own brokers of trust. Enabling enterprises to be their own brokers of trust will accelerate the deployment of exciting new applications, eliminate a potential inhibitor to the adoption of wireless technology and ensure end-to-end security. Done quickly, the wireless Internet could grow exponentially and far exceed the size of the current wired Internet, and that's good for everyone.
Wired and wireless secure e-commerce applications are just starting to be piloted and deployed. Organizations are starting to realize that to execute high-value transactions online, wired or wireless, they need an industrial-strength security infrastructure to support them, and that this security must be built into applications from the beginning. Obviously, creating interoperable security options before this deployment proceeds too far will be necessary for the adoption of wireless technology, and more cost-effective, too.
Wireless security products should support the convergence of the wired and wireless worlds. Any enterprise investing in a security infrastructure needs to ask whether the security products it is purchasing are extensible to handle both its wired and wireless security needs. Assuming the translation issue is resolved, compatibility will also apply to certificate authorities, registration authorities and other PKI components, which must be capable of handling both wired and wireless certificates, or at the very least the vendor must provide assurances that they will in future versions.
Secure mobile applications will succeed only if interoperable security infrastructures can be developed that will service both the new generation of wireless applications and the existing wired world. To accomplish this, the industry needs to work together rapidly to advance current wireless protocols and standards to be seamless with the wired world.