Law Journal Newsletters: Client document security audits: Is your law firm ready?

Recent high profile data breaches at law firms have led companies to increase scrutiny of their outside counsels’ cybersecurity “readiness.” International banks, major corporations, and government agencies are increasingly vetting the internal controls and security practices of legal document systems in particular and requiring extensive disclosures on compliance and information governance practices. It is essential for all law firms, however, to safeguard their clients’ documents against ever-evolving threats and thoroughly understand the security challenges and potential solutions in today’s demanding world of legal document compliance.

Client-driven security audits focused on such document security issues are causing sleepless “CIO” nights. This article not only focuses on some of these issues, but also the solutions available from modern cloud technologies.

Encryption Requirements

Taking into account the advances in cryptography in modern Document Management Systems (DMS) and clients’ increased demand for encryption to secure their documents, it would be irresponsible for law firms to continue storing and moving documents in internal networks in clear text format. Encryption at Rest Sensitive client information is at risk when it is left unencrypted at rest (that is, in storage). Surprisingly, many law firms today still have not implemented basic at-rest encryption in their traditional DMS due to cost, complexity, and lack of native support for encryption in traditional systems.

A limited number of firms have implemented this kind of encryption in a traditional, on-premises DMS. Many of these implementations, however, are based on ineffective hardware encryption methodologies (self-encrypting disks) or file system encryption. These methods are inadequate not only because they do not protect data from internal IT staff, but also because all internal network traffic between the DMS and the storage remains in clear text.

Many clients now require their law firms to store cryptographic keys in a Hardware Security Module (HSM), which is a purpose-built, advanced security container for cypher key storage. Major banks are not only encouraging HSM cryptography, but also requesting that the HSM be accredited to the Federal Information Processing Standard called FIPS 140-2 Level 3 with tamper detection circuitry.

Law firms should be aware that modern document systems today do provide HSM-based encryption with tamper detection circuitry for full encryption at-rest and in-transit within the internal network, capable of satisfying the strictest regulations.

Granular Cryptography

Instead of having a single crypto key for all content, a secure environment has a unique key per matter and per specific time period, implemented through key rotation. Granular cryptography protects against the risk of a total security breach should a single crypto key be compromised. Modern document technologies can provide law firms with granular cryptography supporting a unique AES-256 crypto key per document, which is further encrypted by a unique key per matter, and another unique key per time period.

Entropic Encryption

Encryption strength is critical in defending against attacks by nations. Government-sponsored hacks have prodigious computing power and are easily able to break into documents with weak encryption keys via brute-force trial and error. Secure cloud technologies provide entropic encryption using quantum physics technology for randomization as a main defense against such threats, satisfying the highest security standards. Case in point, NIST (National Institute of Standards & Technology) strongly recommends against generating encryption keys via weak software algorithms (referred to as pseudo-random number generators). Instead, NIST urges the use of strong technologies that rely on random, entropic natural phenomena, such as the photons in a laser beam.

Custody over Cryptographic Keys

International banks are demanding that firms obtain custody over encryption keys to stop their service providers from disclosing documents upon receipt of a subpoena. Furthermore, banks and other companies will soon want custody over such encryption keys themselves. “Silent subpoenas” issued against the service provider represent the greatest risk. They mandate document production and prohibit the service provider from disclosing the silent subpoena to the client. Cloud technology has evolved to the level of dual encryption custody, in which two separate organisations hold a unique entropic cypher key (or half of the key), requiring both organizations to work cooperatively to respond to subpoenas, rendering unilateral actions impotent.

Perimeter Defence

Perimeter defence must encompass distributed denial of service (DDoS), Web application firewalls (WAF), threat management gateways (for IPS and IDS protection), strong security policies, and best practices for managing ingress. The presence of a simple firewall is not enough. DDoS, for example, is a complex problem. Facing an average DDoS attack intensity of 48 gigabits per second, an Internet line of only 1 gigabit per second will be flooded with “garbage” beyond the ability of the DDoS technology to inspect the Internet packets. The inadequacy of most firms to have adequate perimeter defence is a serious concern. Fortunately, modern cloud DMS services are well equipped for DDoS and perimeter defences.

‘Protection Against Self’ and End Users

The highest level of risk in any organisation is posed by its own internal staff. Wall Street firms are increasingly asking law firms to eliminate the risk of their internal staff, especially IT staff having indiscriminate access to the firm’s documents. This requirement of “protection against self” will be more pervasive in the near future. Mitigation practices, such as segregation of duties and “need to know basis,” can help. These minimise the risk of internal nefarious actions that require collusion among multiple people.

For classified documents, however, segregation of duties is not good enough, and clients are increasingly requesting complete protection against internal staff acting under collusion. Law firms must anticipate this upcoming security standard and realise the near impossibility of implementing such protection on their own. How do you effectively protect against yourself if you are in control of the system? A viable solution for protection against the firm’s own IT staff is to deploy a technology with multi-custody entropic cryptography.

For mobile device document editing, security restrictions must be permitted for Microsoft Office applications to directly read and write files to the document management system, thereby eliminating the security risk of having documents locally stored, even temporarily, on tablets or phones, or on Microsoft OneDrive or Google Drive.

Underpinning this is clients’ expectations that outside council adopt a pessimistic security model for document access control, restricting every user to accessing only those matters that he or she is working on or those within a particular practice group.


Law firms and corporate legal departments are under significant pressure to do more with less and to be more agile with their technologies. Such pressures are even more evident when it comes to security and compliance so having a beyond base knowledge of threats and potential technology solutions afforded by most modern DMS systems is paramount.

Alvin Tedjamulia is NetDocuments’ CIO and an original co-founder. He frequently writes and speaks on topics of DMS security and world-class software-as-a-service and security-as-a-service delivery.

Click here to find out more about the Tikit and NetDocument partnership.

(Article written by Alvin Tedjamulia and republished with kind permission from NetDocuments)