The ever-growing interest in Software as a Service (SaaS) has necessitated a new paradigm for security requirements. Since customer information is transferred, processed and stored outside the customers’ usual environment, emphasis must be placed on cloud security for design data on the 3DEXPERIENCE Platform.
Dassault Systèmes have put security at the heart of their online business experience platform development and deployment in order to ensure several well-controlled layers of security, with a particular emphasis on Security in Depth. The following overview is intended to introduce the methodology we follow to secure their most valuable asset: their customers’ data. It is intended to be a high-level document describing methodologies and techniques used to mitigate security risks.
Cloud Security in depth
The concept of “Security in Depth” at Dassault Systèmes relies on the fact that several independent mechanisms are put in place in order to mitigate any single risk. An unlikely failure to block the malevolent action will therefore not result in a threat but will be subsequently blocked by a different mechanism. The security processes of their online 3DEXPERIENCE Platform follow industry standards and best practices, where practical and applicable, with a particular emphasis on:
- ISO 2700x standards, and in particular Implementation Guide ISO 27002
- NIST 800 series
- OWASP methodologies
- CobIT framework
Several security layers are in place to ensure that only intended traffic and activities are actually processed by the online platform. All incoming Internet traffic is filtered by independent mechanisms ensuring reliability and lack of vulnerability cascading. Moreover, the internet-scale hosting environment is robust to Distributed Denial of Service attacks. Secured communication channels between the hosting environment and the customer’s premises are used, where applicable, to ensure the confidentiality and integrity of the transferred data.
The application layer of the Dassault Systèmes online solution undergoes a very strict security design and review process. Dassault Systèmes Development & Verification processes are designed with security awareness & controls embedded in them. The code is aligned with industry best practices and recommendations and is double-peer reviewed (internally and externally). Special attention is placed on the top OWASP threats. A cyclic penetration testing exercise is performed on the application ecosystem to add an additional protection check which complements the secure coding paradigm. Finally, a continuous process of scans is in place to constantly monitor various modules of the application.
While inside the Dassault Systèmes cloud, the security of the customer environment relative to other elements in the cloud (in-cloud security) is once again ensured though independent layers of solutions. Beyond traffic restriction (firewalls), each customer works on instances that are independent from the other systems. Such an approach protects from cross-customer data access; this compartmentalization is also hardcoded at the application level.
The structure of the cloud environment which ensures the separation above also mitigates classical risks of network
reconnaissance and attacks. In particular sniffing and IP spoofing is not feasible by design.
Virtual Systems Security
The virtualized systems on which the data and applications are hosted are closely scrutinized from a security standpoint prior to being released into production. The security lifecycle applied to these systems is very strict and maintains a high level of security after the production release.
Beyond classical security maintenance activities (system patching, services review), Dassault Systèmes regularly proceeds with attack-like scenarios that test the integrity of a model system, as well as the reactivity of the operational teams. The cyclic, yet random, nature of these tests ensures a reunification of the findings (causal analysis).
- Customer data (or IP) is stored and processed in nondescript data centers to which access is strictly limited to authorized staff.
- All contractors and visitors are escorted at all times.
- All physical access to data centers is logged and audited.
- Physical storage is also secured via redundant disks, disaster recovery, and backup and restore procedures.
Security Tests and Reviews
Information security is built into the process of developing Dassault Systèmes cloud solutions for their customers. This is the result of a common effort undertaken by R&D and Information Security teams who work closely together to identify and address all potential issues.
In addition to these proactive efforts, independent tests are performed at least yearly and at each major change of the platform. These tests stress the various security layers, and attempt to breach the environment in a hacker-like manner. These activities are all carefully planned and executed as part of their global design, implementation & validation cycle. In addition to platform security mechanisms, a complete roles-based access control is implemented within the application, enabling the data owner to set granular access rights.
Finally, access to the application is possible only after a correct license has been obtained, minimizing the possible surface of attack. TLS based mechanisms ensure a safe connectivity, addressing the risk of eavesdropping or Man-in-the-Middle attacks.
As you have read, the concept of Security in Depth is designed around several independent mechanisms for mitigating any single risk on the Dassault Systèmes 3DEXPERIENCE Platform when it is deployed On Cloud. Customers can feel confidence in using a SaaS platform because we have placed security at the heart of an online business experience platform.