Siemens’ Railigent Application Suite helps rail transportation companies optimize their infrastructure and assets through proactive monitoring and data analysis that reduces maintenance costs and unplanned downtime as well as increases rail transportation’s overall competitiveness. While a security breach at Railigent wouldn’t cause a crash, it would increase clients’ maintenance costs and cause delays or reduced train availability.

From the beginning, it was clear that Siemens would need a way to monitor the digital infrastructure and assets in the AWS-based Railigent ecosystem, both to ensure that it stayed as secure as possible as well as to control IT costs. CloudCheckr, now from Spot by NetApp, has streamlined Railigent’s security protocols, ensuring developers can easily identify the most urgent security issues, and reduced cloud costs by up to 20%.


Building an Internet of Trains

Siemens Mobility enables rail operators and maintenance providers worldwide to make infrastructure intelligent, increase value sustainably over the entire lifecycle and guarantee availability by using Railigent®: the rail solution for the secure and reliable handling of big data in a cloud environment. By combining comprehensive domain knowledge, best-in-class data analytics and both clients’ and partner’s expertise, Railigent® enables comprehensive asset management, optimized maintenance and safe operations.

The AWS-based application suite is used by rail companies around the world to monitor and optimize their physical assets and infrastructure. The physical assets being monitored—trains, tracks and signals, for example—are configured to send reports via a secure channel to a cloud-based data lake that operates on top of AWS. End users log in to the Railigent interface and use the information gathered from the sensors and analyzed by Railigent to lower maintenance costs, decrease unplanned downtime and increase overall efficiency.

Even before Railigent was launched, it was clear that Siemens would need to find a way to automate cloud security monitoring above and beyond what is available out-of-the-box with AWS. While individual developers cannot change the production AWS account, the Continuous Integration / Continuous Deployment (CICD) pipeline means it’s essential to immediately catch things like changes in security groups or S3 buckets that have been made public as developers are working in the development AWS account.

“We did not want to implement a solution completely on our own, because this is not our business focus,” Friedrich Glöckner, Systems Architect at Siemens Mobility Services, explains. “We could do that. We could create a team of developers to create such a solution, but it would cost a lot of money, and it’s not our core competence.”

Indeed, Siemens Mobility needed an outside solution that worked out-of-the-box and provided enough granular reporting and alerting to let the team continuously check for best practice and corporate policy compliance as well as react to security-related events. CloudCheckr goes even further, with Self-Healing Automation, to correct misconfigurations and vulnerabilities, automatically, upon detection, without requiring human intervention. This allows Siemens’ personnel to completely focus on their customer business.


High-Speed Development

For the most part, CloudCheckr is invisible to Railigent’s end customers—but those customers get a better product because CloudCheckr is running, Glöckner says. “In general our goal behind the decision of using cloud based services like AWS is a faster time-to-market,” he says. “CloudCheckr helps us focus on the right things.” The result: End customers get a more secure platform that is also more responsive to their needs.


Keeping Costs on Track

Although security was Glöckner’s primary concern, it was not the only thing Railigent needed to monitor—controlling cloud spend was also important, as well as gaining visibility into how much individual teams were spending on cloud services. Everything needed to work seamlessly across Railigent’s four AWS accounts—sandbox, dev, test and production—as well as be compatible with the company-wide IT rules and guidelines.

Siemens Mobility Services started a Proof of Concept trial with CloudCheckr in December 2016, and started using CloudCheckr in production in mid-2017.

“As soon as it’s set up, you have immediately all the CloudCheckr security recommendations,” Glöckner explains. “The cool thing is it gives you a checklist, and this is combined with reporting functionality, and you can prioritize security problems and say yes, we definitely need to work on this problem first. This is exactly what we did, and that helped us to improve the overall security of our ecosystem.”

Not only did security improve immediately, but so did cost monitoring. One of the first cost-related recommendations CloudCheckr provided, Glöckner remembers, was that Railigent did not need the more expensive RDS Microsoft SQL Server Standard Edition and could save 30-40% in RDS costs by switching to the RDS Microsoft SQL Server Web Edition. “Which is what we did, and we saved the costs,” he says.

Siemens has strict corporate guidelines about how each developer and team should tag cloud resources, but AWS’ billing reports only allow sorting by one tag dimension—not enough granularity for actionable business insights. With CloudCheckr, Siemens gets reports that break down costs based on as many tags as necessary. This makes it possible to track costs by team and project and to manage internal budget allocation in a way that would not be possible otherwise.


Moving Forward with CloudCheckr

Now that Railigent has been up and running on CloudCheckr for over a year, over 100 Siemens employees use CloudCheckr on a regular basis, primarily to check for cloud security vulnerabilities, unexpected costs and to follow up on both security and cost optimization recommendations.

From a cost perspective, team members can look at an instance report and sort by potential cost savings, allowing them to focus on resizing instances where the potential savings are a dollar per hour rather than two cents per hour. Glöckner estimates that Railigent continues to save up to 20% in total cloud costs because of CloudCheckr’s recommendations.

​​​​​It’s harder to put a value on security improvements, but Glöckner is emphatic that Siemens has had better control over all four AWS accounts from the day CloudCheckr was implemented. The prioritized security checklists CloudCheckr provides make is easy to ensure that Railigent is following best practices and the alerting features means that security vulnerabilities are brought to the team’s attention immediately—and never lead to security breaches.

Siemens’ Railigent® Application Suite helps rail transportation companies optimize their infrastructure and assets through proactive monitoring and data analysis that reduces maintenance costs and unplanned downtime as well as increases rail transportation’s overall competitiveness. Railigent monitors the physical infrastructure required to keep rail transportation reliable and safe, but turned to CloudCheckr to ensure the cloud infrastructure it relies on is just as secure.