

B2B Security

How to Practice Safe B2B

17.06.2002
Von Eric Berkman

Secure Application Development Practices
In most B2B relationships, partners grant limited authority to pass into each other's systems and access critical information. If your partner is using proprietary applications that touch your system, security must be built into that application. Your partner must show you how security is incorporated into its application design, development and deployment plans, says DeMaio. Look for access and authorization controls built into applications, path isolation to ensure that the app's user goes only where he's allowed to go, and logging and reconciliation to provide a record of where any user has been, matching up with what he's done. "Make sure the application doesn't turn off or ignore other security controls, like encryption, associated with the [B2B] system," adds DeMaio.

Access Control and User Authentication
Lax access controls within your partner's systems will give you an Excedrin headache. Ray Bedard, a partner in PricewaterhouseCoopers' supply chain practice in Virginia Beach, Va., tells of a company he worked with that failed to terminate a departing employee's access to its B2B applications. Before the employee left, he went into the system and ordered a bunch of goods from an online partner. The goods arrived and nobody could figure out what they were doing there. It took several hundred man-hours for the parties to resolve the mess.
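The logging-and-reconciliation control DeMaio describes and the orphaned-account incident Bedard recounts come down to one check: compare who the partner's HR feed says is still entitled, who the gateway still accepts, and who actually did something in the system. The Go program below is an added example written for this page, not code from the article or from any of the firms it quotes. The roster, log lines, user names and dates are constructed, and the log format (an RFC 3339 timestamp followed by key=value pairs) is an assumption.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Entitlement is one partner user as the B2B gateway knows it, joined with the
// leave date the partner's HR feed reports. A zero LeaveDate means still employed;
// a zero RevokedAt means the gateway still accepts the account.
type Entitlement struct {
	User      string
	LeaveDate time.Time
	RevokedAt time.Time
}

// Finding is one exception produced by the reconciliation.
type Finding struct {
	Kind   string // activity-after-leave, unknown-user, orphaned-account, late-revocation
	User   string
	Detail string
}

func mustDate(s string) time.Time {
	t, err := time.Parse("2006-01-02", s)
	if err != nil {
		panic(err)
	}
	return t
}

// Constructed sample data (assumed, not from the article): three partner users and
// a few gateway log lines in an assumed "<RFC3339 time> key=value ..." format.
var (
	SampleNow    = mustDate("2002-03-10")
	SampleRoster = []Entitlement{
		{User: "alice"},
		{User: "bob", LeaveDate: mustDate("2002-03-01")},                                      // left, never revoked
		{User: "carol", LeaveDate: mustDate("2002-02-15"), RevokedAt: mustDate("2002-02-20")}, // revoked five days late
	}
	SampleLog = []string{
		"2002-02-28T09:00:00Z user=alice action=order sku=A100 qty=12",
		"2002-03-05T17:42:00Z user=bob action=order sku=B200 qty=500",
		"2002-03-06T08:10:00Z user=mallory action=login",
	}
)

// parseEvent returns the timestamp, user and action of one log line.
func parseEvent(line string) (time.Time, string, string, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return time.Time{}, "", "", fmt.Errorf("malformed line %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return time.Time{}, "", "", fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if parts := strings.SplitN(f, "=", 2); len(parts) == 2 {
			kv[parts[0]] = parts[1]
		}
	}
	if kv["user"] == "" {
		return time.Time{}, "", "", fmt.Errorf("no user in %q", line)
	}
	return ts, kv["user"], kv["action"], nil
}

// Reconcile cross-checks the activity log and the roster against each other as of now.
// Activity by unknown or departed users is flagged, and so are accounts that should
// have been disabled but were not, or were disabled only after the leave date.
func Reconcile(roster []Entitlement, logLines []string, now time.Time) ([]Finding, error) {
	byUser := make(map[string]Entitlement, len(roster))
	for _, e := range roster {
		byUser[e.User] = e
	}
	var out []Finding
	for _, line := range logLines {
		ts, user, action, err := parseEvent(line)
		if err != nil {
			return nil, err
		}
		e, known := byUser[user]
		switch {
		case !known:
			out = append(out, Finding{"unknown-user", user, action + " at " + ts.Format(time.RFC3339)})
		case !e.LeaveDate.IsZero() && !ts.Before(e.LeaveDate):
			out = append(out, Finding{"activity-after-leave", user,
				fmt.Sprintf("%s at %s, left %s", action, ts.Format(time.RFC3339), e.LeaveDate.Format("2006-01-02"))})
		}
	}
	for _, e := range roster {
		if e.LeaveDate.IsZero() || e.LeaveDate.After(now) {
			continue
		}
		switch {
		case e.RevokedAt.IsZero():
			out = append(out, Finding{"orphaned-account", e.User, "left " + e.LeaveDate.Format("2006-01-02") + ", access still active"})
		case e.RevokedAt.After(e.LeaveDate):
			out = append(out, Finding{"late-revocation", e.User, fmt.Sprintf("revoked %s after leaving", e.RevokedAt.Sub(e.LeaveDate))})
		}
	}
	// Deterministic order: by kind, then user.
	sort.Slice(out, func(i, j int) bool {
		if out[i].Kind != out[j].Kind {
			return out[i].Kind < out[j].Kind
		}
		return out[i].User < out[j].User
	})
	return out, nil
}

func main() {
	findings, err := Reconcile(SampleRoster, SampleLog, SampleNow)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-22s %-8s %s\n", f.Kind, f.User, f.Detail)
	}
}
```

Run with `go run`; on the sample data it reports bob's order after his leave date, bob's account as orphaned, carol's revocation as five days late, and mallory as a user the roster never knew. In a real gateway the HR feed is the authoritative source for LeaveDate and the revocation timestamp comes from the gateway's own audit log, which is why both have to be logged in the first place.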

To avoid that sort of tampering, companies should require partners to maintain strong, active password programs. Measures should include requirements to change passwords frequently, monitoring and logging of password usage, tools to detect easily guessed passwords and a central authority to set access policies. Wade adds that you should forbid your partner to set up departmental passwords if the partner accesses your systems through its network. "This is always a sticking point in negotiations," he says. "The partner always wants to use some easier form" of password protection.
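The measures listed above (a floor on guessability, a rotation window, no departmental credentials) can be enforced mechanically by the partner's central authority rather than negotiated case by case. The Go checker below is an added example for this page, not the article's or any vendor's code. Its thresholds, its banned-word list, the letter substitutions it undoes and the sample accounts are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Policy expresses the password program as checkable parameters.
// The numbers and the banned list are assumptions for this example.
type Policy struct {
	MinLength  int
	MinClasses int           // of lower, upper, digit, other
	MaxAge     time.Duration // rotation window
	Banned     []string      // easily guessed passwords, stored normalized
}

// Account is what the partner's central authority knows about one credential.
type Account struct {
	User        string
	Shared      bool      // departmental credential used by several people
	LastChanged time.Time // zero if unknown
}

// normalize undoes common letter substitutions and lowercases, so that
// "P@ssw0rd" is still caught by the banned word "password".
func normalize(s string) string {
	r := strings.NewReplacer("@", "a", "0", "o", "1", "i", "!", "i", "3", "e", "$", "s", "5", "s")
	return strings.ToLower(r.Replace(s))
}

func DefaultPolicy() Policy {
	p := Policy{MinLength: 12, MinClasses: 3, MaxAge: 90 * 24 * time.Hour}
	for _, w := range []string{"password", "welcome", "letmein", "qwerty", "123456", "summer2002"} {
		p.Banned = append(p.Banned, normalize(w))
	}
	return p
}

// classes counts the character classes present in pw.
func classes(pw string) int {
	var lower, upper, digit, other bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			other = true
		}
	}
	n := 0
	for _, b := range []bool{lower, upper, digit, other} {
		if b {
			n++
		}
	}
	return n
}

// Check returns every violation of p for a candidate password on account a as of now.
func Check(p Policy, a Account, password string, now time.Time) []string {
	var v []string
	if a.Shared {
		v = append(v, "departmental/shared credential is not allowed for partner access")
	}
	if len(password) < p.MinLength {
		v = append(v, fmt.Sprintf("shorter than %d characters", p.MinLength))
	}
	if classes(password) < p.MinClasses {
		v = append(v, fmt.Sprintf("fewer than %d character classes", p.MinClasses))
	}
	norm := normalize(password)
	for _, w := range p.Banned {
		if strings.Contains(norm, w) {
			v = append(v, "easily guessed (contains "+w+")")
			break
		}
	}
	if u := normalize(a.User); u != "" && strings.Contains(norm, u) {
		v = append(v, "contains the user name")
	}
	if !a.LastChanged.IsZero() && now.Sub(a.LastChanged) > p.MaxAge {
		v = append(v, "older than the rotation window")
	}
	return v
}

// SampleChecks runs Check over constructed accounts; the date is fixed for reproducibility.
func SampleChecks() map[string][]string {
	p := DefaultPolicy()
	now := time.Date(2002, 6, 17, 0, 0, 0, 0, time.UTC)
	fresh, stale := now.AddDate(0, 0, -10), now.AddDate(0, 0, -120)
	strong := "Rfv4-Tgb5-Yhn6-Ujm7"
	return map[string][]string{
		"weak-substituted":    Check(p, Account{User: "jdoe", LastChanged: fresh}, "P@ssw0rd!", now),
		"username-embedded":   Check(p, Account{User: "jdoe", LastChanged: fresh}, "JDoe-Purchasing-2002", now),
		"stale":               Check(p, Account{User: "alice", LastChanged: stale}, strong, now),
		"shared-departmental": Check(p, Account{User: "purchasing", Shared: true, LastChanged: fresh}, strong, now),
		"compliant":           Check(p, Account{User: "alice", LastChanged: fresh}, strong, now),
	}
}

func main() {
	for name, v := range SampleChecks() {
		fmt.Printf("%-20s %v\n", name, v)
	}
}
```

The banned list here is a stand-in for a breached-password list, which is what the guessability check should really consult. One caveat on the rotation window: it reflects the article's 2002 advice, and current guidance (NIST SP 800-63B) recommends against forced periodic changes in favour of screening against known-compromised passwords and rotating only on evidence of compromise.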

For sensitive information, companies should require higher-level access and authorization tools. Ramana Palepu, CTO of the Worldwide Retail Exchange in Alexandria, Va., says his members require public-key infrastructure authentication technology, and will expect digital signatures for financial settlement and payment services the exchange may offer in the future. But for less sensitive transactions, such as purchase orders, auctions and item tracking, strong password and user-name controls suffice.
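Palepu's split, digital signatures for settlement and payment but user name and password for purchase orders, auctions and item tracking, is a tiering decision the gateway has to enforce itself rather than trust the caller to pick the right tier. The Go program below is an added example written for this page, not code from the Worldwide Retail Exchange or the article. The transaction-type names, the partner user "acme-treasury", its password and the message bodies are constructed, the password hash is a plain salted SHA-256 to keep the example dependency-free, and certificate validation (checking the partner's key against the exchange's PKI) is left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Level is the authentication strength a transaction type demands.
type Level int

const (
	PasswordLevel  Level = iota // user name and strong password suffice
	SignatureLevel              // a signature from the partner's registered key is required
)

// Tier maps a transaction type to its level (type names are assumptions).
func Tier(txType string) (Level, error) {
	switch txType {
	case "settlement", "payment":
		return SignatureLevel, nil
	case "purchase_order", "auction", "item_tracking":
		return PasswordLevel, nil
	}
	return 0, fmt.Errorf("unknown transaction type %q", txType)
}

// Request is a B2B message as received by the exchange gateway.
type Request struct {
	Type, User string
	Body       []byte
	Password   string // password-tier requests only
	Signature  []byte // ASN.1 ECDSA signature over digest(), signature-tier only
}

// Partner is the gateway-side record: salted password hash and the public key
// from the partner's certificate.
type Partner struct {
	Salt, PwHash []byte
	PubKey       *ecdsa.PublicKey
}

// digest binds type and user to the body, so a signature over one transaction
// type or user cannot be replayed as another.
func digest(r Request) []byte {
	h := sha256.New()
	h.Write([]byte(r.Type))
	h.Write([]byte{0})
	h.Write([]byte(r.User))
	h.Write([]byte{0})
	h.Write(r.Body)
	return h.Sum(nil)
}

// hashPassword is salted SHA-256 for brevity; a real gateway would use a memory-hard KDF.
func hashPassword(salt []byte, pw string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(pw))
	return h.Sum(nil)
}

func Register(store map[string]*Partner, user, password string, pub *ecdsa.PublicKey) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	store[user] = &Partner{Salt: salt, PwHash: hashPassword(salt, password), PubKey: pub}
	return nil
}

// Sign attaches the partner's ECDSA signature to r.
func Sign(priv *ecdsa.PrivateKey, r *Request) error {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(*r))
	r.Signature = sig
	return err
}

// Authorize enforces the tier; a password never satisfies a signature-tier request.
func Authorize(store map[string]*Partner, r Request) error {
	level, err := Tier(r.Type)
	if err != nil {
		return err
	}
	p, ok := store[r.User]
	if !ok {
		return errors.New("unknown user")
	}
	if level == SignatureLevel {
		if p.PubKey == nil || len(r.Signature) == 0 {
			return errors.New("signature required for this transaction type")
		}
		if !ecdsa.VerifyASN1(p.PubKey, digest(r), r.Signature) {
			return errors.New("signature verification failed")
		}
		return nil
	}
	if subtle.ConstantTimeCompare(hashPassword(p.Salt, r.Password), p.PwHash) != 1 {
		return errors.New("bad credentials")
	}
	return nil
}

// RunScenario exercises the cases a reviewer would want to see; nil means authorized.
func RunScenario() (map[string]error, error) {
	store := map[string]*Partner{}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	const user, pw = "acme-treasury", "correct horse battery staple" // constructed
	if err := Register(store, user, pw, &priv.PublicKey); err != nil {
		return nil, err
	}
	out := map[string]error{}
	out["po-with-password"] = Authorize(store, Request{Type: "purchase_order", User: user, Body: []byte(`{"sku":"A100","qty":12}`), Password: pw})
	settle := Request{Type: "settlement", User: user, Body: []byte(`{"amount":"125000.00","currency":"USD"}`)}
	out["settlement-with-password-only"] = Authorize(store, Request{Type: settle.Type, User: user, Body: settle.Body, Password: pw})
	if err := Sign(priv, &settle); err != nil {
		return nil, err
	}
	out["settlement-signed"] = Authorize(store, settle)
	tampered := settle
	tampered.Body = []byte(`{"amount":"1250000.00","currency":"USD"}`)
	out["settlement-tampered"] = Authorize(store, tampered)
	replay := settle
	replay.Type = "payment" // same body and signature presented under another type
	out["settlement-replayed-as-payment"] = Authorize(store, replay)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for name, e := range out {
		fmt.Printf("%-32s %v\n", name, e)
	}
}
```

The point of the digest is that the signature covers the transaction type and the user, not just the body, so a signed purchase order cannot be re-presented as a payment. A production gateway would also put a timestamp or nonce under the signature so the same signed settlement cannot be submitted twice.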
