Secure DevOps for PLM

Hybrid and Proud

These days people choose a personal identity for every facet of their lives, but when we speak about IT infrastructure, there seems to be only one direction: to the cloud. You can still decide which cloud you are going to trust with your IP, your data, and your business processes: AWS, Azure or Google Cloud for Oceania; Alibaba or Tencent for Eastasia; or even smaller private data centers built on VMware or OpenStack.
Once upon a time I was a big fan of Jack Welch shutting down all non-performing business units at GE. That was until I realized that his strategy reaped huge short-term dividends for the shareholders, but after all the neutron dust settled, the devastation it caused to the American industrial base became visible to everyone. Entire layers of competence had been irrevocably wiped out, and the Pentagon became forever dependent on China for nuts and bolts.
Which brings us to the topic of PLM vendors joining the rush and building up their managed cloud offerings: 3DX Cloud and PTC Cloud, with PTC acquiring Arena to gain even more options for multi-tenant environments.
That rush holds unique dangers for engineering and manufacturing companies. I have no problem with sales and ERP moving to the cloud, because they operate on relatively simple data. But what if a SaaS PLM upgrade slightly alters how the decimal precision of tolerances is handled? How can PLM vendors guarantee that the relationships between CAD parts will not be affected?
Data Integrity
As far as I know, no present PLM system provides a built-in mechanism to physically compare the entire state of its data from one software version to the next, or even from one day to the next. This applies both to designs stored as physical files (CATIA V5) and to fully database-managed designs (CATIA V6), which amount to a big bowl of exposed assemblies.
But while an OEM can still run that comparison itself for an on-premise solution, or for the equivalent deployed on a public cloud that the OEM still controls, fully managed solutions like 3DX Cloud and PTC Cloud neither provide any means of data integrity validation themselves, nor give a concerned OEM the access needed for that kind of guerrilla activity.
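As an added example (not code from the original post, nor from any PLM vendor), here is the kind of guerrilla integrity check an OEM can run against its own exports: take a snapshot before the upgrade, take one after, and diff them at the record level rather than trusting the vendor's word. It goes slightly beyond the text in one respect: numeric attributes are kept as the strings the system printed and compared with `Decimal`, so a tolerance whose value survived but lost a trailing zero (`0.10` becoming `0.1`) is reported separately from one whose value actually drifted. The record field names, the sample exports and the vault file contents are all constructed for the example.

```python
import hashlib
import json
from decimal import Decimal, InvalidOperation


def file_digest(blob):
    """SHA-256 of a vaulted CAD file's bytes (here constructed stand-ins)."""
    return hashlib.sha256(blob).hexdigest()


# Constructed stand-ins for the physical files in the vault.
VAULT = {"A-100": b"CATPart A-100 rev C", "P-1": b"CATPart P-1 rev A",
         "P-2": b"CATPart P-2 rev B", "P-3": b"CATPart P-3 rev A"}

# Constructed exports taken before and after an upgrade. Field names are
# assumptions for the example, not any vendor's schema. Numeric attributes are
# kept exactly as the system printed them, never parsed into floats.
BEFORE = [
    {"id": "A-100", "rev": "C", "tolerance": "0.10", "children": ["P-1", "P-2"],
     "file_sha256": file_digest(VAULT["A-100"])},
    {"id": "P-1", "rev": "A", "tolerance": "0.05", "children": [],
     "file_sha256": file_digest(VAULT["P-1"])},
    {"id": "P-2", "rev": "B", "tolerance": "0.2", "children": [],
     "file_sha256": file_digest(VAULT["P-2"])},
]
AFTER = [
    # trailing zero dropped and a child link lost
    {"id": "A-100", "rev": "C", "tolerance": "0.1", "children": ["P-1"],
     "file_sha256": file_digest(VAULT["A-100"])},
    {"id": "P-1", "rev": "A", "tolerance": "0.05", "children": [],
     "file_sha256": file_digest(VAULT["P-1"])},
    # value drifted after a float round-trip somewhere in the upgrade
    {"id": "P-2", "rev": "B", "tolerance": "0.2000000000000000111", "children": [],
     "file_sha256": file_digest(VAULT["P-2"])},
    {"id": "P-3", "rev": "A", "tolerance": "0.3", "children": [],
     "file_sha256": file_digest(VAULT["P-3"])},
]

NUMERIC_FIELDS = ("tolerance",)


def canonical(record):
    """Stable serialisation: sorted keys, no whitespace, child links sorted, so
    that a mere reordering does not change the digest."""
    rec = dict(record)
    rec["children"] = sorted(rec.get("children", []))
    return json.dumps(rec, sort_keys=True, separators=(",", ":"))


def record_digest(record):
    return hashlib.sha256(canonical(record).encode()).hexdigest()


def manifest(records):
    """Per-record digests plus one root digest over all of them, sorted by id,
    so two exports can be compared with a single string before any diffing."""
    digests = {r["id"]: record_digest(r) for r in records}
    root = hashlib.sha256(
        "".join(f"{k}:{v}\n" for k, v in sorted(digests.items())).encode()).hexdigest()
    return digests, root


def classify_numeric(old, new):
    """'representation' when the value is unchanged but its printed precision is
    not (Decimal keeps the exponent, so '0.10' == '0.1' in value only);
    'value' when the number itself moved or cannot be parsed."""
    try:
        d_old, d_new = Decimal(old), Decimal(new)
    except InvalidOperation:
        return "value"
    return "value" if d_old != d_new else "representation"


def diff_snapshots(before, after):
    """Field-level report of what changed between two exports."""
    b = {r["id"]: r for r in before}
    a = {r["id"]: r for r in after}
    report = {"added": sorted(set(a) - set(b)),
              "removed": sorted(set(b) - set(a)),
              "changed": {}}
    for pid in sorted(set(a) & set(b)):
        if record_digest(a[pid]) == record_digest(b[pid]):
            continue
        changes = {}
        for field in sorted(set(a[pid]) | set(b[pid])):
            old, new = b[pid].get(field), a[pid].get(field)
            if field == "children":
                old, new = sorted(old or []), sorted(new or [])
            if old == new:
                continue
            kind = classify_numeric(old, new) if field in NUMERIC_FIELDS else "value"
            changes[field] = {"old": old, "new": new, "kind": kind}
        report["changed"][pid] = changes
    return report


if __name__ == "__main__":
    print(json.dumps(diff_snapshots(BEFORE, AFTER), indent=2))
```

The root digest answers the cheap question first (did anything change at all?); the record diff then tells you where, and the `kind` flag separates a cosmetic precision change, which may still matter on a drawing, from a genuine value drift or a lost assembly link. The same report run daily against an on-premise system is the "one day to the next" comparison the text describes.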
Security
Security for everything located outside of your corporate firewall is a perpetual concern. It is bad when personal information is stolen, but it is far worse when an OEM's entire IP is gone: stolen by an adversary's military-industrial complex, or published on a wiki site by some do-gooder hacker group. And do not forget the potential for surreptitious sabotage, with some bad foreign actor making minor, unauthorized design changes that go unnoticed.
Note: Physical CAD files are certainly a more tempting target than exposed assemblies, since they take less effort to analyze, but stealing the latter is not impossible: in days of open economic warfare, IP theft projects will always get their line items approved.
Supplier Collaboration
An OEM must collaborate with suppliers, which means exposing a slice of its PLM data to them and providing them with licenses. This concerns both on-premise and cloud-based PLM.
There is a real need to clearly separate which contextual data is available to different suppliers: you still want your cheap Chinese plastic, but you may not want to advertise what it will be used for.
Going Hybrid, Going DevSecOps
From a practical perspective, what can an OEM do? There are a number of paths here:
  • For larger OEMs: avoid multi-tenant cloud PLM systems as the primary source of truth. If you must go to the cloud, the preference should be for IaaS, with your own IT maintaining the system there and deciding on upgrades, integrity checks, etc.
  • Split the system into an on-premise (or IaaS) core that stores the main IP and guarantees a high level of data stability and security, and a cloud-based BOM for a supplier collaboration portal, or even a design collaboration system similar to Onshape. But again, the core data is better kept under the protection of your own beautiful firewall. ShareAspace from Eurostep might be an interesting solution for that kind of functionality.
  • Use Kubernetes to insulate the PLM deployment from the cloud vendor. Keep in mind that this only makes the application tier portable; the database and the file vault still need storage choices that can move with it.
  • Use advanced DevOps (aka DevSecOps), with SonarQube- and GitLab-type security control tools that check every customization commit long before it is deployed anywhere.
  • For smaller OEMs with scarce budgets and no real choice but a managed cloud PLM: if you are in a regulated industry, do not leave your belongings unattended. At a minimum, keep your own periodic exports of the data so that you have something to compare against.
  • I am interested in PLM-PIM (Product Information Management) concepts, where an OEM publishes data to customers or suppliers in a controlled manner: sharing product details and models while hiding the material specs and calibrations.
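As an added example (not code from the original post, nor from ShareAspace or any PIM product), here is one way to build the supplier slice described under Supplier Collaboration and the PLM-PIM publishing idea in the last bullet: the master data stays behind the firewall, each audience gets an explicit allow-list of parts and fields (anything not listed is dropped), assembly links are cut at the audience's boundary so a supplier cannot see what its part is used for, and an independent egress check runs on the finished payload before it is published. The master records, field names and audience definitions are constructed for the example.

```python
import json
import re

# Constructed master data, assumed to live behind the OEM's firewall. Field
# names are assumptions for the example, not a vendor schema.
MASTER = {
    "A-100": {"id": "A-100", "rev": "C", "program": "Project Blue",
              "model": "A-100_C.stp", "material_spec": "MS-7 grade 2",
              "calibration": "cal-2024-03", "children": ["P-1", "P-2"]},
    "P-1": {"id": "P-1", "rev": "A", "program": "Project Blue",
            "model": "P-1_A.stp", "material_spec": "ABS, UL94 V-0",
            "calibration": None, "children": []},
    "P-2": {"id": "P-2", "rev": "B", "program": "Project Blue",
            "model": "P-2_B.stp", "material_spec": "Al 6061-T6",
            "calibration": "cal-2024-01", "children": []},
}

# One allow-list per audience: parts it may see and fields it may see on them.
# Everything not named here is withheld (default deny).
AUDIENCES = {
    "plastics_supplier": {"parts": {"P-1"}, "fields": {"id", "rev", "model"}},
    "machining_supplier": {"parts": {"P-2"},
                           "fields": {"id", "rev", "model", "material_spec"}},
    "customer_portal": {"parts": {"A-100", "P-1", "P-2"},
                        "fields": {"id", "rev", "model", "children"}},
}

# Hard floor: never published to anyone, whatever an audience definition says.
NEVER_PUBLISH = {"calibration"}


def build_slice(master, audience):
    """Project the master data onto the audience's allow-list. Child links are
    filtered to parts inside the audience's scope, so the slice cannot reveal
    the assembly context of a part the audience is not meant to know about."""
    allowed = set(audience["fields"]) - NEVER_PUBLISH
    out = {}
    for pid in sorted(audience["parts"]):
        rec = master[pid]
        view = {f: rec[f] for f in sorted(allowed & set(rec))}
        if "children" in view:
            view["children"] = [c for c in rec["children"] if c in audience["parts"]]
        out[pid] = view
    return out


def egress_check(slice_, master, audience):
    """Independent check on the finished payload before it leaves the firewall.
    Returns a list of violations; an empty list means the slice may be published."""
    problems = []
    allowed = set(audience["fields"]) - NEVER_PUBLISH
    for pid, view in slice_.items():
        if pid not in audience["parts"]:
            problems.append(f"{pid}: part not in audience scope")
        for field in view:
            if field not in allowed:
                problems.append(f"{pid}: field {field!r} not in allow-list")
        for child in view.get("children", []):
            if child not in audience["parts"]:
                problems.append(f"{pid}: link to out-of-scope part {child}")
    # Crude content scan: an out-of-scope part number anywhere in the payload
    # (a free-text note, a file name) is treated as a leak of usage context.
    payload = json.dumps(slice_)
    for pid in master:
        if pid not in audience["parts"] and re.search(r"\b" + re.escape(pid) + r"\b", payload):
            problems.append(f"payload mentions out-of-scope part {pid}")
    return problems


def publish(master, audience_name):
    """Build the slice for one audience and refuse to publish on any violation."""
    audience = AUDIENCES[audience_name]
    slice_ = build_slice(master, audience)
    problems = egress_check(slice_, master, audience)
    if problems:
        raise ValueError(f"{audience_name}: " + "; ".join(problems))
    return slice_


if __name__ == "__main__":
    for name in AUDIENCES:
        print(name, json.dumps(publish(MASTER, name), indent=2))
```

The point of the separate `egress_check` is that it does not trust `build_slice`: a later customization that adds a field, or a hand-edited export, is caught at the boundary rather than discovered by the supplier. The substring scan for out-of-scope part numbers is deliberately crude; it will not catch a part described in words, but it does catch the common case of an identifier copied into a note.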
Taking all the above together, going hybrid is the real future for those who want to use a powerful PLM, ride the cloud, have their cake and eat it, sleep well, and stay compliant with all relevant regulations.