When you use the Internet to sell your old golf clubs, you've got two security challenges: making sure that the person you're selling to is trustworthy, and making sure that others don't try to steal your data while you're doing the transaction.
Now imagine that instead of a person selling golf clubs, you're Boeing, and you want to use the Internet to share the plans to a top-secret warplane with one of your business partners.
That's the challenge faced every day by Exostar, the online B2B community that serves the aerospace and defense industries. For more than a decade, Exostar has been linking aerospace companies like Lockheed Martin, BAE, and Rolls Royce with government agencies, allowing them to securely transact purchases and do collaborative projects.
Exostar's collaborative environment provides the infrastructure that allows aerospace companies to work together over the Web, but the question of certifying an individual's identity -- ensuring that they are who they say they are, and that they have the rights to access specific applications and capabilities in the community or on a member company's systems -- has been a tricky one.
Next week, however, Exostar will launch a new capability, the Federated Identity Service, that does the process of "credentialing" on behalf of Exostar's members, ensuring that individuals that attempt to use the systems of the community or its members are who they say they are -- and are authorized to use the systems they are trying to access.
The FIS service will essentially replace many of the security processes that most companies outside the community must do on a bilateral basis with their trading partners. For example, Exostar will verify the location and the identity of an individual who attempts to log on, and ensure that their connection is secure. Exostar's systems will also ensure that the individual has access rights to the applications they are using, as defined by contracts and access privileges defined by its member companies.
Using PKI technology, Exostar also encrypts the communications between the individual and the member company, and dates and timestamps all communications and transactions to ensure that they are authentic and to provide an audit trail for assessors and legal authorities.
With FIS, Exostar resolves many of the security issues faced by supply chains that want to do business online. Back in the heyday of Internet fever, many industries and organizations attempted to build "B2B exchanges" and online communities, using the successful eBay as a model. In the end, however, few succeeded, partly because eBay's trust model was insufficient to secure high-dollar business transactions and collaboration.
"The key for a community like this is to define who you are," says Vijay Takanti, vice president and security program director at Exostar, which serves more than 40,000 companies worldwide. "There has to be a standard for certifying your identity and to verify that I have a contract with you. If you can't do that, all the other capabilities of the community are useless."
In essence, Exostar's PKI certificates allow users to come and go into authorized systems of their trading partners, much as a passport allows a person to be authenticated and tracked in the physical world. The system is significantly cheaper than bilateral exchanges of certificates or multifactor authentication schemes such as smart cards.
"We're linking over 40,000 members, so we can achieve economies of scale that no one company could achieve with its partners," Takanti says. And because Exostar's member are outsourcing the authentication process, they can reduce or eliminate their investment in in-house remote access or "guest access" technologies, such as network access control (NAC), which some companies are attempting to use with their suppliers and trading partners.
There's only one problem with the Exostar service: you have to be a member to use it. That means FIS can only help companies in the aerospace and defense industries, although similar communities are operating in industries such as pharmaceuticals and financial services, Takanti observes.
"For a community of interest, where there's agreement on standards for authentication and credentialing, this model makes great sense. I think we may see it applied in other industries," Takanti says.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.