This installment of "Questions to Ask before Investing in Construction Management Software" focuses on Data Security and SaaS Solution Providers.
First, let me define SaaS.
SaaS is an acronym for 'Software as a Service': a software delivery model in which software is licensed on a subscription basis and centrally hosted. 'Hosted' means the software is installed, managed and accessed entirely on a remote server, not on individual computers (unlike, say, a game you'd buy off the shelf at Fry's or Best Buy). SaaS solutions, therefore, are software solutions provided by third-party vendors who host, manage and maintain the servers on which the software resides.
The Construction Industry has become more competitive than ever before. The expectation to deliver projects on time (even early) and under budget has everyone looking for ways to do more with less and set themselves apart from the competition. Let's face it; no one manages a single project anymore. The use of Excel, FTP, and email to manage multiple projects, or entire programs, is no longer effective or efficient.
Project Management Software is nothing new. Other industries have used it for years to manage all kinds of projects, from event planning to product development. Project Management Software designed specifically for Construction projects entered the market in the early 2000s. At that time, technology and connectivity were in their infancy, and very few construction professionals took to the idea, since everything they do happens outside an office. With the introduction of web/cloud services and mobile phones and devices, the construction industry has rapidly accepted the benefits of web-based Construction Project Management Software and created a huge demand for it.
To meet this new demand, software companies offering web-based Construction Project Management Software are popping up everywhere. The website Software Advice alone lists 277 software solutions for construction with new SaaS vendors throwing their hats in the ring daily. This is great news for construction professionals and project owners, but can be a scary reality for security teams. You wouldn't hire a new employee before checking their references, would you? So why would you blindly bring on a new vendor?
So, the question remains: Are Your Prototypes, Designs and Project Data Safe With SaaS Solution Providers?
The answer is not black and white: it all depends on the vendor.
I have put together a list of 10 questions that are critical to ask ANY SaaS vendor BEFORE signing on the dotted line:
- Do You Have an SSAE 16 SOC 2 Type 2 Audit? Service Organization Controls (SOC) reports are widely accepted as the industry security standard for cloud service providers. When a vendor tells you that they have a "SOC 2 audit," they're essentially telling you that they conform to one of the highest data security standards in the industry. The "Type 2" part means that those controls have been in place and operating effectively over a period of time, at least one year in most cases, and that this has been verified by an independent, third-party auditor. More importantly, because this audit is so widely accepted as the industry standard, any vendor you're seriously considering should have a SOC 2 Type 2 audit. If the vendor can't verify their compliance, they aren't worth the risk of doing business with.
- Is Your Encryption HIPAA-Compliant? Even if you're not in the health care industry, you've probably heard of the Health Insurance Portability and Accountability Act (HIPAA). Enacted in 1996, HIPAA is a federal law designed to keep private information, well, private. To make sure that happens, HIPAA demands some of the most stringent encryption and data-protection standards out there. As a result, SaaS providers that are HIPAA-compliant encrypt data to the highest level. So whether you're dealing with actual health care data or proprietary information such as Prototypes, Designs and Project data, you should opt for the peace of mind that comes with HIPAA compliance.
- Can You Tell Me About Your Datacenter Security? Encryption and data security are obviously huge parts of data protection, but do not overlook physical security. Since the SaaS vendor manages, and has access to, the servers that house your Project data, you need to verify the security of those physical servers. Does the vendor keep the servers in the back coat closet, or do they use an off-site datacenter? Do they require badges to enter and exit? Do they have additional controls such as fingerprint scanning? Ideally, you want a vendor that requires 'dual-factor authentication' to enter the facility, meaning multiple forms of ID such as a badge plus a fingerprint scan.
- Do You Have a Company-Wide, Comprehensive Security Awareness Program? There is a reason why most hackers target lower-level employees. Typically, the executives and IT folks who work directly with sensitive data have gone through security training and awareness. This is not necessarily the case for employees farther down the chain of command. This is why it is critical to choose a SaaS vendor that makes security a priority company-wide, from the C-level to the hourly worker. Even though your physical server is located in a secure facility and your Project data is encrypted, none of that matters if the vendor's employees who access your data, whether to support you or to create custom reports, are not trained in and accountable for security protocols. All the physical security and data encryption in the world will not protect you from one untrained or malicious employee.
- Is There an Option for Single-Tenant Hosting? Most SaaS vendors provide what is called 'multi-tenant' hosting. Just as an apartment complex has buildings made up of several units, your software solution and project data reside in one 'apartment' of the 'complex,' which is the server. In other words, you are not the only client accessing that server to use the vendor's software. Ideally, if the SaaS vendor can provide your organization with its own dedicated, private server, there is no risk of 'cross-contamination' with other clients, the software can be custom-configured to wrap around your workflows and approval processes, and it can be integrated with other internal software systems. Just make sure that the vendor's single-tenancy solution covers BOTH the software application and the data storage.
- Is There a Backup and Recovery Plan? One thing that doesn't get talked about as much when it comes to SaaS security is business continuity: how the provider protects its customers against denial-of-service attacks or a natural or man-made disaster. Your company should also be concerned with the physical location of the hosting facility, requesting an on-site inspection if possible. Geography also matters: if the SaaS vendor hosts the data in another country, you should acquaint yourself with the privacy and data ownership laws of that jurisdiction.
- Do You Keep a Signed Audit Trail of Which Users Performed What Actions When, Both on Your User Interface (UI) and API? An audit trail helps protect against both mistaken and malicious actions: when users know their actions are recorded, they act with greater attention to detail and are dissuaded from using the platform as a vehicle for an attack. An audit trail is also invaluable for troubleshooting and root cause analysis.
- What Is Your Termination or 'Exit Process' for Ensuring a Successful Transition from Your Services to an Alternative Offering? You need to review how to gracefully and effectively exit a relationship with a SaaS vendor. How will the vendor assist with the transition, including returning your company's data to you or to a third party in a usable form? What are the vendor's data destruction or electronic shredding policies? How do they provide evidence that your data is no longer resident on their systems and, therefore, not subject to attack or e-discovery?
- What Is Your Service Level Agreement (SLA) for Uptime? Many vendors offer 99.9% uptime, which still allows nearly 45 minutes of unscheduled downtime per month. Even when the SLA is breached, the 'credit' issued to your account is only a percentage of the monthly fee, nowhere near the cost of that downtime to your business. Selecting a cloud provider that offers the right uptime guarantee is critical to finding the right solution for your company's needs.
- How Are You Going To Support Me? You can purchase a top-of-the-line, all-the-bells-and-whistles solution, but without proper support it is doomed to fail. Does the vendor outsource customer support to a third party in Timbuktu, or do they have an internal support team? How many employees make up the support team? Will you be required to submit support tickets via email, or can you speak to a live person? Does the vendor provide 24x7 support, or only Monday to Friday from 10am-1pm Eastern Time?
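To make the 'signed audit trail' question concrete, here is an added example (not from the original post or any vendor's product) of how such a trail can be made tamper-evident: each entry is HMAC-signed together with the previous entry's signature, so editing, reordering or removing an entry breaks the chain. The key, user names, actions and timestamps below are constructed for the demo.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key. A real service would keep this in a KMS/HSM,
# never in source code, so application operators cannot re-sign entries.
AUDIT_KEY = b"demo-audit-key-not-for-production"


def _sign(previous_sig: str, entry: dict) -> str:
    """HMAC over the canonical entry plus the previous signature (chain link)."""
    payload = previous_sig.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()


def append_entry(trail: list, user: str, action: str, target: str,
                 channel: str, ts: str) -> dict:
    """Append a signed entry; channel records whether the UI or the API was used."""
    if channel not in ("ui", "api"):
        raise ValueError("channel must be 'ui' or 'api'")
    previous_sig = trail[-1]["sig"] if trail else ""
    entry = {"seq": len(trail), "ts": ts, "user": user, "action": action,
             "target": target, "channel": channel}
    entry["sig"] = _sign(previous_sig, entry)
    trail.append(entry)
    return entry


def verify_trail(trail: list) -> Optional[int]:
    """Return the index of the first bad entry, or None if the whole chain verifies.
    Note: dropping entries from the tail is only caught if the latest signature
    is anchored elsewhere (e.g. published to a separate store)."""
    previous_sig = ""
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "sig"}
        if body.get("seq") != i:
            return i  # gap or reordering: a deleted middle entry shows up here
        if not hmac.compare_digest(_sign(previous_sig, body), entry["sig"]):
            return i  # content or signature altered
        previous_sig = entry["sig"]
    return None


def demo() -> tuple:
    """Intact trail verifies; an edited entry and a deleted entry are detected."""
    trail = []
    append_entry(trail, "alice", "upload_drawing", "deck-rev3.dwg", "ui", "2024-01-10T14:02:00Z")
    append_entry(trail, "svc-erp", "export_budget", "project-42", "api", "2024-01-10T14:05:30Z")
    append_entry(trail, "bob", "delete_drawing", "deck-rev3.dwg", "ui", "2024-01-10T15:11:07Z")
    intact = verify_trail(trail)
    edited = [dict(e) for e in trail]
    edited[2]["user"] = "alice"  # rewriting who deleted the drawing
    truncated = trail[:1] + trail[2:]  # the API export entry removed
    return intact, verify_trail(edited), verify_trail(truncated)
```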
SaaS solutions designed to manage Construction projects are revolutionizing the industry by making us more efficient and providing visibility that didn't exist 20 years ago. Simply by knowing the 'Questions To Ask Before Investing In Construction Project Management Software,' you can not only save time and money, but also gain the peace of mind of knowing that your proprietary project data is safe and sound.