User Manual
A6V11852371_en_h

3 Cloud Security: Provider and Cloud Hosted Application
Infrastructure and Platform Services
Building Operator uses AWS (Amazon Web Services) to host its application
services, which together with Siemens Connect Device provide an end-to-end
solution for customers. AWS provides the cloud infrastructure (hardware,
software and networking) used by security-sensitive organizations and is
responsible for protecting the global infrastructure that runs the services
offered within its cloud; the security of the application and data placed on
that infrastructure remains the responsibility of the application provider. A
detailed description of AWS security can be found at:
https://aws.amazon.com/security/
Containerized architecture: In addition to the AWS infrastructure, the
Building Operator application software uses a container-based architecture,
which standardizes the development, build, test and production environments.
This adds a further layer of security: container images are built from
trusted sources of content, each service runs isolated from the others, and
services are exposed only through standard interfaces and APIs, which limits
the impact of a vulnerability in any single layer of the platform.
Deployment
Building Operator consists of multiple apps, listed below. The security
measures described in this chapter apply to all of them.

App                  URL
Account Manager      https://account.bpcloudapps.siemens.com
Asset Manager        https://assets.bpcloudapps.siemens.com
Building Operator    https://buildingoperator.siemens.com

Building Operator stores and processes data in data centers located in
Ireland.
Authentication, Access Control & Authorization
Authentication is the first step for any user of the Building Operator apps;
its aim is simply to verify the identity of the user. Building Operator uses
Siemens ID, a service based on an IDaaS (Identity as a Service) platform that
provides authentication and external identity management for Siemens
applications accessed by partners and customers. The main benefit of Siemens
ID is single sign-on to Siemens applications. It also includes self-service
administration of the ID by the user, a security token service and an option
for multi-factor authentication, which adds a further layer of security. You
can find more about Siemens ID at https://id.login.siemens.com/about/faq .
Access control is a further check applied after authentication: once an
identity has proven it is who it claims to be, access control restricts which
resources that identity may reach. For example, a user invited to company A
is, once authenticated, limited to the sites belonging to company A.
Authorization defines the set of actions an identity may perform after it has
gained access to a specific part of the infrastructure or resource. It is the
security mechanism that determines a user's privileges over devices, services,
data and application features. Building Operator implements the principle of
least privilege and separation of duties with role-based access control
(RBAC), limiting each user to specific sites, devices, applications and
features. For example, where a user holds the admin role for company A, only
that admin user is authorized to invite others into the organization (company
A) to use Building Operator.
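The two checks described above (tenant-scoped access control, then role-based
authorization) can be shown together in a small model. The following is an
added example written for this manual and is not Building Operator's own code;
the organization, site, role and permission names (company-a, site-a1, viewer,
operator, admin, user.invite and so on) are assumptions chosen for
illustration.

```python
"""Tenant-scoped RBAC: deny by default, then check membership, then role.

Added illustration, not Building Operator's own implementation. All names of
organizations, sites, roles and permissions below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Least privilege: each role grants only what it needs. Separation of duties:
# only the admin role may invite users into an organization.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"site.read"}),
    "operator": frozenset({"site.read", "device.control"}),
    "admin": frozenset({"site.read", "device.control", "user.invite"}),
}


@dataclass(frozen=True)
class Site:
    site_id: str
    org_id: str  # the organization (tenant) that owns the site


@dataclass
class User:
    user_id: str
    roles: Dict[str, str]  # org_id -> role held in that organization


class AccessDenied(Exception):
    """Raised when a request fails the access-control or authorization check."""


class Authorizer:
    def __init__(self, sites) -> None:
        self._sites = {s.site_id: s for s in sites}

    def can(self, user: User, action: str, org_id: str,
            site_id: Optional[str] = None) -> bool:
        """True only if the user is a member of org_id, the site (if given)
        belongs to org_id, and the user's role in org_id grants the action."""
        role = user.roles.get(org_id)
        if role is None:
            return False  # access control: not invited to this organization
        if site_id is not None:
            site = self._sites.get(site_id)
            if site is None or site.org_id != org_id:
                return False  # site belongs to another tenant (or not at all)
        # authorization: unknown roles and unknown actions fall through to deny
        return action in ROLE_PERMISSIONS.get(role, frozenset())

    def require(self, user: User, action: str, org_id: str,
                site_id: Optional[str] = None) -> None:
        if not self.can(user, action, org_id, site_id):
            raise AccessDenied(
                f"{user.user_id} may not {action} in {org_id}"
                + (f" on {site_id}" if site_id else ""))


# Constructed sample data (assumptions): two organizations, one site each.
SITES = [Site("site-a1", "company-a"), Site("site-b1", "company-b")]
ALICE = User("alice", {"company-a": "admin"})               # admin of A only
BOB = User("bob", {"company-a": "viewer", "company-b": "operator"})
AUTHZ = Authorizer(SITES)


def invite_user(inviter: User, org_id: str, invitee_id: str) -> str:
    """Only an admin of org_id may invite; everything else is refused."""
    AUTHZ.require(inviter, "user.invite", org_id)
    return f"{invitee_id} invited to {org_id} by {inviter.user_id}"


if __name__ == "__main__":
    print(invite_user(ALICE, "company-a", "carol"))
    for who, action, org, site in [
        (BOB, "site.read", "company-a", "site-a1"),      # allowed
        (BOB, "site.read", "company-a", "site-b1"),      # wrong tenant
        (ALICE, "site.read", "company-b", "site-b1"),    # not a member of B
        (BOB, "user.invite", "company-a", None),         # viewer cannot invite
    ]:
        print(who.user_id, action, org, site, "->", AUTHZ.can(who, action, org, site))
```

The important property is the order of checks: membership in the organization
is tested before the role is consulted, so an admin of company A has no
standing at all in company B, and a site is reachable only through the
organization that owns it.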
Data Security
Data Encryption at Rest - All data stored at rest is encrypted using either AWS
standard encryption or HashiCorp Vault encryption. The AWS and HashiCorp Vault