Verifying Security Functionalities in the symmedia Hub

Introduction

The symmedia Hub is a cloud-native application for Machine Manufacturers, Service Providers and Operators to collaborate. It offers a range of features to enable frictionless remote service through tightly secured connections and without the need to open inbound ports in the operator's infrastructure. Whenever remote connections are required, a symmedia Edge Device must be operated to facilitate the connection. This document briefly describes how users can verify that all relevant built-in security features are working as expected.


symmedia Hub

The symmedia Hub is the core of the application. It is accessible through the so-called "Portal", the main user interface of the application, which provides access to all available functionalities of the symmedia Hub. The main security criteria to be checked are:

  1. Encrypted Connection (Browser)

  2. Users, Roles and Permissions

  3. Service Case Management

  4. On the Edge Device


Encrypted Connection

Ensure that the connection to the Portal is always encrypted: the Portal must only be reachable over HTTPS, the browser must show the padlock icon with a valid certificate for the Portal's host name, and no certificate or mixed-content warnings may appear.

Users, Roles and Scopes

Ensure that roles with security-related capabilities (such as setting up and starting remote connections, or the Tenant Admin role) are assigned only to people who genuinely need them for their jobs (least privilege).

  • Role assignments define what actions a user can perform.

  • The scope defines the set of objects on which a user can perform actions.

See: User Management

  • Check the effect of role assignments on a user's capabilities by adding and removing role assignments, or adding and removing scopes, and confirming that the actions available to that user change accordingly.

Adding or removing roles changes the menu items available in the left-hand navigation:

  • Adding a role adds the corresponding items to the menu bar on the left; removing the role must take them away again. A menu item that remains after its role was removed indicates a problem.

Service Case Management

See: Service Cases and Operator - Service Cases

Audit Logs

Each Service Case has an Audit Log that records all relevant changes made to the Service Case. Check that this works by making a few changes to a Service Case and comparing them with the entries in the Audit Log: every change you made must appear as an entry, with the correct user and time.


Remote Connections

  • Check that remote connections can only be established by invitation: attempt to initiate a remote session in a Service Case on a connected machine for which the Operator has not issued an invitation. The attempt must be refused.



On the Edge Device

  • Check the firewall configuration and make any changes needed for the outbound connectivity to the Azure Cloud that the Edge Device requires; no inbound port has to be opened for this.

You can also expose additional services on the existing interfaces. Every additional service widens the attack surface of the device, so keep the list of deliberately exposed ports up to date: it is the reference for the port check below.

See: Commissioning and Configuration

  • Check that only the configured ports are visible on the interface under test. You can enumerate the reachable ports with a port scanning tool such as Nmap, run from a host on the same network segment as the interface under test. Run, e.g.:

nmap <IP>

By default Nmap probes only its list of the 1000 most common TCP ports; add -p- to cover all 65535 TCP ports, and -sU for UDP if UDP services are configured.
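The comparison step of this check, as an added example that is not part of the symmedia documentation or product: a Python script that parses Nmap's grepable output (nmap -p- -oG - <IP>) and reports every open port that is not on the configured allow-list, as well as every allow-listed port that did not show up as open. The sample scan output, the host address 192.0.2.10 and the allow-list are constructed for illustration; replace the allow-list with the ports actually configured on the Edge Device interface under test.

```python
"""Compare an Nmap grepable scan of the Edge Device against the configured port list."""
from __future__ import annotations

import re
import subprocess

# Constructed sample of `nmap -p- -oG - <IP>` output; not a capture from a real
# Edge Device. Fields in grepable output are tab-separated, and each entry in the
# "Ports:" field has the form port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_SCAN = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "8080/open/tcp//http-proxy///, 8443/filtered/tcp//https-alt///"
    "\tIgnored State: closed (65531)\n"
    "# Nmap done (constructed sample)\n"
)

# Hypothetical allow-list: the ports you deliberately configured on the interface
# under test. Derive it from the device configuration, never from an earlier scan.
ALLOWED_PORTS: set[tuple[int, str]] = {(22, "tcp"), (443, "tcp")}

# port/state/protocol prefix of one "Ports:" entry, e.g. "22/open/tcp/"
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def open_ports(grepable_output: str) -> dict[str, set[tuple[int, str]]]:
    """Map each scanned host to the set of (port, protocol) pairs Nmap reports as open.

    Ports in other states (closed, filtered) are ignored: they are not reachable
    services, which is what this check is about.
    """
    result: dict[str, set[tuple[int, str]]] = {}
    for line in grepable_output.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Keep only the "Ports:" field; drop the trailing "Ignored State:" field.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto in PORT_RE.findall(ports_field):
            if state == "open":
                result.setdefault(host, set()).add((int(port), proto))
    return result


def check_host(
    grepable_output: str, host: str, allowed: set[tuple[int, str]]
) -> dict[str, set[tuple[int, str]]]:
    """Return open ports not on the allow-list ("unexpected") and allow-listed
    ports that Nmap did not see open ("missing"). Both sets must be empty for
    the interface to pass; "missing" usually means the scan was incomplete or
    the service is down rather than a security problem."""
    found = open_ports(grepable_output).get(host, set())
    return {"unexpected": found - allowed, "missing": allowed - found}


def run_scan(ip: str) -> str:
    """Run Nmap against a single IP (never a subnet, see the OT caveat) and return
    the grepable output. Requires nmap on PATH; not used by the offline demo."""
    return subprocess.run(
        ["nmap", "-p-", "-oG", "-", ip], capture_output=True, text=True, check=True
    ).stdout


if __name__ == "__main__":
    verdict = check_host(SAMPLE_SCAN, "192.0.2.10", ALLOWED_PORTS)
    for kind, ports in verdict.items():
        print(f"{kind}: {sorted(ports) or 'none'}")
    # With the constructed sample this reports 8080/tcp as unexpected.
```

Run it against a real device by replacing SAMPLE_SCAN with run_scan("<IP>"); a non-empty "unexpected" set means a service is reachable that the configuration does not account for.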




Be aware that port scanning OT devices can cause services to behave in unexpected ways. Ensure that only the Edge Device is targeted (scan its single IP address, never a whole subnet that may contain machine controllers or other OT equipment) and that no sensitive applications are running on it during the scan. It is the customer's responsibility to carry out these scans with the necessary care.