WL Secure Remote Servicing FAQ



Advanced

  • Which mechanism is used for database persistence?

    We use "Amazon RDS for Oracle" for database persistence.

    What are Worldline's Disaster Recovery Plan and KPIs for the solution?

    Our Disaster Recovery Plan (DRP) relies on the use of several AWS availability zones and the use of appropriate data replication mechanisms.
    Recovery Time Objective (RTO) for the platform is set to 8H.

    Does the solution support jump hosts?

    Yes, jump hosts in front of the hardware gateway are supported.
    Support for jump hosts between the hardware gateway and the device would need to be set up and is a feature we are open to discuss.

    Does the system logging cover security-relevant events and operational events, and can these be forwarded to SIEM and Incident Management systems?

    CCP has system management and security monitoring in place for the central platform.
    SIEM = Security Information & Event Management

    Is it possible to use certificates for the communication between the clients and the back-end?

    A Backend Certificate is used for the communication between the clients and the back-end.
    Client Certificates can be used as well, yet certificate management has to be discussed.

    What is the pricing model?

    The service is billed based on a number of key factors such as the number of connected remote devices and the payload. Setup, service, support and maintenance will be discussed depending on the needs of the customer.



Intermediate

  • What does CCP stand for?

    CCP stands for Core Connectivity Platform. It is a platform enabling management of remote connectivity.
    "Core" refers to a key characteristic of the platform: it is API driven and can be used as a "core" layer by other systems (it is actually how our biggest customer is making use of it).

    What is the relationship between CCP, WL Digital Doorman and WL Secure Remote Servicing?

    While both Worldline (WL) Digital Doorman and WL Secure Remote Servicing are WL offering names, addressing different customer types and challenges, CCP refers to the key technical asset used for implementing both. This is the reason why detailed documentation about these two offerings will often refer to CCP (available after registration).
    While WL Secure Remote Servicing is an offering solving manufacturers' pains as remote service providers to their customers, WL Digital Doorman addresses the equipment owner's pains and challenges. Both rely on the CCP features for orchestrating remote connectivity.

    Is an on-premise installation possible?

    On-premise installation is technically possible, and can be provided depending on the specific customer case. The best solution should be carefully analyzed based on the customer requirements.

    How does the solution support High Availability?

    We are using the AWS standards: our services are duplicated over several AWS availability zones.
    WL guarantees 99,5% availability: 16 hours planned downtime / year + max. 24 hours unplanned downtime (2 hours / month).
    Higher requirements can be discussed and depend on the customer case.

    What is the Support Model foreseen by Worldline for this solution?

    Available support models are described in the WL SRS / DD Support Policies.
    Our default model states that the customer should consolidate request and incident management within its services (only key users from the customer should contact Worldline).

    How do you ensure security to the cloud?

    The traffic to our backend is TLS encrypted.
    Once the secure TLS channel has been established the client authenticates with:

    STANDARD: Device ID + password
    - During installation of the client, the password is generated and stored on the file system of the client
    - The password is hashed before being sent over the TLS-encrypted communication to the backend

    OPTIONAL: Certificates can be used, but we do not have certificate handling implemented right now, i.e. there is no automatic replacement of the certificate when it becomes invalid.

    What are the deployment options with WL Digital Doorman? Is WL Digital Doorman relying on a hardware box? How are embedded systems supported?

    WL Digital Doorman can be deployed in various ways. WL Digital Doorman software can either be operated directly on the remote device, run on a hardware gateway in front of the device (the device can run on a separate network behind the gateway, which encapsulates the device and allows protection of legacy hardware whose software may be obsolete), or even run on a server or gateway in a DMZ.
    Worldline can recommend gateway hardware.

    Does CCP support mobile connectivity?

    Yes, CCP is agnostic regarding connectivity. Yet, connection stability may impact the quality of the traffic, which may decrease the quality level perceived by end users.

    Can CCP guarantee end-to-end encryption?

    Yes. CCP tunnels (between end points and the back end) are encrypted. Non-encrypted protocols can be additionally encrypted at the backend level.

    Is the CCP Web UI responsive?

    Yes, the CCP Web UI may be used on a mobile phone or tablet.

    Can I customize the UI in my colors and with my logo? How about different language support apart from German and English?

    Only the logo can be customized in the CCP Web UI.
    The list of supported languages can be extended depending on the customer case.

    Can I remote access devices worldwide from central Europe?

    Yes, but latency might affect your experience significantly. It is therefore important to qualify the kind of application you would use before answering this question.

    Are you experienced with remote access to/from China or Russia?

    Yes we are, and we can further discuss the related constraints and limitations with your teams.

    Can CCP be integrated with an LDAP/AD?

    Yes. CCP Authentication can be integrated with LDAP/AD.

    Can CCP be deployed in a DMZ?

    Yes. The CCP Client offers several deployment options. It can for instance be deployed in a DMZ, with a route enabling connection from the CCP Client to the device through the internal firewalls.

    How should the CCP Client be deployed on a system?

    The CCP Client can run either as a Java program on an existing OS, or as a VM (Docker image).

    What is the frequency of CCP upgrades?

    Apart from hotfixes and security updates, regular CCP releases are scheduled on a quarterly or half-yearly basis (from 2 to 4 regular releases per year). Additional releases can be scheduled when needed.



General

  • What is the WL Secure Remote Servicing delivery model?

    WL Secure Remote Servicing is delivered in a SaaS mode.

    Is it possible to access multiple end points with one gateway?

    A gateway mode has been implemented for the CCP Client. One CCP client can manage several end points. The maximum number of end points managed through a single CCP client depends on the expected traffic to be managed and the hardware of the gateway.
    As a complement, the CCP client can be installed on hardware gateways. For example, we have a close collaboration with Secunet on their secunet edge gateway and platform.

    Do you have a session recording feature?

    We only trace session meta-data (who, which device, which tunnel type, when), not the content of the session itself.
    We have chosen to be as non-invasive as possible in order to avoid data privacy breaches. This is for instance very important in the case of remote access to medical devices.
    Also, CCP is an app-agnostic connectivity tool.
    If session recording is a strong requirement for the client, we can of course discuss how to address this need. We have already investigated some options for a "properly notified (or informed) session recording" feature.

    What makes your solution suited for highly security-sensitive use cases?

    The security requirements for WL Secure Remote Servicing are derived from several industrial standards such as IEC-62443-3.3 and IEC-62443-4.2.
    Its key technical asset CCP is developed according to the CCP Secure Development Lifecycle, which is based on the IEC-62443-4.1 standard.
    The QMS for software development is based on ISO9001.
    Operations are run according to ISO27001.
    Data Protection:
    -Addressed as a subdomain of data security from a GDPR compliance point of view
    -Worldline has a Group Data Protection Policy that is legally binding for each product and employee of Worldline.
    -CCP is regularly assessed for its dataflow behavior.

    What is meant by IEC-62443 readiness?

    The IEC framework defines several roles:
    -Asset owner = customer
    -System Integrator = customer network team
    -Product Supplier = Worldline

    The Product Supplier is only responsible for a subsystem (or component) of the overall environment in which it is intended to be used.
    The Product Supplier develops the solution according to the IEC-62443-4.1 Secure Development Lifecycle. This is documented in our CCP SDL document and it implies that we:
    -Have people with the necessary Security expertise
    -Are aware of vulnerabilities and we mitigate them
    -Apply industry best practices for Security Design
    -Apply secure coding practices (mandatory yearly refresh training)
    -Do scans to verify whether our code is secure
    -Perform security and penetration testing regularly

    The Product Supplier works with the System Integrator to jointly do Requirements Engineering for the overall System Architecture (our involvement is IEC-62443-3.3) and we translate those into specific IT Security requirements focused on our component(s) (IEC-62443-4.2).

    WL Secure Remote Servicing vs VPNs

    No more hidden internal costs to set up VPNs (IT teams to be involved for every VPN setup)
    Self-Administration means no IT involvement and an enhanced UX
    Reduced Business Risk: Easier compliance with the company's Security Policy, no need to manage a complex environment of heterogeneous connectivity tools

    WL Secure Remote Servicing vs Desktop Sharing Apps

    Using desktop sharing apps without WL Secure Remote Servicing brings some security risks, among other reasons because they often increase heterogeneity, with third parties bringing their own solution from their own technical stack.
    With a desktop sharing app, remote connections would always require the participation of an employee. With WL Secure Remote Servicing, you can easily enforce your company's security policy and limit the actions users (employees or ) can do.
    WL Secure Remote Servicing allows M2M connections, which is not possible with Desktop Sharing Apps.

    How does WL Secure Remote Servicing contribute to building cyber resilience against ransomware?

    WL Secure Remote Servicing makes sure you can follow your company IT strategy.
    The main reason why WL Secure Remote Servicing contributes to building cyber resilience against ransomware is that the application of the Zero Trust tenets limits the attack surface of the equipment:
    - contrary to VPNs, tunnels can be used for one purpose only,
    - tunnels are not permanently active,
    - thanks to the use of one single port, the usual internet traffic one, traffic can easily be scanned with an Intrusion Detection System (IDS), while usual VPNs use dedicated ports which may go under the radar.

    Which OS are supported by the CCP Client?

    Windows 10 64 Bits, Windows 7 64 Bits, Linux 64 Bits

    How can I get a demo of WL Secure Remote Servicing?

    You only need to register through the dedicated form (available here) to request a demo. We will contact you to organize it.