3 security related questions to ask your PLM cloud provider


Cloud is getting wider adoption these days. An interesting trend I have observed over the last year: customers are asking fewer questions about security. It was different 3-5 years ago, when everyone was concerned about the security of cloud solutions. In the PLM domain specifically, customers were concerned about company IP (drawings and other engineering-related materials that can easily be stolen, with no real way to get them back).

It seems to me that the security situation is getting different these days. Most cloud companies are well prepared to answer a typical set of questions about data center protection, data redundancy, protection of customer data, monitoring and audit. Most cloud companies publish their security policies in a transparent way; a few examples are the Amazon Security Center, the Autodesk Trust Center and others. There is a lot of information cloud companies put out to educate customers about security.

It is getting really hard for an average business decision maker to draw a conclusion about cloud security. The devil is in the details, and asking the right questions is getting even more important than before. My attention was caught by the InfoWorld article Cloud security: We’re asking the wrong questions (thanks to one of my readers for sharing). My favorite passage is about the ability to compare specific on-premise and cloud security aspects for a company:

To get an accurate answer to that question, you’d have to compare your on-premise solution (the entirety of it, including all your relationships) to the security offered by a particular cloud vendor. That’s hard to do in real life for a few reasons, led by the fact that most companies don’t know the security reality of their on-premise solutions — and followed by the fact that most cloud vendors won’t let you do onsite, direct security auditing of their systems. It’s a guessing game.

Companies face a serious dilemma with regards to cloud adoption and security. On one side, anti-cloud specialists keep buzzing about cloud vulnerability and every security breach. On the other side, let’s face it, employees are using public and free cloud solutions anyway, without IT approval. It is important to come up with a practical approach that helps a company make a risk assessment of cloud applications. The InfoWorld article made me think about a set of initial questions that will help you build an understanding of what a “cloud solution” vendor is providing and how it fits your company’s IT infrastructure. Here is the list I had in my mind this morning:

1- Account management. How does the cloud vendor manage user information, and how is the company user database mapped, used and/or imported into the cloud infrastructure? Information about users and user-related attributes is one of the most critical places for a security breach. It is important to align it with your corporate directory management strategy. Specifically, check how a potential APT (Advanced Persistent Threat) is prevented.

2- Understand the storage strategy. The risk of a cloud implementation is potential exposure of storage holding sensitive data (e.g. IP, documents, drawings, etc.). For products oriented toward short-term storage it can be less sensitive; you may be less concerned about storage of simulation results or visualization data. However, storage of native CAD files with the actual design data can impose a different security risk.

3- Computing infrastructure. Cloud is a buzzword everyone uses these days. However, behind the fuzzy cloud words you can actually find more information about the specific computing infrastructure: IaaS, hosting, servers, operating systems, geographical locations and much more. Computing infrastructure strategies differ, and in many cases you can either ask the vendor to disclose this information or find it yourself. Use of Google or Amazon won’t guarantee a specific security level. However, understanding it will help you compare with your on-premise security level and assess your risks.

What is my conclusion? It is not simple to make a decision about your company’s readiness for cloud applications. However, we need to face reality: regardless of IT and management decisions, there is a high probability that your employees are already using cloud services. Engineers are placing documents on Dropbox and using web email to send messages when the corporate email server is stuck. Some free collaboration software services are more efficient and/or more capable than your corporate PDM/PLM tools. So, rather than banning cloud in your company, you should come up with a list of questions that can help you evaluate and build your path to the cloud. Just my thoughts…

Best, Oleg


  • Ty H.

    It will be hard to point out a handful of the most important questions to ask, that will truly provide you the visibility to assess risk of a cloud solution vs. on-premises.
    Security risks assessment and mitigation are an ongoing activity. It requires attention to emerging threats and planning ahead for new security measures and evolving vulnerabilities.
    It is the existence of a Secure Development and Operation processes that will provide an answer to any question in any model.

  • beyondplm

    Ty, thanks for your comment! I agree – security assessment is an ongoing activity. However, I wanted to point out some important aspects of this assessment – not to say it is a one-time job.

  • Michael Finocchiaro

    Great article as always Oleg. I see my friend Ty chimed in as well. At DS, we published a few cloud- and security-related white papers that you may have missed:
    Cloud Security Whitepaper (http://www.3ds.com/products-services/3dexperience/resource-center/whitepapers/cloud-security/) and OWASP and Application Security Whitepaper (http://www.3ds.com/products-services/3dexperience/resource-center/whitepapers/owasp-and-application-security/).

    I think the other non-negligible security issue which was not mentioned is government spying – if you don’t want a national government agency from the US or nearly anywhere else to access your data, you may not want it to be on a cloud. I thought that last point was well explained here: http://www.ozy.com/fast-forward/snowdens-unexpected-impact-on-the-cloud/30902.article.

  • beyondplm

    Michael, thanks for the comments and links! You are right, governments around the world are part of the overall security play.