Security Within a Multinational Firm
By Bill Onwusah
LAWYERS deal, on a daily basis, with paper-based information that is confidential and commercially (and sometimes politically) sensitive. While attorneys readily accept security restrictions when handling paper, they may not be as confidentiality-conscious in their electronic dealings. Mention the words electronic security to lawyers and techies and eyes begin to roll. Everyone knows that security is important, but the practicalities tend to be difficult and jargon-laden.
But as browser-accessed databases become a global reality, lawyers must become more security savvy.
Today, Internet-based information can be accessed freely, including from non-legal environments such as Internet cafés. The move from databases stored on a standalone PC to databases accessed via the Internet has been characterized by an increase in the number of potential access points to our systems -- especially as our legal teams have become larger.
Additionally, external users (such as clients, counsel and experts) have arrived on the scene. More importantly, the legal teams have become global and they want their databases to be accessible anywhere at any time.
This has raised all sorts of security issues relating to access. Lovell's response has been to look for ways to prevent people from accessing inappropriate information.
This might appear to be at odds with the technology department's role within the firm -- which has been to increase and improve access to our litigation support databases for teams working within our buildings. The reality is that we are dealing with different sides of the same coin.
The range of products that we use shows that there is no single correct way of implementing database security, and indeed different products emphasise different aspects of security.
We have a series of organizational infrastructure security controls that are common to both of our database programs. These include intruder protection, firewalls, direct connections (dial-up modems, frame relay links, and virtual private networks) and audit trails.
First, a bit of history. Lovells was created in 2000, with the merger of Lovell White Durrant and Boesebeck Droste. We are the fourth largest law firm in Europe, and the eighth biggest in the world. We operate in 26 cities, and have about 315 partners, 858 lawyers and 1,920 non-lawyer staff worldwide.
We are a PC-based law firm and is near the end of a firm-wide rollout of Microsoft Corp.'s Windows 2000 and Office XP. Time recording is via Carpe Diem (from Best U.S. Holdings Inc.) and our document management system is DOCS Open Version 3.9, from Hummingbird Ltd.
Back to security. Let's look at two products in use at Lovells, which deal with the problem of security in different ways.
First, we have been using a litigation support system called JFS Litigators Notebook (from Bowne & Co. Inc.) for some years at Lovells. A U.S.-derived product, its key attraction to us was that it allowed users access to our databases anywhere in the world.
The system allows our many legal teams to collaborate in a shared forum and work on a combined work product.
For example, we received a request for access to a database of evidentiary documents from teams of lawyers working in our New York, Chicago and London offices. By detailing our security architecture to our clients, we assured them that we had addressed their security concerns and that we could proceed.
We opted to have individual replicas of the database loaded on the hard disk of the lawyers' computers and we established "computer to server" links between the various PCs and the London JFS server. A central copy of the database was stored on a JFS server in our London office.
We were able to advise the clients that as JFS was designed to be used both by users connected to a network and by users either temporarily or permanently unconnected to a network, it had several integrated security features. Unlike many litigation support systems, it is not overly reliant on network operating system security features such as password protected network logins.
JFS uses a unique password-protected ID file and users must prove their identity each time they attempt to access a JFS database or server. It offers strong access control features. Only explicitly named users have access to JFS servers and databases.
We only use direct, private-line connections -- for example, frame relay links or dial-up modem connections -- for replication. Replication is the process that synchronizes copies of databases and ensures that everyone is looking at the most current data. For additional security, all data transmission is encrypted. This means that the data is scrambled and is unintelligible to would-be eavesdroppers.
We were conscious that each time we created a replica of a database we also increased the threat of data misuse. We were therefore careful to limit the number of replica databases that we created, and we protected those that we created by encrypting them with the authorized user's I.D. file, thereby limiting access to the authorized user only.
Several security concerns must be addressed to keep our internal JFS infrastructure secure. You may be familiar with the concept of a firewall. A firewall can consist of software, hardware or a combination of both and is a system that provides some form of access control between two networks, generally a company's private network and the Internet. Every packet of data that leaves or enters a private network is examined and, based on a set of predefined rules, it determines whether or not that particular packet of data is allowed into or out of the network.
We have used the same principle in designing our JFS infrastructure. Our firewall JFS server is used to store databases used for replication by our external users. Only Lovells users are given access to our central JFS server however, and this server is inside our private network.
Often applying security to a system adds a layer of complexity making the system difficult for users to operate. Our goal has been to work towards a security architecture that is as transparent as possible to the end user yet is effective in its denial of all unauthorized access.
Recently, we have been looking at another litigation support system called Ringtail, from Australia-based Ringtail Solutions Inc., which has similar functionality to JFS, but is designed specifically to work over the Internet via an Internet browser.
The architecture of the product is also different to JFS, based as it is on Microsoft databases and standards rather than JFS' use of Lotus-based standards.
The Ringtail servers are located in a physically secure environment within a dedicated server room. Access to this room is limited to members of the Lovells group running the software, and to selected individuals within the Lovells technology department.
Every time a user logs into Ringtail, a Unique Session Identification (UID) is issued both to the Web server and to the user's PC. This identifies the user. Without a UID you cannot access information on the system. After logout, the UID is discarded. This means users have to re-identify themselves each time they access the system.
There are six default categories of user logins, from "administrator" with the most privileges, to "read-only," which allows users read-only access to document lists.
Users cannot see a case unless they are a member of that case's group of users, or look at a folder if the folder is categorised as private and they are not an owner or member of a group with access rights to it. This form of blocking removes the temptation from users to try and access something to which they have no rights.
Once access has been granted to the database, an auditing system takes over which details the user's document history, case audit trail, log of most visited documents and log of database changes. This is similar to the audit trail of server activity found in JFS.
At the operating system level, Ringtail will run on either Windows 2000 or Windows NT, each with their own systems of login and encryption. Windows allows groups of users to be set up, with rights of access to information tightly controlled. This is similar to access control in Ringtail and JFS.
An effective security policy does not rely just on the security afforded by a single product. An efficient security umbrella is the result of security produced by individual products, such as databases combined with the security produced by products that are actually designed to protect the firm such as a firewall.
The consequence of a correctly implemented security policy is that it acquires a resilience and synergy of its own, because the degree of protection provided by such a policy is far greater than the sum of its parts.
Finally, we arrive at the age-old question, "How much security is enough?" One simple answer is, "Security is acceptable when lawyers and clients are satisfied that their data is safe."
Some clients are more easily satisfied than others, depending on the sensitivity of the information in question. Ultimately, the systems that we use and the security policies that we implement need to be robust and flexible enough to deal with all contingencies.
Bill Onwusah is litigation support department manager for Lovells, based in London.