
Strategic Planning, F. Kenney, J. Thompson
Research Note, 7 August 2003

B2B Security Patterns: Finding the Perfect Combination

Achieving business-to-business security is a combination of examining internal and trading-partner needs. A key decision on which form of security to use depends on how much each trading partner is willing to spend.

Core Topic
Application Integration and Middleware: Architectures and Patterns for Software Infrastructure

Key Issue
How will emerging software infrastructure architectural principles and design patterns best address the requirements of collaborative business-to-business processes?

Strategic Planning Assumptions
Through 2008, nearly all trading communities will use SSL to meet diverse trading-partner requirements (0.7 probability).
Through 2008, 60 percent of all trading communities will use SSL in addition to at least one other security solution (for example, VPN, AS2, ebms or WS-Security) to meet diverse trading-partner requirements (0.8 probability).

Diverse trading partners have diverse infrastructures and, thus, diverse security requirements. (Requirements include privacy, identity management, authentication, nonrepudiation and access control.) However, patterns for certain types and combinations of security have emerged within trading communities. These patterns encompass one or more of the following methodologies to secure transactions.
These patterns include:
- The use of proprietary software
- Relying on standards to secure the data
- Securing the data by encryption
- Using virtual private networks (VPNs), leased lines and frame relays
- Using Secure Sockets Layer (SSL), Secure Hypertext Transport Protocol (S-HTTP) and Web browsers

Using Proprietary Software to Secure B2B Networks

The use of proprietary standards and protocols, included in most business-to-business (B2B) integration suites such as Sterling Commerce's Connect:Direct Secure+ or Proginet's Secure Internet File Transfer (SIFT), is prevalent among trading communities in which a low number of trading partners with similar B2B integration infrastructures have monetary and resource investments in proprietary suites (for example, financial institutions using Connect:Enterprise or Connect:Direct).

Gartner. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Some distinctions of this pattern are:

- Trading partners use software from the same vendors within the community.
- Security can be standards-based (not likely), highly proprietary (likely) or hybrid (unlikely).

The benefits of using this pattern include having a highly secured and homogeneous trading environment, which reduces the need to support multiple B2B standards. The challenges of using this pattern are having to implement expensive licensed software and updates, and the cost of entry for new trading partners (which are often reluctant to implement proprietary solutions), which can prohibit growth of the community.

Relying on Standards to Secure the Data

New and emerging B2B standards, such as Applicability Statement 2 (AS2) and WS-Security, offer a way for trading partners to secure their transactions using solutions that support multiple B2B standards. This pattern can be used whether there are a few trading partners or many. Vendors such as Cyclone Commerce, IPNet Solutions and isoft provide software that can be deployed by a trading partner of any level or size. These solutions support most of the common B2B security standards (for example, EDI-INT), and some offer additional B2B integration functionality, such as provisioning, onboarding, community management and Web forms (browser-based technology, hosted by the hub, that enables smaller trading partners to enter, view and retrieve business transactions and documents). Although choosing this approach requires that trading partners agree on a standard, most integration middleware vendors (such as webmethods, Tibco Software, SeeBeyond Technology and Vitria Technology) support multiple standards and can rapidly deploy (via adapters or add-on modules) support for emerging standards, thus giving the trading partner the capability to support both current and emerging standards.

Some distinctions of this pattern are:
- Trading partners agree on B2B standards to achieve security, compatibility or both.
- AS2 functionality is offered in more than 50 suites from 40 different vendors, including btrade, Cyclone Commerce, Global exchange Services, IPNet Solutions and Sterling Commerce.
- Web services will be secured via the use of multiple standards (for example, XML Encryption, XML Digital Signatures and XML Key Management Specification [XKMS]). These standards, as well as others, are currently supported by some Web services brokers (for example, Flamenco Networks) and are also widely accepted (and in various stages of integration) in identity management products and Web services security tools.

The benefits of this pattern are that trading partners have a choice of multiple vendors from which to purchase technology. (In some cases, the software already exists or has an adapter that provides support of the standard within the infrastructure.) Another benefit is that emerging B2B initiatives and methodologies, such as UCCnet, will rely heavily on established B2B standards (such as AS2). The challenges are that standards are still incomplete and are constantly being updated and appended, causing disruption in interoperability. Version changes and updates in vendor solutions also cause disruption.

Securing the Data by Encryption

Some trading partners will prefer to encrypt the transaction using digital certificates (examples include VeriSign, Entrust and Baltimore Technologies), signatures and encryption standards (for example, Rivest-Shamir-Adleman), addressing new and upcoming governmental, regional and enterprise regulations regarding privacy. Using encryption allows messages to flow in the open over public networks without being deciphered or changed. Using digital certificates and signature capability offers nonrepudiation benefits as well. Users of this pattern have trading communities whose size depends on the complexity of an established public-key infrastructure (PKI), or they have existing digital certificates and signatures for e-mail and so on that they wish to reuse. When there is a real need for nonrepudiation, this is a pattern to consider, although some standards that utilize digital certificates (for example, AS2 or ebxml Messaging Services [ebms]) can also be used. Another benefit besides nonrepudiation is that established internal and external PKI infrastructures can be leveraged and ported into B2B infrastructures.
Encryption and decryption present challenges, because they are resource-consuming and are dependent on the specific encrypt/decrypt algorithm and on the size and complexity of the transaction. Both third-party management and self-management of certificates (that is, certificate issuance, confirmation and revocation) can quickly become expensive and time-consuming.

VPNs, Leased Lines and Frame Relays Secure the "Wire"

Before the use of standards and commercialized encryption, securing transactions by transmitting them over a VPN (for example, from vendors Aventail and Neoteris), leased private lines or frame relays was the most popular way of conducting secure B2B transactions. This pattern, once common in large trading communities and in communities where trading partners are unwilling or unable to implement any B2B software, is still one of the simplest and most effective ways of securing the transport of B2B transactions between trusted trading partners. Additional security methods, specifically addressing privacy (such as encryption and digital certificates), are needed, because, in this pattern, the emphasis is placed on securing the transport mechanism, not the actual destination (that is, "DMZ" or file servers) of the transaction. VPN technology, as well as direct leased lines and frame relays, is expensive, which puts this pattern out of reach for most small and midsize businesses.

SSL, S-HTTP and Web Browsers

The use of SSL and S-HTTP, in conjunction with Web forms hosted by one trading partner, offers a simple way of securing B2B transactions by securing the transport layer. SSL and S-HTTP are mature protocols that are widely deployed and embedded in all Web browsers. For the end user, the use of browser technology means no installed software and low maintenance and support costs. However, the trading partner hosting the Web forms must dedicate resources to develop and maintain a Web portal and the SSL or S-HTTP servers.

Putting the Different Security Solutions in Perspective

To date, no single security solution can address the requirements for all categories of trading partners, large and small, and with different levels of IT sophistication. To illustrate the challenge, we have mapped the various security solutions described above against our model for large supply chain communities (see Table 1 and "Business Strategy Drives B2B Connectivity Choices").

Table 1. Patterns for B2B Security: Typical Integration Scenarios for Supply Chain Integration From the Point of View of the Channel Master

| | Most strategic and private | Mixed model/hybrid | Least strategic/public |
|---|---|---|---|
| Strategic Importance | High | Medium | Low |
| Relationship Value and Differentiation | High | Medium | Low |
| Level of Trust and Risk | High | Medium | Low |
| Level of Trading-Partner IT Sophistication | High | Medium | Low |
| Number of Trading Partners "On-Boarded" | Few | Varies | Many |
| Willingness to Outsource | Low | Varies | High |
| Focus of Integration | Application integration or document exchange | Application integration or document exchange | Application integration or document exchange |
| Proprietary Security | | Not a good fit (too complex for most trading partners) | Not a good fit (too complex for most trading partners) |
| Standards-Based Security | (but requires broad | (but requires broad | (but requires broad |
| Encryption Security | | if embedded (but requires broad | Not a good fit (not likely that many enterprises will use same certificate authority) |
| Safe Transport Security | | | Not a good fit (not likely that many enterprises will use same transport) |
| SSL Security | (but not for high-value transactions) | (but not for high-value transactions) | |

Source: Gartner Research (July 2003)

Although a small, trusted group of trading partners can probably agree to deploy almost any security solution, the challenge is scale-up, that is, getting larger numbers of trading partners to agree on the same security standards, certificate authority or transport. Standards-based security is the most promising solution, but it lacks sufficient maturity (specifications are a work in progress) and adoption. SSL, while ubiquitous, does not have the granularity for high-value or high-sensitivity transactions.

Through 2008, nearly all trading communities will use SSL to meet diverse trading-partner requirements (0.7 probability).
Through 2008, 60 percent of all trading communities will use SSL in addition to at least one other security solution (for example, VPN, AS2, ebms, WS-Security) to meet diverse trading-partner requirements (0.8 probability).

Acronym Key
AS2: Applicability Statement 2
B2B: business-to-business
ebms: ebxml Messaging Services
ebxml: Electronic Business XML
PKI: public-key infrastructure
S-HTTP: Secure Hypertext Transport Protocol
SIFT: Secure Internet File Transfer
SSL: Secure Sockets Layer
VPN: virtual private network
XKMS: XML Key Management Specification
XML: Extensible Markup Language

Bottom Line: Midsize to large trading communities (50 partners or more) and communities with diverse security requirements should consider a combination of two or more business-to-business security solutions to secure their transactions, for example, virtual private network/Secure Sockets Layer, Applicability Statement 2/SSL, or digital certificates/Secure Hypertext Transport Protocol. Smaller trading communities or communities with less diverse requirements can choose a security solution that best complements the value of the transactions (for example, digital certificates for high-value transactions or SSL for moderate-value transactions).