Infrastructure and Platform Services 

Sinteso Cloud Apps utilizes AWS (Amazon Web Services) cloud infrastructure to host its application services, which, together with the Siemens Connect gateway, provide an end-to-end solution to unlock new value for customers. AWS provides the cloud infrastructure hardware, software and networks to meet the requirements of security-sensitive organizations and is responsible for protecting the global infrastructure that runs all services offered within its cloud. Details of the AWS security controls and compliance programs can be found at: https://aws.amazon.com/security/.

Authentication, Access Control & Authorization

Authentication is the first step for any user of Sinteso Cloud Apps; its aim is simple: to verify the identity of the user. Sinteso Cloud Apps uses Siemens ID, a service based on an IDaaS (Identity as a Service) platform, which offers authentication and external identity management services for Siemens applications accessed by partners and customers. The main benefit of Siemens ID is single sign-on to Siemens applications. It includes self-service administration of the ID by the user, a security token service, and an optional multi-factor authentication feature that provides an added layer of security. You can find more about Siemens ID at https://cdn.login.siemens.com/help/index.html.

Authorization defines the set of actions that an identified user may perform and which parts of the infrastructure and its resources the user may access. It is the security mechanism used to determine a user's privileges over devices, services, data and application features. Sinteso Cloud Apps implements role-based access control (RBAC), which limits a user to specific applications and features. Access to sites and devices is additionally limited by organizations and scopes, so a user must hold both the role and the scope before an action on a given site or device is allowed.

Access control is achieved by applying the authentication and authorization steps together.
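The two-layer check described above, a role that grants a feature combined with an organization scope that grants the site or device, is illustrated here as an added example written for this page; it is not code from Sinteso Cloud Apps or Siemens. The role names, permission strings, the organization/site scope layout and the `"*"` wildcard are all assumptions chosen for illustration. The point it shows is that the decision is deny-by-default and that either layer alone is not sufficient.

```python
"""Added example (not Sinteso/Siemens code): deny-by-default authorization that
combines a role-based feature check (RBAC) with an organization/site scope check."""
from dataclasses import dataclass, field

# Hypothetical role -> permission mapping. Role and permission names are
# illustrative assumptions, not taken from Sinteso Cloud Apps.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "viewer": {"site:view", "event:view"},
    "commissioning_engineer": {"site:view", "event:view", "tunnel:open"},
    "org_admin": {"site:view", "event:view", "tunnel:open", "user:manage"},
}


@dataclass(frozen=True)
class Site:
    site_id: str
    org_id: str  # the organization that owns this site


@dataclass
class User:
    user_id: str
    roles: set[str]
    # Scope: org_id -> set of site_ids reachable within that organization.
    # The assumed wildcard "*" grants every site of that organization.
    scopes: dict[str, set[str]] = field(default_factory=dict)


def permissions_for(user: User) -> set[str]:
    """Union of the permissions granted by the user's roles.
    An unknown role grants nothing rather than raising, so a misconfigured
    role cannot accidentally widen access."""
    perms: set[str] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def in_scope(user: User, site: Site) -> bool:
    """True if the site's organization is in the user's scope and the site
    itself is listed (or the organization is wildcarded)."""
    allowed = user.scopes.get(site.org_id)
    if allowed is None:
        return False  # organization not in scope at all
    return "*" in allowed or site.site_id in allowed


def authorize(user: User, permission: str, site: Site) -> bool:
    """Allow only if BOTH the role grants the feature AND the site is in scope."""
    if permission not in permissions_for(user):
        return False  # feature not granted by any role
    return in_scope(user, site)


def demo() -> dict[str, bool]:
    """Constructed users and sites; returns the access decisions for inspection."""
    site_a1 = Site("site-1", "org-A")
    site_a2 = Site("site-2", "org-A")
    site_b1 = Site("site-9", "org-B")

    # Engineer scoped to a single site in org-A.
    engineer = User("eng-1", {"commissioning_engineer"}, {"org-A": {"site-1"}})
    # Viewer with wildcard scope over all of org-A.
    viewer = User("view-1", {"viewer"}, {"org-A": {"*"}})
    # Account whose role does not exist in the mapping.
    stranger = User("x-1", {"superuser"}, {"org-A": {"*"}, "org-B": {"*"}})

    return {
        "engineer_tunnel_own_site": authorize(engineer, "tunnel:open", site_a1),
        "engineer_tunnel_other_site_same_org": authorize(engineer, "tunnel:open", site_a2),
        "engineer_tunnel_other_org": authorize(engineer, "tunnel:open", site_b1),
        "viewer_view_any_org_a_site": authorize(viewer, "site:view", site_a2),
        "viewer_tunnel_in_scope_site": authorize(viewer, "tunnel:open", site_a2),
        "unknown_role_view": authorize(stranger, "site:view", site_b1),
    }


if __name__ == "__main__":
    for decision, allowed in demo().items():
        print(f"{decision}: {'ALLOW' if allowed else 'DENY'}")
```

Note that the viewer is denied `tunnel:open` on a site that is fully in scope, and the engineer is denied the tunnel on a site outside the scope even though the role grants the feature: scope and role are checked independently and both must pass.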

Data Security

Data Encryption-at-Rest - All data stored at rest is encrypted using AWS standard encryption. The AWS encryption conforms to the Federal Information Processing Standard (FIPS) 140-2.

Data Encryption-in-Transit - All data in transit (for example, communication to and from Sinteso Cloud Apps) is encrypted via HTTPS using TLS 1.2.

Details of the cryptography employed to secure Sinteso Cloud Apps cloud data are given in Appendix A.

Data Privacy

Collected data can be classified into two types: personal data, and data generated by the panels and peripherals of the building, for example fire detectors. For Sinteso Cloud Apps, all personal data is collected and processed in compliance with the European Union General Data Protection Regulation (EU GDPR), which gives individuals control over their personal data. The building data is owned by the building owner unless agreed otherwise in a contract.

Remote Access (Tunnel)

One of the features offered by Sinteso Cloud Apps is remote access to on-premises fire networks. Sinteso Tunnel enables commissioning engineers to access and service fire networks from remote offices. By default, a Sinteso Tunnel session times out after 10 minutes.

To use remote access with Sinteso Tunnel, no inbound connectivity to the on-premises network is required, so no inbound firewall ports need to be opened on the customer side.

Remote Web Client

The recommended browser for use with Sinteso Cloud Apps is Google Chrome.

Incident Handling 

Siemens has processes in place for handling security incidents. If a cybersecurity threat is suspected or found, immediately contact the Siemens Computer Emergency Response Team for products (Siemens ProductCERT) or your local Siemens customer service.

More details on incident handling can be found at: https://www.siemens.com/cert/advisories.