User Manual

ManualsBrandsSiemens ManualsFire - Modular & Networkable Control SystemsFire control panel (2L, AU)

Table Of Contents

Getting started

Safety notes

16 | 47

A6V12237004_enUS_b

2.4.1 Cloud Security: Provider and Cloud Hosted Application

Infrastructure and Platform Services

Cerberus Cloud Apps utilizes AWS (Amazon Web Services) cloud infrastructure to

host its application services, which along with Siemens Connect X300 gateway,

provides an end-to-end solution to unlock new value for customers. AWS provides the

cloud infrastructure hardware, software and networking to meet the requirements of

security-sensitive organizations and are responsible for protecting the global

infrastructure that runs all services offered within their cloud. A detailed list of these

can be found at:

https://aws.amazon.com/security/ .

Authentication, Access Control & Authorization

Authentication is the first step for any user of Cerberus Cloud Apps, its aim is simple –

to verify the identity of the user. Cerberus Cloud Apps uses Siemens ID, a service

based on an IDaaS platform (Identity as a Service), which offers authentication

services and external identity management services for Siemens applications

accessed by partners and customers. The main benefit of Siemens ID is the single

sign-on to Siemens applications. This includes the ID administration by the user, a

security token service and features an option for multi-factor authentication providing

an added layer of security. You can find more about Siemens ID at

https://cdn.login.siemens.com/help/index.html.

Authorization defines the set of actions that the identified user can perform and

defines the access to a specific part of the infrastructure resource. Authorization is a

security mechanism used to determine user privileges to devices, services, data and

application features. Cerberus Cloud Apps implements a role-based access control

(RBAC), limiting a user to applications and features. Access to sites and devices is

limited by organizations and scopes.

Access control is covered by applying both authentication and authorization

steps together.

Data Security

Data Encryption-at-Rest - All data stored at rest is encrypted using AWS standard

encryption. The AWS encryption conforms with the Federal Information Processing

Standard (FIPS) 140-2 standards.

Data Encryption-in-Transit - All Data in transit (e.g. communication to and from

Cerberus Cloud Apps) is encrypted via HTTPS/TLS1.2.

Details on cryptography employed to secure Cerberus Cloud Apps cloud data is found

in Appendix A [➙ 46].

Data Privacy

Collected data can be classified into two types - personal data and data generated by

the building’s panels/peripherals e.g. fire detectors. For Cerberus Cloud Apps, all

collected personal data complies with European Union General Data Protection

Regulation (EU GDPR), providing control to individuals over their personal data. The

building data is owned by the building owner unless agreed otherwise in a contract.

Remote Access (Tunnel)

One of the features offered by Cerberus Cloud Apps is the access to on-premise fire

networks from remote. Cerberus Tunnel enables commissioning engineers to service

and access fire networks from remote offices. Cerberus Tunnel has a by default

session timeout of 10 minutes.

To use remote access with Cerberus Tunnel, no inbound connectivity is required.