IT Security
Last updated
The trust of our customers in the information and data security of the ENLYZE platform is a crucial factor for us in establishing successful and long-term customer relationships. Therefore, the security of your data and information is a central concern for us and plays a significant role in the development process of our software and hardware, the productive operation of our solutions, as well as data storage.
For general questions about data protection, please refer to our Terms and Conditions. Points 10 (data ownership and confidentiality of data), 11 (confidentiality), 12 (customer data and indemnification) and 13 (data protection and information security) in particular set out how we handle customer data.
In technical terms, this understanding translates as follows: the basic principle of our security concept is a comprehensive defense-in-depth strategy consisting of multiple layers. Through internal and external risk analyses, we continuously scrutinize our existing measures and implement additional technical and organizational security measures as needed. In this way, we offer our customers a high level of information and data security within what is technologically feasible.
To read and forward process data from a production plant to the ENLYZE platform, we use our own edge device, the ENLYZE SPARK. This is integrated into our customers' networks, enabling both connection to a machine and forwarding of process data to the ENLYZE Cloud.
We are aware that our system, by being integrated into the core of many manufacturing companies, must meet special security requirements. Below, we present some of our basic principles for this integration, striving for maximum transparency.
The ENLYZE SPARK has two separate subnets that are isolated from one another: one for the connection to a machine and one for the internet connection. This separation ensures that only one of the ENLYZE SPARK's subnets is connected to the internet, while the machine remains completely isolated from any internet connection.
The SPARK communicates exclusively in a read-only manner with the machine's data sources, such as a machine controller. Write access is not implemented. This ensures that even a malfunction in the ENLYZE SPARK software cannot have any negative impact on the machine, since the SPARK, by design, cannot influence the control of the machine.
All data centers and servers on which the ENLYZE Cloud & App are hosted are located in Germany. Machine data is processed in the Google Cloud Platform (GCP), with the instances used for this purpose hosted in Frankfurt am Main (Germany).
In addition, we use virtual machines from the cloud provider Hetzner in Falkenstein (Germany) and Nuremberg (Germany) to host our application databases and batch processes.
The service providers we use are certified according to ISO 27001 and other guidelines, meeting the highest standards of IT security, data security, and confidentiality.
📌 The ENLYZE platform solely records process data in a read-only manner and does not actively intervene in your production processes. A theoretical failure of the ENLYZE infrastructure therefore has no direct impact on your production in terms of downtime or standstill.
Despite this separation between your operational systems and the ENLYZE system, ENLYZE GmbH is covered by industry-standard liability insurance for financial losses. This protects our customers from financial damages that could arise from ENLYZE GmbH's fault.
To read machine data, the connection to a machine controller can be made directly or indirectly through intermediate firewalls/switches, depending on the existing network architecture. If further machine controllers are reachable via such a switch, multiple machines can be read by a single SPARK if desired.
If local conditions and network architecture do not allow the reading of all necessary machine controllers via a single SPARK, one SPARK per machine or data source will be installed.
When choosing a direct connection, the SPARK is installed in the control cabinet of the machine to be connected. The connection is established directly via an Ethernet cable or a serial interface. For a direct connection, it must be ensured that an Ethernet port with internet access is available in the control cabinet.
Indirect Connection
When deciding for an indirect connection, the SPARK is integrated into an existing machine network and not directly connected to the machine controller.
In this case, any company firewall between the SPARK and the machine must be configured so that the SPARK can establish a connection to the IP addresses and ports of the respective machine controllers and communicate through them. There are no incoming connections towards the SPARK, and the SPARK does not open any writing connections to the machine.
Typically, the IP addresses of the controllers have been assigned individually depending on the network architecture and must therefore be communicated to ENLYZE in advance. The TCP ports used differ depending on the manufacturer of the machine controller. If the machine controller is to be connected via OPC DA or OPC UA, additional individual TCP ports need to be opened. If the communication protocol, IP addresses or TCP ports are unknown, we can also determine them during an on-site visit.
To securely store and process the machine data it reads, the ENLYZE SPARK establishes an authenticated and encrypted VPN connection between the device and the ENLYZE Cloud. The WireGuard VPN protocol is used, which operates exclusively over UDP as a peer-to-peer protocol. Unlike alternatives such as OpenVPN, WireGuard cannot be tunnelled over TCP to bypass firewalls. Further information can be found in the WireGuard Whitepaper.
The communication of the SPARKs, apart from the initially required DNS and NTP requests, is exclusively restricted to the authorized VPN server via firewall rules (see below). The VPN server itself further restricts communication through the VPN tunnel to a list of authorized hosts. Thus, in terms of a defense-in-depth strategy, any unusual network activity of the SPARKs is blocked. Communication from one SPARK to another via the VPN is also not possible.
The VPN tunnel enables access to view the SPARK status, configure a SPARK remotely, and update the SPARK software. This remote access to a SPARK is only possible for individual trained employees of ENLYZE GmbH via a dedicated server. This server is physically protected against access by third parties through electronic access control. All server hard drives are encrypted.
To integrate the SPARKs, the following outgoing connections must be allowed in the firewall. The SPARKs can be identified in the network by their MAC addresses. Incoming connections to the SPARK (through port forwarding) are generally not necessary.
Destination                               Port                Protocol   Purpose
1.1.1.1                                   53 (DNS)            TCP, UDP   Resolution of hostnames to IP addresses
8.8.8.8                                   53 (DNS)            TCP, UDP   Resolution of hostnames to IP addresses
8.8.4.4                                   53 (DNS)            TCP, UDP   Resolution of hostnames to IP addresses
iot-edge-1.enlyze.com (159.69.177.150)    51821 (WireGuard)   UDP        Data transfer to the ENLYZE Cloud, SPARK configuration, installation of updates
ntp1.enlyze.com (157.90.230.207)          123 (NTP)           UDP        Synchronization of system time
ntp2.enlyze.com (162.55.43.234)           123 (NTP)           UDP        Synchronization of system time
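The egress allowlist above, together with the statement that any unusual network activity of the SPARKs is blocked, is something a customer's network team can verify from their own firewall or flow logs. The following is an added example, not ENLYZE code: it encodes the published allowlist, reduces constructed flow records to destination, port and transport, and reports any flow from a SPARK (identified by MAC address, as the page describes) that falls outside the list. The record format, the MAC addresses and the flow lines are constructed for the example; the IP addresses and ports are the ones from the table.

```python
"""Added example (not ENLYZE code): audit outbound flows from SPARK devices
against the egress allowlist published on this page.
Flow records and MAC addresses are constructed sample data."""
import ipaddress
from dataclasses import dataclass

# Egress allowlist taken from the table: destination IP, port, allowed
# transport protocols, and purpose. Matching is done on the published IPs.
EGRESS_ALLOWLIST = [
    ("1.1.1.1",        53,    {"tcp", "udp"}, "DNS"),
    ("8.8.8.8",        53,    {"tcp", "udp"}, "DNS"),
    ("8.8.4.4",        53,    {"tcp", "udp"}, "DNS"),
    ("159.69.177.150", 51821, {"udp"},        "WireGuard, iot-edge-1.enlyze.com"),
    ("157.90.230.207", 123,   {"udp"},        "NTP, ntp1.enlyze.com"),
    ("162.55.43.234",  123,   {"udp"},        "NTP, ntp2.enlyze.com"),
]

# Constructed MAC addresses standing in for the SPARKs on the network.
SPARK_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed flow records in the form "src_mac dst_ip dst_port proto",
# the shape a firewall or NetFlow export can be reduced to.
SAMPLE_FLOWS = [
    "aa:bb:cc:00:00:01 1.1.1.1 53 udp",
    "aa:bb:cc:00:00:01 159.69.177.150 51821 udp",
    "aa:bb:cc:00:00:01 157.90.230.207 123 udp",
    "aa:bb:cc:00:00:02 159.69.177.150 51821 tcp",  # wrong transport for WireGuard
    "aa:bb:cc:00:00:02 203.0.113.10 443 tcp",      # destination not in the allowlist
    "de:ad:be:ef:00:01 203.0.113.10 443 tcp",      # not a SPARK, ignored
]


@dataclass(frozen=True)
class Flow:
    src_mac: str
    dst_ip: str
    dst_port: int
    proto: str


def parse_flow(line):
    """Parse one constructed flow record; raises ValueError on malformed input."""
    src_mac, dst_ip, dst_port, proto = line.split()
    ipaddress.ip_address(dst_ip)  # validate the address before using it
    return Flow(src_mac.lower(), dst_ip, int(dst_port), proto.lower())


def is_allowed(flow):
    """True if destination, port and transport match an allowlist entry."""
    return any(
        flow.dst_ip == ip and flow.dst_port == port and flow.proto in protos
        for ip, port, protos, _ in EGRESS_ALLOWLIST
    )


def audit(lines, spark_macs):
    """Return the flows originating from a SPARK that fall outside the allowlist."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow.src_mac not in spark_macs:
            continue  # other devices are governed by other rules
        if not is_allowed(flow):
            violations.append(flow)
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_FLOWS, SPARK_MACS):
        print(f"unexpected egress from {v.src_mac}: {v.dst_ip}:{v.dst_port}/{v.proto}")
```

Both constructed violations are ones a coarse "allow the SPARK out" rule would miss: the same WireGuard endpoint over TCP instead of UDP, and an unrelated destination. Port, transport and destination are checked together, which is how the published rules should be written in the firewall as well.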
Booking systems (ERP/MES/BDE) are usually also connected via the ENLYZE SPARK. The connection to the respective booking system is used to record additional production-relevant data. This allows the machine parameters read to be correlated with orders or products produced and their detailed components.
The data collection and processing of the ENLYZE platform explicitly do not include personal data (reference: ENLYZE Terms and Conditions, Point 13 "Data Protection and Information Security"). If such data is stored within your ERP/MES/BDE system today, it is explicitly not read, stored or otherwise used by ENLYZE.
The specific communication of the ENLYZE SPARK with a booking system varies depending on the system used, the necessary data, and the access paths through which the relevant data is available. A connection is either made via existing interfaces or by accessing the underlying server databases.
The connection is either made via an existing SPARK from the machine network or a dedicated SPARK specifically for this connection. If there is a company firewall between the SPARK and the booking system, it must be configured to allow a connection to the IP address and TCP port of the server and to communicate with it. Incoming connections from the booking system to the SPARK do not need to be allowed.
In addition, a user account with read-only access to the relevant areas of the database server is required. This approach is in the interest of both parties: it cleanly separates ENLYZE's read operations on the booking system from those of other participants and makes them traceable. Critical data is shared only to the necessary extent, and write access is technically impossible.
Alternatively, the relevant data can, for example, also be exported to a dedicated .csv file and shared with ENLYZE via an FTP/SMB server. This further ensures that the ERP/BDE/MES system remains unaffected.
After the implementation is completed, the customer receives a list of all data points read by the ENLYZE system. In case of any adjustments, the customer receives an updated list and is thus fully informed at all times about all captured data points.
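The same need-to-know principle applies on the export path: when data leaves the booking system as a .csv file, only the agreed data points should be in it. The following is an added example, not ENLYZE code or an ENLYZE-specified file format: it checks a constructed export against the agreed column list before the file is placed on the FTP/SMB share, and can strip anything outside the list. The column names, the sample rows and the "operator_name" column (standing in for personal data that must not leave the system) are assumptions made for the example.

```python
"""Added example (not ENLYZE code): validate a constructed ERP/MES CSV export
against the agreed list of data points, and reduce it to that list.
Column names and values are constructed for the example."""
import csv
import io

# Agreed data points, as they would appear in the list the customer receives.
# These names are constructed for the example.
AGREED_DATA_POINTS = {"order_id", "article_number", "target_quantity",
                      "start_time", "end_time"}

# Constructed export that matches the agreed list exactly.
SAMPLE_EXPORT_OK = """order_id,article_number,target_quantity,start_time,end_time
4711,ART-100,5000,2024-01-15T06:00:00,2024-01-15T14:00:00
4712,ART-220,1200,2024-01-15T14:00:00,2024-01-15T22:00:00
"""

# Same export, but the query accidentally included an operator column
# (constructed stand-in for personal data that must not be shared).
SAMPLE_EXPORT_EXTRA = """order_id,article_number,target_quantity,start_time,end_time,operator_name
4711,ART-100,5000,2024-01-15T06:00:00,2024-01-15T14:00:00,J. Doe
"""


def check_export(text, agreed):
    """Return (ok, unexpected_columns, missing_columns) for a CSV export.

    ok is True only if the header contains exactly the agreed data points."""
    reader = csv.DictReader(io.StringIO(text))
    columns = set(reader.fieldnames or [])
    unexpected = sorted(columns - agreed)
    missing = sorted(agreed - columns)
    return (not unexpected and not missing, unexpected, missing)


def filter_export(text, agreed):
    """Return a CSV containing only the agreed columns, in their original order.

    Rows are copied as-is; values in non-agreed columns are dropped."""
    reader = csv.DictReader(io.StringIO(text))
    keep = [c for c in (reader.fieldnames or []) if c in agreed]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore",
                            lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_EXPORT_OK), ("extra", SAMPLE_EXPORT_EXTRA)):
        ok, unexpected, missing = check_export(text, AGREED_DATA_POINTS)
        print(f"{name}: ok={ok} unexpected={unexpected} missing={missing}")
```

Rejecting an export with unexpected columns (rather than silently filtering it) is the safer default, because an extra column usually means the export query changed and the agreed data-point list should be reviewed; filter_export is for the case where the reduced file is wanted anyway.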
If your existing ERP/MES/BDE system has other interfaces, we can also establish a connection through them. Connection options must be discussed in this case. Please reach out to your ENLYZE contact person regarding this and discuss the option of connecting via other interfaces.
We hope we have been able to clarify all your questions and concerns regarding the integration of a SPARK into your infrastructure. If you have any further questions or concerns, please feel free to email us at support@enlyze.com or reach out to your ENLYZE contact person. We will get back to you as soon as possible.