We take security seriously and implement the OWASP security recommendations for IoT solutions (https://owasp.org/www-project-internet-of-things/). All data and services reside in isolation in a dedicated cloud subscription controlled by the customer. Standard OAuth 2.0 providers are the mechanism of choice for authorization, with AD (Active Directory) integration for user and application management.
APIs are protected and managed by an API management service, which provides an abstraction layer for throttling, DoS prevention and fine-grained control over access to raw or processed data.
Our on-premises data gateway supports two-way communication for telemetry data ingestion and for OTA (over-the-air) updates, configuration and command execution. However, the default setup is passive mode, which excludes remote command execution until it is explicitly requested by the customer. This way we ensure that the MDC (manufacturing data collection) process will not in any way interact with the normal behaviour of CNC or PLC machining and operations.