«Secure use of the BIM360 cloud service, made possible by appropriate measures»
A careful balancing of some of the risks associated with BIM360 services, and a look at some of the measures available to enable their safe use.
To quote Autodesk, “Security is at the core of BIM 360”, a claim backed up by their industry-standard SSAE-16 AT 101 SOC 2 attestation as well as ISO 27001, ISO 27017 and ISO 27018 certifications.
Powered by Amazon Web Services (AWS), it certainly ticks all the boxes to ensure confidentiality, integrity and availability, with a complete and long list of security controls that we would expect of the market leader (AES-256 encryption, access control, physical data center security, disaster recovery, OWASP vulnerability scans, external audits and much more).
So why would any reputable customer flinch at jumping into bed with them, or even have the audacity to question their excellence? Simply put, because of one little word: “privacy”. What and who can really assure us that our “privacy” is being respected?
Two elements of privacy are of particular concern for a French / European company: personal information and company intellectual property. We will look at each in turn.
Personal information, or personally identifiable information (PII), is any information relating to an identifiable person, and the legalities of its governance were laid out in a Europe-wide law called GDPR, implemented on 25 May 2018. This caused many companies to radically change the way they handle PII, and in particular the considerations for cloud services where they store their data. The Schrems II decision, in July 2020 at the Court of Justice of the European Union (CJEU), invalidated the previous ruling (2016/1250) on the adequacy of the protection provided by the EU-US Data Protection Shield. The data privacy shield was one of the biggest mechanisms used by big multinational American companies (like Facebook, Google and of course Autodesk) to transfer PII from Europe and store it in the USA. Autodesk and others could fall back on the use of standard contractual clauses (SCCs) for these purposes; however, the spotlight was turned back on Europeans' PII.
Let's now look at company intellectual property. For some companies this is considered their most valuable asset, and its secrecy is their most highly guarded concern (such as the Coca-Cola recipe or perfume formulas). In some cases it's so secret that it's not even written down in full: multiple people each hold only parts of the information, and it certainly would never be entered into IT systems, let alone a cloud.
Many companies must balance the advantages that cloud-based technologies can provide with the risks they can present (in this case in terms of exposure of confidential company information). Cloud computing can provide competitive advantages through cost savings, availability, accessibility, throughput, speed, increased functionality and much more. Palantir, a public American software company that specializes in big data analytics (also based on AWS), makes heavy use of cloud services and has become the market leader in what they do. They boast a long list of customers, ranging from security agencies (NSA, CIA and FBI) to every sector eager to exploit the benefits of “business intelligence” (financial services, automotive, aeronautics…). The gains are often seen to largely outweigh the security concerns, and many companies upload terabytes of their data, often representing the large majority of their know-how and operational processes. In most cases the administrative and security measures available are quite capable of mitigating the risks identified by most companies, if set up and operated correctly.
Back to specifics: where are BIM360 services hosted?
BIM 360 Docs, BIM 360 Glue and BIM 360 Field: cloud servers are in the USA and the Republic of Ireland (depending on whether your account is on the US or EU server). In this context, for the EMEA server, the information falls under EU GDPR rules.
BIM 360 Team: USA
Revit cloud collaboration: the main server is hosted in the United States; however, cloud collaboration utilizes Amazon CloudFront (with multiple European hosting sites for local information caching).
If your services and data are in the USA you may need to look at SCCs, but even if you are fully hosted in Europe you can be assured your data is kept confidential and accessible only to those you want to have access.
All files uploaded to BIM 360 are stored in the cloud on encrypted storage. The storage solution uses 256-bit Advanced Encryption Standard (AES-256) encryption, which is the state-of-the-art standard. Network traffic containing sensitive information, such as credentials and session tokens, is transmitted encrypted using Transport Layer Security (TLS).
It's important to understand the company's constraints before embarking on a cloud-based solution such as the BIM 360 suite, so as to ensure the technical and administrative measures are implemented correctly, and in doing so to effectively enable the end goal, which is exploiting the added value these solutions offer.
For more information see the BIM 360 Security Whitepaper.