How B2B Gateways Affect Corporate Information Security
by David Walling - CTO of nuBridges - Wednesday, 13 August 2008.
Absolute risks
  • Capability: How effectively will the gateway handle the functions most important to your operation? How well will it conform to your enterprise’s published performance standards?
  • Platform support: How efficient will the technology be within your hardware/operating system environment? Is it certified to meet your corporate production requirements?
  • Compliance: If you must comply with corporate or industry regulations—HIPAA, GLB, Sarbanes-Oxley, and PCI, for example—does the system meet those standards and support timely, efficient compliance reporting?
Relative risks

Relative risk factors relate to the cost of acquiring, installing, operating and maintaining the system. The right gateway choice for your company is the one that delivers the most value per dollar compared to 1.) other options in the marketplace; and 2.) the importance of the following factors within your operation:
  • Performance: Better-performing systems consume less CPU, disk and memory resources. They are typically a better long-term buy for two more reasons: corporate traffic almost always increases rather than decreases, and a robust gateway can reduce (or redistribute) overall loads so your existing infrastructure can accommodate more traffic.
  • Reliability: By definition, gateways are expected to be highly available. How well will the system scale in large, clustered implementations? How quickly can it recover from exceptional conditions, including component failure?
  • Ease of implementation: The more quickly the gateway can be installed and put into production, the better the odds for rapid adoption and support by the enterprise.
  • Ease of use: The most vocal proponents (or critics) of any system are usually the people responsible for its day-to-day operation. Usability promotes user adoption and delivers tangible benefits such as fewer input errors and faster, more effective reporting. From an operations standpoint, a system that can be readily modified and reconfigured requires shorter maintenance windows.
Typical stages of corporate information security

The fundamentals of securing corporate data don’t change. At the most basic level, they boil down to restricting access, applying safety measures to the data itself, and making duplicates in case the original is lost or corrupted.

The operational context for these fundamentals, however, is constantly evolving. Most enterprises go through four stages of integrating information security into their core business processes.

Stage #1: The Fortress

At this stage, the enterprise protects data by building a wall around it. Information within this fortress is not encrypted, and the data transfer mechanisms aren’t necessarily secure. Protection consists of restricting physical access to campuses and data centers and requiring passwords for log-in. Database passwords are often left at default values or are widely known and rarely changed, since all the data is "internal" anyway. In this scenario, the safety of all data is essentially equivalent and completely dependent on physical safeguards. Security is not intrinsic to either the data or business process.

Stage #2: The Private Line

At this stage, the company embraces the "private line" or "secure tunnel" for inter-enterprise data exchange. This link is secure, but no assumptions are made about protection beyond the link, and a breach in the link will expose all in-transit data. Business processes at either end of the link expect data in its native format. Security is not intrinsic to either the data or business processes.

Stage #3: Security Off the Wire

The third evolutionary stage infuses protection higher in the protocol stack. The application-layer software encrypts data using features within a broader software suite, or through a separate security product integrated into the overall business information process. Data transformation for the sake of security is only applied when necessary.

This stage takes security "off the wire" and allows the use of non-dedicated (but intrinsically less secure) networks like the Internet. Data protection may be oriented toward the document itself, treating each discrete document as an independently secured message, or toward the session layer (SSL and TLS). In the latter case, security parameters are established between two end-points and applied to one or more discrete documents passing over the session.

At this stage, data protection is disengaged from the lower, physical or data-link layers. This takes the safety burden off the network’s shoulders. But engaging security at the application layer makes information safety beholden to the prerogatives of the business process. Disparate applications may provide different, and possibly wholly incompatible, data security schemes. These differences make secure data transfer between heterogeneous systems across a public network a formidable integration challenge.

Stage #4: The B2B Gateway

At this stage the corporation recognizes the value of a single subsystem for reliable, interoperable, secure data transfer over relatively low-cost public networks. Within the centralized architecture, all applications conform to the corporate security policy. Adaptive gateway interfaces make application integration relatively simple. Ongoing gateway operations can be easily monitored and exceptional conditions reported immediately.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th