April 23, 2001
Hard Line On Security Is The Only Way For E-Markets
Exchanges must assure customers that their data is safe and won't be shared
By George V. Hulme (ghulme@cmp.com) with Steve Konicki (skonicki@cmp.com)
Covisint LLC officials have to make two promises to potential clients of the auto industry E-marketplace before those customers will consider joining. "Before they'll even talk to me about my applications, I have to prove I have a 24-by-7 environment," says Covisint chief technology officer and senior VP of technology Kevin Vasconi. "I have to show that I'm not going to share their data with competitors and give them a really high guarantee that no 16-year-old kid is going to hack into our system."
That's no easy job for the Ford-General Motors-DaimlerChrysler-led exchange that ultimately hopes to encompass some 30,000 auto-industry suppliers. Neither the auto-industry giants nor their suppliers want sensitive information, such as price margins, inventories, or order histories, to be made available to certain other parties. And while Covisint won't say how many times hackers have tried to crack its systems, if its experience is similar to that of most other E-businesses, its systems are scanned for vulnerabilities on a daily basis.
To surmount these problems, Covisint has a security team that protects its marketplace applications and users' data. "In lots of organizations, there's security everywhere, but here it's a specific group," says information security lead David Miller. "We're in charge of how to manage root ID and administrative passwords, and we have an extensive confidentiality policy to deal with encryption levels, how to determine whether data is publicly available, how digital certificates are managed, and retention policies."
That's critical. Data about a company's margins that's inadvertently exposed to competitors or buyers on an exchange could be used to "squeeze the price [of an item] down to the last penny," says Joe Duffy, PricewaterhouseCoopers' technology competency leader.
"Anytime you start talking about a transaction over the Net, customers want to know how secure their data is going to be," says Brad Miller, director of professional services for MarketWare, a budding public marketplace that brings together buyers and sellers of IT equipment. "At the bare minimum, there has to be some kind of authentication that keeps Company B from accessing Company A's information." For now, he says that Secure Sockets Layer, the popular Internet protocol in which the server sends its public key to the browser and the browser responds with a random secret key for that session, is enough security for most E-marketplace customers.
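The "bare minimum" Brad Miller describes above, authentication that keeps Company B from reading Company A's records, is an authorization check applied to every data fetch. The following is an added example, not code from the article, Covisint, MarketWare or CyBiz: a small per-company access layer over an in-memory store. The companies, users and records are constructed for the demo, and two design choices go beyond what the article says: every refusal (not logged in, wrong company, nonexistent id) is reported identically as "not found" so a requester cannot probe which foreign record ids exist, and each refusal is written to an audit log so the daily probing the article mentions becomes visible to the security team.

```python
"""Per-company access control for marketplace records.

Added example (not code from the article, Covisint, MarketWare or CyBiz):
a minimal authorization layer that keeps one company's data (margins,
inventories, order history) from being read by another company on the
same exchange. All names, records and users below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class User:
    name: str
    company: str          # the trading partner this user belongs to
    authenticated: bool   # outcome of the login step (SSL plus credentials)


@dataclass
class Record:
    record_id: str
    owner: str            # company that uploaded the data
    kind: str             # "margin", "inventory", "order_history"
    payload: dict


@dataclass
class MarketplaceStore:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def add(self, record: Record) -> None:
        self.records[record.record_id] = record

    def fetch(self, requester: User, record_id: str) -> Optional[Record]:
        """Return the record only if the requester is logged in and belongs
        to the owning company. Every other outcome is reported identically
        as None ("not found"), so a caller cannot learn whether a foreign
        record id exists by probing; each refusal goes to the audit log."""
        if not requester.authenticated:
            self._deny(requester, record_id, "unauthenticated")
            return None
        record = self.records.get(record_id)
        if record is None:
            self._deny(requester, record_id, "no such record")
            return None
        if record.owner != requester.company:
            # Cross-company read: the "Company B reading Company A's
            # information" case the article warns about.
            self._deny(requester, record_id, "cross-company access")
            return None
        return record

    def _deny(self, requester: User, record_id: str, reason: str) -> None:
        self.audit_log.append(
            {"user": requester.name, "company": requester.company,
             "record": record_id, "reason": reason})


def build_demo_store() -> MarketplaceStore:
    """Constructed sample data: two suppliers, one sensitive sheet each."""
    store = MarketplaceStore()
    store.add(Record("rec-a-1", "Supplier A", "margin",
                     {"part": "brake-caliper", "margin_pct": 12.5}))
    store.add(Record("rec-b-1", "Supplier B", "inventory",
                     {"part": "brake-caliper", "on_hand": 4200}))
    return store


def run_demo() -> dict:
    """Exercise the allowed and the three refused outcomes."""
    store = build_demo_store()
    alice = User("alice", "Supplier A", authenticated=True)
    bob = User("bob", "Supplier B", authenticated=True)
    guest = User("guest", "Supplier B", authenticated=False)

    own = store.fetch(alice, "rec-a-1")        # allowed: same company
    foreign = store.fetch(bob, "rec-a-1")      # refused: different owner
    anon = store.fetch(guest, "rec-b-1")       # refused: not logged in
    missing = store.fetch(alice, "rec-zzz")    # refused: does not exist

    return {
        "own_margin": own.payload["margin_pct"] if own else None,
        "foreign": foreign,
        "anon": anon,
        "missing": missing,
        "denials": [e["reason"] for e in store.audit_log],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The check lives in one place, `MarketplaceStore.fetch`, so every application path that reads a record inherits it; the audit log is the place a security team would look for the scanning and probing the article says exchanges see daily.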
Both Brad and David Miller say users also want to be assured that their sensitive data is protected from hackers by firewalls and a secure architecture. Covisint and MarketWare have set up demilitarized zones--barriers between the Internet and the marketplace's intranet that hold a firewall and proxy server. That firewall connects to an external firewall, at the marketplace's hosting company, for example, for extra security.
MarketWare chose to secure its operations with CyBiz Inc.'s CyBiz Marketplace software. According to MarketWare's Miller, CyBiz takes care of user authentication, supports SSL, username permissions, and is firewall friendly for those "paranoid" customers who wish to connect to the marketplace via a virtual private network. "We only have one of those," Miller jokes.

Despite the risks, many marketplaces still rely primarily on user names and passwords for user access. Mohan Kaul, director general of the Commonwealth Business Council Marketplace, doesn't plan on becoming a security breach headline by relying on those security measures alone. The marketplace represents 54 countries affiliated with Great Britain that wish to conduct business with members of E-markets within, or that serve, Commonwealth nations.
CBCmarketplace.com, which went live last month, is improving security in two ways. It's using digital certificates issued by KPMG PIK Solutions, the Australian division of KPMG Consulting. Digital certificates are issued by trusted third parties after verifying that a public key belongs to a particular owner. But they're not infallible--just last month, certificate authority VeriSign Inc. issued certificates to someone who claimed to be an employee of Microsoft but wasn't (see "VeriSign Authenticates Hacker As Microsoft Employee," March 26, 2001). That's why CBCmarketplace is also checking references with third parties, such as trade associations, before allowing a party entrance into the trading community.
Photo of Kaul by Jonathan Olley/Network/Corbis SABA