Web-based commerce: Don't be insecure
Electronic data interchange and supply chain integration
Published: March 30, 2006
By Lauren Gibbons Paul

A midsize manufacturer and a midsize retailer tackle supply chain integration: the evolving requirements for securing electronic transactions with partners, suppliers, and customers, and the move away from traditional electronic data interchange (EDI).
In summary:
• Increasingly, companies are opting for Web-based EDI, which can be as secure as traditional EDI but without the transaction fees.
• Beyond technology, security in supply chain integration is also about deciding which information to keep private and which processes to change to protect sensitive company data.
With just 140 employees, Globe Electric Company Inc. is not a huge company. But the maker of lighting and electrical products does business with the true giants of retail, including Wal-Mart and Home Depot. And when these titans lay down the law about electronic collaboration, their suppliers—including Globe Electric—comply.
"In today's world, you just have to do this. It's mandatory," says Peter Daley, director of information technology for Globe Electric in Montreal, Canada. Customers charge Globe Electric steep penalties for any non-electronic or noncompliant transactions.
So, the question is not whether to process orders electronically but how to do so securely. Traditional electronic data interchange, or EDI, in which a value-added network (VAN) service provider hosts and secures transactions on a private network, was secure but costly. Now, companies have the option of bypassing the VAN and moving to a Web-based EDI solution, which is inherently less secure but less expensive as well.
Manufacturer moves to Web-based EDI
The death of EDI has been greatly exaggerated. Globe Electric has been receiving electronic purchase orders from its biggest customers through a traditional EDI network for six years, with VANs providing airtight security. Large companies are not about to uproot the systems that have provided a reliable, efficient, and secure conduit for transactions for decades.
In fact, EDI is still the most widely used form of automated business-to-business (B2B) interaction in industries such as retail and manufacturing, according to Forrester Research. "EDI has not gone away. We're seeing 12- to 14-percent annual increases in our customers' EDI traffic," says Bill Knapp, president of vSync, Inc., a provider of EDI and shipping compliance solutions for Microsoft Dynamics GP (formerly Microsoft Business Solutions–Great Plains).
But EDI is changing with the times. The rise of Web-based commerce and new standards such as Applicability Statement 2 (AS2) from the Internet Engineering Task Force have weakened VANs' stronghold on the EDI market. AS2 holds the promise of allowing EDI documents to move securely over the Web without the need to pay per-transaction fees.
"We'll go to AS2 as much as we can," says Daley. "Otherwise, as the supplier, we have to pay the fees for both sides of the transaction." He and Globe's senior management are satisfied that AS2, which employs encryption to protect data, will provide more than adequate security. "We take security very seriously," he says.
Globe Electric uses vSync software as well as the iSoft Commerce Suite AS2 connectivity solution from iSoft Corp. in Dallas, Texas. vSync's technology incorporates security and compliance of EDI transactions for midsize consumer packaged goods manufacturers and distributors, while iSoft maintains the security of EDI data transmitted over the Internet.
The data is encrypted (ensuring its privacy), authenticated (through digital signatures that verify the sender's identity), integrity-checked (to prove it was not corrupted in transport), and protected against repudiation (by retaining a signed receipt). Like Globe Electric, most suppliers that rely on EDI will move to AS2 once their large customers permit it, because the savings from not paying transaction fees can be substantial (VAN fees can run as much as 70 cents per transaction).
A coffee retailer's aim to keep competitive information private
At Minneapolis, Minn.-based Caribou Coffee Company, Inc., security concerns are high on management's radar screen. Henry Stein, vice president of sales and business development for the $200-million, 410-store chain, worries that information relating to new products, expansion plans, or the identity of business partners could fall into the wrong hands. "We don't want someone to know where we're about to open our next store or anything related to products and recipes," he says. Caribou requires partners to sign a nondisclosure agreement before exchanging data and transactions.
Similarly to Globe Electric, Caribou has big-name customers, including Sam's Club and Target, which send purchase orders electronically by way of traditional EDI, although Stein hopes that by this summer they will give the green light for Web-based EDI. "We're EDI-compliant for 60 to 70 percent of our transaction sets," he says. "That is driven by our customers."
Caribou's customers do, however, facilitate some Web-based supply chain processes, such as portals, where Stein can pore over sales and point-of-sale (POS) data in order to predict demand. "Target provides us information almost in real time," says Stein. Target's vendor site is password-protected, and only Stein and one other person at Caribou are allowed to access the data.
No matter what technology is deployed, Stein takes extra measures to protect sensitive data. When Caribou orders electronically from its own suppliers through traditional EDI, it is careful not to disclose data that could be considered competitive. For example, Caribou buys millions of plastic cups annually from Solo but does not have the orders shipped directly to the company's stores. "We'll hold products in inventory rather than disclose exact locations," Stein says. This strategy protects the locations of Caribou's planned new shops.
When it comes to dealing with their own suppliers, midsize companies such as Globe Electric and Caribou have a bit more latitude. For example, Globe Electric collaborates with the third-party logistics providers that ship its products around the world. In those transactions, Globe can mandate the use of particular technologies, such as 128-bit encryption, to ensure the security and integrity of the messages.
Daley has seen a lot of changes in the 17 years he's been in the business. One thing he's sure of: Security is only increasing in importance. "Five years ago, you could have survived with a less secure environment and not worry too much about it," he says. "But with all the data and transactions being exchanged today, that's not possible anymore."
When moving from a traditional VAN to Web-based EDI, make sure you have all these aspects of security covered:
• Privacy of the data is ensured by encrypting all messages transferred between business partners so that only the intended recipient can open them.
• Authentication through digital signatures assures both sender and recipient of the other party's identity.
• Integrity of the message is established by including a Message Integrity Check (MIC, or hash) in the receipt returned to the sender, which is also signed.
• Nonrepudiation of the message is established by retaining the signed receipt, which can be shown to have been created by the recipient of the message.
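The four properties in that checklist (the same ones described for Globe Electric's AS2 setup) can be walked through end to end. The following is an added example, not code from the article or from vSync or iSoft: a toy model in Python of an AS2-style exchange in which the sender signs the purchase order and encrypts it for the receiver, the receiver verifies the sender and returns a signed receipt carrying the MIC, and the sender checks that receipt before filing it. The RSA primes, the 56-bit session key, the SHA-256 keystream cipher, the receipt format and the sample X12 segments are all constructed for illustration; a real AS2 deployment uses S/MIME with proper key sizes and padding, and the receipt is the AS2 MDN.

```python
import hashlib
import secrets

# Constructed, toy-sized RSA parameters (illustration only; nowhere near
# real key sizes). Each trading partner gets its own modulus.
SENDER_PRIMES = (1000000007, 998244353)
RECEIVER_PRIMES = (1000000009, 999999937)
E = 65537
SESSION_KEY_BYTES = 7  # a 56-bit key stays below both toy moduli


def keypair(primes):
    """Return (public, private) as (n, exponent) tuples."""
    p, q = primes
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def rsa_apply(value, key):
    n, exponent = key
    return pow(value, exponent, n)


def mic(payload):
    """Message Integrity Check: hash of the plaintext EDI document."""
    return hashlib.sha256(payload).hexdigest()


def sign(data, private_key):
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % private_key[0]
    return rsa_apply(digest, private_key)


def verify(data, signature, public_key):
    digest = int.from_bytes(hashlib.sha256(data).digest(), "big") % public_key[0]
    return rsa_apply(signature, public_key) == digest


def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream."""
    keystream = b""
    counter = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, keystream))


def send(payload, sender_private, receiver_public):
    """Sender side: sign the document, then encrypt it for the receiver."""
    session_key = secrets.token_bytes(SESSION_KEY_BYTES)
    return {
        "ciphertext": stream_xor(session_key, payload),              # privacy
        "wrapped_key": rsa_apply(int.from_bytes(session_key, "big"),
                                 receiver_public),
        "signature": sign(payload, sender_private),                 # authentication
    }


def receive(message, receiver_private, sender_public):
    """Receiver side: decrypt, verify the sender, and return a signed receipt
    that carries the MIC of what was actually received."""
    key_int = rsa_apply(message["wrapped_key"], receiver_private)
    session_key = key_int.to_bytes(SESSION_KEY_BYTES, "big")
    payload = stream_xor(session_key, message["ciphertext"])
    authentic = verify(payload, message["signature"], sender_public)
    status = "processed" if authentic else "failed/authentication-failed"
    receipt_body = f"{status}|{mic(payload)}".encode()
    receipt = {"body": receipt_body, "signature": sign(receipt_body, receiver_private)}
    return (payload if authentic else None), receipt


def accept_receipt(receipt, expected_mic, receiver_public):
    """Sender side: a receipt signed by the receiver whose MIC equals the
    sender's own MIC proves delivery and is retained for non-repudiation."""
    if not verify(receipt["body"], receipt["signature"], receiver_public):
        return False
    status, received_mic = receipt["body"].decode().split("|", 1)
    return status == "processed" and received_mic == expected_mic


def demo(tamper=False):
    """Run one exchange; returns (payload_delivered_intact, receipt_accepted)."""
    sender_public, sender_private = keypair(SENDER_PRIMES)
    receiver_public, receiver_private = keypair(RECEIVER_PRIMES)
    # Constructed sample: a few X12 850 purchase-order segments.
    purchase_order = (b"ST*850*0001~BEG*00*SA*PO12345**20060330~"
                      b"PO1*1*100*EA*2.50**UP*012345678905~SE*4*0001~")
    message = send(purchase_order, sender_private, receiver_public)
    if tamper:  # simulate corruption in transit
        altered = bytearray(message["ciphertext"])
        altered[10] ^= 0x01
        message["ciphertext"] = bytes(altered)
    payload, receipt = receive(message, receiver_private, sender_public)
    return (payload == purchase_order,
            accept_receipt(receipt, mic(purchase_order), receiver_public))


if __name__ == "__main__":
    print(demo(), demo(tamper=True))  # (True, True) (False, False)
```

Running `demo()` returns `(True, True)`: the order decrypted intact, the sender's signature verified, and the receipt's MIC matched the sender's own, so the sender can file the receiver-signed receipt as evidence of delivery. `demo(tamper=True)` returns `(False, False)`: the altered ciphertext no longer verifies against the sender's signature, the receiver reports the failure in its receipt, and the sender does not accept it. Note that the receipt only proves something because it is signed with a key the receiver alone holds; a shared-secret check (such as an HMAC) would give integrity but not nonrepudiation.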
Lauren Gibbons Paul is a Waban, Mass.-based writer and a contributor to the Microsoft Midsize Business Center.