Infrastructure and Platform Services
Cerberus Cloud Apps utilizes AWS (Amazon Web Services) cloud infrastructure to host its application services, which, together with the Siemens Connect gateway, provides an end-to-end solution to unlock new value for customers. AWS provides the cloud infrastructure hardware, software and networks needed to meet the requirements of security-sensitive organizations and is responsible for protecting the global infrastructure that runs all services offered within its cloud. A detailed description of these infrastructure security controls can be found at: https://aws.amazon.com/security/.
Authentication, Access Control & Authorization
Authentication is the first step for any user of Cerberus Cloud Apps. Its aim is simple: to verify the identity of the user. Cerberus Cloud Apps uses Siemens ID, a service based on an IDaaS platform (Identity as a Service), which offers authentication services and external identity management services for Siemens applications accessed by partners and customers. The main benefit of Siemens ID is single sign-on to Siemens applications. It includes self-service ID administration by the user and a security token service, and it offers optional multi-factor authentication as an added layer of security. You can find more about Siemens ID at https://cdn.login.siemens.com/help/index.html.
Authorization defines the set of actions that the identified user can perform and governs access to specific parts of the infrastructure resources. Authorization is a security mechanism used to determine a user's privileges over devices, services, data and application features. Cerberus Cloud Apps implements role-based access control (RBAC), which limits each user to specific applications and features. Access to sites and devices is additionally limited by organizations and scopes.
Access control is covered by applying both authentication and authorization steps together.
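The two limits described above (roles bound the applications and features a user may use; organizations and scopes bound the sites and devices a user may reach) can be combined in a single deny-by-default decision. The following is an added illustrative example, not Cerberus Cloud Apps' own code or data model; the applications, roles, feature names, sites and device identifiers are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical role-to-feature grants, keyed by (application, role). Constructed
# for this example; the real product's applications and roles may differ.
ROLE_FEATURES = {
    ("fire_ops", "viewer"):   {"view_events"},
    ("fire_ops", "engineer"): {"view_events", "acknowledge_alarm", "open_tunnel"},
}

@dataclass(frozen=True)
class Site:
    site_id: str
    org: str                 # owning organization
    devices: frozenset       # device ids attached to this site

@dataclass
class User:
    name: str
    org: str                                    # organization the user belongs to
    roles: dict = field(default_factory=dict)   # application -> role
    scopes: frozenset = frozenset()             # site ids inside the user's scope

def feature_allowed(user: User, app: str, feature: str) -> bool:
    """RBAC half: the user's role in this application must grant the feature."""
    role = user.roles.get(app)
    return feature in ROLE_FEATURES.get((app, role), set())

def resource_allowed(user: User, site: Site, device: Optional[str] = None) -> bool:
    """Organization/scope half: the site must belong to the user's organization
    and lie inside the user's scope; a requested device must be attached to it."""
    if site.org != user.org or site.site_id not in user.scopes:
        return False
    return device is None or device in site.devices

def authorize(user: User, app: str, feature: str, site: Site,
              device: Optional[str] = None) -> bool:
    """Allow only when both halves pass; any missing role or scope means deny."""
    return feature_allowed(user, app, feature) and resource_allowed(user, site, device)

# Constructed sample data: two sites in different organizations, two users.
SITE_A = Site("site-A", "org-1", frozenset({"panel-01", "detector-17"}))
SITE_B = Site("site-B", "org-2", frozenset({"panel-02"}))
ENGINEER = User("eng", "org-1", {"fire_ops": "engineer"}, frozenset({"site-A"}))
VIEWER = User("viewer", "org-1", {"fire_ops": "viewer"}, frozenset({"site-A", "site-B"}))

if __name__ == "__main__":
    print(authorize(ENGINEER, "fire_ops", "open_tunnel", SITE_A, "panel-01"))  # True
    print(authorize(VIEWER, "fire_ops", "open_tunnel", SITE_A, "panel-01"))    # False
```

Note that the viewer is denied site-B even though it is listed in their scopes, because the site belongs to another organization; a scope alone never overrides the organization boundary in this model.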
Data Encryption-at-Rest - All data stored at rest is encrypted using AWS standard encryption. The AWS encryption conforms to the Federal Information Processing Standard (FIPS) 140-2 standard.
Data Encryption-in-Transit - All data in transit (for example, communication to and from Cerberus Cloud Apps) is encrypted via HTTPS using TLS 1.2.
Details on the cryptography employed to secure Cerberus Cloud Apps cloud data are found in Appendix A.
Collected data can be classified into two types: personal data, and data generated by the panels and peripherals of the building, for example, fire detectors. For Cerberus Cloud Apps, all collected personal data is handled in compliance with the European Union General Data Protection Regulation (EU GDPR), giving individuals control over their personal data. The building data is owned by the building owner unless agreed otherwise in a contract.
Remote Access (Tunnel)
One of the features offered by Cerberus Cloud Apps is remote access to on-premises fire networks. Cerberus Tunnel enables commissioning engineers to access and service fire networks from remote offices. By default, Cerberus Tunnel has a session timeout of 10 minutes.
To use remote access with Cerberus Tunnel, no inbound connectivity to the on-premises network is required.
Remote Web Client
The recommended browser for use with Cerberus Cloud Apps is Chrome.
Siemens has processes in place for handling security incidents. If a cybersecurity threat is suspected or found, immediately contact the Siemens Computer Emergency Response Team for products (Product CERT) or your local Siemens customer service.
More details on incident handling can be found at: https://www.siemens.com/cert/advisories.