Customers and partners need access to your systems. Roger Sullivan says XML can provide the security to make it happen.
In the current business-to-business (B2B) marketplace, the lines among manufacturer, supplier and customer are blurring. Thanks to advances in information technology and extensible markup language (see boxout, What is XML, below) in particular, suppliers are now able to monitor inventory levels, ship just-in-time goods to manufacturers and reap some significant efficiencies in the process. As disparate organizations begin to act together as a seamless whole, the issue of security rears up. How close is too close?
Many organizations have embraced a firewall mentality: either their customers are allowed 'in' or they are kept 'out.' As more customers are allowed in, they often have access to much more than an organization ever intended. That is why, in a more intimate electronic trading environment, user access must be segregated and isolated.
It is a classic 'push/pull' situation. Organizations are pulling towards each other to achieve efficiencies, but at the same time they must push private data away from each other. The good news is that checks and balances can be built into aggressive B2B business models.
Leverage existing systems
In a new XML-based environment, it makes no sense for one repository to include all trading partner identity and authentication data. The reality is that user identities and information are usually spread across different data bases. The challenge is to link these existing data sources and use the information to create authentication profiles. In this environment, trading solutions must be flexible to accommodate interaction with multiple data sources. That's why companies are turning to XML, security assertions mark-up language (SAML) and the standards being set forth by Liberty Alliance.
Use current business models
Within an organization, people naturally draw upon multiple data sources throughout the course of the day, and sometimes what they pull up on their screens may have no relevance to the transaction at hand. For example, let us say a parts company calls the human resources department of a trading partner to check and see if Joe Smith is employed and authorized to purchase 'Y' amount of components.
The HR representative on the phone may pull up Joe Smith on the computer and access key records about Joe. But that representative has no reason to disclose the fact that Joe recently had an operation and makes $75,000 a year. That is private information and it would not be shared with a vendor.
The same process must be replicated electronically, where XML determines what information or data field can be accessed and released.
Authentication and risk
XML also enables a more equitable balance when it comes to authentication management. For example, an employer gives all the organization's employees access to a credit union. The credit union has a list of employees, but not key information about whether they are currently employed, etc.
The credit union, therefore, is assuming liability for what people do when they come to the credit union's site. If that credit union requires some sort of authentication about the users before they are linked to the site, the responsibility for authenticating them is shared and security is dramatically improved. There's more of a balance. XML and new XML-based standards enable this.
By segregating access and knowing exactly who has access to what, an organization can have a higher degree of confidence that the right information is being disclosed to the right people. Without conducting a security review, no one can be sure who is accessing their systems and changing numbers.
The critical element is security. Organizations unable to guarantee the security of their data will be prevented from participating in new markets and relationships. As in any relationship, the boundaries are critical.
Roger Sullivan is president of Phaos Technology Corp. (www.phaos.com).
Steps to building trust
With XML, an organization can map its internal business practices to the way it interacts with its business partners and move to a truly networked trading environment. In order to realize the promise of XML, organizations must begin looking at the issues of trust in new ways. The following steps will help an organization begin to move to a more networked, trusted, XML-based trading environment.
- Identify relationship supply chain points. Determine which parts of the organization supply and receive critical information. Internal points include accounts payable, human resources, marketing and sales. External points might include various vendors, value-added resellers and professional services.
- Define the kind of information sharing among the various supply points. Look at the range of questions, requests and specific documents that go back and forth among and between the communication points in the course of doing business.
- Determine the different levels of authority/access at each supply point. Information needs to be protected at multiple points as it is shared. Different individuals and organizations require different levels of access. A consultant whose firm has a ten-year track record at an organization would most likely have a different level of access than a new supplier. The director of human resources would have a different kind of information access to accounting files than a field sales person.
- Determine information flow security needs. Now that the information sharing paths are outlined, the need for communication security, data security and authentication must be spelled out. For instance, what data is so sensitive that it should be encrypted before it moves anywhere? Is there an authentication policy or are there tools in place for individuals receiving that data? Is there other data that can be shipped without being encrypted?
- Review current security policies and procedures. Within the organization, there must be clear privacy policies and procedures. Also, trading partners take on an added responsibility in handling others' data. They must ensure that only those with a genuine need to know have access to confidential information. This can only be assured through proper security policies.
- Create/test a trust circle within a controlled environment. A federated trust circle is where two or more organizations or individuals share credentials. These organizations can then link to each other via a common interface or single sign-on capabilities. Using the previous steps as an authentication framework, a trial trust circle could be built among a sales force and the home office.
- Create and pilot the trust circle model with trusted vendors. After the in-house model is up and running, take it 'outside' the organization for a trial and deploy it with a set of trusted vendors.
What is XML?
The specification for eXtensible Markup Language was developed by the W3C.
XML is an abbreviated version of standard generalized markup language (SGML), which is large and complex. It is used for describing every type of document in all the varied areas of human activity.
XML makes it easier for organizations, groups or individuals to create their own customized mark-up tags for exchanging information, as it omits the more complex parts of SGML. So, it is easier to write applications for documents created with XML, and it is easier to understand. It is also more suited for delivery and interoperability over the internet, although it allows for storage and transmission of data off the web too. HTML is one of many XML applications, but the one most frequently found on the internet.