SOLIDWORKS: IDC Cloud Security | TPM

SOLIDWORKS: IDC Cloud Security

IN THIS WHITE PAPER

Companies today are faced with the challenge of a complex and hypercompetitive global market. Aggressive competition from emerging economies coupled with increasing costs in creating continued innovation make product differentiation a challenge. For these companies to thrive globally, they need to look at how they can speed up their internal decision making, and also their integration with partners up and down the value chain so as to enable fast responses to marketplace demands and the development and delivery of innovative products.

The promise of cloud solutions can serve as an integration backbone for inter-enterprise collaboration through the virtualization of the IT infrastructure. Data can be exchanged any time and from anywhere between enterprises across the world over the cloud. This enables better and faster decision-making capabilities across trading partners operating in the same value chain, and in turn, drives new levels of innovation. However, perceived security concerns continue to be the single most important barrier to cloud adoption. There is a general perception that if the data is not on-premise, it is not secure. However, IDC research also shows that most security breaches come from inside the organization, and having all data in a central repository in a professionally managed cloud environment can in fact provide more security than leaving it to an organization. This is especially so for small and medium-sized businesses (SMBs), which tend to have limited budget and skills to manage security effectively.

This White Paper details the key issues impacting the on-premise and cloud environment for product development. It also discusses how organizations, especially SMBs, are responding to or should address the cloud security dilemma to maintain a competitive advantage.

SITUATION OVERVIEW

Today’s business consists of an integrated value chain of globally dispersed small and large companies which work together to deliver a product. This value chain is made up of companies that design, design and manufacture, or manufacture, supported by service companies which provide essential services such as logistics and testing. This value chain is having to compete globally with other value chains, and is facing a number of day-to-day challenges. The first is competition coming from anywhere around the globe. Second, businesses are operating in an environment where customers are demanding cheaper and more innovative products. Third, costs such as labor or utilities are increasing which drives up the cost of manufacturing. And finally, the ability to act quickly and be able to get products in the marketplace is becoming a key differentiator. For all companies across the value chain, competing and winning in this new environment requires improvements across all parts of the value chain.

In order to address these challenges, all companies across the value chain need to examine the way they operate. They need to look at how they can speed up their internal decision making, and also their integration with their partners up and down the value chain to work together to enable fast responses to marketplace demands and the development and delivery of innovative products. Although process improvement exercises will yield some result, companies must look to technology to deliver significant improvements. While much new technology has been focused on larger organizations, the advent of cloud computing has given small organizations the ability to access data anywhere, to collaborate and to utilize massive computing power.

Technology Challenges of Small and Medium-Sized Businesses

For small and medium-sized businesses, there are a number of challenges in the adoption of technology, most notably the cost and skills required to purchase, implement and maintain the technology. At the outset, the justification of purchasing new technology is especially difficult in smaller companies as the investment money is usually limited, and there are many competing demands for it such as new staff, new equipment and new machines. Any investment in technology would need to justify itself against all the other investment priorities that exist within the organization.

And even if the new technology does justify itself, there are the challenges of implementation and maintenance of the technology to contend with. Within SMBs, it is typical that the role of IT Manager is handled by one of the engineers within the organization who has a passing interest in IT. It is not a fulltime role, and the requirements of the role have to compete with the other activities within the organization, which are typically linked directly to revenue generation. Coupled with the human challenges, the IT infrastructure within smaller companies is also extremely limited and often outdated.

THE POWER OF THE CLOUD ACROSS THE VALUE CHAIN

Current Adoption of Cloud

Companies can currently choose among a vast array of cloud deployment models. The three core deployment models researched for the purposes of this IDC Manufacturing Insights White Paper include public, private and hybrid cloud.

  • Public cloud. This cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
  • Private cloud. Private cloud is operated solely for an organization. It may be managed by the organization or a third party and may be hosted both on-premise and off-premise.
  • Hybrid cloud. This can be defined as a composition of the public and private clouds, which remain unique entities but are bound together by standardized or proprietary technology.

The current adoption of cloud technologies has been predominantly focused on IT management activities such as data backup and archiving, as well as enterprise resource applications. However, this is expected to change rapidly over the coming years, with an increasing number of business applications being offered in a cloud model, and organizations increasingly adopting cloud applications.

Advantages of Cloud Adoption

The main advantages of cloud adoption can be split into two categories: the first deals with the business benefits of adopting cloud-based applications, and the second deals with the ease of adoption. Looking at the business value, the key benefits are:

  • Connected. “Connected” allows for information existing in the cloud to be available anytime and anywhere. Information sitting in a cloud environment can be pulled from any device whether it be a smartphone, tablet or PC.
  • Social. Information in the cloud can be shared among team members, partners, suppliers and customers. The information sitting in the cloud can be made accessible to anyone granted
    privileges to view that information.
  • Governance. Using cloud technologies ensures that everyone has the latest version of the information, coupled with the history of iterations. It also ensures that everyone is running the same version of the software removing possible issues in version conflict.

In terms of the ease of adoption, key benefits include:

  • Scalability of deployment. The time taken to deploy a cloud-based application is instantaneous. Organizations can therefore scale up quickly. Typically, once payment has been made, the application is made available immediately without the need of getting new hardware and configuring applications. This allows organizations to be more agile.
  • Minimal IT skills/hardware/infrastructure required. The deployment of cloud requires minimal IT skills to get the application up and running. All that is required is a PC or mobile device and an Internet connection. The cloud provider typically takes care of all the infrastructure requirements such as storage and security.
  • Pay based on what you need. The traditional model of buying software licenses and paying maintenance for upgrades is being re-thought by organizations. The opportunity to add users
    and capacity on needs-basis is attractive to many organizations. Consumption-based pricing is a benefit that cloud offers with software as a service (SaaS).

Concerns in Moving to the Cloud

The cloud has evolved through several phases over the past decade to become the services, applications and infrastructure that we see today. However, there are still concerns about moving to the cloud. In Figure 1, we see that security stands out as the top concern about moving to the cloud for manufacturers. The concern here is not just about a security breach, where sensitive information is “hacked”, but also about the loss of control of the data. Regulatory requirements, auditability and other governance challenges are issues that organizations need to address.

Other concerns that need to be taken into account when considering moving to the cloud include regulatory requirements that prohibit some companies from putting systems and/or information outside their direct control, or outside of country borders, as well as the difficulty to integrate with in-house IT systems.

Security: A Closer Look

Before getting into IT security we need to look at the entire ecosystem in which today’s business operates, no matter how small. The challenge can be seen in Figure 2. Here we have end users working on applications, on devices that are connected to the corporate infrastructure. Within this environment there are numerous security concerns. These range from the simplest case of lost or stolen devices, where a laptop, portable hard disk or USB stick is misplaced, to the more deliberate form of attack where the organization is targeted in an organized attempt to steal data. This type of “espionage” attack is currently on the rise, with the Verizon 2014 Data Breach Investigations Report highlighting the increase of espionage type attacks.

Looking at the typical product development process, product designs are usually transferred and shared via email or a portable storage device like a hard disk or flash drive. The physical devices are often insecure by nature, which makes it very difficult to enforce access controls against unauthorized individuals. Some limited amount of protection can be added through encryption, but this leaves a gap in the larger context of content control. Version control and the ability to track access and usage are lost across email and physical transfer, which breaks an essential component of effective change management of the product design. In contrast, having the product design data centrally hosted in the cloud can provide a “single version of truth” of the same design as it progresses along the development process. Central data access control is also more effective through centralized user login access. As the design data only resides in the cloud, only centralized security on the single access point is necessary. This simplifies and improves the efficiency of security measures. However, there are still security concerns which need to be addressed, such as:

  • Availability — is it on? Can I use the product or access the data any time I want?
  • Asset management (how to prevent data loss and data destruction) — What if my data is lost? Is there any backup? How can I recover my lost data? How is my data managed?
  • Protecting intellectual property (IP) (data being stolen by competition/public) — How easily can competitors and/or the public hack into my data or system? Who has accessed my data?

A “Defense in Depth” Security Strategy

Security is an evolutionary process, not only due to the continuous developments in terms of technology and usage patterns in place, but also because of new security challenges. Organizations today need to therefore adopt a holistic approach to IT security that is often referred to as “defense in depth”. A defense in depth strategy embraces a multi-layered approach to security that is enforced independently between each layer. This can involve both endpoint (device) and network security, as well as content and information security, where a breach in one will not have a domino effect on the others. To introduce a defense in depth approach requires implementing technologies such as layered firewalls, domains of trust, enhanced user authentication processes and data protection strategies and tactics.

However, technology is only one part of the overall strategy. People and processes are also essential components. The process element is about having well-planned and documented processes that define the specific actions that need to take place when specific types of security breach occur, whether it be a misplaced laptop or a hacker attack. This requires having sufficient people available to be able to envision the type of event that may happen (based on the levels of security required by the specific organization) as well as having a response team available that understands what action to take, and when and how to react, should an unwanted event take place. While large organizations can put in place teams to manage the security process, the challenge for smaller organizations is how to put in place acceptable technologies and processes within the company’s means.

IT Security

We continue to see a rise in the volume of threat incidents and sophistication of attack vectors. What has been changing over the last few years, according to the Verizon 2014 Data Breach Investigations Report, has been the growth of espionage type of attacks. This was highlighted as the number one type of attack in 2013 for manufacturing organizations, followed by denial of service attacks. With the increase in the number of attacks, the challenge on how to manage security becomes key.

There is a general perception among organizations that if the data is not on-premise, it is not secure. However, while attacks typically come from outside of the organization, many of the vulnerabilities and threats come from within. These internal security incidents can be more difficult to defend against. Examples of internal security incidents include a laptop being lost, a disgruntled employee downloading or deleting some files or a USB stick being misplaced. There is also the issue of hardware (e.g., hard disk drive) failure to be considered, and unless the organization has implemented backup policies, valuable information can be lost.

With this in mind, the idea of having all the data in a central repository — that is professionally managed, accessible from anywhere on any device, and provides more security than currently exists in many organizations today — becomes increasingly attractive. Having a professional cloud service provider (CSP) manage the cloud can offer greater assurance compared to leaving it to an organization, which has limited budget and skills to manage security effectively. Having data on-premise is not a guaranteed protection and can pose some risk, as we have seen in a number of high-profile cases in which companies were hacked and sensitive data stolen, such as those of Sony, Target, Honda, American Express and Facebook. To combat the threats posed by hackers, it is important to note that there are several types of hackers.

1. Hacktivist. This type of hacker tends to look for attention in the media or among their peers. Their attacks may be to deface or otherwise embarrass an organization. Although their attacks can be damaging, the nature of their attack tends to be loud and easy to recognize. This means that organizations are aware that an incident has occurred and can start to contain the threat and mitigate damages. The exfiltration of data is often in large volumes and happens as quickly as possible. This is more likely to be recognized by data loss prevention systems and is more likely to be blocked. Hacktivists may act in isolation or as part of a greater collective.
2. State-sponsored. These well-organized and well-funded groups are a significant threat to organizations, particularly in certain industries. Manufacturers, energy companies, defense contractors and utility providers are some of the most intensely attacked organizations by these types of hackers. The structure of these hacking groups often falls within the intelligence agency of the host nation. This lends itself to having a broad spectrum of hacking resources, including the people, the objectives and the equipment. The objectives often include stealing IP to gain advantage over competing nations. This includes channeling industrial research and development design into domestic companies. It also includes spying on commercial discussions to gain advantage in negotiations. The exfiltration of data tends to be slow, careful, intricate and very difficult to detect.
3. Specialist. Hackers who seek to make money. This group hacks into companies with the sole intent of stealing data, and then selling it. Typically, this group focuses on banks and retailers or any other company that has personal information combined with financial information. This group will steal the data and then sell it. In the case of discrete manufacturers, the product design is only of value when it is of the full design of the finished product and not of the parts only. With product design data and information, a designer’s implicit knowledge of the product design is essential and for hackers to obtain such design information, it is a challenge beyond just stealing the raw product data. Moreover, such acts can also be deterred and pursued for compensation through legal means. Another threat that comes from this group of hackers is the creation of botnets. This is the process of infecting a large group of computers and taking them over for coordinated illegal activity. This often includes the activation of a distributed denial of service (DDoS) attack against a target entity