Cloud-based systems for plant process management (PPM) deliver significant benefits in terms of access, convenience, and handling. But are they safe to be used in sensitive industries like chemical or pharmaceutical manufacturing? The answer is yes … if designed with data security as a priority.

The growing need for applications with secure and rapidly scalable data storage and processing has led to the increasing relevance of cloud computing, i.e., data processing and storage on an external server.

In a software-as-a-service (SaaS) model, the software is supplied by an external provider. ‘In-house IT’ does not have to worry about the threat landscape, updates and hosting. The following developments have contributed to the debate over whether ‘SaaS or On-Prem’ has higher priority:

  • Rapidly changing requirements under volatile market conditions
  • Requirements for reduced email traffic and a solid database that can also be accessed in a decentralised way
  • Sensitive data and an ever-changing IT threat landscape
  • Increasing demand for services, such as AI (artificial intelligence)-based applications

Even today, many manufacturers are hesitant to move their data to the cloud. However, a well-designed cloud solution that meets modern security standards and regulations can be more secure than storing data on your internal network. For example, cloud solutions provide additional security through centralised data storage to ensure data confidentiality, integrity and availability – especially for companies that have already ventured into digitised process management.

Local Hosting vs. Cloud Security: Confidentiality, Integrity and Availability

When evaluating the security of a software application, there are three important elements to consider, collectively known in the security industry as the CIA Triad.

Confidentiality refers to how data is protected from disclosure or unauthorised access. This encompasses who is allowed to view the data, how access is controlled, and what protection measures are in place to prevent unauthorised entities from breaking into the system.

Integrity is about how accurate and reliable the data is. Duplicate entries or unreliable sources of information reduce data integrity.

Availability means that data is accessible and usable whenever and wherever we need it and is not put at risk by system outages or network failures.

On all three measures, secure cloud-based systems can offer advantages over those that are hosted locally. Few manufacturers have the cybersecurity expertise on staff to design, implement and sustain a comprehensive cybersecurity program. Legacy systems often do not meet modern standards for secure system design and lack critical updates to address new or emerging security threats. In addition, PPM software exists within a complex software ecosystem, which can create new and unknown access points and security vulnerabilities for sensitive plant data.

A locally hosted solution can be vulnerable to:

  • Unauthorised access or ‘back doors’
  • Data tampering by unauthorised parties
  • Data loss if local servers are damaged or destroyed in a system outage

With cloud-based PPM systems, manufacturers can leverage the cybersecurity expertise of the cloud service provider (CSP). In a ‘Software-as-a-Service’ (SaaS) model, the CSP takes on the job of maintaining security programs for the application and safeguarding data confidentiality, integrity and availability. That includes ensuring compliance with current cybersecurity regulations and best practices, updating software as new security threats and vulnerabilities are discovered, and ongoing threat monitoring and detection.

What to Look for in a CSP

To ensure data confidentiality, integrity, and availability, secure cloud applications should adhere to current best practices and comply with all regulations for cloud cybersecurity.

Information security management is governed by ISO 27001, which provides a framework for establishing, implementing, maintaining and continually improving security management systems, procedures and policies. CSPs should design their security programs in compliance with ISO 27001.

They should also have an ISO 9001 certification, which governs quality management systems for software development. It is also useful to ask for a SOC 2 report, which provides an audit of the company’s controls related to security, availability, processing integrity, confidentiality and privacy.

The development of a secure cloud application involves several aspects, including:

  • System architecture
  • Software development practices
  • Backup and disaster recovery practices
  • Security monitoring
  • Testing and analysis
  • Incident management

Moving Existing Data Security Systems to the Cloud

Moving to a cloud-based plant process management system that complies with modern security standards and regulations can be an important part of a data security plan for pharmaceutical manufacturers. A cloud-based PPM adds an extra layer of security through the browser. By offloading security management to the CSP, implementing cloud-based PPM also reduces the burden on the manufacturer’s IT staff. A SaaS model is simpler to implement, easier to manage and scale, and more secure than keeping it all in-house.

Cloud-based shift handover and PPM platforms should be ISO 27001 and ISO 9001 certified and developed according to current best practices and standards for cloud security.

As the process industry continues in its digital transformation, understanding the security implications of cloud-based technologies will help companies ask the right questions and make confident data security decisions.

To learn more about how confidentiality, integrity and availability principles are managed in cloud-based systems, read eschbach’s white paper on Cloud Security.