June 19th, 2009 by Rian Gauvreau
For many attorneys contemplating the switch to a SaaS solution for their practice, the matter of security is chief among their concerns – especially given the critical importance of ensuring client confidentiality and data security. The challenge with security in the realm of technology is that it’s a tricky metric to measure in any sort of absolute way. Often, the specific weakness of any given system is only realized once it’s been compromised. So, if data security is so hard to evaluate, what’s a responsible attorney to do if they’re not an armchair security expert?
In this post we’ll outline four of the most important aspects of web security: SSL, Server Security, Client Security, and Password Security.
One important component of the security equation is a technology called SSL, which stands for Secure Sockets Layer. SSL is an industry-standard technology which enables secure online banking and secure e-commerce sites such as Amazon.com.
Perhaps the best way to understand how SSL helps keep confidential information secure is to understand how non-SSL-encrypted communications over the Internet work. As the figure below shows, if we request information from our bank – say, the balance of our bank account – in a non-SSL communication, both the request and response are received in plain text:
If we use SSL for this communication instead, the entire communication between your computer and your bank’s server is encrypted – if someone were to intercept or eavesdrop on your communications, they would look like random, unreadable data:
SSL is an extremely powerful technology, as it allows for completely secure communications even over public, untrusted networks. For example, thanks to SSL you can securely access your practice’s sensitive data, which is stored on Clio’s servers, while sitting in a Starbucks using a public Wi-Fi connection.
In a nutshell, if you’re accessing or sending sensitive information over the web, you should ensure the website you’re using supports SSL. How can you tell if a website uses SSL? Every web browser makes it easy by displaying an icon of a lock somewhere on its user interface:
While SSL helps secure communications between your computer and web sites, you also need to know the web site you’re communicating with is properly secured and not vulnerable to hackers. While it is hard for the average web user to assess this, there are services from companies such as McAfee that perform regular security audits on web sites to ensure server security.
Many secure and e-commerce websites have contracts with the world’s largest dedicated security company, McAfee, to perform comprehensive network security and vulnerability scanning on a daily basis. This continuous penetration testing and security scanning helps ensure your data is safe and secure from hackers. You can read more about the McAfee Secure designation here.
While SaaS has the advantage of outsourcing server-level security and backup to a third-party service provider, one often-overlooked part of the security equation is the security of the desktop or laptop you are accessing the SaaS application from. SaaS doesn’t obviate the need to ensure your desktop or laptop is properly secured with a firewall, anti-virus, and the latest security updates for your operating system and web browser. For Windows users, Google Pack offers free anti-virus, anti-spyware, and Google’s own web browser, Chrome.
To ensure data stored on your desktop or laptop remains private even if it’s stolen, you may want to look at installing TrueCrypt, a free tool which will encrypt the entire contents of your hard drive.
Finally, security also encompasses password security. The best SSL encryption and client/server security can all be undone by the choice of a weak password. Be sure to choose a secure password for any website you’re using, and try to avoid using a given password for more than one website. Microsoft has a good resource on choosing passwords here. A great free password generator and manager is PasswordSafe.