Why Should I Use Security Features in Project Management Software?
The level of security built into your project management software dictates how safe your project will be. This encompasses the integrity and confidentiality of your data, as well as the security of the infrastructure and the stability of your network.
Too little security can open you up to hackers and scammers. But too much security can restrict your own team from accessing the information they need. In one Professional Services Survey Report, 60% of leaders agreed that data security concerns keep their teams from being flexible and building better relationships with customers.
Striking the right balance can be challenging, especially with the rising concerns around cybersecurity. Between March 2017 and 2018, there were 2,216 data breaches and more than 53,000 cybersecurity incidents reported in 65 countries. To make matters worse, those numbers are only expected to rise this year.
These concerns make it critical that you select the appropriate project management software security.
Key features of project management software security
The best project management software includes security features that protect the safety and integrity of your data without making it onerous for approved users to gain access. The security settings should be flexible and customizable enough that you can align them with your company’s own security procedures, processes, and protocols, but robust enough to address industry-recognized threats to your data.
There are 5 areas of security that you should assess when selecting project management software:
- Physical security
- Network & system security
- Application security
- Customer support policies
- Security compliance standards
Physical security
Physical storage security covers where and how your data is stored. Different states and countries have very specific data-security compliance laws. If you operate in a different location (state or country) than the one where your data is stored, the security laws of the storage location might not match your own requirements or the legal commitments you have made to your customers.
It’s important to ask where the project management software company stores its data and make sure the security standards at the storage facility are up to date and independently validated. You should also ask about the physical protection of the storage facilities. For instance, do they have 24/7 manned security, power backup systems, physical access controls, smoke and fire alarms, and digital surveillance systems?
Another aspect of physical security is how often your data is backed up. If a server crashes or a breach occurs, you want to know your data won’t be lost.
Look for a project management software vendor that provides near real-time replication. This feature will ensure your data is backed up and available on redundant and geographically dispersed servers. A full backup should be performed on a daily basis, and the data should be stored encrypted in an environment physically separate from the primary servers to ensure fault tolerance.
Network & system security
Network protection procedures — such as network segregation using VLANs, firewall, and router technologies, intrusion detection and prevention systems, centralized log aggregation, and alert mechanisms — should be standard for your software provider. All these systems should be overseen by dedicated and experienced security teams.
You also want a project management software provider that ensures secure connectivity, including secure channels and multi-factor authentication for systems operations personnel. These precautions allow your provider to prevent, detect, and promptly remediate the impact of some network attacks if they do occur.
Look for software that has a documented process of regular updates and patch management. You should also ask how frequently the vendor performs internal network security audits so they can spot and fix weaknesses early. When it comes to data security, a quick and proven response is the difference between danger and disaster.
Uptime is the time during which a computer is operational, meaning that no key functions are unavailable, and it’s one of many useful ways to assess a provider’s infrastructure security. High uptime means a company is stable, secure, and experienced in the delivery of customer-facing services. Ask what the vendor’s uptime is to determine their security reliability, and look for one with a historically proven record of 99.9% uptime or higher.
Application security
Application security encompasses all of the features within the application that help ensure your project data stays safe. These features fall into 5 categories:
- User authentication
- Data sharing & role-based access control
- Monitoring user activities
- Project management software data encryption
- Mobile applications
User authentication
Your chosen project management software should support multiple methods of federated authentication, including Google OpenID, Azure, Office 365, ADFS, SSO, and SAML2. Federated authentication lets employees sign in to your software securely without having to use a second, separate login and password.
Other authentication features to look for are customizable password security settings and 2-step verification.
Within the password settings of your project management software, you should be able to customize the following:
- Password strength settings, such as minimum password length, not allowing passwords to include the user’s first or last name, the number and type of characters used, etc.
- Password expiration settings dictating how often users need to change their password.
- Password history settings specifying how often a user can reuse the same password after they’ve made a change.
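The three setting groups above can be enforced in one place at password-change time. This is an added example (not code from the original article or any vendor); it assumes a `Policy` and `User` shape of its own and uses SHA-256 only as a stand-in for a real password hash.

```go
package main
import (
	"crypto/sha256"
	"strings"
	"time"
	"unicode"
)
// Policy holds the three configurable setting groups described above.
type Policy struct {
	MinLength    int           // strength: minimum length (mixed character types are always required)
	MaxAge       time.Duration // expiration: how long a password stays valid
	HistoryDepth int           // history: how many previous passwords may not be reused
}
// User holds name parts, when the password was last changed, and hashes of earlier passwords
// (newest first). SHA-256 stands in here for a real password hash such as bcrypt or Argon2.
type User struct {
	FirstName, LastName string
	LastChanged         time.Time
	History             [][32]byte
}
func hashPw(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

// Validate returns every policy violation for a candidate password; empty means acceptable.
func Validate(p Policy, u User, pw string) (problems []string) {
	if len(pw) < p.MinLength {
		problems = append(problems, "shorter than the minimum length")
	}
	lower := strings.ToLower(pw)
	if (u.FirstName != "" && strings.Contains(lower, strings.ToLower(u.FirstName))) ||
		(u.LastName != "" && strings.Contains(lower, strings.ToLower(u.LastName))) {
		problems = append(problems, "contains the user's first or last name")
	}
	var up, lo, dg, sy bool // character types present: upper, lower, digit, symbol
	for _, r := range pw {
		up, lo, dg = up || unicode.IsUpper(r), lo || unicode.IsLower(r), dg || unicode.IsDigit(r)
		sy = sy || !(unicode.IsLetter(r) || unicode.IsDigit(r))
	}
	if !(up && lo && dg && sy) {
		problems = append(problems, "needs upper, lower, digit and symbol characters")
	}
	for i, old := range u.History { // history: only the newest HistoryDepth entries count
		if i < p.HistoryDepth && old == hashPw(pw) {
			problems = append(problems, "reuses a recent password")
		}
	}
	return problems
}
// Expired reports whether the user's current password is older than the policy allows.
func Expired(p Policy, u User, now time.Time) bool { return now.Sub(u.LastChanged) > p.MaxAge }
```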
2-step verification (also called two-factor authentication or 2FA) provides an additional layer of security to the sign-in process. In addition to a username and password, you have to enter a time-sensitive verification code to gain access.
If some of your team members are using applications that do not natively support 2-step verification, make sure your software supports using one-time passwords instead. Otherwise, those users will find themselves locked out.
Your project management software should also let you use network access policy settings to add approved IP addresses and IP subnets for additional application security. With this feature enabled, users can only log in and access your software from those locations. If you have remote users, make sure you select a tool that allows mobile users and other collaborators to log in from any IP address.
Data sharing & role-based access control
Data sharing and role-based access specify who can access what data within project management software. A project administrator should be able to assign different roles and permission levels to each user to control what they can read and edit.
These features allow you to set up selective sharing within the software. This ability ensures that sensitive information is only accessible by those who need it and not everyone who has software access.
With discrete role-based permissions, you can segment project data and manage who sees what within the software. Plus, you can control how people interact with a project. For instance, team members can be granted full editing powers, only be able to change certain things like titles, or be allowed to view but not edit.
You can also offer guest reviewer capabilities that allow external stakeholders to provide feedback and approvals. The benefit of this is that feedback on client submissions can be provided directly on the document, while you maintain control of third-party visibility and permissions.
Another data sharing security feature is invitation settings. Invitation settings allow you to control who can invite new users to use your software. You can also limit who can be sent an invite. For instance, you can require that invitees have a specific email domain. Plus, you can determine what type of licenses users can grant when they invite someone.
Monitoring user activities and reporting
Even with user authentication and restricted data sharing, it’s important that you can monitor what is occurring within the software on a regular basis. Look for project management software that provides full reporting functions with up-to-date account activity information, including authentication events, changes in authorization and access controls, shared folders and tasks, and other security activities.
Access reports enable you to see which users have access to folders, projects, and tasks. They can also show you any tasks with attachments that external guest users have been invited to review.
Project management software data encryption
Your project management software should protect data in transit with at least transport layer security (TLS) 1.2, preferring AES 256-bit encryption in CBC mode and a 2048-bit server key, when accessed from modern browsers.
While this sounds complex, all it means is that when you access your software via a web browser, mobile applications, email add-in, or browser extension, the TLS technology protects your information using both server authentication and data encryption.
This level of encryption security is equivalent to network security methods used in banking and leading e-commerce sites. All users’ passwords, cookies, and sensitive information are reliably protected from electronic eavesdropping.
User files uploaded to servers via both web application and API are automatically encrypted with AES 256 using per-file keys. The encryption keys should be stored by the vendor in a secure key vault, which is a separate database decoupled from the file storage layer.
With this encryption, even if someone gained physical access to the file storage, the data would be unreadable without the keys held in the separate vault.
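The file-storage design described above, as an added example rather than code from the article or any vendor: each upload gets its own random 256-bit key, the ciphertext lives in one store and the key in another, and decryption needs both. It assumes an in-memory map as a placeholder for a real key vault and uses AES-256-GCM (an authenticated mode; the page does not specify the file-layer mode).

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)
// FileStore holds only ciphertext: this is all someone with storage access would see.
type FileStore struct{ blobs map[string][]byte }

// KeyVault is a separate store with one random 256-bit key per file, keyed by file ID.
// Assumed for this example; a real deployment backs it with an HSM or managed KMS.
type KeyVault struct{ keys map[string][]byte }

func NewFileStore() *FileStore { return &FileStore{blobs: map[string][]byte{}} }
func NewKeyVault() *KeyVault   { return &KeyVault{keys: map[string][]byte{}} }

// Upload encrypts the file with a fresh per-file key (AES-256-GCM), stores the ciphertext
// in the file store and the key in the vault, so neither store alone reveals the contents.
func Upload(fs *FileStore, kv *KeyVault, id string, plaintext []byte) error {
	key := make([]byte, 32) // 256-bit key, generated per file
	if _, err := io.ReadFull(rand.Reader, key); err != nil { return err }
	block, err := aes.NewCipher(key)
	if err != nil { return err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return err }
	// The file ID is bound as additional data, so a blob cannot be silently swapped between IDs.
	fs.blobs[id] = append(nonce, gcm.Seal(nil, nonce, plaintext, []byte(id))...)
	kv.keys[id] = key
	return nil
}
// Download needs both stores: the blob from the file store and the matching key from the vault.
func Download(fs *FileStore, kv *KeyVault, id string) ([]byte, error) {
	blob, ok1 := fs.blobs[id]
	key, ok2 := kv.keys[id]
	if !ok1 || !ok2 { return nil, errors.New("missing ciphertext or key for " + id) }
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(blob) < n { return nil, errors.New("blob too short") }
	return gcm.Open(nil, blob[:n], blob[n:], []byte(id)) // fails on any tampering
}
```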
Mobile applications
It’s important to have mobile access to your project management software so that your team can access it no matter where they are. However, mobile apps come with their own security concerns.
Any mobile apps should have all of the security functionality built into your project management software, such as password and data sharing restrictions. Plus, mobile apps need additional security features such as encryption at rest, certificate pinning, checking against rooted/jailbroken devices, and application-level protections using a PIN code or fingerprint.
Customer support policies
When contacting customer support, it’s important to know that your vendor has strict policies on how to verify your identity and help you access your account, as well as how and when they can access your data.
Ask vendors to share their policies around escalation, management, knowledge sharing, risk management, and day-to-day operations. They should have strict policies in place to limit access to customer data to employees with a job-related need.
Their policies should also allow you to dictate when and how they see your data if you find their basic policies don’t meet your security requirements for sensitive information.
Security compliance standards
There are security compliance standards that any reputable software vendor should adhere to. These include:
- ISO/IEC 27001:2013 certification
- SOC2 Type II
- ISAE 3402 (Europe)
An ISO/IEC 27001:2013 certification demonstrates that the vendor has a complete security framework and a risk-based approach to managing information security. ISO/IEC 27001 is the only internationally recognized standard for the establishment and certification of an information security management system (ISMS).