GT Nexus operates the world’s largest cloud-based business network and execution platform for global trade and supply chain management. GT Nexus’s security system is built upon five tenets of data security: authentication, authorization, confidentiality, integrity and non-repudiation. These building blocks work together to provide a comprehensive data security infrastructure.
Authentication is accomplished primarily by a login and password mechanism. Logins and passwords are only issued after verifying a registered user’s credentials. Users are required to change their password upon initial login and periodically thereafter. Strong passwords are enforced ensuring a minimal length that includes characters, digits and special characters. Passwords are stored encrypted in the database. GT Nexus may identify and authenticate users to the system using two-factor authentication. When a user is authenticated to the GT Nexus system with two-factor authentication, s/he provides a unique username and password, as well as a one-time access code generated by the e-identity Security System. The e-identity Security System utilizes a card that generates an access code that is unique to the token. The access code can be used only once to access the GT Nexus system; a different access code is generated each time the card is used. The card can be taken away or disabled to prevent access to the GT Nexus system. Each authenticated user session has an inactivity time out. User inactivity for a specific amount of time will require the user to re-authenticate to the GT Nexus system.
Users of the GT Nexus system also have to trust that they are connecting to GT Nexus and not a rogue machine that may be set up to look and act like GT Nexus. Server authentication is provided by the use of a server certificate. When a browser connects to the GT Nexus system, the browser automatically uses the certificate to verify that it is connecting with the legitimate GT Nexus site.
Authorization is the process of granting or denying access to a resource based upon the identity of a user. In the GT Nexus system, the authorization model defines what actions individual users and parties can perform within the scope of a GT Nexus transaction. GT Nexus defines authorization via the configuration of access control lists, user and company roles and business workflow rules within the system.
Access to the documents in a GT Nexus transaction are configured by a member organization’s system administrator who controls what individual users are allowed to see and do within the GT Nexus system. The business rules interact with the workflow system to control which parties can act on a transaction at any time.
The SSL (Secure Socket Layer) protocol provides a secure mechanism for exchanging data on the GT Nexus system. GT Nexus’s Server Certificate enables strong (128-bit) encryption on all communications between a user’s browser and GT Nexus’s servers.
The integrity of data in a transaction is extremely important to parties involved in it. There needs to be some level of assurance that an unauthorized individual has not altered the information in a transaction. The data must remain exactly as was entered and approved by the different parties involved in the transaction.
Digital signatures help protect the integrity of documents in the GT Nexus system. When a user first accesses the GT Nexus system s/he automatically generates a Public/Private key pair. The private key is encrypted with a password that is known only by the user and stored with the unencrypted public key. To apply a digital signature a user must present his/her password to decrypt the private key. The private key is then utilized to create the digital signature on the document data. The GT Nexus system can prove the integrity of document data at a later date by passing the document data and public key into the digital signature verification algorithm. If the document data has been altered in any way the verification process will fail.
User passwords are never stored in the GT Nexus system; instead, only hashed values of the password are persisted. No one with access to the GT Nexus system database will be able to find out a user’s password for the purpose of accessing the system.
Non-Repudiation is the ability of a party involved in a transaction to enforce the terms of the transaction against the other party. GT Nexus seeks to achieve non-repudiation through the use of the four previous tenets of security. Strong non-repudiation means that no party involved in a transaction can successfully deny that it had involvement in the completion of the transaction.
Non-Repudiation in the GT Nexus system is ensured with the addition of auditing to all the above security tenets. The ability to authenticate users, authorize user access, provide for confidentiality, prove the integrity and the auditing of transactions provides a means for proving a user’s involvement in a transaction and enforceability of the transaction terms. Every action a user makes is logged along with the data involved in the action to an audit facility in the GT Nexus Network the moment that they are performed. This data is captured for auditing purposes only and there is no system access provided to the audited information.