eSecurity Infrastructures: Reflections and Lessons

In view of many eSecurity projects launched by banks & governments to secure their online services and organizations to secure remote access-control/ information assets, lets pause a little to reflect on key lessons in the last 10 years. Much of the lessons I will summarize below come from experiences within the Nordics, but hopefully are generic enough to be relevant across geographies.

Having worked in range of eSecurity projects since 1999,  I can think of five key lessons:

• Recognize two key segments: While “schemes-segments” are driven by heterogeneity (diversity in behaviors of citizens, merchants, SMEs) and governance, the enterprise environments are more closed-knit and controlled, driven by their Corporate IT. While scheme-solutions are driven by the industry players (verticals, public sector, or collaborative model) for the markets, the “non-scheme” enterprise eSecurity is directly driven by the markets more directly. Usability and security are also perceived rather differently in these two segments, so are the notions of compromise, control and security requirements. In other words there is no industry “buffer” and the business risks are more variable (needing close monitoring/ management) in the non-scheme segments.

• Understand customer’s customer: The commercial success of eSecurity infrastructures depends on the usage volume from mass market, businesses and applications. The key user segments for eSecurity are the issuers of ID-credentials, relying parties (merchants) and users (citizens, employees, business users) of these credentials. In other words, the customer value chain extends well beyond your direct customer and the eSecurity infrastructure will not succeed unless your customer’s customers are happy using them. So make sure to ask your customer early on about their end customers and use cases. This enquiry lies at the heart of serving “successful ecosystems and full value chain”.

• Package with complementary services: Strong service ecosystems can be built by packaging eSecurity with range of other applications, which in turn have their own value chains. Packaging eSecurity with invoice management, portals, banking, payments, CRM-systems. smart-cards (national-ID cards, bank-cards, driver licenses, access-cards) will embed eSecurity in new value-chains and verticals, helping its market outreach.

• Move from securing content to context: Success of eSecurity solutions will be steadily challenged by the steadily evolving (deteriorating) security environment surrounding online services. Incorporation of new delivery channels (smart-cards, SIM, mobile phones, PC) have strong impact on electronic contexts. The “mission security” must evolve to secure not just the existing services, but the relevant contexts around them, which over time become more hostile (thanks to innovations in ID-thefts, hacking and misuse). The emergence of anti-fraud (for e-identities, signatures), forensics, monitoring with predictive analyses confirm the subtle evolution from securing the e-contents to securing the e-context.

• Take your own medicine: Suppliers of trustworthy eSecurity solutions must use them for own securing their applications internally and services offered externally. This greatly helps in a priori understanding of practical implementation challenges (as well as benefits), before reaching out to customers and partners. Any number of testing in labs will not give you the taste of live solutions. Such internal implementations add to company’s own deployment expertise and even bring (some) scale economies into the total business case as other business units that eventually use (or package) eSecurity will end up sharing a part of eSecurity infrastructure costs – which is not bad. From Nets’ own history, I recall that we established the very first PKI to secure our own financial applications and trained our staff on practical issues - well before offering the Norwegian BankID solution (the winner of 2006 EEMA Excellence Award in Europe).

The emerging consumerazation of corporate IT services, increasing use of public-clouds for global delivery models and interaction between social ecosystems and traditional industry solutions will increasingly challenge our traditional understanding of segments and behavior.

Succeeding with eSecurity solutions will require a strong understanding of IT-Services, focus on “trustworthiness” (hence take your own medicine) and knowledge of customers (and their customers). Finally, make sure you taste your own medicine before commercializing them as this will bring trustworthiness to your organization and offerings.