Law Technology News
November 2000

Security Spotlight

How to Evaluate Security Functions of Internet Document Delivery Services

Identity fraud is a real danger. It is easier than you might think to impersonate others online.

By Neil Iscoe

On October 1, 2000, the Electronic Signatures in Global and National Commerce Act took effect, legalizing electronic signatures and electronically transmitted records and contracts in consumer transactions.

At the official signing President Clinton announced that the Act, which enjoyed overwhelming bipartisan support in Congress, will open new frontiers of economic opportunity. Observers also expect the Act to fuel the already strong economy by allowing electronic transactions to take place around the clock. The Act already seems to be fulfilling its promise: Every day, more Internet companies spring up to offer services that accommodate electronic transactions. Many of these new companies specialize in the delivery of electronic documents, providing security services such as encryption, private transmission networks and verification of the customer's digital identity.

Law firms are among the primary businesses targeted by these Internet delivery services, largely because firms have extremely high security standards when communicating with clients and opposing counsel. Also, many courts allow firms to file documents electronically, increasing the need for delivery channels that guard digital identities against impostors, prevent hackers from accessing the data during transmission, and ensure that the correct recipient receives the data. If you have been entrusted to find the right fit between your firm and an Internet document delivery service, you must be prepared to do some homework. Consider the following four issues as you scroll through Web sites, send e-mails and place calls:

1. Encryption Options

There are three primary approaches to sending secure documents: Secure Sockets Layer (SSL) encryption, "end-to-end" encrypted e-mail and third-party networks.

With SSL, a message is scrambled at its origination and is unscrambled when it arrives at its destination server -- before it is downloaded by the intended recipient. Although some providers re-encrypt the message on the server until the recipient opens it, there is always some period during which the message sits on that server in clear text.

SSL technology is best suited to situations like credit card transactions, where the information will be used when it reaches the server and will not be passed on to anyone else.

For sending confidential messages or digital packages from one user to another, however, SSL is not adequately secure.

By contrast, end-to-end encryption protects the message from appearing in clear text from "send" through "open." End-to-end encrypted e-mail is much more secure than SSL, but is still subject to the normal perils of e-mail transmission: delays, lost or misdirected messages, forgeries and interception by impostors.

The best answer is an end-to-end encryption system that avoids the normal e-mail infrastructure by transmitting through a third-party network. This combination is faster, more direct and more reliable than end-to-end alone. Additionally, messaging services that have their own network can verify the identities of their customers to provide a higher level of security.
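To make the difference between the three approaches concrete, the following added example (not code from the article or from eCertain) models the two delivery designs. Each "link" key stands in for an SSL session between one party and the relay server; the end-to-end key is shared only by sender and recipient. The stream cipher is built from an HMAC-SHA256 keystream purely for illustration and is a constructed stand-in for a real cipher such as AES-GCM.

```python
"""Added example: transport (SSL-style) encryption versus end-to-end
encryption through a relay server. The HMAC-based stream cipher below
is constructed for illustration only, not a production cipher."""
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC(key, nonce || counter) blocks, cut to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a forged or altered blob is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))


def deliver_over_ssl(sender_link: bytes, recipient_link: bytes, message: bytes):
    """SSL model: each hop is encrypted, but the server decrypts in between.
    Returns (what the server can read, what the recipient receives)."""
    on_wire = seal(sender_link, message)
    at_server = unseal(sender_link, on_wire)        # clear text on the server
    forwarded = seal(recipient_link, at_server)
    return at_server, unseal(recipient_link, forwarded)


def deliver_end_to_end(e2e_key: bytes, sender_link: bytes, recipient_link: bytes, message: bytes):
    """End-to-end model: the sender seals with a key the server never holds,
    and the sealed blob then travels over the same per-hop links."""
    inner = seal(e2e_key, message)
    on_wire = seal(sender_link, inner)
    at_server = unseal(sender_link, on_wire)        # server sees only ciphertext
    forwarded = seal(recipient_link, at_server)
    return at_server, unseal(e2e_key, unseal(recipient_link, forwarded))


def compare_models(message: bytes = b"Privileged: draft settlement terms") -> dict:
    """Run both designs with fresh random keys and report who could read the message."""
    sender_link, recipient_link, e2e_key = (os.urandom(32) for _ in range(3))
    ssl_server, ssl_recv = deliver_over_ssl(sender_link, recipient_link, message)
    e2e_server, e2e_recv = deliver_end_to_end(e2e_key, sender_link, recipient_link, message)
    return {
        "ssl_server_reads_plaintext": ssl_server == message,
        "ssl_recipient_ok": ssl_recv == message,
        "e2e_server_reads_plaintext": e2e_server == message,
        "e2e_recipient_ok": e2e_recv == message,
    }


if __name__ == "__main__":
    for name, value in compare_models().items():
        print(f"{name}: {value}")
```

Both designs deliver the message intact; the difference is the `at_server` value, which is the readable message in the SSL model and an opaque sealed blob in the end-to-end model. Routing that blob over the provider's own network instead of public e-mail, as the section recommends, changes nothing about the cryptography and only removes the delay and misdirection risks of ordinary mail.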

2. Identification of Registrants

Ms. A. Hacker wants to steal your sensitive files, but you're using end-to-end encryption on a third-party network. How can she do it? The easiest way is by impersonating you.

First, she signs up for an e-mail address in your name -- she can do this in a few minutes using any number of free e-mail services. Then she signs up for an account with your messaging service, again using your name and "your" e-mail address. Finally she sends out an e-mail, apparently coming from your real address, telling your colleagues and co-workers to send all sensitive documents to your "new" secure address.

Note that it doesn't take great hacking skills to accomplish any of this. How can you prevent Ms. Hacker from stealing your encrypted documents? The best way is to choose a messaging service that uses multiple steps to verify the identity of its customers.

Most services will at least send new customers a verification e-mail -- but in this case, Ms. Hacker would get that e-mail at her fake address, so she could easily "verify" that she is actually you.

A more thorough approach uses several different databases to cross-check information, such as tying identity into a physical business address or a telephone number. Here, Ms. Hacker would have to provide the real, verifiable address and phone number to go along with her fake name and e-mail address.

For an even higher level of security, ask if the messaging service would place a phone call to your publicly listed number, or if it would require a notarized copy of a picture I.D. if a database check proved inconclusive.
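The three levels of registrant checking described in this section, as an added example that is not code from the article or from eCertain. It applies each level to a legitimate sign-up and to the impostor sign-up sketched above. The directory, names, domains and telephone numbers are constructed sample data; a real service would query business-listing and telephone databases instead.

```python
"""Added example: layered registrant verification. All records are
constructed sample data standing in for the databases a service would query."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Listing:
    """A publicly listed business record for a person (constructed)."""
    name: str
    mail_domain: str
    phone: str


@dataclass(frozen=True)
class Registration:
    """What a prospective customer types into the sign-up form."""
    name: str
    email: str
    phone: str


# Constructed stand-in for the cross-checked databases.
DIRECTORY = {
    "Jane Attorney": Listing("Jane Attorney", "example-law-firm.test", "+1-512-555-0100"),
}


def email_only_check(reg: Registration, confirmed_mailboxes: set) -> bool:
    """Level 1: a confirmation link to the address given. Anyone who owns
    that mailbox passes, which is exactly the gap the impostor relies on."""
    return reg.email in confirmed_mailboxes


def cross_check(reg: Registration, directory=DIRECTORY) -> bool:
    """Level 2: the e-mail domain and phone must match the public listing
    for the claimed name, not merely be consistent with each other."""
    listing = directory.get(reg.name)
    if listing is None:
        return False
    domain = reg.email.rpartition("@")[2].lower()
    return domain == listing.mail_domain and reg.phone == listing.phone


def issue_phone_challenge(reg: Registration, phone_lines: dict, directory=DIRECTORY) -> str:
    """Level 3: a one-time code goes to the *listed* number, never to the
    number typed on the form. phone_lines models who answers each line."""
    code = f"{secrets.randbelow(10**6):06d}"
    phone_lines[directory[reg.name].phone] = code
    return code  # the service keeps this as the expected answer


def verify_registration(reg: Registration, presented: str, expected: str,
                        directory=DIRECTORY) -> bool:
    """Approve only when the record cross-check and the out-of-band code both pass."""
    return cross_check(reg, directory) and secrets.compare_digest(presented, expected)
```

Level 1 alone approves the impostor because she controls the mailbox she registered. Level 2 rejects her because a free-mail domain does not match the firm's public listing, and level 3 would still stop an impostor who copied the listed phone number onto the form, because the code is delivered to that listed line rather than to whoever filled in the form.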

3. Third-party Verifications

If you're reasonably sure of the security of your prospective messaging service, find out about its level of accountability. Many services offer time stamps and return-receipts, which can be invaluable if a party claims that an important e-mail was late, or worse, never received.

But they may not be enough. Sophisticated hackers can easily falsify (or delete) such verifications on a server because messaging technology is generally insufficient to protect against this type of internal fraud.

The best way for a messaging service to ensure the accountability of its operations is to have an independent auditing company conduct a Statement on Auditing Standards (SAS) No. 70 audit.

The SAS-70 is an auditing standard developed by the American Institute of Certified Public Accountants that was designed to build trust between a company and its customers by giving "reasonable assurance" that the company is continually providing the services it promises. The continuation of service is shown through multiple audits of the company's controls and technologies.

The SAS-70 relieves the customer of the responsibility to request or arrange an audit, and allows the company to avoid the strain of multiple audits.
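The concern raised above, that receipts stored on the provider's own server can be altered or deleted, is addressed by making the receipts tamper-evident and anchoring them with an outside party. The following added example (not code from the article or from eCertain) keeps each receipt chained by hash to the one before it and hands the current chain head to an independent party at the time it is produced; message ids and timestamps are constructed.

```python
"""Added example: a hash-chained receipt log whose head is anchored with
an independent party. Message ids and timestamps are constructed."""
import hashlib
import json
from dataclasses import asdict, dataclass, replace

GENESIS = "0" * 64


@dataclass(frozen=True)
class Receipt:
    seq: int
    event: str        # "sent", "delivered" or "opened"
    message_id: str
    timestamp: str    # ISO-8601, as recorded by the service
    prev: str         # digest of the previous receipt (GENESIS for the first)

    def digest(self) -> str:
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


class ReceiptLog:
    def __init__(self):
        self.entries = []

    def head(self) -> str:
        return self.entries[-1].digest() if self.entries else GENESIS

    def append(self, event: str, message_id: str, timestamp: str) -> str:
        """Append a receipt chained to the current head; returns the new head."""
        self.entries.append(Receipt(len(self.entries), event, message_id, timestamp, self.head()))
        return self.head()


def verify(entries, anchored_head: str) -> bool:
    """Recompute the chain from the start and compare with the head that was
    anchored outside the server. An edit, reorder, deletion or truncation fails."""
    prev = GENESIS
    for i, receipt in enumerate(entries):
        if receipt.seq != i or receipt.prev != prev:
            return False
        prev = receipt.digest()
    return prev == anchored_head


def tamper_demo() -> dict:
    """Anchor a three-receipt log, then try the manipulations the section warns about."""
    log = ReceiptLog()
    for event, ts in [("sent", "2000-11-01T09:00:00Z"),
                      ("delivered", "2000-11-01T09:00:04Z"),
                      ("opened", "2000-11-01T10:15:00Z")]:
        log.append(event, "msg-0001", ts)
    anchored = log.head()           # handed to the independent party at this moment
    intact = list(log.entries)
    backdated = intact[:2] + [replace(intact[2], timestamp="2000-11-01T09:00:05Z")]
    return {
        "intact": verify(intact, anchored),
        "receipt_deleted": verify([intact[0], intact[2]], anchored),
        "timestamp_altered": verify(backdated, anchored),
        "log_truncated": verify(intact[:2], anchored),
    }


if __name__ == "__main__":
    for case, ok in tamper_demo().items():
        print(f"{case}: {'verifies' if ok else 'FAILS verification'}")
```

The chain does not stop an insider from editing the server's copy; it makes the edit visible to anyone holding the anchored head, which is the property an auditor needs when checking the controls behind a receipt.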

4. Safety Nets

Assume that you find a messaging company that meets the exact needs of your firm. Now that you have the ideal situation, destroy it. Pretend there has been a natural or infrastructure disaster, and check out the safety net the company has established to deal with these worst-case scenarios.

Is there a secondary unit that will back up the existing firewall if that hardware fails? Are there secondary Internet connections and power grids? The messaging service should also be able to detail the physical security level that protects the server at its data center. What type of identification is required to access the server, and can an unaccompanied user get in? Is there 24-hour surveillance?

Finally, assume that every control has failed and your firm's sensitive data has been lost. What can the messaging service do about it? Ask whether there is a compensation program such as an insurance policy or internal reimbursement plan. Your law firm may never need to rely on such safeguards, but as more legal business moves to the Internet, e-security issues will begin turning into malpractice issues. These standards are likely to become the rule rather than the exception.

Neil Iscoe is the chief executive officer of eCertain, an Austin-based secure online document service.

Copyright © 2000 NLP IP Company. All rights reserved.