I read an interesting report at Symantec’s website - The
average organizational cost of a data breach [in 2010] increased to $7.2
million and cost companies an average of $214 per compromised record, markedly
higher when compared to $204 in 2009. The full report is here.
Also per the Second Annual Cost of Cyber Crime Study
Cyber attacks have become common occurrences. The companies in our study experienced 72 successful attacks per week and more than one successful attack per company per week. This represents an increase of 44 percent from last year’s successful attack experience.Pretty frightening huh! I am not sure it would be possible to break up such estimates into a granular level, but data loss from a PLM system would be also very expensive. And that needs to be seriously looked into. With this mission I looked at various PLM vendors websites – all they claimed was that their system was “highly secure” – But how secure is the question? Is there an established criterion or matrices or has it been quantitatively corroborated? CIMData deals with this topic in their white paper “TenQuestions to Ask PLM Solution Suppliers - What You Need to Know to Make anInformed Decision” though very briefly.
The risks are not only external but also present due to the fact that today users work from everywhere and not only from their office and even iPad apps are being released by several vendors. Other requirements like ITAR, export control, and other security protocols make it more imminent to secure your PLM environment. I believe during the PLM evaluation phase itself security mechanisms need to be evaluated and security should not be added as an afterthought.
Some of the security measures that come to mind (and nowhere
are these comprehensive):
→
Application Layer Security
o
Application Security – Including On-site and
off-site tape storage, OS hardening, Virus protection on all servers, etc.
o
User Authentication - Access Control and Data
classification model. Strike the right balance between sharing information and
securing it. See Ford’s slides on Product Data Security and Access Management.
→
Data Management Security
o
Data Encryption – 128-bit Secure Sockets Layer
(SSL) data encryption, etc.
o
Database Security – minimal open ports, no
scott/tiger or Default Password’s (I have seen
this a lot!), no master passwords to control access to all systems, No text (property)
file passwords!
o
Lock down on file vaulting servers(s)
→
Systems Security
o
Internal and Operating Systems Security –
Firewalls, network address translation, port redirection, IP masquerading,
non-routable IP addressing schemes, DMZ, Intrusion detection systems, etc.
o
PerimeterDefense including video surveillance
→
Data
Center Security
o
Physical
Security of server farms including biometric authentication for access. (Though one of my customers had an enterprise down scenario when rats gnawed down some of their fiber optic cables)
o
Reliability
and Backup –Hardware: UPS battery systems, diesel generators, and HVAC systems
– (I saw this first hand when a few years back a snow storm hit a customer site
in New England area and power lines were down, they didn’t have diesel
generators and UPS battery lasted only for an hour or so causing servers to
crash). Disaster recovery sites, Backup tapes also are important.
o
Water Suppression,
Fire protection facility in server room.
o
Social
Engineering – Do not underestimate the human aspect of security. Ignorant or discontented
employees can cause more harm than you can imagine. Former computer hacker Kevin
D. Mitnick has a good book on this topic: “The Human Element of Security”
Audits and Standards
Facilities can be designed to withstand extreme elements
that comply with ISO/IEC 27001 standards.
A SAS 70 Type II or SSAE 16 or ISAE 3402 audits can also be
done. A comprehensive security assessment and mitigation of risks related to
system would bring in peace of mind.
Conclusion
There is a Data Breach Risk Calculator available
which will estimate your risk exposure and can calculate amongst others the
cost of a data breach at your company.
Organizations should remember the costs involved
– What a mid tier firm might have the funds for will be appreciably different
from what a Fortune 100 firm would. They should pigeonhole the sets of security features
needed based on priority and significance and make practical decisions based on
their budget.
ITC Infotech is one of the leading PLM solutions providers globally, which enables companies and organizations to achieve its goals by solving its key business issues.
ReplyDelete