E-Commerce Security Market Research

We are publishing E-Commerce security market research that offers insight into an industry which has developed tremendously over the last few years. This information is based on private research and cannot be comprehensive. However, we try to focus on the European market and to give an accurate picture of how European companies are performing in it. We will focus on the commercial security sector and therefore ignore the government and military security segment.
Please feel free to send your feedback to bw@wildhaber.com

This first article gives an overview of the development of the IT security market until today, covering the market, players and products. In future issues, we will address specific topics around the items which you will find in this report, focusing on different aspects of the security markets:

General market development

  • The Swiss E-Commerce Security industry.
  • PKI products
  • The wireless security market
  • Hot security startups
  • Professional Services Market

For additional research articles see www.itrustsolutions.ch

 

Structure of the E-Commerce Security Market

History
When hackers attacked several popular web sites at the beginning of 2000, the topic of IT security started several discussions in the press and in the executive boards of many companies. Until the late 80's, IT security was a topic known only to a bunch of specialists, mainly coming out of the military field. Originally, only organisations with very sensitive data considered installing security measures on a physical level (processing centres with physical access control, perimeter security). In the 90's, specialised industries started to be concerned about data security as computer networks were used to connect sites all over the world. In the banking industry, hardware-based encryption became a standard. In the late 90's, more and more flexibility was requested by the market, and the old and inflexible link encryption schemes started to become less attractive. In the B2B industry, EDIFACT became the standard for exchanging data. Security messages were specified which were the predecessors of today's B2B E-Commerce security concepts. Already in those days, IPsec (IPv6) was becoming a discussion topic. Around 1997, the first E-banking solutions came out offering SSL-based encryption, with special proxy solutions for banks outside the US, as SSL 128-bit encryption was not available to consumers. To this day, SSL is the most widely used protocol and will dominate the E-Commerce market for a while. Since then, the security market has developed commercially, but good technical solutions are not yet available (see standards).
Traditionally, European security markets follow special rules. Many of the European security companies came out of the military sector, mainly focusing on hardware-based security. Most of these companies have not succeeded in transforming their business models to the world of E-Business. Sensitivity to security-related questions has always been high. Especially in the financial sector, companies have always tried to build their own security systems, preferring national security companies. Security outsourcing is generally not favoured due to legal responsibilities. This situation has changed only slightly.

Products overview
IT security is defined by the terms:

  • Availability
  • Confidentiality
  • Integrity

The corresponding security mechanisms are: encryption, access control, logging, authentication. In addition to the classic security functions like access control, in E-Commerce security, the major security mechanisms are based on cryptographic protocols.
The market can be segmented technically and by product. Technically, the different products can be categorised according to their position in the layered communication model (e.g. OSI & TCP/IP).

 

Crypto based security

 

Lower layer security (Link, Network) is the domain of traditional hardware-based security. Above technical security protocols, special security layers have been created. IP security (Version 6) will be integrated into network devices. VPN solutions are based on IP-specific security protocols like ISAKMP, which will be standard in most of today's routers. This includes encryption and integrity services. Authentication on a technical level can also be accomplished. The best known of these security protocols on the web is SSL, a standard for encrypting and authenticating client/server sessions. SSL is mostly software based.
Application security is needed when legal relevance is important for the transaction. As soon as value of proof or non-repudiation plays an important role, there is no alternative to application security. This includes a whole set of E-commerce infrastructures, basically known as PKI (public key infrastructures). In the wireless world, similar protocols have been developed.


Standards
Standardisation is THE critical issue in IT security. Openness and security do not necessarily match, or to be more accurate, they are true opponents. How to communicate securely in an open way is the crucial question which needs to be answered. In a world where one can still be lucky if technology somehow works at last, security adds an additional complexity which, if not absolutely necessary, tends to be avoided by everyone. In addition, the standards defined by the IETF and other standards bodies are barely more than a set of recommendations which allow a hundred different ways of implementing them. Getting a system with a PKCS #13 specified smart card interface does not mean that every smartcard which is PKCS #13 compliant will work; on the contrary, most probably it will not work. This is the main reason why people are not yet communicating securely. Current implementations require a stable infrastructure which allows for trusted key management and the necessary provisions for availability.


Consulting
The services industry first profited from the security needs of big financial corporations and government. In the early 90's, several concepts were developed for implementing security in large enterprises or organisations. Unfortunately, most of the concepts could not be realised because of a lack of available products. For certain solutions, products included sophisticated security features, including a comprehensive PKI concept. However, to this very day, no supplier has managed to open their system to become the de facto standard for enterprise security systems.


Legal situation
Due to new security mechanisms and the replacement of traditional procedures like the handwritten signature, legal rules must be reformed to make efficient use of these new technologies. The EU has started several initiatives to support E-commerce and the corresponding security. Data privacy regulation will cause major discussion between the EU countries and the US, despite current data privacy agreements. Existing laws have not yet been modified to reflect this change.


Market development
The E-Commerce security market is still growing moderately. Current studies predict an annual growth of 32% until 2003 in the general security field and 62% in the PKI area (Source: Datamonitor, published in Red Herring, April 2000, p. 68/70).

 

 
© Wildhaber Consulting 2000. Last Update 07.02.01