e0caebe123c01e6b2cdb69b92cf63a9e.ppt
- Number of slides: 1
Augmenting in-house B2B purchasing processes with client-side PKI

“Before” (diagram labels)
- The Enterprise (boundary)
- Internet Browser
- Employee
- Server-only authenticated HTTPS channel (User ID: John, Password: *****)
- Weak Authentication
- Enterprise Purchasing System (e.g. SAP)
- Inbound order-requests in “web-format”
- Outbound orders
- “Community defined” security, transport, and message format

Employees create order-requests in interactive sessions with the purchasing system, which keeps a register of permissible products and suppliers. The purchasing system receives and validates incoming order-requests from employees. Often the purchasing process also requires a manager’s attest for an order to become authorized. When an order-request is considered “ready” by the purchasing system, it is automatically converted into a purchase-order in a format the selected supplier “understands”. After this step, the purchase-order is typically archived and eventually sent to the supplier for fulfillment. That is, it is the purchasing system (applying the enterprise-wide purchasing rules), not the employee, that is the actual order submitter. A purchase-order is usually identified as coming from the enterprise, with the original requester as a reference (in a purchase-order field). The reference may also be only a cost center etc., as purchase orders are not considered “personal”. Order authorization is thus handled as an entirely internal business of the enterprise, for all but “unusual” or extremely high-value orders. The latter, though, are very seldom handled by purchasing systems.

“After” (diagram labels)
- The Enterprise (boundary)
- Internet Browser with “Web Sign” support
- Employee
- Mutually authenticated HTTPS channel
- + Strong Authentication
- + Digitally Signed order-requests and authorizations
- Enterprise Purchasing System (e.g. SAP)
- Inbound order-requests in “signed web-format”
- Signature archival
- Outbound orders
- “Community defined” security, transport, and message format

The purchasing system essentially does the same things as it did before PKI support was introduced, with the addition that requesters’ and attestants’ signatures are stored together with their associated tasks or messages. Note: these signatures stay within the enterprise borders, as they are only intended for improving and securing internal processes. Due to this, the interface between buyers and suppliers is unaffected by the introduction of client-side PKI. That is, this part can evolve at its own pace, making migration smoother than if all pieces had to be changed in one huge step, and for all involved parties (the “flag day” approach).

A. Rundgren, RSA Security, V0.2, 2006
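The “After” flow above, as an added example that is not part of the original slide or of any product it names: a small Go model of the purchasing system receiving a signed order-request, verifying the requester’s signature and a manager’s attestation against an enterprise key directory (a constructed stand-in for the enterprise PKI), checking the product/supplier register, archiving the request with its signatures, and then emitting a supplier-facing purchase order that carries the enterprise as submitter and the requester only as a reference, with no signatures. All names, keys, products and the JSON field set are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// OrderRequest is the employee's internal order-request (constructed field set).
type OrderRequest struct {
	ID, Requester, CostCenter, Product, Supplier string
	Quantity                                    int
}

// SignedRequest is what reaches the purchasing system in "signed web-format":
// the canonical request bytes plus the requester's and the attestant's signatures.
type SignedRequest struct {
	Payload                    []byte
	Requester, Attestant       string
	RequesterSig, AttestantSig []byte
}

// PurchaseOrder is the supplier-facing document: the enterprise is the
// submitter, the employee appears only as a reference, and no signatures travel.
type PurchaseOrder struct {
	Submitter, Reference, Product, Supplier string
	Quantity                                int
}

// Directory stands in for the enterprise PKI (assumption): employee -> public key,
// plus which employees are managers permitted to attest.
type Directory struct {
	Keys     map[string]*ecdsa.PublicKey
	Managers map[string]bool
}

// PurchasingSystem keeps the register of permissible products/suppliers and
// archives validated requests together with their signatures.
type PurchasingSystem struct {
	Permitted map[string]string // product -> the supplier it may be bought from
	Archive   map[string]SignedRequest
}

func sign(priv *ecdsa.PrivateKey, payload []byte) []byte {
	h := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verify tolerates an unknown signer (nil key) and simply reports failure.
func verify(pub *ecdsa.PublicKey, payload, sig []byte) bool {
	h := sha256.Sum256(payload)
	return pub != nil && ecdsa.VerifyASN1(pub, h[:], sig)
}

// Process validates, archives, and converts one signed order-request.
func (ps *PurchasingSystem) Process(sr SignedRequest, dir Directory) (PurchaseOrder, error) {
	var req OrderRequest
	if err := json.Unmarshal(sr.Payload, &req); err != nil {
		return PurchaseOrder{}, err
	}
	if req.Requester != sr.Requester || !verify(dir.Keys[sr.Requester], sr.Payload, sr.RequesterSig) {
		return PurchaseOrder{}, errors.New("requester signature does not verify")
	}
	if !dir.Managers[sr.Attestant] || sr.Attestant == sr.Requester {
		return PurchaseOrder{}, errors.New("attestant is not a manager distinct from the requester")
	}
	if !verify(dir.Keys[sr.Attestant], sr.Payload, sr.AttestantSig) {
		return PurchaseOrder{}, errors.New("attestation signature does not verify")
	}
	if ps.Permitted[req.Product] != req.Supplier {
		return PurchaseOrder{}, fmt.Errorf("%s from %s is not in the register", req.Product, req.Supplier)
	}
	ps.Archive[req.ID] = sr // signatures stay inside the enterprise
	return PurchaseOrder{Submitter: "Example Enterprise (constructed)", Reference: req.CostCenter + "/" + req.Requester,
		Product: req.Product, Supplier: req.Supplier, Quantity: req.Quantity}, nil
}

// DemoResult collects the outcomes of the three constructed runs below.
type DemoResult struct {
	Order                            PurchaseOrder
	ValidErr, TamperedErr, AttestErr error
	Archived                         bool
}

// Demo runs the flow on constructed keys and data: one valid request, one whose
// payload was altered after signing, and one attested by the requester himself.
func Demo() DemoResult {
	keys := map[string]*ecdsa.PrivateKey{}
	dir := Directory{Keys: map[string]*ecdsa.PublicKey{}, Managers: map[string]bool{"Mary": true}}
	for _, name := range []string{"John", "Mary"} {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		keys[name], dir.Keys[name] = k, &k.PublicKey
	}
	ps := &PurchasingSystem{Permitted: map[string]string{"Laptop": "ACME Supplies"}, Archive: map[string]SignedRequest{}}
	req := OrderRequest{ID: "OR-1001", Requester: "John", CostCenter: "CC-42", Product: "Laptop", Supplier: "ACME Supplies", Quantity: 2}
	payload, _ := json.Marshal(req)
	sr := SignedRequest{Payload: payload, Requester: "John", RequesterSig: sign(keys["John"], payload),
		Attestant: "Mary", AttestantSig: sign(keys["Mary"], payload)}
	var res DemoResult
	res.Order, res.ValidErr = ps.Process(sr, dir)
	_, res.Archived = ps.Archive["OR-1001"]
	tampered := sr // quantity changed after both signatures were made
	tampered.Payload = []byte(`{"ID":"OR-1001","Requester":"John","CostCenter":"CC-42","Product":"Laptop","Supplier":"ACME Supplies","Quantity":200}`)
	_, res.TamperedErr = ps.Process(tampered, dir)
	selfAttested := sr // requester attests his own request
	selfAttested.Attestant, selfAttested.AttestantSig = "John", sign(keys["John"], payload)
	_, res.AttestErr = ps.Process(selfAttested, dir)
	return res
}

func main() {
	r := Demo()
	fmt.Printf("order: %+v\nvalid: %v\ntampered: %v\nself-attested: %v\n", r.Order, r.ValidErr, r.TamperedErr, r.AttestErr)
}
```

The purchase order that leaves the enterprise contains no employee signatures, which is the point of the slide’s note: the supplier-facing format and transport are unchanged, while the requester’s and attestant’s signatures are archived internally with the request they authorize. In a real deployment the key directory would be the enterprise CA and employee certificates, and the canonical payload would be the agreed “signed web-format” rather than plain JSON.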