The Supply Chain Matters blog highlights the critical importance of cyber-attack and information security defenses, and of developing outside-in strategies for augmented identity and information security management. This commentary is the second in a series of market education pieces focused on B2B Business Networks, the first being the importance of seamless interoperability.


Situational Perspective

Included in our Ferrari Consulting and Research Group’s 2019 Predictions for Industry and Global Chains (Available for complimentary downloading in this website’s Research Center), we were compelled to predict that cyber-risk and information security safeguarding are now a mandatory requirement for any business supply chain, and especially B2B networks. The need stems from both inevitable risk, and from increasing mandates from stockholders, boards and C-Suite executives who rightfully are now more attuned to the consequences of such attacks.

A survey among 12,000 executives sponsored by The World Economic Forum identified cyber-attacks and data fraud as two of the top-five global risks in terms of likelihood. The sophistication of hackers and state-sponsored cyber thieves has substantially increased as well, with multiple national security experts now indicating that threat incidents are going to get worse before getting better. Among the key takeaways of a 2018 Verizon Data Breach Investigations Report was that most cyber-attacks emanate from compromised user credentials. In the specific area of manufacturing-related industries, state-affiliated attacks accounted for more than half of attacks, with cyber-espionage as the second highest threat. Motivations centered on acquiring an edge on advanced technology or access to another specific target.

Many such cyber-attacks stem from bad actors who overwhelmingly prefer to gain access through either an inactive internal employee account or the account of a supplier, partner or services provider that was given access to an individual application, operational Edge system or broader B2B network but did not practice active security measures. Often, many inactive accounts are not de-provisioned.

Another concern is the now growing number of digital login identifiers that includes people as well as physical things. With more and more Internet-of-Things (IoT) enabled processes under development, the latter will have to be administered with active multi-layer login and information access capabilities. The ‘Identity of Things’ is an area gaining significant importance in today’s business environment as companies look to strengthen the security of connected devices across digital ecosystems.


Two Approaches

Often, IT security and cross-functional efforts directed at information and data security have taken an inside-out approach, with the primary emphasis being securing internal systems and information flows from external attacks. An inside-out approach can be managed through individual applications or various internal IT network administration access practices.

Increasingly, ongoing incidents now point to more looming threats from outside-in based attacks, namely bad actors probing vulnerability points or falsification opportunities within broader B2B networks, including those that connect multiple suppliers and trading partners. Outside-in may well be the more concerning threat because it allows hackers far broader opportunities to acquire valuable or sensitive information from many organizations, or to gain back door entry. Ongoing cyber threat incidents now reinforce a need for in-depth, continuous monitoring of supply and demand network participants from the time a partner is vetted and throughout the business relationship. Outside-in threats have been harder to address, but that is no longer so today given newer technology and process learning.


Specific Capability Example

In June of 2017, Enterprise Information and B2B Networks provider OpenText announced the acquisition of Covisint Corporation, an automotive industry focused Cloud platform providing digital connectivity of business processes and Internet of Things (IoT) enabled processes.

In the year since that acquisition, OpenText’s Business Network teams have been able to leverage one of the more strategic capabilities developed over many years by Covisint, namely what is termed Identity and Access Management (IAM).

In recent briefings, we discovered that Covisint has been addressing tiered identity management capabilities for over fifteen years, principally because automotive B2B networks, from their first inception, required centralized management of tens to hundreds of thousands of individual login credentials from across the supplier ecosystem.

Automotive OEMs were further super-sensitive to protecting proprietary product and process design information. The approach taken was multiple-tiered security, including both login as well as access administration, namely what applications or systems any particular user is allowed to access at a given time. OpenText Covisint manages well over 31 million identities and provisions and governs over 100,000 supplier connections. The Covisint enabled B2B Automotive Exchange, for example, provides an access platform for more than 650,000 supplier users to over 800 applications utilizing only one identity. Perhaps even more impressive, this complex and large identity and access ecosystem is managed by only two administrators.

Additionally, with the increased use of in-vehicle electronic sensors and operational management devices, auto makers have the opportunity to remotely monitor vehicle operational data. When the largest automotive OEM in North America wanted to scale the company’s in-vehicle connected driver services, program managers turned to the IAM capabilities developed by Covisint, but now for consumer identity and access management (CIAM, also referred to as B2C) as a business enabler as well as for network security administration. Connected driver user security credentials helped to broaden consumer access not only to individual IoT enabled vehicle operating data, but also to dealer service and parts networks. In turn, the OEM’s administrators can remotely verify vehicle owner or operator security credentials in real-time.

Increasingly, the OpenText Business Network teams will be further leveraging multi-layer IAM capabilities to better secure broader B2B or B2C process management areas involving IoT focused messaging, identity relationship management, ecosystem management and system access.


Reader Takeaway

While in the short-term, cyber-attacks may well be inevitable, ensure that your business has risk mitigation plans and actions that address outside-in threats. When evaluating current B2B and consumer network threats, look for and seek multi-layer defenses in system logins and in individual role-based access to specific information.

Finally, when evaluating network platform providers, ensure that multi-layer security is evident, along with augmented AI machine-learning capabilities that can automatically identify breaches or unusual login access.



Bob Ferrari

© Copyright 2019, The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.