366
A Practical Guide to Security Assessments
ARCHITECTURE
8. What is the method of connection between the company and the B2B partner and what security measures are in place to ensure that the connection is secure? If information is sent across the Internet, how is it secured?
Guidance:
At one time, EDI was the primary way that B2B transactions were performed, and those transactions were secured through a Value Added Network (VAN). Today, the Internet is leveraged for B2B transactions, and Virtual Private Networks (VPNs) and other security architectures are used to secure them. In this question, we are concerned with ensuring that the transmittal of information from one business partner to another is secure. This question should prompt a detailed review of the transaction process flow and of the architecture, to confirm that data is protected in transit. Ideally, security should have been considered up front during the initial architecture design phase, because redesigning later can become expensive and cause a service disruption. Some architecture-related issues to consider are:
• Encryption of information during transport — Appropriate levels of encryption should be used based on the nature of the connection and the sensitivity of the information being transmitted.
• Digital certificates — Trading partners should agree on architecture details related to encryption and signing. This will enable the senders and receivers to authenticate the trading partner.
• Authentication — Reasonable authentication measures should be used based on the nature of the B2B relationship. Where very sensitive information is being accessed, strong authentication measures should be considered.
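As an added illustration that is not from the book, the three architecture points above can be turned into a check a reviewer runs against the server-side TLS context that terminates the trading partner's connection. The sensitivity tiers, protocol floors and the two context builders are assumed for the example, not taken from the book.

```python
import ssl

# Assumed policy tiers (not from the book): the more sensitive the data, the
# higher the protocol floor and the stronger the partner authentication.
POLICY = {
    "general":   {"min_tls": ssl.TLSVersion.TLSv1_2, "client_cert": ssl.CERT_OPTIONAL},
    "sensitive": {"min_tls": ssl.TLSVersion.TLSv1_3, "client_cert": ssl.CERT_REQUIRED},
}


def audit_b2b_context(ctx: ssl.SSLContext, sensitivity: str) -> list[str]:
    """Return findings for a server-side TLS context measured against a tier."""
    policy = POLICY[sensitivity]
    findings = []
    # Encryption during transport: the protocol floor decides which cipher
    # suites can be negotiated at all.
    if ctx.minimum_version < policy["min_tls"]:
        findings.append(
            f"protocol floor {ctx.minimum_version.name} is below {policy['min_tls'].name}"
        )
    # Digital certificates / authentication: CERT_REQUIRED makes the handshake
    # fail unless the partner presents a certificate chaining to a trusted CA.
    if ctx.verify_mode < policy["client_cert"]:
        findings.append(
            f"partner authentication {ctx.verify_mode.name} weaker than {policy['client_cert'].name}"
        )
    return findings


def weak_partner_context() -> ssl.SSLContext:
    # A quick deployment: library defaults and no certificate demanded from the partner.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_partner_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED
    # In deployment also call ctx.load_cert_chain(...) for the company's own
    # identity and ctx.load_verify_locations(...) with the partner CA bundle,
    # so that "required" has a trust anchor to verify against.
    return ctx


if __name__ == "__main__":
    for label, ctx in (("weak", weak_partner_context()), ("hardened", hardened_partner_context())):
        print(label, audit_b2b_context(ctx, "sensitive") or ["no findings"])
```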
Risk:
The risk associated with insecure transmittal of data varies based on the nature of the data being transmitted. If sensitive information, such as competitive pricing information or customer-related information, is not secured during transmission, a risk exists that sensitive information may be compromised and get into the wrong hands.
Client Response:
9. How are network perimeter security issues handled — i.e., how does the company ensure that the network traffic from the business partner is legitimate? How is B2B traffic authenticated?
AU1706_book.fm Page 366 Tuesday, August 17, 2004 11:02 AM