Is SSL Enough For B2B Transactions?

The e-business revolution has taken off, and companies are looking to provide the most secure and efficient e-commerce capabilities.

Companies looking to become proficient ine-commerce want the best new technologies that bring them closer to their customers and make supplier interactions more efficient.

Imagine orders coming in through the Internet, bills of lading being sent out to suppliers, making a business a holistic well-oiled machine while increasing profits, solidifying customer relationships and managing suppliers.

That’s what it’s all about.

Many organizations put up a Web page and start selling product. This is straightforward and low risk when selling directly to consumers. The risk is borne when credit companies become part of the transaction.

Yet, it’s the business-to-business (B2B) aspects that are most interesting, profitable and efficient, taking large orders from strategic customers and ordering from suppliers online without human intervention to waste time or make errors.

The need for supply chains to minimize inventory and reduce cycle times becomes important when doing online business. However, this involves access to a company’s most confidential and proprietary data — the data that drives business.

If a company makes computer chips, for example, it would be great if customers could access the company’s systems and project orders for the number of chips they need next month.

Then the company’s ERP systems could crank the numbers, smoothing the manufacturing process, procuring the raw materials and finally providing an availability date to the customer. This process results in a high quality of service, which forms an allegiance between the customer and the computer chip company, preventing the customer from going somewhere else to do business.

Secure Environment

But what happens if a customer gains access to order data that isn’t their own? What if suppliers can determine how much a company is ordering from them and their competition, and at what prices?

These are some of the significant risks involved when conducting business on the Internet and this is why creating a secure environment for all online transactions is essential for successful business-to-business electronic commerce.

Most of today’s security investments are for secure connections, security implemented at the network layer. Using encryption ensures the data cannot be snooped in transit and this is done with a few server certificates, and SSL on the Web servers.

After ensuring that the company’s firewall is tightly configured and implementing some intrusion detection software to prevent against hacking, companies feel that their network borders are fortified and executives sleep well.

Unfortunately, securing the network borders is not enough.

Secure connections only partially secure transactions and SSL only secures the connection to the Web server. There are no methods to secure real time access to manufacturing, logistical, financial and knowledge management systems. Questions and doubts arise. Companies wonder if the Intranet is safe? What about the application, are the right parties getting in? Is there an audit trail to keep record of who is accessing data and when?

Conducting online business requires more sophisticated security than a secure connection provided by SSL. Companies must make the jump to secure transactions. And the key to secure transactions is the digital signature.

Public Key Infrastructure

Public key cryptography powers SSL. Yet, SSL only scratches the surface of what Public Key Infrastructure (PKI) can do.

The ability to “sign” a document (or transaction) electronically using a digital certificate (which acts as an electronic passport) enables safe, secure e-business.

Strategically, using this capability allows an organization to validate the identity of a party accessing critical data while also ensuring that a binding transaction took place. All of this is done by leveraging digital signatures.

Yet, in order to take advantage of these functions, applications must become PKI-ready.

However, applications are unable to use digital certificates for authentication, encryption, integrity or non-repudiation. This additional level of security must be implemented into the application using a toolkit to integrate the right security functions at the right time, ensuring the proper signature is added to a transaction or the right data is encrypted to prevent hacking.

Or the security can be integrated into the application using an enabling technology, such as Public Key Enabler Software, which integrates digital certificate services into enterprise ERP, human resources and knowledge management applications.

Or not. Due to the fact that custom PKI integration is costly and time consuming, many companies probably won’t do anything. Instead, they will take the risk, relying on the secure connection to keep proprietary data safe. The choice is left to the individual company and since the business benefits far outweigh the risks, many companies will choose to open up the data.

But the question must be asked: Is SSL enough?