Security in the Era of Cloud

Stolen credentials are a greater threat than stolen laptops.

Gartner’s Magic Quadrant is the little square that every vendor wants to be in. Published as part of Gartner’s annual industry sector reports, the square sorts vendors into market leaders, challengers, niche players and visionaries. In the analyst firm’s “Magic Quadrant for Unified Endpoint Management Tools,” published August 2019, VMware, along with Citrix, Microsoft and IBM, appeared in the Leaders’ corner.

“VMware shows strength in helping its customers bridge between legacy client management tools (CMTs) and unified endpoint management (UEM) by building on previous common CMT functions such as patch management natively within the Workspace ONE offering,” wrote Gartner. It also singled out “VMware’s 2018 launch of the Workspace ONE AirLift offering” as an innovation in the space.

“We are seeing a trend toward virtualization technology, and this is a key enabler for running our software in the cloud,” notes Prakash Kota, CIO, Autodesk. “Many Autodesk customers are exploring the option of moving their desktops running Autodesk software to the cloud. We are also seeing companies such as Citrix, AWS and Microsoft Azure offer cloud-based desktops.”

The shift from on-premises desktops to virtual machines suggests that the security risks, too, have migrated to the cloud. But human behavior, as it turns out, remains a bigger security risk than the holes in the company firewall or in the cloud provider’s infrastructure.

A Famous IP Theft Case

One of the most high-profile IP theft cases in the CAD industry occurred in 2002, when the source code of a pre-release version of SolidWorks was stolen. The culprit, Shekhar Verma, was a former employee of an outsourced contractor in India. He was eventually apprehended when he attempted to sell the code to an undercover federal agent from India. (“At Risk Offshore,” Michael Fitzgerald, Computerworld, November 2003, ComputerWorld.com.) This was long before the rise of software-as-a-service and virtual desktop infrastructure, and it was ultimately the act of a disgruntled former contractor employee, not a breach of any system.

Could mission-critical CAD design files be stolen from the cloud, or via a virtual machine? It’s quite possible, but Robert Thompson, senior technical instructor, VMware, worries more about poor security practices among humans than about holes in the VDI itself.

“Have you ever worked with designers who said, ‘Hey, log in and take a look at project XYZ. Here’s my password’,” he asked. “Never give your password out to anyone, especially if your login has access to high visibility projects with lots of IP. The extra step of creating [and] requesting another login for your colleague could very well prevent theft,” he adds.

Tight deadlines and a human preference for efficiency may tempt some to bypass established security protocols, perhaps not out of malicious intent but purely out of the need to get things done quickly.

Password sharing is not only dangerous but also unnecessary with a capable VDI. “There’s a feature in VMware Horizon called session sharing that would remove the need to share passwords with applications like CAD,” says Thompson.

CAD in Cloud

CAD software was originally written to run on personal workstations. That was the case with SolidWorks, Autodesk Inventor, PTC Pro/ENGINEER (later rebranded as PTC Creo), and Siemens NX and Solid Edge. In that sense, Onshape, founded in 2012, was a groundbreaker. It was architected from the start to run in the cloud, SaaS-style. The company was acquired by PTC in late 2019.

“SaaS is very different from virtualization. With SaaS, you have a centralized multi-tenant network of computers that provides service to people,” says Jon Hirschtick, co-founder and CEO of Onshape. “As a result, you are not working in the inherently insecure Windows OS workstation environment; you are not copying and emailing files around; and you are not maintaining hundreds of different instances of the project.”

In Onshape, users collaborate with others by inviting them into the same modeling session, or sharing the centralized cloud-stored file with someone via a link, where you control the recipient’s reading, writing and editing privileges.

“The argument that you are more vulnerable in the cloud is a bit old-fashioned, like keeping your money under the mattress because you don’t trust the bank,” Hirschtick says. “We have to worry about hacking, just like any modern business these days. But I dare say, our security measures for our data center are far more secure than the steps taken by a typical corporate IT team or PC user.”

“With some government and military customers, they don’t even allow you to bring in your cellphone or storage devices into the facility,” observes Hirschtick. “These types of places currently won’t let you run SaaS software.”

Compliance and Security

But it’s not necessarily the end of the road for SaaS vendors who want to work with strict military or government clients. Amazon Web Services, one of the biggest cloud service providers, launched AWS GovCloud (US) in 2011, creating a way for SaaS vendors to comply with those clients’ regulations.

“AWS GovCloud is a new AWS Region designed to allow U.S. government agencies and contractors to move more sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements,” writes Amazon.

AWS data centers running the AWS GovCloud services are located in geographic regions acceptable to government and military users, both for compliance and security reasons. The stringent requirements go both ways. To use the GovCloud services, the customer also has to meet certain criteria.

“AWS GovCloud (US-East) and (US-West) regions are operated by employees who are U.S. citizens on U.S. soil. AWS GovCloud (U.S.) is only accessible to U.S. entities and root account holders who pass a screening process. Customers must confirm that they will only use a U.S. person (green card holder or citizen as defined by the U.S. Department of State) to manage and access root account keys to these regions,” Amazon states.

“We will at some point put our product on AWS GovCloud. When we do, we can reach these types of clients,” says Hirschtick.

Stolen Credentials

With increasing numbers of companies switching to SaaS or VDI for cost savings, stolen credentials are now a much greater risk than stolen computers: the design data no longer lives on the endpoint, but anyone holding a valid login can reach it from anywhere.

“If you steal my computer right now, you still cannot get my Onshape CAD files. Onshape data never leaves the server. It never gets copied into your local machine,” says Hirschtick. “But there’s no system that can fully prevent credential misappropriation. It’s just like someone getting your banking credentials and logging into your bank account.”

“Most of the customers I work with do not see virtualized infrastructure as an added vulnerability,” says Thompson. “Whether you are using physical or virtual machines, there is still a chance of intrusion, especially if your machines are secure but your network internet connection/firewall is wide open.”

“Some common causes of data breach regardless of physical or virtual environment include weak and stolen credentials, application vulnerabilities, malicious insiders or insider error. Addressing these issues and implementing a proper security and defense strategy is essential to minimizing risk,” says Kota. 

About the Author

Kenneth Wong

Kenneth Wong is Digital Engineering’s resident blogger and senior editor. Email him at [email protected] or share your thoughts on this article at digitaleng.news/facebook.