Supply Chain Intelligence in Real-time BI Info Days, Bayer Business Services May 24, 2012 Matthieu-P. Schapranow Hasso Plattner Institute Chair of Prof. Hasso Plattner

Supply Chain Intelligence in Real Time


DESCRIPTION

Invited talk at Bayer BI Info Days, May 24, in Cologne.


Page 1: Supply Chain Intelligence in Real Time

Supply Chain Intelligence in Real-time

BI Info Days, Bayer Business Services May 24, 2012

Matthieu-P. Schapranow Hasso Plattner Institute

Chair of Prof. Hasso Plattner

Page 2: Supply Chain Intelligence in Real Time

Agenda

■  Requirements of EPCglobal Networks

■  In-memory Building Blocks

■  Real-time Tracking and Tracing

■  Security Extensions for Reliable Exchange of Event Data

Real-time Sec. Ext. for EPCglobal Networks, Bayer BI Info Days, M. Schapranow, May 24, 2012


Page 3: Supply Chain Intelligence in Real Time

European Pharmaceutical Industry Manufacturing


Page 4: Supply Chain Intelligence in Real Time

European Pharmaceutical Industry Counterfeits


Page 5: Supply Chain Intelligence in Real Time

European Pharmaceutical Industry Motivation

■  Increasing counterfeit rates in pharmaceutical industry

■  34 million fake drugs in only two months in Europe

■  Pharmaceuticals: 3rd place / 10% of all intercepted articles

■  Related work proposes Radio Frequency Identification (RFID) technology or data matrix for anti-counterfeiting

□  RFID enables fine-grained tracking and tracing of each item

□  Problem: Low-cost tags do not provide security mechanisms

■  EU: “Privacy by design”

■  BSI: “Minimize the use of personal data”


Page 6: Supply Chain Intelligence in Real Time

European Pharmaceutical Industry Components for Anti-counterfeiting


■  Anti-counterfeiting service provider validates authenticity of concrete item for customers, e.g. in a pharmacy

■  EPC Discovery Service (EPCDS) supports identification of appropriate Electronic Product Code Information Services (EPCIS) repository

■  EPCIS repository contains all event data for handled products of a certain supply chain partner

[Figure: components of an RFID-enabled company (supply chain participant): tag, reader, middleware and EPCIS repository; plus the anti-counterfeiting service provider and the discovery service]

Page 7: Supply Chain Intelligence in Real Time

In-memory Building Blocks


■  Any attribute as index

■  Insert only for time travel

■  Combined column and row store

■  No aggregate tables

■  Minimal projections

■  Partitioning

■  Analytics on historical data

■  Single and multi-tenancy

■  SQL interface on columns & rows

■  Reduction of layers

■  Lightweight Compression

■  Multi-core/parallelization

■  On-the-fly extensibility

■  Active/passive data store

■  Bulk load

■  Text Retrieval and Extraction

■  Object to relational mapping

■  Dynamic multi-threading within nodes

■  Map reduce

■  No disk

■  Group Key

[Figure: Discovery Service, Read Event Repositories and Verification Services on SAP HANA; up to 8.000 read event notifications per second, up to 2.000 requests per second]

Page 8: Supply Chain Intelligence in Real Time

Real-time Tracking and Tracing In-Memory EPCDS

■  First EPCDS based on in-memory technology

■  Stores references to read events in distributed EPCIS repositories

■  Analyzes routes of products in real-time

■  Enables detection of counterfeits, e.g. at the checkout of the pharmacy


Page 9: Supply Chain Intelligence in Real Time

Real-time Tracking and Tracing Architecture


■  Bulk Loading: up to 50.000 records/s

■  Compression: 10 TB raw event data compressed to 600 GB (17:1)

■  Active vs. Passive Store: passive event data is transferred from main memory to SSDs for data retention

[Figure: Discovery Service, Read Event Repositories and Verification Services on SAP HANA; up to 8,000 read event notifications per second, up to 2,000 requests per second]

Page 10: Supply Chain Intelligence in Real Time

Security Extensions Definitions

■  Specific security definitions for EPCglobal networks are missing

■  IT Security := {confidentiality, integrity, availability} [4]

■  Confidentiality := prevent unauthorized reading of event data

■  Integrity := protect event data from being manipulated

■  Availability := provide access only to authorized parties


Page 11: Supply Chain Intelligence in Real Time

Security Extensions Access Control

■  Problem: Granularity of protection, e.g. event- vs. attribute-level

■  Hypotheses:

□  History-based access control while keeping the entire request history is feasible

□  Validation of access rights is possible in real-time, i.e. <2s

□  Real-time access control stops access to data immediately once data leakage was detected

□  Bivalent vs. continuous control of access


Page 12: Supply Chain Intelligence in Real Time

Security Extensions Attack Scenarios

■  Inside the Supply Chain: controllable by supply chain participants

■  Outside the Supply Chain: vulnerable environment

■  Transition Zone: customer’s risk


[Figure: zones "Inside the Supply Chain", "Outside the Supply Chain" and "Transition Zone"; actors shown: Supplier, Manufacturer, Wholesaler, Retailer, Customer, Counterfeiter, Attacker, Competitor]

Page 13: Supply Chain Intelligence in Real Time

Security Extensions Continuous Control of Access

■  Access is controlled on inquirer basis

■  Event data is transparently filtered

■  Existing applications can consume data without modifications, e.g. FOSSTRAK query client

■  Builds on in-memory ported FOSSTRAK architecture


Page 14: Supply Chain Intelligence in Real Time

Security Extensions Architecture

■  Access Control Server (ACS):

□  Logs inquirer and their associated queries

□  Analyzes query history,

□  Retrieves event data from EPCIS repository, and

□  Derives inquirer-specific access rights

■  Access Control Client (ACC):

□  Guarantees integrity of exchange data

□  Filters event data and enforces access rights from ACS

■  Trust Relationship Server (TRS):

□  Stores penalty for bad business behavior

□  Provides initial scoring for unknown inquirers

[Figure: Inquirer A (ACC), the Internet, and Supply Chain Party B (ACS, TRS, EPCIS event repository)]

Page 15: Supply Chain Intelligence in Real Time

Security Extensions Authentication

■  A Public Key Infrastructure (PKI) is a feasible way to handle the authentication requirement for pharmaceutical supply chains

■  A unique X.509 certificate per inquirer, issued by a trusted Certificate Authority (CA), enables identification of inquirers and attack paths


[Figure: CA, ACC of Inquirer A and ACS of Manufacturer B, with CRL and SSL; the certificates shown are:]

■  X.509 Cert CA: X509v3 Basic Constraints: CA:TRUE, Issuer: CN=HBAC-CA, Subject: CN=HBAC-CA, Subject Public Key Info, Validity

■  X.509 Cert A: Issuer: CN=HBAC-CA, Subject: CN=Inquirer A, Subject Public Key Info, Validity

■  X.509 Cert B: Issuer: CN=HBAC-CA, Subject: CN=Manufacturer B, Subject Public Key Info, Validity

Page 16: Supply Chain Intelligence in Real Time

Security Extensions History-based Access Control (HBAC)

■  Role-based Access Control (RBAC):

□  Inquirers are assigned to roles

□  Allowed actions are assigned to roles instead of individual inquirers

■  Rule-based Access Control (RuBAC):

□  Rules consist of predicates

□  Predicates can be obtained from various sensors, e.g. IP address, time, location, etc.

■  HBAC

□  Combines RBAC and RuBAC

□  Enables continuous control [declined, granted] instead of bivalent {declined, granted}
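
The continuous control named on this slide, together with the ACS/ACC split from the architecture slide, as an added sketch that is not code from the talk. The role ceilings, attribute thresholds, the rule over the request history and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed values: role ceilings (RBAC part) and per-attribute thresholds.
ROLE_CEILING = {"wholesaler": 1.0, "pharmacy": 0.6, "unknown": 0.3}
ATTRIBUTE_THRESHOLD = {"epc": 0.1, "eventTime": 0.1, "bizStep": 0.4,
                       "readPoint": 0.6, "bizLocation": 0.8}

@dataclass
class Inquirer:
    subject: str   # identity, e.g. the subject of the inquirer's X.509 cert
    role: str
    trust: float   # initial score in [0, 1], as a TRS would supply it
    history: list = field(default_factory=list)  # insert-only (time, epc)

def rule_penalty(history, now, window=60.0, max_distinct=3):
    """RuBAC predicate over the request history: each distinct EPC beyond
    max_distinct inside the window costs 25% of the access level."""
    recent = {epc for t, epc in history if now - t <= window}
    return min(1.0, 0.25 * max(0, len(recent) - max_distinct))

def access_level(inq, epc, now):
    """ACS side: log the request, then derive a level in [0, 1]."""
    inq.history.append((now, epc))  # the full request history is kept
    ceiling = ROLE_CEILING.get(inq.role, ROLE_CEILING["unknown"])
    level = min(ceiling, inq.trust) * (1.0 - rule_penalty(inq.history, now))
    return round(level, 2)

def filter_event(event, level):
    """ACC side: drop every attribute whose threshold exceeds the level."""
    return {k: v for k, v in event.items()
            if level >= ATTRIBUTE_THRESHOLD.get(k, 1.0)}

def demo():
    """Seven requests for different EPCs within one minute (constructed)."""
    event = {"epc": "urn:epc:id:sgtin:0000000.000000.1",
             "eventTime": "2012-05-24T10:00:00Z", "bizStep": "shipping",
             "readPoint": "dock-1", "bizLocation": "site-A"}
    inq = Inquirer("CN=Inquirer A", "pharmacy", trust=0.9)
    views = []
    for i in range(7):
        level = access_level(inq, f"epc-{i}", now=float(i))
        views.append((level, sorted(filter_event(event, level))))
    return views

if __name__ == "__main__":
    for level, visible in demo():
        print(level, visible)
```

A level of 0.0 corresponds to the bivalent "declined"; the values in between narrow the set of visible attributes step by step while the same query keeps working for the client.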


[Figure: HBAC data model spanning RBAC and RuBAC, with the entities ROLE, RULE, USER, IDENTITY, KEY, ACL, HISTORY and REQUEST and the relations "groups", "belongs to", "assigned to", "used for enc.", "consists of", "performs" and "linked to"]

Page 17: Supply Chain Intelligence in Real Time

Security Extensions Trust Relationship Server

■  Local Scoring Engine: Contains rules for calculating specific trust score based on input from inquirer data

■  Global Scoring Engine: List of known TRSs to retrieve initial trust information about unknown inquirers


[Figure: Inquirer A (ACC), the TRS of Manufacturer B and the TRS of a known business partner, linked via the Internet; each TRS has a Local Scoring Engine and a Global Scoring Engine; data shown: list of TRSs, inquirer data, TRS rules, authorized TRSs, behavioral inquirer data; the ACS is also shown]

Page 18: Supply Chain Intelligence in Real Time

Security Extensions In-memory Building Blocks

■  Combined Column and Row Store as foundation for Insert-Only and Partitioning

■  Insert-Only to keep complete query history

■  Lightweight Compression to reduce storage requirements and improve hardware usage

■  Partitioning as scalability factor and for aging

■  Multi-core/Parallelization to meet response time requirements

■  Active/Passive Data Store to enable data retention management

■  Reduction of Layers to improve maintainability


Page 19: Supply Chain Intelligence in Real Time

Thank you for your interest! Keep in contact with us.


Hasso Plattner Institute

Enterprise Platform & Integration Concepts

Matthieu-P. Schapranow, M.Sc.

August-Bebel-Str. 88

14482 Potsdam, Germany

http://j.mp/schapranow