The importance of data protection for a PLM system
Entire companies are increasingly being brought down by hacking. It starts with a hacker installing a piece of software in the company's IT system. This software often remains idle for a long time, only to suddenly 'wake up' and corrupt or encrypt data. Because the software was idle for so long, backups are often worthless.
In addition to these aggressive attacks, there's also a growing risk of business-critical data falling into the hands of third parties. Data is shared not only internally, but also with suppliers, engineering firms and customers.
The purpose of a product lifecycle management (PLM) system is to manage all product-related information, from idea and design to service.
In other words, it is a system containing the company's intellectual property (IP) and a platform where people can easily collaborate, which makes it a very interesting target for data theft and/or (ransomware) attacks.
Fortunately, a modern PLM system, Windchill in particular, can be well protected against data theft and hacker attacks, provided the system is well configured and managed.
Considering all the above, the following are important.
On-premise or Cloud (Azure or AWS) PLM Server
Contrary to popular belief, Cloud systems are often better protected than 'internal' on-premise systems.
For example, high-level protection (preferably at layer 7 of the ISO OSI model) of the PLM system is usually easier to achieve and maintain in a Cloud environment.
In this setup, the PLM system and data are protected by several firewalls, including a web application firewall, reverse proxy and a load balancer.
PLM system configuration
Proper protection of the Windchill server itself against attacks is of course essential. This starts with encrypting (HTTPS) the data being uploaded to and downloaded from Windchill, centralising access control with (Azure) Active Directory, and setting up and configuring Multi-Factor Authentication (MFA) for access to Windchill. Implementing all recommended security measures (password encryption, protection against Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks) and configuring auditing are also important. Auditing allows you to monitor precisely what someone has done in the PLM system and when.
PLM application configuration
Within Windchill, data can be accessed by giving a person a particular role with rights in a product, library or project and by working with security labels and agreements. Access to data is provided when a person is given access to data through their role (access control list) and when the person has access to the label on the data or is given access to the data for a certain period through an agreement.
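A simplified model of the access rule described above, as an added example (not Windchill code or its API; the class names, ACL table, label name and dates are all constructed): access requires an ACL grant through the person's role and, for every security label on the object, either the person's own clearance or an agreement that is valid on that date.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Agreement:                      # time-limited clearance for one label
    label: str
    valid_from: date
    valid_to: date

    def covers(self, label, on):
        return self.label == label and self.valid_from <= on <= self.valid_to

@dataclass
class User:
    roles: dict                                        # context -> role
    cleared_labels: set = field(default_factory=set)
    agreements: list = field(default_factory=list)

@dataclass
class Item:
    context: str                                       # product, library or project
    labels: set                                        # security labels on the object

# Constructed ACL: (context, role) -> permitted actions
ACL = {("Pump-X", "Designer"): {"read", "modify"},
       ("Pump-X", "Supplier"): {"read"}}

def decide(user, item, action, on):
    """Return (allowed, reason) for `action` on `item` on date `on`."""
    role = user.roles.get(item.context)
    if action not in ACL.get((item.context, role), set()):
        return False, "no ACL grant through role"
    for label in sorted(item.labels):
        if label in user.cleared_labels:
            continue
        if any(a.covers(label, on) for a in user.agreements):
            continue
        return False, f"label {label}: no clearance or valid agreement"
    return True, "granted"

# Constructed sample data
DRAWING = Item("Pump-X", {"Export-Controlled"})
ENGINEER = User({"Pump-X": "Designer"}, cleared_labels={"Export-Controlled"})
SUPPLIER = User({"Pump-X": "Supplier"}, agreements=[
    Agreement("Export-Controlled", date(2024, 1, 1), date(2024, 3, 31))])

if __name__ == "__main__":
    for who, act, day in [(ENGINEER, "modify", date(2024, 2, 1)),
                          (SUPPLIER, "read", date(2024, 2, 1)),
                          (SUPPLIER, "read", date(2024, 4, 1))]:
        print(act, day, decide(who, DRAWING, act, day))
```

The supplier's read succeeds while the agreement is valid and is denied the day after it expires, without any change to the role or ACL.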
In addition, specific data in Windchill can be shared from a product or library to a project. This makes it possible to give external parties access to the data in a very specific way, even in a mode whereby the external party is able to edit the data (e.g. outsourcing engineering or work preparation) and return it (checked in) to a product in Windchill in a controlled way.
Windchill is a PLM system that meets the highest requirements in terms of security. Security updates and new Windchill versions are regularly released. Implementing them is essential for optimal protection of the data in Windchill. In addition, management naturally includes creating users, granting access to data, granting access to security labels and drawing up agreements, but also continuously monitoring the system for irregularities and checking the audit logs.
As is often the case, people are the weakest link. Despite all the above measures, we still cannot rule out 100% that a person with access to data in the PLM system may (unintentionally) share data with people who should not have or see the data. Paying attention and creating awareness in the field of security is therefore the last and perhaps most important point of attention.
We're happy to provide advice on data protection. This ranges from a sanity check of the environment to implementing our Best Practices in terms of data protection and the full management and monitoring of your Windchill environment in the Cloud.