How secure is your Cloud?
Architects are often the custodians of potentially sensitive data. Many public and private sector buildings can be a source of sensitive information or potential security risks, including information useful to commercial rivals.
Outsourced data storage, in particular the Cloud services offered by the IT software giants, has become increasingly routine for built environment professionals. But architects working on any type of sensitive building project need to appreciate that not all data storage services are equal, especially in a shared data environment.
‘Cloud storage offers extreme flexibility in terms of access to software and services, which can be added on an ad-hoc basis, but despite the title, the data is still stored in a physical data centre, somewhere.’
The first questions an IT security consultant will ask about data storage are where and how the data is stored, says Nathan Jones, Senior Project Manager at Turner & Townsend. They will also want to know which countries the data is routed through.
While such detective work will be too time intensive for most busy architects, the next best alternative is to look at the information provided by data storage providers.
Data centres and Cloud services generally offer four tiers of assurance, tier one being the lowest. Not all data centres will provide assurance around the security of the data in terms of third-party access, so it is imperative to know what you are signing up to in the Service Level Agreement, says Jones.
Storage providers will often outsource to other data centres that may not offer the same level of assurance, without the user necessarily knowing.
‘You need to look at the small print of your data storage contract for an indication of what level of security is being offered,’ says Jones.
‘Don’t assume your outsourced data is secure. Look at existing contracts and ask yourself “does this satisfy me?”. If you are concerned, question the service provider.’
The same questions apply when using an electronic data management system (EDMS), where information is posted to a third-party website and shared. EDMS providers are often not responsible for data backup; they will own and control the portal via which the data is accessed by the user, but will outsource the storage to a data centre, again without the user necessarily knowing.
‘On a sensitive project using EDMS, architects should consider employing a professional to organise data storage for the project. The level of security should always meet the security requirements of that project, and access to that data needs to be assessed and organised so not everyone has access to everything,’ says Jones.
For BIM projects, Jones suggests the best place for architects to start is PAS 1192-5, the BSI’s ‘Specification for security-minded building information modelling, digital built environments and smart asset management’ (available free from the BSI shop).
This gives guidance and steers BIM team members through the security measures that should apply to projects according to their sensitivity. It also indicates when the client should appoint a Built Asset Security Manager (BASM) to oversee data security.
Stage 0 is where data security needs to be thought through, and if it is a BIM environment then a BASM should be consulted (or must be, if the project is to meet BIM Level 2 requirements).
Back in your own office, Jones recommends the government-sponsored Cyber Essentials scheme, which takes the form of a self-assessment questionnaire to identify what cyber security and protection measures should be in place.
‘Cyber Essentials is about your own hardware and internal systems, taking you through an internal audit of your IT health. You can be assessed and join the Cyber Essentials scheme, although it can be a bit like marking your own homework,’ Jones cautions.
For the more committed – which includes Jones’s own Turner & Townsend – there is Cyber Essentials Plus, which involves an independent audit.
Thanks to Nathan Jones, Senior Project Manager (Technology), Turner & Townsend.
Text by Neal Morris. This is a ‘Practice News’ post edited by the RIBA Practice team. The team would like to hear your feedback and ideas for Practice News: firstname.lastname@example.org