Beyond the Password

Tackling the challenge of data security for the global supply chain

September 10, 2007

By Jeff Nigriny

Today supply chains by their very nature require proprietary information to be passed from entity to entity up and down the chain — in the form of product designs, bills of material, financial transactions and more. As the process of bringing products to market increasingly takes place globally, and often with hundreds of partners, the need for secure information sharing across the distributed manufacturing enterprise rises significantly.

A century ago sharing data meant copying the information by hand or perhaps retyping it. The labor intensity and the related costs meant that the need to share the data really had to exist to justify the effort. Mimeographs, photocopiers, fax machines and eventually the Internet turned the information-sharing model of the last century 180 degrees. Today not only is producing unlimited numbers of perfect copies possible, it is virtually effortless to do so and to instantly send the copied information anywhere and to any number of people. Little thought was given to the security ramifications of such capabilities as they evolved; like most parts of the human experience, we had to learn the need to control instant data dissemination the hard way, i.e., only recognizable loss raised the awareness.

Compliance, competition and cost have put data security on the action list for most organizations today. Many companies have implemented security that protects their data adequately and/or bought insurance to transfer risk that would have been more costly to mitigate directly. These actions, while a step in the right direction, unfortunately fall short in the face of today's widely distributed global manufacturing networks.

Tomorrow's challenge — which needs to be addressed today — requires that manufacturers focus outside the four walls of their organizations. If you are a manufacturer, you must determine who in your supply chain is adequately addressing the data risk and, of those who have, how similar is their security stature to your organization's concept of a minimum baseline of protection? And once policy is agreed upon, the real challenges begin: Consider how much time and effort the IT organization puts into making an enterprise's systems work together. Having systems interoperate with partners is even more daunting. It is this reality that is driving an emerging model of supply chain security, one based on enterprise-level authentication and authorization.

How We Got Here

Information security boils down to three actors: the data asset, the owner and some person and/or group with whom the owner wishes to share the data. Focusing on securing the data makes good sense as the first step. So for years companies have worked on making sure that the data, while in transit across a network, was secure. VeriSign and others built entire companies on the success of secure sockets layer (SSL) certificates for Web servers. More recently, with the advent of regulations such as Sarbanes-Oxley in the United States, personal and proprietary information, such as credit card data stored in databases or on backup tapes, must be encrypted, addressing security for "data at rest."

What has been vastly neglected, at least until recently, was the authentication piece, i.e. assurance that "Bob" — the person doing business online — is really Bob.

An example: Consider how credit cards work. When used in a point-of-sale scenario, the card is swiped. That performs only two of the three necessary steps. It validates that the card has not been revoked (for whatever reason, including expiration). And the amount of the transaction is queried against the available credit to see if it will "fit." Where is the authentication in this? At no point did anyone ask if the person who offered the card is the "owner" of the card. The signature collected is only for non-repudiation purposes and is not looked at by the sales representative or the automated grocery checkout machine.

That's not to say that the authentication question has not been tackled for information security in the supply chain; it has, albeit in a suboptimal way. Myriad applications have been created to authenticate each user natively, i.e., each program on a computer or in a network attempts to "know" all its users and recognize them when they ask for access. This has led to countless disparate authentication implementations and even greater numbers of unique — but ultimately redundant — user stores; how many passwords and user IDs do you need to do your job? "Complexity is the enemy of security" is a common mantra amongst security practitioners, but practicing what we preach is easier said than done.

Authentication is only the beginning, however. Moving security strategies ahead may be best facilitated by studying what could be and then taking a more pragmatic look at what is and what was. That initial phase of defining all the possibilities is called a "green field" scenario by some and is critical to reducing the influence of current limitations.

The Art of Information Sharing and the State of IT

Present thinking about supply chain security is often described as a best-case scenario, ready to excuse the obstacles of legacy systems and corporate cultures resistant to change. Fans of Harvard Business School case studies will be familiar with what it takes to tear down those barriers for large, complex organizations: a clear, compelling case for competitive advantage.

The security models and techniques that follow are radical enough to represent disruptive technologies in larger organizations, the key ingredient in creating an opportunity to gain competitive advantage. While it is perhaps unusual to think of IT security as being an area where competitive advantage could occur, that is just part of what makes this new model so disruptive. For the risk averse there is also good news. The new models and techniques have already been widely accepted as the only realistic way to solve the problems of identity, authentication and access control amongst government and industry security organizations alike.

I'm Me, Says Him, Trust Us

A new model that eliminates the current role of applications in performing authentication and holding accounts for each user is being rolled out in pilot projects in the aerospace and defense (A&D) industry with the U.S., U.K. and Netherlands defense agencies. This breakthrough approach is built on one central theme: each employer acts as a source of authority for employees (small to medium enterprises can be handled through a trusted third party acting as a proxy for the employer).

The case for this concept of federated identity can be illustrated by the following example.

The Boeing Company's Future Combat Systems program (FCS) has a very large supply chain and is representative of almost every other large A&D program today. Boeing, to date, has provisioned accounts for each of the individuals at each of their suppliers assigned to the FCS program in the IT systems that support it. When a supplier wants to gain access to that IT system, they access the site, respond to an authentication challenge and are granted or denied access accordingly. While this model correctly gives Boeing control over access (i.e. the authorization decision), there are three major challenges:

1. Boeing acts as the source of authority for the identity of all members of its supply chain despite being in a far worse position to know anything about the individuals compared to their actual employers.

2. If you further consider that a trust relationship exists between Boeing and its suppliers via a contract that was executed in support of the specific program and that the individual would have already logged into his/her home network at their desktop prior to requesting access to the remote Boeing system, the opportunities to reduce redundancies become immediately apparent.

3. Boeing must provision a separate account for each person in the FCS systems. Should an individual forget his/her password or require an update to any personal attributes, Boeing must expend resources to service this request. If something changes in the individual's status with his/her employer for whatever reason, Boeing is dependent on the partner's organization to remember to update Boeing so that access revocation can occur. This last point is one of the largest risks in IT security today throughout the supply chain.

Identity federation provides a solution to all these problems and, when combined with a single strong credential that is leveraged with all partners, eliminates the inherent risk found in today's password-based approach for authentication.

¬

Raising the Bar on Authentication

For companies looking to be at the forefront of security in the supply chain (and create competitive advantage for themselves in the near term), implementing a compliant system can pay great dividends. The first step is to identify a scenario in which data sharing is or needs to occur with external partners (other disparate business units can work as well in larger organizations). Next, define what information is needed about each individual who will use the system. Typical identity attributes that applications want to "know" before providing access include:

  • Organization affiliation
  • Business unit affiliation
  • Job title and/or job role
  • Citizenship
  • Geographic location

There are two items of interest to note about the list above. First, they seem of such obvious value and use to a relying party application. Second, the individual's name is not listed. The point here is that what is "interesting" about an individual to a supply chain application has everything to do with their role and their organizational affiliation and virtually nothing to do with what is interesting from a human interaction perspective. The individual's name will almost always be captured for purposes of an audit log, but it will not be a factor in identifying or authorizing him or her.

This brings us to a fundamental tenant of security that has been swept under the carpet for a very long time: authenticating someone simply tells me that I'm really talking to "Bob." Authorizing "Bob" means that we need to determine what he can and can't do in our system, and that is a far greater challenge to do in a scalable way.

Authorizing: What It Takes to Secure the 21st Century Supply Chain

The Transglobal Secure Collaboration Programme (www.tscp.org) has spent the last five years working on this very issue. The group began with a simplistic sounding scope: define secure data sharing/collaboration along the entire supply chain, even when it starts with a government customer. It has been a long and winding journey that has counted as its first accomplishment the A&D Public Key Infrastructure (PKI) bridge spun out as CertiPath (www.certipath.com), which equates one identity provider's PKI implementation to another.

More recently the group has completed the first of its target collaborative capabilities (TCC), a set of data schemas, policies and technologies that, when implemented at multiple participants, will provide interoperability for that capability. A secure e-mail implementation that supports high-value data attachments, such as the U.K. Ministry of Defence's restricted information, will be released to the public later this year. A specification on a common approach to identity and data federation is being demonstrated in a technology proof of concept now.

The most important thing about groups like the TSCP is that the supply chain is defining requirements for itself. Companies such as Northrop Grumman, EADS/Airbus and The Boeing Company sit at the same table as the Netherlands and U.K. ministries of defense and the U.S. Department of Defense to hash out exactly what it will take to get to a level of common security commensurate with the value of the data being shared in the supply chain. These tier-one companies and major governments have made substantial investments to bring about this new model and, like most things in A&D, have tested, tested and re-tested the model.

We are still three to four years away from virtually everyone in the supply chain having a single, hardware-based token (likely a smartcard, such as citizens carry in Europe and other parts of the world and that acts as a credit card), but the technology is coming. One day, we'll arrive at work — wherever that may be — and use a single card to gain physical access to the building and perhaps the office. We will sit down and log into the computer and that very well maybe the last time that day we're given an authentication challenge. From that point forward, the user experience will be a very expansive single sign-on effect. The security value though is considerably greater — we will know who "Bob" is and, more importantly, what "Bob" is authorized to do, finally addressing one of the biggest holes in securing critical information across the entire supply chain.

About the Author: Jeff Nigriny is outreach director for the Transglobal Secure Collaboration Programme and chief security officer for Exostar. He can be reached at [email protected].

Recommended
Women In Supply Chain Vertical Color
Nominations Close June 7 for 2024 Women in Supply Chain Award
This award recognizes female supply chain leaders and executives whose accomplishments set a foundation for women in all levels of a company’s supply chain network. Submissions close June 7!
April 1, 2024
Adobe Stock 323829328
Alexis Asks: The Surge of E-Commerce Shipping
Managing editor Alexis Mizell-Pleasant asks industry experts about various topics developing in the supply chain field. Strategies that implement efficiency enhancing tools will be the ones to keep up in the coming years.
April 12, 2024
Adobe Stock 207220202
SCN Summit: State of the Supply Chain
June 4, 2024
Register
Register now to hear from experts about the State of Today’s Supply Chains through topics revolve around Warehouse Automation, Generative AI, Automation, Electrification, Company Culture and more.
Latest
Adobe Stock 373927171
Cleo's Business Commitment Monitoring for Logistics
This solution offers actionable data and proactive response solution designed to ensure that logistics companies’ business commitments are never missed.
April 15, 2024
Adobe Stock 413459012
Prophet.ai for Supply Chain Intelligence
his module utilizes AI to eliminate the guesswork associated with New Product Introduction (NPI) and Last Time Buy (LTB), allowing for much sharper decisions and better savings on service parts spend.
April 12, 2024
Adobe Stock 364177684
ECI Software Solutions Announces Quality Management Solution
ECI Software Solutions announces that its job shop product, JobBOSS2, now integrates uniPoint to deliver advanced quality management and enhanced customer service.
April 12, 2024
Adobe Stock 589591429 (1)
Sayari Launches New Supply Chain Mapping Solution
Sayari launches Sayari Map, a supply chain mapping and risk screening solution aimed at enhancing visibility into complex global supply chains.
April 10, 2024
Adobe Stock 357875609
Economy Overtakes Supply Chain Challenges as Innovation Roadblocks
Report finds respondents expect to slowly close the door on pandemic-related product development challenges, namely material shortages and supply chain disruption.
April 10, 2024
Adobe Stock 575340550
Tower Cold Chain Launches Live Tracking and Monitoring
Tower Cold Chain unveils live tracking feature in collaboration with ELPRO to enhance Tower's advanced passive temperature-controlled containers, offering customers near real-time insights into their shipments.
April 9, 2024
Adobe Stock 202513980
Panasonic Connect Highlights New Automated Manufacturing Solution
Panasonic Connect North America introduces new NPM-GH Pick-and-Place machine. The robotic surface-mount technology is the latest addition to Panasonic Connect’s autonomous factory lineup.
April 9, 2024
Adobe Stock 364357187 (1)
Dow Jones Risk & Compliance Deploys Generative AI to Transform Due Diligence
Dow Jones Integrity Check is a fully automated solution that goes beyond screening to identify risks and red flags from thousands of data sources.
April 9, 2024
Adobe Stock 498287166
Implementing PLI Proves Vital in Sustainable Product Design
A Makersite study reveals over half of organizations’ sustainability efforts are driven by regulations despite the benefits from adopting more sustainable product lifecycle intelligence (PLI).
April 8, 2024
Adobe Stock 123832218
LogiNext Transforms Driver Well-being and Operational Efficiency
The introduction of this feature is aimed at enhancing the financial well-being of drivers worldwide while ensuring maximum operational efficiency for the organizations.
April 8, 2024
Adobe Stock 479718287
Acquisition Broadens Stord's DTC and B2B Fulfillment Capabilities
By integrating ProPack's extensive network and expertise, Stord expands its reach and capabilities, further enhancing its logistics infrastructure and services to its customers.
April 5, 2024
Lexx500 Demo #1
Scalable Mobile Robot Conveyancing Technology in the U.S.
With its Lexx500 autonomous mobile robot and LexxFleet, the fleet management system, LexxPluss aims to solve problems by creating sustainability through the use of automation and other technologies.
April 5, 2024
Flow Visualization Mockup
Log-hub 4.1 Update Elevates Supply Chain Optimization Features
Log-hub announces the release of Log-hub 4.1, marking a significant advancement in its mission to empower businesses with transformative tools for operational excellence.
April 3, 2024
Adobe Stock 231617101
While 68% of Consumers Lack Loyalty to Fintech Brands, Rewards Can Help
Tillo releases its "Bridging the Loyalty Gap: Consumer Insights for Fintech Engagement and Growth" study, unveiling that 68% of consumers feel no loyalty to fintech companies at this time.
April 3, 2024
Adobe Stock 260955661
Netstock Launches Excess Redistribution to Help Optimize Inventory
Excess Redistribution analyzes an organization’s existing and forecasted stock, enabling planners to intelligently relocate and rebalance supply to best meet demand and free up working capital.
April 2, 2024
360mod
380 Modular Vision Tunnel Expands the Capabilities of Logistics Operations
Cognex Corporation introduces the 380 Modular Vision Tunnel, a new addition to the Modular Vision Tunnel portfolio.
March 27, 2024
Adobe Stock 751070517
77% of Consumers Will Abandon Retailers After a Failed Big and Bulky Delivery
This report discusses how the 'big and bulky' retail landscape has undergone unparalleled transformations in recent years due to shifts in consumer behavior.
March 27, 2024
Adobe Stock 402917884
NMFTA’s Digital LTL Council Announces eBOL 2.1
The latest update to the established electronic bill of lading (eBOL) standard was created by the Council in response to industry feedback.
March 26, 2024
Adobe Stock 232882056
BeyondTrucks Launches New Fuel Transport Solution with Inventory Monitoring Feature
The BeyondTrucks solution digitizes and centralizes all inventory readings from various customers in one place, allowing for real-time monitoring, order point reevaluation and automated order generation.
March 26, 2024
Adobe Stock 331250904
Study Finds 94% of Manufacturers Expect to Maintain or Expand Their Workforce
This year’s State of Smart Manufacturing Report reveals a focus on harnessing new and emerging technologies to build resiliency, improve quality, maximize workforce potential and drive sustainable growth.
March 26, 2024
Adobe Stock 386084355
Digital River Unveils eCompass Tool to Optimize Strategic Growth
Acting as the central command center for strategic growth, eCompass gives brands smarter, faster decision-making capabilities, right at their fingertips.
March 26, 2024
Adobe Stock 560466427
RELEX Advances Gen AI Capabilities to Unlock Faster Data-driven Decision Making
This evolution from RELEX-GPT to Rebot marks a significant advancement, offering users even more powerful and intuitive tools for optimizing their supply chain and retail operations.
March 25, 2024
Adobe Stock 321999244 (1)
LocusHub Engine Offers Insightful, AI-Powered Warehouse Intelligence
LocusHub, an integral component of the LocusOne platform, harnesses advanced analytics, artificial intelligence (AI) and machine learning.
March 25, 2024
Adobe Stock 480305078 (2)
Pramac and BlueBotics Launch Line of ANT Driven Mobile Robots
Pramac and BlueBotics partner, which sees BlueBotics providing ANT navigation technology and fleet management software for Pramac’s new line of X-ACT mobile logistics robots.
March 25, 2024