The new reality of supply chain security
Updated: April 4, 2006
By Eric Schoeniger

As supply chain connections proliferate, supply chain security is a growing concern. Here
are some ideas about how to protect your business.
In summary:
• First, conduct a cost-benefit analysis for each area of supply chain security investment.
• Evaluate your risk at each of the five critical security layers: physical, network, host, application, and data.
• Look for network encryption, identity validation, and data protection capabilities in third-party software.
• Give any customizations to your system the same security controls as the packaged parts; the Microsoft .NET Framework can help.
• Don't underestimate the importance of collaborating with your supply chain partners on a security plan.
Not many years ago, electronic data interchange (EDI) was the only option for trading
partners who wanted to conduct e-commerce. For midsize companies, it was an expensive
option, although a necessary one if you wanted to do business with large enterprises. But
because EDI typically involved a one-to-one connection over a private, value-added network
with little or no human intervention, it was straightforward to secure.
Today, midsize businesses find themselves sharing information and conducting
electronic transactions with organizations throughout the supply network, from suppliers
to manufacturers to distributors to retailers. They're integrating systems with companies
both large and small, and they're setting up Web-based portals to manage supply chain
activities.
Increasingly, supply chain connections face a wide variety of threats, from the
corruption of data to the loss of trade secrets to the theft of customer information.
There are even cases in which criminals have intercepted and altered electronic manifests
to divert shipments. That places a premium on security.
"You need authentication of the users and systems that will access your environment.
You need authorization to specify what they can and cannot access. And you need protection
of the network links that connect those users and systems," says Robert Anderson, vice
president of small and midsize business applications for Gartner based in Atlanta, Ga.
"And you need to do that not for just one partner, but for multiple partners with
differing security profiles."
Examine your processes and needs
Supply chain security begins with a risk analysis of current processes to determine how
they will be affected by electronic connections (for example, when you purchase a supply
chain management system for the first time or add functionality to one). "If there's a
risk that users can make fraudulent procurement purchases, automating that process will
only make it easier for perpetrators," says Aaron Turner, senior security strategist for
Microsoft. So you may need to fix the business process itself before automating it and
adding security controls. To help you develop and implement a security risk management
program, Microsoft offers a Security Risk Management Guide.
One approach is to evaluate security risks at each of the five defense-in-depth layers of
security controls: physical, network, host, application, and data. Ask key questions about
your security needs at each layer: Will the supply chain system require a dedicated server?
Will the server be exposed to the Internet? Who will manage those Internet-facing
connections? How will transactions be safeguarded?
Likewise, conduct a cost-benefit analysis of planned security investments. "You
wouldn't spend a million dollars to protect assets worth only a dollar," Turner says. To
help you identify your security requirements, check out Microsoft's Security
Assessment Tool, specially designed for companies with fewer than 1,000
employees.
Evaluate software with security in mind
Once you've evaluated your business security needs, look for a supply chain solution
that delivers these controls:
• Network encryption. Applied above the data-link layer but below the application layer,
network encryption protects existing network services and applications without changing
them. For individual connections this is generally done with Secure Sockets Layer (SSL),
since superseded by its successor, Transport Layer Security (TLS); IP Security (IPsec)
protects all traffic between hosts or sites and suits large-scale deployments.
• Data protection. Covering transactions both in transit and in storage, this control
preserves the confidentiality and integrity of transaction data and so reduces the risk of
fraud, such as an altered manifest or purchase order.
• Identity validation. Certificates are effective for validating the identity of both
users and systems. Smart cards can store users' certificates, while Certificate Services
in the Microsoft Windows Server operating system, integrated with the Active Directory
service, can issue and manage certificates for systems.
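Putting the identity-validation and network-encryption controls together, here is an added example (not code from the original article or from any Microsoft product) of how a supplier-facing service can require a partner certificate over TLS and then map that certificate to a partner and the operations it may perform. It uses Python's standard `ssl` module; the partner registry, the operation names, the CA name and the sample certificate dictionary (in the shape `ssl.SSLSocket.getpeercert()` returns) are constructed for this example.

```python
"""Mutual TLS plus per-partner authorization for a supplier-facing service.

Added example. The partner registry, operation names, CA name and the sample
peer certificate below are constructed for illustration only.
"""
import ssl
import time

# Registry of who may connect and what each partner may do. Keyed by
# (issuer commonName, subject commonName) so that a certificate from any other
# CA, even one carrying a matching hostname, is rejected.
PARTNERS = {
    ("Example Supply Chain CA", "edi.acme-parts.example"):
        ("acme-parts", {"po.read", "asn.submit"}),
    ("Example Supply Chain CA", "portal.northwind-logistics.example"):
        ("northwind", {"manifest.read"}),
}


def hardened_context() -> ssl.SSLContext:
    """Server-side TLS context: TLS 1.2 or newer, client certificate mandatory.

    In production also call ctx.load_verify_locations(cafile=<partner CA bundle>)
    and ctx.load_cert_chain(<server cert>, <server key>). Both need files on disk,
    so they are left out here to keep the example runnable offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no SSLv3, TLS 1.0 or TLS 1.1
    ctx.verify_mode = ssl.CERT_REQUIRED            # handshake fails without a valid client cert
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Startup self-test: does the context enforce the two settings above?"""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3))


def _attr(name_seq, attr):
    """Pull one attribute (e.g. 'commonName') out of getpeercert()'s RDN tuples."""
    for rdn in name_seq:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def identify_partner(peercert, now=None):
    """Map a peer certificate (already verified by TLS) to (partner_id, allowed ops).

    Raises PermissionError if no certificate was presented, the certificate is
    outside its validity period, or it is not registered to a partner. OpenSSL has
    already rejected expired certificates during the handshake; the explicit check
    lets this function also vet stored certificates and run deterministically in tests.
    """
    if not peercert:
        raise PermissionError("no client certificate presented")
    now = time.time() if now is None else now
    if not (ssl.cert_time_to_seconds(peercert["notBefore"]) <= now
            <= ssl.cert_time_to_seconds(peercert["notAfter"])):
        raise PermissionError("certificate outside its validity period")
    key = (_attr(peercert["issuer"], "commonName"),
           _attr(peercert["subject"], "commonName"))
    if key not in PARTNERS:
        raise PermissionError(f"certificate {key} is not registered to a partner")
    return PARTNERS[key]


def authorize(peercert, operation, now=None) -> str:
    """Return the partner id if this certificate may perform `operation`, else raise."""
    partner, allowed = identify_partner(peercert, now)
    if operation not in allowed:
        raise PermissionError(f"{partner} is not allowed to {operation}")
    return partner


def is_authorized(peercert, operation, now=None) -> bool:
    """Boolean form of authorize() for callers that prefer not to catch exceptions."""
    try:
        authorize(peercert, operation, now)
        return True
    except PermissionError:
        return False


# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Acme Parts Inc"),),
                (("commonName", "edi.acme-parts.example"),)),
    "issuer": ((("organizationName", "Example Supply Chain CA"),),
               (("commonName", "Example Supply Chain CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2027 GMT",
    "serialNumber": "0A1B2C3D",
    "version": 3,
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")  # fixed clock
# Same subject, but issued by a CA we do not trust for partner access.
ROGUE_PEERCERT = dict(SAMPLE_PEERCERT, issuer=((("commonName", "Some Public CA"),),))

if __name__ == "__main__":
    print(context_is_hardened(hardened_context()))                  # True
    print(authorize(SAMPLE_PEERCERT, "asn.submit", SAMPLE_NOW))      # acme-parts
    print(is_authorized(SAMPLE_PEERCERT, "invoice.approve", SAMPLE_NOW))  # False
    print(is_authorized(ROGUE_PEERCERT, "asn.submit", SAMPLE_NOW))        # False
```

The point of keying the registry on the issuer as well as the subject is that the TLS layer only proves the certificate chains to some CA in your trust store; deciding which CA may vouch for which partner, and what each partner may do once identified, is an application decision and belongs in code you control.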
You might also invest in intrusion or anomaly detection, which inspects network
traffic for unusual behavior that might indicate misuse. Intrusion detection systems
popular at the time of writing include Cisco Secure IDS, eTrust Intrusion Detection, and
BlackICE Defender.
Be sure you can audit and log transactions from end to end. "Government regulations
will increasingly be a factor in supply chain connections," Anderson notes. "You'll have a
legal liability to audit transactions," Anderson says, "and keep a record of who had
access to which systems and data."
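The audit record Anderson describes is only worth keeping if the record itself can be trusted: an attacker who alters a manifest will also want to alter the log that shows who altered it. As an added example (not from the article or any Microsoft product), the following keeps an append-only transaction log in which each entry carries a keyed hash chained to the previous entry, so an altered, reordered or deleted entry shows up on verification. It uses only Python's standard library; the key, the record fields and the sample purchase order and manifest entries are constructed for illustration.

```python
"""Tamper-evident audit log for supply chain transactions (added example).

Each entry is MACed together with the MAC of the previous entry, so changing,
reordering or removing an entry breaks the chain from that point on. The key,
record fields and sample transactions below are constructed for illustration.
"""
import hashlib
import hmac
import json

# Constructed key. In practice it comes from a secret store or HSM owned by the
# audit function, not by the application that writes the records.
AUDIT_KEY = b"constructed-audit-key-not-for-production"
GENESIS = "0" * 64   # 'previous MAC' for the first entry


def _canonical(obj) -> bytes:
    """Stable serialization so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, seq: int, prev: str, record: dict) -> str:
    return hmac.new(key, _canonical({"seq": seq, "prev": prev, "record": record}),
                    hashlib.sha256).hexdigest()


def append_entry(log: list, record: dict, key: bytes = AUDIT_KEY) -> dict:
    """Append `record` (who did what, to which system and data) to the chain."""
    seq = len(log)
    prev = log[-1]["mac"] if log else GENESIS
    entry = {"seq": seq, "prev": prev, "record": record,
             "mac": _mac(key, seq, prev, record)}
    log.append(entry)
    return entry


def verify_log(log: list, key: bytes = AUDIT_KEY):
    """Return None if every entry is intact and correctly chained, otherwise the
    index of the first entry that fails (wrong position, broken link or bad MAC)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        expected = _mac(key, i, prev, entry["record"])
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["mac"])):
            return i
        prev = entry["mac"]
    return None


def sample_log(key: bytes = AUDIT_KEY) -> list:
    """Three constructed transactions as a partner portal might record them."""
    log = []
    append_entry(log, {"who": "buyer@midsize.example", "system": "scm",
                       "action": "po.create", "po": "PO-1001", "amount": 48000}, key)
    append_entry(log, {"who": "edi.acme-parts.example", "system": "edi-gateway",
                       "action": "manifest.submit", "shipment": "SH-77",
                       "destination": "Warehouse 3, Philadelphia"}, key)
    append_entry(log, {"who": "ops@northwind-logistics.example", "system": "portal",
                       "action": "manifest.read", "shipment": "SH-77"}, key)
    return log


def demo(key: bytes = AUDIT_KEY) -> dict:
    """What verification reports for an intact, an altered and a truncated log."""
    intact = sample_log(key)

    altered = sample_log(key)
    # Someone redirects the shipment after the fact (the manifest-diversion case).
    altered[1]["record"]["destination"] = "Unit 9, Newark"

    deleted = sample_log(key)
    del deleted[1]          # remove the manifest submission entirely

    return {"intact": verify_log(intact, key),
            "altered": verify_log(altered, key),
            "deleted": verify_log(deleted, key)}


if __name__ == "__main__":
    print(demo())   # {'intact': None, 'altered': 1, 'deleted': 1}
```

The chain detects alteration, reordering and deletion inside the history, but not removal of the most recent entries, and not wholesale rewriting by someone who holds the key. Anchor the latest MAC and entry count somewhere the application cannot write (a write-once store, or a daily signed digest exchanged with the partner), and keep the key away from the system that produces the records.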
Full-featured supply chain systems such as Microsoft's supply chain management applications
incorporate many of these protection mechanisms. This is one advantage that packaged
applications have over custom-built solutions: with legacy and custom applications, every
security requirement is left to your IT staff to implement and manage.
Some experts also see an additional benefit in enterprise resource planning (ERP) and
supply chain management (SCM) systems that include the core business
functions. Processes such as procurement, manufacturing, and logistics should be in the
same system to minimize the need for interfaces to external systems, according to Richard
Bonnor, a supply chain specialist for Microsoft partner Tectura Corp., based in
Copenhagen, Denmark. "To the extent you can use a single packaged solution for all supply
chain and manufacturing processes, you can avoid complexity and achieve a higher level of
security [enhancements]," Bonnor explains.
Minimize your risk in custom development
Beyond installing and connecting supply chain systems, midsize companies are
increasingly building supplier portals to provide visibility into their operations. Such
portals often involve customization, which can also require customized security controls.
"There's often a lot of customization of portal views and access levels," Anderson points
out. "In these cases, you may need to purchase or develop [the appropriate] security
mechanisms."
Supply chain applications developed on the Microsoft .NET Framework can be readily
configured to use these controls. For example, you can take advantage of the Web Services
Security (WS-Security) specification for message authentication, confidentiality, and
integrity. Unlike SSL, which protects only a single point-to-point connection, WS-Security
protects each message itself, so the protection survives intermediaries such as brokers
and portals, and you can sign or encrypt only the parts of a message that need it.
WS-Security accommodates a wide variety of security models and encryption technologies.
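To make the transport-versus-message distinction concrete, here is an added example (not from the article, and not an implementation of WS-Security itself, which applies XML Signature and XML Encryption to SOAP headers) that keeps WS-Security's structure, a security header carrying a timestamp, a message id and a signature over the body, in a small JSON envelope protected with an HMAC key shared with each partner. It shows a message passing through a portal that terminates TLS and adds routing data yet still verifying at the receiver, and an altered, replayed or stale message being rejected. Partner names, keys, the validity window and the sample shipment notice are constructed.

```python
"""Message-level security in the spirit of WS-Security (added example, simplified).

The signature covers the header and body, not the transport, so it is still
verifiable after an intermediary re-terminates TLS and forwards the message.
Partner keys, the time window and the sample shipment notice are constructed.
"""
import hashlib
import hmac
import json

# Per-partner shared secrets (constructed). WS-Security proper would use X.509
# certificates and XML Signature here; the verification flow is the same.
PARTNER_KEYS = {
    "acme-parts": b"constructed-key-acme",
    "northwind": b"constructed-key-northwind",
}
MAX_AGE = 300   # seconds a message stays valid (cf. WS-Security Timestamp Created/Expires)


def _canonical(obj) -> bytes:
    """Stable serialization so sender and receiver hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_message(partner: str, body: dict, created: int, message_id: str) -> dict:
    """Build a signed envelope: security header + body + signature over both."""
    header = {"partner": partner, "created": created,
              "expires": created + MAX_AGE, "message_id": message_id}
    sig = hmac.new(PARTNER_KEYS[partner], _canonical({"header": header, "body": body}),
                   hashlib.sha256).hexdigest()
    return {"header": header, "body": body, "signature": sig}


def verify_message(envelope: dict, now: int, seen_ids: set) -> tuple:
    """Receiver-side check. Returns (True, partner) or (False, reason)."""
    header, body = envelope["header"], envelope["body"]
    key = PARTNER_KEYS.get(header.get("partner"))
    if key is None:
        return False, "unknown partner"
    expected = hmac.new(key, _canonical({"header": header, "body": body}),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope.get("signature", "")):
        return False, "signature mismatch"        # body or header altered in transit
    if not (header["created"] <= now <= header["expires"]):
        return False, "stale or future-dated"     # outside the validity window
    if header["message_id"] in seen_ids:
        return False, "replay"                    # same message delivered twice
    seen_ids.add(header["message_id"])
    return True, header["partner"]


def portal_forward(envelope: dict) -> dict:
    """An intermediary (e.g. a supplier portal) that terminated the sender's TLS
    session and re-sends over its own. It may add routing data around the envelope
    but cannot change the signed content without detection."""
    return {"routing": {"hop": "portal.midsize.example", "queue": "inbound-asn"},
            **envelope}


# Constructed sample: an advance shipment notice from a parts supplier.
SAMPLE_BODY = {"type": "ASN", "po": "PO-1001", "shipment": "SH-77",
               "destination": "Warehouse 3, Philadelphia", "qty": 400}
SAMPLE_TIME = 1_700_000_000


def demo() -> dict:
    """Outcomes for the cases a receiver must handle."""
    seen = set()
    msg = sign_message("acme-parts", SAMPLE_BODY, SAMPLE_TIME, "msg-0001")

    # Forwarded through the portal: transport changed, signature still valid.
    forwarded = verify_message(portal_forward(msg), SAMPLE_TIME + 5, seen)

    # Portal (or anyone on the path) rewrites the destination to divert the shipment.
    diverted = portal_forward(msg)
    diverted["body"] = dict(SAMPLE_BODY, destination="Unit 9, Newark")
    altered = verify_message(diverted, SAMPLE_TIME + 5, seen)

    # The genuine message delivered a second time.
    replay = verify_message(portal_forward(msg), SAMPLE_TIME + 10, seen)

    # A genuine message arriving after its Expires time.
    late = sign_message("acme-parts", SAMPLE_BODY, SAMPLE_TIME, "msg-0002")
    stale = verify_message(late, SAMPLE_TIME + MAX_AGE + 1, seen)

    return {"forwarded": forwarded, "altered": altered, "replay": replay, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

In WS-Security the same roles are played by the wsu:Timestamp element, a ds:Signature over the body and timestamp and, for confidentiality, XML Encryption of selected body elements; an asymmetric signature additionally lets the receiver prove to a third party which partner sent the message, which a shared HMAC cannot. The `seen_ids` store must be persistent and shared across all receiver instances, and it only needs to retain ids for the validity window.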
The Microsoft XML Developer Center offers the latest techniques for helping to ensure
the integrity of XML data, and the Microsoft TechNet Security Center provides guides for
securing and operating database and messaging systems.
Involve partners
Midsize businesses are often at the crossroads of multiple supply chains. You might
need to connect with or provide visibility to suppliers, vendors, manufacturers, logistics
providers, and retailers. If you're a distributor, you're probably providing services to
organizations throughout the supply network. Securing the supply chain requires
coordination among all these parties. "Draw in your trading partners so that security
becomes a joint endeavor and decisions are made in a way that gives everyone the
opportunity to participate," Anderson says.
Provide partners with clear guidance about your security requirements. And make sure
they have an opportunity to provide feedback or bring up concerns. Have them complete a
security questionnaire that enables you to evaluate their security profile and document
who will be authorized to access what resources. Even better, ask your partners to submit
to a third-party security audit. Finally, consider having your lawyers craft a contract or
memo of understanding regarding the security policies for supply chain connections.
Ultimately, security must be driven by policy. "Security policy needs to
be clearly documented and communicated to everyone involved," Turner says. Focus on what
you can realistically monitor and enforce, and develop a detailed response plan.
Then practice. "We have customers who call Microsoft after a security incident seeking
assistance," Turner relates. "They tell us that they have a response plan, but no one took
the time to make sure it could be implemented."
Finally, keep an eye on the future. "When developing security policies and procedures
for your supply chain systems, don't just focus on the current state and time," Anderson
concludes. "What will your customers need? Where are government regulations heading? You
need security mechanisms in place to meet your needs today. But you also need your
security policy to be flexible enough to support your business in the future."
Eric Schoeniger is a Philadelphia-based writer and a contributor
to the Microsoft Midsize Business Center.