According to the EU General Data Protection Regulation, data security means the careful handling of personal and company-related data. Many websites and apps have active connections in the background to data collectors of large corporations, such as Google, Facebook or Alibaba. Depending on what you as a user have accepted in the cookie settings or T&Cs of these websites and apps, they reveal quite a lot about themselves, albeit predominantly anonymously. Nevertheless, artificial intelligences are able to recognise corresponding patterns in your behaviour that enable the data octopi to suggest things that suit you very well with the next click or swipe – simply because there are millions of others with your behaviour pattern.
In the press you often read about data leaks and leaks and stolen data sets. IT security is on everyone’s lips, mainly the negative effects. In particular, this has become a “fear-and-fright” scenario with cloud applications, which fuels certain reservations about deploying and using cloud technologies. But what is actually behind this? That’s what my blog is about today.
However, data security starts on one’s own computer and smartphone, because it is mainly small carelessness on the part of end users that can cause major damage in the first place. Through phishing, criminals obtain their access data; through Trojans and other malware in email attachments, programmes are started in the background of their client that spread in the network of their company and thus also on servers themselves. Afterwards, data is exchanged with third parties who certainly have few good intentions. In the best case, they only want to share the computing power of the data centre and slow down the bandwidth with which the employees surf. In the worst case, your data is copied to other servers, your access is blocked, your entire network is paralysed, and against payment of large sums in crypto-currencies, this is reversed. Servers in data centres are usually well protected, but they also sometimes fall victim to cyberattacks, so that direct access to corresponding data sets is then possible.
If we now look at the production process in the process industry, the highest asset to be protected is probably the recipe, followed by the environmental variables of the production machines. Until now, the networks for the machines and the networks for the ERP data were usually separate from each other. Through the progressive digitalisation of the machine, it is becoming more and more possible to visualise the environmental variables for reporting on production and ultimately also to support decision-making for the plant operator. In fully automated production and maturing processes, simple decision algorithms can also be used to send control indicators to the plant and thus influence the production process.
So when the separate networks communicate with each other or even merge, the issue of data security must also be looked at more closely at this point. As long as the networks and servers are under the control of the producer (on-premise), he is responsible for data security and can implement suitable security measures. What happens if parts of the network are located in a rented data centre, how vulnerable are data lines of a branched WAN in a company? In this case, the security-relevant services of the service providers must be carefully scrutinised so that there are no surprises (see above). If you then give third parties access to the systems and machines for remote maintenance, the necessary caution increases and costs an immense amount of effort and money.
And in the cloud? Cloud means nothing more than “located somewhere else” (data centre), “does not belong to me” (rented) and “I use what is there” (application services). This means that you are forced to hand over parameters for your ERP and production data to a cloud operator who is certainly not interested in selling the same kind of service to only one customer. So I have to be careful and trust that the data worth protecting does not get mixed up in the cloud. The operator will be able to ensure separation, but will it want to do so in the long term? Data from the same type of source offers artificial intelligence the chance to recognise any patterns and valuable optimisations can be derived from the results. This is the case for the cloud operator with whom he wants to earn big money in the end. The revenue from the use of the application service is a drop in the ocean in comparison.
My personal opinion for the process industry is a hybrid approach of on-premise and cloud technologies. I protect my most valuable assets in the on-premise environment under my control and I use meaningful cloud services by sending anonymised data sets to the service and receiving the result back for further processing in my on-premise world. This is probably the most efficient and secure way for the future.