User Manual, A6V11852371_en_e, 7 | 19

3 Cloud Security: Provider and Cloud Hosted Application
Infrastructure and Platform Services
Building Operator utilizes AWS (Amazon Web Services) and Azure (Microsoft)
cloud infrastructure to host its application services, which, along with the
Siemens Connect Device, provide an end-to-end solution to unlock new value for
customers. AWS and Azure provide the cloud infrastructure hardware, software
and networking to meet the requirements of the most security-sensitive
organizations and are responsible for protecting the global infrastructure that runs
all the services offered within their clouds. A detailed list on these topics can be
found at https://aws.amazon.com/security/ and
https://docs.microsoft.com/en-us/azure/security/
Containerized architecture: In addition to AWS infrastructure, Building Operator
application software uses a container-based architecture, adding standardization
around development, build, test, and production environments. This creates an
additional layer of security, with the benefits of control over trusted sources of content,
protection from attacks and vulnerabilities in all layers of the platform, and secure
services through standard interfaces and APIs.
Deployment
Building Operator consists of multiple apps, see the list below. Security measures
apply to all apps.
App                  URL
Account Manager      https://account.bpcloudapps.siemens.com
Asset Manager        https://assets.bpcloudapps.siemens.com
Building Operator    https://buildingoperator.siemens.com

Building Operator stores and processes data in data centers located in Ireland.
Authentication, Access Control & Authorization
Authentication is the first step for any user on Building Operator apps; its aim is
simple – to verify the identity of the user. Building Operator uses Siemens ID, a
service based on an IDaaS (Identity as a Service) platform, which offers
authentication services and external identity management services for Siemens
applications accessed by partners and customers. The main benefit of Siemens ID
is single sign-on to Siemens applications. This includes ID administration
by the user, a security token service, and an option for multi-factor
authentication, enabling an added layer of security. You can find more about Siemens
ID at https://id.login.siemens.com/about/faq.
Authentication is complemented by access control, an additional step that
further protects important resources once the identity has proven it is who it
claims to be. For example, a user invited to company A, once authenticated, is
limited to accessing only the sites belonging to company A.
Authorization defines the set of actions that the identity can perform after gaining
access to a specific part of the infrastructure resource. Authorization is
a security mechanism used to determine user privileges to devices, services, data
and application features. Building Operator implements the principle of least privilege
and separation of duties with role-based access control (RBAC), limiting a user to
specific sites, devices, applications and features. For example, where a user has the
admin role for company A, only that admin user is authorized to invite others to their
organization (company A) to use Building Operator.
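The two checks described above, organization-scoped access control and role-based authorization, can be illustrated with a small model. The following is an added example written for this manual section; it is not Building Operator code, and the organization ids, role names, permission names and sample users are constructed assumptions, not values from the product.

```python
from dataclasses import dataclass, field

# Constructed role-to-permission mapping; role and permission names are illustrative
# and not taken from Building Operator.
ROLE_PERMISSIONS = {
    "admin": frozenset({"view_site", "edit_site", "invite_user"}),
    "operator": frozenset({"view_site", "edit_site"}),
    "viewer": frozenset({"view_site"}),
}


@dataclass(frozen=True)
class Site:
    site_id: str
    org_id: str  # the organization (e.g. company A) the site belongs to


@dataclass
class User:
    user_id: str
    # organization id -> role granted when the user was invited to that organization
    org_roles: dict = field(default_factory=dict)


def is_member(user: User, org_id: str) -> bool:
    """Access control step: an authenticated identity is admitted only to
    organizations it has been invited to."""
    return org_id in user.org_roles


def is_authorized(user: User, org_id: str, action: str) -> bool:
    """Authorization step: within an organization the user may perform only
    the actions granted to its role there. A missing or unknown role grants nothing."""
    role = user.org_roles.get(org_id)
    if role is None:
        return False
    return action in ROLE_PERMISSIONS.get(role, frozenset())


def visible_sites(user: User, sites):
    """Return only the sites in organizations the user belongs to."""
    return [s for s in sites if is_member(user, s.org_id)]


def invite_user(inviter: User, org_id: str, invitee: User, role: str) -> bool:
    """Grant `invitee` a role in `org_id` only if `inviter` holds invite rights there.
    Returns True when the invitation was applied, False when it was denied."""
    if not is_authorized(inviter, org_id, "invite_user"):
        return False
    if role not in ROLE_PERMISSIONS:
        return False  # refuse to grant a role the policy does not define
    invitee.org_roles[org_id] = role
    return True


# Constructed sample data mirroring the manual's company A scenario.
SITES = [
    Site("site-1", "company-A"),
    Site("site-2", "company-A"),
    Site("site-3", "company-B"),
]
ALICE = User("alice", {"company-A": "admin"})   # admin for company A only
BOB = User("bob", {"company-A": "viewer"})      # invited to company A as viewer
CAROL = User("carol")                           # authenticated, not yet invited anywhere


def demo():
    """Walk through the scenario in order; returns the outcome of each check."""
    return {
        "alice_sites": [s.site_id for s in visible_sites(ALICE, SITES)],
        "alice_sees_company_b": is_member(ALICE, "company-B"),
        "bob_can_invite": is_authorized(BOB, "company-A", "invite_user"),
        "bob_invites_carol": invite_user(BOB, "company-A", CAROL, "viewer"),
        "alice_invites_carol": invite_user(ALICE, "company-A", CAROL, "operator"),
        "carol_can_edit": is_authorized(CAROL, "company-A", "edit_site"),
        "alice_invites_to_company_b": invite_user(ALICE, "company-B", CAROL, "viewer"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The membership check and the role check are kept separate on purpose: a user who is not a member of an organization never reaches the permission lookup, and an admin of company A gains no rights in company B because the role is bound to the organization, not to the user globally.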