Just How Secure IS Cloud PDM?
Introduction to the 3DEXPERIENCE Platform
Thousands of customers, from startups and innovation laboratories to manufacturers and engineering services firms, have adopted the 3DEXPERIENCE Platform to securely connect stakeholders with their data, and with each other, in a product lifecycle ecosystem.
Even companies with established IT departments are looking for alternatives to the high total cost of ownership of standing up their own data management system, with the ongoing maintenance, upgrades and administration of the hardware and software it requires.
The 3DEXPERIENCE public cloud is a multi-tenant, all-in-one data management solution combining Infrastructure-as-a-Service, Platform-as-a-Service and Software-as-a-Service. The platform is operated by Dassault Systèmes, which lets customers reduce or eliminate their own IT commitments and lowers long-term cost of ownership.
The 3DEXPERIENCE platform is also flexible. Products and users can be added to a customer’s tenant at any time, so capacity can follow a changing workload. Product licenses are assigned to named users and follow those users wherever they work, so they can access and use their data from virtually anywhere rather than from a specific physical location.
Safeguarding Your Data in the Cloud
Dassault Systèmes understands that security is one of the chief concerns of organizations moving to a cloud data management solution. To address it, DS has placed security at the core of its cloud application and data storage development, implementing a “Security in Depth” approach to protecting customer IP.
The security processes of the 3DEXPERIENCE platform are developed with an emphasis on the following industry standards and best practices:
- ISO/IEC 27000 series standards (with ISO/IEC 27002 as the implementation guide).
- NIST SP 800 series.
- OWASP testing methodologies.
- COBIT framework.
Best practices include secure authentication, access control, encryption, injection detection and prevention, penetration testing and server hardening, among others.
Customer data is safeguarded while preserving its availability, integrity and confidentiality. Dassault Systèmes makes the following service commitments to customers on the 3DEXPERIENCE public cloud:
- Monthly availability at 99.5% uptime.
- Backups of customer data every 24 hours and kept for 7 days minimum.
- Maximum downtime during an upgrade of 4 hours.
Operationally, the 3DEXPERIENCE cloud is managed and maintained by 3DS OUTSCALE, which is wholly owned by Dassault Systèmes.
Security In Depth
Dassault Systèmes’ Security in Depth approach to cloud security is a system of independent layers of control for each level of the 3DEXPERIENCE platform and its processes.
Internet Level – This level handles users coming into the platform, and the customer-specific tenant on the platform.
In-Cloud Level – This level controls what is happening within the infrastructure with data and users.
Application Level – This level handles what is happening with applications that users are currently implementing.
Virtual System Level – This controls the security of the virtualized system on which data and applications are hosted.
Physical Level – This controls how physical locations, hardware, and infrastructure are secured.
The initial point of entry into the 3DEXPERIENCE public cloud is simply the internet.
Several security layers ensure that only intended traffic and activities are processed by the platform and granted access. All incoming internet traffic is filtered by independent mechanisms, so that the failure or compromise of one filter does not cascade into the others.
Customers access their private tenant with credentials issued by Dassault Systèmes. They may grant access to others, but those users also need their own credentials. Two-factor authentication (2FA) is available as an option, including TOTP-compliant authenticator apps on personal mobile devices. Because it is optional rather than enforced by default, turning it on for every account in the tenant is the customer’s decision to make.
The hosting environment implements active countermeasures against distributed denial of service (DDoS) attacks, and the platform uses encrypted protocols and secure channels between the hosting environment and the customer’s premises to preserve the confidentiality and integrity of data in transit.
Additional internet-level controls are in place on an ongoing basis but are not disclosed.
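To make concrete what a “TOTP-compliant app” actually computes, and what the server side has to check before trusting the code, here is a small RFC 6238 verifier. This is an added example written for this page; it is not Dassault Systèmes’ 3DPassport code and says nothing about how the platform implements 2FA internally. The secret, time values and expected codes are the published RFC 4226 / RFC 6238 test vectors, so every result can be checked against the RFCs; the drift window and replay check are the standard server-side safeguards, included here because a verifier without them accepts a captured code for a second use.

```python
"""TOTP (RFC 6238) verifier: what a "TOTP-compliant app" computes and what
the server must check.  Added example for this page, NOT 3DPassport code.
Secret and expected codes are the RFC 4226 / RFC 6238 published test vectors.
"""
import base64
import hashlib
import hmac
import struct
import time

# RFC test secret (ASCII "12345678901234567890").  Its base32 form is what a
# provisioning QR code / URI hands to the user's authenticator app.
RFC_SECRET = b"12345678901234567890"
RFC_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(encoded: str) -> bytes:
    """Decode a base32 secret as shown to the user, tolerating missing padding."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step (30 s)."""
    return hotp(secret, for_time // step, digits)


def verify_totp(secret: bytes, code: str, now: int, last_step=None,
                step: int = 30, window: int = 1, digits: int = 6):
    """Server-side check.  Returns the matched time step, or None on failure.

    - Accepts +/- `window` steps of clock drift between server and phone.
    - `last_step` is the step of the last code this user successfully used;
      refusing any step <= last_step stops a captured code from being replayed
      within its validity window (RFC 6238 section 5.2 requires this).
    - hmac.compare_digest keeps the comparison constant-time.
    """
    if not (code.isdigit() and len(code) == digits):
        return None
    current = now // step
    for drift in range(-window, window + 1):
        candidate = current + drift
        if last_step is not None and candidate <= last_step:
            continue  # already consumed: replay attempt
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    secret = secret_from_base32(RFC_SECRET_B32)
    print("code right now:", totp(secret, int(time.time())))
    # RFC 6238 vector: T=59 gives 94287082, so the 6-digit code is 287082.
    used = verify_totp(secret, "287082", now=59)
    print("first use accepted at step", used)                       # 1
    print("replay:", verify_totp(secret, "287082", now=59, last_step=used))  # None
```

The `last_step` bookkeeping is the part most home-grown verifiers forget: within the same 30-second step (plus the drift window) a TOTP code is valid for every attempt, so an attacker who phishes or shoulder-surfs one code can log in right behind the victim unless the server remembers which step has already been spent.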
A customer of the 3DEXPERIENCE platform receives a private tenant that only they can access and grant access to. But there are multiple private tenants within the public cloud.
While operating inside the 3DEXPERIENCE public cloud, the security of the customer tenant relative to other customer tenants is achieved through independent layers of solutions.
The first layer of in-cloud security is firewalls. Firewalls restrict user traffic to only the tenant or tenants the user is authorized to enter.
Additionally, Dassault Systèmes has implemented processes to meet ISO/IEC 17799 (since renumbered as ISO/IEC 27002) in restricting access to any data to only those users authorized to see or modify it.
Furthermore, the structure of the public cloud environment ensures that each customer works on application instances bound to their own tenant, preventing cross-customer data access and transmission. This structure mitigates the risk of network reconnaissance and of attacks such as traffic sniffing and IP spoofing, because there is no shared staging area on the public cloud where customers land before reaching their private tenant environment.
Securing the applications that run on the platform is as critical as securing its internet access and in-cloud security. If the application code contains vulnerabilities, they can be exploited to reach your data; and if applications are available to everyone on a customer’s tenant, an unauthorized user may cause unintended damage to customer data.
Access to applications is handled similarly to gaining access to the customer’s tenant. When applications are assigned to a user, the permission to use the application is tied to the user’s 3DPassport credentials and only they may use a particular license of that application. This is the first line of security regarding application use on the 3DEXPERIENCE platform.
To mitigate vulnerabilities in the code of applications, Dassault Systèmes has implemented security protocols to train application engineers, and a strict design and review process for new code that is created.
Every requirement for a new application feature carries a corresponding security requirement. If new code does not pass a security audit, the feature is not released. Code is peer-reviewed twice, internally and by third-party contractors, to align with industry best practices.
Applications must pass penetration tests before being approved for release. Penetration tests are performed on the application ecosystem to discover any remaining vulnerabilities and complement the secure coding development process. These, too, are performed internally and by third-party agencies.
Additionally, Dassault Systèmes and 3DS OUTSCALE follow Open Web Application Security Project (OWASP) guidance for secure coding and secure code review of 3DEXPERIENCE applications. Special attention is paid to testing against the OWASP Top Ten list of threats.
Dassault Systèmes warrants that no known vulnerabilities in any of these categories are present in a new release of the 3DEXPERIENCE platform at the time it ships; the warranty covers what is known at release, and the ongoing scanning described below is what addresses threats discovered afterwards.
The current OWASP Top Ten web application threats are:
- A01:2021-Broken Access Control
- A02:2021-Cryptographic Failures
- A03:2021-Injection
- A04:2021-Insecure Design
- A05:2021-Security Misconfiguration
- A06:2021-Vulnerable and Outdated Components
- A07:2021-Identification and Authentication Failures
- A08:2021-Software and Data Integrity Failures
- A09:2021-Security Logging and Monitoring Failures
- A10:2021-Server-Side Request Forgery (SSRF)
An internal operations team runs an ongoing program of scans across the application modules to confirm that application behaviour meets requirements and that newly discovered threats are mitigated.
Virtual System Security
The virtualized systems on which the data and applications are hosted are scrutinized closely from a security standpoint prior to being released into production.
The security lifecycle applied to virtual systems is strict and maintains a high level of security after the production release. Dedicated teams perform security maintenance activities such as system patching and review of running services. Furthermore, unannounced attack scenarios are run to test both the integrity of a model system and how the operations teams respond to an attack, so that mature policies for mitigating security threats are verified in practice rather than on paper.
None of the above would be possible without physical locations for the hardware that hosts the systems and applications of the 3DEXPERIENCE public cloud. These locations are nondescript: they carry no Dassault Systèmes or 3DS OUTSCALE branding that would draw attention to them.
Access is strictly limited to authorized staff. Contractors and visitors are always escorted by authorized Dassault Systèmes or 3DS OUTSCALE security staff, and all physical access to the data centers is logged and audited.
Physical storage is protected by redundant disks, disaster recovery and backup/restore procedures, and all cloud providers are ISO/IEC 27001 certified.
Peace of Mind
When adopting the 3DEXPERIENCE solution you can be assured that Dassault Systèmes is serious about securing your data, your applications, the platform and the infrastructure of the 3DEXPERIENCE public cloud. You reduce or eliminate your IT commitment while accessing and managing your data quickly from virtually anywhere and staying connected with stakeholders across your organization.
Dassault Systèmes, 3DS OUTSCALE, AWS and Huawei Compliances
Dassault Systèmes Quality Management System: ISO 9001:2015
Design | Development | Deployment | Cloud Operations | Software Portfolios
3DEXPERIENCE Platform Code of Practice for information security protocols: ISO 27002:2013
Information Technology | Security Techniques
ITAR and CGP Compliance
The 3DEXPERIENCE public cloud solution is neither ITAR compliant (International Traffic in Arms Regulations, United States) nor CGP compliant (Controlled Goods Program, Canada). Customers who must meet these requirements should look at the private cloud and on-premises 3DEXPERIENCE offerings instead.