What Global Manufacturers Need to Know About Security in the Cloud


Manufacturers deal with sensitive information each and every day. This includes test and quality data, warranty information, device history records and the engineering specifications for a product that are highly confidential. Trusting that data to a cloud-based application or cloud services provider is a major step, and manufacturers need to fully educate themselves about the security risks and advantages of cloud-based software.

Consider the questions below as a guide to use when discussing application infrastructure and operations with cloud providers.

What do you do to keep my data safe?

This is the most important question a manufacturer should ask a cloud provider.

The answer should be long and multi-faceted. Because no single tool can defend against every kind of attack in any network, cloud providers must deploy multiple layers of defense using: internal systems; protection provided by tier 1 cloud platforms; and security service providers.

All of these elements come together to provide complete protection. Below are some examples of these layers:

  • Physical Defense: Cloud platform providers can and should exercise tight control of access to the physical devices on which the software systems reside. In best case scenarios, Independent auditors attest to the safety of this access. This control and documentation must be reviewed on a regular basis.
  • Barriers to Entry: Firewalls built into the cloud service can limit access to ports managed by the application. Unneeded ports should be blocked so that they cannot be accessed.
  • Application Password Protection: the best-designed cloud applications allow your organization’s identity management system to provide authentication and password management, limiting access to your data and following your internal security policies. This should also support two-factor authentication if your internal policies require it. Some of the more advanced systems can also provide an identity management service as an alternative to your internal solutions, if required.
  • Application Firewalls: Most enterprise-class application designs will include a Web Application Firewall service that uses the latest technology to defend against such things as denial of service attacks and other types of malicious access.
  • Activity Monitoring: State-of-the-art cloud platform providers continuously monitor for suspicious activity that could be the result of hacking or malware. Again, in best case scenarios, warnings are sent automatically and steps taken to protect the data and the integrity of the platform.
  • Malware Monitoring: Both the application provider and the hosting platform provider must run active checks for malicious code to ensure each piece of code that is executed matches the published signature for that code. Be warned: this is a step that many providers have not migrated to yet.
  • Code Standards: Good security starts with good code. Security standards must be included in the system development life cycle, governing every aspect of the system. Be sure to review the code standards of the application developer.
  • Third Party Code Scanning: The most advanced application providers use a third-party firm to scan code looking for opportunities to improve security and look for known vulnerabilities with each new version of the application. Ask for details about this, as there are many different levels of scanning available; a once-a-year scan is obviously not as valuable as regularly scheduled scans before each new release of software.
  • Data Encryption: Generally accepted practices for data encryption provide different options for data in different modes: data in transit (being communicated within the system or between the database and your user interface) and data at rest (data that resides within the database and is not currently being accessed).

○ Data in transit can be encrypted using industry standard encryption through the browser. Additionally, APIs that access the data should use encrypted data and include encrypted tokens to increase access control.
○ Encryption of data at rest protects against accessing data from outside the application’s control. As the physical access to the system is protected and the data is in password protected databases, at-rest encryption may not be essential for every customer - but the question is still worth asking.

What do you do to prevent the data from being hacked and stolen?

“Hacking” or stealing data is the number one security concern of most people considering a cloud solution. Note, however, that some common misunderstandings often drive this concern.

According to the “Data Breach Investigations Report” from Verizon, about 50 percent of all security incidents are caused by people inside an organization. Good user management and password security policies are the best way to prevent these types of attacks. This is the underlying purpose of application password protection, as described above.

For preventing external hacks and data theft, the system must be architected to prevent as many types of attacks as possible (see above). Also, application providers must use internal personnel and external consultants to run frequent penetration testing. These tests look for common paths that attackers use to gain access to systems through the internet. The tests help ensure there are no doors left open for hackers. Be sure to ask about penetration testing, including both the frequency and the methodologies used.

How does cloud security compare to on-premise security?

This is a question that should be asked internally, as well as externally. There is a common misperception that a set of servers running on-premise at a corporate office is more secure than a cloud-based application. Owning the hardware and software often gives a false sense of security; most on-premise systems fall far short of the security that the best cloud providers have deployed.

For example, the cloud storage system utilized by my company was designed for 99.999999999% durability and up to 99.99% availability of objects over a given year. That design and those numbers are virtually impossible to duplicate with an on premise solution. In addition, the comprehensive access control described above is nearly impossible to duplicate on-premise. To deploy tools like these in an on-premise environment would require not only large investments in infrastructure, but large teams to manage them too.

Ask yourself: how big is your security team? How much is your budget for security around your manufacturing data? Then remember, the best application providers and data centers have large, dedicated security teams who have implemented automated threat monitoring systems that operate 24x7. In the end, the best cloud software companies have dedicated more time, resources and budget to securing our systems than most organizations are able to provide themselves.

More Security in the Cloud

The security issue for cloud manufacturing software is perhaps best summed up by this quote from LNS Research:

“By moving to the Cloud, security is usually enhanced rather than diminished as Cloud suppliers devote huge efforts to ensuring their underlying systems are as secure as possible and are constantly updated to react to potential threats. No individual manufacturer could devote such efforts, and they should focus on plant security working with their MES and plant software vendors to ensure maximum security and properly maintained systems. Do not get caught out by obsolete and vulnerable systems.”

About the author: Srivats Ramaswami, CTO at 42Q, has worked at both OEM’s and contract manufacturers, most recently as vice president of IT Operations. His expertise includes the architecture and implementation of IT solutions, making the global supply chain visible and more efficient. Srivats is now responsible for customer acquisition and engagement, technology development and deployment for 42Q.

Copyright 2010 Respective Author at Infosec Island via Infosec Island Latest Articles "http://ift.tt/2CTfG4D"

Comments

Post a Comment

Popular posts from this blog

Evernote cuts staff as user growth stalls

Image
Note-taking app Evernote has fallen on hard times of late, culminating in its latest spate of job cuts impacting 15 percent of its workforce (54 employees). CEO Chris O' Neil -- an ex-Googler who took the reins in 2015 -- announced the firings at an all-hands meeting earlier today, reports TechCrunch . In a message on the Evernote blog , O' Neill admitted he'd set "incredibly aggressive goals" for the company in 2018. He continued: "Going forward, we are streamlining certain functions, like sales, so we can continue to speed up and scale others, like product development and engineering." The layoffs follow an exec exodus just weeks ago and the company's recent brand refresh (complete with a refined logo and wordmark). But critics are more concerned about its product, especially the free tier, which they claim lacks the perks to
Read more

The best air conditioner

Image
By Liam McCabe This post was done in partnership with Wirecutter . When readers choose to buy Wirecutter's independently chosen editorial picks, it may earn affiliate commissions that support its work. Read the full article here . After six summers of researching, testing, and recommending window air conditioners, we've learned that quiet and affordable ACs make most people the happiest—and we think the LG LW8016ER will fit the bill in most rooms. This 8,000 Btu unit cools as efficiently and effectively as any model with an equal Btu rating, and runs at a lower volume and deeper pitch than others at this price. Little extra features like a fresh-air vent, two-axis fan blades, and a removable drain plug help set it apart, too. The LG LW8016ER is a top choice for an office or den, and some people will find it quiet enough for a bedroom, too. If our main pic
Read more

We won't see a 'universal' vape oil cartridge anytime soon

Image
Pre-loaded cartridges of cannabis concentrate are currently among the most popular means of consumption, and for good reason. They're discreet to use and easy to handle, a far cry from the dark days of 2016 when we had to dribble hash oil or load wax into narrow-mouthed vape pens by hand. But, frustratingly, an ever increasing number of oil cartridge manufacturers employ one-off design standards so that their products won't work with those of their competitors, thereby locking customers into proprietary ecosystems. We've already seen this with nicotine vaporizers -- which has a seen a massive rise in "pod systems" in the last few years, each outfitted with a unique canister and battery built to be incompatible with those of their competition. Is it too late for the burgeoning cannabis industry to set a universal standard for their product designs?
Read more