Focus On: Data security and the method of the rubber hose

This month we will deal with the debate on data security.

The debate on information security and intellectual property, the heart of corporate knowledge, has never been so heated. The reason is certainly the proliferation of solutions and the relentless success of cloud applications, which are upsetting the way manufacturing companies implement their innovation strategy.

During the product life cycle a great quantity of information (R&D documents, design schemes, CAD/CAM drawings) is generated that needs to be shared both inside and outside the company, from suppliers to customers. All this content is the result of the intellectual investment a company must make in the early stages of the product development process. These are the winning ideas that will be turned into practical and profitable applications, and for this reason their protection becomes essential.

A PLM (Product Lifecycle Management) solution provides the technology to manage a significant amount of data securely within the complex environment of product development.

Modern PLM systems, besides managing all product documentation, coding, technical bills of materials and revisions, also ensure that such information, especially files, is made available only to authorized operators at a given moment of the product life cycle. Sophisticated security features govern access to the archive of intellectual property: it is possible to define and assign to each user of the system specific operating privileges for each individual document or piece of information managed by the system. Too often, when speaking about data security, attention focuses only on the technological aspect, the code and machines or hardware and software that make up the data management system, leaving out the weakest link: the human being.

To illustrate this concept, Marcus J. Ranum, a famous hacker, described, half-jokingly, a technique he called quick and foolproof: “the rubber-hose method”.

Suppose we need to break into a high-technology server equipped with a supposedly foolproof security system. In Ranum’s telling, the technique is far simpler and cheaper than you might imagine; here is the shopping list:

  • 1 ½ inch rigid rubber hose, about 50 cm long (available at any hardware store)
  • 3 strong laces, 1 m long

The next step is to kidnap the system administrator, tie him to a chair with the laces and beat him vigorously with the rubber hose until he reveals the password to the system.
Tip: make sure the password is correct before freeing the victim.

Ranum has probably never tortured anyone, but this story helps us understand that any technological investment designed to improve internal security can be completely ineffective if the human aspect is not taken seriously. The statistics are clear: the majority of information thefts occur without forcing the system. For example, the vast majority of stolen technical drawings were copied to a USB stick, or even photocopied, without any difficulty by employees who had legitimate access to the system.

By this we do not mean that, when choosing a PLM system, it is unimportant to carefully evaluate the technical data-security features offered by the solution; we want to highlight that it is equally important, during the implementation phase of a PLM system, that the future users are made aware of and trained on security issues in order to protect intellectual property.

In conclusion, we discourage generic accounts (e.g. “technician”) with a password known and shared by dozens of people within the organization, and invite you to assign distinct login credentials to each employee. Moreover, each person must commit to keeping these credentials confidential: too many times we have seen post-its full of passwords stuck to monitors in offices!

And for the ill-intentioned: be aware that a good PLM system is also capable of logging every operation executed on the system itself. The PLM always knows who accessed which data, and when.
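As an added example, not code from the original article or from any PLM product, the following Python sketch shows the two mechanisms described above working together: per-document, per-account operating privileges and an audit trail of every access attempt. It also shows why the shared “technician” login defeats the audit trail: when the log names a shared account, the set of people who could have performed an operation is everyone who knows that password rather than one employee. The document names, accounts, the `PRIVILEGES` table and the `ACCOUNT_HOLDERS` mapping are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set

# Constructed sample data (not from any real PLM product): which account may
# perform which action on each document.
PRIVILEGES: Dict[str, Dict[str, Set[str]]] = {
    "drawing-1001.dwg": {"alice": {"read", "write"}, "bob": {"read"}, "technician": {"read"}},
    "bom-rev-B.xlsx": {"alice": {"read"}},
}

# Constructed: which physical people know each account's password. "technician"
# is the generic shared login the article discourages.
ACCOUNT_HOLDERS: Dict[str, Set[str]] = {
    "alice": {"Alice"},
    "bob": {"Bob"},
    "technician": {"Carla", "Dino", "Elena", "Fabio"},
}


@dataclass(frozen=True)
class AuditEvent:
    when: str       # ISO-8601 timestamp of the attempt
    account: str    # login that made the request
    document: str
    action: str
    allowed: bool   # denied attempts are recorded too


class DocumentVault:
    """Per-document, per-account privilege check plus an append-only audit log."""

    def __init__(self, privileges: Dict[str, Dict[str, Set[str]]],
                 clock: Optional[Callable[[], datetime]] = None) -> None:
        self._privileges = privileges
        self._audit: List[AuditEvent] = []
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def request(self, account: str, document: str, action: str) -> bool:
        # Default deny: an unknown document, account or action is refused.
        allowed = action in self._privileges.get(document, {}).get(account, set())
        # Every attempt is logged, denied ones included, so probing is visible.
        self._audit.append(AuditEvent(self._clock().isoformat(), account, document, action, allowed))
        return allowed

    def audit_trail(self, document: Optional[str] = None) -> List[AuditEvent]:
        """All logged attempts, optionally filtered to one document."""
        return [e for e in self._audit if document is None or e.document == document]

    def who_could_have(self, document: str, action: str) -> Set[str]:
        """People who may have performed a successful `action` on `document`.
        With one login per person this is a single name; with a shared login
        it is everyone who knows that password, so the trail no longer answers
        the question "who did it?"."""
        people: Set[str] = set()
        for e in self._audit:
            if e.document == document and e.action == action and e.allowed:
                people |= ACCOUNT_HOLDERS.get(e.account, {e.account})
        return people


def demo() -> DocumentVault:
    """Replay a constructed sequence of accesses with a deterministic clock."""
    minutes = iter(range(60))
    clock = lambda: datetime(2024, 1, 1, 9, next(minutes), tzinfo=timezone.utc)
    vault = DocumentVault(PRIVILEGES, clock)
    vault.request("alice", "drawing-1001.dwg", "read")        # attributable to Alice
    vault.request("technician", "drawing-1001.dwg", "read")   # attributable to four people
    vault.request("bob", "bom-rev-B.xlsx", "read")            # denied, but still logged
    return vault


if __name__ == "__main__":
    v = demo()
    for event in v.audit_trail():
        print(event)
    print("drawing-1001.dwg read by:", sorted(v.who_could_have("drawing-1001.dwg", "read")))
```

Running the block prints the three logged attempts and then the set of people who could have read the drawing: Alice plus the four holders of the shared “technician” password. Removing the shared account from `PRIVILEGES` and giving Carla, Dino, Elena and Fabio their own logins shrinks that set to exactly one name per event, which is what makes the audit trail useful in an investigation.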

See you next!