The new reality of supply chain security

Updated: April 4, 2006


As supply chain connections proliferate, supply chain security is a growing concern. Here are some ideas about how to protect your business.

In summary:

First, conduct a cost-benefit analysis for each area of supply chain security investment.

Evaluate your risk among the five critical supply chain security layers: Physical, network, host, application, and data.

Look for network encryption, identity validation, and data protection capabilities in third-party software.

Be careful about supply chain security enhancements in any customizations to your system; Microsoft .NET can help.

Don't underestimate the importance of collaborating with your supply chain partners on a security plan.

Not many years ago, electronic data interchange (EDI) was the only option for trading partners who wanted to conduct e-commerce. For midsize companies, it was an expensive supply chain security solution—although a necessary one if you wanted to do business with large enterprises. But because EDI typically involved a one-to-one connection over a private, value-added network with little or no human intervention, it was straightforward to apply supply chain security enhancements.

Today, midsize businesses find themselves sharing information and conducting electronic transactions with organizations throughout the supply network, from suppliers to manufacturers to distributors to retailers. They're integrating systems with companies both large and small, and they're setting up Web-based portals to manage supply chain activities.

Increasingly, supply chain connections face a wide variety of threats, from the corruption of data to the loss of trade secrets to the theft of customer information. There are even cases in which criminals have intercepted and altered electronic manifests to divert shipments. That places a premium on security enhancements.

"You need authentication of the users and systems that will access your environment. You need authorization to specify what they can and cannot access. And you need protection of the network links that connect those users and systems," says Robert Anderson, vice president of small and midsize business applications for Gartner based in Atlanta, Ga. "And you need to do that not for just one partner, but for multiple partners with differing security profiles."

Examine your processes and needs

Supply chain security enhancements begin with a risk analysis of current processes to determine how these processes will be affected by electronic connections (if, for example, you're purchasing a supply chain management system for the first time or adding functionality). "If there's a risk that users can make fraudulent procurement purchases, automating that process will only make it easier for perpetrators," says Aaron Turner, senior security strategist for Microsoft. So you may need to modify business processes before automating and adding security enhancements. To help you develop and implement a security risk management program, Microsoft offers a Security Risk Management Guide.

One approach is to evaluate security risks on the basis of the five defense-in-depth layers of security controls: Physical, network, host, application, and data. Ask yourself key questions about your security needs at each layer: Will the supply chain system require a dedicated server? Will the server be exposed to the Internet? Who will manage those Internet-facing connections? How will transactions be safeguarded?

Likewise, conduct a cost-benefit analysis of planned security investments. "You wouldn't spend a million dollars to protect assets worth only a dollar," Turner says. To help you identify your security requirements, check out Microsoft's Security Assessment Tool, specially designed for companies with fewer than 1,000 employees.

Evaluate software with security in mind

Once you've evaluated your business security needs, look for a supply chain solution that delivers these controls:

Network encryption: By applying protections above the data-link level but below the application level, network encryption can use existing network services and applications. Network encryption is generally handled through Secure Sockets Layer (SSL), but IP Security (IPSec) can be used for large-scale systems.

Data protection: Covering transactions both in transit and in storage, this control helps to ensure data integrity and reduces the risk of fraud.

Identity validation: Certificates are effective for validating the identity of both users and systems. Smart cards can store users' certificates, while the Microsoft Windows Server operating system Active Directory service can manage certificates for systems.

You might also invest in intrusion or anomaly detection, which inspects network traffic for unusual behavior that might indicate misuse. Popular intrusion detection systems include Cisco Secure IDS, eTrust Intrusion Detection, and BlackIce Defender.

Be sure you can audit and log transactions from end to end. "Government regulations will increasingly be a factor in supply chain connections," Anderson notes. "You'll have a legal liability to audit transactions, and keep a record of who had access to which systems and data."

Full-featured supply chain systems such as Microsoft's supply chain management applications incorporate many of these protection mechanisms. This is one advantage that packaged applications have over custom-built solutions. Legacy and custom applications leave all the security requirements up to the IT professionals to implement and manage.

Plus, some experts believe there's an additional benefit to enterprise resource planning (ERP) and supply chain management (SCM) systems that include core business functions. Processes such as procurement, manufacturing, and logistics should be in the same system to minimize the need for interfaces to external systems, according to Richard Bonnor, a supply chain specialist for Microsoft partner Tectura Corp., based in Copenhagen, Denmark. "To the extent you can use a single packaged solution for all supply chain and manufacturing processes, you can avoid complexity and achieve a higher level of security [enhancements]," Bonnor explains.

Minimize your risk in custom development

Beyond installing and connecting supply chain systems, midsize companies are increasingly building supplier portals to provide visibility into their operations. Such portals often involve customization, which can also require customized security controls. "There's often a lot of customization of portal views and access levels," Anderson points out. "In these cases, you may need to purchase or develop [the appropriate] security mechanisms."

Supply chain applications developed using the Microsoft .NET Framework can be readily configured with security enhancements. For example, you can take advantage of the Web Services Security (WS-Security) protocol for message authentication, confidentiality, and integrity, and it is more efficient than what SSL provides. WS-Security accommodates a wide variety of security models and encryption technologies.
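As an added illustration of the message-authentication piece of WS-Security described above (example code written for this article, not Microsoft's or the .NET Framework's own implementation), the following Python verifies a WS-Security UsernameToken PasswordDigest on the receiving side and rejects tokens whose Created timestamp is stale or whose nonce has already been seen. The partner name and shared secret are constructed sample values, and the use of the UsernameToken profile for the supplier portal is an assumption.

```python
import base64
import calendar
import hashlib
import hmac
import os
import time

# Constructed sample partner registry: username -> shared secret.
# A real portal would load this from its partner directory (assumption).
PARTNER_SECRETS = {"acme-supplier": "s3cret-shared-with-acme"}

FRESHNESS_WINDOW = 300   # seconds; Created must be within +/- 5 minutes of now
_seen_nonces = {}        # nonce (base64) -> expiry time, for replay protection


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """UsernameToken profile: PasswordDigest = Base64(SHA-1(nonce + created + password)).
    SHA-1 is what the WS-Security UsernameToken profile specifies for this field."""
    raw = nonce + created.encode() + password.encode()
    return base64.b64encode(hashlib.sha1(raw).digest()).decode()


def make_token(username: str, password: str, now: float = None) -> dict:
    """Client side: build the UsernameToken fields a partner system would send."""
    now = time.time() if now is None else now
    created = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    nonce = os.urandom(16)
    return {"Username": username, "Nonce": base64.b64encode(nonce).decode(),
            "Created": created, "PasswordDigest": password_digest(nonce, created, password)}


def verify_token(token: dict, now: float = None):
    """Server side: returns (accepted, reason). Checks identity, freshness, digest, replay."""
    now = time.time() if now is None else now
    secret = PARTNER_SECRETS.get(token.get("Username"))
    if secret is None:
        return False, "unknown user"
    try:
        created_ts = calendar.timegm(time.strptime(token["Created"], "%Y-%m-%dT%H:%M:%SZ"))
    except (KeyError, ValueError):
        return False, "bad Created"
    if abs(now - created_ts) > FRESHNESS_WINDOW:
        return False, "stale Created"
    expected = password_digest(base64.b64decode(token["Nonce"]), token["Created"], secret)
    if not hmac.compare_digest(expected, token["PasswordDigest"]):  # constant-time compare
        return False, "digest mismatch"
    # Drop nonces that fell out of the freshness window, then reject any reuse inside it.
    for stale in [n for n, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[stale]
    if token["Nonce"] in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces[token["Nonce"]] = now + FRESHNESS_WINDOW
    return True, "ok"
```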

Microsoft XML Developer Center offers the latest techniques for helping to ensure the integrity of XML data, while Microsoft TechNet Security Center provides guides for improving security and operating database and messaging systems.

Involve partners

Midsize businesses are often at the crossroads of multiple supply chains. You might need to connect with or provide visibility to suppliers, vendors, manufacturers, logistics providers, and retailers. If you're a distributor, you're probably providing services to organizations throughout the supply network. Supply chain security enhancement requires coordination among all these parties. "Draw in your trading partners so that security becomes a joint endeavor and decisions are made in a way that gives everyone the opportunity to participate," Anderson says.

Provide partners with clear guidance about your security requirements. And make sure they have an opportunity to provide feedback or bring up concerns. Have them complete a security questionnaire that enables you to evaluate their security profile and document who will be authorized to access what resources. Even better, ask your partners to submit to a third-party security audit. Finally, consider having your lawyers craft a contract or memo of understanding regarding the security policies for supply chain connections.

Ultimately, security enhancements must be driven by policy. "Security policy needs to be clearly documented and communicated to everyone involved," Turner says. Focus on what you can realistically monitor and enforce, and develop a detailed response plan.

Then practice. "We have customers who call Microsoft after a security incident seeking assistance," Turner relates. "They tell us that they have a response plan, but no one took the time to make sure it could be implemented."

Finally, keep an eye on the future. "When developing security policies and procedures for your supply chain systems, don't just focus on the current state and time," Anderson concludes. "What will your customers need? Where are government regulations heading? You need security mechanisms in place to meet your needs today. But you also need your security policy to be flexible enough to support your business in the future."

Eric Schoeniger is a Philadelphia-based writer and a contributor to the Microsoft Midsize Business Center.
