PLM security: data and classification complexity

Security. It is hard to overestimate the importance of the topic. Information is one of the biggest assets companies have. Data and information are the lifeblood of every engineering and manufacturing organization and a key element of company IP: 3D models, bills of materials, manufacturing instructions, supplier quotes, regulatory data and zillions of other pieces of information.

The Forrester TechRadar™: Data Security, Q2 2014 publication caught my attention. Navigate to the following link to download the publication. The number of data security points is huge and overwhelming, and there are many different aspects of security. One of the interesting facts I learned from the report is the growing focus on data security: data security budgets were 17% as of 2013, and Forrester predicts an increase of 5% in 2014.

The report made me think about a specific characteristic of PLM solutions – data and information classification. Every PLM system is characterized by a high level of data complexity, data richness and dependencies. The information about products, materials, BOMs, suppliers, etc. is significantly intertwined. We could say a lot about PLM system security and data access layers. Simply put, it depends on many specifics of the product, the company, its business processes and its vendor relationships. As company business goes global, the security model and data access get very complicated. Here is an interesting passage from the report related to data classification:

Data classification tools parse structured and unstructured data, looking for sensitive data that matches predefined patterns or custom policies established by customers. Classifiers generally look for data that can be matched deterministically, such as credit card numbers or social security numbers. Some data classifiers also use fuzzy logic, syntactic analysis, and other techniques to classify less-structured information. Many data classification tools also support user-driven classification so that users can add, change, or confirm classification based on their knowledge and the context of a given activity. Automated classification works well when you’re trying to classify specific content such as credit card numbers but becomes more challenging for other types of content.

In my view, PLM content is one of the best examples of data that can hardly be classified and secured. It takes a long time to specify which pieces of information should be protected and how. A complex role-based security model, sensitive IP, regulations, business relationships and many other factors come into play when building a classification model to secure PLM data.
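To make the report's three classification modes concrete, here is a small classifier of my own (added for illustration, not code from Forrester or from any PLM vendor): deterministic patterns for card and social security numbers, a customer-defined policy for PLM content, and a user-asserted label. The `ACME-PN-` part-number scheme, the policy labels and the BOM record are constructed for the demo.

```python
import re

# Predefined deterministic patterns of the kind the report names (card numbers, SSNs).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed "custom policy" for PLM content: a hypothetical part-number scheme and supplier-quote wording.
PLM_POLICIES = {
    "ENGINEERING_IP": re.compile(r"\bACME-PN-\d{5}\b"),
    "SUPPLIER_CONFIDENTIAL": re.compile(r"\bquote\b", re.IGNORECASE),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random 16-digit run is not flagged as a card number."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def to_text(data) -> str:
    """Flatten structured (dict) or unstructured (str) input into one searchable string."""
    if isinstance(data, dict):
        return " ".join(f"{k}: {to_text(v)}" for k, v in data.items())
    return str(data)

def classify(data, custom_policies=None, user_labels=None):
    """Sorted labels: deterministic matches, then custom policies, then user-asserted labels."""
    text = to_text(data)
    labels = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("PCI")
    if SSN_RE.search(text):
        labels.add("PII")
    for label, pattern in (custom_policies or {}).items():
        if pattern.search(text):
            labels.add(label)
    labels.update(user_labels or ())  # user-driven classification: the user's context wins
    return sorted(labels)

# Constructed BOM line for the demo; every value here is made up.
SAMPLE_RECORD = {
    "part": "ACME-PN-77821",
    "note": "Supplier quote Q-2014-0317; card on file 4111 1111 1111 1111",
    "contact_ssn": "123-45-6789",
}
```

Call `classify(SAMPLE_RECORD, PLM_POLICIES)` to see all three modes fire on one record; a lookalike digit run that fails the Luhn check is left unlabelled, which is exactly the deterministic precision the report says breaks down for less structured PLM content.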

What is my conclusion? I can see a growing concern about securing data access in complex IT solutions, and PLM is one of them. Protecting complex content is not simple – in many situations out-of-the-box solutions won’t work. PLM architects and developers should consider how to provide easier ways to classify and secure product information while staying compliant with multiple business and technical requirements. An important topic for the coming years. Just my thoughts…

Best, Oleg

  • kaheniem

    Interesting chart, although somewhat useless in my view. Identity Management typically goes hand in hand with access management, which in turn is typically part of Risk & Compliance Management, where the whole point is to gain GOVERNANCE of data security. Who is who, and by what rights should he have access to this and that 🙂 But it does tell a sales guy like me what the most likely discussion opener to go after is, even though the end result might be the same.

    Security has always been about protecting business-critical information from leakage and misuse, and information is built on data, so I don’t really see why “data security” is suddenly a topic or technology of its own.

  • beyondplm

    Kaheniem, thanks for asking these questions! I agree, the chart is complicated. I found these categories overlapping. What is clear is “data security”. And as you said, this is “primarily” the concern of the IT org in every company. To me, it helps to structure the discussion about the elements of security to make it actionable.

  • kaheniem

    It is unfortunate that security is typically the concern of IT orgs, although it should be the business’ concern. IT can’t build Security Governance and set up the policies and processes required for data security. IT shouldn’t be responsible for deciding whether I should be given access to certain data when I request it or when I start as a new employee in a company.

    The most common security mistake found in audits is “Excessive Access Rights”.
    One reason is the complexity of today’s systems, and most PLM & ERP systems don’t really have the usable yet robust built-in access management that most companies would require, even though they are built to handle very business-critical information (not to mention CRM :)).

  • beyondplm

    You are right, PLM and ERP systems have very complicated access rights mechanisms. The main reason is data complexity and business process complexity. However, in every organization I’ve seen, people like to keep IT accountable for data security. In my view, it is just a matter of COMFORT ZONE. Usable access management tools are key, I agree 100%.