Interbusiness Access: Distributed Partners
Internet-based Enterprises are already doing business with customers and partners over the Internet. Resellers, suppliers, distributors, or anyone who is part of the extended business may connect to corporate intranets and access important company information. Employees and representatives in the field increasingly use local access to public networks and then connect to remote corporate information sources. Windows NT security is evolving to support the changing needs of distributed computing over the Internet.
Interbusiness distributed computing is not tied to a single architecture, and the security technology should not tie business to a single way to access information. Many approaches are available as security technology rapidly changes. Windows NT has integrated support for the security protocols and user models that fit the application or business need. More important, Windows NT provides a migration path from the Enterprise security in use today, with the opportunity to take advantage of Internet public-key security as the infrastructure matures.
Here are some of the options using Windows NT security to manage and support interbusiness relationships:
- An initial approach widely used today is simply to create user accounts for business partners to access corporate information services. Integrating Windows NT security with the Directory Services makes management of these special accounts much easier. Organization Units in the Directory can be used to group related accounts by partner, supplier, or other business relationship. Administration of these accounts can be delegated to the right people in the organization who manage these partner relations. Virtual Private Networks are established between organizations to encrypt network traffic carried over the public network. Using this approach, business partners can use remote access services to get to corporate information like any other remote employee. Access to databases or information repositories can be controlled with Windows NT access control.
- Domain trust relationships are another tool to use for establishing cross-business relationships. The Windows NT Directory Service provides much more flexibility to manage a tree of hierarchical domains. With Windows NT domain names integrated with DNS naming, Internet routing of information between two Windows NT domains is easy to configure. If the business relationship requires it, a domain trust can be used as one way to configure client/server applications that also have the privacy and integrity features necessary to communicate over the Internet. Users can use either Kerberos or public-key authentication protocols to access shared resources in remote domains.
- Organizations can use Microsoft's Internet Security Framework to solve Internet security problems. Companies can issue public-key certificates to specific partners with a need to access specific information resources. Certificates can be used instead of creating a user account or defining a domain trust relationship as a way of providing user identification and authorization. Public-key certificates, together with the infrastructure required to support issuing certificates and verifying certificate revocation, are accepted as the most effective way to support business-to-business relationships over the Internet. Windows NT supports X.509 Version 3 certificates issued by any certificate issuing system. System administrators on Windows NT define which Certificate Authorities are trusted and can associate external users authenticated by public-key certificates to Windows NT user accounts to define the access permissions associated with those users.
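
The decision flow in the last option, sketched as an added example that is not from the original paper and is not Windows NT code: a simplified Python model of trusted-CA checking, revocation checking and certificate-to-account mapping. It assumes the certificate's signature chain has already been verified; the CA name, subjects, serial numbers and account names are all constructed.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    """Fields of an X.509 v3 certificate whose signature chain is assumed verified."""
    issuer: str
    subject: str
    serial: int
    not_before: datetime
    not_after: datetime

# Every name and serial below is constructed for illustration.
PARTNER_CA = "CN=Example Partner CA,O=Example Corp"
TRUSTED_ISSUERS = {PARTNER_CA}            # CAs the administrator trusts
REVOKED = {(PARTNER_CA, 0x1003)}          # (issuer, serial) pairs from the CA's revocation list
# Keyed on issuer AND subject: a subject name alone is only unique per CA.
ACCOUNT_MAP = {(PARTNER_CA, "CN=Alice,O=Supplier Ltd"): r"PARTNERS\supplier-alice"}

def map_certificate(cert: Cert, now: datetime):
    """Return (account, reason); account is None whenever access is denied."""
    if cert.issuer not in TRUSTED_ISSUERS:
        return None, "untrusted issuer"
    if not cert.not_before <= now <= cert.not_after:
        return None, "outside validity period"
    if (cert.issuer, cert.serial) in REVOKED:
        return None, "revoked"
    account = ACCOUNT_MAP.get((cert.issuer, cert.subject))
    return (account, "mapped") if account else (None, "no account mapping")

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

NOW = utc(2025, 6, 1)
ALICE = Cert(PARTNER_CA, "CN=Alice,O=Supplier Ltd", 0x1001, utc(2025, 1, 1), utc(2026, 1, 1))
SAMPLES = {
    "valid partner": ALICE,
    "same subject, other CA": replace(ALICE, issuer="CN=Unknown CA,O=Elsewhere"),
    "revoked serial": replace(ALICE, serial=0x1003),
    "expired": replace(ALICE, not_after=utc(2025, 3, 1)),
    "unmapped subject": replace(ALICE, subject="CN=Bob,O=Supplier Ltd"),
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        print(f"{label:24} -> {map_certificate(cert, NOW)}")
```

Only the first sample resolves to an account; the access permissions then follow from that account's ordinary access control entries, so revoking the certificate or removing the mapping cuts off the partner without touching resource ACLs.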