Vendors Serving Construction Comment on Cyber Security Concerns Today
The evolution of cybercrime has executives on edge, particularly as construction increasingly uses electronic data and hosted services. ENR asked an array of vendors serving the industry how they assure customers their data is secure and their services will not become a vector for the next cyberattack.
We received responses from Aconex, CMiC, EarthCam, FieldLens, Fluid Contract Manager, Heavy Construction Systems Specialists Inc. (HCSS), JB Knowledge Inc., Nasuni, NoteVault, Panzura, Sage Construction and Real Estate, and Viewpoint Construction Software. The extended responses are in alphabetical order below.
The most often mentioned assurance is that, due to scale, management and R&D investments, customers of vendors with services built on major cloud providers—such as the Amazon Web Services (AWS) cloud infrastructure—automatically gain a lot of protection against cyberrisk. "The cloud acts as a shield," says Nikol Par, CMiC communications manager. Amazon AWS was cited as a pillar of security by several respondents, including cloud-based document storage system vendor Panzura, and voice-to-text service provider NoteVault. "Amazon is far more secure than what a company can build themselves," says NoteVault CEO Peter Lasensky, who adds that companies also need intelligent monitoring, which Amazon AWS provides. "Alerts on unusual activity set off automatic alarms that can help companies nip the problem in the bud with early detection of a breach," he says.
Other platforms received praise. Jon Witty, vice president and general manager of Sage Construction and Real Estate, cited the Microsoft Azure platform, which his company uses, as a "reliable application-hosting platform that assures the highest levels of data integrity, availability and confidentiality."
Witty and others also say industry customers should look for platforms that include notifications, audit trails and regular third-party security audits of service providers. Viewpoint Construction Software added several other considerations: "For any hosted solution, confirm that the data is being encrypted during transmission, that personally identifiable information is obfuscated, and that the vendor's data-center partner has the necessary certifications—ISO and SOC-2 and SOC-3—in place."
James Benham, CEO of JBKnowledge Inc., adds, "Those of us who have implemented security policies and procedures can certainly reassure our customer base that we have taken every reasonable measure possible to safeguard their information."
The responses:
Aconex
From Rob Phillpot, co-founder and senior vice president of product and engineering, and David Chatterton, chief information officer:
The move to Software as a Service (SaaS) at the end of the internal investment cycle:
Organizations in construction and engineering are moving to SaaS. As recently as five years ago, many organizations were still skeptical of hosting sensitive data in “the cloud.” It was unknown to many industry IT departments – even if the security offered by cloud vendors was often beyond what individual companies could achieve on their own.
It’s taken around a decade for the IT investment in internally hosted systems to be fully amortized. At the same time, certain disruptive technology trends – notably BIM and mobile – have given organizations a choice between doubling down on their aging infrastructure or moving to a sophisticated, purpose-built system backed by significant ongoing R&D.
For the same reasons that architects built their own CAD software in-house in the 80s and then moved to commercially available software, and that organizations built their own ERP systems in the 90s and then moved to commercial solutions, construction and engineering firms are now faced with choices regarding the internally hosted EDMS and collaboration systems that they’d built in the late 90s and early 2000s.
True multi-tenant environments versus shared internal environments:
The main issue with internally hosted systems is that the sensitive corporate data of different organizations on a project has to reside on another company’s network or be maintained in parallel in the organization’s own network. The redundancy of parallel systems for project information management created inefficiency and risk. Every information flow that crosses company boundaries requires manual export and import, wasting significant amounts of time on data entry and posing the enormous risk that one company’s version of the truth isn’t necessarily the same as another company’s.
The two differing schools of thought are: 1) “This is my system, and I will let people in and decide who gets to see what”; and 2) “On a common platform, let everyone have their own space that they control and then each can decide who sees their information.” Moving from the first view to the second represents a subtle yet fundamental step change in project collaboration across different organizations. It means that every company on a project can truly manage all of their project information, plus share what they want—and no more—with other organizations. As a result, the adoption of cross-company, cloud-based collaboration platforms has skyrocketed, and their inherent efficiency, risk mitigation and value have been validated by the industry.
Security protection and user authentication:
In the past, companies have adopted a “ringed fence” approach to security—i.e., build enough walls to keep others out. In construction collaboration, that isn’t enough. In addition to building enough walls, companies need to patrol their boundaries and look for unwanted visitors who may have made their way inside. Companies must avoid the trap of believing that their walls are perfect and must constantly build new walls.
If an unwanted visitor has the right credentials, then they can get inside the project collaboration system. Therefore, collaboration service providers need to offer tools that allow users and organizations to add successive layers of authentication. Traditional methods of username/password authentication are no longer sufficient. If a password is compromised, then anyone, anywhere can use it. Implementing two-factor authentication (2FA), using tokens as well as passwords, provides significant additional protection. Also, implementing single sign-on (SSO) allows organizations to integrate their internal security protocols with the SaaS collaboration platform to provide two key advantages: 1) users can pass seamlessly between their internal work and their SaaS collaboration environment; 2) the collaboration platform adheres to the company’s internal security protocols.
Significantly, in a SaaS environment, project owners and managers can apply additional security measures to other organizations that are working on the project—from implementing 2FA to additional password complexity and expiration rules. This allows everyone to have their own project space while collaborating seamlessly and ensures that the highest level of security is enforced across the entire project team.
Protection from denial of service:
Sometimes, the main security concern isn’t hacking but rather the inability to access project data. If users can’t access project information, then it might as well be lost—the project suffers and risk escalates. Preventing denial of service (DDoS) attacks is key not only for managing risk but also for avoiding potential extortion.
Managing unauthorized entry:
Companies shouldn’t assume that the security of their project collaboration system can never be compromised. They should invest in a security operations center (SOC) team to constantly monitor traffic, trends and activity to keep the platform and its data safe. If someone is logging in simultaneously from two different locations, then this is a red flag that should be addressed quickly.
Encrypting traffic across the internet is a given, but the protection of media where project data is stored is also critical. Companies need to have encryption at rest to protect sensitive data, even when it isn’t in transit.
Investment in security across multiple customers:
When they reach scale, SaaS collaboration platform vendors can invest more in security than their individual customers can – and definitely more than the subcontractors who are sharing information with their customers.
SaaS vendors can and should work closely with their customers’ IT security teams to ensure that common threats are adequately addressed.
SaaS vendors have undergone security evaluations from multiple customers and have demonstrated their security capabilities multiple times. A collaboration service provider’s logos can provide additional assurance that it has met rigorous industry standards for security.
In summary, not all SaaS collaboration platforms are created equal. Companies seeking maximum security for their construction project information and processes in today’s environment should consider these three priorities in selecting a collaboration solution:
—Provide a neutral, common platform while allowing each organization on the project to control their own destiny for sharing information with the project team
—Implement higher security hurdles across the project community, including 2FA and SSO
—Assume that their collaboration systems are imperfect and therefore constantly add new protections while monitoring traffic, trends and activity for red flags.
Only the largest SaaS collaboration service providers are able to invest in R&D for both advanced, industry-specific functionality and security measures – both functional and procedural. At the same time, only the largest providers have the teams in place to monitor activity and support their customers in identifying and assessing security threats.
CMiC
From communications manager Nikol Paar:
CMiC has been in the construction business for over 40 years now. We've watched the construction industry change and adapt to trends and attacks, and due to this reason we feel confident in stating that clients, vendors, and the like, can feel safe that their data is secured in the cloud - the trend that attacks its attacker.
CMiC launched subsidiary HIKUU Construction Cloud for this very reason, to keep client information and data secure, and conveniently stored. The cloud acts as a shield of protection against cyber attacks. HIKUU uses the Amazon Web Services (AWS) cloud infrastructure, which offers world-class protection that has achieved ISO 27001 certification and has been validated as a Level 1 service provider under the Payment Card Industry (PCI) Data Security Standard (DSS). Clients can rest assured that today's progressive construction software companies are two steps ahead of cyber attackers and have the necessary tools in place to prevent cyber crime.
EarthCam
From Brian Cury, CEO & Founder:
An important note is that within your own organization, either purposefully or inadvertently, personnel may pose a larger threat to data security than any technology exploit ever could. Experience has shown that competitors will not shy away from utilizing traditional hacking techniques as well as social engineering of personnel to gain access to sensitive information. Choose your technology partners wisely, and always look closely at your servers and web logs; you might be surprised who is watching and waiting both inside and outside the firewall.
In addition, EarthCam maintains its own dedicated server platforms and Enterprise-Class storage systems in private data centers, not “cloud” or “virtualized” environments shared with others.
FieldLens
From CEO Doug Chambers:
At FieldLens our primary concern as a communication platform is the security of the data we store for our users. There is certainly a difference in the level of security a SaaS provider offers versus email, for example.
Email routing is “store and forward”, with the data having the potential to be physically present on many third-party servers. This is especially true for a construction project team where several companies working together are usually using different email systems. This leaves information vulnerable to prying eyes and manipulation.
With first-in-class SaaS platforms like FieldLens, data is sent to the Platform with a secure connection, and once it’s there mobile clients have to go through the Platform code to access the database, just like the web. Every interaction with the database is governed by the Platform code.
Nobody has physical access to the servers with a SaaS platform, so attacking the system is much more difficult. Finally, information stored in the platform has an audit trail that cannot be modified, and this ensures the integrity of all stakeholder information.
Fluid Contract Manager
From Don Speedie, president:
As a provider for mobile, construction cloud services, this topic is near and dear to my heart. One of the companies we at Fluid CM are working with is a company called Proacteye which specializes in monitoring cloud based applications 24x7 and has personnel in place to review any alarms when they are raised. It is a good combination of monitoring technology combined with a human on the other end validating any issues as they arise.
More to follow...
HCSS
From Josh McDonald, services senior manager:
Anyone doing business with "electronic data and vendor services" needs to vet the securability of the data and services. This can be a complicated topic if we let it. To simplify, consumers need to know and be assured of two items:
—How the electronic data and service works. An understanding of the application, data, and how it works technically will provide the right amount of information to Information Technology leads to design a solution to protect the data and services. This should be a primary role of IT, but it requires thoughtful digging and asking the right questions to the software/service vendor.
—How the solution is audited and secured. Whether it is hosted internally on company servers or hosted externally in any number of different cloud environments, the consumer needs to understand the auditing process and security layers that the solution provides. Security includes firewalls, virus protection, and intrusion protection, but it also includes more tangible things like who has a key to access the server rack or what external providers are servicing the cloud solution provider and have potential access to data through ancillary means.
HCSS understands both of these points and takes strong efforts to understand how to environmentally secure our products as well as build security measures into the application itself to provide proper assurances.
The thing to remember when it comes to security is that it is an ever evolving problem with ever evolving solutions. It's important to keep security efforts moving forward at all times and one advantage in this area can be found in simply selecting the correct partners to help.
JB Knowledge
From James Benham, CEO:
While no company can promise that an event will never occur, just like they can’t promise that their data center is “flood proof” or “earthquake proof”, those of us who have implemented security policies and procedures can certainly reassure our customer base that we have taken every reasonable measure possible to safeguard their information. We can accomplish this through:
—Providing tours of facilities and responding to on-site audits. We have routinely had our customers visit our data centers and development centers to review our physical and logical security so they can gain first hand knowledge of our protective measures.
—Providing documentation of our security equipment, personnel and procedures that are in place to safeguard facilities, systems and data.
—Contracting with third parties for intrusion review and intrusion prevention and detection services. Our companies should have inside and outside eyes on our systems at all times.
—Providing proof of cyber liability insurance to our customers upon request.
While this is certainly not a comprehensive list of what measures a company can take to secure their clients’ information, it describes what I believe are the top things we can do to reassure our customers that we have their best interests in mind.
Nasuni
From Andres Rodriguez, founder, president and CEO:
From the perspective of storage and cloud, the most important measure AEC firms can take to protect their data is to encrypt everything stored in the cloud with keys that are created and controlled by the firm. That way, if there’s a breach at the cloud vendor, even if data were compromised, it won’t matter. Without the encryption keys, it’s just gibberish.
Other things that definitely help raise the bar are: controlling access to files inside the company and across to clients, keeping logs of who has accessed what and making sure the data record is immutable so that you can reverse any changes if struck by ransomware virus (i.e. CryptoLocker). I’m happy to put you in touch with customers that can give you firsthand experiences with some of these vulnerabilities.
NoteVault
From Peter Lasensky, CEO:
NoteVault is using Amazon Web Services because Amazon is far more secure than what a company can build themselves. Security is so complicated these days that it is better to utilize a team of experts like only a company the size of Amazon could put together to secure data.
Security is about more than password protection. As we saw with the Sony breach, it only took a user name and password to bring them to their knees.
Companies need an IT network that has intelligent monitoring. Amazon, for example, tracks downloads because they get paid for it. Alerts on unusual activity can set off automatic alarms that could help companies “nip the problem in the bud” with early detection of a breach.
Panzura
From Andy Knauf, vice president of IT at customer, Mead & Hunt:
“I feel the best way to protect your company's assets from cyber attack is always knowing who has access to your system.
More times than not the attack comes from internal, and not keeping your internal records current could cause harm to your system. It's safe to say, most of us use the best firewalls we can find and try to educate our users by making them use strong passwords to keep our systems protected. But what happens when you do everything right and somehow your system is still compromised? Your backup is your only savior when your system is compromised, and that is only as good as the system you use to back up your data.
We decided more than a year ago to trust all our data to Amazon AWS, which is encrypted to everyone other than our company but can be recovered by them because they have access to the physical media.
We also placed Panzura controllers in all our offices because files are secured at rest and in transit. Panzura is the only company that is using FIPS 140-2 compliance and stores unique blocks, and the data is obfuscated. Because your data is on Amazon and you're using Panzura you are protected not only from an internal attack but external as well.”
Sage Construction and Real Estate
From Jon Witty, vice president and general manager:
Security is especially important as more and more construction firms are using mobile devices and applications to exchange information between the field and back-office financial and operations systems. Software vendors must provide these remote capabilities with built-in security. Data security safeguards that should be a part of every cloud-based application architecture include:
—Development on a reliable application hosting platform (Microsoft Azure as a leading example) that assures the highest levels of data integrity, availability, and confidentiality.
—Regular third-party audits. We use Comsec, a global information security consulting firm.
—Encryption for any data that flows from mobile applications to back-office systems.
—Secure web service for connections between servers and with mobile devices to mitigate unauthorized access, network eavesdropping, and other threats.
—Dedicated secure site so data is safeguarded from others.
—Notifications and audit trails that show who requests, accesses, and views information.
Viewpoint Construction Software
From Bruce Kenny, vice president of product development:
Security and Data Privacy has always been a critical aspect of any IT solution. In the past we have relied, perhaps naively, on the physical security of our office buildings housing our On-Premises solutions. As the construction industry dramatically accelerates its adoption of technology—particularly mobile, SaaS (software as a service) and other hosted solutions—and increases its use of digital data in their day-to-day operations, the burden of responsibility for security and data privacy increasingly shifts from the company itself to their selected vendors. With these distributed and hosted solutions the company must not only ensure their internal practices and systems are secure, they must now ensure that the solutions and environments of their vendors are secure.
The construction industry is fortunate as we can learn quickly from many other industries that have already navigated through the data security and privacy challenges that mobile and hosted solutions deliver. Many industries have already made the transition from on-premises to hosted solutions, from paper-based to digital workflows, from centralized computing to highly distributed mobile and SaaS solutions. Industries such as Financial Services, Health Care and Manufacturing have been leveraging hosted and mobile solutions for over a decade and as use increased, they pushed their vendors for tighter controls and practices. We see this maturity from vendors in technology sectors such as CRM (Customer Relationship Management), Customer Service & Support, Marketing Automation, Financial Services and Health Care—all areas of business that have embraced very high security and privacy practices as a cornerstone of their offerings.
While a few high profile cases of data breaches have been reported over the last few years, the reality is that the vast majority of technology vendors (software, hardware and infrastructure providers) have invested in and created superior security and privacy protections than most of their customers. The services industry has responded with increased standards and certifications to ease the burden-of-proof on any single company.
Specifically around data security and privacy there are a number of standards and certifications that a company can rely upon to confirm that their solutions vendor has taken security and privacy seriously. Standards such as ISO 27001 and SOC-1/2/3 (Service Organization Controls) are in place to ensure vendors, particularly those that process and store sensitive data, have the controls and processes in place to protect the data assets they are entrusted with.
Security and Privacy must be part of every solution evaluation. For any hosted solution, confirm that the data is being encrypted during transmission, that personally identifiable information is obfuscated, and that the vendor’s data center partner has the necessary certifications—ISO and SOC-2 & SOC-3—in place. It is important to also look beyond the vendor's core solution and confirm that any 3rd-party solutions—social plug-ins such as Facebook and Twitter—are being used correctly, as we must protect against any premeditated offensive attack but equally protect against the proper use and distribution of data by our own employees, who may unwittingly be sharing data they should not.