I was recently asked a question which confounded me and left me speechless. On the one hand, the answer to the question was, to me, so obvious that I could not conceive of anyone asking it. I was left speechless because I could not formulate an answer that was not simply ‘duh’. But then I took a moment to consider the question, its context, and its real meaning. The question was “Why is security important to Agile PLM?”
It seems obvious in today’s world that any professional would understand, implicitly, why the security of an Agile Product Lifecycle Management (PLM) system is important and why it is necessary to assess that security occasionally. After all, the news is filled with reports of data breaches, network breaches, and the latest ransomware; yet it simply whizzes past many of us who are not tuned in to its ramifications. Most Agile PLM systems are tucked away in the inner network of an organization with strong account controls, are often integrated with Microsoft Active Directory, and have the security of the network perimeter to keep out unwanted visitors. The reality, of course, is that none of this speaks to the security of your Agile PLM system or its data, since the majority of breaches come from inside organizations. An insider attack can happen intentionally or unintentionally: otherwise responsible members of staff click the wrong web site, plug in an infected USB drive, connect to an unsecured WiFi network, or perform some other act with the simple intention of getting their work done.
This question was from an individual whose only exposure to Agile PLM was as an end user. This person regularly logged on to the system, did the work she needed, and then logged off. Sometimes she performed administrative functions within the system to construct workflows or add criteria objects for others to use. Occasionally she also provisioned a new account using the system’s roles and privileges, with little thought to the impact of those decisions beyond giving the new user the power to do his or her job.
From this perspective, the overall security of the system is like the lake surrounding the castle. It’s always been there and it is assumed to be deep enough to repel attackers. But often, canals are dug, gates are removed (or added), and suddenly you have a dry lake with concrete pathways to the castle.
I am reminded of an often-told story about the venerable IBM AS400. The AS400 was such a reliable computing server that today, it's not unexpected to find one tucked in the back of a server room. The AS400 just continues to chug along delivering data and supporting the efforts of unknowing workers. The organization has likely introduced many new services and even security improvements while the AS400 sits ignored because it does not break and therefore does not attract much attention. It has been forgotten, even though it supports critical services that people use daily. Agile PLM is often treated in the same way. Once installed, it is left to run without any thought unless someone complains of a functionality issue or the underlying operating system requires servicing. Many IT organizations are so overloaded with work that they are often forced to prioritize their workload based on fighting the immediate fires and concerns of perimeter security. Website hacking and identity security take an even higher precedence.
Prior to achieving my EC-Council Certified Ethical Hacker certificate, I felt I was reasonably aware of and knowledgeable in security, especially in the Windows arena. I was so very wrong about that. The CEH certification opened my eyes to just how vulnerable the tech world is and how much can be done to safeguard it. I applied my attention to the specifics of Agile PLM as I currently specialize in Agile PLM server administration and engineering. I was able to apply several of my newly acquired skills and my expanded knowledge and recognized that most companies do not do enough of the simple things that could make their Agile PLM system more secure.
Over time, and through several administrator changes, the PLM server can become a repository of unneeded software, open ports, overlapping privileges and forgotten password files. Individually, these gaps in server management may not be critical, but in total, they can leave your PLM system vulnerable.
To help our customers manage the security of their Agile PLM system, Zero Wait-State has developed a new Security Assessment service. The service is designed to identify security weaknesses in the PLM servers and the Agile PLM internal security model. By using modern security tools and the resources within Agile PLM, we are able to shine a light on the forgotten system. Bringing together our expansive expertise in Agile PLM functionality, security design, and server engineering, we are uniquely positioned to help our customers assess the security of their PLM system and offer real-world solutions.
The question is not “Why is security important to Agile PLM?” but “Why isn’t the security of Agile PLM more important to me?”
Author Bob McDuffee, Certified Ethical Hacker (CEH), has over 30 years’ experience and is a System Engineer for Zero Wait-State. He is responsible for installing software for clients and overseeing hosted and virtual environments. He provides configuration information for customers and debugs hardware issues both for clients and for the company internally. His experience includes implementing, troubleshooting and upgrading PDM systems on Linux, Solaris and Windows servers utilizing both WebLogic and Oracle Application Server.