A snapshot from a typical hall: the beeps of readers and buzzes of printers resound throughout the warehouse. Operators are scanning barcodes and printing stickers that they will then be placing on packages of materials or finished products. Data is flowing between each reader/printer and the server swiftly, safely and with no need for user intervention. At least in the case of an on-premise solution. But how is it with connecting these devices to the cloud?
Currently, the vast majority of communication runs through a customer’s own computer network. So data rarely peeps out over a hall’s walls into the unsafe world of the internet; it flows along the company’s safe internal wires only. Thanks to this feeling of safety, old, insecure communication protocols such as Telnet for text or traditional HTTP for web browsers are used in even the most modern on-premise information systems. In a cloud-based world, all of this will have to change completely.
Once cloud services are in play within an information system, it no longer lies on “home” ground in a company’s own server room; instead, it is accessed via the insecure, open internet and faces a number of potential risk factors. Data theft and manipulation are the main risks that arise when insecure communication is used between the client (the mobile reader or printer – or your PC) and the information system on the server. Enterprise data is an ever more valuable commodity, and if you’re sending information over an insecure protocol, you might as well ask your bank to send your PIN on a postcard.
The second main risk is potentially exposing your information system to practically everyone on the internet. Back when it was on your server, no outside parties could reach it. But cloud tools and systems are available to everyone. This situation demands that you secure your solution.
IT developers are well aware of the risks, and countermeasures exist for every one of them. The risk of data theft or manipulation is mainly addressed by encrypting your communication. Encryption is a process wherein a sender’s sensitive information is turned into something that looks like nonsense, but is readable using the decryption key held by the receiver. Ordinary users never notice the encryption; it takes place between software programs only.
HTTP is one of the most popular communication protocols on computer networks today. Even though it was originally developed for displaying web pages only, it has become the de facto transfer medium for other applications as well. Its secure variant, HTTPS, is the right solution for tools in the cloud. Not only does HTTPS ensure the encryption of the transferred data, as well as its continuous integrity (confirmation that no-one has manipulated it along the way), it also verifies the other party’s identity. So if, for example, you send an EDI message or a transaction for a WMS system over HTTPS, you have the certainty of knowing precisely who you’re communicating with, and simultaneously knowing that nobody has changed or read the data in the transaction or message.
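The identity guarantee described above only holds if the client actually verifies the server certificate. The following is an added example (not Aimtec code) of a client that sends a WMS transaction over HTTPS with certificate and hostname verification enforced and plain HTTP refused; the endpoint name is a placeholder.

```python
import json
import ssl
from urllib.parse import urlparse

# Placeholder endpoint for the example; not a real aimtec.cloud address.
WMS_ENDPOINT = "https://wms.example.invalid/api/transactions"


def secure_client_context() -> ssl.SSLContext:
    """TLS settings under which HTTPS delivers the three guarantees above:
    the server certificate must chain to a trusted CA (identity), its name
    must match the URL host (identity), and legacy protocol versions that
    weaken confidentiality/integrity are refused."""
    ctx = ssl.create_default_context()            # system trust store
    ctx.check_hostname = True                     # name on the certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED           # unverifiable certificates abort the handshake
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3 / TLS 1.0 / TLS 1.1
    return ctx


def endpoint_problem(url: str):
    """Return None if the URL is safe to send enterprise data to, else why not."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return f"scheme {parts.scheme!r} sends data across the internet unprotected"
    if not parts.hostname:
        return "URL has no host name to verify the certificate against"
    return None


def send_transaction(url: str, transaction: dict, post=None) -> bytes:
    """POST one WMS transaction as JSON over HTTPS. `post(url, body, ctx)` is
    injectable so the function can be exercised without a network; by
    default urllib performs the request with the hardened context."""
    problem = endpoint_problem(url)
    if problem:
        raise ValueError(f"refusing to send transaction: {problem}")
    body = json.dumps(transaction).encode()
    ctx = secure_client_context()
    if post is not None:
        return post(url, body, ctx)
    import urllib.request
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read()
```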
Within aimtec.cloud, we use the HTTPS protocol to connect not only mobile terminals but also end-user PCs and touch panels. Mobile terminals use HTTPS within the native DCIx Touch Client Android app – a product developed by Aimtec itself. Computer users can stick to their usual web browser, but instead of “http”, aimtec.cloud web addresses will begin with “https” – as has become the standard for the majority of web pages today. The same applies for touch panels, which are typically located in the spaces used for collecting manufacturing data.
In certain cases, HTTPS can also be put to use for sending print jobs to printers. Normally, a server located in a cloud data centre should not have any access at all to the printer on the desk next to you; these printers should be connected to your local enterprise network only. However, the modern IPP printing protocol can optionally be used for printing labels or customer documents from aimtec.cloud; IPP makes use of HTTPS and thus of its security features as well.
All the same, the ideal solution is to define a secure tunnel over a VPN. This represents a secure route for data even over the public internet, and it gives both sides full control over the rules for data flow. Ideally, the VPN connection is set up between the data centre and the customer’s network in one direction only (from the cloud to the customer) and for a precisely defined set of endpoints (printers). This eliminates the risk of printers potentially being exposed to the internet.
A second fundamental security problem, reliable authentication, is primarily addressed through a well-designed password policy and password management. Within aimtec.cloud, passwords are treated as extremely sensitive data – they are encrypted, and the password policy enforces a certain minimum length, non-reuse or limited validity for passwords, and the blocking of accounts after a certain number of failed logins. Depending on the functions in use, Microsoft Active Directory integration can also be applied, thus retaining centralised user administration.
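As an added illustration (not Aimtec code) of how the four policy rules listed above fit together, the example below enforces minimum length, non-reuse against recent passwords, limited validity and account blocking after repeated failures. The thresholds and the stored form (a salted PBKDF2 hash) are assumptions chosen for the example, and time is passed in as epoch seconds so the logic can be exercised offline.

```python
import hashlib, hmac, os
# Policy values are assumptions for this example; the page does not state aimtec.cloud's actual settings.
MIN_LENGTH = 12
HISTORY_DEPTH = 5            # a new password may not equal any of the last 5
MAX_AGE = 90 * 86400         # seconds a password stays valid
LOCKOUT_THRESHOLD = 5        # failed logins before the account is blocked
LOCKOUT_DURATION = 15 * 60   # seconds the block lasts

def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)                 # fresh random salt for a new password
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password: str, now: float):
        self.history = []        # (salt, digest) pairs, newest last; current password is history[-1]
        self.failed = 0
        self.locked_until = None
        self._store(password, now)

    def _store(self, password, now):
        self.history.append(hash_password(password))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only what the non-reuse rule needs
        self.changed_at = now

    def _matches(self, password, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def set_password(self, new_password: str, now: float):
        """Return None on success, otherwise the policy rule that was violated."""
        if len(new_password) < MIN_LENGTH:
            return "too short"
        if any(self._matches(new_password, e) for e in self.history):
            return "reused"
        self._store(new_password, now)
        return None

    def login(self, password: str, now: float) -> str:
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.failed, self.locked_until = 0, None    # block has expired
        if not self._matches(password, self.history[-1]):
            self.failed += 1
            if self.failed >= LOCKOUT_THRESHOLD:
                self.locked_until = now + LOCKOUT_DURATION
                return "locked"
            return "bad password"
        self.failed = 0
        return "expired" if now - self.changed_at > MAX_AGE else "ok"
```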
Security is one of our main priorities in the development of aimtec.cloud. Securing communication between the client and the server is one area in which we apply the latest approaches to our overall system design, but it’s far from the only one. This approach makes the entire platform highly modular and fully secure, yet still fully open to communication with the rest of the world.