Think Your Data Is Safe With On-Premise PLM? Think Again...
Oleg Shilovitsky
CEO @ OpenBOM | Innovator, Leader, Industry Pioneer | Transforming CAD, PLM, Engineering & Manufacturing | Advisor @ BeyondPLM
The original article was published?on my?Beyond PLM blog
Data is a centerpiece of any business today and there is a growing concern among companies about protecting their data assets. CAD/PLM business touches one of the most sensitive parts of the business IP - design, engineering data, manufacturing process, and related information. Back in the 2010s, the common grounds were that design and engineering information must be safely stored on-premises and there is no manufacturing company in the world that will place CAD and other engineering data on the cloud. Things have changed in the last decade and manufacturing companies have learned a lot about modern data management architectures, cloud and SaaS systems. Still, there are quite a lot of companies that believe the old and proven on-premise PLM technologies can ensure their data won't be compromised or stolen.
My attention was caught by The Bilbo Baggins Threat To PLM Assets , written by a former DS colleague which is an excellent write-up that can give you an idea about multiple ways the data can be compromised or stolen with a few very conventional approaches. Read the article and draw your conclusion. Here is my favorite passage:
Going after humans provides attackers with access to whatever is allowed to those humans' accounts. Application users usually have a rather restricted route to PLM data, while elevated-access IT personnel have direct access to databases and files.
PLM systems store engineering data in the database and physical files. It is much more rewarding to steal massive amounts of data by going directly for the juicy, tasty raw databases and files rather than trying to get around the application security setup.
All major PLM vendors are using relational databases such as Oracle and MS SQL to store metadata. A PLM system business logic "unites" metadata using SQL queries. That logic may be reproduced by an attacker who obtains a particular database account credentials and/or steals the entire database and then runs these queries.
All major PLM vendors stated in the article have more or less the same old architecture, which combined with the need to provide extended access to data these days, create a perfect environment where data can be compromised and stolen. Some of the old PLM systems have a transparent data model, which is used by many implementers as a way to integrate systems. While it is a very good approach for openness. it is a terrible approach when it comes to security and data protection. You also need to add that an average manufacturing company is still actively printing data for a variety of reasons starting from the simplest need - to be used in manufacturing shop floor facilities. Also, I cannot stop remembering very old fashion and ugly things like the usage of logins and passwords that don't change for ages and sometimes even (for convenience) written next to the working space.
So, what is the alternative, why the root cause of the problem is in the data and system architecture, and how modern SaaS/Cloud systems can help you to solve the problems of security much faster than protecting existing PLM databases? Here are a few things to think about.
领英推荐
1- SaaS data architectures don't provide direct access to databases and usually give DaaS (database as a service approach) that introduce another level of access.
2- Hosted databases are typically encrypted at rest and transit by default and web communication protocols provide a much better security level compared to an old client-server architecture.
3- Advanced login mechanisms with multi-factor authentications can provide additional security levels.
4- Modern data architecture stores data in multiple databases that are accessed by server applications, so stealing actually the data won't give you much advantage
On top of this SaaS completely eliminates the physical access to machines that can use another source to compromise the data assets. The same can be said about both databases and files. Of course, SaaS architecture doesn't guarantee that your data will be safe either. Any system potentially can be hacked and one of the questions is to check how the developer of PLM (and any other system) is following standards and processes of data and security management.
What is my conclusion? One of the biggest security holes is related to people and old data and system architecture. New data management approaches, using secured data centers, and modern processes to manage security are the foundation that will make your data safe. The devil is in the details, so if you're running or planning to install a 20 years old PDM/PLM system in your company, check how you will ensure data is safe and will not be compromised. Just my thoughts...
Best, Oleg
Disclaimer: I’m co-founder and CEO of?OpenBOM ?developing a digital network-based platform that manages product data and connects manufacturers, construction companies, and their supply chain networks.?My opinion can be unintentionally biased.
Digitalisierung in der Produktentwicklung - von Dateien und Ordnern zu Daten und der Cloud
3 年Good article showing the unsecurity of current old architectures. You hit the point. If only commands, fragments of informations going back and fort through the Internet and Intranet, safety is high due to the fact, that they are worthless without the encrypted central database. Furthermore, if there is no sending files back and forth with classical PDM/PLM check out / check out procedures is obsolete, than another medium containing Intelectual Property cannot be stolen. Simple math: Everything, which does not leave the desk / the central Fort Knox like database cannot be stolen. The aspect of Social Engineering, hostage users to steal for you, is the other thread. You quote Alex Bruskin, he describes great mechanisms to fight against in his article.