Security

Our cloud services are certified by EuroCloud StarAudit.

Read the public audit report
View published certificate on StarAudit.org


The EuroCloud StarAudit defines several cross-process points, making sure that a high level of quality, security, availability is reached and maintained. The Role of EuroCloud, as a vendor-neutral and non-profit organization, is to deliver know-how, legal orientation, quality guidance and best practises policies for global usage.

Architecture

In order to understand relevant security aspects it is necessary to take a look at the system architecture : This will give the entry points for the security discussion and show critical points of interest. The data flow starts in the field at the instruments level. Via interface devices as e.g. gateways, this data can be transmitted into the cloud, where it is transformed into information. Within the cloud, additional data sources may be injected to gain additional information. These can arise from other Endress+Hauser systems or customer environments as engineering tools or ERP systems.

Quality Audit

As security, trust and compliance are very sensitive topics, a quality audit is essential. StarAudit provided by EuroCloud (www.eurocloud.org) offers Endress+Hauser an accountable quality assessment of cloud services through a transparent and reliable certification process.

Assessed areas are:

  • Contract & Compliance
  • Data Privacy
  • Operational Processes
  • Software as a Service

Standards, Regulations and Law

To comply with the Quality Audit and under the aspect of laws and regulations, Endress+Hauser needs to consider a number of frameworks. Conclusions and requirements from these documents find their application in the software itself, but as well internal processes, operational processes and in the content of contractual documents such as Terms of Service. The applied frameworks are:

  • ISO 27001 – Information Security Management
  • ISO 20000 – Service Management System
  • Swiss DSMS (Data Security Management System)
  • PCI SAQ A – Payment Card Industry Attestation of Compliance Furthermore, Endress+Hauser requires its service suppliers to fulfill these frameworks as well. This guarantees integrated security and overall compliance.

Functions & Features

To comply with all previously mentioned requirements, it is necessary to have proper functions & features implemented in the software. The following outlines some of the security measures that we undertake.

Encryption of passwords:

In order to provide user confidentiality of passwords we do not store them in plain text. On user side, passwords are encrypted with ‘bcrypt, salt and pepper cryptography’ and we just only save the hash within our database.


OAuth 2.0

In order to support safe user identification during the usage of the software, we use a tokenized process to identify users against our cloud service. User passwords are transmitted only for token generation. This complicates scamming attempts and guarantees a safe authorization.


Encrypted communication channels only

The communication channel to our cloud service can solely be established via a secure and encrypted https connection. Thereby all payload data is encrypted according to industry standards and our cloud computers are trustfully authenticated by a certificate issued by a worldwide renowned certificate authority.


User information

When accessing its account, the user is able to see his past activities. The same mechanisms are used for online banking to detect possible fraud usage or failed login attempts.


Processes

Even in the safest environment, the event of serious security incidents may occur. Therefore we established internal processes to react as quickly as possible and to inform all affected parties to keep our customers safe from harm.


Server location

We use the strongest cloud hosting partners on the market, and only use server locations in Europe. These servers are operated under European law and jurisdiction, which is among the most >stringent worldwide. Our customers can be sure that their data is subject to one of the highest data security standards worldwide.


Gateway security

The gateway is a critical point in the architecture as it represents the access point from and to the user’s plant. The gateway will record only data from the field and transmit these towards the cloud. The other way around, from cloud to the gateway, no communication is initiated. Thus all incoming ports to the gateway are blocked. Only exceptions are gateway software updates. In order to guarantee safe downloads, these updates are certified and checked against the original file to prevent manipulation. Software updates are installed in parallel to the running system. When the update-process is completed, the gateway switches to the updated runtime and disconnects for the period of the reboot.


Customer data:

All customer data used by Endress+Hauser is solely owned by the customer. We reserve the right to access this data to deliver our service. If we share customer data with 3rd party service providers, we inform our customers about this cooperation prior to data exchange and assure that this service provider acts according the given terms and guidelines.