
Integrated systems' architectures and security instruments


ACTA UNIVERSITATIS LODZIENSIS
FOLIA OECONOMICA 157, 2002

Kazimierz Krupa*

INTEGRATED SYSTEMS' ARCHITECTURES AND SECURITY INSTRUMENTS

The corporate portal is an important element of companies' integrated operating system architecture. The portal is required to execute its tasks in an effective and safe manner. Data encoding, individual access keys, scoring applications and many other special instruments are utilised to achieve this goal.

Selected architectures of integrated operating systems and tasks of information portals

The New Economy requires that active business units interact and communicate directly with other partners in the specific business chain. Precise customer reorientation is also expected, which results in a fundamental change to the process of adding value. With its increasing worth, information has become an independent value in e-business. It is important, then, to integrate precisely all information systems that could be helpful in achieving customer satisfaction (CRM, PRM) and in receiving strategic signals that enable the company "to take the jump forward on the market". While creating the architecture of such systems we can use ready models describing their structure, or the methods of construction of information modules, or sophisticated computer programs. Such programs make it possible to develop applications for rebuilding current process models and to "conquer" a selected market segment. Complete reengineering of business processes is effectively supported by the architectures of integrated information systems: CIMOSA (Open System Architecture for Computer Integrated Manufacturing), GRAI (Graphes de Resultats et Activites Interrelies), GIM (GRAI Integrated Methodology), PERA (Purdue Enterprise Reference Architecture), GERAM (Generalized Enterprise Reference Architecture and Methodology), IFIP (Information System Methodology), SOM (semantic object modelling by Ferstl and Sinz), ISA (Information System Architecture by Krcmar) or the ARIS (Architecture of Integrated Information Systems)¹ [7, 8, 9, 14] method, which is very popular in Poland.

Frequently, the information portal is the main component² of the "new" information system of a New Economy company. Portals are tools providing free access to necessary data and information. Generally, based on the criterion of destination, one can distinguish open portals and dedicated (thematic) ones. Besides, portals can be grouped on the basis of their tasks: general-use portals³, vortals⁴, corporate portals (Enterprise Information Portal, EIP). EIP combines the most important features of all types of portals with problem-free access to corporate applications and databases. In the newest concepts it is also integrated with workflow and intelligent tools.

[Figure 1. Securities pyramid of e-business: detail levels of the e-business safety strategy (Level I to Level III), from CEBI (Complete e'Business Integration) through TISM (Total Information Security Management) with ABI (Network Safety) and PIK (encoding algorithms) to protection of the teleinformation network, transmission of signals and applications (IPSec, SSL, TLS). Axes: level of details given in solutions (high to small) and use of IT tools (small to high). Source: own elaboration.]

* University of Rzeszów, 35-959 Rzeszów, ul. Rejtana 16 C, tel. (0 prefix) 17 27 61 347, e-mail: kkrupa@pf.pl

¹ See www.ls-Scheer.de/produkte.html

² Created with the help of a selected methodology.

³ General-use portals allow (by definition) quick, centralized and integrated access to the mechanisms of searching data in any databases, e-mail and news.

A typical classic task of the corporate portal is providing single-site control of information flow, especially:

• the opportunity to classify and search objects,

• easy definition of the authorisation for getting data and information,

• tools for data transmission to shared repositories,

• uniform on-line access to selected information,

• the opportunity to provide data to OLAP-class data processing instruments,

• scalability, flexibility and an "ecological" way of getting information⁴.

IT tools for creating corporate portals are developing at a frenetic pace. Their new expected capabilities are: personalised information, effective integration with business partners, and sophisticated automatic assurance of full safety to business processes.

Safety tools of corporate portals

There are multiple facets of assuring top-level safety of information processing with the use of corporate portals' capabilities and flexibility. This issue is also exceptionally important, as attempts to attack e-transactions often take place. While preparing the strategy of information protection, one can utilise the TISM methodology, whose initial element is to distinguish the types of information. Mr P. Musiał, IT/ITSec specialist, differentiates between compulsory, attractive and worthy information and thinks that there will be two most important subjects in the nearest future, namely the teleinformation operators who provide sophisticated digital products and teleinformation safety (mainly: securities and encoding digital products). Tools offering safe access to the data and their processing concentrate on complex solutions and information technology. The list of possible solutions is shown by the securities pyramid (Fig. 1). They are (detail levels of the e-business safety strategy):

⁴ A vortal is a vertical portal providing specialist information on a strictly defined subject (on the basis of subscription).

1. Complete E'Business Integration (CEBI), which among other things includes designing, implementation, integration and protecting information systems. CEBI tools are based on "best of breed" applications. According to ComputerLand, CEBI supports the functional areas of the Internet, e'commerce, e'procurement, CRM, PRM, Supply Chain Management and EDI (high level of details given in solutions and small use of IT tools)⁶.

2. Information Safety Policy (TISM), which (according to M. Byczkowski) consists of monitoring threats to the information, security and audit procedures for the information safety level in e-business. Specialist tools supporting TISM are: SOWA, OKW, EMPI, BlackICE. The role of the Network Safety Administrator (ABI) is similar to that played by TISM⁷.

3. Infrastructure of Public Key (PIK - encoding algorithms), which consists of encoding keys, instruments for creation and receipt of certificates, tools for immediate cancellation of certificates when any crisis or attack takes place, and procedures and tools for confirming business partner identification⁸. Data encoding algorithms are: IDEA (128-bit), RC2-40 (40-bit), RC4-40 (40-bit), RC4-128 (128-bit), DES (56-bit), DES-40 (40-bit), 3DES (168-bit), Fortezza (80-bit), with certificates conforming to the X.509 recommendation.

4. Protecting mechanisms at the level of: teleinformation network, transmission of signals, applications. The following can be used among others: TLS (Transport Layer Security), MIME (Multipurpose Internet Mail Extensions), S/MIME (Secure Multipurpose Internet Mail Extensions), SET (Secure Electronic Transaction), IPSec (Internet Protocol Secure Standard), SSL (Secure Sockets Layer), BlackICE Defender, BlackICE Agent, BlackICE, Guard⁹, Buster¹⁰, Pro¹¹, ADO+ (ActiveX Data Object NET).
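For a portal deployed today, the 40-bit and 56-bit algorithms in item 3, RC4 and SSL itself are obsolete: the IETF prohibited RC4 in TLS (RFC 7465) and deprecated SSL 3.0 (RFC 7568). The Python sketch below is an added example, not part of the original paper; it builds a client context limited to TLS 1.2+ with AEAD suites and audits any context against the legacy names from the list. The function names, the 128-bit floor and the cipher string are assumptions of this example.

```python
import ssl

# Legacy algorithm names from item 3, as they appear inside OpenSSL
# cipher-suite names ("DES" also matches 3DES suites, "EXP" the 40-bit
# export variants). Denylist and floor are assumptions of this example.
LEGACY_MARKERS = ("RC2", "RC4", "DES", "IDEA", "EXP", "NULL")
MIN_STRENGTH_BITS = 128


def hardened_client_context() -> ssl.SSLContext:
    """Client context for a portal: verified peer, TLS 1.2+, AEAD suites only."""
    ctx = ssl.create_default_context()              # CERT_REQUIRED + host name check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # rules out SSL 3.0, TLS 1.0/1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # TLS 1.2 suites; 1.3 suites are fixed
    return ctx


def unverified_context() -> ssl.SSLContext:
    """Constructed counter-example: encryption without partner identification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return readable findings; an empty list means the context passed."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("peer certificate or host name is not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions below TLS 1.2 are allowed")
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if any(marker in name for marker in LEGACY_MARKERS):
            findings.append("legacy cipher enabled: " + name)
        elif suite["strength_bits"] < MIN_STRENGTH_BITS:
            findings.append("weak key length: " + name)
    return findings


if __name__ == "__main__":
    print(audit_context(hardened_client_context()))
    print(audit_context(unverified_context()))
```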

⁶ PRM makes it possible for market participants to use another link within the partner chain (apart from CRM). According to ChannelWave Company, PRM gives detailed knowledge on the performance and effectiveness of particular business partners. This solution is especially designed for those whose substantial part of revenues comes from indirect sale channels.

⁷ See ABI and IB at www.kerberos.pl

⁸ W. Ślusarczyk presents classic PIK infrastructure. It consists of (among others): certification policy, certification authorization, storing keys, canceling certificates, creation of two keys, creation of electronic signature, verification of this signature and confidential exchange of keys.

⁹ For more information on ICE instruments to protect corporate networks see at

The original and effective ADO+¹² protection consists of three modules. They are: presentation layer (WWW browser, DataSet, B2B solutions), business layer (integrated applications of ERP and CRM class, OLAP packages for information analysis, support to business sectors - CRM, workflow), data sources (databases of multiple formats including object databases, warehouses, data mining), knowledge databases. The ADO+ interface allows controlled dealing with separated data resources and enables safe e-business (EMPI). Use of formatted XML and DataSet files facilitates communication between any scattered elements of the information system. Thus, DataSet permits utilisation of a range of any information sources, which, related to each other, can determine data hierarchy, if reasonable. During transmission ADO+ and DataSet determine automatically and independently which set of data should be exploited and select the operations necessary to transfer this information (to the other server or database). These tools have "strongly defined types", so they support the effectiveness and safety of corporate portals, especially when linked to SSL (Secure Sockets Layer). SSL is an element of the open standard of data transmission protection¹³. It is a base for the flexible TLS (Transport Layer Security) specification, developed by the Internet Engineering Task Force (IETF). The Secure Sockets Layer procedure consists of four stages:

1. Session encoding.

2. Confirmation of identification.

3. Message transmission.

4. Maintaining cohesion of messages.

The very important problem of maintaining the cohesion of messages in SSL is overcome by linking encoded messages and check numbers in transmission channels. To encode the information, SSL can use two methods: the symmetrical method, with a secret private key known to both partners involved, or the asymmetrical method with two keys (private CA, public PIK). The public key is known to everyone, but a message encoded with it can be decoded only with the individual key. SSL is one of the main elements enabling safe transmissions in global networks. Other elements used to protect against any attack are: SET (Secure Electronic Transactions), specialised in securing transactions where credit cards are used, IPSec (Internet Protocol Secure Standard), identifying network instruments, and S/MIME (Secure Multipurpose Internet Mail Extensions), protecting EDI and e-mail. Figure 2 shows the transmission safety triad in corporate portals¹⁴. The triad consists of:

• Starting HTTPS procedure. SSL is switched on automatically while the Internet browser is being started.

• Handshake. Staged procedure of negotiating the determinants of the transmission session.

• Security transportation. Safe information exchange between transmission operators.

The closed safety cycle in corporate portals is formed by the following: the idea of the safety triad; the tasks "operator requests safe connection" and "end of safe transmission process in the corporate portal"; and the questions "Was SSL successfully started?", "Is the exchange of information and data completed?" and "Were the negotiations successfully accomplished?". Requirements put on corporate portals are still growing¹⁵.

¹⁰ It operates as a proxy server and controls all HTTP calls. Moreover, it deletes all unnecessary cookie files and other information.

¹¹ Protects users' computers from cookies, applets, scripts, advertisements and animations.

¹² ADO+, built by MS, which is the upgraded interface for the architecture conforming to the standard.

¹³ SSL was developed by Netscape Communications and currently its version no. 3.0 is available.

¹⁴ Doyle Shaun: What is Missing from Campaign Management Today. SeUGI 19, Florence, May 2001

¹⁵ See Business Objects Launches the Knowledge Exchange. International Knowledge Management News, no 23, 2001

[Figure 2. Transmission safety triad in corporate portals. Flow: operator requests safe connection; 1. Starting HTTPS procedure (SSL is switched on automatically while the Internet browser is being started); condition: was SSL successfully started?; 2. Handshake (staged procedure of negotiating the determinants of the transmission session); condition: were the negotiations successfully accomplished? (no: END); 3. Security transportation (safe information exchange between transmission operators); condition: is the exchange of information and data complete?; end of safe transmission process in the corporate portal. Source: own elaboration.]
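The fourth stage of the SSL procedure, in which each message is linked to a check number, is illustrated by the following Python sketch; it is an added example, not code from the paper. It assumes HMAC-SHA256 as the check value and an implicit per-direction message counter, and it omits encryption; SSL 3.0 and TLS define their own record formats and MAC constructions, and all names here are hypothetical.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte check value


def check_value(mac_key: bytes, seq: int, payload: bytes) -> bytes:
    """Check value over the implicit sequence number, the length and the payload."""
    header = struct.pack(">QH", seq, len(payload))
    return hmac.new(mac_key, header + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0

    def seal(self, payload: bytes) -> bytes:
        record = payload + check_value(self.mac_key, self.seq, payload)
        self.seq += 1  # the counter itself is never transmitted
        return record


class Receiver:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0

    def open(self, record: bytes) -> bytes:
        if len(record) < TAG_LEN:
            raise ValueError("record shorter than its check value")
        payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = check_value(self.mac_key, self.seq, payload)
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("message cohesion check failed")
        self.seq += 1
        return payload


def deliver(records, mac_key: bytes) -> list:
    """Feed records to a fresh receiver; the session ends at the first failure."""
    rx, seen = Receiver(mac_key), []
    for record in records:
        try:
            seen.append(rx.open(record))
        except ValueError as err:
            seen.append("REJECTED: " + str(err))
            break
    return seen


def constructed_session(mac_key: bytes = b"\x01" * 32) -> list:
    """Three constructed portal messages sealed in order (sample data, not real traffic)."""
    tx = Sender(mac_key)
    return [tx.seal(m) for m in (b"LOGIN alice", b"GET /orders", b"LOGOUT")]
```

Because the counter is part of the check value, a modified, replayed, dropped or reordered message fails the same comparison as a forged one.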

Summary

It is assumed that modern portals will enable free access to any information expected by the business at the particular time, but that they will also provide full safety to the transactions. Therefore, in order to execute complex tasks related to transmission safety, and taking the heterogeneity of data sources into consideration, it is necessary that each corporate portal should utilise many specialist tools for encoding and protecting from unauthorised access. One of the effective instruments in this field is SSL. The tests conducted have shown that it is a flexible, universal instrument that allows effective protection of any data that can be transmitted via a corporate portal.

References

1. CIMOSA Association: CIMOSA - A Primer on Key Concepts, Purpose and Business Value. Stuttgart, 1995

2. Doumeingts G., Vallespir B., Marcotte F.: A Proposal for an Integrated Model of a Manufacturing System: Application to the Re-engineering of an Assembly Shop. Control Engineering Practice, no 3, 1995

3. Kosanke K.: CIMOSA - Offene System Architektur. In: A.W. Scheer: Handbuch Informationsmanagement. Gabler Verlag, Wiesbaden, 1993

4. Kosanke K., Naccari F.: Enterprise Engineering with CIMOSA. European Workshop on Integrated Manufacturing Systems Engineering, Grenoble, np. 12-14, 1994

5. Krcmar H.: Bedeutung und Ziele von Informationssystem-Architekturen. Wirtschaftsinformatik, no 5, 1990

6. Krupa K.: Portal informacyjny - inteligentne narzędzie zarządzania. EiOP, no 3, 2000

7. Krupa K.: Struktura otwartych portali biznesowych i równoważona karta wyników (wybrane aspekty). In: R. Knosala (ed.): Komputerowo zintegrowane zarządzanie. WNT, Warszawa, 2002

8. Li H., Williams Th.J.: Explaining the Purdue Architecture and the Purdue Methodology Using the Axioms of Engineering Design. Computers in Industry, no 34, 1997

9. Olle T.W., Hagelstein J., Macdonald I.G., Rolland C., Sol H.G., Van Assche F.J.M., Verrijn-Stuart A.A.: Information Systems Methodologies: A Framework for Understanding. Wokingham, 1991

10. Taking digital control applications into the future. Technology Innovations, 2000

11. US Army Knowledge Portal. International Knowledge Management News, no 23, 2001

12. Vernadat F.B.: Enterprise Modeling and Integration: Principles and Applications. Chapman & Hall, London, 1996

13. Vezzosi H.: ’-STtffRt: Statistics in the Net. SeUGI 19, Florence, May 2001

14. Wagle D.: The Case for ERP Systems. The McKinsey Quarterly, no 2, 1998

15. Williams T.J.: The Purdue Enterprise Reference Architecture. Computers in Industry, no 24, 1994

16. Williams T.J.: Development of GERAM, a Generic Enterprise Reference Architecture and Enterprise Integration Methodology. In: Ladet P., Vernadat F.B.: Integrated Manufacturing Systems Engineering. Chapman & Hall, London, 1995

17. http://home.netscape.com/security/techbriefs/ssl.html

18. http://www.microsoft.com/technet/chaptr14.asp

19. http://www.ietf.org/html.charters/tls-charter.html

20. www.networkice.com

21. www./.siratcgic/iiilu.nl/w icd/A now lcd.him

22. www./stralegie/pcg-6-Dortale-finansowe.htm

23. www.kerberos.pl
