Security architectures for cloud-based CAE and SPDM offerings, an interview with Ceetron’s CTO Fredrik Viken

Fredrik Viken, CTO, Ceetron

The benefits of CAE in the cloud appear clear (see the blog post https://ceetronblog.com/2015/12/14/cae-in-the-cloud/ for an overview, from a Ceetron perspective). Ceetron is committed to a strategy of making 3D visualization in the cloud as efficient and immersive as it is on any desktop. Major CAE tool vendors like Simulia, Autodesk, Siemens, ANSYS, and others offer cloud-based products. But end-users remain concerned about the security of those products and their data.

In the following interview, Fredrik Viken, Ceetron’s CTO, explores how Ceetron is handling cloud security today, and offers some thoughts on how those solutions might evolve in the future.

Q1: Last autumn Ceetron released Ceetron Cloud, an offering that allows end users to store, view, and collaborate on CAE models in the cloud. Do potential customers ask questions about Ceetron Cloud’s security?

Fredrik: This is by far the biggest issue to overcome as the CAE world moves from desktop to cloud. Everyone sees security as the major issue when they consider moving their offering into the cloud. The benefits of a fully cloud-based offering are so large, however, that the industry needs to overcome this hurdle.  

Q2: What key technology elements does the security architecture of Ceetron Cloud comprise?

Fredrik: We use industry-standard security solutions in Ceetron Cloud. We use standard user authentication components based on node.js and Passport. We also use SSL (https) with an EV Certificate with Extended Validation that ensures that users know they are working with software from Ceetron in Norway. To obtain security validation, we have used several online third-party scanners to check cloud.ceetron.com for vulnerabilities. We have fixed all reported issues (even the more exotic ones).

Ceetron understands that some customers require an even greater degree of security, and are willing to do the extraordinary engineering required to realize it. This raises the whole issue of public vs. private clouds, and the technologies necessary to use them effectively. We will address that issue in a subsequent blog post.

Q3: How many levels of security are offered by Ceetron Cloud?

Fredrik: Ceetron Cloud can accommodate all four standard levels of security:

  • Public models can be found through browsing or searching on Ceetron Cloud, and can be seen by everyone.
  • Shareable models can be seen only by those who have the required link. The security is good, as the link is a GUID (base64 encoded) that is virtually impossible to guess (e.g. https://cloud.ceetron.com/v/MTyYNMfERDmTx-5NS_pJmQ). Users must remember, however, that anyone intercepting the email/chat carrying the link can then look at the model.
  • In the next level of security, users on Ceetron Cloud can create a Team. All Team members must be logged in and authenticated by Ceetron Cloud, and only members of that Team can look at the model. Someone who has the right link, but who is not logged in and authenticated, cannot see the model.
  • Only the owner of the model can look at the model. This is ensured by requiring the user to be logged in and authenticated by Ceetron Cloud before viewing the model. Again, having the right link is not enough.

In Ceetron Cloud, users can select the default sharing level as either “Shareable”, “Team {TeamName}” or “Private”. By setting it to “Private,” users ensure that nobody can see a given model until the sharing level is explicitly changed.

Q4: Ceetron Cloud is based on 3D object streaming and the use of AWS.  What were the toughest design decisions from a security perspective when you architected Ceetron Cloud this way?

Fredrik: The move to the web and cloud solutions has provided a steep learning curve. We have been working with cloud offerings for almost five years now, and I feel that we have succeeded in this transformation.  Going back to your question about security architecture, I think the two decisions we spent most time on, were the decisions to use object streaming rather than image streaming, and the use of Amazon Web Services (AWS).

Regarding the technical merits of object streaming rather than image streaming, I think they have been compellingly demonstrated. See for example my blog post on the same topic at https://ceetronblog.com/2016/01/21/visualization-in-the-cloud-for-cae-a-tale-of-two-architectures/. But one could envisage scenarios in which object streaming would be seen as less secure than image streaming, much the same way as thick or rich clients could be seen as less secure than thin clients.

Regarding the use of AWS, I think we are on pretty safe ground. We made that decision early on in the process through a fairly technical process, but our decision appears to have been vindicated by how, for example, Ansys has used Amazon EC2 for its Enterprise Cloud, Onshape has gone ‘all-in’ for AWS (according to its web site), Autodesk has based its A360 offering on AWS, and Dassault Systèmes Simulia has partnered with Amazon for its 3DS v6, all based on public information. We understand the European sentiment that US companies are somehow less trustworthy, but the fact is, few companies can afford to set up a private cloud with the same security level as AWS.

Q5: And why did Ceetron decide to deploy Ceetron Cloud on AWS, rather than on say Microsoft Azure, IBM SoftLayer, or Google Cloud Platform?

Fredrik: Our cloud offering can run on any platform; we consciously avoided implementing any features that would require a specific cloud provider. Our system needs only node.js 4.x and MongoDB 3.x support, toolkits that are supported on virtually any platform. Our framework for developing Web Apps (Ceetron 3D Components for Web) has even fewer requirements: only node.js. This independence of cloud provider or server configuration is key to our strategy.

The choice of AWS was based on our evaluation of it as a good technical and business solution, and on recommendations from customers. AWS is easy to set up, and offers lots of online help. AWS is also by far the biggest provider of cloud servers, so we thought it more likely that potential customers would accept it.

We know that several businesses will never use Ceetron Cloud; for whatever reason, these companies do not trust AWS with their data. Even if technical security were impregnable, there is always the chance that the US government (or other authority) would demand access. But this is true for any cloud provider.

Q6: Should Ceetron Cloud be seen as a technology demonstrator, or a defined public cloud product?

Fredrik: Smaller companies who just want a quick and easy way of enabling sharing in their applications would be happy with Ceetron Cloud, but we consider it more of a technology demonstrator. Most customers would require another kind of solution, either:

  1. Branded “Ceetron Cloud”. A branded/skinned version of Ceetron Cloud running on their cloud provider of choice (AWS/Azure/IBM/internal data center/etc.). Some customers might want to set this up on an Intranet to provide even stronger security, requiring a VPN connection or similar.  We have just completed the first branded “Ceetron Cloud” site this week. The features and capabilities are the same as on Ceetron Cloud, but the site has the customer’s look-and-feel, and will run on their hardware, thus ensuring the security of the solution.
  2. A custom sharing portal. Here we work with the customer to integrate the web-based visualization and progressive 3D object streaming of CAE data into their existing cloud portal. Many customers already have a portal for customer interaction (support/software download/etc.). In this scenario, the company would take care of all aspects of security, while we provide the CAE visualization support.

Q7: Could it be argued that at least for medium-sized companies with limited resources (e.g., a supplier to the automotive industry, or provider of specialized FEA- or CFD-based simulation tools), a standardized offering on a public cloud might actually be more secure than a private cloud or an on-premises solution?

Fredrik: There might be some truth in this. Most cloud providers have very good security and monitoring tools, and are harder to hack than internal servers. My view is that the most secure solution would be to run on an intranet behind firewalls, and let users use VPN if they’re offsite. But this would limit the possibilities to share data. Perhaps a hybrid system would be better: An internal server for sensitive data shared among employees, and then a public server for sharing less sensitive data with customers, partners, and others.

Q8: Why are companies happy to use Dropbox or OneDrive for storing sensitive business documents (e.g., financials), but not for storing CAE data or deploying an SPDM system?  Is this a culture thing that just takes time?

Fredrik: Dropbox and OneDrive have a good security record so far. Those who want to migrate CAE into the cloud must be convinced that our security is as good. I think starting with an Intranet solution might be the first step here, as it will showcase all the nice benefits from the web-based software solution, but still be securely stored behind company firewalls. One could see that approach evolving into a fully cloud-based solution over time.

Q9: Looking into the crystal ball and having a ten-year time horizon, will CAE offerings generally be deployed in a) the public cloud, b) as private clouds specific to CAE tool vendors, or c) as private clouds specific to end-users?

Fredrik: In this fast-changing world, 10 years is a VERY long time. I do think the main offering will be clouds specific to CAE tool vendors. The vendors will like solutions that are tightly integrated with their offering, and that have their look-and-feel. End-user specific private Clouds will only be practical for larger companies.

Q10: Does this mean that in the future all CAE offerings will essentially be cloud-based?

Fredrik: For the last two years I have personally been working a lot on cloud application and CAE visualization for cloud solutions. The benefits of a web application (no installation, always up-to-date, run on any device, run from any location) are too tempting to let go. In the past web applications were slow to use and did not offer the same premium user experience as their desktop counterparts. This gap is closing, and every year we see more-advanced user interfaces that rival any desktop application.

As a visualization company, we are very pleased with the adoption of WebGL. Today WebGL is supported on virtually any modern device (from smart TVs via phones and pads to high performance desktop systems). WebGL lets us create the same immersive visualization experiences in a web browser as we can do on desktop. We also get almost the same performance (say 95%) of the native desktop app.

Today we see several CAD applications moving to the cloud and using WebGL to render fast and visually impressive models in a responsive user interface. The simulation world is not doing as well. Our goal at Ceetron is to help CAE companies make this transition quickly and successfully.

Thanks to Fredrik for this perspective on security architectures for cloud-based CAE and SPDM offerings, and for providing insight into Ceetron’s thinking regarding Ceetron Cloud.

Regards,

Grim Gjønnes
General Manager, Crisp Ideas

(DISCLAIMER: Though representing Crisp Ideas AS, I have and have had ongoing engagements with Ceetron AS.)
