I was recently asked to talk at the European eInvoicing and eBilling conference about better ways to integrate the transfer of e-invoicing and e-billing into existing applications and security solutions. By the way, it was held in Munich and, if you go, definitely check out the surfing at the south end of the Englischer Garten. There's more information on the conference and proceedings here: www.expp-summit.com
Anyhow, I did actually manage to get some work done, and one of the things that struck me was how similar e-invoicing integration issues are to those in banking and healthcare, which the SOA Products group already has extensive experience of. The acronyms and standards change but the general method of solving the security and flexibility problems remains the same.
So here are some of the barriers to adoption or difficulties we’re facing:
- The big picture: each country has its own security, audit and legal requirements, and during research I could not find 2 countries that approached e-invoicing exactly the same way.
- A heterogeneous environment doesn’t have the advantages or disadvantages of enforced transfer networks, like banks with SWIFT:
  - Advantages – a clear direction, good docs, security, reliability, assurance.
  - Disadvantages – high cost, little flexibility, slow adaptation.
- Some companies find comfort in paper, and others, especially small and medium enterprises, don’t feel they’re technically up to speed for e-invoicing.
And on top of these there’s security, always the necessary evil. It is mainly a concern for large enterprises and for service providers servicing SMEs. From the slide, generally the hard and fast requirements are the “Assurance/Compliance” and “Trust & Control” boxes.
“Perimeter Defence” and “External Threats” are best practices to protect confidential enterprise data that’s being exchanged. In effect they’re pretty much requirements as well.
Starting from the top, we have the generation of the signature. Should it be an Advanced signature or a Qualified digital signature? Does the signing certificate need to be bound to the individual or to the organisation? There are differing regulations for that in different countries.
Does your set of signing certificates fit in with your existing Certification Authority and public key infrastructure? Is the trust relationship there with other business systems and issuers? Can you deal with multiple types of authorisation, including tying your e-Invoicing application into your organisation's existing Single Sign-On? The SSO and certificate trust structure becomes important when you realise the need to maintain personal responsibility for the invoice with the individual who generated it.
Can you deal with multiple encryption types, especially when you start trading in another country and your existing e-Invoicing application does not provide support for the new cryptographic requirements?
With your external B2B and B2C trading partners you may have to have an internet-facing service. Do you really want your e-invoicing or billing application to have to face issues like content attack and denial of service? All these add up to a headache that’s necessary for business continuity.
The advantage is that once this hurdle is passed there is little change required, only additions to existing services.
Clearly there’s a requirement for flexible, generalised software tools like Service Gateways to apply some mediation and governance.
A Service Gateway is an obvious solution to tackling the difficulties above without recourse to excessive customisation of your existing e-Invoicing app. Customisation leaves you with a point-to-point integration problem, i.e. you have to start coding a lot of interfaces between formats, security token types, certificates, encryption routines etc., always assuming your e-Invoicing application supports all of those that you wish to communicate with.
Because most or all of your security, certification and signing requirements are built into a Service Gateway like Intel® SOA Expressway, you don't have to worry about different sets of capabilities for the multiple e-Invoicing apps you have in your own organisation, and there's only one place you need to update when integrating externally, especially when billing between countries. As the Service Gateway seamlessly deals with routing and mediation for both format and protocol, there are fewer integration worries. Indeed, if you're part of a larger enterprise you may already have a Service Gateway that you can make use of.
For more in-depth information, including seminars, visit Dynamic Perimeter.com.