User Manual
A6V12237004_enUS_b
2.4.1 Cloud Security: Provider and Cloud Hosted Application
Infrastructure and Platform Services
Cerberus Cloud Apps uses AWS (Amazon Web Services) cloud infrastructure to host its
application services, which, together with the Siemens Connect X300 gateway, provide
an end-to-end solution to unlock new value for customers. AWS provides the hardware,
software and networking of the cloud infrastructure to meet the requirements of
security-sensitive organizations, and is responsible for protecting the global
infrastructure that runs all services offered within its cloud. Details of the AWS
security controls can be found at:
https://aws.amazon.com/security/
Authentication, Access Control & Authorization
Authentication is the first step for any user of Cerberus Cloud Apps; its aim is simple:
to verify the identity of the user. Cerberus Cloud Apps uses Siemens ID, a service
based on an IDaaS (Identity as a Service) platform, which offers authentication and
external identity management services for Siemens applications accessed by partners
and customers. The main benefit of Siemens ID is single sign-on to Siemens
applications. It also provides self-administration of the identity by the user, a
security token service, and optional multi-factor authentication as an added layer of
security. You can find more about Siemens ID at
https://cdn.login.siemens.com/help/index.html.
Authorization defines the set of actions that the identified user can perform and the
parts of the infrastructure resources the user may access. It is the security
mechanism used to determine a user's privileges on devices, services, data and
application features. Cerberus Cloud Apps implements role-based access control
(RBAC): a user's roles limit the applications and features available to that user,
while access to sites and devices is limited by organizations and scopes.
Access control is the combination of the two steps: a request is served only if the
user is both authenticated and authorized for the requested feature and resource.
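The following is an added illustration of the two-layer model described above, not code from Cerberus Cloud Apps or Siemens: a principal produced by authentication, roles that grant application features, and organization plus scope checks that bound which sites and devices a feature may be used on. Every role name, feature name, organization and site identifier is hypothetical.

```python
"""Toy access-control model: authentication AND authorization, deny by default.
Example code, not Cerberus Cloud Apps code; all identifiers are hypothetical."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Role -> application features the role grants (RBAC). A feature that no held
# role lists is not available, whatever the user's scope.
ROLE_FEATURES: Dict[str, Set[str]] = {
    "viewer": {"view_events", "view_devices"},
    "commissioning_engineer": {"view_events", "view_devices", "open_tunnel"},
    "org_admin": {"view_events", "view_devices", "manage_users"},
}


@dataclass(frozen=True)
class Device:
    device_id: str
    organization: str  # organization that owns the site the device belongs to
    site: str          # site identifier; scopes are expressed in site identifiers


@dataclass(frozen=True)
class Principal:
    """Identity established by the authentication step (e.g. after SSO)."""
    user_id: str
    roles: FrozenSet[str]
    organization: str
    scopes: FrozenSet[str]  # sites the user may reach; empty means none


@dataclass(frozen=True)
class Session:
    """principal is None for a request that did not pass authentication."""
    principal: Optional[Principal]


def has_feature(p: Principal, feature: str) -> bool:
    """RBAC check: does any role held by the principal grant the feature?"""
    return any(feature in ROLE_FEATURES.get(role, set()) for role in p.roles)


def in_scope(p: Principal, d: Device) -> bool:
    """Organization/scope check: the device's site must be one of the user's
    scopes and belong to the user's own organization."""
    return d.organization == p.organization and d.site in p.scopes


def authorize(session: Session, feature: str,
              device: Optional[Device] = None) -> Tuple[bool, str]:
    """Access control = authentication AND authorization; returns (decision, reason)."""
    if session.principal is None:
        return False, "not authenticated"
    p = session.principal
    if not has_feature(p, feature):
        return False, "no held role grants '%s'" % feature
    if device is not None and not in_scope(p, device):
        return False, "device outside the user's organization or scopes"
    return True, "allowed"


# Constructed sample data (hypothetical organizations, sites and users).
PANEL_A1 = Device("panel-001", organization="org-a", site="site-a1")
PANEL_A2 = Device("panel-002", organization="org-a", site="site-a2")
PANEL_B1 = Device("panel-003", organization="org-b", site="site-a1")  # same site id, other org

ENGINEER = Session(Principal("eng@example.com", frozenset({"commissioning_engineer"}),
                             organization="org-a", scopes=frozenset({"site-a1"})))
VIEWER = Session(Principal("view@example.com", frozenset({"viewer"}),
                           organization="org-a", scopes=frozenset({"site-a1", "site-a2"})))
ANONYMOUS = Session(None)

if __name__ == "__main__":
    for who, sess, feat, dev in [
        ("engineer", ENGINEER, "open_tunnel", PANEL_A1),   # allowed
        ("engineer", ENGINEER, "open_tunnel", PANEL_A2),   # site outside scope
        ("engineer", ENGINEER, "open_tunnel", PANEL_B1),   # other organization
        ("viewer", VIEWER, "open_tunnel", PANEL_A1),       # role lacks feature
        ("anonymous", ANONYMOUS, "view_events", None),     # not authenticated
    ]:
        print(who, feat, getattr(dev, "device_id", "-"), authorize(sess, feat, dev))
```

Note the ordering: the scope check runs only after the role check passes, and a device belonging to another organization is refused even when its site identifier coincides with one in the user's scopes, which is why the organization is compared explicitly rather than relying on site identifiers being globally unique.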
Data Security
Data Encryption-at-Rest - All data stored at rest is encrypted using AWS standard
encryption, which conforms with Federal Information Processing Standard (FIPS) 140-2.
Data Encryption-in-Transit - All data in transit (e.g. communication to and from
Cerberus Cloud Apps) is encrypted via HTTPS (TLS 1.2). Clients connecting to Cerberus
Cloud Apps should validate the server certificate rather than disable certificate
checking; an unvalidated connection is encrypted but not authenticated.
Details of the cryptography employed to secure Cerberus Cloud Apps cloud data are
found in Appendix A [➙ 46].
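As an added example (not Cerberus Cloud Apps or Siemens code), the following shows how a client integrating with a TLS 1.2 service can enforce the transport properties listed above, and an audit function that flags a context which does not. It uses only Python's standard `ssl` module; the weak context is a constructed counter-example.

```python
"""Hardened client TLS context beside a weak one, plus an audit of the settings.
Added example; only the standard library ssl module is used."""
import ssl
from typing import List


def hardened_client_context() -> ssl.SSLContext:
    """Refuses anything below TLS 1.2 and requires a validated certificate
    whose name matches the host being connected to."""
    ctx = ssl.create_default_context()          # loads the system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Constructed counter-example: the settings an audit should reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE             # accepts any certificate at all
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL allows
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings for a context; an empty list means it is acceptable."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required or not validated")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_client_context(hardened_client_context()))
    print("weak:", audit_client_context(weak_client_context()))
```

The audit is useful as a unit test in any integration that builds its own `SSLContext`, because a context created with `PROTOCOL_TLS_CLIENT` starts out validating certificates and it is later code that silently weakens it.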
Data Privacy
Collected data falls into two types: personal data, and data generated by the
building's panels and peripherals, e.g. fire detectors. For Cerberus Cloud Apps, all
collected personal data is processed in compliance with the European Union General
Data Protection Regulation (EU GDPR), which gives individuals control over their
personal data. The building data is owned by the building owner unless agreed
otherwise in a contract.
Remote Access (Tunnel)
One of the features offered by Cerberus Cloud Apps is remote access to on-premise fire
networks. Cerberus Tunnel enables commissioning engineers to access and service fire
networks from remote offices. Cerberus Tunnel sessions time out after 10 minutes by
default.
Remote access with Cerberus Tunnel requires no inbound connectivity to the site
network, so no inbound firewall ports need to be opened for it.