Infrastructure and Platform Services

Desigo Fire Cloud Apps uses AWS (Amazon Web Services) cloud infrastructure to host its application services, which, together with the Siemens Connect gateway, provide an end-to-end solution that unlocks new value for customers. AWS provides the cloud infrastructure hardware, software and networks needed to meet the requirements of security-sensitive organizations, and AWS is responsible for protecting the global infrastructure that runs all services offered within its cloud. A detailed list of the AWS security measures and compliance programs can be found at: https://aws.amazon.com/security/.

Authentication, Access Control & Authorization

Authentication is the first step for any user of Desigo Fire Cloud Apps; its aim is simple: to verify the identity of the user. Desigo Fire Cloud Apps uses Siemens ID, a service based on an IDaaS (Identity as a Service) platform, which offers authentication and external identity management services for Siemens applications accessed by partners and customers. The main benefit of Siemens ID is single sign-on to Siemens applications. It includes self-service ID administration by the user, a security token service, and an option for multi-factor authentication, which provides an added layer of security. You can find more about Siemens ID at https://cdn.login.siemens.com/help/index.html.

Authorization defines the set of actions that an identified user can perform and governs access to a specific part of the infrastructure resource. It is the security mechanism used to determine a user's privileges on devices, services, data and application features. Desigo Fire Cloud Apps implements role-based access control (RBAC): roles limit which applications and features a user can use, while access to sites and devices is limited separately by organizations and scopes.

Access control is covered by applying both authentication and authorization steps together.
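The two-layer decision described above (roles gating features, organizations and scopes gating sites and devices) can be modelled as a deny-by-default check. The following is an added illustration, not code from Desigo Fire Cloud Apps or Siemens; the role names, permissions, organization and scope identifiers are constructed for the example, and the product's real data model is assumed to differ.

```python
"""Hypothetical RBAC-plus-scope authorization check (illustrative, not product code)."""
from dataclasses import dataclass, field

# Layer 1: roles grant feature-level permissions. Names are constructed examples.
ROLE_PERMISSIONS = {
    "viewer": {"site:view", "event:view"},
    "operator": {"site:view", "event:view", "event:acknowledge"},
    "commissioning_engineer": {
        "site:view", "event:view", "event:acknowledge", "tunnel:open",
    },
}


@dataclass(frozen=True)
class Device:
    """A fire panel or peripheral, owned by an organization within a scope."""
    device_id: str
    organization: str
    scope: str  # e.g. a site grouping inside the organization (assumed structure)


@dataclass
class User:
    """An authenticated user (identity already established by the IdP)."""
    name: str
    roles: set = field(default_factory=set)
    organization: str = ""
    scopes: set = field(default_factory=set)


def permissions_for(user):
    """Union of the permissions granted by every role the user holds."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(user, action, device):
    """Return (allowed, reason). Every layer must pass; anything else is denied.

    The reason string is meant for an audit log so that denials are explainable.
    """
    if action not in permissions_for(user):
        return False, "role does not grant action"
    if device.organization != user.organization:
        return False, "device belongs to another organization"
    if device.scope not in user.scopes:
        return False, "device outside user's scopes"
    return True, "allowed"


def is_authorized(user, action, device):
    """Boolean convenience wrapper around authorize()."""
    return authorize(user, action, device)[0]


# Constructed sample data for a stand-alone run.
PANEL_A = Device("panel-A", organization="org-north", scope="site-1")
PANEL_B = Device("panel-B", organization="org-north", scope="site-2")
PANEL_X = Device("panel-X", organization="org-south", scope="site-1")

ENGINEER = User("eng", roles={"commissioning_engineer"},
                organization="org-north", scopes={"site-1"})
VIEWER = User("view", roles={"viewer"},
              organization="org-north", scopes={"site-1", "site-2"})

if __name__ == "__main__":
    for user in (ENGINEER, VIEWER):
        for device in (PANEL_A, PANEL_B, PANEL_X):
            for action in ("site:view", "tunnel:open"):
                allowed, reason = authorize(user, action, device)
                print(f"{user.name:5} {action:12} {device.device_id:8} -> {allowed} ({reason})")
```

Note that organization and scope are checked even when the role would permit the action: a commissioning engineer with "tunnel:open" still cannot reach a panel in another organization or outside an assigned scope, and the audit reason records which layer denied the request.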

Data Security

Data Encryption-at-Rest - All data stored at rest is encrypted using AWS standard encryption. The AWS encryption conforms to the Federal Information Processing Standard (FIPS) 140-2.

Data Encryption-in-Transit - All data in transit (for example, communication to and from Desigo Fire Cloud Apps) is encrypted via HTTPS/TLS 1.2.

Details on the cryptography employed to secure Desigo Fire Cloud Apps cloud data are found in Appendix A, in the Cybersecurity guidelines A6V12131430, and in the product white paper.

Data Privacy

Collected data can be classified into two types: personal data, and data generated by the panels and peripherals of the building (for example, fire detectors). For Desigo Fire Cloud Apps, all collected personal data is handled in compliance with the European Union General Data Protection Regulation (EU GDPR), which gives individuals control over their personal data. The building data is owned by the building owner unless agreed otherwise in a contract.

Remote Access (Tunnel)

One of the features offered by Desigo Fire Cloud Apps is remote access to on-premises fire networks. Desigo Fire Tunnel enables commissioning engineers to service and access fire networks from remote offices. By default, Desigo Fire Tunnel has a session timeout of 10 minutes.

To use remote access with Desigo Fire Tunnel, no inbound connectivity is required.

Remote Web Client

The recommended browser for use with Desigo Fire Cloud Apps is Chrome.

Incident Handling

Siemens has processes in place for handling security incidents. If a cybersecurity threat is suspected or found, immediately contact the Siemens Computer Emergency Response Team for products (Siemens ProductCERT) or your local Siemens customer service.

More details on incident handling can be found at: https://www.siemens.com/cert/advisories.