Raising the Bar on Authentication
For companies looking to be at the forefront of security in the supply chain (and create competitive advantage for themselves in the near term), implementing a compliant system can pay great dividends. The first step is to identify a scenario in which data sharing occurs, or needs to occur, with external partners (other disparate business units can work as well in larger organizations). Next, define what information is needed about each individual who will use the system. Typical identity attributes that applications want to "know" before providing access include:
- Organization affiliation
- Business unit affiliation
- Job title and/or job role
- Geographic location
There are two items of interest to note about the list above. First, each attribute is of obvious value and use to a relying party application. Second, the individual's name is not listed. The point here is that what is "interesting" about an individual to a supply chain application has everything to do with their role and their organizational affiliation and virtually nothing to do with what is interesting from a human interaction perspective. The individual's name will almost always be captured for purposes of an audit log, but it will not be a factor in identifying or authorizing him or her.
This brings us to a fundamental tenet of security that has been swept under the carpet for a very long time: authenticating someone simply tells me that I'm really talking to "Bob." Authorizing "Bob" means that we need to determine what he can and can't do in our system, and that is a far greater challenge to do in a scalable way.
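The following is an added illustration of the relying-party model the preceding paragraphs describe; it is not code from the article or from any TSCP deliverable. The application receives an assertion of identity attributes (organization, business unit, role, location) and decides access from those alone, deny by default. The subject's name is written to the audit trail but is never consulted in the decision, so two people with identical attributes always receive the same answer. Every organization, role, resource and person below is constructed sample data.

```python
"""Attribute-based authorization at a relying-party application.

Added example, not the article's or TSCP's code. Organizations, roles,
resources and people are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str            # captured for the audit trail only
    organization: str
    business_unit: str
    role: str
    location: str        # country code (constructed convention)


@dataclass(frozen=True)
class Rule:
    resource: str
    actions: frozenset
    organizations: frozenset
    roles: frozenset
    locations: frozenset = frozenset()   # empty means any location


class RelyingParty:
    """Deny-by-default policy decision point with an audit log."""

    def __init__(self, rules):
        self.rules = tuple(rules)
        self.audit_log = []

    @staticmethod
    def _matches(rule, subject, resource, action):
        # Only affiliation, role and location take part in the decision.
        return (rule.resource == resource
                and action in rule.actions
                and subject.organization in rule.organizations
                and subject.role in rule.roles
                and (not rule.locations or subject.location in rule.locations))

    def authorize(self, subject, resource, action):
        decision = any(self._matches(r, subject, resource, action) for r in self.rules)
        # The individual's name appears here, and only here.
        self.audit_log.append({
            "who": subject.name,
            "organization": subject.organization,
            "role": subject.role,
            "resource": resource,
            "action": action,
            "decision": "permit" if decision else "deny",
        })
        return decision


POLICY = (
    # Partner engineers in approved countries may read the drawings.
    Rule("wing-assembly-drawings", frozenset({"read"}),
         frozenset({"PrimeCo", "TierOneCo"}),
         frozenset({"design-engineer", "stress-engineer"}),
         frozenset({"US", "GB"})),
    # Only the prime's own design engineers located in the US may change them.
    Rule("wing-assembly-drawings", frozenset({"read", "write"}),
         frozenset({"PrimeCo"}), frozenset({"design-engineer"}),
         frozenset({"US"})),
    # Any participating organization may read the shared schedule, anywhere.
    Rule("programme-schedule", frozenset({"read"}),
         frozenset({"PrimeCo", "TierOneCo", "SubTierCo"}),
         frozenset({"design-engineer", "stress-engineer", "planner"})),
)


def demo():
    """Run a handful of constructed requests and return (decisions, audit log)."""
    rp = RelyingParty(POLICY)
    alice = Subject("Alice Example", "TierOneCo", "Airframes", "stress-engineer", "GB")
    bob = Subject("Bob Example", "TierOneCo", "Airframes", "stress-engineer", "GB")
    carol = Subject("Carol Example", "SubTierCo", "Planning", "planner", "US")
    dave = Subject("Dave Example", "PrimeCo", "Wing Design", "design-engineer", "DE")
    results = {
        "alice-read": rp.authorize(alice, "wing-assembly-drawings", "read"),
        "alice-write": rp.authorize(alice, "wing-assembly-drawings", "write"),
        "bob-read": rp.authorize(bob, "wing-assembly-drawings", "read"),
        "carol-read-drawings": rp.authorize(carol, "wing-assembly-drawings", "read"),
        "carol-read-schedule": rp.authorize(carol, "programme-schedule", "read"),
        "dave-read": rp.authorize(dave, "wing-assembly-drawings", "read"),
    }
    return results, rp.audit_log


if __name__ == "__main__":
    decisions, log = demo()
    for key, value in decisions.items():
        print(key, "->", "permit" if value else "deny")
    print(len(log), "audit records written")
```

Alice and Bob differ only in name and get identical decisions; Dave is a PrimeCo design engineer but is denied because his location is outside the rule's scope. The audit record is the one place the name is kept, which matches the article's point that the name is logged but never drives the authorization.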
Authorizing: What It Takes to Secure the 21st Century Supply Chain
The Transglobal Secure Collaboration Programme (www.tscp.org) has spent the last five years working on this very issue. The group began with a simple-sounding scope: define secure data sharing/collaboration along the entire supply chain, even when it starts with a government customer. It has been a long and winding journey whose first accomplishment was the A&D Public Key Infrastructure (PKI) bridge spun out as CertiPath (www.certipath.com), which equates one identity provider's PKI implementation to another.
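To make the bridge idea concrete, here is an added model of cross-certification through a PKI bridge; it is not code from the article, TSCP or CertiPath. Each participant trusts only its own root CA. The bridge holds cross-certificates with each member root, and those cross-certificates carry the policy mappings that equate one domain's assurance level to another's. A relying party discovers a certification path from a partner's certificate back to its own trust anchor and translates its own policy through each mapping along the way, in a simplified form of the RFC 5280 policy processing. Signature verification, validity periods and revocation are deliberately left out; all CA names and policy identifiers are constructed placeholders, not real OIDs.

```python
"""Model of cross-certification and policy mapping through a PKI bridge.

Added example, not the article's, TSCP's or CertiPath's code. Only path
discovery and policy mapping are modelled; signatures, validity and
revocation are omitted. Names and policy identifiers are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    policies: frozenset          # certificate policies this cert asserts
    policy_mappings: tuple = ()  # (issuer-domain policy, subject-domain policy) pairs


def find_path(certs, subject, trust_anchor):
    """Breadth-first search from `subject` along issuer links until a
    certificate issued by `trust_anchor` is reached. Returns the path ordered
    anchor-side first, or None. Self-issued certificates are not links, and
    `seen` stops the loops created by bridges cross-certifying both ways."""
    by_subject = {}
    for cert in certs:
        by_subject.setdefault(cert.subject, []).append(cert)
    queue = deque([(subject, [])])
    seen = {subject}
    while queue:
        name, path = queue.popleft()
        for cert in by_subject.get(name, []):
            if cert.issuer == cert.subject:
                continue
            new_path = path + [cert]
            if cert.issuer == trust_anchor:
                return list(reversed(new_path))
            if cert.issuer not in seen:
                seen.add(cert.issuer)
                queue.append((cert.issuer, new_path))
    return None


def map_policy(path, anchor_policy):
    """Walk the path from the anchor down. Each certificate must assert the
    policy currently expected; a mapping it carries replaces that expectation
    with the equivalent policy of the next domain. Returns the policy the end
    entity holds in its own domain, or None if any link breaks the chain."""
    expected = anchor_policy
    for cert in path:
        if expected not in cert.policies:
            return None
        for issuer_domain, subject_domain in cert.policy_mappings:
            if issuer_domain == expected:
                expected = subject_domain
                break
    return expected


def equivalent_local_policy(certs, subject, trust_anchor, anchor_policy):
    """Relying-party view: which policy of `subject`'s own PKI is equivalent
    to `anchor_policy` in ours, or None if the bridge cannot establish it."""
    path = find_path(certs, subject, trust_anchor)
    return None if path is None else map_policy(path, anchor_policy)


# Constructed sample: two member PKIs joined by a bridge, plus one outsider.
CERTS = (
    # PrimeCo Root cross-certifies the bridge and equates its medium-hardware
    # policy with the bridge's.
    Cert("Bridge CA", "PrimeCo Root", frozenset({"primeco-medium-hw"}),
         (("primeco-medium-hw", "bridge-medium-hw"),)),
    # The bridge cross-certifies TierOneCo Root and maps the policy onward.
    Cert("TierOneCo Root", "Bridge CA", frozenset({"bridge-medium-hw"}),
         (("bridge-medium-hw", "tierone-hw-assurance"),)),
    # Reverse-direction cross-cert, present so the loop guard is exercised.
    Cert("Bridge CA", "TierOneCo Root", frozenset({"tierone-hw-assurance"}),
         (("tierone-hw-assurance", "bridge-medium-hw"),)),
    Cert("TierOneCo Issuing CA", "TierOneCo Root",
         frozenset({"tierone-hw-assurance", "tierone-basic"})),
    Cert("bob@tierone.example", "TierOneCo Issuing CA",
         frozenset({"tierone-hw-assurance"})),
    Cert("temp@tierone.example", "TierOneCo Issuing CA",
         frozenset({"tierone-basic"})),
    # SubTierCo runs its own PKI but holds no cross-certificate with the bridge.
    Cert("SubTierCo Issuing CA", "SubTierCo Root", frozenset({"subtier-basic"})),
    Cert("eve@subtier.example", "SubTierCo Issuing CA", frozenset({"subtier-basic"})),
)


if __name__ == "__main__":
    for who in ("bob@tierone.example", "temp@tierone.example", "eve@subtier.example"):
        print(who, "->", equivalent_local_policy(
            CERTS, who, "PrimeCo Root", "primeco-medium-hw"))
```

A PrimeCo application asking whether a TierOneCo credential meets PrimeCo's own "medium hardware" policy gets a positive answer for Bob, whose certificate sits under the mapped policy, and a refusal both for a TierOneCo certificate issued under a weaker policy and for an outsider whose root was never cross-certified. That is the function of the bridge in the article: one domain's policy is equated to another's without every participant having to trust every other participant's root directly.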
More recently the group has completed the first of its target collaborative capabilities (TCC), a set of data schemas, policies and technologies that, when implemented at multiple participants, will provide interoperability for that capability. A secure e-mail implementation that supports high-value data attachments, such as the U.K. Ministry of Defence's restricted information, will be released to the public later this year. A specification on a common approach to identity and data federation is being demonstrated in a technology proof of concept now.
The most important thing about groups like the TSCP is that the supply chain is defining requirements for itself. Companies such as Northrop Grumman, EADS/Airbus and The Boeing Company sit at the same table as the Netherlands and U.K. ministries of defense and the U.S. Department of Defense to hash out exactly what it will take to get to a level of common security commensurate with the value of the data being shared in the supply chain. These tier-one companies and major governments have made substantial investments to bring about this new model and, like most things in A&D, have tested, tested and re-tested the model.
We are still three to four years away from virtually everyone in the supply chain having a single, hardware-based token (likely a smartcard, like those citizens carry in Europe and other parts of the world, which also acts as a credit card), but the technology is coming. One day, we'll arrive at work — wherever that may be — and use a single card to gain physical access to the building and perhaps the office. We will sit down and log into the computer, and that may very well be the last time that day we're given an authentication challenge. From that point forward, the user experience will be a very expansive single sign-on effect. The security value, though, is considerably greater — we will know who "Bob" is and, more importantly, what "Bob" is authorized to do, finally addressing one of the biggest holes in securing critical information across the entire supply chain.