Don't Take Collaboration Security for Granted
In the past, lawyers generally took for granted that their work product was secure. Lately, this notion of taking security for granted has started to fall apart, and attorneys are starting to worry about the security of their work product (while at the same time pushing to get closer to the client). Nowhere has this need for security become more evident than in the realm of intranets and extranets.
Intranets and extranets both, by definition, have the following features in common:
- Rely on TCP/IP - for connecting two or more parties to share the information
- Share information - the purpose for their existence
- Identify and control access for authorized personnel - to preserve the confidentiality and integrity of the information
These common features, when brought into the legal arena, present some interesting challenges to both attorneys and IS departments given the current risk and regulatory landscape.
Rely on TCP/IP
Starting with the basics, the purpose of the TCP/IP protocol in the intranet/extranet arrangement is to allow multiple devices to communicate with the hosting server or servers. This protocol, working in conjunction with the hosting server, works to break down the information being transmitted between the requesting device and the hosting server (bi-directionally) into chunks that are sent across one or more networks which connect the two.
The risk in this arrangement centers on the fact that the path between the two devices may (and often does) traverse one or more networks that are untrusted and may host malicious or nefarious people or devices. How do you protect information using this transport protocol?
Probably the most common approach to protecting information being stored or transmitted from nefarious systems or personnel is to encrypt the data prior to transmission or storage. There are numerous technologies capable of performing this task; however, the following seem to be the de facto standards:
SSL Encryption. Secure Sockets Layer (SSL) encryption technologies have been around for quite some time. They essentially extend the Hypertext Transfer Protocol (HTTP), which is used over TCP/IP to communicate the chunks of information between the two devices, to include capabilities to encrypt the chunks using strong, certificate-based encryption technologies. SSL is very mature and is ubiquitous among Web browsers; however, it does require a trusted root certificate.
Root Certificate Provider. Given that SSL relies on a certificate to encrypt and decrypt the data, a root certificate authority must be available to validate the certificates being used. Many of these certificate authorities are, by default, set up in mainstream Web browsers making this process easy for both the sender and receiver, and they must be considered when implementing SSL technologies.
In addition to the above de facto standards, the following technologies can also play an important role in a best practice, well-secured intranet/extranet system:
Database Encryption. In most cases, the information being shared over TCP/IP is stored in a database. While this information is not in transit, it is at risk from TCP/IP-based attacks, which, if successful, would allow information to be inadvertently released. To manage this risk, database encryption technologies have become very popular. These technologies encrypt the data and decrypt it only when a well-formed, authorized and successful request is executed by the database system.
Web/Database Server Tunnel. In virtually every case, the system hosting the intranet/extranet setup is not operating independently. In fact, there are usually several systems required in order for it to work at all. While these systems play different roles, usually relying on TCP/IP to communicate, they can also be targets in a successful Web-based attack and, as a result, should be protected. The final and often overlooked step that can be taken to manage the risk of TCP/IP-based attacks requires setting up an encrypted link between the system hosting the intranet/extranet and that which actually stores the information being shared. While this may sound complicated or difficult, it is fairly straightforward with IPSec VPN technologies freely available from both commercial vendors and open source vendors.
Unfortunately, the risks stemming from TCP/IP are numerous, but these risks can be managed by using common technologies which are widely available in today's commercial and open source marketplace.
Share Information
The "widget" that lawyers produce is information, which can take many forms. In the intranet/extranet framework, this information is usually stored on a system along with many other pieces of information making the intranet/extranet server essentially a multipurpose device. Furthermore, this information is shared via Web server software using the TCP/IP transport described above to move the information between the host server and requesting workstation.
The risk in this arrangement centers on the information itself. The question needs to be asked, "If this information were to be made publicly available, would there be any negative effect or consequences?" If the answer is yes, then the information itself needs to be categorized, grouped and identified, and steps must be taken to protect this information from an unplanned disclosure, either inadvertently or to an aggressive, but unintended, recipient.
Probably the most common approach to managing intranet/extranet information in law firms centers on one of two strategies:
Document/Records Management Systems. Integrating D/RMS systems with portal technologies has become more mainstream. These integrations extend D/RMS system security into a portal arrangement, and, in doing so, facilitate the technical aspect of secure collaboration via an intranet/extranet. However, without a culture where the information is categorized, classified and identified, the risk remains.
Records Program or Custodian. Law firms have begun to recognize that information has value and must be protected, and furthermore, not protecting this information has negative consequences. Firms have begun developing records management processes and identifying a point of contact who drives this effort. Given the residual risk, one best practice is to have a records manager or custodian review information prior to its posting to the intranet/extranet, forcing the categorization, classification and identification process which generally reduces the risk to an acceptable level.
However, integrating either one of these strategies into an intranet/extranet is easier said than done, both technically and culturally. The key driving force in determining which information to share and with whom generally originates with the client, and each client usually wants slightly different sets of information presented differently.
Identification/Access/Authorization
The final and often not well-structured component of intranets/extranets is the process by which information being shared is linked to those who need access to it. This process is often tedious, making it a likely candidate for being generalized or ignored, but it may also be the one which makes the difference between a successfully secured intranet/extranet and one that is not.
Now that the information is shared on a system that fosters communication between the lawyer and client, it becomes important to know who is accessing this system and what they are doing with this information. The risk centers on preserving the confidentiality and integrity of the information. One must uniquely identify the person publishing and reviewing the information, and one must describe and enforce, by policy if at all possible, what can be done with the information. While this may sound tedious, there are technologies to help, including:
Identification/Authentication. There are many ways to identify and authenticate a user to an intranet or extranet. While the most common method includes SSL-based username/password authentication sequences, there are others which afford greater levels of security, such as two-factor authentication for highly secured systems. Most portal software packages provide several means of identifying and authenticating a person to a system, at least one of which should be employed in an intranet/extranet system.
Authorization. Given the identification/authentication paragraph above, it would be safe to assume that the person or entity requesting access to the information being shared on the intranet or extranet is known. It is critical that they only be given access to the information they require and only have the ability to manipulate the information as necessary. This authorization process is usually accomplished by the use of groups within the portal and/or D/RMS system in conjunction with these groups' specific permissions assigned both in terms of portal page access as well as information access.
While the processes of identification/authentication and authorization are slightly more abstract and are a bit less tangible, they are not necessarily more complex to select and implement. Furthermore, technologies such as identity management and single sign-on hold great potential for further simplifying this process and should be considered for future implementation. The key, however, in managing this risk is collecting, reviewing and preserving (for a period of time) audit logs demonstrating who accessed what, when and with which policy. It may mitigate or eliminate a call to the authorities or your insurance company when bad things happen.
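The group-based authorization and audit logging described in the two paragraphs above, sketched in Python as an added example (not code from this article or from any portal or D/RMS product). The group names, users, matter and policy identifiers are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample data: group membership (hypothetical users and groups).
GROUPS = {
    "client-acme": {"jdoe@acme.example"},
    "matter-1001-team": {"asmith@firm.example", "bjones@firm.example"},
}
# Constructed policy: resource -> policy id plus the actions each group may perform.
POLICIES = {
    "matter-1001": {
        "policy_id": "P-1001-v2",
        "grants": {"client-acme": {"read"}, "matter-1001-team": {"read", "write"}},
    },
}
AUDIT_LOG = []  # a real system would use an append-only store with a retention period


def authorize(user, action, resource, now=None):
    """Deny by default; allow only if one of the user's groups grants the action.
    Every decision, allow or deny, is written to the audit log."""
    policy = POLICIES.get(resource)
    user_groups = sorted(g for g, members in GROUPS.items() if user in members)
    via = []
    if policy:
        via = [g for g in user_groups if action in policy["grants"].get(g, set())]
    AUDIT_LOG.append({
        "when": (now or datetime.now(timezone.utc)).isoformat(),
        "who": user,
        "what": resource,
        "action": action,
        "policy": policy["policy_id"] if policy else None,
        "groups": via,
        "decision": "allow" if via else "deny",
    })
    return bool(via)


def denied_attempts(log):
    """Review helper: number of denied requests per user."""
    counts = {}
    for entry in log:
        if entry["decision"] == "deny":
            counts[entry["who"]] = counts.get(entry["who"], 0) + 1
    return counts


if __name__ == "__main__":
    authorize("jdoe@acme.example", "read", "matter-1001")   # client may read
    authorize("jdoe@acme.example", "write", "matter-1001")  # client may not write
    print(json.dumps(AUDIT_LOG, indent=2))
```

Each log entry records who requested what, when, and under which policy, so a reviewer can later reconstruct both granted and refused access.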
All Secure
The use of intranets and extranets has widely become a basic expectation from our client community. This expectation is both reasonable and practical given the geographic diversity of our lawyers and clients. Along with this expectation of service comes an expectation of security and privacy, which falls squarely on the shoulders of those who support the underlying technology. The process of securing these intranets and extranets involves several steps and includes cultural changes. Ultimately, it will help meet or exceed your clients' expectations. At the same time, these steps will help manage the risks associated with communicating this information that your firm accepts in so doing.
About our author . . .
Adam Hansen is Manager of Information Security at Sonnenschein Nath & Rosenthal LLP, where he is responsible for all information security, including setting policy, risk management, product selection and implementation, investigation and crisis management. He holds numerous certifications and sits on a variety of boards dedicated to the improvement of the practice of information security. He can be reached at ahansen@sonnenschein.com.