Maximo Application Suite (MAS) and Cybersecurity: A Secure-by-Design Enterprise Asset Management Platform
Enterprise Asset Management (EAM) systems such as IBM Maximo serve as the central system of record for assets, locations, maintenance activities, supply chains and system integrations. In industries where IT and OT environments converge, including energy, manufacturing and critical infrastructure, this makes EAM platforms a high-value target for cyberattacks.

Threats range from stolen credentials and ransomware to the manipulation of operational data, which can directly affect safety, availability and regulatory compliance. For this reason, security in Maximo Application Suite (MAS) is not an afterthought: it is designed as a systematic, end-to-end capability that spans the underlying platform, identity and access management, encryption, and ongoing vulnerability management.
According to ENISA and IBM X-Force*:
- Over one third of attacks in the EU target industrial and critical-infrastructure systems
- Ransomware (extortion malware) incidents in industrial sectors grew 50% year over year
- Attackers increasingly exfiltrate and manipulate operational data rather than only encrypting it
MAS ARCHITECTURE
Maximo Application Suite is built as an integrated set of applications, including Maximo Manage, Monitor, Health and Predict, that run as containerised services on Red Hat OpenShift. This cloud-native architecture provides a strong security baseline while enabling scalability and operational flexibility.
For system integrations and machine-to-machine communication, MAS emphasises API-key authentication. Compared with legacy approaches such as embedding a named user's password in an integration, API keys are issued to a dedicated integration user whose permissions bound what the key can do, can be rotated on a schedule and can be tracked per consumer, reducing the risk associated with long-lived credentials. An API key is still a bearer secret, however: anyone holding it acts as that user until it is revoked, so keys belong in a secret store and in request headers, never in scripts, repositories or URL query strings. Data protection is addressed through encryption both in transit (TLS) and at rest, covering databases, storage and backups. Key management, particularly for encrypted attributes in Maximo Manage, must be planned carefully, with defined processes for rotation and recovery.
Key platform benefits include namespace-level isolation, Kubernetes operators for lifecycle management, tightly controlled networking, and secure integrations with enterprise databases (Db2, Oracle, Microsoft SQL Server) as well as the supporting components that hold identity and registration metadata.
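As an added example (not code from IBM or from this page), here is a small Go client that handles an API key the way the paragraph above recommends: the key is read from the environment rather than hard-coded, sent only over HTTPS and only in a request header, redacted in log output, and refused once it is older than the rotation window. The /maximo/api/os/<name> path and the apikey request header are the Manage REST API conventions as I know them and should be confirmed against your release; the host, the MAS_APIKEY variable name and the 90-day window are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// MaxKeyAge is the rotation window this example enforces (assumed: 90 days).
const MaxKeyAge = 90 * 24 * time.Hour

// IntegrationKey is the record an integration keeps about its own credential:
// the secret plus its issue date, so the client can refuse a key that has
// outlived the rotation window instead of quietly using it for years.
type IntegrationKey struct {
	Value  string
	Issued time.Time
}

// NeedsRotation reports whether the key is older than MaxKeyAge.
func (k IntegrationKey) NeedsRotation(now time.Time) bool {
	return now.Sub(k.Issued) > MaxKeyAge
}

// LoadKeyFromEnv reads the secret from MAS_APIKEY (variable name chosen for this
// example) so it is never hard-coded in the integration; the issue date would
// normally come from the key inventory.
func LoadKeyFromEnv(issued time.Time) (IntegrationKey, error) {
	v := strings.TrimSpace(os.Getenv("MAS_APIKEY"))
	if v == "" {
		return IntegrationKey{}, errors.New("MAS_APIKEY is not set")
	}
	return IntegrationKey{Value: v, Issued: issued}, nil
}

// NewManageRequest builds a GET against a Manage object structure such as MXAPIASSET.
// Path and header are the Manage REST API conventions as I know them (assumption).
func NewManageRequest(base, objectStructure string, key IntegrationKey, now time.Time) (*http.Request, error) {
	u, err := url.Parse(base)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "https" { // the key is a bearer secret; it only travels inside TLS
		return nil, fmt.Errorf("refusing to send an API key over %q: TLS is required", u.Scheme)
	}
	if key.Value == "" {
		return nil, errors.New("empty API key")
	}
	if key.NeedsRotation(now) { // fail closed rather than keep using a stale credential
		return nil, fmt.Errorf("API key issued %s is older than the %s rotation window",
			key.Issued.Format("2006-01-02"), MaxKeyAge)
	}
	u.Path = strings.TrimRight(u.Path, "/") + "/maximo/api/os/" + url.PathEscape(objectStructure)
	q := u.Query()
	q.Set("lean", "1")
	u.RawQuery = q.Encode()
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	// Header, never a query parameter: query strings end up in proxy,
	// load-balancer and web-server access logs; headers normally do not.
	req.Header.Set("apikey", key.Value)
	req.Header.Set("Accept", "application/json")
	return req, nil
}

// Redact is what log lines should carry: enough to match the key inventory, never the secret.
func Redact(key string) string {
	if len(key) <= 8 {
		return "****"
	}
	return key[:4] + "..." + key[len(key)-4:]
}

// KeyLeaksIntoURL is an audit check for client code: true if the secret ended up in the URL.
func KeyLeaksIntoURL(req *http.Request, key string) bool {
	return strings.Contains(req.URL.String(), key)
}

func main() {
	now := time.Now()
	key, err := LoadKeyFromEnv(now.Add(-30 * 24 * time.Hour))
	if err != nil {
		fmt.Println(err)
		return
	}
	req, err := NewManageRequest("https://mas.example.com", "MXAPIASSET", key, now)
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println(req.Method, req.URL, "apikey="+Redact(key.Value), "leak:", KeyLeaksIntoURL(req, key.Value))
}
```

The rotation check is deliberately on the client side: the server will happily accept a three-year-old key, so the consumer of the key is the place to enforce the window the key inventory promises.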
Together, these elements form a modular and resilient platform where security controls are enforced consistently across the entire suite. Centralized logging, monitoring, and alerting across the platform provide visibility into system behaviour and support rapid detection of security incidents. By combining application-level controls with platform‑level protections, MAS creates multiple layers of defence against both external and internal threats.
IDENTITY AND AUTHENTICATION: SECURITY AT THE SUITE LEVEL

With the transition from classic Maximo 7.6 to Maximo Application Suite, authentication moves from the individual applications to the suite level. This supports integration with enterprise identity providers and modern authentication standards. Security is further strengthened by enforcing multi-factor authentication where the identity provider supports it, clearly separating suite-level administrative roles from application-specific roles, and maintaining robust audit trails. Privileged actions can be monitored both at the application level and within the OpenShift platform, improving accountability and compliance readiness.
DATA ENCRYPTION AND PROTECTION
Data protection in MAS is addressed through encryption both in transit and at rest. All communication between components is protected with TLS, while data stored in databases, persistent storage and backups can be encrypted depending on the deployment model and underlying infrastructure. Because at-rest encryption is provided by the storage layer rather than by the suite itself, it should be verified per component (database encryption, storage class, backup target) rather than assumed.
Within Maximo Manage, sensitive attributes can be stored in CRYPTO fields (reversible encryption, for values the application must read back, such as integration passwords) or CRYPTOX fields (one-way, for values that only need to be verified and can never be decrypted). Proper key management, including key rotation, backup and recovery processes, is essential: a CRYPTO value is only as recoverable as the key that produced it, rotating that key means re-encrypting every stored value before the old key is retired, and CRYPTOX values cannot be re-keyed at all without the original input. Getting this wrong does not compromise confidentiality, it destroys availability of the data.
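To make the rotation and recovery requirement concrete, here is an added example in Go of a versioned key ring for reversibly encrypted attributes. It is not IBM's implementation of CRYPTO fields (Manage uses its own keys and storage format); it shows the process the paragraph describes. Each stored value records the key version that produced it, Rotate issues a new version while keeping the old ones, ReEncrypt moves a value to the current key, and retiring a version before everything under it was re-encrypted is exactly the data-loss case that only a key backup can repair. AES-256-GCM, the v<n>: prefix and the sample plaintext are choices made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// KeyRing keeps every key version ever issued. Old versions stay in the ring
// (and in the key backup) so values encrypted under them remain readable; only
// the current version produces new ciphertexts.
type KeyRing struct {
	current int
	keys    map[int][]byte // version -> 32-byte AES-256 key
}

// Rotate issues a fresh random key and makes it current; old versions are kept.
func (kr *KeyRing) Rotate() (int, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return 0, err }
	if kr.keys == nil { kr.keys = map[int][]byte{} }
	kr.current++
	kr.keys[kr.current] = k
	return kr.current, nil
}

// Retire drops a version. Safe only once nothing is still encrypted under it.
func (kr *KeyRing) Retire(version int) { delete(kr.keys, version) }

// ParseVersion splits "v<n>:<payload>": each stored value records the key version that made it.
func ParseVersion(stored string) (int, string, error) {
	var v int
	parts := strings.SplitN(stored, ":", 2)
	if len(parts) != 2 { return 0, "", fmt.Errorf("malformed stored value") }
	if _, err := fmt.Sscanf(parts[0], "v%d", &v); err != nil { return 0, "", err }
	return v, parts[1], nil
}

// gcm returns the AEAD for a version, or the "key lost after rotation" error
// that only restoring that version from the key backup can fix.
func (kr *KeyRing) gcm(version int) (cipher.AEAD, error) {
	key, ok := kr.keys[version]
	if !ok {
		return nil, fmt.Errorf("key version %d is not in the ring; restore it from the key backup", version)
	}
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// EncryptReversible is the CRYPTO-style case: AES-256-GCM under the current key.
func (kr *KeyRing) EncryptReversible(plain string) (string, error) {
	aead, err := kr.gcm(kr.current)
	if err != nil { return "", err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	ct := aead.Seal(nonce, nonce, []byte(plain), nil) // nonce || ciphertext || tag
	return fmt.Sprintf("v%d:%s", kr.current, hex.EncodeToString(ct)), nil
}

// Decrypt recovers a value with whichever key version produced it.
func (kr *KeyRing) Decrypt(stored string) (string, error) {
	v, payload, err := ParseVersion(stored)
	if err != nil { return "", err }
	aead, err := kr.gcm(v)
	if err != nil { return "", err }
	raw, err := hex.DecodeString(payload)
	if err != nil || len(raw) < aead.NonceSize() { return "", fmt.Errorf("corrupt ciphertext") }
	n := aead.NonceSize()
	plain, err := aead.Open(nil, raw[:n], raw[n:], nil) // fails on wrong key or tampering
	if err != nil { return "", err }
	return string(plain), nil
}

// ReEncrypt rewrites one value under the current key. Run it over every CRYPTO
// column after Rotate; only when nothing remains under the old version may it be retired.
func (kr *KeyRing) ReEncrypt(stored string) (string, error) {
	plain, err := kr.Decrypt(stored)
	if err != nil { return "", err }
	return kr.EncryptReversible(plain)
}

func main() {
	var kr KeyRing
	kr.Rotate()
	c1, _ := kr.EncryptReversible("constructed sample secret")
	kr.Rotate()               // v2 is now current
	c2, _ := kr.ReEncrypt(c1) // same plaintext, now under v2
	kr.Retire(1)              // acceptable only because c1 has been re-encrypted
	_, lost := kr.Decrypt(c1) // v1 is gone: this error is the recovery case
	p, _ := kr.Decrypt(c2)
	fmt.Println(p, "|", lost)
}
```

The version prefix is the important design choice: without it, a rotated system cannot tell which key to try, and "rotation" silently turns into "lost the old key". The same tag is what a backup restore needs, since a database backup taken before the rotation still carries v1 ciphertexts.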
ISO 27001 ALIGNMENT

ISO 27001 defines requirements for an information security management system (ISMS), covering areas such as access control, cryptographic protection, operational security, change management, and incident response. Maximo Application Suite supports many of these requirements through its built-in security architecture and operational controls.
In SaaS or managed deployment models, compliance is often demonstrated through standardised certifications and assurance artefacts provided by the service provider, rather than through fully customer-led audits. This reduces the operational burden on organisations while still supporting regulatory and compliance goals, although the customer remains responsible for the controls on its side of the shared-responsibility boundary, such as user provisioning, role design and the handling of integration credentials.
* ENISA Threat Landscape 2025: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025