Security is not a product, but a process
Security Matters. Does your industry have specific security requirements or
concerns? Look for certifications and evidence that a remote service solution exceeds the requirements of today and the vendor has a plan for how to handle changes in the future.
Dictionary.com provides many definitions for the word "security." Two that are most applicable to remote service software are:
- freedom from care, anxiety, or doubt; well-founded confidence.
- precautions taken to guard against crime, attack, sabotage, espionage, etc.
The first represents the desired result. The second is what you do to get there.
Any time you create the ability to reach into another company and collect data or perform actions, you have to identify and evaluate the security risks this creates. The security assessment of a remote service system includes identifying and analyzing:
- all processes related to the system
- threats that could affect the confidentiality, integrity or availability of the system
- system vulnerabilities to the threats
- potential impacts and risks from the threat activity
- selection of appropriate security measures and analysis of the risk relationships
Let's look at these one at a time.
1. Processes
How are new users and devices added to the system? Are there controls or processes around who can add to or change the system? During the evaluation phase, it is most important to identify the processes and confirm the vendor's ability to support them.
2. Threats
Security threats often come from an outside party that is working to disrupt or take over the system. However, they can also come from inside your company or at the customer location. Try to identify the various groups that would attempt to attack the system and what their means of access could be.
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards." - Gene Spafford
3. System Vulnerabilities
Vulnerabilities represent the "gaps in the fence" that would enable an attacker to gain entry into the system. It is difficult to evaluate this without a full-scale security review. Axeda has contracted with Verisign to annually conduct a security review of the ServiceLink software and of Axeda company processes. It was not an easy or inexpensive process, but it is reassuring to know that an expert security organization such as Verisign has looked hard to find anything we might have missed.
Another area of vulnerability is outside the technology: the system's users. Many security failures are due to human factors, such as users choosing obvious passwords or writing them down in obvious places. The ServiceLink software enables administrators to tightly control the privileges and visibility of devices in order to minimize this danger. We also include settings for how often passwords must be changed and for automatic inactivity logout.
"No serious commentary will say that the user has no responsibility. We all have responsibilities to lock our doors in our homes and to buckle up when we get in cars." - spokesman, Information Technology Association of America, Business Roundtable, AP, May 19, 2004
4. Potential Impacts
Security has a cost. One of the challenges in evaluating security measures is to balance them against the potential risks or impacts of a breach. You may take a different approach to protecting the temperature readings of a machine vs. the recipes that control the machine's operation. One is purely operational; the other may be expensive intellectual property or carry a risk of machine damage. The amount of money and inconvenience you are willing to endure should depend directly on the calculated risk of security failure.
The FDA suggests[1] that the following should be included in a software hazard analysis:
- A list of all potential hazards identified.
- The estimated severity of each identified hazard.
- A list of all potential causes of each identified hazard.
5. Select Appropriate Measures
Once the risks and hazards are identified (what) and quantified (how likely), you can develop a strategy for mitigation. This is a broad area that will require the combined expertise of the product developers, the regulatory or risk management department and the remote services users. An identified risk may be mitigated by changes in the product design, user training, or elimination of a capability. In the case of the FDA and medical devices, there is a regulatory requirement to perform this analysis. In other cases, it is a matter of good business practice, to protect you and your customers.
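The five steps above (processes, threats, vulnerabilities, impacts, measures) and the FDA's three hazard-analysis items are easier to see as one artifact: a risk register that scores each hazard and picks the cheapest control that brings the residual risk under a threshold you set. The following is an added worked example written for this article; it is not code from the article or from Axeda's ServiceLink. The assets, threats, ordinal scales, costs and the acceptable-risk threshold are all constructed values, and the "severity x likelihood" scoring is one common convention, not the only one.

```python
"""Worked example: a small risk register for a remote service system.

Added illustration, not part of the original article or any vendor product.
All assets, scores, costs and thresholds below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

# Ordinal scales for "how bad" and "how likely" (constructed convention).
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4}


@dataclass
class Hazard:
    """One row of the hazard analysis: asset, threat, gap, estimates, causes."""
    asset: str
    threat: str                  # who or what could act (step 2)
    vulnerability: str           # the "gap in the fence" (step 3)
    severity: str                # estimated severity (FDA item 2)
    likelihood: str
    causes: list = field(default_factory=list)   # potential causes (FDA item 3)

    def score(self) -> int:
        """Risk = severity x likelihood on the ordinal scales above."""
        return SEVERITY[self.severity] * LIKELIHOOD[self.likelihood]


@dataclass
class Mitigation:
    """A candidate control: design change, user training, or removed capability."""
    name: str
    kind: str                    # "design" | "training" | "remove_capability"
    cost: int                    # relative cost/inconvenience, 1 (cheap) .. 5 (expensive)
    likelihood_after: Optional[str] = None   # estimate after the control is applied
    severity_after: Optional[str] = None

    def residual(self, h: Hazard) -> int:
        """Risk score that remains once this control is in place."""
        sev = self.severity_after or h.severity
        lik = self.likelihood_after or h.likelihood
        return SEVERITY[sev] * LIKELIHOOD[lik]


def prioritize(register: list) -> list:
    """Highest risk first, so review effort goes where the exposure is."""
    return sorted(register, key=lambda h: h.score(), reverse=True)


def choose_mitigation(h: Hazard, options: list, acceptable: int) -> Optional[Mitigation]:
    """Cheapest control whose residual risk is at or below `acceptable`.

    Returns None when the hazard is already acceptable (spend nothing) or when
    no option is good enough (escalate rather than pretend it is handled).
    """
    if h.score() <= acceptable:
        return None
    good = [m for m in options if m.residual(h) <= acceptable]
    return min(good, key=lambda m: m.cost) if good else None


# Constructed register for a remotely serviced production machine.
TEMPERATURE_LOG = Hazard(
    asset="temperature readings",
    threat="outside party observing the service link",
    vulnerability="readings sent without transport encryption",
    severity="low", likelihood="possible",
    causes=["shared network segment", "legacy protocol"])

RECIPE_WRITE = Hazard(
    asset="machine recipes (process IP)",
    threat="insider or compromised service account",
    vulnerability="any authenticated service user can push a recipe",
    severity="critical", likelihood="possible",
    causes=["coarse privileges", "weak or shared passwords", "no inactivity logout"])

RECIPE_OPTIONS = [
    Mitigation("per-device write privilege + password rotation", "design", cost=2,
               likelihood_after="unlikely"),
    Mitigation("operator awareness training", "training", cost=1,
               likelihood_after="possible"),      # does not move the estimate
    Mitigation("remove remote recipe write entirely", "remove_capability", cost=4,
               likelihood_after="rare", severity_after="low"),
]

if __name__ == "__main__":
    for h in prioritize([TEMPERATURE_LOG, RECIPE_WRITE]):
        pick = choose_mitigation(h, RECIPE_OPTIONS if h is RECIPE_WRITE else [], 8)
        print(f"{h.score():>2}  {h.asset}: {pick.name if pick else 'accept as is'}")
```

Lowering the threshold changes the answer: at an acceptable score of 8 the cheaper design change is enough for the recipe hazard, while at 4 only removing the capability qualifies, which is exactly the "spend in proportion to calculated risk" trade-off the text describes. The temperature readings never cross the threshold, so no money is spent on them.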
If this all seems a bit deep for the remote service solution evaluation process, it is not. Security must be an integral part of the solution, not something to add in later. Better to spend some time identifying the risks and requirements now than to be surprised later on.
Security is a continuous process that spans hardware, software and humans. Just when you think you have everything covered, a new threat appears. It is important to evaluate how vendors manage response to security issues over time. What is the culture around security issues? Do they have a hot fix process? Is it possible to upgrade components already deployed in the field?
As a parting note, do not let security, as proxy for fear of the unknown, block progress on your remote service plans. Good engineering and security practices won't help you know the unknowns, but they will give you the ability to deal with them when they become knowns.
[1] Guidance for Industry, FDA Reviewers and Compliance on Off-The-Shelf Software Use in Medical Devices, http://www.fda.gov/cdrh/ode/guidance/585.html
Read the related articles in Randy's 10-Step Series:
- 10 Steps to a Successful Remote Service Evaluation
- Step 1. Successful Remote Service Evaluations - Have a Vision of What Success Looks Like
- Step 2. Successful Remote Service Evaluations - Work with Cross Functional Teams
- Step 3. Successful Remote Service Evaluations - Answer What's in it For Your Customers!
- Step 4. Successful Remote Service Evaluations - Agree on a Scoring Matrix and an Evaluation Process