In my last blog, 5 Considerations When Deciding on Internet Communications Protocols, I highlighted the key factors you should consider when selecting the best Internet protocol (IP) for your company when exchanging EDI documents: data security, message management, ease of setup and use, and interoperability.
What are the most commonly used communications protocols?
- FTP (File Transfer Protocol) with VPN (Virtual Private Network) – FTP was the first robust, reliable file transfer protocol developed and is still used today by many businesses, particularly for file exchange within a company. However, FTP by itself does not provide the security needed for document exchange with other companies over the Internet. For this reason, businesses that use FTP use it in conjunction with VPN software to provide the security layer needed.However, neither FTP by itself nor FTP with VPN provides non-repudiation or message management. Moreover, interoperability may be an issue because there are many different ways of implementing VPN on your system, as well as possible differences in versions of VPN. Although FTP with VPN does not address all five factors, you can use it to connect to an EDI Network Services Provider which then provides the non-repudiation, message management and interoperability required.
- SFTP (Secure File Transfer Protocol) and FTPS (File Transfer Protocol Secure) – Both SFTP and FTPS are secure Internet protocols. The major difference is in how each provides security and performs encryption. The security layer used by SFTP was developed by the Internet Engineering Task Force, while the security layer used by FTPS was developed by the Internet browser company Netscape.Both protocols encrypt the data while in transit, keeping it safe while moving over the Internet, and then decrypt it upon arrival at its destination. However, neither provides non-repudiation or message management. As with FTP with VPN above, interoperability is a major issue, and again you can use either to connect to an EDI Network Services Provider, which then provides the non-repudiation, message management and interoperability required.
- AS2 (Applicability Statement 2) – AS2 was developed specifically to overcome the limitations of the other security protocols noted above. In addition to providing a high level of data security, it addresses non-repudiation, message management and interoperability. It was developed by the the Internet Engineering Task Force (IETF). The major boost to its usage was when it was mandated by Walmart as the only acceptable communication protocol for suppliers wishing to do business with them. Its usage soon spread to other major businesses.Let’s look at how AS2 addresses non-repudiation, message management and interoperability.
- Non-repudiation – AS2 uses a system of keys to ensure non-repudiation. A private key is used by one business to encrypt its digital signature (a special identity code) on a file being transmitted. That company’s public key is provided to all its business partners for use in decrypting the digital signature. No other key will work, thus verifying the identity of the sender.
- Interoperability – AS2 is backed by the Drummond Group, an organization that certifies that versions from different vendors are compatible. Thus, you are guaranteed that if you buy any two products from the list of Drummond-certified products that they will work together well.
- Message Management – AS2 provides a status message called the Message Disposition Notification (MDN), which informs you that the transmission was successfully received, decrypted and verified.There are several challenges to a successful AS2 program. AS2 is a “push” protocol, meaning documents are sent as soon as they are available and the business partner must be ready to receive them. The recipient’s server must be up and running 24×7, with personnel ready to troubleshoot any communication issues. In addition, management of the private and public keys used for non-repudiation and security adds another layer of complexity to its operation. Moreover, because AS2 is much more sophisticated than the other protocols, a highly skilled staff will be needed to support it.
In summary, you have several choices when selecting a secure communication protocol for your EDI documents. AS2 best addresses all the key requirements, but requires a higher level of commitment. Because of its full functionality, many companies opt to use AS2 for exchanging EDI documents for both their direct connect partners and to connect to an EDI Network Services Provider for the rest of their partner community. If you use one of the other secure protocols, then use of a Provider should be considered in order to address the gaps in capabilities.
If you’d like to learn more, you may be interested in viewing this webinar, “Which Communications Protocol is Best for B2B Integration?” during which you will learn more about the specific challenges around B2B communications decisions and alternatives.