IBX Connect security policy

The IBX On-demand Platform Information Security Controls describes how Tradeshift handles information security in its service and operations organisational units and the corresponding IT systems. This document applies to both Buyers and Sellers. The aspects relevant to trading partner integrations with the IBX Connect platform are highlighted below.


Firewall protection

A dedicated firewall protects the IBX On-demand Production network from the Internet. The rules in this firewall follow a “deny-all by default” approach: access to systems is explicitly granted with the least possible privileges, which prevents unauthorized access. Consequently, as part of every integration project, firewall rules must be configured for the IP addresses of the trading partner's sending and receiving servers. Firewalls on the customer side often have to be opened for traffic to and from the IBX platform IP addresses as well. The relevant IP addresses are exchanged during the setup phase of an integration project.


Application access control

Application security governs user access to the integration service for routing business documents via the IBX Connect platform. Across the whole IBX On-demand Platform, unique user IDs and passwords are the primary means of user authentication and access control. All passwords are stored encrypted in the database. When a trading partner's integration server connects to the IBX Connect platform, or vice versa, HTTP Basic authentication is applied before any XML messages are transmitted over the HTTP or FTP protocol. That means the server initiating the connection has to present its username and password in the HTTP POST request. Because the Basic credentials themselves are not encrypted, the entire connection is encrypted with SSL/TLS to protect them. The credentials for access to the IBX Connect platform are provided during the setup phase of an integration project.


Internet channel security

Internet channel security governs the security of the communications channels between IBX On-demand applications, Tradeshift, and other suppliers and buyers. Communication to and from the IBX On-demand Platform occurs over the Internet, so customers' catalogues and transactions must be protected from interception. For increased security, Tradeshift uses HTTP over Secure Socket Layer (HTTPS) for communication by default. The TLS/SSL protocol is the industry standard method for protecting communications on IP networks; Tradeshift uses it for data encryption and server authentication. For inbound integrations to the IBX Connect platform, trading partners usually have to install the IBX server certificate in a "trusted certificate" store on the server connecting to IBX. Conversely, for integrations from the IBX Connect platform to the trading partner's system, the receiver's server certificate has to be installed as a trusted certificate on the IBX Connect platform integration servers. Otherwise connections between the servers are not considered trustworthy and are denied. The certificates are exchanged during the setup phase of an integration project.
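The two controls above (Basic authentication in the HTTP POST, and a TLS connection that only trusts the exchanged server certificate) fit together in one client. The following is an added example of such a client, not Tradeshift's or IBX's own code: the endpoint URL, the credentials and the PEM file name are placeholders that an integration project would replace with the values exchanged during setup. The client refuses to send Basic credentials over anything but HTTPS, requires a verified server certificate with hostname check, and lets the partner's exchanged certificate be installed as the trust anchor instead of the system store.

```python
"""Hypothetical client posting an XML business document with HTTP Basic
authentication over TLS. Example code, not the IBX Connect platform's own
client; host, path, credentials and certificate file are placeholders."""
import base64
import http.client
import ssl
from typing import Optional, Tuple
from urllib.parse import urlparse


def build_basic_auth_header(username: str, password: str) -> str:
    """Basic credentials per RFC 7617: base64("user:pass").

    Base64 is an encoding, not encryption, which is why the transport
    below must be TLS before this header is ever sent.
    """
    if ":" in username:
        # A colon would make the credential string ambiguous to the server.
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def make_tls_context(trusted_cert_file: Optional[str] = None) -> ssl.SSLContext:
    """Client TLS context that requires a valid server certificate.

    trusted_cert_file is the partner's server certificate (or its CA) in PEM
    form, installed as the trust anchor as the policy describes; when None,
    the operating system trust store is used instead.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # unverifiable server => connection denied
    ctx.check_hostname = True             # certificate must match the host we dial
    if trusted_cert_file:
        ctx.load_verify_locations(cafile=trusted_cert_file)
    return ctx


def validate_endpoint(url: str) -> Tuple[str, int, str]:
    """Return (host, port, path), refusing any scheme other than https."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return parts.hostname, parts.port or 443, parts.path or "/"


def post_document(url: str, xml_body: bytes, username: str, password: str,
                  trusted_cert_file: Optional[str] = None,
                  timeout: float = 30.0) -> Tuple[int, bytes]:
    """POST an XML message; returns (HTTP status, response body)."""
    host, port, path = validate_endpoint(url)
    ctx = make_tls_context(trusted_cert_file)
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    headers = {
        "Authorization": build_basic_auth_header(username, password),
        "Content-Type": "application/xml; charset=utf-8",
        "Content-Length": str(len(xml_body)),
    }
    try:
        conn.request("POST", path, body=xml_body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Placeholder values; a real integration uses the endpoint, credentials
    # and certificate exchanged during project setup.
    sample_xml = b'<?xml version="1.0"?><Order id="constructed-sample"/>'
    status, body = post_document(
        "https://integration.example.invalid/inbound",  # placeholder host
        sample_xml, "partner-user", "partner-password",
        trusted_cert_file="ibx-server-cert.pem",        # placeholder file
    )
    print(status, body[:200])
```

The scheme check is deliberately separate from the TLS context: if a URL is ever misconfigured as http://, the client fails before building the Authorization header, rather than leaking the password in clear text and relying on a redirect.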


Monitoring

Tradeshift uses centralized monitoring tools to provide maximum alerting capability. They monitor network traffic, system messages and alerts, application status, transaction status, etc. Tradeshift uses network-based intrusion detection, which provides logging and alert capabilities to assist in the detection of malicious acts and misuse. To monitor the service levels of the end-user applications, Tradeshift continuously executes pre-recorded scripts that simulate real user behaviour, measuring real-world data from an end-user perspective. The actual business document flow is monitored with a tool designed to let the support organization quickly confirm that the document flow is working correctly and, if not, to show where the problem is located. Only a limited number of Tradeshift personnel have rights to access the monitoring systems.