August 2002

Mfg.Trust

Mfg.Trust is a monthly feature of the

This month – An Overview of Trust Management Systems
New tools enable federated trust management systems for e-business

Accompanying Resource Page for this Story

Editor's Preface:

In any market transaction there is temptation to not deliver on the agreement for some unilateral gain. This month, guest author Fred Champlain brings that topic into focus and explains some of the newest tools and buzz words that you’ll need to know to succeed in business. Fred does a great job of taking the mystery out of XML, SOAP, web services, “federated trust” and Project Liberty. He backs this up with a great set of links on the resources page. We’re sure you will appreciate his clarity and insight. These powerful ideas are coming our way. Now is the time to acquire a familiarity with the basics, and know where to look for more detail.

John Sheridan (johns@ncms.org)

AN OVERVIEW OF TRUST MANAGEMENT SYSTEMS

Introduction

“Trust” has always been a primal theme of society – from the earliest tribes of nomads to multinational strategic treaties, trust has always been a governing force. The underpinnings of trust in information technology are based on complex factors similar to those of social trust – reliability, predictability, integrity, and the ability to tolerate risk. Trust management and the associated management of risk are key business processes for enterprises that can greatly impact the value of organizations. This article will look at the technology of trust in e-business, and present an overview of the security technologies that are emerging to support trusted B2B commerce.

Trust and Information Technology

Since the emergence of electronic business-to-business (B2B) commerce between trading partners in a supply chain in the early 1970s, the challenge of how to abide by existing trust relationships between businesses has become increasingly complex.
Supply chain integration beyond the boundaries of the enterprise continues to evolve, placing strong demands for continuous improvement in the integration of information technologies, both internally within an enterprise and externally between trading partners. The introduction of e-business using the Internet and web technologies in the 1990s has added a business-to-consumer (B2C) component to the challenge of operating within the tenets of business relationships. As business processes become increasingly attuned to the customer, a growing awareness of privacy and confidentiality issues for both individuals and businesses has further heightened interest in the meaning of “trust” in a digital world.

Trust and E-Business

The use of the Internet for e-business is increasingly common as companies strive to reduce their level of “trading friction”, becoming more attractive to do business with and lowering their overall operational costs. A new class of business software applications has emerged – web services – a new breed of applications that are built to interoperate using flexible and scalable architectures based on Internet technologies. Web services represent the next generation of business applications, providing a new approach to integrating information and knowledge between companies. Unlike most business applications, web services are rooted in powerful paradigms for conducting transactions in an open and public environment. As a result, web services stress existing models of e-business trust and existing security technologies. In response to this stress, several new security frameworks and technologies have been developed and are now emerging in the commercial marketplace. We’ll return to web services in a moment, after putting a foundation in place.

Components of Trust Management

Trust in an e-business context is implemented using information security technologies.
A trust management system manages security between organizations, including user identities, cross-organizational authentication, access control authorizations, auditing capabilities, and administrative management. By sharing these functions between trading partners, trust management systems are effectively sophisticated single sign-on (SSO) systems that provide several factors of trustworthy business transactions: authentication of transaction participants, confidentiality and integrity of transactions, and non-refutability (non-repudiation) of transactions. The challenge for companies conducting e-business is to find ways of ensuring that existing business trust between trading partners is preserved and supported by information technology. In order to provide interoperability between enterprises, a trust management system must be based on a shared set of common definitions for security profiles, messages, rules, and workflows.

A trust management system is composed of several functional building blocks:

Identity Management – Identity management provides a means of managing user identities and account information. Profiles may contain a wide range of information about a user, including personal information, encrypted passwords, biometric data, financial information, organizational roles, and historical information. A trust management system intrinsically provides the ability to manage identities and the associated privacy requirements between organizations.

Authentication – Each identity must be authenticated prior to being allowed to conduct e-business. In a federated trust management system, the organization that owns the identity (i.e. the user) is responsible for validating and proving the accurate identity of the user. The strongest authentication systems are based on digital certificates and biometric security devices using a Public Key Infrastructure (PKI).

Authorization – Access to authorized services and resources is controlled using security policies.
Policies are represented by rules that are dynamically interpreted by trust management systems to decide whether an identity is authorized to access a restricted service or protected resource. The decision-making process is defined by process workflows ranging from simple rules to complex decision evaluations.

Accounting – Accountability for all security events is central to a trust management system, ensuring the ability to record information about security events such as attempts to bypass application security mechanisms, network intrusion attempts, and data integrity protection.

Administration – Support for operational monitoring and management, including the provisioning and configuration management necessary to keep the trust management system functional, is vital to the reliability of a trust management system.

Implementing trust between trading partners requires the ability to share information from each of these building blocks – resulting in the need for a common means of representing identities, and a mutual framework for authenticating and authorizing users.

Federation

A new theme in recent trust frameworks is the concept of “federation”. Federation describes a design architecture for trust management systems that takes a distributed, loosely coupled yet highly connected approach to how identity and security information is stored and shared. Unlike a centrally controlled system, a federated system scales widely and allows each trading partner to retain exclusive management control of its users and associated trust relationships. Within a federated trust management system, each organization is responsible for authenticating and validating its own users – and similarly trusts that its trading partners have done likewise. This allows each trading partner, on an independent basis, to maintain the level of security it desires.
E-Business Messages

The drive towards using the Internet for e-business has resulted in the creation of new core technologies to facilitate communications between trading partners. Similar to the evolution of data coding formats established for EDI transactions, tools for securely sending e-business transactions have emerged rapidly in the past few years. The underlying structures of these tools have been designed with extensibility and flexibility as primary goals.

Central to e-business is the concept of an electronic document – a package of information transferred between trading partners, typically representing one of a variety of business transactions such as a purchase order, order confirmation, order status, etc. – any of a myriad of supply chain and procurement transactions. The definition of these documents and transactional messages, along with the associated workflow of transactions, is what directly enables business processes to occur via e-business. Schemas for e-business documents have become standardized in several industries. These documents are exchanged by web services via messages sent between trading partners and are typically processed by order management, supply chain, and customer relationship management systems.

Security Messages

The most prominent and significant enabling technology developed to support e-business is the eXtensible Markup Language, more commonly known as “XML”. A fundamental component in the plethora of new e-business technologies, XML is used to create text documents that can be exchanged between trading partners. XML by itself, however, is simply an alphabet, and alone cannot represent the structure of a message or document. XML is used in conjunction with the Simple Object Access Protocol (SOAP) to construct meaningful messages. SOAP defines the structure of a particular message and gives meaning to the message. SOAP is rapidly becoming the de facto means of exchanging e-business messages between trading partners.
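The building blocks described above (identity, authentication, authorization, accounting) and the federation model can be seen working together once a security assertion is carried inside a SOAP message. The following is an added example written for this page; it is not code from the article or from any vendor framework it names. It is a deliberately minimal version of the assertion exchange that SAML standardizes (introduced next): one trading partner's identity provider (IdP) authenticates its own user and issues a signed assertion in the SOAP header, and the receiving partner's service provider (SP) checks the issuer against its federation trust list, verifies the signature, checks the validity window, applies its own authorization policy, and records an accounting event. The partner names, keys, roles, policy and canonical-string format are constructed assumptions, and a keyed HMAC over a fixed field order stands in for the XML Signature and PKI that a real deployment would use.

```python
"""Added example, not the article's or any vendor's code: a minimal federated
security-assertion exchange carried in a SOAP 1.1 envelope. All names, keys,
roles and the policy are constructed; HMAC stands in for XML Signature/PKI."""
import hashlib
import hmac
import secrets
import time
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"   # SOAP 1.1 envelope namespace
ET.register_namespace("soap", SOAP_NS)

# Federation trust list held by the SP: which partner issuers it trusts and the
# verification key for each (constructed; a real SP would hold the partner's
# certificate / public key here, not a shared secret).
TRUSTED_ISSUERS = {"idp.supplier.example": b"supplier-demo-key"}

# Local authorization policy (constructed): roles permitted per operation.
POLICY = {"OrderStatusRequest": {"buyer", "planner"}}

AUDIT_LOG = []   # accounting: every allow/deny decision is recorded here

FIELDS = ("Issuer", "Subject", "Role", "NotOnOrAfter")


def canonical(fields):
    """Fixed field order so signer and verifier hash identical bytes; this is a
    stand-in for the XML canonicalization (C14N) that XML Signature relies on."""
    return "|".join(str(fields[f]) for f in FIELDS).encode()


def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_assertion(issuer, key, subject, role, operation="OrderStatusRequest",
                    lifetime_s=300, now=None):
    """IdP side: the organization that owns the identity vouches for it and
    returns the serialized SOAP envelope carrying the assertion and request."""
    now = time.time() if now is None else now
    fields = {"Issuer": issuer, "Subject": subject, "Role": role,
              "NotOnOrAfter": int(now + lifetime_s)}
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    assertion = ET.SubElement(header, "Assertion", ID="_" + secrets.token_hex(8))
    for name in FIELDS:
        ET.SubElement(assertion, name).text = str(fields[name])
    ET.SubElement(assertion, "SignatureValue").text = sign(key, canonical(fields))
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    ET.SubElement(body, operation)
    return ET.tostring(env)


def authorize(envelope, trusted=TRUSTED_ISSUERS, policy=POLICY, now=None):
    """SP side: verify the partner's assertion, then apply local policy.
    Returns (allowed, reason) and appends an accounting record either way."""
    now = time.time() if now is None else now
    env = ET.fromstring(envelope)
    body = env.find(f"{{{SOAP_NS}}}Body")
    operation = body[0].tag if body is not None and len(body) else None
    assertion = env.find(f"{{{SOAP_NS}}}Header/Assertion")

    def decide(allowed, reason, **ctx):
        AUDIT_LOG.append({"allowed": allowed, "reason": reason,
                          "operation": operation, **ctx})
        return allowed, reason

    if assertion is None:
        return decide(False, "no assertion")
    fields = {f: assertion.findtext(f) for f in FIELDS}
    sig = assertion.findtext("SignatureValue")
    if sig is None or any(v is None for v in fields.values()):
        return decide(False, "malformed assertion")
    key = trusted.get(fields["Issuer"])          # federation: only partners we trust
    if key is None:
        return decide(False, "untrusted issuer", issuer=fields["Issuer"])
    if not hmac.compare_digest(sign(key, canonical(fields)), sig):
        return decide(False, "bad signature", issuer=fields["Issuer"])
    if now >= int(fields["NotOnOrAfter"]):
        return decide(False, "assertion expired", subject=fields["Subject"])
    if fields["Role"] not in policy.get(operation, set()):
        return decide(False, "role not permitted", subject=fields["Subject"],
                      role=fields["Role"])
    return decide(True, "ok", subject=fields["Subject"], role=fields["Role"])


def tamper_role(envelope, new_role):
    """Simulate an in-transit modification so the signature check can be seen
    to catch it (the SP never calls this; it exists only for the demonstration)."""
    env = ET.fromstring(envelope)
    env.find(f"{{{SOAP_NS}}}Header/Assertion/Role").text = new_role
    return ET.tostring(env)


if __name__ == "__main__":
    key = TRUSTED_ISSUERS["idp.supplier.example"]
    msg = issue_assertion("idp.supplier.example", key, "alice@supplier.example", "buyer")
    print(authorize(msg))                                   # (True, 'ok')
    print(authorize(tamper_role(msg, "planner")))           # (False, 'bad signature')
    print(authorize(issue_assertion("idp.unknown.example", b"x", "mallory", "buyer")))
    print(AUDIT_LOG[-1])                                    # reason: 'untrusted issuer'
```

The order of the checks is the point: the SP first decides whether it federates with the issuer at all, then whether the assertion is authentically that issuer's and still within its validity window, and only then applies its own policy, which it never delegates to the partner. A real SAML assertion is signed as a whole (including its ID, issue instant and audience restriction) with an XML Signature over canonicalized XML, and the SP's trust list holds partner certificates rather than shared keys; the shape of the decision, and the audit record on both allow and deny, is the same.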
XML and SOAP are used together to address the needs of a federated trust management system. A web services security framework dubbed SAML – Security Assertion Markup Language – has been developed and is at the core of several new trust management frameworks. SAML provides for the sharing of security credentials and access controls between multiple organizations, acting as a lingua franca for securing the backbone of trust management systems.

Now we can appreciate the promise of web services. A web service is any piece of software that makes itself available over the Internet and uses a standardized XML messaging system (see links below for reference). XML is used to encode all communications to a web service. For example, a client invokes a web service by sending an XML message, and then waits for a corresponding XML response. Because all communication is in XML, web services are not tied to any one operating system or programming language. Thus, web services are a powerful tool for trust management among disparate systems.

Trust Management Initiatives

Several efforts are underway by leading vendors such as Microsoft, IBM, Sun, Netegrity, and Verisign to create trust management frameworks. As e-business security remains a top concern of enterprises, these initiatives are moving forward rapidly.

SAML – SAML is a framework for federating authentication and authorization information, based on the use of XML messages. SAML is quickly becoming a cornerstone for several trust management system implementations.

WS-Security – IBM, Microsoft, and Verisign have created WS-Security to provide a comprehensive end-to-end trust management system framework for web services. WS-Security has been designed to accommodate existing security technology to provide enterprises with a cost-effective means of leveraging their current systems. WS-Security uses SAML as a core messaging protocol.
Microsoft TrustBridge – Microsoft has announced a strategy for its .NET web services architecture to support security relationships between multiple companies. TrustBridge is focused on enabling enterprises to create a cross-company mesh of trust using Microsoft application platforms as well as integrating with non-Microsoft servers. The architecture of TrustBridge is anticipated to be based on WS-Security.

Project Liberty – Sun Microsystems, along with over 50 partners including AOL, Sprint, Cingular, United Airlines and General Motors, has developed a framework for federated identity management and authentication using SAML. The functions provided include the ability to link a user’s accounts across multiple systems under a single identity. Project Liberty is initially aimed at B2C applications.

Conclusion

Despite the recent crash of the “.com” industry and the failures of several B2C online businesses, B2B e-business remains a growing and critical function for most companies. The importance of trust management systems and their impact on the evolution of supply chain management is creating a continuous demand for increasingly complex information security technologies. Management of supplier relationships will continue to press the limits of security technology with an ever-demanding stream of requirements for the effective implementation of business trust. Organizations must ensure their e-business investments remain viable and secure in the future through the use of trust management systems.

LINKS:

XML Trust Center: http://www.xmltrustcenter.org/index.htm
Top Ten FAQ for Web Services
For a technical discussion of trust: http://ccs.mit.edu/dell/trustmgt.pdf
Project Liberty: http://www.projectliberty.org/

If you liked Mfg.Trust, please forward it to a colleague in your company!
For questions, comments, or for NCMS Alliance Partners to request their own FREE subscription to Mfg.Trust, send e-mail to johns@ncms.org To unsubscribe please send a blank e-mail message to listmanager@ncms.org with the subject line "unsubscribe mfgtrust".