That's not to say that the authentication question has not been tackled for information security in the supply chain; it has, albeit in a suboptimal way. Myriad applications have been created to authenticate each user natively, i.e., each program on a computer or in a network attempts to "know" all its users and recognize them when they ask for access. This has led to countless disparate authentication implementations and even greater numbers of unique — but ultimately redundant — user stores; how many passwords and user IDs do you need to do your job? "Complexity is the enemy of security" is a common mantra amongst security practitioners, but practicing what we preach is easier said than done.
Authentication is only the beginning, however. Moving security strategies ahead may be best facilitated by studying what could be and then taking a more pragmatic look at what is and what was. That initial phase of defining all the possibilities is called a "green field" scenario by some and is critical to reducing the influence of current limitations.
The Art of Information Sharing and the State of IT
Present thinking about supply chain security is often dismissed as a best-case scenario, one readily excused away by the obstacles of legacy systems and corporate cultures resistant to change. Fans of Harvard Business School case studies will be familiar with what it takes to tear down those barriers in large, complex organizations: a clear, compelling case for competitive advantage.
The security models and techniques that follow are radical enough to represent disruptive technologies in larger organizations, the key ingredient in creating an opportunity to gain competitive advantage. While it is perhaps unusual to think of IT security as being an area where competitive advantage could occur, that is just part of what makes this new model so disruptive. For the risk averse there is also good news. The new models and techniques have already been widely accepted as the only realistic way to solve the problems of identity, authentication and access control amongst government and industry security organizations alike.
I'm Me, Says Him, Trust Us
A new model that eliminates the current role of applications in performing authentication and holding accounts for each user is being rolled out in pilot projects in the aerospace and defense (A&D) industry with the U.S., U.K. and Netherlands defense agencies. This breakthrough approach is built on one central theme: each employer acts as a source of authority for employees (small to medium enterprises can be handled through a trusted third party acting as a proxy for the employer).
The case for this concept of federated identity can be illustrated by the following example.
The Boeing Company's Future Combat Systems (FCS) program has a very large supply chain and is representative of almost every other large A&D program today. To date, Boeing has provisioned an account in the IT systems that support FCS for every individual at every supplier assigned to the program. When a supplier employee wants to use one of those systems, he or she goes to the site, answers an authentication challenge and is granted or denied access accordingly. This model correctly leaves Boeing in control of access (i.e. the authorization decision), but it has three major weaknesses:
1. Boeing acts as the source of authority for the identity of every member of its supply chain, despite being in a far worse position than their actual employers to know who those individuals are or whether they still work there.
2. A trust relationship already exists between Boeing and each supplier, established by the contract for the specific program, and the individual has already logged into his or her home network at the desktop before requesting access to the remote Boeing system. Taken together, those two facts make the redundancy obvious: the same person is authenticated twice, by two organizations, for one job.
3. Boeing must provision a separate account for each person in the FCS systems. When an individual forgets a password or needs a personal attribute updated, Boeing expends resources servicing the request. When the individual's status with his or her employer changes for whatever reason, Boeing depends on the partner organization remembering to notify it so that access can be revoked; until that happens the orphaned account stays live with all of its access intact. This last point is one of the largest risks in IT security today throughout the supply chain.
Identity federation addresses all three problems and, when combined with a single strong credential that is leveraged with all partners, removes the redundant password-based accounts that are the source of the inherent risk in today's approach to authentication.
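The exchange described above, as an added example that is not part of the original article and not the code of any A&D pilot: a Python sketch in which the employer (the identity provider) signs an assertion for a user who is already logged in at home, and the relying party's program system (the organization names, keys and directory entries are constructed) verifies it against the partner key established under the contract, keeps the authorization decision for itself, and needs no action of its own when the employer offboards the user. An HMAC with a per-partner shared key stands in for the PKI-signed SAML assertions a real federation would use.

```python
import base64, hashlib, hmac, json, time

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class EmployerIdP:
    """The employer: source of authority for its own people."""
    def __init__(self, name, key, employees):
        self.name, self.key = name, key
        self.employees = dict(employees)   # user -> attributes (constructed directory)

    def offboard(self, user):
        """Leaver removed from the home directory; no partner is notified."""
        self.employees.pop(user, None)

    def issue_assertion(self, user, audience, ttl=300):
        """Sign an assertion for a user already authenticated at the desktop.
        Returns None when the employer no longer vouches for the user."""
        attrs = self.employees.get(user)
        if attrs is None:
            return None
        now = int(time.time())
        payload = {"iss": self.name, "sub": user, "aud": audience,
                   "iat": now, "exp": now + ttl, "attrs": attrs}
        body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.key, body, hashlib.sha256).digest()
        return b64(body) + "." + b64(sig)

class RelyingParty:
    """The program owner: trusts partner IdPs, keeps the authorization decision."""
    def __init__(self, name, partner_keys, program_acl):
        self.name = name
        self.partner_keys = partner_keys   # issuer -> key agreed under the contract
        self.program_acl = program_acl     # program -> contracted issuers and roles

    def verify(self, token, now=None):
        """Return (payload, 'ok') for an authentic, unexpired assertion meant for
        us, else (None, reason).  Signature is checked before any field is trusted."""
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = unb64(body_b64), unb64(sig_b64)
            payload = json.loads(body)
        except (ValueError, TypeError):
            return None, "malformed"
        if not isinstance(payload, dict):
            return None, "malformed"
        key = self.partner_keys.get(payload.get("iss"))
        if key is None:
            return None, "unknown issuer"
        if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), sig):
            return None, "bad signature"
        if payload.get("aud") != self.name:
            return None, "wrong audience"
        now = int(time.time()) if now is None else now
        exp = payload.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None, "expired"
        return payload, "ok"

    def authorize(self, token, program, now=None):
        """Authentication comes from the employer; authorization stays here."""
        if token is None:
            return False, "employer did not vouch for user"
        payload, reason = self.verify(token, now)
        if payload is None:
            return False, reason
        rule = self.program_acl.get(program)
        if rule is None or payload["iss"] not in rule["issuers"]:
            return False, "issuer not contracted on program"
        attrs = payload.get("attrs", {})
        if program not in attrs.get("programs", []) or attrs.get("role") not in rule["roles"]:
            return False, "not assigned to program"
        return True, "ok"

def run_demo():
    """Walk through the cases the text raises; all names and keys are constructed."""
    key = b"contract-key-acme-fcs"               # assumed shared secret per partner
    acme = EmployerIdP("idp.acme.example", key, {
        "jdoe": {"programs": ["FCS"], "role": "engineer"},
        "asmith": {"programs": ["OtherProgram"], "role": "engineer"}})
    rogue = EmployerIdP("idp.rogue.example", b"not-a-contracted-key", {"mallory": {}})
    rp = RelyingParty("fcs.program.example", {"idp.acme.example": key},
                      {"FCS": {"issuers": {"idp.acme.example"}, "roles": {"engineer", "pm"}}})
    out = {}
    tok = acme.issue_assertion("jdoe", rp.name)
    out["jdoe"] = rp.authorize(tok, "FCS")                                  # granted
    out["asmith"] = rp.authorize(acme.issue_assertion("asmith", rp.name), "FCS")
    out["rogue"] = rp.authorize(rogue.issue_assertion("mallory", rp.name), "FCS")
    body_b64, sig_b64 = tok.split(".")                                      # forge subject
    forged = json.loads(unb64(body_b64)); forged["sub"] = "mallory"
    out["tampered"] = rp.authorize(
        b64(json.dumps(forged, sort_keys=True, separators=(",", ":")).encode()) + "." + sig_b64, "FCS")
    out["expired"] = rp.authorize(tok, "FCS", now=int(time.time()) + 600)
    acme.offboard("jdoe")                                                   # leaver at employer
    out["after_offboard"] = rp.authorize(acme.issue_assertion("jdoe", rp.name), "FCS")
    return out

if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case:15} {result}")
```

The offboarding case is the one worth dwelling on: the relying party never learns that jdoe left, and does not need to, because the only path to an assertion runs through the employer's directory. Short assertion lifetimes bound how long a stale session can outlive that removal.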