Strategic Planning, F. Kenney, J. Thompson
Research Note
7 August 2003

B2B Security Patterns: Finding the Perfect Combination

Achieving business-to-business security is a combination of examining internal and trading-partner needs. A key decision on which form of security to use depends on how much each trading partner is willing to spend.

Core Topic
Application Integration and Middleware: Architectures and Patterns for Software Infrastructure

Key Issue
How will emerging software infrastructure architectural principles and design patterns best address the requirements of collaborative business-to-business processes?

Strategic Planning Assumptions
Through 2008, nearly all trading communities will use SSL to meet diverse trading-partner requirements (0.7 probability).
Through 2008, 60 percent of all trading communities will use SSL in addition to at least one other security solution (for example, VPN, AS2, ebMS or WS-Security) to meet diverse trading-partner requirements (0.8 probability).

Gartner. Reproduction of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve its intended results. The opinions expressed herein are subject to change without notice.

Diverse trading partners have diverse infrastructures and, thus, diverse security requirements. (Requirements include privacy, identity management, authentication, nonrepudiation and access control.) However, patterns for certain types and combinations of security have emerged within trading communities. These patterns encompass one or more of the following methodologies to secure transactions:

- The use of proprietary software
- Relying on standards to secure the data
- Securing the data by encryption
- Using virtual private networks (VPNs), leased lines and frame relays
- Using Secure Sockets Layer (SSL), Secure Hypertext Transport Protocol (S-HTTP) and Web browsers

Using Proprietary Software to Secure B2B Networks

The use of proprietary standards and protocols included in most business-to-business (B2B) integration suites, such as Sterling Commerce's Connect:Direct Secure+ or Proginet's Secure Internet File Transfer (SIFT), is prevalent among trading communities in which a small number of trading partners with similar B2B integration infrastructures have monetary and resource investments in proprietary suites (for example, financial institutions using Connect:Enterprise or Connect:Direct). Some distinctions of this pattern are:

- Trading partners use software from the same vendors within the community.
- Security can be standards-based (not likely), highly proprietary (likely) or hybrid (unlikely).

The benefits of using this pattern include having a highly secured and homogeneous trading environment, which reduces the need to support multiple B2B standards. The challenges of using this pattern are having to implement expensive licensed software and updates, and the cost of entry for new trading partners (which are often reluctant to implement proprietary solutions), which can inhibit growth of the community.

Relying on Standards to Secure the Data

New and emerging B2B standards, such as Applicability Statement 2 (AS2) and WS-Security, offer a way for trading partners to secure their transactions using solutions that support multiple B2B standards. This pattern can be used whether there are a few trading partners or many. Vendors such as Cyclone Commerce, IPNet Solutions and isoft provide software that can be deployed by a trading partner of any level or size. These solutions support most of the common B2B security standards (for example, EDI-INT), and some offer additional B2B integration functionality, such as provisioning, onboarding, community management and Web forms (browser-based technology, hosted by the hub, that enables smaller trading partners to enter, view and retrieve business transactions and documents). Although choosing this approach requires that trading partners agree on a standard, most integration middleware vendors (such as webMethods, Tibco Software, SeeBeyond Technology and Vitria Technology) support multiple standards and can rapidly deploy (via adapters or add-on modules) support for emerging standards, thus giving the trading partner the capability to support both current and emerging standards. Some distinctions of this pattern are:

- Trading partners agree on B2B standards to achieve security, compatibility or both.
- AS2 functionality is offered in more than 50 suites from 40 different vendors, including bTrade, Cyclone Commerce, Global eXchange Services, IPNet Solutions and Sterling Commerce.
- Web services will be secured via the use of multiple standards (for example, XML Encryption, XML Digital Signatures and XML Key Management Specification (XKMS)), and these standards, as well as others, are currently supported by some Web services brokers (for example, Flamenco Networks) and are also widely accepted (and in various stages of integration) in identity management products and Web services security tools.

The benefits of this pattern are that trading partners have a choice of multiple vendors from which to purchase technology. (In some cases, the software already exists within the infrastructure or has an adapter that provides support for the standard.) Another benefit is that emerging B2B initiatives and methodologies, such as UCCnet, will rely heavily on established B2B standards (such as AS2). The challenges are that standards are still incomplete and are constantly being updated and appended, causing disruption in interoperability. Version changes and updates in vendor solutions also cause disruption.

Securing the Data by Encryption

Some trading partners will prefer to encrypt the transaction using digital certificates (examples of issuers include VeriSign, Entrust and Baltimore Technologies), signatures and encryption standards (for example, Rivest-Shamir-Adleman), addressing new and upcoming governmental, regional and enterprise regulations regarding privacy. Using encryption allows messages to flow in the open over public networks without being deciphered or changed. Using digital certificates and signature capability offers nonrepudiation benefits as well. Users of this pattern have trading communities whose size depends on the complexity of an established public-key infrastructure (PKI), or they have existing digital certificates and signatures for e-mail and so on that they wish to reuse. When there is a real need for nonrepudiation, this is a pattern to consider, although some standards that use digital certificates (for example, AS2 or ebXML Messaging Services (ebMS)) can also be used. Another benefit besides nonrepudiation is that established internal and external PKI infrastructures can be leveraged and ported into B2B infrastructures.
Encryption and decryption present challenges because they are resource-consuming and depend on the specific encrypt/decrypt algorithm and on the size and complexity of the transaction. Both third-party management and self-management of certificates (that is, certificate issuance, confirmation and revocation) can quickly become expensive and time-consuming.

VPNs, Leased Lines and Frame Relays Secure the "Wire"

Before the use of standards and commercialized encryption, securing transactions by transmitting them over a VPN (for example, from vendors Aventail and Neoteris), leased private lines or frame relays was the most popular way of conducting secure B2B transactions. This pattern, once common in large trading communities and in communities where trading partners are unwilling or unable to implement any B2B software, is still one of the simplest and most effective ways of securing the transport of B2B transactions between trusted trading partners. Additional security methods specifically addressing privacy (such as encryption and digital certificates) are needed, because in this pattern the emphasis is placed on securing the transport mechanism, not the actual destination (that is, "DMZ" or file servers) of the transaction. VPN technology, as well as direct leased lines and frame relays, is expensive, which puts this pattern out of reach for most small and midsize businesses.

SSL, S-HTTP and Web Browsers

The use of SSL and S-HTTP, in conjunction with Web forms hosted by one trading partner, offers a simple way of securing B2B transactions by securing the transport layer. SSL and S-HTTP are mature protocols that are widely deployed and embedded in all Web browsers. For the end user, the use of browser technology means no installed software and low maintenance and support costs. However, the trading partner hosting the Web forms must dedicate resources to develop and maintain a Web portal and the SSL or S-HTTP servers.

Putting the Different Security Solutions in Perspective

To date, no single security solution can address the requirements for all categories of trading partners, large and small, and with different levels of IT sophistication. To illustrate the challenge, we have mapped the various security solutions described above against our model for large supply chain communities (see Table 1 and "Business Strategy Drives B2B Connectivity Choices").
Table 1: Patterns for B2B Security
Typical Integration Scenarios for Supply Chain Integration From the Point of View of the Channel Master

Criterion | Most strategic and private | Mixed model/hybrid | Least strategic/public
Strategic Importance | High | Medium | Low
Relationship Value and Differentiation | High | Medium | Low
Level of Trust and Risk | High | Medium | Low
Level of Trading-Partner IT Sophistication | High | Medium | Low
Number of Trading Partners "On-Boarded" | Few | Varies | Many
Willingness to Outsource | Low | Varies | High
Focus of Integration | Application integration or document exchange | Application integration or document exchange | Application integration or document exchange

Fit of each security pattern (the table's fit marks did not survive extraction; only the qualifiers below are recoverable):
- Proprietary Security: Mixed model/hybrid and Least strategic/public: Not a good fit (too complex for most trading partners)
- Standards-Based Security, Encryption Security, Safe Transport Security: the qualifiers "(but requires broad ..." (four occurrences) and "if embedded" belong to these rows; which cell carries which cannot be recovered
- Encryption Security: Least strategic/public: Not a good fit (not likely that many enterprises will use the same certificate authority)
- Safe Transport Security: Least strategic/public: Not a good fit (not likely that many enterprises will use the same transport)
- SSL Security: two of the three columns carry the qualifier "(but not for high-value transactions)"

Source: Gartner Research (July 2003)

Although a small, trusted group of trading partners can probably agree to deploy almost any security solution, the challenge is scale-up, that is, getting larger numbers of trading partners to agree on the same security standards, certificate authority or transport. Standards-based security is the most promising solution, but it lacks sufficient maturity (specifications are a work in progress) and adoption. SSL, while ubiquitous, does not have the granularity for high-value or high-sensitivity transactions.

Through 2008, nearly all trading communities will use SSL to meet diverse trading-partner requirements (0.7 probability).

Through 2008, 60 percent of all trading communities will use SSL in addition to at least one other security solution (for example, VPN, AS2, ebMS, WS-Security) to meet diverse trading-partner requirements (0.8 probability).
Acronym Key
AS2     Applicability Statement 2
B2B     business-to-business
ebMS    ebXML Messaging Services
ebXML   Electronic Business XML
PKI     public-key infrastructure
S-HTTP  Secure Hypertext Transport Protocol
SIFT    Secure Internet File Transfer
SSL     Secure Sockets Layer
VPN     virtual private network
XKMS    XML Key Management Specification
XML     Extensible Markup Language

Bottom Line: Midsize to large trading communities (50 partners or more) and communities with diverse security requirements should consider a combination of two or more business-to-business security solutions to secure their transactions, for example, virtual private network/Secure Sockets Layer, Applicability Statement 2/SSL, or digital certificates/Secure Hypertext Transport Protocol. Smaller trading communities or communities with less diverse requirements can choose a security solution that best complements the value of the transactions (for example, digital certificates for high-value transactions or SSL for moderate-value transactions).