The Swissdec data exchange platform (the distributor) transmits wage and accident information for many Swiss companies. Protecting this data is essential. Therefore, in addition to double encryption, Swissdec will in future rely on authentication of the companies in order to also guarantee the binding nature of the processes.

Data protection and security are essential for Swissdec. The Swissdec process handles very sensitive data such as wage and accident information about a company’s employees. If such information were to fall into the wrong hands, trust in the solution would dwindle and usage would rapidly decline. The entire investment of all participants would be severely jeopardised.
Figure 1: Authentication
The authentication of companies, which today rests solely on self-declaration within the business data (Figure 1), prevents the development of intelligently automated, bidirectional solutions. In the distributor’s annual security reviews by external specialists, this circumstance is repeatedly flagged as a security risk. For this reason, solutions have been sought since 2012. The following requirements were placed on the authentication of companies:
- Uniform, simple, secure and affordable solution
- Technically and legally “sensibly embedded” in the business process
- Standardised SW and HW solutions for the market
- Easy to use for SMEs and large companies
The protection goal coverage (see Figure 2) shows, on the one hand, that signing and the “double” encryption on the two levels are very secure: in addition to the secure channel on the transport level (SSL/TLS), the web services are secured by the standardised security mechanisms of WSS (Web Services Security; SOAP Message Security: signature and encryption). On the other hand, authenticity and binding force with regard to the companies are not on the same security level.
Figure 2: Protection target coverage
Two circumstances are essential for corporate authentication:
- The participation of the ERP systems in the processes is secured by means of an X.509 certificate. Each outgoing message is signed with it and is then verified by the distributor. This solution has proven itself from the first version in 2005 until today.
- Only the company needs to be authenticated; no person or role authentication is required in the process. That is the responsibility of the company, its ERP system and its IT infrastructure.
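The following is an added illustration of the message-signing step described in the two points above. It is example code written for this article, not Swissdec's own software, and it simplifies the real mechanism: an ECDSA signature over a SHA-256 digest stands in for the WS-Security XML signature, a self-signed certificate stands in for a CA-issued one, and the distributor's trust store is a constructed in-memory map from company identifier to certificate fingerprint. The company identifier `CHE-123.456.789` and the payload are constructed sample values. What the example shows is the check the receiving side must perform so that the certificate, not a self-declared field in the message, decides which company a message is accepted for: tampering with the body, swapping the claimed company, or signing with a certificate not registered for that company all make verification fail.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Message is a simplified stand-in for a signed SOAP message (constructed for
// this example; the real format is WS-Security XML, not this struct).
type Message struct {
	CompanyUID string // company identifier claimed in the message
	Body       []byte // payload, e.g. a wage declaration
	CertDER    []byte // the sending ERP system's X.509 certificate
	Signature  []byte // ASN.1 ECDSA signature over digest(CompanyUID, Body)
}

// newSelfSignedCert creates an ECDSA key pair and a self-signed certificate for
// an ERP installation. Self-signed keeps the example offline; in production the
// distributor would expect a certificate issued by a CA it trusts.
func newSelfSignedCert(commonName string, validFor time.Duration) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	return key, der, nil
}

// digest binds the claimed company UID to the body, so neither can be swapped
// without invalidating the signature.
func digest(uid string, body []byte) []byte {
	h := sha256.New()
	h.Write([]byte(uid))
	h.Write([]byte{0}) // separator so that "ab"+"c" and "a"+"bc" hash differently
	h.Write(body)
	return h.Sum(nil)
}

// signMessage is the ERP side: every outgoing message carries the certificate
// and a signature made with the matching private key.
func signMessage(key *ecdsa.PrivateKey, certDER []byte, uid string, body []byte) (Message, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(uid, body))
	if err != nil {
		return Message{}, err
	}
	return Message{CompanyUID: uid, Body: body, CertDER: certDER, Signature: sig}, nil
}

// Distributor is the receiving side. It records, per company UID, the SHA-256
// fingerprint of the certificate that company registered (assumed registry).
type Distributor struct {
	trusted map[string]string // company UID -> hex fingerprint
}

func NewDistributor() *Distributor { return &Distributor{trusted: map[string]string{}} }

func fingerprint(certDER []byte) string {
	sum := sha256.Sum256(certDER)
	return hex.EncodeToString(sum[:])
}

// Register records which certificate a company is allowed to sign with.
func (d *Distributor) Register(uid string, certDER []byte) { d.trusted[uid] = fingerprint(certDER) }

// Verify accepts a message only if the certificate is the one registered for
// the claimed company, is within its validity period at time now, and the
// signature over (uid, body) checks out under that certificate's public key.
func (d *Distributor) Verify(m Message, now time.Time) error {
	want, ok := d.trusted[m.CompanyUID]
	if !ok {
		return errors.New("unknown company UID")
	}
	if fingerprint(m.CertDER) != want {
		return errors.New("certificate is not the one registered for this company")
	}
	cert, err := x509.ParseCertificate(m.CertDER)
	if err != nil {
		return fmt.Errorf("bad certificate: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("certificate outside its validity period")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported public key type")
	}
	if !ecdsa.VerifyASN1(pub, digest(m.CompanyUID, m.Body), m.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	key, certDER, err := newSelfSignedCert("ERP of Muster AG", 365*24*time.Hour)
	if err != nil {
		panic(err)
	}
	dist := NewDistributor()
	dist.Register("CHE-123.456.789", certDER) // constructed sample company UID

	body := []byte(`<wage-declaration year="2024">...</wage-declaration>`) // constructed payload
	msg, _ := signMessage(key, certDER, "CHE-123.456.789", body)
	fmt.Println("genuine message:", dist.Verify(msg, time.Now())) // nil

	tampered := msg
	tampered.Body = bytes.Replace(body, []byte("2024"), []byte("2023"), 1)
	fmt.Println("tampered body:", dist.Verify(tampered, time.Now())) // signature error
}
```

The fingerprint lookup is the part that turns message signing into company authentication: the signature alone proves that some holder of the private key sent the message, while the registry ties that key to exactly one company, which is what the self-declared identifier cannot do on its own.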
Figure 3: Public, private and responsibility in authentication
A description of the future Swissdec corporate authentication will follow in a separate article.