plm 360 security white paper - asihub …asihub-cdn.s3.amazonaws.com/ds/pdf/products/plm360... ·...

Autodesk® PLM 360 Security Overview
November 2013


Table of Contents

Introduction
Document Purpose
Autodesk’s Cloud Computing Platform
Confidentiality
Integrity
Availability
Security Standards and Attestations
Organizational Security
  Personnel Policy
  Autodesk 360 Operations
  Autodesk 360 Information Security
  PLM 360 Engineering
  Security Operations Center
Operational Security
  Identity and Access Management
  Incident Management
  Patch Management
  Change Management
  Capacity Management
  Storage Decommissioning
  Secure Data Handling
Application Security
  Authentication
  Revision Control
  Administrative Controls
    Provisioning Users
    Using Role-based Security
    Accessing Security Information
    Monitoring and Auditing User Activity
    Restricting Access
  User Controls
    Setting Access Controls on Data
    Versioning File Attachments
Secure Software Development Process
Network Security
  Encryption of Data in Transit
  Encryption of Data at Rest
  Firewalls
  Private VLANs
  Intrusion Detection Systems
  Operating System Hardening
  Hypervisor Hardening
  Virus and Malware Protection
  Security Scans
  Logging and Monitoring
High Availability
  Clustering
  Network Optimization
Disaster Recovery
  Data Replication
  Geographic Redundancy
  Power System Redundancy
  Internet Connectivity Redundancy
  Fail-Over Testing
Physical Infrastructure Security
  Facilities Access Control
  Fire Prevention
  Climate Controls
File Integrity Monitoring System
Change Management Integrity Controls
Resources
Glossary


Autodesk PLM 360 Security Overview

Introduction

Autodesk PLM 360 delivers powerful product lifecycle management tools through Autodesk’s cloud computing platform. To provide customers with secure access to PLM 360 and to protect the confidentiality and integrity of their information, Autodesk uses a range of controls, including encryption and real-time file integrity monitoring. PLM 360 also provides customers with an integrated and intuitive set of tools for building custom security policies that match the needs of their organization. To keep customer information highly available, PLM 360 runs on an elastically scalable infrastructure that automatically adds resources in response to usage spikes. The prevention of data loss is another important requirement that is addressed by the design of PLM 360’s infrastructure. To maintain business continuity in the event of a disaster, redundant data centers in different regions are linked by a high-speed private network over which data are replicated. The security controls used by PLM 360 are based on the extensive knowledge of cloud security that Autodesk has developed through its experience providing Software as a Service (SaaS) for over a decade. Autodesk’s first cloud service, Autodesk Buzzsaw, was introduced in 1999.

Document Purpose

The purpose of this document is to explain the security measures implemented in PLM 360 and provide answers to common security questions. Both high-level and more detailed questions are addressed. At a high level, readers may need to know:

• What are the specific organizations within Autodesk that focus on cloud security?
• What security standards does PLM 360 follow?
• How do the procedures used to operate PLM 360 contribute to security?

At a more detailed level, readers may need to know:

• How does PLM 360 secure data in transit and data at rest?
• What types of network security measures, such as firewalls, does PLM 360 implement?
• How is the virtualization layer of PLM 360 secured?
• How is security handled in the PLM 360 software development life cycle?

Autodesk’s Cloud Computing Platform

The security controls that protect customer data and provide high availability in PLM 360 work throughout Autodesk’s cloud computing platform. Cloud computing consists of three layers: Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Within Autodesk’s PaaS layer, common functionality such as Identity and Data Management are made available to many Autodesk SaaS offerings, including PLM 360. Both SaaS and PaaS functionality run on infrastructure services that consist of physical resources such as data centers and software services such as virtual machines. Autodesk’s cloud computing platform is described in Figure 1.

Figure 1: Autodesk’s Cloud Computing Platform

Confidentiality

PLM 360’s confidentiality measures work to protect sensitive customer data from unauthorized access. Some of the ways PLM 360 provides confidentiality include:

• Administrative functionality – PLM 360’s administrative tools provide a flexible way for administrators to manage users, role-based permissions, password policy, and other access controls.

• Encryption – Encryption of confidential information protects data in transit and data at rest from eavesdropping and other types of unauthorized access.

• Physical restrictions to data centers – Physical restrictions to data centers help prevent unauthorized parties from accessing the hardware and support systems used by PLM 360.

• Extensive background checks – Extensive background checks are required for employees with potential physical access to the computing resources and support systems used by PLM 360.

Integrity

Integrity enforces the consistency of customer data and system configurations over time. Some of the ways PLM 360 provides integrity include:

• File integrity monitoring – Critical files are monitored to detect deviations from a trusted baseline of file content and attributes.

• Change management integrity controls – Software deployment is performed using technology that executes installation instructions consistently across all targeted instances and environments.
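The baseline comparison behind the file integrity monitoring bullet, as an added example rather than PLM 360's own tooling: a trusted baseline of content hashes and attributes is recorded for a set of critical files, and a later check reports every file whose content, size or permission mode has deviated or that has disappeared. The file names and contents are constructed in a temporary directory.

```python
from __future__ import annotations

import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Content and attribute fields compared against the baseline.
TRACKED = ("sha256", "size", "mode")


def fingerprint(path: Path) -> dict[str, object]:
    """Content hash plus the attributes a FIM typically baselines."""
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(root: Path, critical: list[str]) -> dict[str, dict[str, object]]:
    """Trusted baseline for the named critical files under root."""
    return {name: fingerprint(root / name) for name in critical}


def check_integrity(root: Path, baseline: dict[str, dict[str, object]]) -> list[str]:
    """Compare the live files with the baseline; one finding per deviation."""
    findings: list[str] = []
    for name, expected in baseline.items():
        path = root / name
        if not path.exists():
            findings.append(f"{name}: missing")
            continue
        current = fingerprint(path)
        for attr in TRACKED:
            if current[attr] != expected[attr]:
                findings.append(f"{name}: {attr} changed ({expected[attr]} -> {current[attr]})")
    return findings


def demo() -> list[str]:
    """Constructed scenario: baseline three files, then change the content of
    one, the permissions of another, and delete the third."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("listen=443\n")
        (root / "deploy.sh").write_text("#!/bin/sh\necho deploy\n")
        os.chmod(root / "deploy.sh", 0o750)
        (root / "cron.allow").write_text("ops\n")
        baseline = build_baseline(root, ["app.conf", "deploy.sh", "cron.allow"])
        clean = check_integrity(root, baseline)  # unchanged files: no findings
        (root / "app.conf").write_text("listen=443\ndebug=1\n")  # content change
        os.chmod(root / "deploy.sh", 0o777)  # attribute change: now world-writable
        (root / "cron.allow").unlink()  # file removed
        return clean + check_integrity(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```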

Availability

Availability addresses threats that could cause customers to lose access to their data through service interruptions or system failures. Some of the ways PLM 360 provides availability include:

• Geographically isolated data centers – Geographically isolated data centers are used to prevent service interruptions due to regional events such as natural disasters.

• Data replication – Data replication copies customer data across redundant data centers so that business continuity can be maintained if a fail-over between facilities occurs.

• Redundant technologies – Redundant technologies such as load balancers and clustered application servers limit single points of failure.

Security Standards and Attestations

By adhering to recognized security standards, the teams responsible for PLM 360 address regulatory compliance and align security policies with proven best practices. Measures that enforce security in PLM 360 are guided by the following standards and attested by the following audit reports:

• AT Section 101 SOC 2 – AT Section 101 SOC 2 (formerly SSAE 16 SOC 2) is an audit report attesting that the information security principles defined by the American Institute of Certified Public Accountants (AICPA) are followed by the audited organization. Requests to view this confidential audit report under a non-disclosure agreement can be sent to [email protected].

• ISO 27002 – PLM 360 security controls are designed using the ISO 27002 framework, which is a key industry standard providing guidelines for information security.

• ITIL V3 – IT Infrastructure Library (ITIL) V3 is a framework that defines best practices for planning, delivering, and supporting an information system. The Autodesk 360 Operations team, which is responsible for maintaining PLM 360, follows ITIL best practices at each stage of the IT service life cycle. Key processes that affect security, such as incident management and change management, are derived from ITIL recommendations.

• NIST and DoD Media Sanitization Standards – The National Institute of Standards and Technology (NIST) Special Publication 800-88 and DoD Directive 5220.22-M define procedures for secure media sanitization. These procedures are followed when decommissioning media devices used by PLM 360.


Organizational Security

A number of organizations within Autodesk are dedicated to information security within the cloud. The Autodesk 360 Information Security team defines and implements security policy for Autodesk’s cloud computing platform. The Information Security team works closely with the Autodesk 360 Operations team, which maintains PLM 360 services and infrastructure. The PLM 360 Engineering team uses secure software development techniques to design and implement PLM 360.

Personnel Policy

Autodesk's personnel policy is designed to maintain a high level of employee trustworthiness and to keep employees aware of key aspects of information security and privacy. Employees must comply with a formal code of conduct that emphasizes confidentiality, ethics, and professionalism in all interactions with Autodesk's users, partners, and competitors. Autodesk 360 Operations personnel are subject to background checks that thoroughly vet personnel before access to production systems is authorized. To further protect customer data, Autodesk policy requires that all new employees sign a confidentiality agreement.

As part of new hire orientation, employees must affirm the importance of information security. Employees also attend training sessions covering the legal and ethical responsibilities defined by the Autodesk Code of Conduct and the penalties for deviating from expected behavior. Depending on employee role, additional security training may be required.

Autodesk 360 Operations

The Autodesk 360 Operations team is responsible for defining and executing procedures for application release management, hardware and operating system upgrades, system health monitoring, and other activities required for the maintenance of PLM 360. The Operations team follows ITIL standards when conducting maintenance operations. Team members are certified ITIL V3 Experts.

Autodesk 360 Information Security

Led by Autodesk 360’s Chief Security Officer, the Autodesk 360 Information Security team is a dedicated cross-functional group of information security specialists focused solely on identifying and enforcing security standards within the cloud. Members of the Information Security team possess certifications such as:

• ISC2 (International Information Systems Security Certification Consortium)
• CISSP (Certified Information Systems Security Professional)
• CISA (Certified Information Systems Auditor)
• CISM (Certified Information Security Manager)
• CRISC (Certification in Risk and Information System Control)
• PCIP (Payment Card Industry Professional)
• CCIE Security (Cisco Certified Internetwork Expert in Security)
• Certified ITIL V3 Expert


The Information Security team's responsibilities include:

• Reviewing the security of cloud infrastructure design and implementation.
• Implementing procedures that follow security standards, such as ISO 27002.
• Defining and implementing identity and access management policy, including procedures for assigning unique and trackable identities to each member of the Autodesk 360 Operations team.

• Defining and implementing a password management policy that requires strong passwords, forces passwords to be regularly changed, and prevents password reuse.

• Defining and implementing anti-virus and anti-malware policies that guard against emerging threats and enforce the use of protection for all corporate systems that connect to PLM 360 environments.

• Defining data confidentiality classifications that require employees who access PLM 360 customer information to do so in a prescribed manner that limits the possibility of unauthorized access.

• Driving compliance with established security procedures by conducting internal reviews and audits.

• Identifying and implementing technologies that secure customer information, including encryption technologies for data in transit and data at rest.

• Engaging third-party security experts to conduct information security assessments that are based on penetration tests.

• Monitoring cloud services for possible security issues and responding to alarms by following incident management policy.

• Holding regular security training sessions for Operations personnel.
• Conducting annual and as-needed reviews of security policy.

PLM 360 Engineering

The PLM 360 Engineering team is responsible for designing, implementing, and testing the software services provided by PLM 360. Within Engineering, individual teams work on specific feature-sets, making use of common security services, such as Autodesk’s single sign-on (SSO) service. Across all teams, security architects collaborate with individual contributors to embed security within the design and implementation of each software component. The Engineering team works closely with the Information Security and Operations teams to identify security concerns, develop monitoring procedures, and implement protective technology. The security responsibilities of the Engineering team include:

• Defining and implementing secure design and coding practices.
• Conducting design reviews to identify areas of possible security concern prior to coding.
• Conducting code reviews to identify code that could be exploited to grant unauthorized access to customer data.
• Conducting code reviews to identify code that could negatively impact availability.
• Performing load tests in pre-production environments to verify that availability requirements have been met.


Security Operations Center

PLM 360 security status is monitored 24 hours a day, seven days a week by the Security Operations Center (SOC), a dedicated facility staffed by GIAC Intrusion Analyst-certified security experts. In addition to intrusion detection knowledge, specialized product and industry skills are available from SOC team members with certifications such as CISSP, CCNA, CCSP, CCSE, CCSA, and MCSE. The SOC organizes a large volume of security metrics to provide high visibility to key indicators, including:

• Failed access attempts to password-protected resources.
• Port-scanning attempts.
• Patch versions running in each PLM 360 environment.

Security indicators are aggregated by the SOC and displayed on dashboards to provide an overview that security personnel can use to quickly determine if the system is operating within defined parameters. In addition to providing a centralized view of PLM 360 security, the SOC facilitates clear communication in the case of a security incident by connecting the security incident leader, who is responsible for driving issue resolution, with support teams.
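Detection logic for two of the indicators listed above, failed access attempts and port-scanning attempts, run over a constructed sample log and aggregated the way a dashboard panel would show them. This is an added example, not the SOC's actual tooling; the log format, IP addresses, thresholds and time windows are assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <kind> <source IP> <detail>".
# kind auth_fail: detail is the user name that failed to authenticate.
# kind conn:      detail is the destination port that was contacted.
SAMPLE_LOG = """\
2013-11-04T10:00:01 auth_fail 203.0.113.7 alice
2013-11-04T10:00:03 auth_fail 203.0.113.7 alice
2013-11-04T10:00:04 auth_fail 203.0.113.7 admin
2013-11-04T10:00:06 auth_fail 203.0.113.7 root
2013-11-04T10:00:09 auth_fail 203.0.113.7 bob
2013-11-04T10:00:30 auth_fail 198.51.100.2 carol
2013-11-04T10:05:00 conn 192.0.2.9 22
2013-11-04T10:05:00 conn 192.0.2.9 23
2013-11-04T10:05:01 conn 192.0.2.9 25
2013-11-04T10:05:01 conn 192.0.2.9 80
2013-11-04T10:05:02 conn 192.0.2.9 110
2013-11-04T10:05:02 conn 192.0.2.9 143
2013-11-04T10:05:03 conn 192.0.2.9 443
2013-11-04T10:05:03 conn 192.0.2.9 445
2013-11-04T10:05:04 conn 192.0.2.9 3306
2013-11-04T10:05:04 conn 192.0.2.9 8080
2013-11-04T10:06:00 conn 198.51.100.2 443
2013-11-04T10:06:30 conn 198.51.100.2 443
"""


def parse(log: str) -> list[tuple[datetime, str, str, str]]:
    """Parse the constructed line format into (timestamp, kind, source, detail), time-ordered."""
    events = []
    for line in log.splitlines():
        ts, kind, src, detail = line.split()
        events.append((datetime.fromisoformat(ts), kind, src, detail))
    return sorted(events)


def failed_access_alerts(events, threshold: int = 5,
                         window: timedelta = timedelta(minutes=1)) -> dict[str, int]:
    """Sources with at least `threshold` failed access attempts inside any `window`.
    Returns the peak in-window count per alerting source."""
    times_by_src: dict[str, list[datetime]] = defaultdict(list)
    for ts, kind, src, _ in events:
        if kind == "auth_fail":
            times_by_src[src].append(ts)
    alerts: dict[str, int] = {}
    for src, times in times_by_src.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts


def port_scan_alerts(events, threshold: int = 10,
                     window: timedelta = timedelta(seconds=30)) -> dict[str, int]:
    """Sources that contacted at least `threshold` distinct destination ports inside `window`."""
    conns_by_src: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    for ts, kind, src, port in events:
        if kind == "conn":
            conns_by_src[src].append((ts, int(port)))
    alerts: dict[str, int] = {}
    for src, conns in conns_by_src.items():
        last_seen: dict[int, datetime] = {}  # port -> most recent contact still inside the window
        for ts, port in conns:
            last_seen[port] = ts
            for stale in [p for p, t in last_seen.items() if ts - t > window]:
                del last_seen[stale]
            if len(last_seen) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(last_seen))
    return alerts


def dashboard(log: str) -> dict[str, dict[str, int]]:
    """Aggregate both indicators into one structure for display."""
    events = parse(log)
    return {"failed_access": failed_access_alerts(events),
            "port_scan": port_scan_alerts(events)}


if __name__ == "__main__":
    print(dashboard(SAMPLE_LOG))
```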

Operational Security

The policies and procedures that govern the PLM 360 operational life cycle are based on standards that emphasize security in both routine maintenance activities such as storage decommissioning and key processes such as change management.

Identity and Access Management

Identity and access management policy requires that all PLM 360 personnel be provisioned with unique and trackable identities in the form of a User ID. Identity and access management policy enforces the principle of least privilege, which restricts PLM 360 personnel to the minimum level of access required to complete their assigned tasks. Virtual instances, firewalls, database servers, and other infrastructure software and hardware are protected by user identities that have been granted a limited set of permissions. Permission grants are regularly reviewed by the Operations team and revoked when an employee leaves the company. The Operations team enforces a password policy throughout the cloud that requires strong passwords, regular password expiration, and restrictions on password reuse. Multi-factor authentication is required to remotely access servers, routers, firewalls, and other production systems used by PLM 360.

Incident Management

PLM 360 incident management policy is guided by the ITIL V3 framework, which defines best practices for driving incident resolution. The PLM 360 incident management policy emphasizes extensive logging of remediation steps and the use of root cause analysis to build a knowledge-base of actionable procedures. The goal of the PLM 360 incident management policy is not only to quickly and effectively close incidents, but to collect and distribute incident information so that processes are continuously improved and future responses are driven by accumulated knowledge. Incident management involves a life cycle defined by ITIL that includes initial diagnosis, classification, prioritization, escalation, and closure. PLM 360 incident management policy addresses each stage of the life cycle by defining:

• Incident identification business rules that are applied to resources such as memory, CPU, and storage. Business rules automatically create and categorize incidents and generate notifications via email, SMS, and phone.

• Incident classification categories and sub-categories that reflect both functional and technological areas, such as user management functionality and database server processes.

• Incident prioritization levels that clearly inform responders of the criticality of an issue.
• Personnel roles that define the responsibilities of each team member involved in an incident, including the incident owner who is responsible for coordinating resources and driving resolution.

• Incident escalation and communication time-frames that allow incidents to be efficiently addressed by the right personnel and that keep customers updated at regular intervals on incident status.

• Incident closure procedures that encourage feedback from customers so that levels of satisfaction can be tracked and continuously improved.

Once an incident is opened, communication is maintained using collaboration tools provided by facilities like the SOC. Each incident is driven by an incident leader with the authority to bring together all parties necessary to provide resolution. Incident status is tracked using an incident management system that allows each step in the resolution process to be logged. Artifacts related to the incident, such as heap dumps and other log and system files, are also stored in the incident management system. When an incident is closed, root cause analysis is undertaken and findings are documented and made available. Preventative steps are defined based on findings and action items are assigned to appropriate teams.

Patch Management

Software vendors are continually strengthening their products as new threats to security emerge. In order to keep the third-party software used by PLM 360 current with vendor fixes, the Operations team follows a detailed patch management policy that covers the discovery, testing, and deployment of security patches. The Operations team actively monitors vendor security advisories and subscribes to new patch release notifications. Where possible, automation is in place to check for new patches and prepare deployment lists that can be approved by authorized Operations personnel. Deployment is highly configurable, allowing patches to be targeted at groups of instances or single instances and scheduled for periods of low user activity. Patching policy also defines criteria for determining the impact of a patch on system stability. If a patch is identified as having a possibly high impact, thorough regression testing is completed before the patch is deployed. Patching policy also requires the creation of detailed audit records when patch installation occurs. Audit records keep track of the instances affected by a patch deployment, the personnel who authorized and deployed the patch, whether an instance recycle was required during deployment, and other information necessary to maintain a clear historic record and to assist with diagnosis if an incident occurs.


Change Management

The Operations team makes extensive use of the ITIL V3 framework to define its change management policy. ITIL consists of an IT service life cycle composed of phases, including the service transition phase. During service transition, existing IT services are modified, which carries the risk of service disruption. To address this risk, ITIL recommends best practices be used before, during, and after a change is deployed. The Operations team follows ITIL recommendations by:

• Requiring the submission of a Request For Change (RFC) form, which includes the name of the change initiator, the change priority, the business justification for the change, and a requested change implementation date. By requiring that an RFC be submitted, the Operations team can gather the information necessary for conducting risk assessment.

• Generating a change evaluation report prior to major deployments. A change evaluation report contains detailed information that identifies availability risks, such as performance degradation if large data sets must be loaded, failure to serve assets if HTTP servers must be restarted, and processing timeouts if caches must be invalidated. The report also lists functional areas that may be disrupted by the change. By identifying risks prior to deployment, the Operations team can develop a deployment plan that avoids or mitigates issues.

• Defining detailed back-out plans. The Operations team creates detailed back-out plans prior to deployment so that system state can be restored if a change causes a service disruption. Back-out plans include executable instructions defined in scripts that restore system state with a minimum of manual steps.

• Defining maintenance windows. Scheduled, emergency, and extended maintenance windows are specified by the Operations team, and regularly planned maintenance is scheduled during off-peak hours.

• Defining tests to verify that functionality is accessible after the deployment of a change. Once deployment is complete, the Operations team executes tests to check that functionality identified as at-risk remains available.

Capacity Management

Because customer access to cloud services is provisioned on-demand through a self-service model, traffic patterns are highly variable and subject to usage spikes. When a spike occurs, the availability of a service can be negatively impacted if the pool of computing resources powering the service is exhausted. To maintain a high level of availability, the Operations team implements a detailed capacity management policy based on ITIL best practices. These best practices include:

• Frequent recording of resource use – PLM 360 resource use is collected at frequent intervals across a range of infrastructure components, including virtual instances, virtual storage volumes, and virtual network devices. Usage statistics are stored in a capacity management repository.

• Building a capacity plan documenting current resource use and forecasting future requirements – The capacity management repository is used by the Operations team to generate a detailed capacity plan that documents current levels of use and models future levels based on statistical analysis and the impact of upcoming enhancements to business functionality. The capacity plan is generated annually and may be updated at more frequent intervals if significant changes to usage patterns are detected.

Storage Decommissioning

Storage devices are decommissioned by following the procedures for media sanitization published in the National Institute of Standards and Technology (NIST) Special Publication 800-88 or DoD Directive 5220.22-M. The procedures in these standards protect the confidentiality of customer information even if extraordinary measures are taken to recover data from devices that have been withdrawn from service.

Secure Data Handling

Data handling policy subjects data to severe restrictions that limit access across a matrix of data classifications and PLM 360 personnel roles. Only designated Autodesk employees are allowed to access customer data. Furthermore, all data are classified according to sensitivity so that even authorized personnel are restricted from viewing certain data elements. Customer data are never moved outside secure data center environments without explicit customer authorization. When data are transferred outside the data center, obfuscation and de-personalization procedures are used to protect especially sensitive information such as passwords.

Application Security

PLM 360 provides administrators with security tools that allow detailed identity and access management policies to be created. Non-administrative users can use PLM 360’s security tools to manage ownership of their workspace items and set sharing permissions on their reports.

Authentication

Credentials, consisting of a User ID and password, are required to access PLM 360. Credentials are secured using SSL during network transmission.

Revision Control

Revision control enforces restrictions on workspace items that are determined by a product’s phase in its lifecycle. Users can only change an item during specific modification windows and each set of modifications is captured in a snapshot. For example, during the design phase of a product’s lifecycle, only users with a specified role can participate in design iterations and each iteration is saved with a revision number.

Administrative Controls

Administrators can create custom identity and access management policies that align with those already in use by their organization.


Provisioning Users

Administrators can create and deactivate users and delegate administrative authority to other users.

Using Role-based Security

PLM 360 roles allow administrators to customize access control levels to match the job responsibilities defined within their organizations. Roles are collections of permissions to data and functionality that are related to a job function. Once a role is created, it can be associated with a user group so that users within the group are granted the role’s permissions. For example, a “Customer Details” role can contain permissions allowing customer information to be viewed, added, and deleted. To grant these permissions to users who are responsible for registering customers, a group named “Customer Registration” can be created and populated with employees belonging to the department that processes new customers. The “Customer Details” role can then be associated with the “Customer Registration” group, allowing members of the group to create and delete customer information. By providing a flexible way of assigning permissions using groups and roles, PLM 360 enforces the principle of least privilege, which requires that each user’s access to data and functionality be limited to what is needed for the completion of assigned tasks.
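The role/group model described above, written out as a small working example. This is added illustration, not PLM 360 code: the role, group, user and permission names (“Customer Details”, “Customer Registration”, `customer:view` and so on) are constructed, and the permission-string scheme and the `access_report` helper are this example’s own choices.

```python
# Added example (not PLM 360 code): roles as permission sets, groups as
# user collections, and roles bound to groups, as the section describes.
# All role, group, user and permission names are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset  # permission strings such as "customer:view"


class AccessDirectory:
    """Minimal role/group model with an authorization check."""

    def __init__(self):
        self.roles = {}        # role name -> Role
        self.groups = {}       # group name -> set of user ids
        self.group_roles = {}  # group name -> set of role names

    def create_role(self, name, permissions):
        self.roles[name] = Role(name, frozenset(permissions))

    def create_group(self, name, members=()):
        self.groups[name] = set(members)
        self.group_roles.setdefault(name, set())

    def assign_role(self, group, role):
        # Binding a role to a group is the only way permissions reach users,
        # so every grant is traceable to a group membership and a role.
        if role not in self.roles or group not in self.groups:
            raise KeyError("unknown role or group")
        self.group_roles[group].add(role)

    def permissions_of(self, user):
        """Effective permissions: union over the roles of every group the user is in."""
        granted = set()
        for group, members in self.groups.items():
            if user in members:
                for role in self.group_roles[group]:
                    granted |= self.roles[role].permissions
        return frozenset(granted)

    def is_allowed(self, user, permission):
        return permission in self.permissions_of(user)

    def access_report(self, user):
        """What an administrator would review: groups, roles and resulting rights."""
        groups = sorted(g for g, m in self.groups.items() if user in m)
        roles = sorted({r for g in groups for r in self.group_roles[g]})
        return {"groups": groups, "roles": roles,
                "permissions": sorted(self.permissions_of(user))}


def build_example_directory():
    """The worked example from the text: a 'Customer Details' role granted to a
    'Customer Registration' group, plus a view-only role for support staff."""
    d = AccessDirectory()
    d.create_role("Customer Details", ["customer:view", "customer:add", "customer:delete"])
    d.create_role("Customer Support", ["customer:view"])  # least privilege: view only
    d.create_group("Customer Registration", ["alice", "bob"])
    d.create_group("Support Desk", ["carol"])
    d.assign_role("Customer Registration", "Customer Details")
    d.assign_role("Support Desk", "Customer Support")
    return d


if __name__ == "__main__":
    directory = build_example_directory()
    print(directory.access_report("alice"))
    print(directory.is_allowed("carol", "customer:delete"))  # False
```

The point of routing every grant through a group-to-role binding is that a user’s effective rights can always be explained by listing their groups and those groups’ roles, which is exactly the view an administrator needs when checking that least privilege holds.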

Accessing Security Information

Administrators can view a wide range of security information, including group membership, workspace permissions assigned to users, and revision control settings.

Monitoring and Auditing User Activity

PLM 360 enforces accountability by making detailed activity logs available to administrators. Activity logs provide information about the actions performed by users, including workspace item modifications, workflow actions, and logins.

Restricting Access

PLM 360 allows administrators to create network access restrictions based on IP address white lists. PLM 360 also allows administrators to deny access to users who execute multiple unsuccessful login attempts.
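The two restrictions just described, an IP address allow list and lockout after repeated failed logins, combined in one login gate. This is an added example, not PLM 360 code; the network ranges, user names, attempt limit and lockout duration are constructed, and the current time is passed in explicitly so the behaviour can be reproduced.

```python
# Added example (not PLM 360 code): an IP allow list plus a failed-login
# lockout, the two restrictions the section describes. Network ranges, user
# names and thresholds are constructed; time is passed in explicitly so the
# behaviour is deterministic.
import ipaddress


class LoginGate:
    def __init__(self, allowed_networks, max_failures=5, lockout_seconds=900):
        self.allowed_networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # user -> consecutive failed attempts
        self._locked_until = {}  # user -> epoch seconds when the lock expires

    def ip_allowed(self, ip):
        """True when the client address falls inside any allowed network."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed_networks)

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # Lock expired: clear it and the failure counter that triggered it.
        del self._locked_until[user]
        self._failures.pop(user, None)
        return False

    def attempt(self, user, ip, password_ok, now):
        """Evaluate one login attempt. The IP check runs first, so a request from
        a blocked network never reaches credential checking or lockout accounting."""
        if not self.ip_allowed(ip):
            return "denied_ip"
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "bad_password"


def run_scenario():
    """Constructed scenario: one request from outside the allow list, then
    five wrong passwords, then a correct password during and after the lock."""
    gate = LoginGate(["10.0.0.0/8", "198.51.100.0/24"], max_failures=5, lockout_seconds=900)
    results = [gate.attempt("alice", "203.0.113.7", True, now=0)]          # outside allow list
    results += [gate.attempt("alice", "198.51.100.20", False, now=t) for t in range(1, 6)]
    results.append(gate.attempt("alice", "198.51.100.20", True, now=100))   # still locked
    results.append(gate.attempt("alice", "198.51.100.20", True, now=1000))  # lock expired
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Note that a correct password presented while the account is locked is still refused; the lock is time-based, not cleared by a later success, which is what makes the control effective against a guessing loop that eventually lands on the right value.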

User Controls

Users can control access to workspace items, reports, and files they own subject to administrative restrictions. Users can also use file versioning to restore old versions of files they have attached to workspace items.


Setting Access Controls on Data

Users can grant access to their workspace items by modifying an item’s ownership list. Adding an owner to a workspace item allows the additional owners to view and edit the item. Access to reports can be granted to other users or groups by the report owner.

Versioning File Attachments

PLM 360 maintains a version history for files that have been attached to workspace items. When an attachment is checked out, modified, and checked in, a new version of the attachment is created and a change record is added to the version history. Versioning protects the integrity of data by allowing invalid changes to be rolled back and provides an auditable list containing information about each file modification.
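A worked model of the check-out / check-in history just described, which also covers the phase-based modification windows from the Revision Control section above. This is an added example, not PLM 360 code; the lifecycle phases, roles, file names and contents are constructed, and the choice to record a rollback as a new version (rather than deleting later ones) is this example’s own design.

```python
# Added example (not PLM 360 code): a check-out / check-in version history
# with rollback, the mechanism described under Revision Control and Versioning
# File Attachments. Lifecycle phases, roles and file contents are constructed.
import hashlib
from datetime import datetime, timezone


class VersionedAttachment:
    """Every check-in appends an immutable version; a rollback appends a new
    version whose content is an earlier one, so the audit trail is never rewritten."""

    def __init__(self, name, content, user):
        self.name = name
        self.versions = []         # change records, oldest first
        self.checked_out_by = None
        self._record(content, user, "create")

    def _record(self, content, user, action, note=""):
        self.versions.append({
            "rev": len(self.versions) + 1, "user": user, "action": action, "note": note,
            "sha256": hashlib.sha256(content).hexdigest(), "content": content,
            "at": datetime.now(timezone.utc).isoformat(timespec="seconds")})

    def check_out(self, user):
        # A check-out is an exclusive lock: a second user must wait for check-in.
        if self.checked_out_by not in (None, user):
            raise PermissionError(f"{self.name} is checked out by {self.checked_out_by}")
        self.checked_out_by = user

    def check_in(self, user, content, note=""):
        if self.checked_out_by != user:
            raise PermissionError("check-in requires a check-out by the same user")
        if content != self.current()["content"]:
            self._record(content, user, "modify", note)
        self.checked_out_by = None

    def rollback(self, user, rev, note="rollback"):
        target = next(v for v in self.versions if v["rev"] == rev)
        self._record(target["content"], user, "rollback", f"{note} to rev {rev}")

    def current(self):
        return self.versions[-1]

    def history(self):
        """The auditable list: revision, who, what, and a content digest."""
        return [(v["rev"], v["user"], v["action"], v["sha256"][:12]) for v in self.versions]


class ModificationWindow:
    """Phase-based restriction: only the listed roles may change items in a phase."""
    ALLOWED = {"design": {"designer"}, "review": {"reviewer"}, "released": set()}

    def can_modify(self, phase, role):
        return role in self.ALLOWED.get(phase, set())


def demo():
    window = ModificationWindow()
    att = VersionedAttachment("bracket.step", b"v1 geometry", "alice")
    att.check_out("alice")
    att.check_in("alice", b"v2 geometry", "thicker flange")
    att.check_out("bob")
    att.check_in("bob", b"v3 geometry (bad)", "accidental edit")
    att.rollback("alice", 2)  # restore the known-good geometry as a new version
    return {"current_is_v2": att.current()["content"] == b"v2 geometry",
            "revisions": [h[0] for h in att.history()],
            "designer_in_design": window.can_modify("design", "designer"),
            "designer_in_released": window.can_modify("released", "designer")}


if __name__ == "__main__":
    print(demo())
```

Recording the rollback as revision 4 rather than discarding revision 3 is what keeps the history auditable: the bad change, who made it, and who reverted it all remain visible.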

Secure Software Development Process

The design, coding, and testing of PLM 360 is based on a software development process that explicitly guards against security vulnerabilities and enforces compliance with stringent availability requirements. During the design stage, detailed design documents are produced and are reviewed by security architects. During implementation, code reviews by software engineers and security architects are conducted to detect deviations from secure application development practices. The secure application development practices used to implement PLM 360 include:

• Encoding data to minimize the possibility of cross site scripting, SQL-injection, and other exploits that rely on un-validated input.

• Excluding sensitive information from HTTP GET requests so that confidential data cannot be viewed over a network or cached by a Web browser.

• Transmitting session cookies containing sensitive information over an SSL-secured channel.

• Use of extensive caching throughout the system to increase performance and availability.

• Setting appropriate timeouts when establishing network connections to limit the possibility of thread pool exhaustion.

• Processing data asynchronously to keep the user interface highly available.
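The first practice in the list, encoding data so that unvalidated input cannot become script or SQL, shown as a vulnerable form beside its hardened form. This is an added example and not PLM 360 code; the in-memory table, its rows and the probe inputs are constructed for illustration.

```python
# Added example (not PLM 360 code): the first practice in the list, shown as a
# vulnerable form beside its hardened form. Output encoding neutralises markup
# in user-supplied text, and a parameterised query keeps user input out of the
# SQL grammar. The table, rows and inputs are constructed.
import html
import sqlite3


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def find_user_unsafe(conn, name):
    # Input is spliced into the statement text, so quotes in `name` change
    # the query's meaning. Kept only to contrast with the safe form below.
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(conn, name):
    # The driver binds `name` as a value; it can never become SQL syntax.
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def render_comment_unsafe(text):
    return f"<p>{text}</p>"


def render_comment_safe(text):
    # Encode for the HTML text context; quote=True also covers attribute values.
    return f"<p>{html.escape(text, quote=True)}</p>"


def demo():
    conn = open_sample_db()
    probe = "' OR '1'='1"          # textbook test string for unvalidated input
    markup = "<script>alert(1)</script>"
    return {
        "unsafe_rows": len(find_user_unsafe(conn, probe)),  # every row comes back
        "safe_rows": len(find_user_safe(conn, probe)),      # no user has that name
        "unsafe_html": render_comment_unsafe(markup),
        "safe_html": render_comment_safe(markup),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The same probe string returns both rows from the string-built query and none from the parameterised one, and the encoded comment renders the tag as visible text instead of executing it; a pre-production test suite of the kind the next paragraph describes is where such probes belong.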

Security tests that execute common exploits are run in pre-production environments to detect gaps in the use of secure application development practices. To maintain a high level of availability, performance and load tests are also executed prior to each code release. Key members of the PLM 360 leadership team must sign off on test results before a release can be deployed to production.

Network Security

Network security is enforced using a combination of physical and logical controls, including encryption, firewalls, and systems hardening procedures.


Encryption of Data in Transit

Network traffic containing sensitive information, such as credentials, access tokens and user profiles, is encrypted with SSL using strong ciphers. Application session information that is transmitted using cookies is also sent over an SSL-secured channel.

Encryption of Data at Rest

Customer data is encrypted at rest and encryption keys are encrypted and regularly rotated. Passwords are salted and stored as SHA-1 hashes.

Firewalls

Stand-alone firewalls are deployed at the perimeter of the cloud in a redundant, high-availability configuration and host-based firewalls examine traffic within the PLM 360 network. All ports except those required to serve customer requests are blocked and stateful packet inspection is used to prevent the establishment of invalid connections.

Private VLANs

The network architecture used by PLM 360 makes use of private VLANs to isolate functionally independent groups of cloud resources, such as database servers and HTTP servers. These measures reduce the risk of a compromised network node threatening confidentiality throughout the cloud. Traffic passing between private VLANs must go through a router that prevents a compromised node from faking traffic to nodes outside its VLAN or eavesdropping on traffic that is not intended for the VLAN to which it belongs.

Intrusion Detection Systems

Dedicated Intrusion Detection Systems (IDSs) inspect network traffic in real-time, comparing incoming requests with previous requests to check for patterns that indicate malicious activity. For example, repeated requests for a protected URL that use different query string parameters may indicate that unauthorized access attempts are being executed. PLM 360 IDSs are configured to detect this pattern and to automatically notify Operations personnel upon detection. In some cases, a specific threat pattern will trigger IDS rules that block further access to the targeted resource.
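The detection rule given as the example above, run over a handful of access-log lines. This is added detection logic, not the PLM 360 IDS configuration; the log lines, client addresses, the `/api/` protected prefix and the alert threshold are all constructed for illustration.

```python
# Added example (not PLM 360 code): the detection rule the section describes,
# run over constructed access-log lines: repeated requests from one client to
# a protected URL that differ only in their query string. Paths, addresses,
# timestamps and the threshold are constructed for illustration.
import re
from collections import defaultdict

# Constructed sample log lines in a common combined-log style.
SAMPLE_LOG = """\
203.0.113.9 - - [12/Nov/2013:10:01:03 +0000] "GET /api/items?id=101 HTTP/1.1" 403 0
203.0.113.9 - - [12/Nov/2013:10:01:04 +0000] "GET /api/items?id=102 HTTP/1.1" 403 0
203.0.113.9 - - [12/Nov/2013:10:01:05 +0000] "GET /api/items?id=103 HTTP/1.1" 403 0
203.0.113.9 - - [12/Nov/2013:10:01:06 +0000] "GET /api/items?id=104 HTTP/1.1" 403 0
203.0.113.9 - - [12/Nov/2013:10:01:07 +0000] "GET /api/items?id=105 HTTP/1.1" 200 512
198.51.100.20 - - [12/Nov/2013:10:01:08 +0000] "GET /api/items?id=7 HTTP/1.1" 200 480
198.51.100.20 - - [12/Nov/2013:10:01:09 +0000] "GET /static/app.js HTTP/1.1" 200 9001
198.51.100.20 - - [12/Nov/2013:10:01:10 +0000] "GET /api/items?id=7 HTTP/1.1" 200 480
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+')

PROTECTED_PREFIXES = ("/api/",)  # constructed: which URLs count as protected


def parse_line(line):
    """Return the fields the rule needs, or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {"ip": m.group("ip"), "path": path, "query": query,
            "status": int(m.group("status"))}


def detect_parameter_probing(log_text, threshold=4):
    """Flag (client, path) pairs on protected URLs that were requested with at
    least `threshold` distinct query strings. Denied responses are counted
    separately so the alert shows how much of the probing was rejected."""
    seen = defaultdict(set)      # (ip, path) -> distinct query strings
    denied = defaultdict(int)    # (ip, path) -> count of 401/403 responses
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PROTECTED_PREFIXES):
            continue
        key = (rec["ip"], rec["path"])
        seen[key].add(rec["query"])
        if rec["status"] in (401, 403):
            denied[key] += 1
    alerts = []
    for (ip, path), queries in seen.items():
        if len(queries) >= threshold:
            alerts.append({"client": ip, "path": path,
                           "distinct_queries": len(queries), "denied": denied[(ip, path)]})
    return alerts


if __name__ == "__main__":
    for alert in detect_parameter_probing(SAMPLE_LOG):
        print(alert)
```

On the sample, the client cycling through `id=101..105` is flagged with four denials and one success, while the legitimate user, who requests the same object twice, is not; the `denied` count is what tells the responder whether the final request actually reached something it should not have.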

Operating System Hardening

Security policy dictates that new virtual instances be provisioned with a hardened guest operating system that has been extensively customized by the Operations team. Default services and settings that may jeopardize confidentiality are removed or changed so that the installation is strengthened against attack. For example, unnecessary administrator and guest accounts are removed. Security policy also requires that temporary file systems be configured with highly restrictive access controls. In this way, the possibility of an attacker installing executable code on temporary file systems is eliminated. Other types of software are also specially configured to reduce security risks. The installation and configuration of HTTP servers, application servers, database servers, and other software that could be exploited by an attacker is subject to configuration checklists that define detailed hardening procedures.

Hypervisor Hardening

PLM 360 runs on virtual computing resources that are allocated and monitored by a hypervisor. The hypervisor divides hardware, including disk devices, memory, and CPU cores, into virtual instances onto which guest operating systems are installed. Although virtualization provides powerful benefits, such as the ability to pool computing resources in an efficient way, it increases the number of options an attacker can use to access confidential information and conduct other malicious activity. For example, an attacker who gains access to a guest operating system could attempt to exploit an un-hardened hypervisor to read network traffic meant for un-compromised instances that share the same network interface. To address this risk, an embedded firewall that prevents virtual instances from inspecting traffic meant for other instances sharing the same physical network interface is used. Hardening at the virtualization layer also restricts guest operating systems from accessing raw disk devices. Instead, a special virtual storage interface is exposed that protects un-compromised shared storage from being accessed by a compromised instance. Hypervisor hardening configurations recommended by the Center for Internet Security (CIS) are also implemented, including the use of a central directory server for authenticating access to hypervisor administration functionality. Default hypervisor services that could compromise security, such as file and clipboard sharing, are disabled.

Virus and Malware Protection

All workstations and devices used by Autodesk personnel are required to have strong virus and malware protections that guard against the local installation of malicious code and its transmission to remote systems. Virus and malware protection is also installed on servers throughout the cloud. Anti-virus and anti-malware agents perform real-time scans using definitions that are updated daily.

Security Scans

The Operations team conducts internal security scans of PLM 360 services and infrastructure in addition to coordinating external scans with third-party security experts. Detailed reports that break down each security test by category and that quantify vulnerability levels are produced, reviewed, and if necessary, acted upon. Security scans address a wide range of vulnerabilities, including those defined by the Open Web Application Security Project (OWASP). Scan coverage includes:

• Code Injection Attacks - Scans are made to identify vulnerabilities that would allow an attacker to inject malicious code into a user’s device or the PLM 360 infrastructure. Tests that detect cross site scripting and SQL-injection vulnerabilities are included in security scans.

• Broken Authentication and Session Management - Scans are made to verify that user credentials and other sensitive session information are encrypted.


• Insecure Direct Object References - Scans are made to detect the exposure of internal identifiers that could be used by an attacker to gain unauthorized access to customer information.

• Security Misconfiguration - Scans are made to determine if security patches are current and insecure default configurations are disabled.

Logging and Monitoring

Extensive logging of user activity is performed throughout the cloud in order to maintain a high level of accountability and to record unauthorized attempts to access PLM 360 services and infrastructure. Detailed logs of network requests and hardware and software operations are captured at a highly granular level. When possible, logging levels that provide forensic-quality evidence are used. To facilitate a quick and effective response to security incidents, logs can be viewed by authorized personnel in real-time and extensively searched using keywords and regular expressions. Logs are stored using a tamper-proof method and only authorized Autodesk personnel can access log records.
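One way to make stored log records tamper-evident, together with the regular-expression search the paragraph mentions. This is an added example and does not describe how PLM 360 stores its logs: each record carries an HMAC over its own content and the previous record’s tag, so editing, deleting or reordering any record invalidates every tag after it. The key and the sample events are constructed.

```python
# Added example (not PLM 360 code): one way to make stored logs tamper-evident,
# as the section requires, plus the keyword/regex search it describes. Each
# record carries an HMAC over its content and the previous record's tag, so
# editing, deleting or reordering a record breaks every tag after it. The key
# and the sample events are constructed.
import hashlib
import hmac
import json
import re


class ChainedLog:
    def __init__(self, key):
        self._key = key          # held by the log service, never by log writers
        self.records = []

    def _tag(self, prev, event):
        body = json.dumps(event, sort_keys=True)
        return hmac.new(self._key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event):
        prev = self.records[-1]["tag"] if self.records else "0" * 64
        self.records.append({"event": event, "prev": prev, "tag": self._tag(prev, event)})

    def verify(self):
        """Return (True, None) or (False, index of the first record that fails)."""
        expected_prev = "0" * 64
        for i, rec in enumerate(self.records):
            if rec["prev"] != expected_prev:
                return False, i           # a record was removed or reordered
            if not hmac.compare_digest(self._tag(rec["prev"], rec["event"]), rec["tag"]):
                return False, i           # the record's content was altered
            expected_prev = rec["tag"]
        return True, None

    def search(self, pattern):
        """Regex search over the serialised events; returns matching indices."""
        rx = re.compile(pattern)
        return [i for i, rec in enumerate(self.records)
                if rx.search(json.dumps(rec["event"], sort_keys=True))]


def build_sample_log():
    """Constructed events; the key is a demo value, not a real secret."""
    log = ChainedLog(key=b"constructed-demo-key")
    log.append({"user": "alice", "action": "login", "ip": "198.51.100.20", "ok": True})
    log.append({"user": "mallory", "action": "login", "ip": "203.0.113.9", "ok": False})
    log.append({"user": "alice", "action": "item.update", "item": "WS-1042"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify())                       # (True, None)
    log.records[1]["event"]["ok"] = True      # simulate an after-the-fact edit
    print(log.verify())                       # (False, 1)
```

Because the tag is keyed, an intruder who can write to the log store but does not hold the key cannot recompute a consistent chain after an edit; keeping the key with the log service rather than the application hosts is the separation that gives the scheme its value.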

The Operations team monitors log records to detect behavior that threatens restrictions defined by identity and access management policy. Monitoring occurs throughout the cloud to detect unauthorized attempts to access firewalls, networks, database servers, and other software and hardware infrastructure. Customer-facing cloud services are also monitored to detect attacks that attempt to access login forms, password-reminder functionality, and other sensitive URLs. Logs are regularly mined by automatic processes so that threats can be proactively addressed.

Processes that monitor availability metrics are continuously run to detect performance degradation that could negatively impact availability. Resources such as CPU and memory are also monitored at all times and alarms are in place to notify Operations personnel if usage exceeds thresholds. In addition, common user-facing functionality is executed by automated tools so that response times can be logged. These logs are monitored to compare response times with thresholds. If a threshold is exceeded, on-call support staff is notified and an incident is opened. To keep logging and monitoring processes from adding load to the systems that support customer requests, log archives are physically separated from customer data. Queries and other requests executed against log data do not use resources that have been allocated to customer-facing functionality.

High Availability

PLM 360 is designed to achieve a high level of availability by employing redundant systems and distributing load across a dynamically scalable fleet of instances. In addition, network optimization technologies are used to minimize load on origin infrastructure.

Clustering

Clustering technology keeps PLM 360 highly available by limiting single points of failure and directing service requests away from instances that are highly utilized. Infrastructure components, including HTTP servers and application servers, are deployed in clusters and accessed through load balancers that can automatically allocate new instances if increased load threatens to negatively impact availability.

Network Optimization

Network optimization technologies are used by PLM 360 so that requests for static content can be off-loaded from origin infrastructure. PLM 360 uses high-performance caching technology that delivers frequently-used content, such as JavaScript and CSS, from dedicated resources close to the customer. Additionally, TCP optimizations and proprietary network protocols are used to minimize the number of round-trips needed for each network request. These optimizations increase the amount of load that can be handled by cloud infrastructure and minimize the risk of unplanned infrastructure adjustments that could cause service interruptions.

Disaster Recovery

PLM 360 disaster recovery plans cover a wide range of contingencies, including power failures, ISP outages, and natural disasters. In addition to developing and implementing disaster recovery technology and procedures, the Operations team regularly tests the effectiveness of the disaster recovery plan by verifying that access to PLM 360 can be maintained after a simulated infrastructure failure.

Data Replication

Replication of customer data is performed between data centers in different regions using asynchronous block-level data transfers over a private, low-latency link. Replication limits the possibility of data loss or a delay in service resumption if fail-over to a backup data center is required.

Geographic Redundancy

Identical physical infrastructures are maintained in regionally isolated data centers to provide protection against events such as natural disasters.

Power System Redundancy

Redundant electrical power systems are installed in data centers to maintain operations 24 hours a day, seven days a week. Uninterruptible Power Supplies (UPSs) automatically provide backup to primary electrical systems in the event of a failure. Generators at each data center provide long-term backup power if an outage occurs.

Internet Connectivity Redundancy

A redundant multi-vendor system is used to maintain Internet connectivity.


Fail-Over Testing

Fail-over testing simulates the effects of different types of hardware and software failures to confirm that fault tolerant systems work as expected. Fail-over testing provides a high level of confidence that customers can continue to access functionality and data even if significant parts of the PLM 360 infrastructure are unavailable. The ability to quickly switch between redundant components, including databases, virtual instances, and data centers, is thoroughly vetted by these tests. Fail-over tests are regularly executed and are also scheduled after significant infrastructure and application changes.

Physical Infrastructure Security

PLM 360 runs in secure data centers that are protected from unauthorized access and environmental hazards by a range of security controls.

Facilities Access Control

Data centers are guarded 24 hours a day, seven days a week by professional security staff. The perimeter of each data center as well as rooms that contain computing and support equipment are protected by video surveillance and other intrusion detection systems. Video surveillance is preserved on secure digital media that allows recent activity to be viewed on demand. Data center entrances are guarded by mantraps that restrict access to a single person at a time. All visitors and contractors must present identification to be admitted and are escorted by authorized personnel at all times. Only employees with a legitimate business need are provided with data center access and all visits are logged electronically and routinely audited.

Fire Prevention

Fire detection and suppression systems, such as smoke alarms and heat-activated wet pipes, are installed throughout each data center to guard rooms containing computing equipment and support systems. Fire detection sensors are installed in the ceiling and underneath a raised floor.

Climate Controls

Data center climate controls protect servers, routers, and other equipment subject to failure if strict environmental ranges are violated. Monitoring by both systems and personnel is in place to prevent dangerous conditions, such as overheating, from occurring. Adjustments that keep temperature and other environmental measurements within acceptable ranges are made automatically by control systems.

File Integrity Monitoring System

The integrity of critical files is validated in real-time using a comprehensive file integrity monitoring system that addresses issues such as inconsistent manual changes to file content and permissions. Verification methods support the calculation of MD5 and SHA checksums based on file data and attributes. Verification is done across a wide range of attributes, including file and directory ownership, access time, and modification time.
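A baseline-and-compare integrity check of the kind described above, covering a content digest plus the ownership, permission, size and modification-time attributes the paragraph lists. This is an added example, not the monitoring product PLM 360 uses: it runs over a constructed temporary directory tree, uses SHA-256 in place of the MD5/SHA checksums mentioned, and the set of watched `stat` fields is this example’s own choice (access time is deliberately left out, since reading a file to hash it changes it).

```python
# Added example (not PLM 360 code): a baseline-and-compare file integrity
# check of the kind the section describes, covering content digests and the
# ownership, permission, size and modification-time attributes it lists. Runs
# on a constructed temporary tree; SHA-256 stands in for the checksums mentioned.
import hashlib
import os
import tempfile

# st_atime is not watched: hashing a file reads it, which would change atime.
WATCHED_ATTRS = ("st_uid", "st_gid", "st_mode", "st_size", "st_mtime_ns")


def fingerprint(path):
    """Content digest plus the watched stat attributes for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), **{a: getattr(st, a) for a in WATCHED_ATTRS}}


def take_baseline(root):
    """Map every regular file under root (relative, '/'-separated) to its fingerprint."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def compare(baseline, current):
    """Report added, removed and changed files; for changed files, which fields."""
    report = {"added": sorted(set(current) - set(baseline)),
              "removed": sorted(set(baseline) - set(current)),
              "changed": {}}
    for path in set(baseline) & set(current):
        diff = sorted(k for k in baseline[path] if baseline[path][k] != current[path][k])
        if diff:
            report["changed"][path] = diff
    return report


def demo():
    """Constructed scenario: baseline a small tree, then edit one file,
    loosen permissions on another, add a file and remove a third."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in (("etc/app.conf", b"debug=false\n"),
                           ("bin/run.sh", b"#!/bin/sh\necho ok\n"),
                           ("etc/old.conf", b"x=1\n")):
            full = os.path.join(root, name)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
            os.chmod(full, 0o640)
        baseline = take_baseline(root)

        with open(os.path.join(root, "etc/app.conf"), "wb") as f:
            f.write(b"debug=true\n")                      # content change
        os.chmod(os.path.join(root, "bin/run.sh"), 0o777)  # permission change only
        with open(os.path.join(root, "tmp.bin"), "wb") as f:
            f.write(b"\x00")                              # unexpected new file
        os.remove(os.path.join(root, "etc/old.conf"))      # unexpected removal
        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The permission-only change on `bin/run.sh` is reported with an unchanged digest, which is the case a content-only checksum would miss and the reason the paragraph lists attributes alongside file data.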

Change Management Integrity Controls

The consistent deployment of code and configuration versions across a range of redundant systems is required for the maintenance of a cloud computing platform. Updates to PLM 360 are deployed using technology that enforces the consistent execution of installation instructions throughout the cloud. Deployment targets known as nodes, which include physical servers and virtual instances, are registered in centralized deployment servers. The deployment servers also contain installation instructions that govern how a deployment is executed. Nodes can be addressed individually or grouped together in a highly flexible way. During deployment, if an installation action fails on a single node, the deployment can be rolled back across all affected nodes to a previous consistent state.
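A small model of the deployment behaviour just described: nodes registered centrally with a group label, a release applied to a group, and a rollback of every affected node when one installation fails. This is an added example rather than PLM 360’s deployment tooling; the node names, versions, package bytes and the per-node digest check that triggers the failure are constructed.

```python
# Added example (not PLM 360 code): the deployment behaviour the section
# describes, as a small model. Nodes are registered centrally with a group
# label, a release is applied to a group, and if any node fails the whole
# group is returned to the previous consistent state. Nodes, versions and
# the failure are constructed.
import hashlib


class Node:
    def __init__(self, name, group, version):
        self.name, self.group = name, group
        self.state = {"version": version, "config": {"workers": 4}}
        self.history = []  # prior states, newest last

    def install(self, release, expected_digest):
        """Apply a release after checking the package digest on this node."""
        if hashlib.sha256(release["package"]).hexdigest() != expected_digest:
            raise RuntimeError(f"{self.name}: package digest mismatch")
        self.history.append({"version": self.state["version"],
                             "config": dict(self.state["config"])})
        self.state = {"version": release["version"], "config": dict(release["config"])}

    def rollback(self):
        if self.history:
            self.state = self.history.pop()


class DeploymentServer:
    def __init__(self):
        self.nodes = {}

    def register(self, node):
        self.nodes[node.name] = node

    def select(self, group):
        return [n for n in self.nodes.values() if n.group == group]

    def deploy(self, group, release, expected_digest, packages=None):
        """Install on every node of the group; roll all of them back on the first
        failure. `packages` lets the demo hand one node a corrupted copy."""
        done = []
        for node in self.select(group):
            pkg = dict(release, package=(packages or {}).get(node.name, release["package"]))
            try:
                node.install(pkg, expected_digest)
                done.append(node)
            except RuntimeError as err:
                for n in done:
                    n.rollback()
                return {"ok": False, "error": str(err),
                        "versions": {n.name: n.state["version"] for n in self.select(group)}}
        return {"ok": True, "versions": {n.name: n.state["version"] for n in self.select(group)}}


def demo(corrupt_node="app-3"):
    server = DeploymentServer()
    for name in ("app-1", "app-2", "app-3"):
        server.register(Node(name, "app", "2.4.0"))
    server.register(Node("db-1", "db", "9.1"))       # different group, untouched
    package = b"release-2.5.0-bytes"                 # constructed package payload
    release = {"version": "2.5.0", "package": package, "config": {"workers": 8}}
    digest = hashlib.sha256(package).hexdigest()
    packages = {corrupt_node: b"corrupted"} if corrupt_node else {}
    return server.deploy("app", release, digest, packages)


if __name__ == "__main__":
    print(demo())                   # rolled back: all app nodes still 2.4.0
    print(demo(corrupt_node=None))  # all app nodes at 2.5.0
```

The invariant the example enforces is that every node in the group ends the deployment at the same version, either all new or all old; a partially upgraded fleet behind a load balancer is the state the paragraph’s rollback is meant to prevent.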

Resources

The following resources provide general information about Autodesk and other topics referenced in the main section of this document.

• Autodesk - To view information about Autodesk, visit http://www.autodesk.com.

• Center for Internet Security - To view information about the Center for Internet Security (CIS), visit http://www.cisecurity.org.

• The Open Web Application Security Project - To view information about the Open Web Application Security Project (OWASP), visit https://www.owasp.org.


Glossary

Autodesk 360 - Autodesk 360 is the cloud computing platform that powers many of Autodesk’s SaaS offerings, including Buzzsaw, BIM 360 Glue, PLM 360, and Simulation 360 Pro.

Caching - Caching allows frequently-accessed data and content, such as HTML pages, to be stored in an intermediate location so that multiple requests can be served without re-executing the operations required to service the initial request.

Checksum - A checksum is a small data value computed from a block of source data. The checksum is used to detect errors that may have been introduced when the source data was transmitted or stored.

Cross Site Scripting - Cross site scripting (XSS) is a type of code-injection attack that attempts to inject malicious script into resources that are accessed by the attack target. When a compromised resource, such as an HTML page, is loaded by a user’s Web client, the malicious code tries to gain access to sensitive information stored on the client, such as session keys and email addresses. Once accessed, the information can be sent to an untrusted Web site or otherwise used in a harmful way.

Elastic Scalability - Elastic scalability is a key feature of cloud computing that allows resources to be dynamically allocated when increased load is detected and dynamically deallocated in response to reduced activity. Elastic scalability keeps customer costs closely aligned with resource use and provides a high level of availability by mitigating usage spikes.

Firewall - A firewall is software or hardware that applies a named set of rules to the network packets it monitors and executes actions associated with matching rules. Firewalls apply rules as network transmissions arrive, attempting to match each rule to specific data, such as packet headers. If a rule matches a data pattern, one or more actions, such as dropping or redirecting the packet, are executed. Firewalls provide a way to keep unauthorized or malformed data from being transmitted between nodes on a network.

Guest Operating System - A guest operating system runs on a virtual instance that is managed by a hypervisor. The requests for hardware resources issued by the guest operating system must pass through the hypervisor. Multiple guest operating systems can run concurrently on a single physical computer through the use of a hypervisor.

Hypervisor - A hypervisor is software or hardware that allocates computing hardware between guest operating systems and controls requests by guest operating systems for hardware resources. A hypervisor allows multiple guest operating systems to run concurrently on a single physical computer.

Identity and Access Management - Identity and access management (IAM) is the policy of creating identities and permissions for users who must access an information system.

Instance - An instance is a running software process, such as a database server or an operating system.

Least Privilege - Least privilege is a principle that requires each information system user be assigned the most limited set of permissions consistent with the execution of his or her responsibilities. Least privilege enforces confidentiality within an information system and is dependent on identity and access management policy.

Origin - In a content caching infrastructure, the origin consists of computing resources that process an initial request for application functionality or data. The origin serves content, such as HTML pages and images, that can be cached by the content caching infrastructure. Reducing requests to origin is important when optimizing the computing resources used by an information system.

SSL - Secure Sockets Layer (SSL) is a technology allowing data to be encrypted for confidential transmission over a network.

Service - A service is a related set of functionality delivered over a network. Services can be customer-facing, as in the case of PLM 360, or limited to consumption by other higher-level services.

Single Sign-On - Single sign-on (SSO) provides a way to seamlessly authenticate users across different but related services. SSO functionality allows users to access services in tandem without repeated prompts for credentials.

Software as a Service - Software as a Service (SaaS) is a model of software delivery that uses cloud computing to enable access to rich sets of functionality over a network.

Stateful Packet Inspection - Stateful packet inspection provides a way for firewalls to track network packets over time. By tracking the state of packets, rules can be defined that limit network access based on connection properties in addition to individual packet properties.

Virtual Instance - A virtual instance is a set of virtual hardware resources onto which an operating system can be installed. Multiple virtual instances can be run concurrently on the same physical computer. Virtual instances are also referred to as virtual machines or simply “instances.”

Virtualization - Virtualization is the concept of splitting a pool of hardware resources, such as memory, CPU, and storage, into “virtual” devices that can be allocated efficiently and dynamically between guest operating systems.


Autodesk, Autodesk Buzzsaw®, BIM 360™ Glue®, Sim 360™ Pro, and the Autodesk logo are registered trademarks or trademarks of Autodesk, Inc., and/or its subsidiaries and/or affiliates in the USA and/or other countries. All other brand names, product names, or trademarks belong to their respective holders. Autodesk reserves the right to alter product and services offerings, and specifications and pricing at any time without notice, and is not responsible for typographical or graphical errors that may appear in this document. © 2013 Autodesk, Inc. All rights reserved.