Beyond the Password

By Jeff Nigriny

Today supply chains by their very nature require proprietary information to be passed from entity to entity up and down the chain — in the form of product designs, bills of material, financial transactions and more. As the process of bringing products to market increasingly takes place globally, and often with hundreds of partners, the need for secure information sharing across the distributed manufacturing enterprise rises significantly.

A century ago sharing data meant copying the information by hand or perhaps retyping it. The labor intensity and the related costs meant that the need to share the data really had to exist to justify the effort. Mimeographs, photocopiers, fax machines and eventually the Internet turned the information-sharing model of the last century 180 degrees. Today not only is producing unlimited numbers of perfect copies possible, it is virtually effortless to do so and to instantly send the copied information anywhere and to any number of people. Little thought was given to the security ramifications of such capabilities as they evolved; like most parts of the human experience, we had to learn the need to control instant data dissemination the hard way, i.e., only recognizable loss raised the awareness.

Compliance, competition and cost have put data security on the action list for most organizations today. Many companies have implemented security that protects their data adequately and/or bought insurance to transfer risk that would have been more costly to mitigate directly. These actions, while a step in the right direction, unfortunately fall short in the face of today's widely distributed global manufacturing networks.

Tomorrow's challenge — which needs to be addressed today — requires that manufacturers focus outside the four walls of their organizations. If you are a manufacturer, you must determine who in your supply chain is adequately addressing the data risk and, of those who have, how similar is their security stature to your organization's concept of a minimum baseline of protection? And once policy is agreed upon, the real challenges begin: Consider how much time and effort the IT organization puts into making an enterprise's systems work together. Having systems interoperate with partners is even more daunting. It is this reality that is driving an emerging model of supply chain security, one based on enterprise-level authentication and authorization.

How We Got Here

Information security boils down to three actors: the data asset, the owner and some person and/or group with whom the owner wishes to share the data. Focusing on securing the data makes good sense as the first step. So for years companies have worked on making sure that the data, while in transit across a network, was secure. VeriSign and others built entire companies on the success of secure sockets layer (SSL) certificates for Web servers. More recently, with the advent of regulations such as Sarbanes-Oxley in the United States, personal and proprietary information, such as credit card data stored in databases or on backup tapes, must be encrypted, addressing security for "data at rest."

What has been vastly neglected, at least until recently, was the authentication piece, i.e. assurance that "Bob" — the person doing business online — is really Bob.

An example: Consider how credit cards work. When used in a point-of-sale scenario, the card is swiped. That performs only two of the three necessary steps. It validates that the card has not been revoked (for whatever reason, including expiration). And the amount of the transaction is queried against the available credit to see if it will "fit." Where is the authentication in this? At no point did anyone ask if the person who offered the card is the "owner" of the card. The signature collected is only for non-repudiation purposes and is not looked at by the sales representative or the automated grocery checkout machine.

That's not to say that the authentication question has not been tackled for information security in the supply chain; it has, albeit in a suboptimal way. Myriad applications have been created to authenticate each user natively, i.e., each program on a computer or in a network attempts to "know" all its users and recognize them when they ask for access. This has led to countless disparate authentication implementations and even greater numbers of unique — but ultimately redundant — user stores; how many passwords and user IDs do you need to do your job? "Complexity is the enemy of security" is a common mantra amongst security practitioners, but practicing what we preach is easier said than done.

Authentication is only the beginning, however. Moving security strategies ahead may be best facilitated by studying what could be and then taking a more pragmatic look at what is and what was. That initial phase of defining all the possibilities is called a "green field" scenario by some and is critical to reducing the influence of current limitations.

The Art of Information Sharing and the State of IT

Present thinking about supply chain security is often described as a best-case scenario, ready to excuse the obstacles of legacy systems and corporate cultures resistant to change. Fans of Harvard Business School case studies will be familiar with what it takes to tear down those barriers for large, complex organizations: a clear, compelling case for competitive advantage.

The security models and techniques that follow are radical enough to represent disruptive technologies in larger organizations, the key ingredient in creating an opportunity to gain competitive advantage. While it is perhaps unusual to think of IT security as being an area where competitive advantage could occur, that is just part of what makes this new model so disruptive. For the risk averse there is also good news. The new models and techniques have already been widely accepted as the only realistic way to solve the problems of identity, authentication and access control amongst government and industry security organizations alike.

I'm Me, Says Him, Trust Us

A new model that eliminates the current role of applications in performing authentication and holding accounts for each user is being rolled out in pilot projects in the aerospace and defense (A&D) industry with the U.S., U.K. and Netherlands defense agencies. This breakthrough approach is built on one central theme: each employer acts as a source of authority for employees (small to medium enterprises can be handled through a trusted third party acting as a proxy for the employer).

The case for this concept of federated identity can be illustrated by the following example.

The Boeing Company's Future Combat Systems program (FCS) has a very large supply chain and is representative of almost every other large A&D program today. Boeing, to date, has provisioned accounts for each of the individuals at each of their suppliers assigned to the FCS program in the IT systems that support it. When a supplier wants to gain access to that IT system, they access the site, respond to an authentication challenge and are granted or denied access accordingly. While this model correctly gives Boeing control over access (i.e. the authorization decision), there are three major challenges:

1. Boeing acts as the source of authority for the identity of all members of its supply chain despite being in a far worse position to know anything about the individuals compared to their actual employers.

2. If you further consider that a trust relationship exists between Boeing and its suppliers via a contract that was executed in support of the specific program and that the individual would have already logged into his/her home network at their desktop prior to requesting access to the remote Boeing system, the opportunities to reduce redundancies become immediately apparent.

3. Boeing must provision a separate account for each person in the FCS systems. Should an individual forget his/her password or require an update to any personal attributes, Boeing must expend resources to service this request. If something changes in the individual's status with his/her employer for whatever reason, Boeing is dependent on the partner's organization to remember to update Boeing so that access revocation can occur. This last point is one of the largest risks in IT security today throughout the supply chain.

Identity federation provides a solution to all these problems and, when combined with a single strong credential that is leveraged with all partners, eliminates the inherent risk found in today's password-based approach for authentication.

Raising the Bar on Authentication

For companies looking to be at the forefront of security in the supply chain (and create competitive advantage for themselves in the near term), implementing a compliant system can pay great dividends. The first step is to identify a scenario in which data sharing is or needs to occur with external partners (other disparate business units can work as well in larger organizations). Next, define what information is needed about each individual who will use the system. Typical identity attributes that applications want to "know" before providing access include:

  • Organization affiliation
  • Business unit affiliation
  • Job title and/or job role
  • Citizenship
  • Geographic location

There are two items of interest to note about the list above. First, these attributes are of obvious value and use to a relying party application. Second, the individual's name is not listed. The point here is that what is "interesting" about an individual to a supply chain application has everything to do with their role and their organizational affiliation and virtually nothing to do with what is interesting from a human interaction perspective. The individual's name will almost always be captured for purposes of an audit log, but it will not be a factor in identifying or authorizing him or her.

This brings us to a fundamental tenet of security that has been swept under the carpet for a very long time: authenticating someone simply tells me that I'm really talking to "Bob." Authorizing "Bob" means that we need to determine what he can and can't do in our system, and that is a far greater challenge to do in a scalable way.
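The federation flow described in the Boeing FCS discussion and the attribute list above can be shown end to end in code. The following is an added example, not code from the article, TSCP, Boeing or Exostar: each employer (the identity provider) issues a short-lived, signed assertion carrying the attributes a relying party cares about, and the relying party verifies the assertion against the issuers it has a contract with and authorizes purely on attributes. The employer names, resource names, attribute values and policy rules are constructed; a per-partner HMAC key stands in for the X.509 signature a real SAML/PKI federation would use.

```python
import hashlib
import hmac
import json
import time

# Constructed sample: the relying party holds one verification key per federated
# employer. This set is the technical expression of "who we have a contract with";
# an employer that stops issuing assertions needs no account deprovisioning here.
# Assumption: HMAC keys stand in for the signing certificates a PKI federation uses.
PARTNER_KEYS = {
    "supplier-a.example": b"constructed-key-for-supplier-a",
    "supplier-b.example": b"constructed-key-for-supplier-b",
}

RELYING_PARTY = "fcs-portal.example"   # hypothetical audience identifier
ASSERTION_TTL = 300                    # seconds; short-lived so revocation needs no callback


def _canonical(payload: dict) -> bytes:
    """Stable byte encoding so issuer and verifier sign the same thing."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(issuer, key, subject_name, attributes, audience, now=None):
    """Employer side: assert attributes about an already-logged-in employee."""
    now = int(time.time()) if now is None else now
    payload = {
        "iss": issuer, "aud": audience, "iat": now, "exp": now + ASSERTION_TTL,
        "sub": subject_name,          # name: kept for the audit log only
        "attrs": attributes,          # organization, business unit, role, citizenship, location
    }
    sig = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def verify_assertion(assertion, now=None):
    """Relying party side: is this really an assertion from a contracted employer?"""
    now = int(time.time()) if now is None else now
    payload = assertion["payload"]
    key = PARTNER_KEYS.get(payload.get("iss"))
    if key is None:
        return None, "unknown issuer"
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None, "bad signature"
    if payload.get("aud") != RELYING_PARTY:
        return None, "wrong audience"      # assertion was minted for some other system
    if not (payload["iat"] <= now < payload["exp"]):
        return None, "expired"
    return payload, "ok"


# Constructed authorization policy keyed on attributes, never on the person's name.
POLICY = {
    "fcs-design-docs": {"roles": {"design-engineer", "program-manager"}, "citizenship": {"US"}},
    "fcs-schedule":    {"roles": {"program-manager", "scheduler"},       "citizenship": None},
}


def authorize(assertion, resource, now=None):
    """Authentication (who) is settled by verify_assertion; this decides what."""
    payload, reason = verify_assertion(assertion, now)
    if payload is None:
        return False, f"authentication failed: {reason}"
    rule = POLICY.get(resource)
    if rule is None:
        return False, "unknown resource"
    attrs = payload["attrs"]
    if attrs.get("role") not in rule["roles"]:
        return False, "role not permitted"
    if rule["citizenship"] and attrs.get("citizenship") not in rule["citizenship"]:
        return False, "citizenship not permitted"
    # The name is recorded for audit, but it played no part in the decision above.
    audit = f"{payload['sub']} ({attrs.get('organization')}/{attrs.get('role')}) -> {resource}: allow"
    return True, audit


if __name__ == "__main__":
    key = PARTNER_KEYS["supplier-a.example"]
    bob = {"organization": "supplier-a.example", "business_unit": "avionics",
           "role": "design-engineer", "citizenship": "US", "location": "Seattle, WA"}
    assertion = issue_assertion("supplier-a.example", key, "Bob Example", bob, RELYING_PARTY)
    print(authorize(assertion, "fcs-design-docs"))
    print(authorize(assertion, "fcs-schedule"))
```

Two design points map directly to the three challenges in the FCS example: the relying party holds no per-person account, only a key per contracted employer, and the short expiry means a departed employee loses access when the employer stops re-issuing, without anyone remembering to notify the relying party.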

Authorizing: What It Takes to Secure the 21st Century Supply Chain

The Transglobal Secure Collaboration Programme (www.tscp.org) has spent the last five years working on this very issue. The group began with a simple-sounding scope: define secure data sharing/collaboration along the entire supply chain, even when it starts with a government customer. It has been a long and winding journey that has counted as its first accomplishment the A&D Public Key Infrastructure (PKI) bridge spun out as CertiPath (www.certipath.com), which equates one identity provider's PKI implementation to another.
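What a PKI bridge does mechanically is worth seeing, since "equates one PKI to another" hides two steps: discovering a certificate path from the relying party's own trust anchor through the bridge's cross-certificates, and mapping each organization's assurance-level policy name onto the next one's along that path. The following is an added toy model, not CertiPath's or TSCP's code, and makes no claim about their actual policy identifiers: the CA names, cross-certificates and policy names are all constructed, and the search is a simplified version of the path-building and policy-mapping logic a real RFC 5280 validator performs.

```python
from collections import deque

# Constructed toy bridge PKI. Each tuple is a cross-certificate "issuer -> subject"
# carrying a policy mapping: {issuer's policy name: equivalent subject policy name}.
# Names and policy identifiers are invented for illustration.
CROSS_CERTS = [
    ("RelyingPartyRoot", "Bridge", {"rp-medium-hw": "bridge-medium-hw"}),
    ("Bridge", "RelyingPartyRoot", {"bridge-medium-hw": "rp-medium-hw"}),
    ("Bridge", "SupplierRoot", {"bridge-medium-hw": "supplier-hw-token"}),
    ("SupplierRoot", "Bridge", {"supplier-hw-token": "bridge-medium-hw"}),
    ("SupplierRoot", "SupplierIssuingCA", {"supplier-hw-token": "supplier-hw-token"}),
    # A weaker supplier policy exists, but nothing maps the bridge's hardware level onto it.
    ("SupplierRoot", "SupplierIssuingCA", {"supplier-password": "supplier-password"}),
]


def build_path(trust_anchor, target_ca, required_policy):
    """Breadth-first search from our trust anchor to the CA that issued the peer's
    certificate, following only cross-certs that map the policy we require.
    Returns (list of CA names, policy name as expressed in the target's PKI)."""
    queue = deque([(trust_anchor, required_policy, [trust_anchor])])
    seen = {(trust_anchor, required_policy)}
    while queue:
        ca, policy, path = queue.popleft()
        if ca == target_ca:
            return path, policy
        for issuer, subject, mapping in CROSS_CERTS:
            if issuer != ca or policy not in mapping:
                continue
            state = (subject, mapping[policy])
            if state in seen:
                continue          # bridges cross-certify in both directions; avoid loops
            seen.add(state)
            queue.append((subject, mapping[policy], path + [subject]))
    return None, None


def validate_peer_cert(peer_cert, trust_anchor, required_policy):
    """Accept a partner's certificate only if a path exists from our own anchor and
    the partner's policy is the one our required level maps to along that path."""
    path, mapped_policy = build_path(trust_anchor, peer_cert["issuer"], required_policy)
    if path is None:
        return False, "no trust path"
    if peer_cert["policy"] != mapped_policy:
        return False, "policy mismatch"
    return True, " -> ".join(path)


if __name__ == "__main__":
    bob_cert = {"subject": "Bob Example", "issuer": "SupplierIssuingCA", "policy": "supplier-hw-token"}
    print(validate_peer_cert(bob_cert, "RelyingPartyRoot", "rp-medium-hw"))
```

The relying party configures exactly one trust anchor (its own root) and one required assurance level; every partner reached through the bridge is validated against that level without the relying party having to learn each partner's PKI by hand.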

More recently the group has completed the first of its target collaborative capabilities (TCC), a set of data schemas, policies and technologies that, when implemented at multiple participants, will provide interoperability for that capability. A secure e-mail implementation that supports high-value data attachments, such as the U.K. Ministry of Defence's restricted information, will be released to the public later this year. A specification on a common approach to identity and data federation is being demonstrated in a technology proof of concept now.

The most important thing about groups like the TSCP is that the supply chain is defining requirements for itself. Companies such as Northrop Grumman, EADS/Airbus and The Boeing Company sit at the same table as the Netherlands and U.K. ministries of defense and the U.S. Department of Defense to hash out exactly what it will take to get to a level of common security commensurate with the value of the data being shared in the supply chain. These tier-one companies and major governments have made substantial investments to bring about this new model and, like most things in A&D, have tested, tested and re-tested the model.

We are still three to four years away from virtually everyone in the supply chain having a single, hardware-based token (likely a smartcard, such as the ones citizens carry in Europe and other parts of the world, which also act as credit cards), but the technology is coming. One day, we'll arrive at work — wherever that may be — and use a single card to gain physical access to the building and perhaps the office. We will sit down and log into the computer, and that may very well be the last time that day we're given an authentication challenge. From that point forward, the user experience will be a very expansive single sign-on effect. The security value though is considerably greater — we will know who "Bob" is and, more importantly, what "Bob" is authorized to do, finally addressing one of the biggest holes in securing critical information across the entire supply chain.

About the Author: Jeff Nigriny is outreach director for the Transglobal Secure Collaboration Programme and chief security officer for Exostar. He can be reached at jeff.nigriny@certipath.com.