COE NewsNet November 2006
 
COE Feature

PLM Security and Cross-Enterprise Collaboration
Robert de Monts, VP of Marketing and Business Development at Imera Systems and former VP at Dassault Systèmes and Check Point Softwar

To remain competitive and continue producing innovative products, enterprises have put into place an increasing number of both information systems and supply chain partners. Providing increased information access to this larger ecosystem as well as processes to streamline the necessary collaboration among partners, suppliers, and vendors are two of the resulting challenges. To be effective, all parties need to constantly interact throughout the complete design and manufacturing cycle. The issue is complex: how does the enterprise increase collaboration and control costs when cross-enterprise collaboration may directly conflict with the security roadmap at most companies?

This article reviews the cross-domain security issues presented by current PLM collaboration deployments and the resulting impact on operations. It discusses how a distributed architecture can enable effective cross-company collaboration while maintaining compatibility with enterprise security infrastructures. The benefits in terms of time to market, product quality, and productivity are significant.

The Case for Cross-Enterprise Collaboration
To remain competitive, companies are focusing on core competencies. This includes outsourcing all activities that can be more effectively handled outside the corporation. Administrative activities, IT, and manufacturing have been outsourced or off-shored for quite some time, but more recently core activities such as engineering and design are also following this trend. As more companies rely on partners to bring products to market, the need to collaborate efficiently among all companies within an OEM ecosystem increases. In a 2006 study, the Aberdeen Group indicated that key drivers for a company's profitable growth are reduced time to market and product innovation. Effective collaboration among all parties in the product value chain is key to achieving such objectives. The Aberdeen survey pointed out that 63% of manufacturing companies "collaborate" on design and manufacturing with customers and suppliers. Surveyed companies listed their key objectives as:

  • Better customer/market requirement definition (71%)
  • Faster time to market (67%)
  • Product cost reduction (67%)

The study indicates that key focus areas include:

  • Design reviews to eliminate ECO (43%)
  • Component parallel design (37%)

Real-time visual collaboration was the most broadly used collaboration technology. Finally, the survey's best-in-class companies collaborate externally, across the entire life cycle, around a collaboration platform that they either provide or endorse.

Security and Collaboration
This direction is unfortunately hampered by another executive direction, which is to keep the enterprise secure. Most IT organizations at large companies will admit that their number one priority is to protect the company from viruses, intrusion, IP theft, rogue employees, and possible civil and criminal litigation resulting from data theft or the inability to meet regulatory audit requirements. As a result, IT organizations have been strengthening their defenses, starting with perimeter security such as firewalls, then internal security with intrusion detection and internal security gateways (which block unwanted traffic across different network segments), and now moving to end-point security to ensure that individual desktops are not infected by inappropriate software installs or unauthorized application use. Some companies block ActiveX or Java plug-ins, or even outbound HTTPS traffic, effectively preventing the use of web conferencing solutions or access to secure portals. IT organizations are also particularly concerned with data exchanges outside the enterprise that they cannot effectively monitor and audit. Added to this are concerns about IP theft and regulatory compliance issues. Consequently, it is increasingly difficult for engineering and design organizations to collaborate with the outside world because of these security concerns.

PLM Collaboration Architecture Evolution
When PLM, or more accurately PDM, solutions emerged in the early nineties, they were primarily focused on addressing the Engineering and CAD data management needs at the departmental level. Typical issues addressed at that time were large file manipulations, long check-in/out cycles, consistency between CAD files and assemblies, bills of materials, specification documents, and so forth. In the late nineties, PLM systems expanded to reach multiple departments and larger enterprises. The traditional client-server architecture evolved into a thin-client, rich-in-functionality web portal. Leveraging HTTPS protocols and new developments in web application security, companies have begun deploying these portals to the outside world, primarily contractors, design partners, and suppliers. More recent improvements in portals, such as Dassault Systèmes VPM and 3DLive, UGS Teamcenter, or PTC Windchill, have added limited IM-based collaboration to provide some level of instant collaboration in addition to the core data distribution/access/management functionalities.

Security and Current PLM Collaboration Architecture
These recent developments in PLM collaboration are certainly valuable, and welcomed by internal and external users. The problem is that such portals require that everyone, whether inside or outside the enterprise, log on to the portal in order to "collaborate". Although this approach may address certain needs for inter-company collaboration, the security issues that it raises mean that deployment is necessarily limited to a small community of external users at partner companies. Let me explain: Assume an OEM deploys such a portal to collaborate with external supply partners. In order to collaborate, employees at partner companies need to be logged on to the OEM portal. This connection is probably a direct SSL VPN connection to the portal, which means that no company collaborating with the OEM has visibility into what information is being exchanged between its employees and the OEM. Security-conscious companies will not allow such traffic, or at best will limit such connections by essentially establishing security policy exceptions for a select few employees. Managing these exceptions puts an additional burden on partner IT organizations. Additionally, the OEM's IT organization must create and monitor accounts on its portal for all the external users, forcing both the partners' and the OEM's IT teams to spend time coordinating user access.

Figure 1: Moving from scheduled project management reviews to always-on, instantaneous engineer-to-engineer collaboration.

These issues are becoming more pressing, as a growing trend among most larger companies is to allow as many of their engineers as possible to collaborate directly (mainly to resolve issues), often on a one-to-one basis, with engineers at partner companies. The obvious benefit is that as more engineers collaborate at the individual level, more issues are resolved sooner, resulting in improved time to market, higher product quality, and superior productivity benefits.

Next Generation Cross Enterprise Collaboration
To address these limitations and achieve the desired objectives, any collaboration solution has to be extremely friendly and promote efficient communications (I "see" you, I "call" you, I share instantly). It also has to comply with the security roadmap at all locations (i.e., provide full control/audit of what is being shared with whom), and allow each IT organization to manage its own user policies independent of one another. A distributed architecture (domain federation) allows this. Using such an approach, any employee at an OEM and at its partner companies can collaborate with one another, and do so securely. The IT organization at each collaborating company has full audit / user access control / session control over its users and across the sessions involving any other users. Such a solution could be securely deployed to everyone everywhere in an ecosystem of partners.

Figure 2: TeamLinks Collaboration Complements PLM Portals

The benefit to the ecosystem in leveraging a collaborative environment is clear. One method to share actual data between collaborating companies is via a data sharing portal, accessed by a select few external employees at partner companies, such as project managers. Security issues raised by this approach are mitigated by limiting access to only a very few. However, for maximum efficiency and productivity, this issue resolution capability must be extended to the entire engineering/manufacturing community of engineers in the ecosystem. Next-generation solutions provide for superior security while offering integrated features such as always-on presence awareness and one-click connectivity that reaches across the entire ecosystem. Imera TeamLinks next-generation collaboration solutions were created to address these requirements by providing a highly secure, distributed instant collaboration environment for cross-enterprise collaboration.

TeamLinks supplements PLM portal solutions by providing an instant "light-weight" cross-domain collaboration service that can be extended to all users in a collaboration ecosystem. With TeamLinks, users can view the presence of any given project's participants, and collaborate (with permission) to instantly share any information displayed on their desktops, whether these participants are inside the company or at partner or other companies outside the company domain. TeamLinks complies with all participating company security infrastructures for unparalleled security and its ease of use provides for faster adoption across partner organizations. With TeamLinks, the data stays inside the enterprise; only views of the data go outside. TeamLinks collaboration solution therefore nicely complements data sharing portals that limit access to a select few external employees.

For questions, comments, or interest, please contact the author at the following e-mail address: rdemonts@imera.com

