Securing your PLM Infrastructure (before it’s too late!)

I read an interesting report at Symantec’s website - The average organizational cost of a data breach [in 2010] increased to $7.2 million and cost companies an average of $214 per compromised record, markedly higher when compared to $204 in 2009. The full report is here. Also per the Second Annual Cost of Cyber Crime Study

Cyber attacks have become common occurrences. The companies in our study experienced 72 successful attacks per week and more than one successful attack per company per week. This represents an increase of 44 percent from last year’s successful attack experience.

Pretty frightening huh! I am not sure it would be possible to break up such estimates into a granular level, but data loss from a PLM system would be also very expensive. And that needs to be seriously looked into. With this mission I looked at various PLM vendors websites – all they claimed was that their system was “highly secure” – But how secure is the question? Is there an established criterion or matrices or has it been quantitatively corroborated? CIMData  deals with this topic in their white paper  “TenQuestions to Ask PLM Solution Suppliers - What You Need to Know to Make anInformed Decision” though very briefly.

The risks are not only external but also present due to the fact that today users work from everywhere and not only from their office and even iPad apps are being released by several vendors. Other requirements like ITAR, export control, and other security protocols make it more imminent to secure your PLM environment. I believe during the PLM evaluation phase itself security mechanisms need to be evaluated and security should not be added as an afterthought.

Some of the security measures that come to mind (and nowhere are these comprehensive):

→     Application Layer Security

o   Application Security – Including On-site and off-site tape storage, OS hardening, Virus protection on all servers, etc.

o   User Authentication - Access Control and Data classification model. Strike the right balance between sharing information and securing it. See Ford’s slides on Product Data Security and Access Management.

o   IP Based Access Control.

→     Data Management Security

o   Data Encryption – 128-bit Secure Sockets Layer (SSL) data encryption, etc.

o   Database Security – minimal open ports, no scott/tiger or Default Password’s (I have seen this a lot!), no master passwords to control access to all systems, No text (property) file passwords!

o   Lock down on file vaulting servers(s)

→     Systems Security

o   Internal and Operating Systems Security – Firewalls, network address translation, port redirection, IP masquerading, non-routable IP addressing schemes, DMZ, Intrusion detection systems, etc.

o   PerimeterDefense including video surveillance

→     Data Center Security

o   Physical Security of server farms including biometric authentication for access. (Though one of my customers had an enterprise down scenario when rats gnawed down some of their fiber optic cables)

o   Reliability and Backup –Hardware: UPS battery systems, diesel generators, and HVAC systems – (I saw this first hand when a few years back a snow storm hit a customer site in New England area and power lines were down, they didn’t have diesel generators and UPS battery lasted only for an hour or so causing servers to crash). Disaster recovery sites, Backup tapes also are important.

o   Water Suppression, Fire protection facility in server room.

o   Social Engineering – Do not underestimate the human aspect of security. Ignorant or discontented employees can cause more harm than you can imagine. Former computer hacker Kevin D. Mitnick has a good book on this topic: “The Human Element of Security”

Audits and Standards

Facilities can be designed to withstand extreme elements that comply with ISO/IEC 27001 standards. A SAS 70 Type II or SSAE 16 or ISAE 3402  audits can also be done. A comprehensive security assessment and mitigation of risks related to system would bring in peace of mind.

Conclusion

There is a Data Breach Risk Calculator available which will estimate your risk exposure and can calculate amongst others the cost of a data breach at your company.

Organizations should remember the costs involved – What a mid tier firm might have the funds for will be appreciably different from what a Fortune 100 firm would. They should pigeonhole the sets of security features needed based on priority and significance and make practical decisions based on their budget.