Chris Greyling, business development executive at Commerce Centre, examines the implications business-to-business (B2B) e-commerce holds for information security.
Business-to-business (B2B) e-commerce has presented companies with an interesting paradox. By opening an electronic door into its business for partners, customers, and suppliers, a company can create a wealth of opportunities to save time and money, tap into new markets, and build closer relationships with its strategic business partners.
On the other hand, this would-be e-business exposes itself to a host of new risks and dangers by opening access to its systems and business up to a wide world of companies and people, not all of whom are necessarily friendly. That means that information security in the B2B world is as important as - if not more important than - it is in the business-to-consumer e-commerce arena.
Security in the B2B world operates on at least two levels. Firstly, a company may hold a wealth of proprietary information in its enterprise systems that certain business partners are allowed to access, but which needs to be kept from competitors or certain customers. Imagine, for example, the consequences of customer A drilling into your pricing database only to discover that customer B receives a 20% discount on all its orders with you. Or even worse, a company that is a customer of yours on one level, but a competitor on another, gaining access to the pricing strategies you use with all your best customers.
Secondly, there is the issue of securing financial information and transactions from external attackers. The consequences of hackers gaining access to the sort of financial data transferred between companies in a B2B relationship are too frightening to contemplate.
This means that the security layer between trading partners in the B2B world needs to be as strong as the systems used in the banking environment.
Who can you trust?
Companies that wish to safeguard their proprietary information from the prying eyes of trading partners and hackers would do well to take up the Intel mantra: "Only the paranoid survive." To put it bluntly, there is no such thing as a business partner in whom you can place 100% of your trust when it comes to information security.
In the first instance, a B2B information chain is only as strong as its weakest link. Any security your company may put in place is useless if your business partners have not placed the same emphasis on keeping external hackers out of their systems. Once a hacker has gained access to a partner's systems, it becomes easy for him to launch an all-out attack on your business without needing to crack your own servers or network.
Secondly, many of the companies that participate in B2B exchanges and trading hubs may compete with your business, and are therefore striving to put you out of business. You need a way of providing different layers of access to different trading partners.
To address this need, companies can take a two-tiered approach to B2B. On the one hand, companies can participate in broad industry marketplaces, which offer secure financial transactions and access to an unlimited pool of potential partners and suppliers. This does not preclude them from establishing closed B2B communities for companies that they wish to share information with that is not for general consumption.
The good news is that the technology for securing B2B transactions is here. Indeed, many of these security technologies - such as firewalls, encryption and digital certificates - have reached the status of commodities.
There is a host of options to choose from - ranging from encryption and digital certificate technologies such as public key infrastructure (PKI) and secure sockets layer (SSL) through to physical devices such as smartcards and digital tokens on laptops.
Still, there are some technical issues that you need to bear in mind as you move into the world of B2B. For example, the ports most commonly used in B2B transactions are two of the biggest security risks listed: ports 80 and 443 allow outside HTTP and SSL TCP access to a Web server, and are listed as "ports to disable" by the security body, the SANS Institute. Balancing the need to keep the bad guys out while making life as easy as possible for the good guys presents a significant technical challenge.
Negligence and ignorance
The information security problems that arise most often are related to the human factor - negligence or ignorance - rather than to technical issues. Security policies go a long way towards addressing these issues: they force your own staff to comply with a set of procedures and address some of the most common security failures. These include staff using simple, easy-to-guess passwords, or handing out passwords to telephone callers. Security policies also alert IT staff to what can and can't be done.
The complexity in B2B arises in matching up the security systems and procedures of one company with those of another. Parties involved in B2B relationships need to have consistent levels of access control and security to ensure that they can communicate safely.
For partners who plan to link up for trading over the Internet, examining each other's written security policies is a good starting point. When forming partnerships, it is wise to examine the other party's security framework to ensure that its security meets your company's standards. Don't even think of partnering with organisations that do not meet your requirements for information security.
Luckily, standards are evolving for security in B2B environments, and give organisations a starting point for defining security parameters for B2B initiatives. This will ease matching up with B2B partners over the 'Net.
Groups such as the Center for Internet Security (CIS) are working to define and champion the common, auditable security procedures and technologies that companies should put in place for doing business with one another over the Internet.
This six-member group carries a lot of clout from its participants, which include Visa, AT&T, the SANS Institute and NASA. The British Standard 7799 is another framework for security that is worth looking at.
Partners
Information security is one of the most vexing IT problems companies in SA face today. Not only are information security experts hard to find, they are expensive to hire and retain. Add that skills problem to the complexity of the technology and procedures involved in information security, and there is a recipe for disaster.
The solution to this problem that makes sense for most companies is to look towards a third-party technology partner that understands the business of building secure platforms for business-to-business commerce on the Internet. Such a service provider - called an Internet Information Broker Service - acts as a bridge between the systems and technologies in use by the various members of the business community, and shields the participants from the complexity and risks inherent in maintaining their own security. It plays a critical role in ensuring that all participants in an electronic trading community embrace the same standards, procedures and technologies for information security, and it takes on the technical risks involved in securing a B2B hub.
Apart from insulating all the trading partners in the community from security risks, the broker provides a wealth of value-added services such as translating data and protocols on the fly to allow the different systems in use at the various companies to communicate seamlessly with one another.
A rigorous tendering process is essential to ensure that the broker meets all of your security requirements. During this process, you should closely examine the technologies and procedures the broker has put in place for your protection. Visa's security standards - which will form the basis of the CIS standards - provide a useful set of benchmarks.
Visa's 10 requirements for its merchants specify that they must install a firewall, keep software up-to-date with patches, encrypt stored and transmitted data, use regularly updated antivirus software and restrict employee access to sensitive data. The requirements also set out standards for the assignment of IDs and passwords, and call for security systems to be regularly tested.
Also, ensure that everyone involved - the broker, your company, and your partners - has contingency plans in place that detail the actions to be taken when one of the links in the B2B initiative comes under attack. All parties need to have sound relationships with each other so that they can work together to beat off any attacks from external hackers.
This can save a great deal of time, money and embarrassment for all involved, as well as prevent the hacker from getting too deep into the system.
A watertight service level agreement (SLA) with appropriate penalties will go some way towards giving an organisation that signs up with a third-party B2B service provider peace of mind.
While an SLA cannot undo the damage done to your business by a malicious hacker or a partner stumbling across the pricing you are offering one of its competitors, it clearly defines the responsibility of each party in the event of a security disaster. This can help to cut down on the added aggravation of legal tussles as everyone affected by the security breach tries to find someone to blame in the aftermath of a successful hacking attempt.