By Jeff Nigriny
Today's supply chains, by their very nature, require proprietary information to be passed from entity to entity up and down the chain, in the form of product designs, bills of material, financial transactions and more. As the process of bringing products to market increasingly takes place globally, often with hundreds of partners, the need for secure information sharing across the distributed manufacturing enterprise rises significantly.
A century ago sharing data meant copying the information by hand or perhaps retyping it. The labor involved and the related costs meant that a real need to share the data had to exist to justify the effort. Mimeographs, photocopiers, fax machines and eventually the Internet turned the information-sharing model of the last century 180 degrees. Today it is not only possible to produce unlimited numbers of perfect copies, it is virtually effortless to do so and to send them instantly anywhere and to any number of people. Little thought was given to the security ramifications of these capabilities as they evolved; as in most areas of human experience, we learned the need to control instant data dissemination the hard way, only after recognizable losses raised awareness.
Compliance, competition and cost have put data security on the action list for most organizations today. Many companies have implemented security that protects their data adequately and/or bought insurance to transfer risk that would have been more costly to mitigate directly. These actions, while a step in the right direction, unfortunately fall short in the face of today's widely distributed global manufacturing networks.
Tomorrow's challenge, which needs to be addressed today, requires that manufacturers look beyond the four walls of their own organizations. If you are a manufacturer, you must determine which partners in your supply chain are adequately addressing data risk and, of those who are, how closely their security posture matches your organization's minimum baseline of protection. And once policy is agreed upon, the real challenges begin. Consider how much time and effort an IT organization puts into making an enterprise's own systems work together; making those systems interoperate with partners' systems is even more daunting. It is this reality that is driving an emerging model of supply chain security, one based on enterprise-level authentication and authorization.
How We Got Here
Information security boils down to three elements: the data asset, its owner and the person or group with whom the owner wishes to share it. Focusing on securing the data makes good sense as the first step. So for years companies worked on making sure that data was secure while in transit across a network; VeriSign and others built entire businesses on the success of secure sockets layer (SSL) certificates for Web servers. More recently, regulations and industry mandates such as Sarbanes-Oxley in the United States and the Payment Card Industry Data Security Standard (PCI DSS) have pushed companies to protect "data at rest" as well, for example by encrypting personal and proprietary information such as credit card data stored in databases or on backup tapes.
What has been vastly neglected, at least until recently, is the authentication piece, i.e., assurance that "Bob," the person doing business online, is really Bob.
An example: Consider how credit cards work. When used at a point of sale, the card is swiped. That performs only two of the three necessary steps. The swipe validates that the card has not been revoked (for whatever reason, including expiration), and the transaction amount is queried against the available credit to see if it will "fit." Where is the authentication in this? At no point did anyone check whether the person presenting the card is its owner. The signature collected serves only non-repudiation purposes and is not examined by the sales representative or the automated grocery checkout machine.
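To make the gap concrete, here is an added toy model of the swipe flow described above. It is illustrative code written for this article, not anything from a real payment network: the issuer table, card numbers, secrets and amounts are constructed, and the "cardholder proof" step is a simplified stand-in for the kind of per-transaction cryptogram a chip card or cardholder device can compute. The first function performs only the two checks the swipe performs; the second adds the missing third step, authentication of the presenter.

```python
"""Toy model of card authorization with and without cardholder authentication.

Constructed example for illustration only. The issuer records, card numbers,
secrets and dates below are made up; nothing here reflects a real network.
"""
import hashlib
import hmac
from datetime import date

# Constructed issuer records: card number -> status, credit and a per-card secret
# that (in the model) never leaves the card, so a copied magnetic stripe lacks it.
ISSUER_CARDS = {
    "4111111111111111": {"expires": date(2030, 12, 31), "revoked": False,
                         "credit": 500.00, "secret": b"card-secret-A"},
    "4222222222222222": {"expires": date(2020, 1, 31), "revoked": False,
                         "credit": 9000.00, "secret": b"card-secret-B"},
    "4333333333333333": {"expires": date(2030, 1, 31), "revoked": True,
                         "credit": 9000.00, "secret": b"card-secret-C"},
}


def authorize_swipe(card_number, amount, today=date(2025, 1, 1)):
    """The two checks a plain swipe performs: card status and available credit.

    Nothing in this function establishes that the person presenting the card
    is the cardholder; anyone holding the number passes.
    """
    card = ISSUER_CARDS.get(card_number)
    if card is None:
        return "declined: unknown card"
    if card["revoked"] or today > card["expires"]:
        return "declined: card revoked or expired"
    if amount > card["credit"]:
        return "declined: insufficient credit"
    return "approved"


def cardholder_proof(secret, card_number, amount, nonce):
    """Proof of possession: a MAC over this specific transaction keyed with the
    card's secret. The nonce must be fresh per transaction (issuer-generated in
    practice) so that a captured proof cannot be replayed."""
    msg = f"{card_number}|{amount:.2f}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def authorize_with_authentication(card_number, amount, nonce, proof,
                                  today=date(2025, 1, 1)):
    """Same two checks, plus the third step the article says is missing:
    verify that the presenter can prove possession of the card's secret for
    exactly this transaction (number, amount and nonce)."""
    result = authorize_swipe(card_number, amount, today)
    if result != "approved":
        return result
    expected = cardholder_proof(ISSUER_CARDS[card_number]["secret"],
                                card_number, amount, nonce)
    # Constant-time comparison so the check does not leak the expected value.
    if not hmac.compare_digest(expected, proof):
        return "declined: cardholder not authenticated"
    return "approved"


if __name__ == "__main__":
    # A thief with a copied stripe (number only) passes the swipe checks...
    print(authorize_swipe("4111111111111111", 42.00))
    # ...but cannot produce a valid proof without the card's secret.
    print(authorize_with_authentication("4111111111111111", 42.00, "nonce-1", "0" * 64))
    # The genuine card can, and the proof is bound to the amount it was made for.
    good = cardholder_proof(b"card-secret-A", "4111111111111111", 42.00, "nonce-1")
    print(authorize_with_authentication("4111111111111111", 42.00, "nonce-1", good))
    print(authorize_with_authentication("4111111111111111", 43.00, "nonce-1", good))
```

The point of the model is the asymmetry: revocation and credit checks answer questions about the card, while the proof answers a question about the presenter. Binding the proof to the amount and a fresh nonce is what stops a captured proof from being reused for a different purchase.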