RS Production is delivered as a cloud service with Microsoft Azure as the cloud provider. All infrastructure runs on Microsoft Azure.

Microsoft Azure holds the certifications listed at http://azure.microsoft.com/en-us/support/trust-center/compliance/

Configuration

This section describes the current configuration and deployment of the RS Production cloud service in Azure. The configuration is checked and maintained using Azure Security Center (see 4. Security).

Azure deployment overview

A logical view of the current deployment:

Clients reach the application servers over standard protocols, primarily HTTPS (see Customer to Azure communication for the HTTP fallback).

  • Azure is used as infrastructure-as-a-service: the servers are virtual machines in Azure.

  • Each application server hosts between 4 and 16 customers.

  • Each customer has its own Windows service running on the application server.

  • All data is stored in SQL Server, with one database per customer.

Application servers

OS: Windows Server (2012 - 2019) Datacenter
Responsibility: Hosts the RS Production service (server software). Communicates with clients over HTTPS, or over HTTP as a fallback if the customer's firewall does not allow HTTPS.

Database servers

OS: Windows Server (2012 - 2019) Datacenter
Responsibility: Hosts Microsoft SQL Server. Communicates with the application servers over the internal LAN in Azure only; no ports are open to the Internet.

Database isolation

Every installation is fully isolated in its own database: two customers' data is never stored in the same database.

Customer to Azure communication

The RS Production client always tries HTTPS first and falls back to HTTP if that fails. If the customer's or factory's firewall allows HTTPS (encrypted HTTP), the RS Production servers in Azure communicate over HTTPS, otherwise over HTTP. Traffic over the HTTP fallback is not encrypted in transit.

The RS Production mobile app always communicates over HTTPS.
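The connection policy described above, written out as an added Python example (this is not RS Production's client code): HTTPS is tried first, and HTTP is used only when port 443 is unreachable, which is the firewall case the page describes, never when the TLS handshake or certificate check fails, and only for sites that have explicitly allowed plaintext. Every downgrade is recorded so operators can see which sites are running unencrypted. The transports, host names and the `allow_plaintext_fallback` switch are constructed stand-ins and assumptions for this example.

```python
import logging
import socket
import ssl
from dataclasses import dataclass, field
from typing import Callable, Dict, List

log = logging.getLogger("rs-production-client")

# Failures that mean port 443 is simply unreachable (for example outbound HTTPS
# closed in the factory firewall). Only these justify trying plaintext HTTP.
PORT_BLOCKED_ERRORS = (ConnectionRefusedError, TimeoutError, socket.timeout)


@dataclass
class ConnectResult:
    scheme: str         # "https" or "http"
    response: str       # whatever the transport returned (stand-in text here)
    downgraded: bool    # True when unencrypted HTTP was used


@dataclass
class DowngradeAudit:
    """Records every downgrade so operators can see which sites run plaintext."""
    events: List[str] = field(default_factory=list)


def connect_with_policy(
    host: str,
    transports: Dict[str, Callable[[str], str]],
    audit: DowngradeAudit,
    allow_plaintext_fallback: bool = False,
) -> ConnectResult:
    """HTTPS first; HTTP only for a blocked port and only if the site opted in.

    `transports` maps a scheme to a hypothetical connect function (an
    assumption for this example; real code would wrap an HTTP client).
    """
    try:
        return ConnectResult("https", transports["https"](host), downgraded=False)
    except ssl.SSLError as exc:
        # Port 443 answered but the TLS handshake or certificate check failed.
        # That is not a firewall problem and may be an interception attempt,
        # so never downgrade to plaintext here.
        log.error("TLS failure to %s, refusing plaintext fallback: %s", host, exc)
        raise
    except PORT_BLOCKED_ERRORS as exc:
        if not allow_plaintext_fallback:
            raise ConnectionError(
                f"HTTPS to {host} blocked ({type(exc).__name__}); "
                "plaintext fallback is disabled for this site"
            ) from exc
        audit.events.append(f"downgrade host={host} reason={type(exc).__name__}")
        log.warning("HTTPS to %s blocked, falling back to unencrypted HTTP", host)
        return ConnectResult("http", transports["http"](host), downgraded=True)


# Constructed stand-in transports (no network is used) for the site profiles.
def https_ok(host: str) -> str:
    return f"200 OK over TLS from {host}"


def https_port_blocked(host: str) -> str:
    raise ConnectionRefusedError(f"{host}:443 connection refused")


def https_bad_certificate(host: str) -> str:
    raise ssl.SSLCertVerificationError(1, "certificate verify failed")


def http_ok(host: str) -> str:
    return f"200 OK in plaintext from {host}"


def demo() -> Dict[str, object]:
    """Run the policy against four hypothetical factory sites."""
    audit = DowngradeAudit()
    open_site = connect_with_policy(
        "factory-a.example", {"https": https_ok, "http": http_ok}, audit, True)
    blocked_site = connect_with_policy(
        "factory-b.example", {"https": https_port_blocked, "http": http_ok}, audit, True)
    try:  # reachable 443 with an untrusted certificate: must not downgrade
        connect_with_policy(
            "factory-c.example", {"https": https_bad_certificate, "http": http_ok}, audit, True)
        tls_failure_refused = False
    except ssl.SSLError:
        tls_failure_refused = True
    try:  # blocked 443 at a site that has not opted in to plaintext
        connect_with_policy(
            "factory-d.example", {"https": https_port_blocked, "http": http_ok}, audit, False)
        optout_enforced = False
    except ConnectionError:
        optout_enforced = True
    return {
        "open_site": open_site,
        "blocked_site": blocked_site,
        "tls_failure_refused": tls_failure_refused,
        "optout_enforced": optout_enforced,
        "audit": audit.events,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The distinction between the two failure classes is the point: a refused or timed-out connection on 443 is what a closed firewall port looks like, whereas a TLS error means the port is open and something on the path presented an untrusted certificate, so a downgrade there would hand the session to whoever is intercepting it.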

Resilience

The standalone client works without an active connection to the server in Azure. Operators can keep working at the operator panels in production even when there is no connection; all data is stored locally until the connection is re-established and is then synced with the server.

  • No data is lost if the connection to the server is lost.

  • The client syncs all data once the server is reachable again.

Backups

Application servers

  • All servers are backed up with daily image snapshots with 7-day retention.

SQL servers

  • All servers are backed up with daily image snapshots with 7-day retention.

Databases

  • Full backups twice a day

  • Transaction log backups every hour
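What the database backup schedule above gives you in a restore is easiest to see by working through one. The following added Python example (not RS Production tooling) builds a constructed one-day schedule with the page's cadence, full backups twice a day and transaction-log backups every hour, selects the restore chain for a requested point in time, renders it as T-SQL, and computes the longest gap between backups, which is the most data that can be lost if a server is destroyed. The database name and backup paths are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Backup:
    kind: str            # "full" or "log"
    taken_at: datetime
    path: str            # hypothetical backup file location


def sample_schedule(day: datetime, db: str) -> List[Backup]:
    """Constructed one-day schedule matching the page: full backups at 00:00
    and 12:00, and a transaction-log backup every hour."""
    backups = []
    for hour in range(24):
        t = day + timedelta(hours=hour)
        if hour % 12 == 0:
            backups.append(Backup("full", t, f"/backup/{db}/{db}_full_{t:%Y%m%dT%H%M}.bak"))
        backups.append(Backup("log", t, f"/backup/{db}/{db}_log_{t:%Y%m%dT%H%M}.trn"))
    return backups


def restore_chain(backups: List[Backup], target: datetime) -> List[Backup]:
    """Latest full backup at or before `target`, then every log backup taken
    after it, up to and including the first one taken at or after `target`
    (that last log is the one restored with STOPAT)."""
    fulls = [b for b in backups if b.kind == "full" and b.taken_at <= target]
    if not fulls:
        raise ValueError("no full backup at or before the requested point in time")
    base = max(fulls, key=lambda b: b.taken_at)
    chain = [base]
    later_logs = sorted((b for b in backups if b.kind == "log" and b.taken_at > base.taken_at),
                        key=lambda b: b.taken_at)
    for lg in later_logs:
        chain.append(lg)
        if lg.taken_at >= target:
            break
    return chain


def recovery_point(chain: List[Backup], target: datetime) -> datetime:
    """The point in time the chain can actually reach: `target` if a log backup
    covers it, otherwise the time of the last available backup."""
    return target if chain[-1].taken_at >= target else chain[-1].taken_at


def restore_script(db: str, chain: List[Backup], target: datetime) -> str:
    """Render the chain as T-SQL: everything NORECOVERY except the final
    statement, which recovers the database at the reachable point in time."""
    stmts = [f"RESTORE DATABASE [{db}] FROM DISK = N'{chain[0].path}' WITH NORECOVERY, REPLACE;"]
    logs = chain[1:]
    for lg in logs[:-1]:
        stmts.append(f"RESTORE LOG [{db}] FROM DISK = N'{lg.path}' WITH NORECOVERY;")
    if not logs:
        stmts.append(f"RESTORE DATABASE [{db}] WITH RECOVERY;")
    elif logs[-1].taken_at >= target:
        stmts.append(f"RESTORE LOG [{db}] FROM DISK = N'{logs[-1].path}' "
                     f"WITH STOPAT = '{target:%Y-%m-%dT%H:%M:%S}', RECOVERY;")
    else:
        # No log backup reaches the target: the tail of the log is lost and
        # the database can only be recovered to the last log backup.
        stmts.append(f"RESTORE LOG [{db}] FROM DISK = N'{logs[-1].path}' WITH RECOVERY;")
    return "\n".join(stmts)


def max_exposure(backups: List[Backup]) -> timedelta:
    """Longest gap between consecutive backups of any kind: the most data that
    can be lost if the server is destroyed just before the next backup runs."""
    times = sorted({b.taken_at for b in backups})
    return max(later - earlier for earlier, later in zip(times, times[1:]))


if __name__ == "__main__":
    day = datetime(2024, 3, 1)
    schedule = sample_schedule(day, "customer_042")
    target = datetime(2024, 3, 1, 15, 20)
    chain = restore_chain(schedule, target)
    print(restore_script("customer_042", chain, target))
    print("worst-case data loss:", max_exposure(schedule))
```

With hourly log backups the worst-case loss on a destroyed database server is one hour of transactions; the twice-daily full backups only shorten the restore chain (at most twelve log files), they do not change that figure.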

Patching

Critical and security OS patches are applied weekly.

All server patching follows the alerts and recommendations from Azure Security Center, which alerts when a critical or security update has been published. Read more about Azure Security Center under 4. Security.

Security

For cloud security, hardening and policies we rely on Azure Security Center, which gives us recommendations and insights about current threats, configuration and patching. For endpoint security we use Microsoft Defender for Endpoint, included with Azure Defender for servers in Azure Security Center. Azure Security Center evolves continuously, helping us remediate new security recommendations as they are published.

Azure Security Center

https://azure.microsoft.com/en-us/services/security-center/

The threat detection and protection capabilities provided with Azure Defender for servers include:

  • Microsoft Defender for Endpoint for Windows - Provides comprehensive endpoint detection and response (EDR) capabilities. When Defender for Endpoint detects a threat, it triggers an alert, which is shown in Security Center. From Security Center you can also pivot to the Defender for Endpoint console and perform a detailed investigation to uncover the scope of the attack.

  • Vulnerability assessment scanning for VMs - The vulnerability scanner included with Azure Security Center is powered by Qualys. Qualys' scanner is one of the leading tools for real-time identification of vulnerabilities.

  • Just-in-time (JIT) virtual machine (VM) access - Threat actors actively hunt for accessible machines with open management ports, like RDP or SSH. Just-in-time VM access locks down inbound traffic to the VMs, reducing exposure to attacks while still providing easy access to the VMs when needed.

  • File integrity monitoring (FIM) - File integrity monitoring, also known as change monitoring, examines operating system files, the registry, application software and other files for changes that might indicate an attack. A comparison method determines whether the current state of a file differs from its last scan. Azure Defender for servers validates the integrity of Windows files, the Windows registry, and Linux files.

  • Adaptive application controls (AAC) - Adaptive application controls are an intelligent and automated solution for defining allow lists of known-safe applications for your machines.

    When you've enabled and configured adaptive application controls, you'll get security alerts if any application runs other than the ones you've defined as safe. 

  • Adaptive network hardening (ANH) - Adaptive network hardening uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to allow traffic only from specific IP/port tuples.

  • Docker host hardening - Azure Security Center identifies unmanaged containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers. Security Center continuously assesses the configurations of these containers. It then compares them with the Center for Internet Security (CIS) Docker Benchmark. Security Center includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers don't satisfy any of the controls.

  • Fileless attack detection (Windows only) - With fileless attack detection, automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors. The solution periodically scans the machines at runtime, and extracts insights directly from the memory of processes. Specific insights include the identification of:

    • Well-known toolkits and crypto mining software

    • Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.

    • Injected malicious executable in process memory

    Fileless attack detection generates detailed security alerts containing the descriptions with additional process metadata, such as network activity.

  • Linux auditd alerts and Log Analytics agent integration (Linux only) - The auditd system consists of a kernel-level subsystem responsible for monitoring system calls. Security Center integrates functionality from the auditd package within the Log Analytics agent. This integration enables collection of auditd events on all supported Linux distributions. Auditd records are collected, enriched, and aggregated into events by the Log Analytics agent for Linux. Similar to the Windows capabilities, these analytics cover suspicious processes, dubious sign-in attempts, kernel module loading, and other activities that can indicate a machine is under attack or has been breached.

Identity access management

Remote access

All administrative access to the servers is through VPN.

Personal information

The only personal data that RS Production stores is the RS Production user profile, which has mandatory fields for username and password. RS Production user accounts are managed by each customer and can easily be deleted. When a user account is deleted, all history of the personal data is erased once the database backup retention time has expired, which is currently 14 days (snapshot plus file backup).

Azure Active Directory

  • All servers are joined to a domain service

  • All users accessing the servers in Azure are registered in Azure AD

    • Password policies can be set in a central manner

  • All user and password information that cannot be registered in Azure AD is stored in a password manager (current vendor: 1Password).

RS Production

  • Passwords are stored encrypted in each customer database

  • Third-party authentication using federation will be supported - see future roadmap 8.1
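The page states that passwords are encrypted in each customer database. The check a practitioner would want is that stored credentials are a salted, slow, one-way hash rather than reversible encryption, since an encryption key that leaks together with the database yields every password. The following added Python example (not RS Production code, and no claim about how RS Production actually stores passwords) shows such a record format using PBKDF2-HMAC-SHA256 from the standard library: a random per-user salt, constant-time comparison on verification, and transparent re-hashing when the work factor is raised. The iteration count and record layout are assumptions for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ALGORITHM = "pbkdf2_sha256"
# Work factor is an assumption for this example; tune it to your hardware and
# raise it over time (existing records are upgraded on the next login).
DEFAULT_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    Storing the parameters in the record is what makes later upgrades possible."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DIGEST_BYTES)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def _parse(record: str) -> Optional[Tuple[int, bytes, bytes]]:
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return None
    try:
        return int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except ValueError:
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time, so a malformed or foreign record simply fails."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record uses another algorithm or a lower work factor."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < iterations


def authenticate(password: str, record: str) -> Tuple[bool, Optional[str]]:
    """Login step: returns (ok, replacement_record). The replacement is only
    produced on a successful login, because that is the only moment the
    plaintext password is available to compute a stronger hash."""
    if not verify_password(password, record):
        return False, None
    if needs_rehash(record):
        return True, hash_password(password)
    return True, None


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("good password:", verify_password("correct horse battery staple", stored))
    print("bad password: ", verify_password("Correct horse battery staple", stored))
```

Two practical points follow from the design: the salt makes identical passwords in different customer databases produce different records, so a leak of one database reveals nothing about another; and because the record carries its own parameters, the work factor can be raised without a migration, one login at a time.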

Support

When contacting our support, cases are handled according to four escalation levels:

  • 4: Affects production (all resources, including the development team)

    • Can occur when RS Production is highly integrated with an ERP system

  • 3: Possible data loss (development team if support needs assistance)

    • Possible cause: the system is incorrectly configured

  • 2: Data visualization (development team if support needs assistance)

    • The system shows incorrect data (an error in a calculation) but the underlying data is correct

  • 1: Normal

    • System administration, basic training

All support cases are rated according to the levels above and registered as a new case in our support system. This is the standard procedure; for special handling and SLA, see your specific support contract.

Technologies

RS Production

Both the client and the server are built on .NET Framework 4.5.2.

Code signing

All executables are digitally signed using a code-sign certificate.

Hosting

  • Windows server (2012, 2016, 2019)

    • SQL Server and Application servers

  • Linux Ubuntu 18.04 LTS

    • Mobile servers

    • Nginx

      • Load balancer

      • Reverse proxy

    • InfluxDB (metrics database)

      • Server metrics monitoring

    • Grafana

      • Server status dashboard

  • Microsoft SQL Server

    • Customer databases