A Secure Federated Company

Transcription

1 A Secure Federated Company 10 nov 2010 Using Windchill Technology 1 THALES NEDERLAND B.V. THALES NEDERLAND B.V. AND/OR ITS SUPPLIERS. THIS INFORMATION CARRIER CONTAINS PROPRIETARY INFORMATION WHICH SHALL NOT BE USED, REPRODUCED OR DISCLOSED TO THIRD PARTIES WITHOUT PRIOR WRITTEN AUTHORIZATION BY THALES NEDERLAND B.V. AND/OR ITS SUPPLIERS, AS APPLICABLE.

2 Agenda: Mandate History Requirements General approach Implementation of business & security requirements Questions 2 THALES NEDERLAND B.V.

3 Mandate: Background wrt external interfacing: Changing needs: Collaboration (SR-FR, Nevesbu, customer, etc); engineering/design Outsourcing; manufacturing/design Shortened design cycles Opportunities: Efficiency/effectivity improvements in the communication with external partners; fast, configured and role based Ability to pay a key role in co-designer relations Threats: Insecure interfacing; usb-stick, , CD/DVD, hard-disk, quickplaces, etc Poorly managed; status, configuration, completeness, validity, etc Practically unworkable situation for Thales-Norma after moving date. 3 THALES NEDERLAND B.V.

4 Mandate: Goal: To realize proper configuration facilities for the mechanical engineering domain between both Thales and suppliers/codesigners and Thales-to-Thales internationally. Constraint: All collaborations exist within the setting of defence related products and are therefore subject to security constraints. 4 THALES NEDERLAND B.V.

5 Project B Product Radar X Thales, Fr Partner 3, NL Thales anywhere Thales Hengelo Project A Partner 1, NL Partner 2, D 5 THALES NEDERLAND B.V.

6 History: Feb Intralink->PDMlink 8 Architecture not sufficient (then 8 now 9.1) Requirements definition; security en business How do others work? Architectures Other approaches; UEE Windchill; external flexibility maintained No OEM approach; a federated company approach, Quickplaces; security becomes blocking PTC provides functionality in PDMlink/Projectlink THALES NEDERLAND B.V.

7 Dynamic links exist due to PDMLink & ProjectLink embedded solution PDMLink = Referential area for CAD documents (Permanent area) Collab. work within entity Collab. work between entities ProjectLink = Temporary area for collaborative work (Project area is removed when work is completed) 7 THALES NEDERLAND B.V.

8 Requirements: Business: Supplied solution must support collaboration for mechanical engineers in their day-to-day operational use of the system. It should conform to the general service level agreement KPI s that are in place for other engineering related services Specifically, it must be both easy and secure, to give visibility to engineering artefacts and communities that can be easily established and maintained within the solution. Security: 15 requirements defined including: Authorised locations-users-data-(time period) Data manager Logging who-what-when Encryption Also export control 8 THALES NEDERLAND B.V.

9 General approach: Use cases to be executed/demonstrated in three consecutive installation runs to assure: Correct migration; after the final migration there is no easy roll-back Meeting the security requirements; otherwise there will be no external collaboration allowed Operational availability and performance; to convince the key-users and the business Operational functionality of PDMlink 9.1; some new functions and working methods Final migration will be done in a weekend and after agreement of all parties. Hire specific Windchill knowledge No customisation, standard functionality and configuration Linux, virtualisation, migration, anti-virus, test-environment French corporate vision Controlled start-up; get experience and confidence 9 THALES NEDERLAND B.V.

10 Implementation: Implementation of Business Requirements Implementation of Security Requirements 10 THALES NEDERLAND B.V.

11 Implementation of Business Requirements Migrate Windchill 8.0 to new secure Windchill 9.1 environment Windchill 8.0 Windchill 9.1 Physic Servers (2 servers) Vmware Servers (6 servers) Windows 2003 Redhat Enterprise Linux No virus scanning on server Virus scanning for external slaves Windchill 8.0 M040 Windchill PDMLink & ProjectLink Contains mcad/ecad content Default user interface Windchill 9.1 M020 Windchill PDMLink & ProjectLink Contains same mcad/ecad content Simple role-based user interface Same or equal performance and minimal impact on daily work. 11 THALES NEDERLAND B.V.

12 Implementation of Business Requirements Role-based User Interface (Profiles) 12 THALES NEDERLAND B.V.

13 Implementation of Security Requirements Migrate Windchill 8.0 to new secure Windchill 9.1 environment Windchill 8.0 Windchill 9.1 Windchill Monolithic Secure Windchill Architecture Local area network (LAN) Demilitarized zone (DMZ) Windchill PDMLink & ProjectLink Windchill PDMLink & ProjectLink No Security Labeling and Agreements Security Labeling and Agreements No Windchill Auditing & Logging Windchill Auditing & Logging Use cases to define collaboration working scenario s and procedures. 13 THALES NEDERLAND B.V.

14 Implementation of Security Requirements Windchill Architecture HTTPS Windchill Cluster on virtual Linux Redhat in the DMZ VLAN PDM (inside VLAN DMZ) Thales NL Slave 1 View Master Oracle ThalesNet Slave 2 Thales Env. Internet Slave 3 Partner NL SAN Internet Slave 4 Partner NAVO 14 THALES NEDERLAND B.V.

15 Implementation of Security Requirements Windchill Thales NL Environment VLAN PDM (inside VLAN DMZ) Thales NL Slave 1 View Master Oracle Slave 2 Slave 3 Slave 1 Minimal required auditing & logging. Only Thales NL users can log in. Memory and caching parameters optimized for internal LAN use. SAN Slave 4 15 THALES NEDERLAND B.V.

16 Implementation of Security Requirements Windchill Thales NAVO Partner Environment Slave 4 All required auditing & logging. Memory and caching parameters optimized for internet use. Virus scanning on server. NAVO Partner needs: VPN Box from Thales NL. Thales SSL certificate from Thales NL. Valid username/password from Thales NL. Partner NAVO Internet Slave 1 Slave 2 Slave 3 Slave 4 VLAN PDM (inside VLAN DMZ) Master View Oracle SAN 16 THALES NEDERLAND B.V.

17 Implementation of Security Requirements Security Labeling and Agreements Export control: License required Authorised Participants (NL persons) A Authorised Participants (Internal people) Corporate Proprietary: Internal 17 THALES NEDERLAND B.V.

18 Implementation of Security Requirements Security Labeling and Agreements Security Labels Security Level Security Marking Export Control Intellectual Property Agreements Security Authorization Agreement Government Export License Commercial License Disclosure Agreement Non-Disclosure Agreement Example for: Security Marking 18 THALES NEDERLAND B.V.

19 Implementation of Security Requirements Report on who accessed what objects and when 60 discrete traceable events, including Viewing of pages and Downloading of content Critical information captured, including user ID and IP address as well as object details Additional Apache & Windchill logging 19 THALES NEDERLAND B.V.

20 Thank you for your attention! Questions? 20 THALES NEDERLAND B.V.