Security

5 key points about TradeLens platform security

Ana Biazetti

Supply-chain companies that are digitizing and leveraging data and document sharing will have the most to gain in the new shipping economy.

But there remains a concern: Companies worry that moving their own and their customers’ proprietary information to digital platforms exposes them to a sinister and serious list of security risks.

In many ways, the concerns are justified; there is a lot of nasty stuff out there. Here are some threats that most people and businesses should be aware of:

  • Ransomware
  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

So, what should smart businesses do if they want to take advantage of the opportunities of the digital revolution? Hesitating and missing out on the latest technological advances might mean continuing practices that are just as risky, if not more so.

Take documentation, for example: Submitting forms via email comes with the risk of your data and documents ending up in the wrong hands if they are forwarded or posted in an insecure way. Even sitting in your network behind a firewall, your documents and data can be exposed to a world of malware that is sometimes introduced to your system by trusted partners without their knowledge.

But security and creativity need not be in a tug of war.

Here are five ways that TradeLens offers the benefits of digitization while also ensuring business and personal information is kept secure.

1. Blockchain is a whole new ballgame

TradeLens uses Hyperledger Fabric, a permissioned blockchain that guarantees the immutability and traceability of shipping documents while protecting data using the world’s most advanced encryption technology. The IBM Blockchain Platform is built on Z/System and LinuxONE security to prevent ransomware from locking data. Plus, a permissioned blockchain protects against spoofing because every organization and user has a cryptographic certificate.

Permissioned is an important differentiator. It’s very different from non-permissioned, public blockchains that are vulnerable to a “51% attack.” With permissioned blockchains, companies choose their members, specify their level of access and determine their level of control. Tampering and repudiation are prevented because the IBM Blockchain Platform records who did what. TradeLens members are also protected against information disclosure by data segregation with channels.

We understand that, in an industry built on trust, no one can afford to jeopardize the security of their or their customers’ private data.

2. Blockchain is just one bit of the security solution

Unsurpassed security standards and unparalleled processes ensure every entity and user in the TradeLens ecosystem belongs in the ecosystem. It’s an invite-only network: organizations are onboarded after thorough checks. The process of adding users includes accurate management and monitoring of who has access to what, using the Permission Matrix.

Access is secured through the use of user IDs and passwords managed by IBM ID. Authentication can also be delegated through the use of OpenID Connect federated authentication and OAuth2.

Businesses maintain complete control of their documents, including organization onboarding and certificate creation, through the Document Store, which runs on a segregated and encrypted blockchain node. To use blockchain-enabled document sharing, participants post trade documents to the IBM Blockchain Document Store, housed on a blockchain node. Any documents stored in nodes managed by IBM that contain personal data are considered to be “processed” by IBM. IBM will process such personal data only within the limits of the Data Processing Addendum (DPA) with the participant.

3. TradeLens is tempered with IBM’s enterprise-level security

TradeLens uses the same comprehensive security embedded in mission-critical platforms that IBM manages for Fortune 500 companies. All TradeLens users benefit from the same standards of security, robustness, and scalability that underpin platforms used by some of the world’s largest corporations.

From the earliest development, through implementation and its continuous evolution and support, TradeLens relies on IBM secure development processes that include source-code reviews, industry-standard encryption algorithms, and vulnerability management. Never ones to take security for granted, we use third-party specialists for penetration testing and ISO 27K compliance.

Every communication and all data exchanged with TradeLens is secured to the highest level in the world using HTTPS over TLS 1.2. This ensures all our APIs are protected in transit, and a Cloudflare firewall shields the entire solution from a multitude of threats, including denial of service.

4. TradeLens complies with GDPR, and then some

All data handling processes on TradeLens meet the stringent requirements of the General Data Protection Regulation (GDPR), which governs the use of EU citizens’ personal data by third parties. IBM is an authority on GDPR.

IBM’s rigorous compliance with GDPR ensures that the TradeLens platform and its members comply. IBM is a “processor” of personal data provided to the TradeLens platform; participants are considered “controllers” of that data, obligated to obtain or verify consent from those customers whose data will be processed by IBM.

In addition, IBM’s DPA specifies: a) the types of personal data that IBM will process in offering the TradeLens solution, b) the types of processing activities that IBM may undertake with personal data, c) the security measures in place to protect personal data, d) the location(s) where the processing activities will take place, and e) the procedure for requests for access and/or deletion of personal data contained on IBM’s systems.

5. When it comes to protection, it’s personal

TradeLens is sworn to protect ecosystem information, ensuring that organizations can access only the information they are permissioned to see. That translates to higher standards than those mandated by GDPR or any other authority.

TradeLens standards are anchored by the practice of using blockchain technology to implicitly ensure people only have access to data and documents appropriate to their business and role.

TradeLens recently obtained ISO27K certification, which includes:

  1. ISO 27001: Information technology - Security techniques - Information security management systems - Requirements
  2. ISO 27002: Code of practice for information security controls
  3. ISO 27017: Code of practice for information security controls based on ISO/IEC 27002 for cloud services
  4. ISO 27018: Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

The processes supporting these certifications follow the Plan-Do-Check-Act (PDCA) cycle, continuously testing and improving our solution’s security capabilities.

Connecting supply chain partners so they can share information without hesitation or reservation is an endeavor that hinges entirely on trust. That is why we focus with equal intensity on both innovation and security.

Learn how TradeLens fared during a recent round of penetration testing.