Introduction
The safety and security of your data is our top priority. We recognize that your industrial data demands a rigorous set of operating standards compared to other information domains. We are committed to ensuring the highest standards of cyber security throughout our codebase and across our ecosystem of customers, partners and employees.
We work hand-in-hand with our customers and partners to ensure leading data security and risk mitigation principles are embedded throughout our software and systems. We constantly monitor our operations to mitigate emerging vulnerabilities and ensure new threats are tracked and acted on rapidly.
Physical Security
Best-In-Class, Certified Data Centers
At AVEVA our cloud offerings are hosted in Microsoft Azure and Amazon AWS, which are two of the leading public cloud service providers. Each company provides a robust global cloud platform that incorporates strong security practices as well as ensuring high availability.
Both Microsoft Azure and Amazon AWS have many security features designed to protect data and applications, ranging from physical and environmental security through network security to data privacy and security controls. This is achieved through compliance with numerous standards including ISO 27001/27017/27018 and AICPA SOC 2 along with transparency in how security is implemented and managed.
Data Security
Committed to market leading cybersecurity best practices
Data at Rest
All sensitive customer data is encrypted, logically segregated and segmented in a multi-tenant architecture. These measures offer the best assurances that customer data is safe from unauthorized access, and limit the risk of data being compromised in any meaningful manner while protecting the privacy, control and autonomy of each customer’s data independently from any other. We have U.S. Patents Pending around the unique industrial implementation underpinning the solution.
Data in Motion
All data communications to and from AVEVA cloud services are encrypted using SSL/TLS over HTTP (i.e., HTTPS) on the industry-standard, well-defined Port 443, using Advanced Encryption Standard (AES) 256-bit encryption with 2048-bit X.509 certificates. This applies to our on-premises data publishers, our modern browser-based client and our native mobile apps. Our publicly accessible REST-based APIs use the same security scheme.
We continuously monitor the changing security landscape of cryptography and cybersecurity to ensure that we offer the best available protections to our customers and their sensitive data.
Hybrid Deployments
Given our long, rich history and domain expertise in the industrial automation market, we fully support and complement traditional industrial on-premises systems pushing data to the cloud in a hybrid-architecture where on-premises systems work in tandem with our cloud solutions.
IT Friendly
Our real-time, small-footprint data publishers are IT friendly from a local network point of view: they require only a single outbound, unidirectional port to be opened in order to communicate securely with our cloud services, encrypted using SSL/TLS over HTTP on Port 443.
Our real-time on-premises data publishers never accept inbound connections. Every connection is initiated outbound from the customer network by the trusted on-premises system, never inbound by any external agent. Our data publishers also do not auto-update on-premises O/S components; updates are applied manually by our customers at their discretion.
All traffic from our on-premises publishers can be routed through conventional next-generation firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS) and network-segmented demilitarized zones (DMZ).
Data Transmission Reliability: Store & Forward
All real-time data publishers provided by us employ store-and-forward mechanisms so that no data is lost if the network connection between the on-premises publisher and our Insight cloud services becomes unavailable. When connectivity resumes, a parallel data stream is initiated to back-fill the data collected during the period of network unavailability, while live data continues to flow.
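As an added illustration (not AVEVA's code), the following model shows the behaviour described in the IT Friendly and Store & Forward sections: an outbound-only publisher that buffers samples locally while the link is down and, once the link is back, drains the buffer on a separate back-fill stream alongside live data. The CloudSink class and the sample values are constructed for the example.

```python
import itertools
from collections import deque


class CloudSink:
    """Constructed stand-in for the cloud ingest endpoint; `online` models link state."""

    def __init__(self):
        self.online = True
        self.received = []  # (stream, seq, value) in arrival order

    def ingest(self, stream, batch):
        if not self.online:
            raise ConnectionError("link down")  # outbound call fails; nothing inbound ever
        self.received.extend((stream, seq, value) for seq, value in batch)


class Publisher:
    """On-premises publisher: every call is outbound; samples are stored while offline."""

    def __init__(self, sink, backfill_batch=3):
        self.sink = sink
        self.buffer = deque()  # durable local store in a real publisher; in-memory here
        self.backfill_batch = backfill_batch
        self.seq = itertools.count()

    def publish(self, value):
        sample = (next(self.seq), value)
        try:
            self.sink.ingest("live", [sample])  # live stream first
        except ConnectionError:
            self.buffer.append(sample)  # keep the sample instead of dropping it
            return False
        self.backfill()  # link is up: drain stored samples on the parallel stream
        return True

    def backfill(self):
        while self.buffer:
            n = min(self.backfill_batch, len(self.buffer))
            batch = [self.buffer.popleft() for _ in range(n)]
            try:
                self.sink.ingest("backfill", batch)
            except ConnectionError:
                self.buffer.extendleft(reversed(batch))  # put back, order preserved
                return


def run_scenario():
    """Link drops after two samples, four arrive offline, then the link returns."""
    sink, pub = CloudSink(), Publisher(CloudSink.__new__(CloudSink))
    pub.sink = sink
    for v in (10.0, 10.5):
        pub.publish(v)
    sink.online = False
    for v in (11.0, 11.5, 12.0, 12.5):
        pub.publish(v)
    buffered_while_down = len(pub.buffer)
    sink.online = True
    pub.publish(13.0)
    return sink.received, buffered_while_down, len(pub.buffer)
```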
Application Security
Protecting and defending your data across people, process and technology.
Identity and Access Management (IAM)
Authentication
Customers register, sign-in and authenticate through the AVEVA Connect cloud platform which is based on the OpenID Connect (OIDC) authentication layer on top of the OAuth 2.0 authorization framework.
For enterprise customers, Single-Sign-On (SSO) and federated identity access integrations are available with a customer’s existing IAM implementation.
We enforce a level of password complexity during sign-up and registration to promote secure credentials.
We verify account ownership during registration and for password resets to ensure the request is from an authentic source.
Authorization
Customers have complete and granular control over who they choose to allow visibility of and access to the various elements of their data in the AVEVA Connect common cloud platform. At any time, customers can add, modify and remove users from their account, and immediately revoke any user's access at their discretion.
External Security Audits
We work with respected third-party application security assessment experts on a regular, periodic basis to proactively identify potential vulnerabilities, so that we can address them quickly and stay current with the ever-changing cybersecurity landscape.
In these engagements, the third-party companies conduct vulnerability and penetration scans alongside additional security reviews, such as audits for OWASP-identified vulnerabilities.
Continuous Monitoring and Security Assessments
We have in place proactive monitoring and active security policies and procedures to identify abnormal behavior, catch anomalous activity, and detect and isolate suspicious activity against or within our online solution. Examples include limits on authentication requests, location-based risk evaluations, monitoring of the size and growth of user activity, failed authentications, API request rates and more.
Our commitment to the continued availability of our offering is set out in our service level agreement (SLA), which can be referenced via the Product Schedules found on the Legal Resources page.
For more information on the individual cloud services please refer to the Service Descriptions page.