Security
Ray Verhoeff
Vice President – Engineering
Agenda
• Operating System Security
• PI Server Security
• PI Clients
• Auditing
• “Best Practices” White Paper
Motivation
• Widely held misconceptions
• Pharmaceutical Industry audits
What do these have in common?
• Complete Works of Shakespeare
• The Bible
• California Tax Code
• Tao Te Ching
• 21CFR11
Answers…
• None are clear or specific
• Subject to interpretation
• Have inspired great minds to debate the issues for hours
• Commentaries now outweigh the original document
21CFR11
• Electronic Records
• “Code of Federal Regulations”
  • Not Law
  • Not Standard
• Subject to interpretation
• Details will be shaped by FDA rulings
Examples
• Electronic Signature
• Human Readable
21CFR11 Tug-of-War
• Users want software to handle everything
• Vendors push for Standard Operating Procedures (SOP)
Misconceptions
• PI files are installed “Everyone/Full Control”
• piadmin/pidemo have no password
• No login prompt when on Server console
• “PI does not support Windows integrated login”
PI Installation
• “Setup” is a starting point
• Site must configure PI for its own environment
Physical Security
• This means locking the computer room
• Access to the hardware can always compromise security
  • Reboot
  • Power off
  • Pull network wire
Operating System Security
• Groups, Users & Passwords
  • control access to privileged accounts
• File Permissions
• Auditing
Usernames & Passwords
• Domain users
  • Independently validated by Domain Controller
• Passwords:
  • Lifetime: min & max
  • Length
  • History
  • Complexity
Windows Auditing
• You can track just about any operation
  • Login/Logout
  • File Operations
    • creation
    • deletion
    • execution
    • change permissions/take ownership
    • “Traverse Folder”
Windows Event Log
• All audit messages go here
  • Security group
• Do not configure “Overwrite as Needed”
  • Loss of audit trail
  • SOP must be in place:
    • backup audit trail
    • manually purge
File Permissions
• PI Server will run with D:\PI set to:
  • Local Administrators/Full Control
  • Everyone else/Nothing
Standard Operating Procedures
• Control access to Domain Administrator account
• No auto-login
• Don’t expose PI directory as File Share
  • You may expose the PI backup directory
    • read-only
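The settings on the Windows Event Log, File Permissions and Standard Operating Procedures slides can be checked with a short script. The PowerShell below is an added example, not part of the original deck or of any OSIsoft tooling; it assumes PI is installed under D:\PI as on the slide, and it only reports deviations without changing anything.

```powershell
# Added example, not from the original deck. Run from an elevated prompt.
# $PiRoot defaults to the D:\PI path shown on the "File Permissions" slide.
param([string]$PiRoot = 'D:\PI')

$findings = New-Object System.Collections.Generic.List[string]
$adminSid = 'S-1-5-32-544'   # well-known SID of BUILTIN\Administrators
$full     = [System.Security.AccessControl.FileSystemRights]::FullControl

# 1. File permissions: local Administrators/Full Control, everyone else/nothing.
#    ACEs are read as SIDs so the check does not depend on the OS language.
$sidType = [System.Security.Principal.SecurityIdentifier]
$allow = (Get-Acl -Path $PiRoot).GetAccessRules($true, $true, $sidType) |
    Where-Object { $_.AccessControlType -eq 'Allow' }
foreach ($ace in $allow) {
    if ($ace.IdentityReference.Value -ne $adminSid) {
        $findings.Add("ACL: $($ace.IdentityReference.Value) is allowed " +
                      "$($ace.FileSystemRights) on $PiRoot")
    }
}
$adminFull = $allow | Where-Object {
    $_.IdentityReference.Value -eq $adminSid -and
    ($_.FileSystemRights -band $full) -eq $full
}
if (-not $adminFull) { $findings.Add("ACL: Administrators lack Full Control on $PiRoot") }

# 2. Event log: "Circular" is what the GUI calls "Overwrite as Needed".
if ((Get-WinEvent -ListLog Security).LogMode -eq 'Circular') {
    $findings.Add('EventLog: Security log overwrites as needed; audit trail can be lost')
}

# 3. File shares (Type 0 = ordinary disk share, administrative shares excluded).
$root = $PiRoot.TrimEnd('\') + '\'
$ic   = [System.StringComparison]::OrdinalIgnoreCase
foreach ($s in Get-CimInstance -ClassName Win32_Share -Filter 'Type = 0') {
    $sharePath = $s.Path.TrimEnd('\') + '\'
    if ($root.StartsWith($sharePath, $ic)) {
        $findings.Add("Share: '$($s.Name)' ($($s.Path)) exposes $PiRoot")
    } elseif ($sharePath.StartsWith($root, $ic)) {
        # Only the backup directory may be shared, and only read-only.
        $findings.Add("Share: '$($s.Name)' ($($s.Path)) is inside $PiRoot; " +
                      'confirm it is the backup directory and read-only')
    }
}

if ($findings.Count -eq 0) { 'PASS: no deviations found' } else { $findings }
```

A Security log that is not set to overwrite stops recording once it is full, which is why the slide pairs that setting with an SOP to back up and purge the log.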
PI Server Security
• PI Firewall
  • restrict access to your IP domain
• PI Trust
  • don’t map to “piadmin”
• PI Users and Groups
Connecting to PI
• PI API vs. PI SDK
• Connecting vs. Logging In
• The Default User
The Default User
• no name, can’t assign one
• no group, can’t assign one
• gets “world” access
  • Disable this in PI 3.3 SR2
  • if disabled, PI Server appears empty
• Degrade to this if you attempt a login and fail!
Windows Integrated Login
• “Login to Windows = Login to PI”
• You still need to:
  • Control which Windows users are PI users
  • Assign ownership and permissions of PI points, etc.
PI Trust
• Strong start with PI Trust table
  • Supports Windows domain membership as well as TCP/IP credentials
• “Domain,User,PIuser” as “OSI,$,$” is powerful
• PI ICE uses this exclusively
PI Client User Experience
• PI API clients attempt a login
  • Gives perception that PI does not support Windows login
• PI SDK clients attempt a trust lookup
  • If trust is Domain-based, you have integration
PI SDK Clients
• PI Point Builder
• PI Tag Configurator
• PI Auto Point Sync
• PI ICE 1.0
• PI ProcessBook 3.0
• PI Datalink 3.0
21CFR11 Audit Requirements
• Record Windows username of editor
• Contents are unreadable
• Contents cannot be tampered with
• Maintained outside primary data store
PI Audit Requirements
• Cannot detract from the primary function of the PI Server
• To support this:
  • Audit trail cannot be read on-line
  • PI does not process or format the trail
• pidiag -xa
• PI Audit Viewer
PI Audit Viewer – Edit
PI Audit Viewer – Detail
PI Audit Database additions
• PI Batch database auditing
• PI Module Database auditing
PI Audit Database futures
• Auditing of new events for specific points
  • Workaround: code using “replace” mode when inserting data
Best Practices White Paper
• Gives details of Windows and PI configuration
  • Many thanks to OSIsoft Field Service
• Supplements “PI in Compliance”
Questions?
• GATHER EVENTS & DATA: Data Collection from Inside and Outside the Corporation
• ASSIGN CONTEXT: Make the data relevant to users
• ANALYZE: Aggregation, Analysis, Reconciliation, Calculation, Cases
• DISTRIBUTE: Get the Information to people who need it
• VISUALIZE: People Need Pictures, Graphs, Trends specific to their Role
• ACT: Without Action, there is no Benefit. Empowered people take better Actions!