Infrastructure and platform services

The Alarm Dashboard uses the AWS (Amazon Web Services) and Azure (Microsoft) cloud infrastructures to host its application services. AWS and Azure provide cloud infrastructure hardware, software, and networks to meet the needs of organizations sensitive to security issues, and they are responsible for protecting the global infrastructure used to operate all their cloud offerings. A detailed list is available at: https://aws.amazon.com/security/ and https://docs.microsoft.com/en-us/azure/security/

Authentication, access control, authorization

Authentication is the first step for each Alarm Dashboard user, with the simple goal of checking the identity of the user. The Alarm Dashboard uses Siemens ID, a service based on an IDaaS (Identity as a Service) platform that provides the authentication services and external ID management services for Siemens applications and is accessible to partners and customers. The greatest advantage of Siemens ID is single sign-on for Siemens applications. This includes ID management on the part of the user, a security token service, and an option for multistage authentication, which offers an additional layer of security. Learn more about Siemens ID at https://cdn.login.siemens.com/help/index.html.

Authorization defines the set of actions that the identified user can perform and defines access to a specific part of the infrastructure resource. Authorization is a security mechanism that sets user rights for devices, services, data, and application functions. Role-based access control (RBAC) is implemented in the Alarm Dashboard. RBAC limits user access to applications and functions. Organizations and areas of validity restrict access to facilities and devices.

Access is controlled via authentication and authorization steps.

Data security

Data-at-rest encryption - All stored data at rest is encrypted with standard AWS encryption. AWS encryption meets the Federal Information Processing Standard (FIPS) 140-2.

Data-in-transit encryption - All data is encrypted during transmission (e.g. communication to and from the Alarm Dashboard) via HTTPS/TLS 1.2.

Data protection

Collected data is classified into two categories: personal data, and data created by the fire control panels and periphery devices in a building, e.g. fire detectors. On the Alarm Dashboard, all collected personal data meets the requirements pursuant to the EU General Data Protection Regulation (EU GDPR), whereby individuals control their own personal data. Building data is the property of the building owner, unless otherwise agreed to.

Remote/web client

Chrome is the recommended browser for the Alarm Dashboard.

Handling incidents

Siemens has procedures in place for handling security incidents. In the event of a suspected or actual cybersecurity threat, immediately contact the Siemens Computer Emergency Response Team for Products (Product CERT) or your local Siemens customer representative.

Additional information on handling incidents is available at: https://www.siemens.com/cert/advisories.