Secure DevOps for PLM

Feet on the ground, head in the (3DEXPERIENCE®) clouds

What do we know about clouds? Apparently, some of them can be pleasantly intoxicating. I had never heard that expression before, but this is not the first time I have learned something new.
How does this apply to the 3DExperience universe? Dassault Systemes and its customers and partners actively discuss a move to the cloud and its benefits, but many of them are concerned about which exact cloud they must choose and the dangers of settling on the wrong cloud.
The easiest option is the 3DExperience cloud hosted by DS itself. You seem to get everything you need in one inexpensive package without needing to take care of the 3DX back-end. The total cost of ownership of having all that powerful 3DX functionality is rather low. Upgrades happen automatically and they are extensively quality-controlled by DS itself. The system always uses the latest version of 3DX, and performance is apparently very good.

However, all that luxury comes at the cost of accepting certain built-in restrictions. These may be absolutely acceptable for some companies, such as smaller startups:
  • Integrations are extremely limited. You must use the 3DX Web-Services REST API, which includes only basic functionality. This is going to improve as DS continues to work on it, but this restriction is still a major and legitimate concern for any company integrating with large non-DS systems.
  • Data load options are limited.
  • 3DX Cloud runs the truly and absolutely latest version of 3DExperience – which is one version above the latest build available for on-premises deployment. This makes it very difficult if not impossible to ever move back to on-premises use or to another cloud solution.
Altogether, 3DX Cloud presumes you are settling in the DS eco-sphere forever, and will never leave. A user must be prepared for such a one-way entry into this eternal marriage.
The price for more freedom is more responsibility. If you want access to extended customization capabilities, the Java API, MQL and direct database queries while still enjoying cloud virtualization infrastructure, you will need to manage your 3DX cloud yourself, almost the same way as you would for an on-premises deployment, with the exception of “instance provisioning” being done with a few clicks (using my personal favorite AWS as an example).

The next option for 3DExperience on the cloud is to use Outscale, a DS company providing a virtualization platform. When I first saw the news, I thought Outscale had some special features making it friendlier to 3DX – but it does not. Outscale is a virtualization platform apparently based on the so-called Nova OS open-source project. It has all the bells and whistles of AWS circa 2010 – it even has an AWS compatibility mode to make the learning curve and adaptation of AWS-based scripts easier. However, it is so bare-bones compared to AWS or Azure that I questioned its real value proposition – until I realized the value was not in the technology per se, but in what can be called jurisdiction shopping. Outscale appeared because Europeans realized they needed to move on with their cloud capabilities and stop being dependent on all the US companies related to the Patriot Act compliance nightmares. France led the charge as usual. Outscale contracts are country-specific and each of them is based on particular legislation. This makes perfect sense for European companies, but is there anything that makes Outscale attractive to US clients vs AWS or Azure? Considering the fact that XDI – a respected DS partner – uses Outscale extensively for their own proprietary cloud offering, I can only guess they got very good terms from DS/Outscale, while AWS and Azure are quite expensive by comparison.

Note: as I was writing this article, Outlook announced OOS, a direct competitor to AWS S3 and Azure Blobs.
The kings of the cloud are AWS and Azure (for whatever reason we do not have good memories of using Google). They hold their crown not only because they offer a wide variety of instance types and unlimited storage capacities. They presently provide more features as a service than you can possibly count with all your fingers and toes. These features can be extremely relevant for engineering/manufacturing companies: IoT Hub for integrating with sensor networks, ESB options starting from Kafka, containerization/Kubernetes, databases of different types and flavors, rich CI/CD processes, Elastic Search.

Both AWS and Azure support so-called US government cloud – while keeping the same technology, which makes moving data and solutions and organizing CI/CD between regular civilian and ITAR clouds reasonably convenient.
Licensing is always a major topic: 3DExperience licensing depends on certain underlying hardware/software configuration:
In my experience, even when unable to use a particular public-cloud based 3DX license server, a 3DX license server was successfully deployed on premises and integrated with the rest of the pack on the cloud using VPN tunnel.
Security is a major concern for any cloud-based system, and 3DX is no exception. So far I have not heard about serious attacks on 3DX cloud implementations, but one must assume they may happen along the well-known lines of attack: DDoS, exploitation of default or misconfigured security settings, code injection (with both original DS code and customizations being analyzed for such vulnerabilities and then exploited), brute force, MitM and, worst of all, Spectre/Meltdown.
Mitigating those issues would require a standard array of measures.

  • Virtual Private Cloud with full network segmentation, which can be made even stronger by using VPN user connections;
  • CloudFront type DDoS shield;
  • Security audits for all elements of the environment, security focused code review and massive and regular automated testing for various regressions.
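An added example, not from the article or from DS, of one automated audit that supports the segmentation item above: it flags security-group ingress rules that admit traffic from outside the VPC or VPN ranges. The CIDR ranges, group IDs, ports and the allow-list policy are assumptions; the sample is constructed in the shape returned by `aws ec2 describe-security-groups`.

```python
import ipaddress

# Assumed values, not from the article: VPC range and VPN client pool.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("172.27.0.0/24")]
# Assumed policy: only the edge group may expose HTTPS to the internet.
ALLOWED_PUBLIC = {("sg-edge", "tcp", 443)}

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-edge", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.20.1.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 1521, "ToPort": 1521,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]}

def is_trusted(cidr):
    """True if cidr lies entirely inside the VPC or the VPN client pool."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t)
               for t in TRUSTED_NETS)

def audit(described):
    """Return (group, ports, source) for each ingress rule that breaks segmentation."""
    findings = []
    for sg in described["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            ports = "all" if proto == "-1" else f"{lo}-{hi}"
            # A public source is acceptable only for an allow-listed single port.
            public_ok = lo == hi and (sg["GroupId"], proto, lo) in ALLOWED_PUBLIC
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for src in sources:
                if not (is_trusted(src) or public_ok):
                    findings.append((sg["GroupId"], ports, src))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("VIOLATION group=%s ports=%s source=%s" % finding)
```

Run against real `describe-security-groups` JSON on a schedule, the same check doubles as a regression test for the network layer.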
Fortunately, DS is taking cloud security seriously and has published white papers on the subject.
Now, let’s talk about migration. I already mentioned the issue of 3DX Cloud not being too convenient for any data import or export, and therefore data migration from on-premise 3DExperience to 3DExperience Cloud might become a challenge. At the same time, migrating from on-premise to the AWS type of cloud should be pretty straightforward for anyone experienced with general cloud migration techniques. After all, the 3DExperience environment consists of the application side and the data.
Applications can be either installed from scratch on EC2 type of infrastructure, linked by Route53 type of DNS and protected by VPC network setup – not much different from the on-premise overall – or they can be deployed much faster using containerization (Docker/Kubernetes).
Data consists of the databases and files (CAD, MS Office etc.). Oracle DataGuard can be an easy method of transparently and quickly moving database-related data from on-premise to the cloud without clogging the network. Files can be synchronized by rsync type of scripting.
By the way, the recent announcement of DS acquiring NuoDB makes sense in exactly that context: if a customer has a NuoDB as a part of 3DX on-premise setup, and then moves to the cloud, all they need to do is to create a NuoDB node on the cloud of choice and then sooner or later those two (or more) instances will get in sync.
Conclusion: for those who were wondering if it is possible (feasible) to move to a 3DX cloud implementation, the answer is definitely yes. It will be no more complicated than doing the same exercise with any other enterprise system – not without pains, but it is absolutely doable.
Cloud seems to be the future (until singularity kicks in and the Terminator rises and smiles back at us). I have accumulated a pretty decent experience working with 3DExperience on premises, on the cloud and in-between. At the same time, we are all still learning new things and I would be happy to hear from others about challenges of moving 3DExperience to the cloud, and see where I and my team can assist.