As companies continue to grapple with the effects of the COVID-19 pandemic, most are adopting longer term solutions that involve at least some of their workforce operating remotely on a permanent basis. For the thousands of companies undergoing digital transformation around the world, Software as a Service (SaaS) has emerged as a viable option for providing employees with access to mission critical software without becoming deeply enmeshed in the back-end administration of it. With that said, enterprises still need to remain cognizant of important considerations with respect to security and data management, even when using a SaaS product.
To address some common themes and address any potential hesitation with respect to SaaS adoption, we sat down with Walter Haydock, ThingWorx’s Director of IoT Security Product Management and a PTC resident cybersecurity expert.
Cybersecurity is critical because of the need to preserve the confidentiality, integrity, and availability of companies’ Intellectual Property (IP) – their lifeblood. Without the proper security tools, techniques, processes, and people in place, organizations put at risk their critical operations, business functions, and customer base.
Hackers are increasingly sophisticated and aggressive, and they understand the paramount importance of IP to enterprises. Whether by stealing data directly to sell later, encrypting it with ransomware, or taking down corporate systems with Distributed Denial of Service (DDoS) attacks, they can sometimes bring massive organizations to a screeching halt through a well-planned and executed attack.
The COVID-19 pandemic has only intensified these risks. Although a necessity for health and safety reasons, distributing workforces geographically can potentially open more attack vectors to hackers. To combat efforts from malicious cyber actors attempting to steal, corrupt, and deny legitimate access to critical data, companies have been investing more in their security infrastructures. At PTC, and especially within the Industrial IoT (IIoT) segment, we take security very seriously. To learn more I would recommend taking a look at the white paper we issued earlier this year, which details our strategy for securing the ThingWorx IIoT Solutions Platform.
From an information security perspective, SaaS is a welcome development for the most part. SaaS empowers application and network security efforts by providing:
Complications can arise, however, when taking into account other security-adjacent fields such as data governance and privacy. Although major cloud providers often have granular controls dictating in which jurisdictions data can be stored, some enterprises still feel uneasy with the inability to locate precisely and with absolute certainty where their or their customers’ information resides. Similarly, ensuring that SaaS providers and the platforms on which they operate don’t run afoul of new regulations is equally important. For example, the GDPR in the European Union and the CLOUD Act in the United States can be construed to apply their governments’ legal systems extraterritorially in certain cases, complicating compliance efforts in some scenarios.
To assist organizations as they prepare to move their deployments to the cloud, PTC has developed a detailed shared security model for ThingWorx, which identifies the exact roles and responsibilities of all stakeholders. This is complementary to paradigms that major cloud providers such as Microsoft Azure have published.
In addition to upholding their joint responsibilities, manufacturers can take additional steps to prepare their on-premises IIoT deployments for migration to the cloud. Enterprises have likely established well-understood paradigms for daily operations in their on-premises instances and will want the same business logic and functionality available when they move to a SaaS model. As a result, conducting a detailed security review of their ThingWorx deployment – especially when it comes to permissions management – is a great idea before beginning to migrate workloads to the cloud.
For example, we specifically recommend a comprehensive review of appropriate Access Control Lists (ACL) and/or on-premises identity and access management systems to ensure the allocation of the absolute lowest level of privilege necessary to facilitate business operations. Additionally, creating and refining standardized or automated procedures to “clean up” and limit the permissions of users in their directory systems is another key step.
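As an added example (not PTC's or ThingWorx's code, and not tied to the ThingWorx permission model), the Python script below performs the kind of least-privilege review described above over a constructed snapshot of directory data: it expands group memberships into effective permissions, flags grants that exceed an assumed per-role baseline together with the group or direct grant that delivers them, and flags idle accounts for disabling. The group names, permission strings, role baselines and the 90-day idle threshold are all assumptions chosen for the example.

```python
"""Least-privilege audit over a constructed directory/ACL snapshot.

Added example; not PTC or ThingWorx code. All records, group names,
permission strings and baselines below are constructed assumptions.
"""
from datetime import date, timedelta

# Constructed groups: each maps to the permissions it grants.
GROUPS = {
    "Operators": {"read:telemetry"},
    "ConfigWriters": {"write:config"},
    "Administrators": {"read:telemetry", "write:config", "admin:users"},
}

# Constructed users: group memberships, direct grants, and last login date.
USERS = [
    {"name": "alice", "role": "operator", "groups": ["Operators"],
     "direct_perms": set(), "last_login": date(2020, 11, 20)},
    {"name": "bob", "role": "operator", "groups": ["Operators", "ConfigWriters"],
     "direct_perms": {"admin:users"}, "last_login": date(2020, 11, 18)},
    {"name": "carol", "role": "admin", "groups": ["Administrators"],
     "direct_perms": set(), "last_login": date(2020, 5, 2)},
    {"name": "svc-export", "role": "service", "groups": [],
     "direct_perms": {"read:telemetry", "write:config"}, "last_login": date(2020, 11, 21)},
]

# Assumed least-privilege baselines: the most a given role should ever hold.
ROLE_BASELINE = {
    "operator": {"read:telemetry"},
    "service": {"read:telemetry"},
    "admin": {"read:telemetry", "write:config", "admin:users"},
}

STALE_AFTER = timedelta(days=90)  # assumed idle threshold


def effective_permissions(user, groups=GROUPS):
    """Union of direct grants and everything inherited via group membership."""
    perms = set(user["direct_perms"])
    for g in user["groups"]:
        perms |= groups.get(g, set())
    return perms


def audit(users=USERS, groups=GROUPS, baselines=ROLE_BASELINE,
          today=date(2020, 11, 30), stale_after=STALE_AFTER):
    """Return a cleanup plan as a list of (user, action, detail) tuples.

    Actions:
      review  - the role has no baseline, so the account needs a human look.
      revoke  - effective permissions exceed the role baseline; the detail
                names the excess and which groups or direct grants supply it.
      disable - the account has been idle longer than the threshold.
    """
    plan = []
    for u in users:
        if u["role"] not in baselines:
            plan.append((u["name"], "review", f"no baseline for role {u['role']}"))
            continue
        excess = effective_permissions(u, groups) - baselines[u["role"]]
        if excess:
            via_groups = sorted(g for g in u["groups"] if groups.get(g, set()) & excess)
            direct = sorted(u["direct_perms"] & excess)
            plan.append((u["name"], "revoke",
                         {"perms": sorted(excess), "via_groups": via_groups, "direct": direct}))
        idle = today - u["last_login"]
        if idle > stale_after:
            plan.append((u["name"], "disable", f"idle {idle.days} days"))
    return plan


if __name__ == "__main__":
    for name, action, detail in audit():
        print(f"{name:12s} {action:8s} {detail}")
```

Running the script prints a plan rather than applying it, which is the safer shape for a cleanup procedure: the revocations are reviewed once, then the same script can be re-run against a fresh export to confirm the directory matches the baselines. The per-role baseline dictionary is the part worth maintaining carefully, since it encodes what "absolute lowest level of privilege" means for each job function.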
In a SaaS world, most of the responsibility of application cybersecurity is primarily handled by other parties. This can remove a huge burden from customers and allow them to focus on their business at hand, rather than securing their information technology resources. With that said, enterprises and their individual users still retain important roles and responsibilities.
As I mentioned previously, ThingWorx administrators should strive to assign the absolute minimum privileges necessary to individual users, in order to mitigate the potential for damage in the case of a malicious party gaining unauthorized access to a user account. Manufacturers' information technology organizations will also still need to ensure the security of user endpoints, enforcing effective patch management procedures for their operating systems and deploying the latest in malware detection technology. Finally, individual users of SaaS applications remain responsible for protecting their login credentials and restricting access to their physical devices.
Although the U.S. Congress can sometimes be slow to address emerging technologies, there has definitely been more legislative focus on IoT cybersecurity lately. Of note, the U.S. Senate recently passed the IoT Cybersecurity Improvement Act, which would clarify security standards, vulnerability disclosure and intake policies, and acquisitions procedures for most federal contractors, if passed into law.
While IoT cybersecurity will likely take a back seat to other priorities at the beginning of the next presidential administration and session of Congress, there remains substantial appetite in many quarters to enact sweeping connected device security, cloud governance, and privacy laws.
I think we will likely see the enaction of national-level standards mirroring those implemented by individual states or other countries, such as California’s Senate Bill 327, which banned the use of non-unique default passwords in devices sold within the state. Although there appears to be bipartisan consensus on the need for it, I think comprehensive U.S. data privacy legislation is substantially further off. Getting all of the relevant stakeholders to agree on the correct form and scope for such a framework is proving very difficult. Any conceivable version of such a law, however, would likely have huge impacts for SaaS-based IIoT solutions. We at PTC will definitely be paying close attention.