Security Features in Maximo Application Suite

Erin Pierce
December 3, 2024

Robust data protection is a necessity in the digital age, especially regarding enterprise asset management.  

Security implications of any software implementation are significant for those relying on smooth and efficient daily operations. While enterprise asset management has seen growth in installation and expansion opportunities, this also comes with the challenge of keeping data secure.  

Continued innovation in key industries such as energy and utilities, manufacturing, life sciences, and transportation requires companies to rely on more digital platforms, which means more devices in these settings. Despite maintaining basic email, malware, and other security protections, industrial companies are often at the forefront of cybersecurity risks, as the number of devices storing asset information increases over time.  

Key cybersecurity considerations with IBM Maximo Application Suite set benchmarks for EAMs across the board, supporting continued improvement and innovation for companies that need to accelerate production while also overcoming operational and financial challenges.  

Safeguarding Organizational Assets

Most companies rely on asset data for output, performance analysis, predictive and preventative maintenance, and financial stability. Thus, operational managers become a massive target for cybercriminals.  

With valuable client information, physical assets and operational data, and financial transactions available, cybercriminals often focus on asset management professionals and can potentially destroy the trust between provider and customer. This turns into a huge reputational risk for successful business models.  

So, how do asset management professionals avoid these cyber threats as digitization progresses?

Security Considerations and Preparations for an Upgrade to MAS

Implementing asset management software is a heavy undertaking, requiring some initial discovery steps:

  • Comprehensive overview of all existing assets, their relationships, and overall function within the business (i.e. device discovery and protection)
  • Identification of potential security gaps, vulnerabilities, associated costs, and potential risks
  • Automated policy enforcement, actions, and workflows to simplify processes, including incident-response and remediation measures

Maximo Application Suite can be installed on multiple platforms; however, there are special AWS installation considerations. Industries that will be implementing the IBM Maximo Application Suite and installing on AWS will also need to meet certain security requirements:

  • Communication to the IBM Maximo Manage database uses JDBC with SSL enabled
  • SSH keys are used for the connection to the bootnode and Red Hat OpenShift cluster nodes
  • Bootnode runs within the customer AWS account and does not have connectivity to the external network during and post-deployment
  • Product images are pulled from authenticated IBM-entitled registries
  • Credentials are kept in Red Hat OpenShift secrets
  • Access to the Red Hat OpenShift cluster nodes is only through the bastion host using a private SSH key
  • AWS portal uses HTTPS for encryption

Data Security in Maximo Application Suite

Cybersecurity integrations within the Maximo Application Suite are vast, using everything from network security protocols to user access controls to provide robust protection of your company’s most critical assets.  

Operating with risk-based security in mind, companies using MAS are provided with several features to help secure sensitive information, beginning with user access controls.

User Authentication and Access Controls

In the Security module, administrators can manage and monitor security for users and groups within their organization. Using the administrative console in MAS, users are given entitlements to Manage, a process that continuously queries the user registry as an additional protective layer. Users with this entitlement are authorized to access data and user interface components as the administrator sees fit.

  • Strict user management with role-based access controls to categorize and limit what data each user can view and modify. This is based on specific job functions.
  • SSO integration for centralized user authentication across multiple modules and applications
  • MFA for added security when a user logs in
  • Onboarding and offboarding automation
  • Group synchronization and default assignments provided via security groups in Manage, with users assigned to one or more default security groups dependent on job function
  • User records containing security profiles and identifying information to determine data access (can only view and modify data relevant to their job function)
  • Administrative monitoring of login activity to identify suspicious behavior
  • Administrative monitoring of idle time: AppPoints are returned when a user logs out, but if a user remains idle, those AppPoints are not available for someone else to complete their work. Administrators can now sign out idle users by setting an idle-time restriction, after which an inactive session is automatically logged out.
  • Object Structure Authentications to define which data objects (e.g. assets, WOs, WRs) a user can access based on their assigned security group

AppPoint Usage

With MAS comes the licensing model (AppPoints) that serves as the “currency” for application usage, runtime, and user access across an organization. Administrators serve as the Application Admin User, giving permissions and assigning security groups for specific job functions and access controls based on what that user needs to see. There are three distinct user types within MAS with varying access privileges and AppPoints associated with each:

  • Limited Users: 5 AppPoints and access to three modules within Manage, Monitor, Mobile, and Assist
  • Base Users: 10 AppPoints and access to Manage Industry solutions and Predict module
  • Premium Users: 15 AppPoints and access to Manage Industry solutions and Predict module

Authentication and Network Security

Authentication and encryption are part of the security measures that come with an upgrade to Manage, with custom configurations for user authentication and network communication.

  • Local authentication with usernames and passwords stored in MongoDB
  • LDAP and SAML authentication methods
  • API key-based authentication for MAS 8.8 and up
  • Database encryption (automated if not specified upon creation of a new Manage database)
  • SSL/TLS support that encrypts communication through HTTPS for secure browser access
  • Optional VPN access to establish a secure connection between remote client locations and the cloud data center

How MAS Security Measures Benefit Your Organization

Protecting organizational infrastructure and sensitive data from cyberattacks and other critical risks is vital in maintaining operational efficiency and demonstrating commitment to customer data protection. Maximo Application Suite provides robust security to help your organization:

  • Identify and mitigate risks by providing a window into company assets and security controls
  • Meet regulatory compliance requirements by providing documentation and processes for protecting sensitive information
  • Craft faster incident response processes based on asset location and health
  • Identify and eliminate cost inefficiencies or risks over time (resulting in higher ROI)
  • Preserve company reputation and brand integrity by minimizing security risks and ensuring customer data protection
  • Prepare for audits by providing a singular view of organizational assets

Data protection is a top priority with Projetech’s Maximo as a Service. We are committed to data integrity for all of our customers, maintaining an ISMS that meets ISO 27001/27017 framework requirements, conducting annual formal penetration testing, vulnerability scanning, and using endpoint security applications to prevent malicious activity.  

Interested in learning more about Projetech’s security program and how MaaS can help to ensure organizational asset protection? Contact us today to get started.
