Augmenting in-house B2B purchasing processes with client-side PKI

The Enterprise: “Before”

Diagram labels: Internet Browser (UserID: John, Password: *****); Employee; Enterprise Purchasing System (e.g. SAP); server-only authenticated HTTPS channel; inbound order-requests in “web-format”; outbound orders; “community defined” security, transport, and message format; weak authentication.

Employees create order-requests in interactive sessions with the purchasing system, which keeps a register of permissible products and suppliers. The purchasing system receives and validates incoming order-requests from employees. Often the purchasing process also requires a manager’s attestation for an order to become authorized. When an order-request is considered “ready” by the purchasing system, it is automatically converted into a purchase-order in a format that the selected supplier “understands”. After this step, the purchase-order is typically archived and eventually sent to the supplier for fulfillment. That is, it is the purchasing system (applying the enterprise-wide purchasing rules) that is the actual order submitter, not the employee. A purchase-order is usually identified as coming from the enterprise, with the original requester as a reference (in a purchase-order field). The reference may also be only a cost center etc., as purchase-orders are not considered “personal”. Order authorization is thus handled as an entirely internal business of the enterprise, for all but “unusual” or extremely high-value orders. The latter are, though, very seldom handled by purchasing systems.

The Enterprise: “After”

Diagram labels: Internet Browser with “Web Sign” support; Employee; Enterprise Purchasing System (e.g. SAP); mutually authenticated HTTPS channel; inbound order-requests in “signed web-format”; outbound orders; “community defined” security, transport, and message format; + strong authentication; + digitally signed order-requests and authorizations; signature archival.

The purchasing system essentially does the same things as it did before PKI support was introduced, with the addition that requesters’ and attestants’ signatures are stored together with their associated tasks or messages.

Note: These signatures stay within the enterprise borders, as they are only intended for improving and securing internal processes. Due to this, the interface between buyers and suppliers is unaffected by the introduction of client-side PKI. That is, this part can evolve at its own pace, making migration smoother than if all pieces had to be changed in one huge step, and for all involved parties (the “flag day” approach).

A. Rundgren, RSA Security, V0.2, 2006
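The “After” flow sketched above, as an added example; this is not code from the deck, its author or RSA Security. It models the three internal pieces the deck introduces: the employee’s “Web Sign” signature over the order-request, the manager’s attestation signed over the request plus the requester’s signature, and the purchasing system’s validation (signatures first, then the register of permissible suppliers and products) before anything is converted into a supplier purchase-order. The JSON field names, the `register` contents and the use of raw P-256 ECDSA keys in place of client certificates are assumptions of this example; `ServerTLSConfig` shows the Go standard-library setting that turns a server-only authenticated HTTPS channel into a mutually authenticated one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
)

// OrderRequest is a constructed, hypothetical "signed web-format" order-request;
// the field set is an assumption for this example, not a format from the deck.
type OrderRequest struct {
	Requester  string `json:"requester"`
	CostCenter string `json:"cost_center"`
	Supplier   string `json:"supplier"`
	Product    string `json:"product"`
	Quantity   int    `json:"quantity"`
}

// SignedRequest is the archived record: canonical request bytes, the requester's
// signature, and (after attestation) the manager's signature over request||ReqSig.
type SignedRequest struct {
	Request, ReqSig, AttestSig []byte
}

// register stands in for the enterprise-wide list of permissible suppliers and products (constructed).
var register = map[string][]string{"ACME": {"toner", "paper"}}

// NewKey generates a P-256 key pair; in a deployment the keys come from client certificates.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

func signBytes(key *ecdsa.PrivateKey, data []byte) ([]byte, error) {
	h := sha256.Sum256(data)
	return ecdsa.SignASN1(rand.Reader, key, h[:])
}
func verifyBytes(pub *ecdsa.PublicKey, data, sig []byte) bool {
	h := sha256.Sum256(data)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// attestedBytes is what the manager signs: the request plus the requester's signature,
// so the attestation is bound to exactly what the requester signed.
func attestedBytes(s *SignedRequest) []byte {
	return append(append([]byte{}, s.Request...), s.ReqSig...)
}

// RequesterSign models the browser-side "Web Sign" step.
func RequesterSign(key *ecdsa.PrivateKey, r OrderRequest) (*SignedRequest, error) {
	data, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	sig, err := signBytes(key, data)
	if err != nil {
		return nil, err
	}
	return &SignedRequest{Request: data, ReqSig: sig}, nil
}

// Attest models the manager's authorization of an order-request.
func Attest(key *ecdsa.PrivateKey, s *SignedRequest) error {
	sig, err := signBytes(key, attestedBytes(s))
	if err != nil {
		return err
	}
	s.AttestSig = sig
	return nil
}

// Validate is the purchasing-system side: both signatures must verify against the
// known public keys, then the ordinary purchasing rules apply before the request
// is converted into a supplier purchase-order.
func Validate(reqPub, mgrPub *ecdsa.PublicKey, s *SignedRequest) error {
	if !verifyBytes(reqPub, s.Request, s.ReqSig) {
		return fmt.Errorf("requester signature invalid")
	}
	if s.AttestSig == nil || !verifyBytes(mgrPub, attestedBytes(s), s.AttestSig) {
		return fmt.Errorf("missing or invalid attestant signature")
	}
	var r OrderRequest
	if err := json.Unmarshal(s.Request, &r); err != nil {
		return err
	}
	for _, p := range register[r.Supplier] {
		if p == r.Product && r.Quantity > 0 {
			return nil
		}
	}
	return fmt.Errorf("supplier/product %q/%q not in register", r.Supplier, r.Product)
}

// ServerTLSConfig is the "mutually authenticated HTTPS channel": clients without
// a certificate chaining to clientCAs are refused at the TLS layer.
func ServerTLSConfig(clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
}
```

The archived `SignedRequest` is what gives the internal process its audit value: the requester’s signature covers the order-request, and the manager’s signature covers that request together with the requester’s signature, so neither party’s record can be altered after the fact without one of the two checks in `Validate` failing. The supplier-facing purchase-order is produced only after `Validate` succeeds and carries none of this material, which is why the buyer-supplier interface is untouched.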