Fraunhofer IEM guarantees the highest security standards for “OSIRIS Premium” – the secure outpost
Secure data exchange, locally and with head office: The Fraunhofer IEM put the security concept of the OSIRIS server platform through its paces.
Photo: Janz Tec / Fraunhofer IEM
How is it possible to ensure secure data storage and protect data communication, even in insecure environments? International companies are increasingly facing this challenge. Luckily, this is the forte of the award-winning platform OSIRIS. From the outset, Janz Tec has relied on cooperation with the Fraunhofer Institute for Mechatronic Systems Design IEM. True to the “security by design” principle, the research institute assisted in the development of the security concept and is now putting the finished product through its paces. In practical terms, this means that the researchers try to hack OSIRIS.
Sven Merschjohann, a scientist at the Fraunhofer IEM, starts out by explaining “so far, we haven’t managed to do so. Both the OSIRIS software and hardware are extremely secure.” “Even so, software is never ‘finished’. For instance, you constantly need to install the latest version.” This is why Sven Merschjohann paid special attention to ensuring that OSIRIS has a reliable mechanism for future software updates.
Regular updates are just one part of the security concept that Janz Tec, the industrial computer systems specialist from Paderborn, developed, in cooperation with the scientists from the Fraunhofer IEM, specifically for its OSIRIS Secure Appliance solution, which won the “BEST OF 2017” award at the INNOVATIONSPREIS IT 2017. The finished security concept is the result of comprehensive collaboration from the product development process onwards: The topic of security was an integral feature of OSIRIS right from the beginning of the concept stage, as an explicit hardware and software requirement. “On the one hand, this integrated approach reduces our development time, on the other hand, we now have a product with perfectly coordinated security components, which don’t need to be added later in an emergency,” explains Dr. Markus von Detten, Head of Systems Engineering and Software Development at Janz Tec.
IT security: Tailored to meet the demands on any budget
The holistic approach, which directly integrates measures for the development of secure software-intensive systems right through from requirements engineering to the finished product, is called “Security by Design”. The developers conducted a comprehensive threat analysis while OSIRIS was still in the design stage. On the basis of various scenarios concerning weak spots in the system or external attacks, they derived protection objectives which they then bore in mind during the rest of the development process.
Especially for small and medium-sized companies, it is important to take the question of cost-effectiveness into consideration. To avoid placing unnecessary burdens on the development budget and the cost of the end product due to superfluous features, it is important to critically examine which security features are actually needed for each product. “I am sure that there are also pragmatic solutions at a reasonable price for small and medium-sized companies. With a sensible and needs-oriented concept, everyone can afford IT security,” says Sven Merschjohann.
OSIRIS is a large-scale solution for industry that needs to cover a lot of bases: It is a secure outpost for product and process data, ensuring secure and efficient data exchange between globally distributed teams or entire production plants with the server at home.
Data needs to be stored securely locally and synchronised with head office “under supervision”, which is why the OSIRIS security concept is so comprehensive and meets the highest security standards. It describes both the physical structure as well as the software structure in detail and specifies which measure is to be used in which scenario. The scientists at the Fraunhofer IEM have thoroughly tested the individual precautions: Where and how is sensitive information physically stored on the platform? Which cryptographic methods are used? Is adequate authentication required? Does the encryption meet the latest standards? Will there be regular software updates for OSIRIS, even when in operation? The Federal Office for Information Security (BSI) provides information on the regulations and standards, the international ISO/IEC 27000 series and the IEC 62443 standard, which formed the basis of the work of the scientists at the Fraunhofer IEM.
On the test stand
Janz Tec itself has excellent software developers and the BSI guides. Nevertheless, Dr. Markus von Detten believes the cooperation with the Fraunhofer researchers is essential: “Our customers rely on the total security of our products, so we make doubly sure by allowing a third party to take an objective look at it.”
This double-layer of protection goes so far as Sven Merschjohann assuming the role of a potential attacker. He systematically tries to find security gaps in the OSIRIS software and to gain access to the platform – this time without using his login details. This enables Janz Tec to ensure that its customers’ data is as secure as possible and prevent it from landing in unauthorised third parties’ hands. If he were to find a way in, Janz Tec could let the customer know about the bug right away and fix it in the next update, but when it comes to OSIRIS, Sven Merschjohann is scratching at the door in vain because all of the locks remain secure.