The 4 tiers of a secure B2B framework

Worried about how to link IT networks with business partners without getting burned? Forrester analyst Usman Sindhu offers a 4-step strategy to ensure trust.

Today's businesses have global operations and numerous trusted partners constantly accessing their corporate resources. Many of these business-to-business (B2B) interactions are evolving beyond the bounded traditional network perimeter, overcoming the sometimes limiting methods of data exchange and communication. And with this evolving nature, security controls need to advance as well -- especially as new access methods emerge to create an entirely new partner ecosystem.

With new challenges ahead, it's useful to recognize the evolution of B2B security architecture in order to understand the future.

Also see "Public-private partnerships: The value of information sharing

In the past, the perimeter was hardened with static controls. This architecture was suitable for static and known communication interfaces, and there wasn't much coordination between the appliances and the application layer.

Today, security controls get past the perimeter to service specific needs. Technologies span from perimeter to core applications, server farms, and databases that harden critical applications and data. The DMZ-based deployment is not replaced, but rather complemented with controls at critical demarcation points for applications and data. The security appliances are more identity-aware as they frequently communicate with backend infrastructure to enforce controls.

In the future, cloud-based services will complement application and data security, with the emergence of application and data controls in the cloud. Technologies such as antimalware, script analysis, URL filtering, IPS and web application firewall in the cloud will be high on the security professional's wish list for securing B2B transactions. At the same time, organizations will look to more distributed enforcement methods that require network and physical technologies to be still on-premises.

Moving forward, many of the traditional controls used to secure B2B interactions won't be adequate as major developments challenge the current security architecture. For example, it's not uncommon to have business transaction and interactions "on the go" with the use of mobile devices and interactive media using Web 2.0 apps. The dynamic nature of this content poses new threats that are specific to application and Web security.

Additionally, today's cloud offerings provide new ways to share applications with B2B partners. It's a compelling option that businesses can't ignore due to its scale, flexibility and cost structure. But as a security professional, it's your job to recognize the security and privacy concerns.

Smart Computing will also challenge today's security architecture. With the onset of Smart Grid and Smart City projects, businesses will have complex and pervasive partner relationships, some nontraditional in nature. This advancement will require security and risk assessment and management as the connected ecosystem increases cyberthreats and data confidentiality demands.

As of yet, little thought has been given to an architecture that will address these key inflection points that are affecting B2B interactions. Forrester has devised four tiers of access control that are essential for secure future B2B interactions:

1. Application Access Control: App control will emerge at the perimeter with IAM integration. When applications and services are hosted via cloud--application access, authorization and authentication become ever more important. Identity and access management (IAM) will play an important role, as it works with entitlement management to define roles, duties and access levels to applications. Another central point to application control is identity federation. Since B2B security relies on this federation, it will be important to control access to the critical resources.

2. Data Access Control: Encryption and endpoint control features are critical. Although there's no concise definition of data access control, I'll essentially define it as the authorization and protection of data when it's being shared with multiple parties. Several technologies will make up this tier, driven by organizations wanting to classify, extract, encrypt, discover and control who accesses the data. It will be necessary to create a policy to enforce rights management at different points in the network.

3. Network Access Control: Fabric access control will define the network tier. B2B interactions rely on tools such as intrusion detection systems, intrusion prevention systems and security information management to mitigate diverse threats. So the fabric access control will enable use of enforcement mechanism at different parts of the network and secure a B2B environment from multiple interfaces.

4. Physical Access Control: Identity-based control will become the new frontier. Customers are increasingly demanding that physical control systems like badges and IP--based cameras become fully integrated with their corporate network and IT security controls. For instance, some organizations will not allow employees who don't badge in at the premises entry point to connect to the corporate network. There is also traction with other physical devices, such as global positioning system (GPS), radio frequency identification (RFID), sensors, and smart cards to provide location--based services that will link the user's identity to the physical systems.

There is no easy solution to B2B security -- it will require multiple technologies at each tier of access control to develop a comprehensive architecture. Your organization would need to define common set of technologies like NAC, antimalware, IPS, DLP, and IAM, can help you implement controls for multiple entry points. And integrate them using APIs like TNC IF--MAP, Open Virtual Format (OVF) and SAML at the physical, network, data, and application tiers.

Usman Sindhu is an analyst at Forrester Research. He serves security and risk professionals focusing on challenges and solutions around network access control (NAC).

SUBSCRIBE! Get the best of CSO delivered to your email inbox.