Gartner IT Security Summit 2005 Frank Kenney 6–8 June 2005
Marriott Wardman Park Hotel Washington, District of Columbia
Strategic Imperative: Design and build a comprehensive B2B integration environment before embarking on a fully automated B2B environment.
Sidestepping the Potholes — Challenges to B2B Security
[Figure: "Path to Success", a road with six numbered potholes. The pothole labels and the detail items placed beside them on the slide:]
• Hype & confusion
• Infrastructure: application and network dependencies; multiple platforms
• Standards: AS2 and AS3 adoption; various XML standards
• Evolving technologies: Web services; EDI and VANs
• Vendors: product approaches; lack of compatibility; vendor viability
• Organization: internal and external ownership
Also called out on the slide: partner and gov't mandates; perceived benefits.
Whenever a new business-to-business (B2B) specification is announced, companies typically react negatively. Most B2B interactions involve facilitating the creation and movement of money. Money is closely tied to revenue, and revenue is what drives business. That being said, it's no surprise that most companies react to new standards with a certain degree of pessimism — no one wants to interrupt an infrastructure so closely tied to revenue. In some cases, as with Applicability Standard 2 (AS2), companies have seen a tremendous benefit from leveraging the Internet. In others, such as Electronic Business XML (ebXML), the market has not yet seen the promised benefits of that standard. In any event, expect vendors and the media to hype new standards that are supposed to dramatically change and have a positive effect on the way you do business.
Client Issues
1. How will B2B gateways enable flexible, manageable, secure connections among trading partners?
2. Which emerging B2B security standards and technologies should organizations adopt and implement, and when?
3. Which vendors, technology and products provide this functionality, and who will eventually lead the market?
This presentation defines the requirements of a robust B2B gateway, discusses some of the emerging B2B standards such as ebMS and AS2, and talks about the continued importance of file transfer protocol and the new emphasis on managed file transfer. We look at Gartner’s MarketScope for managed file transfer, as well as the B2B gateway providers Magic Quadrant.
B2B Gateway — Logical Architecture*
* Can be implemented within one product, or in several products
[Figure: the gateway sits between Trading Partners on one side and Internal Systems on the other. Components shown: Trading Partner Management, Secure Communications, Workflow, Management and BAM, Optional Transformation, Adaptive Interface.]
Although some B2B gateways contain functionality rivaling the capabilities of some integration and application platform suites, the following requirements are considered essential to the architecture of the B2B gateway:
• Trading partner management — includes tools to provision new and established partners, and test and activate the connections.
• Secure communications — addresses the multiple layers of security, including securing the physical connection by encrypting the "wire," securing the data via encryption (for example, digital certificates and standards such as PGP) and access control — either from an external mechanism (such as LDAP, Active Directory, EAM tool) or an internal one. The B2B gateway should also support a variety of popular and traditional B2B standards and protocols.
• Workflow — the B2B gateway must provide the user with a way to define processes in the gateway based on trading partner profiles and other business rules and requirements. An environment to model processes is optimal, and if the user defines processes in a larger context (such as BPM, which includes processes for integration outside of the gateway), then the gateway's workflow application should be able to absorb and execute these processes.
• Repositories, data warehouses and tools that are used to rationalize contained data — business intelligence analytics can provide visibility into trends and scoreboards and provide forecasting information.
Client Issue: How will B2B gateways enable flexible, manageable, secure connections among trading partners?
The B2B Gateway: Consolidating Communications
[Figure: "Distributed vs. Consolidated". The channels listed on the slide (AS1, FTP, AS2, ebXML, RosettaNet, Web forms, VAN) are shown first as separate point-to-point connections and then consolidated through a single B2B gateway.]
Organizations and their business partners are looking at the entry and exit points in their IT infrastructures that are used to exchange business messages and transactions with trading communities and partners. These include EDI translators, integration broker suites, Web portals, file transfer applications and, in some cases, e-mail servers. Customer relationship management (CRM) applications with B2B functionality will also be directed into a larger B2B communications consolidation. Transaction delivery network (TDN) software specialists, such as Inovis/IPNet Solutions and iSoft, are developing solutions that address trading partner management (TPM) and secure transport, such as Applicability Statement 2 (AS2) and ebXML messaging services. However, larger integration suite vendors, such as IBM, Sterling Commerce, Tibco and webMethods, are integrating their application-to-application (A2A) integration middleware capabilities with their TDN software solutions.
Businesses that are driven by industry, regional and self-mandated regulations, such as the U.S. Health Insurance Portability and Accountability Act, the U.S. Public Company Accounting Reform and Investor Protection Act of 2002 (the Sarbanes-Oxley Act) and Six Sigma, are moving toward centralizing their B2B operations. This will force most integration middleware vendors to re-examine their B2B capabilities, increase investment in B2B research and development, and remarket and package their B2B solutions.
Strategic Planning Assumption: By 2007, 60 percent of businesses will use a B2B gateway to centralize B2B communications, compared to 10 percent in 2004 (0.7 probability).
Strategic Imperative: Look for opportunities to redeploy your B2B gateways with your operational B2B environments.
Security at Both Ends: Operational and Commerce-Driven
[Figure: an integration suite with adapters links ERP/SCM and other applications to two groups of external parties. Operational: payroll services, benefits services, bank services, HR services, office supply services. Commerce-driven: trading partners.]
Operational B2B and commerce-driven B2B integration bear a close resemblance to each other. The requirements involved in the connection and transmission of data are often identical to the requirements for the interactions between trading partners. (It can be argued that these business and application service providers are trading partners.) Because of this resemblance, vendors of one form of integration can target the other market as well. IT organizations can take advantage of this versatility to cost-effectively expand their infrastructure to encompass other duties. The B2B gateway can be used to manage the relationship with application service providers by easing the provisioning and profile creation/management processes, offering multiple technologies and mechanisms for security and providing business process control. Operational B2B integration is used when a company and its service providers exchange data associated with the resources, applications and processes that enable a company to function (for example, in managing employees or facilities). Commerce-driven B2B integration is used when a company and its partners exchange data associated with the buying, selling or trading of goods and services.
The Never-Ending Multiple-Choice Security Question
• AS2
• AS3
• ebXML
• X.509
• PGP
• FTP
• Web services
"If you want to continue to do business with us, you must support …"
Trading partner mandates are a hard part of any B2B relationship. It is a challenge that many companies face, and even when mitigated via a centralized B2B gateway, it takes some understanding of the mandate and the associated technologies, standards and specifications to build a successful relationship. Some of these mandates make sense and can provide great value to both parties. Others are more selfish and are implemented solely to benefit the larger organization. If you are a larger business partner with leverage in your supply chain, be cautious of draconian mandates to adhere to new solutions. The result can vary from slightly disgruntled business partners who will investigate the value of continuing the relationship to a number of business partners who threaten mass defections. If you are the partner on the receiving end of this "leverage," rely on technologies such as B2B gateways to help you meet these mandates.
Client Issues: Which emerging B2B security standards and technologies should organizations adopt and implement, and when?
Strategic Imperative: While desirable to primarily support one or two B2B technologies or standards, leverage B2B gateways to meet any and all partner mandates.
Applicability Standard 2 (AS2)
[Figure: sender and receiver exchange an EDI message over HTTP, protected with PKI, and an acknowledgement comes back. Callouts: guaranteed delivery via receipts; security via encryption; nonrepudiation via encryption.]
AS1 and AS2 are about more than EDI. AS1 is used to send digitally encrypted messages over e-mail protocols. AS2 expands this by enabling businesses to use HTTP and S/HTTP. The Internet is always on, and a simple but highly effective system of digitally signed receipts makes using the Internet for the transportation of messages safe and reliable. Driven by larger partner mandates, most notably Wal-Mart, AS2 has become erroneously synonymous with EDI over the Internet. Although this is one AS2 scenario, AS2 is heavily used by VANs as a replacement for their traditional asynchronous modems and leased lines. However, trading partners aren't just using AS2 for EDI transactions; it is also used for UCCnet transmissions, and where there is prior consensus on file format, we have seen AS2 used for the movement of flat files and proprietary formats.
Strategic Planning Assumption: Through 2008, 40 percent of companies using leased lines or frame relays will use one of the three ASX specifications to replace those transport
Applicability Standard 3 (AS3)
[Figure: as in the AS2 diagram, but the EDI message passes through an FTP server rather than over HTTP. Callouts: guaranteed delivery via receipts; security via encryption; nonrepudiation via encryption; stop/restart via server.]
AS3 is a new B2B standard that brings interoperability to data transfers using file transfer protocol (FTP), much in the same way that AS1 and AS2 brought interoperability to data transfers using Simple Mail Transfer Protocol (SMTP) and HTTP, respectively. When products are purchased for AS3, they generally come with some capabilities to collect, reconcile and store the receipts and acknowledgements from the file transfer. Depending on the technology focus of the vendor, additional management functionality, such as auditability, business intelligence and analytics, trading partner management and support for other integration transport protocols, may be available. AS3 deployments, much like any other B2B protocol deployment, should rely on these best practices:
1) Include AS3 in the overall B2B gateway strategy, taking advantage of the gateway's trading partner management, workflow and adaptive capabilities.
2) Regardless of marketing messages about certified interoperability, plan on testing every trading partner for firewall challenges and FTP connectivity. The AS3 solution should allow for testing and activation.
3) AS3, much like AS2, will be built into most integration products. Inquire whether AS3 capability is available or will be available from your B2B solution provider.
The value of AS3 is that it offers guaranteed delivery for FTP-based B2B interactions, which previously had only been possible with proprietary managed file transfer solutions.
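The receipt handling that the AS2 and AS3 slides describe (guaranteed delivery via signed receipts, collecting and reconciling acknowledgements, nonrepudiation of receipt) can be shown in a few lines. The following is an added example and is not code from the presentation or from any AS2/AS3 product: the sender records a message integrity check (MIC) over each outbound message, the receiver returns a receipt carrying the MIC it computed over what it actually received, and the sender marks the message delivered only if the receipt is authentic and the two MICs agree. The receipt signature uses HMAC with a constructed shared key as a stand-in for the receiver's X.509 signature, and the payload, message identifiers and field names are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the receiver's signing credential. A real AS2/AS3
# receipt (MDN) is signed with the receiver's X.509 private key; an HMAC key
# is used here only so the example runs with the standard library alone.
RECEIVER_KEY = b"constructed-receiver-signing-key"


def content_mic(payload: bytes, alg: str = "sha256") -> str:
    """Message integrity check as carried in a receipt: base64(digest(payload))."""
    return base64.b64encode(hashlib.new(alg, payload).digest()).decode("ascii")


def sign_receipt_body(message_id: str, mic: str, key: bytes) -> str:
    """Signature over the two fields the sender relies on for nonrepudiation."""
    body = f"{message_id}|{mic}".encode("ascii")
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_receipt(message_id: str, received: bytes, key: bytes = RECEIVER_KEY) -> dict:
    """Receiver side. The MIC is computed over the bytes actually received,
    so corruption or truncation in transit shows up as a MIC mismatch."""
    mic = content_mic(received)
    return {"message_id": message_id,
            "received_content_mic": mic,
            "signature": sign_receipt_body(message_id, mic, key)}


def reconcile_receipt(outbox: dict, receipt: dict, key: bytes = RECEIVER_KEY) -> str:
    """Sender side: match an incoming receipt against the outbox.

    Returns 'delivered', 'unknown-message', 'bad-signature' or 'mic-mismatch'.
    Only 'delivered' updates the outbox; everything else is left for an
    operator, which is the reconciliation step the slides refer to.
    """
    entry = outbox.get(receipt["message_id"])
    if entry is None:
        return "unknown-message"
    expected = sign_receipt_body(receipt["message_id"], receipt["received_content_mic"], key)
    # Constant-time comparison: a forged receipt must never count as proof of delivery.
    if not hmac.compare_digest(expected, receipt["signature"]):
        return "bad-signature"
    if receipt["received_content_mic"] != entry["mic"]:
        return "mic-mismatch"
    entry["status"] = "delivered"
    return "delivered"


def run_demo() -> dict:
    """Constructed exchange: one good receipt plus the three failure cases."""
    payload = b"ISA*00*          *00*          *ZZ*SENDER*ZZ*RECEIVER*050608*1200~"  # constructed
    outbox = {"msg-001": {"mic": content_mic(payload), "status": "sent"}}
    good = build_receipt("msg-001", payload)
    tampered = build_receipt("msg-001", payload[:-5])   # receiver got a truncated file
    forged = dict(good, signature="00" * 32)            # not signed by the receiver's key
    unknown = build_receipt("msg-999", payload)         # receipt for a message never sent
    return {
        "good": reconcile_receipt(outbox, good),
        "tampered": reconcile_receipt(outbox, tampered),
        "forged": reconcile_receipt(outbox, forged),
        "unknown": reconcile_receipt(outbox, unknown),
        "status": outbox["msg-001"]["status"],
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The same reconciliation loop serves AS3, where the receipt is collected from the FTP server rather than returned on the HTTP connection; what changes is the transport, not the check.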
Strategic Planning Assumption: By 2007, 95 percent of all B2B gateways will support AS3 (0.8 probability).
Public Key Infrastructure (PKI): PGP and Digital Certificates
[Figure: "Sending a Confidential Message". The plain text "buy 2,000 shares" is encrypted with the recipient's public key (the public half of the key pair) into the cipher text "d4@d(86tg8P[d5s"; the recipient decrypts it with the private half, the recipient's private key, recovering "buy 2,000 shares".]
By far the most common scenario for using Pretty Good Privacy (PGP), Secure Sockets Layer (SSL) and X.509 in B2B is deploying them with FTP. Companies using FTP with PGP deployments can license PGP separately, license it as part of a managed file transfer solution or use an external provider. After the initial keys are exchanged, FTP communications happen over the commonly used port 21. Key management can become a logistical challenge as the community grows; however, in most cases it is also provided by the product that supplies the PGP support. Because of its simplicity to deploy, this remains the most popular way to secure data for an FTP transmission. Management via the nonrepudiation provided by encryption/decryption exists as well. Companies using FTP with X.509 deployments can license their own digital certificate infrastructure (a very intensive and expensive approach that is usually only considered by companies with larger digital signature needs), license it as part of a managed file transfer solution or use an external certificate management provider. Because of the centralized nature of PKI, before digital certificates are exchanged, policies regarding the issuing, expiration and revocation of certificates must be agreed on. Management via the nonrepudiation provided by encryption/decryption exists as well.
Strategic Planning Assumption: Through 2008, 60 percent of all trading communities will use a combination of FTP and PGP or X.509 to meet diverse trading partner requirements (0.8
Managed File Transfer (MFT) — Not Just FTP
[Figure: capabilities of an MFT product arranged around a management console. Interfaces: GUI, command line, callable API. Functions: process prioritization, guaranteed delivery, mailboxing, TPM, auto session retry, broadcast, data compression, firewall navigation. Transports: TCP/IP, MQSeries, SNA, BSC, X.25, asynch., Telnet. Security: PGP, X.509, and more.]
From its inception as part of TCP/IP in 1980, FTP has been used extensively by companies to quickly move large volumes of data, not only within the organization but outside to external trading partners. But FTP on its own contains no facility for securing or managing its payload, nor the carrying network. Today, companies continue to dedicate countless resources to building and maintaining complex integration infrastructures with integration suites and application platform suites. For data or file transfer, these resources focus primarily on approaches that transport transactional structured documents such as XML or EDI messages. In many cases, these companies use unsecured FTP to transport large batches of data, both structured and unstructured. Managed file transfer software enables companies to automate, compress, restart, secure, log, analyze and audit the transfer of data from one endpoint to another. These applications support movement over HTTP, SMTP, FTP, X.25, SNA, MQSeries, BSC and asynchronous connections, securing these connections with proprietary encryption, digital certificates, PGP, SSL or VPN. Although files of any size can be managed, MFT solutions are optimized for the movement of very large flat files (IDOC, WAV, TIFF, spreadsheets) or files containing unstructured data such as text files. Compression, encryption, and workflow modelers and engines are included in most solutions.
Managed File Transfer Isn't Just About Security
[Figure: "Managed File Transfer Suite Taxonomy". Components: secure communications; repository with auditing and logging; compression; check point/restart; encryption; management; workflow.]
Managed file transfer (MFT) suites help companies control all aspects of the movement of data (frequently, but not limited to, large bulk data) between any two entities. MFT suites must have the following functionality:
• Secure communications: a collection of commonly used protocols and technologies used for transporting data and ensuring the authentication, privacy, nonrepudiation and authorization of data between two or more entities.
• Management: the ability to monitor and control the data (regardless of size) throughout the file transfer.
• Integration functionality: adapters or exposed application programming interfaces.
• Compression.
• Additional security technologies for server deployments in the DMZ and firewall navigation.
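Check point/restart and the auditing repository in the taxonomy above are what separate a managed transfer from a bare FTP put. The following is an added example, not code from the presentation or from any MFT product: a sender pushes a file in chunks to a simulated remote endpoint, records the last acknowledged offset in a checkpoint, and after a simulated link failure resumes from that offset instead of from byte zero, then verifies the whole file by digest and records every step as an audit line. The Destination class, the chunk size, the sample file content and the failure point are all constructed for the example.

```python
import hashlib
import json
from typing import Optional


class TransferInterrupted(Exception):
    """Raised by the simulated link when the connection drops mid-transfer."""


class Destination:
    """Constructed stand-in for the remote endpoint (an FTP/SFTP server in practice).

    It only accepts a chunk whose offset equals the bytes already stored, and it
    can be told to drop the link once a byte threshold would be crossed.
    """

    def __init__(self, drop_after: Optional[int] = None):
        self.data = bytearray()
        self.drop_after = drop_after

    def write_at(self, offset: int, chunk: bytes) -> int:
        if offset != len(self.data):
            raise ValueError(f"offset {offset} does not match {len(self.data)} bytes already stored")
        if self.drop_after is not None and len(self.data) + len(chunk) > self.drop_after:
            raise TransferInterrupted(f"link dropped at offset {offset}")
        self.data.extend(chunk)
        return len(self.data)  # acknowledged length, which becomes the next checkpoint


def send_with_checkpoint(source: bytes, dest: Destination, checkpoint: dict,
                         audit: list, chunk_size: int = 4) -> bool:
    """Send from the checkpointed offset, advancing the checkpoint only on acknowledgement.

    Returns True when the destination holds the complete file and its digest
    matches the source. Each event is appended to the audit list as a JSON
    line, the kind of record an MFT repository keeps for later review.
    """
    offset = checkpoint.get("offset", 0)
    while offset < len(source):
        chunk = source[offset:offset + chunk_size]
        try:
            offset = dest.write_at(offset, chunk)
        except TransferInterrupted as err:
            audit.append(json.dumps({"event": "interrupted", "offset": offset, "reason": str(err)}))
            raise
        checkpoint["offset"] = offset
        audit.append(json.dumps({"event": "chunk-acked", "offset": offset}))
    verified = hashlib.sha256(bytes(dest.data)).hexdigest() == hashlib.sha256(source).hexdigest()
    audit.append(json.dumps({"event": "complete", "bytes": offset,
                             "integrity": "ok" if verified else "mismatch"}))
    return verified


def run_demo() -> dict:
    """Constructed scenario: the link drops during the first attempt; the second attempt resumes."""
    source = b"ACCT,BAL\n0001,10\n0002,20\n"  # constructed 25-byte file
    dest = Destination(drop_after=10)
    checkpoint: dict = {}
    audit: list = []
    try:
        send_with_checkpoint(source, dest, checkpoint, audit)
    except TransferInterrupted:
        pass
    resumed_from = checkpoint["offset"]
    dest.drop_after = None  # link is back
    verified = send_with_checkpoint(source, dest, checkpoint, audit)
    return {
        "resumed_from": resumed_from,
        "bytes_not_resent": resumed_from,  # what a restart from zero would have sent again
        "verified": verified,
        "audit_events": len(audit),
        "received": bytes(dest.data),
    }


if __name__ == "__main__":
    print(run_demo())
```

The offset check in write_at is the part worth keeping in a real implementation: a checkpoint that disagrees with what the far side has already stored must fail loudly rather than silently produce a corrupt file, and the digest comparison at the end is what lets the audit record state that the delivered file is the one that was sent.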
Strategic Planning Assumption: By 2006, 30 percent of companies with “homegrown” file transfer solutions will replace at least 50 percent of those solutions with MFT suites (0.7 probability).
Strategic Imperative: Deploy the implementation of management that provides the most value, keeping in mind that it is likely that each implementation alternative may be deployed somewhere in the infrastructure.
Web Services Security: More Than Standards
[Figure: three deployment form factors for Web services security, fed by an identity server, a security console and SNMP, with XML policies, statistics and the security infrastructure behind the gateway. The slide's comparison:]
Agents (hosted)
• Advantages: leverage infrastructure; no extra hop
• Disadvantages: require deployment on every Web services node; potential platform resource impact
• Methods: SOAP engine plug-in, NSAPI/ISAPI filter, servlet redirection
Proxy
• Advantages: supports many Web services nodes; .NET and J2EE support
• Disadvantages: single point of failure; additional hop — processing delays
• Methods: stand-alone server; client-side proxies available for debugging, etc.
Gateway
• Advantages: supports many Web services nodes; no impact to service performance
• Disadvantages: no "active" capabilities; cannot see intra-node sessions
• Methods: attaches to network device (switch, etc.)
Vendors seeking to provide tools for the security of Web services typically choose one or more of the following form factors: hosted agent, proxy server or gateway. The hosted agent approach usually involves hooking into a SOAP engine, a servlet filter or an NSAPI/ISAPI Web server filter. The advantage of this approach is that it leverages the existing infrastructure (no new servers) and reduces potential latency by not interposing another "hop" between source and destination. The downside is that configuration complexity increases with having to deploy an agent on each server, and there can be issues with the impact on platform processing. The proxy approach places a server between the communicating Web services. Its benefits include the fact that typically only a few servers (sometimes only one) are needed to provide the security interception, and it doesn't consume any cycles on the Web services production platform. Its downside is that it adds another potential point of failure in the transaction data stream and introduces latency. Finally, an option that has become popular, particularly with appliance vendors such as Reactivity, Layer 7, DataPower and Sarvega, is a network approach similar to that of a "gateway." Like the proxy, a well-chosen placement may provide high visibility and of course does not consume many production platform cycles (in the case of an appliance, usually none). The downside is determining the right granularity for the number of gateways and their placement. Additionally, many of the vendors in this space continue to have viability issues.
Mature Vendors in an Immature Market: Managed File Transfer MarketScope
[Figure: MarketScope rating scale from Strong Positive through Positive, Promising and Caution to Strong Negative. Vendors rated: ASG (Allen Systems Group), Axway (Sopra), Click Commerce (bTrade), CommerceQuest, Computer Associates, Cyclone Commerce, iSoft, Proginet, Sterling Commerce, Tumbleweed (Valicert).]
Although most MFT solutions are mature and have exceptional management and security functionality, end users are mostly unaware of the offerings in this market. Homegrown solutions using command line interfaces, job schedulers and extraction, transformation and loading (ETL) tools are commonly used, although many users acknowledge the limitations of these tools when applied in an integration file transfer context. This will change as companies aggressively document and secure their processes and data. Axway and Sterling Commerce are building this functionality into their integration suites. Their competitors in that market will look to partner or acquire to bring a combined, tightly integrated solution with both MFT functionality and overall integration functionality to the market. Proginet actively promotes its fully exposed API and ease of integration with business applications and integration middleware as a key product differentiator. Still, this market has momentum, and its growth will accelerate with future mandates and regulations aimed at auditability and accountability, as well as emerging standards such as AS3. Our outlook for this market is promising.
Client Issue: Which vendors, technology and products provide this functionality, and who will eventually lead the market?
Strategic Planning Assumption: By 2007, 90 percent of all B2B gateways will have the necessary transformation and mapping capabilities for most EDI and XML B2B interactions (0.8 probability).
B2B Gateway Provider Magic Quadrant Criteria
Horizontal axis (Completeness of Vision):
• Trading-partner management
• Secure communications
• Workflow
• Business activity and event management
• Adaptive technologies
• Transformation
• Openness and standards compliance
Vertical axis (Ability to Execute):
• Corporate viability
• Financial and management commitment
• Pricing
• Installations (past plus recent)
• Support
• Geographic reach
• Partnerships
• Professional services
[Figure: the quadrant grid, Completeness of Vision across and Ability to Execute up, divided into Niche Players, Visionaries, Challengers and Leaders.]
Each vendor has been positioned in one of four quadrants: Leaders, Visionaries, Challengers or Niche Players. We have assigned heavier weights to various criteria to accurately reflect the challenges that exist in a common scenario consistent among companies regardless of geographic location. Buyers in this scenario struggle with the challenges of provisioning and managing multiple trading partners and communicating with these partners in a secure, manageable way. Additionally, buyers have generally become more concerned with vendor commitment to the B2B gateway market. Much in the same way that older EDI translation products (some as mature as fifteen years) are still very much in use, companies tend to be more restrictive and conservative regarding B2B infrastructure and strategy and future migration scenarios. As a result, we have placed a stronger emphasis on criteria such as "trading partner management," "secure communications" and "financial and management commitment." For example, a vendor such as Cyclone Commerce, which sells only B2B gateway technology, will generally rate higher on "financial and management commitment" than a vendor with multiple offerings that dedicates most of its resources to other markets.
Strategic Planning Assumption: Through 2008, 60 percent of companies that are buying B2B gateways will purchase stand-alone ones (0.7 probability).
Magic Quadrant for B2B Gateway Providers, 2Q05
(From "Magic Quadrant for B2B Gateway Providers, 2Q05," 15 April 2005; positions as of March 2005)
[Figure: the quadrant grid (Completeness of Vision across, Ability to Execute up; Niche Players, Visionaries, Challengers, Leaders). Vendors plotted: Axway, Click Commerce, Cyclone, Inovis, iSoft, Sterling Commerce, IBM, iWay Software, Microsoft, SeeBeyond, Seeburger, Tibco, webMethods, Oracle, GXS.]
A vendor is included in Gartner's Magic Quadrant for B2B Gateway Providers if it offers the ability to:
• Be sold and deployed as a stand-alone application (separate SKU) with trading partner management (TPM), security, management and adapters that allow users to consolidate and effectively manage all aspects of B2B interactions.
• Be deployed heterogeneously with third-party applications, middleware or operating systems.
• Allow users the option of using two or more B2B protocols and security mechanisms to connect to multiple trading partners (for example, stand-alone AS2 solutions or custom adapters that only allow connections to one application or trading partner were not considered in this evaluation).
These vendors have at least $10 million in annual revenue. (In some instances, vendors not meeting this particular criterion, but having a substantial impact on this market, have been included.) In briefings, the major integration and application platform suite vendors that also compete in this space each articulated a consistent, focused strategy of exploiting B2B gateways to manage exchanged data and processes, and to create recurring sales opportunities for integration suite and APS vendors. The presence of their B2B gateways in a company's infrastructure could presumably create vendor presence and vendor opportunity to sell larger, more-
Experian Overview
Global leader in providing information solutions to organizations and consumers
– Provides information, decision-making solutions and processing services
– Helps organizations find, develop and manage profitable customer relationships
– Helps consumers to understand, manage and protect their personal information and assets
– Has more than 40,000 clients across diverse industries
Subsidiary of GUS plc
– Headquarters in Nottingham, U.K. and Costa Mesa, California
– 13,000 employees in more than 60 countries
Experian's Business
North America databases
– More than 65 terabytes of data
Credit information
– Approximately 215 million U.S. consumers
– More than 15 million U.S. businesses
Demographic information
– On approximately 215 million consumers
– In 110 million living units across the U.S.
Address information
– For more than 20 billion promotional mail pieces
– To more than 100 million households every year
Enterprise File Transfer at Experian
Receive/process more than 65,000 pieces of physical media each month
Transmit batch files via FTP
– Excess of 4 terabytes monthly
– With more than 5,000 trading partners monthly
Transmit batch files via proprietary legacy methods
– Excess of 5 terabytes monthly
The Triggering Event: Competitor Was Hacked
August 2003
– Competitor was hacked
– Through a single FTP server
– Outside its firewall
July 2004
– Another FTP hack
– 8.2 gigabytes of sensitive consumer information downloaded
Experian needed to take proactive steps to ensure the highest levels of file transfer security and reliability.
Three-Tier Secure File Transfer Architecture Using Tumbleweed
[Figure: single sign-on and authentication/access control span the tiers. Labels on the slide, from the Internet inward: load balancing → Security Gateway → enterprise firewall → Event Management Gateway → internal firewall → Data Management Gateway → internal network, mainframe and legacy systems. The Tumbleweed components shown as load-balanced pairs are ST Edge, ST Event Proxy and ST Server, apparently one pair per tier. Partner-facing protocols: sFTP, FTPS, HTTPS. An e-mail server delivers notifications and receipts.]
Recommendations
• B2B drives revenue — approach dramatic changes cautiously.
• Examine trading partner profiles and processes. Document, centralize and reuse when possible.
• Use B2B gateways to maintain flexibility with your trading partners.
• FTP is a reality of integration — look for ways to manage it.
• B2B functionality is built into most products today. Establish your own criteria, and weigh the products and vendors based on those standards.