THE PLM STATE

The Sky is Falling! Navigating Security Issues with Agile PLM


Recently I have noticed a spate of articles and notifications about Agile PLM and security issues. Some of this information comes directly from Oracle, so, given the number of patches recently released, I have no doubt that there are causes for concern. I do wonder how concerned we should be, whether Agile PLM poses an imminent threat, and what should be done considering the situation and the risks of running software that is more than 10 years old.

Let’s start with the question: does running Agile PLM on your company’s network make your company more vulnerable to cyber-attacks? Keep in mind that, according to Deloitte, 91% of all cyber attacks begin with a phishing email to an unexpected victim. It is highly unlikely that running Agile PLM exposes your company in some way. I would strongly discourage using any kind of proxy server with Agile PLM that would open up network ports. I would also closely monitor and police any kind of VPN used for remote access to Agile PLM. Both of these external access solutions can be problematic. I have spoken to numerous companies and consultants about Agile PLM security, and I have yet to come across an instance where a company was hacked because of Agile PLM. Such companies may exist, but I have not uncovered any despite extensive efforts.

The next question is whether Agile PLM is vulnerable in the event of a network breach. The answer is: possibly. Obviously, Oracle is doing everything it can to continue to patch vulnerabilities. It is reacting to issues uncovered in the field, which means there is a chance that Agile PLM could be compromised before a new patch is released. Companies that are not current with patches are more vulnerable, and companies that no longer have support and are running older versions of Agile are even more exposed. Keep in mind that this only becomes an issue if a company’s network is breached, and if that happens there will be numerous other issues that won’t involve or be caused by Agile PLM.

I do believe there is some reason to be concerned about Agile PLM, its age, and the potential for security issues. The final question is: based on the threats, what are the appropriate steps a company should take to improve security? First, eliminating or highly restricting external access to Agile PLM would be the highest priority, assuming all appropriate security practices are being followed for company networks. If you have Oracle support for Agile PLM, staying current with patches is highly advisable. Reviewing your roles and permissions in Agile PLM would also make sense in our current environment. Using the Attachment Intellectual Property reports present in most current Agile PLM releases to periodically check for unauthorized access to files is highly encouraged. Specifically, looking at the rules around file attachments and how your environment is configured would help better protect your data. Finally, a review of your backup practices and a smoke test of current backups could be instrumental in avoiding negative consequences if your company does experience a network breach.

In conclusion, the current climate of cyber insecurity and the age of Agile PLM do create challenges. The best option would be to make plans to move to a more modern PLM solution that does not have these issues. A cloud-based solution like Propel PLM that utilizes the Salesforce platform is much more secure and offers options for external access that Agile PLM cannot. But changing PLM solutions takes time and money, and companies must plan for major system changes. Following prudent practices around cyber security and ensuring Agile PLM’s access control logic is set up properly can help minimize risks. Working with professionals who are well versed in these issues can be a wise investment until you are ready to upgrade your PLM. The sky isn’t falling, but you may want to grab an umbrella.
