Achieving SaaS Security Success: Q&A With Walter Haydock

Written By: Alexandra Puig
  • 11/18/2020
  • Read Time : 5 min

As companies continue to grapple with the effects of the COVID-19 pandemic, most are adopting longer-term solutions that involve at least some of their workforce operating remotely on a permanent basis. For the thousands of companies undergoing digital transformation around the world, Software as a Service (SaaS) has emerged as a viable option for providing employees with access to mission-critical software without becoming deeply enmeshed in its back-end administration. With that said, enterprises still need to remain cognizant of important security and data management considerations, even when using a SaaS product.

To cover some common themes and address any potential hesitation with respect to SaaS adoption, we sat down with Walter Haydock, ThingWorx’s Director of IoT Security Product Management and a PTC resident cybersecurity expert.

Talk about the importance of cybersecurity. Why is it one of the most prioritized aspects of the hardware and software development process?

Cybersecurity is critical because of the need to preserve the confidentiality, integrity, and availability of companies’ Intellectual Property (IP) – their lifeblood. Without the proper security tools, techniques, processes, and people in place, organizations put at risk their critical operations, business functions, and customer base.

Hackers are increasingly sophisticated and aggressive, and they understand the paramount importance of IP to enterprises. Whether by stealing data directly to sell later, encrypting it with ransomware, or taking down corporate systems with Distributed Denial of Service (DDoS) attacks, they can sometimes bring massive organizations to a screeching halt through a well-planned and executed attack.

The COVID-19 pandemic has only intensified these risks. Although a necessity for health and safety reasons, distributing workforces geographically can potentially open more attack vectors to hackers. To combat efforts from malicious cyber actors attempting to steal, corrupt, and deny legitimate access to critical data, companies have been investing more in their security infrastructures. At PTC, and especially within the Industrial IoT (IIoT) segment, we take security very seriously. To learn more I would recommend taking a look at the white paper we issued earlier this year, which details our strategy for securing the ThingWorx IIoT Solutions Platform.

What are the implications of companies increasingly offering and consuming applications via a SaaS model?

From an information security perspective, SaaS is a welcome development for the most part. SaaS empowers application and network security efforts by providing:

  • Mandatory and seamless updates to the latest version of an application, allowing company information technology organizations to stop worrying about testing and deploying patches and upgrades.
  • Significant reductions in the possibility of accidental misconfigurations, a frequent cause of security breaches.
  • The ability to rely on hyperscale cloud providers like Microsoft Azure, which have state-of-the-art systems and massive resources to secure much of the underlying infrastructure.

Complications can arise, however, when taking into account other security-adjacent fields such as data governance and privacy. Although major cloud providers often have granular controls dictating in which jurisdictions data can be stored, some enterprises still feel uneasy with the inability to locate precisely and with absolute certainty where their or their customers’ information resides. Similarly, ensuring that SaaS providers and the platforms on which they operate don’t run afoul of new regulations is equally important. For example, the GDPR in the European Union and the CLOUD Act in the United States can be construed to apply their governments’ legal systems extraterritorially in certain cases, complicating compliance efforts in some scenarios.

What are some of the best practices that manufacturers can implement to best set themselves up for an eventual transition to SaaS?

To assist organizations as they prepare to move their deployments to the cloud, PTC has developed a detailed shared security model for ThingWorx, which identifies the exact roles and responsibilities of all stakeholders. This is complementary to paradigms that major cloud providers such as Microsoft Azure have published.

In addition to upholding their joint responsibilities, manufacturers can take additional steps to prepare their on-premises IIoT deployments for migration to the cloud. Enterprises have likely established well-understood paradigms for daily operations in their on-premises instances and will want the same business logic and functionality available when they move to a SaaS model. As a result, conducting a detailed security review of their ThingWorx deployment – especially when it comes to permissions management – is a great idea before beginning to migrate workloads to the cloud.

For example, we specifically recommend a comprehensive review of appropriate Access Control Lists (ACL) and/or on-premises identity and access management systems to ensure the allocation of the absolute lowest level of privilege necessary to facilitate business operations. Additionally, creating and refining standardized or automated procedures to “clean up” and limit the permissions of users in their directory systems is another key step.
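As an added illustration of the permissions review and clean-up step described above (example code written for this page, not PTC's or ThingWorx's own tooling), the script below audits a constructed directory/ACL export against a per-role permission baseline and flags both grants that exceed the role's needs and stale accounts. The user records, group names, permission names and audit date are all made up.

```python
from datetime import date

# Constructed sample export: each user's group, the permissions actually
# granted, and the last login date (None = never). Not real ThingWorx data.
USERS = [
    {"user": "alice", "group": "operator",
     "permissions": {"read_telemetry", "ack_alarms"},
     "last_login": date(2020, 11, 10)},
    {"user": "bob", "group": "operator",
     "permissions": {"read_telemetry", "ack_alarms", "edit_mashups", "manage_users"},
     "last_login": date(2020, 11, 12)},
    {"user": "carol", "group": "developer",
     "permissions": {"read_telemetry", "edit_mashups", "deploy_extensions"},
     "last_login": date(2020, 6, 1)},
    {"user": "svc_legacy", "group": "integration",
     "permissions": {"read_telemetry", "write_telemetry", "manage_users"},
     "last_login": None},
]

# Baseline: the maximum permission set each role needs for business operations.
BASELINE = {
    "operator": {"read_telemetry", "ack_alarms"},
    "developer": {"read_telemetry", "edit_mashups", "deploy_extensions"},
    "integration": {"read_telemetry", "write_telemetry"},
}

AUDIT_DATE = date(2020, 11, 18)  # constructed "today" for the idle-account check


def find_excess_permissions(users, baseline):
    """Return {user: permissions granted beyond the role baseline}."""
    excess = {}
    for rec in users:
        allowed = baseline.get(rec["group"], set())  # unknown group: nothing is allowed
        extra = rec["permissions"] - allowed
        if extra:
            excess[rec["user"]] = extra
    return excess


def find_stale_accounts(users, today, max_idle_days=90):
    """Return users that never logged in or have been idle longer than max_idle_days."""
    stale = []
    for rec in users:
        last = rec["last_login"]
        if last is None or (today - last).days > max_idle_days:
            stale.append(rec["user"])
    return stale


if __name__ == "__main__":
    for user, extra in find_excess_permissions(USERS, BASELINE).items():
        print(f"{user}: remove {sorted(extra)}")
    print("stale accounts to disable or review:", find_stale_accounts(USERS, AUDIT_DATE))
```

Running it lists bob's and svc_legacy's surplus grants (notably the `manage_users` right on a service account) and marks carol and svc_legacy as stale, which is the kind of output the clean-up procedure would act on.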

For manufacturers that are already implementing SaaS offerings, what can they do to keep themselves as secure as possible?

In a SaaS world, most of the responsibility for application cybersecurity is handled by other parties. This can remove a huge burden from customers and allow them to focus on their business at hand, rather than securing their information technology resources. With that said, enterprises and their individual users still retain important roles and responsibilities.

As I mentioned previously, ThingWorx administrators should strive to assign the absolute minimum privileges necessary to individual users, in order to mitigate the potential for damage in the case of a malicious party gaining unauthorized access to a user account. Manufacturers' information technology organizations will also still need to ensure the security of user endpoints, enforcing effective patch management procedures for their operating systems and deploying the latest in malware detection technology. Finally, individual users of SaaS applications remain responsible for protecting their login credentials and restricting access to their physical devices.

IoT cybersecurity legislation and regulation continue to be frequently discussed topics in both the United States and abroad. Can you speculate as to how these discussions may evolve to include cloud-based offerings?

Although the U.S. Congress can sometimes be slow to address emerging technologies, there has definitely been more legislative focus on IoT cybersecurity lately. Of note, the U.S. Senate recently passed the IoT Cybersecurity Improvement Act, which would clarify security standards, vulnerability disclosure and intake policies, and acquisitions procedures for most federal contractors, if passed into law.

While IoT cybersecurity will likely take a back seat to other priorities at the beginning of the next presidential administration and session of Congress, there remains substantial appetite in many quarters to enact sweeping connected device security, cloud governance, and privacy laws.

I think we will likely see the enactment of national-level standards mirroring those implemented by individual states or other countries, such as California’s Senate Bill 327, which banned the use of non-unique default passwords in devices sold within the state. Although there appears to be bipartisan consensus on the need for it, I think comprehensive U.S. data privacy legislation is substantially further off. Getting all of the relevant stakeholders to agree on the correct form and scope for such a framework is proving very difficult. Any conceivable version of such a law, however, would likely have huge impacts for SaaS-based IIoT solutions. We at PTC will definitely be paying close attention.


About the Author

Alexandra Puig

Alexandra Puig is a corporate communications specialist based in PTC’s Boston headquarters. Prior to joining PTC, she practiced public relations at a leading law firm and life sciences organization. Alexandra earned her B.A. in Political Science from The George Washington University in Washington, D.C.