Cloud service and data security
RS Production is delivered as a cloud service hosted on Microsoft Azure. All infrastructure runs in Microsoft Azure.
The certifications Microsoft Azure complies with are listed at http://azure.microsoft.com/en-us/support/trust-center/compliance/
Configuration
This section describes the current configuration and deployment of the RS Production cloud service in Azure. The configuration is checked and maintained using Microsoft Defender for Cloud; see 4. Security.
Azure deployment overview
A logical view of the current deployment
The application servers are reached over HTTPS (HTTP with Transport Layer Security, TLS); see Customer-to-Azure communication for the client's fallback behaviour.
Azure is used as an infrastructure-as-a-service platform: the service runs on Azure virtual machines.
Each application server hosts between 4 and 16 customers.
Each customer has a dedicated Windows service running on the application server.
All data is stored in SQL Server, with one database per customer.
Application servers
OS: Windows Server Datacenter
Responsibility: hosts the RS Production server software and communicates with clients over HTTPS.
Database servers
OS: Windows Server Datacenter
Responsibility: hosts Microsoft SQL Server. Communicates with the application servers only over the private virtual network inside Azure; no ports are open to the Internet.
Database isolation
Every installation is fully isolated in its own database; two customers' data is never stored in the same database.
Customer-to-Azure communication
The RS Production client first tries to connect over HTTPS; if that fails, it falls back to HTTP. If the customer's factory firewall allows outbound HTTPS (HTTP over TLS), the client and the RS Production servers in Azure communicate over HTTPS; otherwise the connection is made over unencrypted HTTP.
RS Production mobile app always communicates over HTTPS.
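Because the client falls back to plain HTTP when HTTPS fails, a firewall rule that blocks TCP 443 to the service does not stop the client; it silently downgrades it. The check below is an added example, not code from RS Production or its vendor: it probes the two ports from the factory network and reports which transport the client's fallback rule would end up using. The hostname is a placeholder, and the probe can be replaced with a scriptblock so the decision logic can be exercised offline.

```powershell
# Added example (not part of RS Production). Checks whether the factory's
# outbound firewall lets the client reach the Azure service over HTTPS, so the
# HTTPS-then-HTTP fallback never silently downgrades to plaintext.
# 'app.example-rsproduction.net' is a placeholder; use the real service name.
function Test-RsProductionTransport {
    param(
        [Parameter(Mandatory)] [string] $ServerName,
        # Probe returns $true when a TCP connection to the port succeeds.
        # Defaults to a real network test; inject a scriptblock for offline use.
        [scriptblock] $Probe = {
            param($Name, $Port)
            Test-NetConnection -ComputerName $Name -Port $Port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    )
    $httpsOpen = [bool](& $Probe $ServerName 443)
    $httpOpen  = [bool](& $Probe $ServerName 80)

    # Mirror the client's rule: HTTPS first, otherwise HTTP, otherwise nothing.
    $transport = if ($httpsOpen) { 'HTTPS' }
                 elseif ($httpOpen) { 'HTTP (unencrypted)' }
                 else { 'none' }

    [pscustomobject]@{
        Server    = $ServerName
        HttpsOpen = $httpsOpen
        HttpOpen  = $httpOpen
        Transport = $transport
        Compliant = $httpsOpen   # only an HTTPS path is acceptable
    }
}

# Live check from a factory workstation (needs network access to the service):
# Test-RsProductionTransport -ServerName 'app.example-rsproduction.net'

# Offline demonstration with a constructed probe: 443 blocked, 80 open.
$blockedHttps = { param($Name, $Port) $Port -eq 80 }
$result = Test-RsProductionTransport -ServerName 'app.example-rsproduction.net' -Probe $blockedHttps
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning ("HTTPS (443) to {0} is blocked; the client would use {1}. " +
                   "Allow TCP 443 outbound to the service, then block TCP 80 to it." `
                   -f $result.Server, $result.Transport)
}
```

An open port 443 only proves the path exists; an `Invoke-WebRequest` to the https URL from the same network additionally confirms that the TLS handshake and certificate validation succeed (a TLS-intercepting proxy would show up there). Once 443 is confirmed, blocking TCP 80 to the service removes the downgrade path entirely.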
Resilience
The standalone client works without an active connection to the server in Azure: operators can keep using the operator panels in production, all data is stored locally until the connection is re-established, and it is then synced with the server.
No data is lost if the connection to the server is lost.
The client syncs all data once the server is reachable again.
Backups
Backups are stored on a separate disk in Azure.
Application servers
All servers are backed up with daily image snapshots, retained for 7 days.
SQL servers
All servers are backed up with daily image snapshots, retained for 7 days.
Databases
Full backups twice a day
Transaction log backups every hour
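A stated schedule is only as good as the evidence that it ran. The script below is an added example, not code from RS Production or its vendor: it reads SQL Server's own backup history (msdb.dbo.backupset, where type 'D' is a full backup and 'L' a transaction log backup) and flags any customer database whose last full backup is older than the twice-daily interval or whose last log backup is older than the hourly interval, with some slack for job run time. The instance name and the thresholds are assumptions; the demonstration runs on constructed rows so it works offline.

```powershell
# Added example (not part of RS Production). Verifies the stated schedule
# (full backups twice a day, log backups every hour) against msdb.dbo.backupset.
# Thresholds and the instance name 'sqlsrv01' are assumptions.

# Query run against a real instance (one row per database and backup type):
$backupHistoryQuery = @"
SELECT database_name, type, MAX(backup_finish_date) AS last_finish
FROM msdb.dbo.backupset
WHERE type IN ('D', 'L')      -- D = full, L = transaction log
GROUP BY database_name, type
"@

function Test-RsBackupFreshness {
    param(
        # Rows with database_name, type ('D' or 'L') and last_finish (DateTime)
        [Parameter(Mandatory)] [object[]] $Rows,
        [datetime] $Now = (Get-Date),
        [timespan] $MaxFullAge = [timespan]::FromHours(14),  # 12h nominal + 2h slack
        [timespan] $MaxLogAge  = [timespan]::FromHours(2)    # 1h nominal + 1h slack
    )
    foreach ($db in ($Rows | Select-Object -ExpandProperty database_name -Unique)) {
        $full = $Rows | Where-Object { $_.database_name -eq $db -and $_.type -eq 'D' } |
                Sort-Object last_finish -Descending | Select-Object -First 1
        $log  = $Rows | Where-Object { $_.database_name -eq $db -and $_.type -eq 'L' } |
                Sort-Object last_finish -Descending | Select-Object -First 1
        $fullAge = if ($full) { $Now - $full.last_finish } else { $null }
        $logAge  = if ($log)  { $Now - $log.last_finish }  else { $null }
        [pscustomobject]@{
            Database = $db
            FullOk   = ($null -ne $fullAge -and $fullAge -le $MaxFullAge)
            LogOk    = ($null -ne $logAge  -and $logAge  -le $MaxLogAge)
            FullAge  = $fullAge   # $null means no full backup ever recorded
            LogAge   = $logAge    # $null means no log backup ever recorded
        }
    }
}

# Live use (requires the SqlServer module):
# $rows = Invoke-Sqlcmd -ServerInstance 'sqlsrv01' -Database msdb -Query $backupHistoryQuery
# Test-RsBackupFreshness -Rows $rows | Where-Object { -not ($_.FullOk -and $_.LogOk) }

# Offline demonstration on constructed history: customer_a is healthy,
# customer_b has a stale log chain, customer_c has never had a full backup.
$now  = Get-Date '2024-01-15 10:00'
$rows = @(
    [pscustomobject]@{ database_name = 'customer_a'; type = 'D'; last_finish = (Get-Date '2024-01-15 06:00') }
    [pscustomobject]@{ database_name = 'customer_a'; type = 'L'; last_finish = (Get-Date '2024-01-15 09:30') }
    [pscustomobject]@{ database_name = 'customer_b'; type = 'D'; last_finish = (Get-Date '2024-01-15 06:00') }
    [pscustomobject]@{ database_name = 'customer_b'; type = 'L'; last_finish = (Get-Date '2024-01-15 04:00') }
    [pscustomobject]@{ database_name = 'customer_c'; type = 'L'; last_finish = (Get-Date '2024-01-15 09:45') }
)
Test-RsBackupFreshness -Rows $rows -Now $now | Format-Table -AutoSize
```

A database without a recent full backup has no usable log chain regardless of how fresh its log backups are, which is why customer_c is reported as failing on both counts. Run this per database server rather than per customer, since one instance hosts several customer databases.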
Patching
Critical and security OS patches are applied weekly.
Server patching follows the alerts and recommendations from Microsoft Defender for Cloud (formerly Azure Security Center), which alerts when a critical or security update has been published. Read more about Microsoft Defender for Cloud under 4. Security.
Security
For cloud security, hardening, and policies we rely on Microsoft Defender for Cloud, which gives us recommendations and insights about current threats, configuration, and patching. Microsoft Defender for Cloud is continuously evolving, which helps us remediate new security recommendations as they are published.
Microsoft Defender for Cloud
https://azure.microsoft.com/en-us/services/security-center/
The threat detection and protection capabilities provided with Microsoft Defender for servers include:
Microsoft Defender for Endpoint for Windows - Provides comprehensive endpoint detection and response (EDR) capabilities. When Defender for Endpoint detects a threat, it triggers an alert. The alert is shown in Security Center. From Security Center, you can also pivot to the Defender for Endpoint console and perform a detailed investigation to uncover the scope of the attack.
Vulnerability assessment scanning for VMs - The vulnerability scanner included with Azure Security Center is powered by Qualys. Qualys' scanner is one of the leading tools for real-time identification of vulnerabilities.
Just-in-time (JIT) virtual machine (VM) access - Threat actors actively hunt accessible machines with open management ports, like RDP or SSH. Just-in-time VM access can be used to lock down the inbound traffic to the VMs, reducing exposure to attacks while providing easy access to connect to VMs when needed.
File integrity monitoring (FIM) - File integrity monitoring (FIM), also known as change monitoring, examines files and registry keys of the operating system, application software, and others for changes that might indicate an attack. A comparison method is used to determine if the current state of the file differs from the last scan of the file. Azure Defender for servers validates the integrity of Windows files, the Windows registry, and Linux files.
Adaptive application controls (AAC) - Adaptive application controls are an intelligent and automated solution for defining allow lists of known-safe applications for your machines.
When you've enabled and configured adaptive application controls, you'll get security alerts if any application runs other than the ones you've defined as safe.
Adaptive network hardening (ANH) - Adaptive network hardening uses a machine learning algorithm that factors in actual traffic, known trusted configuration, threat intelligence, and other indicators of compromise, and then provides recommendations to allow traffic only from specific IP/port tuples.
Docker host hardening - Azure Security Center identifies unmanaged containers hosted on IaaS Linux VMs, or other Linux machines running Docker containers. Security Center continuously assesses the configurations of these containers. It then compares them with the Center for Internet Security (CIS) Docker Benchmark. Security Center includes the entire ruleset of the CIS Docker Benchmark and alerts you if your containers don't satisfy any of the controls.
Fileless attack detection (Windows only) - With fileless attack detection, automated memory forensic techniques identify fileless attack toolkits, techniques, and behaviors. The solution periodically scans the machines at runtime, and extracts insights directly from the memory of processes. Specific insights include the identification of:
Well-known toolkits and crypto mining software
Shellcode, which is a small piece of code typically used as the payload in the exploitation of a software vulnerability.
Injected malicious executable in process memory
Fileless attack detection generates detailed security alerts containing descriptions with additional process metadata, such as network activity.
Linux auditd alerts and Log Analytics agent integration (Linux only) - The auditd system consists of a kernel-level subsystem, which is responsible for monitoring system calls. Security Center integrates functionalities from the auditd package within the Log Analytics agent. This integration enables collection of auditd events in all supported Linux distributions. Auditd records are collected, enriched, and aggregated into events by the Log Analytics agent for Linux. Similar to the Windows capabilities, these analytics span suspicious processes, dubious sign-in attempts, kernel module loading, and other activities. These activities can indicate that a machine is either under attack or has been breached.
Security incidents
If an event indicates that the measures put in place to protect the RS cloud service have failed, or that RS Production or customer data has been compromised, an incident report is compiled and sent to the customer's security contact or support contact registered in the support system.
Identity access management
Remote access
All administrative access to the servers is through VPN.
Personal information
The only personal data RS Production stores is the RS Production user profile; its mandatory fields are username and password. RS Production user accounts are managed by each customer and can be deleted at any time. When a user account is deleted, all remaining copies of its personal data are erased once the database backup retention period has expired, currently 14 days (snapshot plus file backup).
Azure Active Directory
All servers are joined to a domain service.
All users accessing the servers in Azure are registered in Azure AD.
Password policies are set centrally.
Credentials that cannot be registered in Azure AD are stored in a password manager (current vendor: 1Password).
RS Production
Passwords are stored encrypted in each customer database.
Support for third-party authentication using federation is planned; see the future roadmap, section 8.1.
Support
Support cases are handled at four escalation levels:
4: Affects production (all resources, including the development team)
This can occur when RS Production is tightly integrated with the ERP system.
3: Possible data loss (development team assists if support needs help)
Possible cause: the system is incorrectly configured.
2: Data visualization (development team assists if support needs help)
The system shows incorrect data (an error in a calculation) but the underlying data is correct.
1: Normal
System administration, basic training
All support cases are rated according to the levels above and registered as new cases in the support system. This is the standard procedure; for special handling and SLAs, see your specific support contract.
Technologies
RS Production
Both the client and the server are built on the .NET Framework.
Code signing
All executables are digitally signed using a code-sign certificate.
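A signature only protects the customer if someone checks it on the installed files. The script below is an added example, not code from RS Production or its vendor: it walks an install directory, verifies the Authenticode signature of every executable and DLL with Windows' own validation (Get-AuthenticodeSignature) and additionally requires the signer certificate subject to contain the expected publisher name, so a file signed by some other valid certificate is still reported. The install path and the publisher name are placeholders.

```powershell
# Added example (not part of RS Production). Verifies that every .exe and .dll
# under an install directory carries a valid Authenticode signature from the
# expected publisher. The path and the signer name are placeholders.
function Test-RsCodeSignatures {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring that must appear in the signer certificate subject (the vendor's CN).
        [Parameter(Mandatory)] [string] $ExpectedSigner
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            File   = $_.FullName
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer = $subject
            # A signature is only acceptable if Windows validates the chain AND
            # the signer is the publisher we expect, not just any trusted publisher.
            Ok     = ($sig.Status -eq 'Valid' -and $subject -like "*$ExpectedSigner*")
        }
    }
}

# Placeholder install path and publisher CN; replace with the real values.
$results = Test-RsCodeSignatures -Path 'C:\Program Files\RS Production' `
                                 -ExpectedSigner 'CN=Example Vendor'
$failed = @($results | Where-Object { -not $_.Ok })
$failed | Format-Table Status, Signer, File -AutoSize
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) file(s) are unsigned, tampered, or signed by an unexpected publisher."
    exit 1
}
```

HashMismatch means the file was modified after signing and is the case to treat as a potential compromise; NotSigned on a file the vendor states is signed is a packaging defect worth raising with support.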
Hosting
Windows Server: SQL Server and application servers
Linux (Ubuntu): mobile servers
Nginx: load balancer and reverse proxy
InfluxDB: metrics database for server metrics monitoring
Grafana: server status dashboard
Microsoft SQL Server: customer databases