AS2 (Applicability Statement 2) is a data/file transfer protocol that supports fully-automated, server-to-server file transfers. It's suitable for two or more parties who often transact with each other and require a fast, secure, reliable, and paper-free method of exchanging supporting documents.
Although capable of transmitting practically any type of data over the Internet, AS2 is mostly associated with the transmission of EDI messages. So to give you a good handle on AS2, it would probably be good to take up Electronic Data Interchange or EDI first.
What is EDI?
EDI is an efficient method for exchanging electronic documents used in support of interorganizational and intraorganizational transactions.
When two organizations or two departments (in the case of intra) transact or engage in a business process, they normally exchange supporting documents; often in paper form. For instance, a company and its supplier may exchange request for quotations (RFQs), purchase orders, purchase order acknowledgements, shipping notices, invoices, and many others.
To expedite these processes, many businesses eliminate the use of paper and transmit electronic documents instead. Some companies manually encode the supporting document and then send it to the other party via email. Others use EDI.
EDI is mostly carried out automatically between computer systems. In other words, it rarely involves human intervention (aside from exceptional cases like maintenance, troubleshoots or audits). More importantly, the contents of an EDI document or message are structured in a certain way and are based on a family of standards.
Because an EDI message is standardized, it is possible to automatically generate its contents using data from business applications (e.g. inventory, accounting, sales, purchasing, delivery, etc.) or an ERP system. Correspondingly, it is also possible to extract data from an EDI message and make it available to business applications - again, without human intervention.
As the illustration below suggests, an EDI mapping/translation software can be used to convert application data to EDI or the other way around, i.e., EDI to application data.
There are several benefits when you exchange business documents in this manner. You can:
1. Speed up and automate business processes;
2. Do away with manual entries and significantly reduce the risk of human error;
3. Enable fast and seamless data exchange between two organizations even if they employ entirely different IT systems and document/data formats;
4. Eliminate the use of paper as well as the costs associated with it (e.g. costs of sorting, searching, mailing, collecting, and distributing documents);
5. Simplify storage of pertinent information;
6. Expedite audits and streamline corporate governance initiatives.
The first implementers of electronic data interchange came from the automotive industry, where it was introduced alongside Just-In-Time and Lean Manufacturing processes. EDI made it possible for the largely geographically dispersed and heterogeneous systems of different suppliers to connect and transact quickly, seamlessly and efficiently. Today, EDI is implemented in various industries, including Finance, Insurance, Transportation, Supply Chain, and many others.
In the US Healthcare Industry, EDI is one of the key provisions in HIPAA or the Health Insurance Portability and Accountability Act, whose main objectives include the standardization of health care transactions.
But where does AS2 fit in all this?
See that orange bi-directional arrow in the figure above, the one connecting those two companies? AS2 plays a crucial role in that area. Let's talk about it now.
The role of AS2 in EDI
In EDI jargon, two parties who exchange information using EDI are called trading partners. Obviously, geographically separated trading partners must share a common method for transmitting/receiving messages over a WAN. The traditional way of exchanging EDI messages is through what is known as a Value-Added Network or VAN.
VANs are third-parties who operate like post offices, i.e., they receive EDI messages from a sending trading partner and forward it to the intended recipient. Trading partners must subscribe to the same VAN (or at least to VANs that are interconnected) in order to successfully engage in EDI.
Today, however, more and more organizations are avoiding VANs and are instead exchanging their EDI messages over the Internet through commonly-used protocols. This option is more affordable to small trading partners who have limited budgets. And because most organizations are already connected to the Internet, this method also allows businesses to quickly onboard new trading partners.
Of course, there's one major problem when you send data over the Internet. Your data will be exposed to numerous threats. So if the EDI messages you send contain sensitive or confidential information, they have to be secured. AS2 can provide the needed security.
AS2 possesses attributes designed to ensure secure file transfers. These include:
✔ SSL encryption - Prevents eavesdroppers from viewing the contents of the EDI message as it travels through the Internet;
✔ Digital signature (affixed by sender) - Allows the receiving party to verify that the EDI message came from a legitimate trading partner and not an impostor;
✔ Digital signature (affixed by receiver) - Used by the sending party to verify that the recipient received the message. This can then be used to enforce non-repudiation and resolve disputes;
AS2 is normally delivered over HTTP/S (HTTP or HTTPS). As a result, you likely won't have to make additional configurations on your firewall to allow those EDI messages through.
Let's now trace the flow of a typical AS2 data transfer.
How an AS2 secure file transfer is carried out
To protect your EDI messages with data-in-motion encryption, your AS2 file transfer has to be sent over HTTPS. HTTPS encrypts data using SSL. In addition, it allows your server to affix a digital signature that will enable the receiving trading partner to verify whether the message came from an identified source. An AS2 transmission done over HTTPS basically looks like this:
Note: The server in the figure below corresponds to the machine marked "Communications" in the previous figure.
Here's what happens at each step:
1. An EDI message is forwarded to the server;
2. The server encrypts the message and affixes a digital signature;
3. The encrypted message is sent through the Internet over AS2;
4. The receiving party decrypts the message using a decryption key. The receiving party also validates the sender by inspecting the digital signature. Note: Before two parties can transact using AS2, they would have to exchange keys (a.k.a. public keys). This is characteristic of SSL and other cryptographic protocols that use public key encryption. To learn more about public key encryption, read the article "Roles of Server and Client Keys in Secure File Transfers"; and
5. The server makes the EDI message available to business applications.
AS2 also provides trading partners with a means to issue electronic return receipts known as MDNs. An MDN or Message Disposition Notification serves as a confirmation that the transmission went through successfully. Basically, upon arrival of the EDI message, the receiving server automatically issues an MDN, affixes its digital signature to it, and then sends it back to the message sender.
This is how the AS2 transmission would look like when MDN is applied.
How to use AS2
The best way to transmit AS2 is through a managed file transfer server. When delivered through an MFT server, AS2's built-in security can be augmented by other secure features like logging, access control, DLP, strong authentication, and many others. Read more about the essential attributes of a secure file transfer.
DLP or data loss prevention, in particular, can help you detect sensitive data in your EDI messages - a must for companies operating in industries covered by regulations like PCI-DSS, HIPAA, SOX, and GLBA.
Another key advantage of transmitting AS2 using a managed file transfer server is that the same MFT server can be used to accomplish a full range of other file transfer tasks.
Lastly, a managed file transfer server like JSCAPE MFT Server supports triggers. Triggers are used in automating business processes and hence are essential in implementing EDI. To learn more about triggers, view these videos:
or read these posts:
JSCAPE MFT Server is a powerful platform-independent managed file transfer server with installers for Windows, Mac OS X, Linux, Solaris and UNIX platforms. Download a free fully-functional evaluation today.