E-Discovery

In-House Legal Security: Understanding the Threat Landscape

In-House Legal Joins the Security Frontlines

Many security-themed e-discovery blogs start out with a statement like, “Security has never been more important to the legal office.” While that’s true, it is both obvious and an understatement of what is really going on at the intersection of corporate data, cloud-based vendors, and legal operations.

The macro trends legal teams are experiencing touch every part of the legal job description. Senior legal executives are becoming part of the enterprise’s Governance, Risk and Compliance (GRC) function, paralegals must navigate data asset managers and data maps, and the purchasing process for legal software now includes IT signoff and, frequently, security audits. Add on top of that the explosion of electronically stored information (ESI), the liability organizations hold to protect consumer data, the changing privacy regulations, and the increased sophistication of attacks, and there’s a storm brewing over every legal department in the country.

Oh, and now that many of our companies are getting familiar with remote work and work-from-home, cloud solutions are becoming both more critical to the functioning of remote teams and more exposed to malicious security activity. Yikes.

Today’s Corporate Data Security Snapshot

We recently took a step back to do a landscape survey of the types of security threats legal teams and their IT counterparts are concerned about, as well as an overview of the security features cloud vendors offer to address the threats.

Phishing and account takeovers

This is the risk from outside malicious actors targeting individual users. One recent study found that phishing attempts increased 350% during the Covid-19 time period. If a phishing attempt succeeds, the malicious actor can log in to a user’s account with the user’s own credentials, effectively bypassing any firewalls or controls put in place to guard against unprovisioned use.

Data access

This is a general risk from any non-accredited, non-provisioned user accessing company data. The data accessed could be as small as one malicious actor logging in with stolen credentials or as big as a massive data breach. Basically, this is the catch-all bucket for “nobody but privileged users should see data, and even privileged users need fine-grained controls on which data they have access to.”

Shared infrastructure

This risk is introduced by technology architecture that places multiple customers’ data in one central location (either physical or virtual). The risk is that a breach for one customer might mean a breach for many, or that customer A’s data might be wrongly displayed to customer B. There have been some major embarrassments in the technology industry related to shared infrastructure.

Lack of transparency and lack of clear SLAs

This risk is introduced by vendors who are not willing to share their controls with their customers and clients. Lack of transparency puts customers in a position of not being able to actively control all the other types of security threats. If a vendor does not clearly state its policies, controls, or service level agreements for detected threats or intrusions, disaster recovery, or risk mitigation, customers can’t adequately develop business continuity and risk mitigation plans. In the event of a breach or disaster, the customer is in the dark, which is the last place a customer should ever be.

Lack of federated identity management

This risk is introduced when a user has multiple “user identities” without a single source of truth on who the user is and which systems the user is provisioned for. This risk is pronounced in the enterprise, where users have different role-based access to multiple systems, and the workforce change rate (exits, new hires, department changes, promotions, etc.) is high.

Malware

This risk is introduced when vendors don’t regularly update and patch their libraries or codebase, creating the risk that malicious actors exploit known or newly discovered weaknesses to inject code.

Data location

This risk is introduced by the cloud itself. One of the strengths of the cloud is the ability to store data in multiple locations, which addresses disaster recovery and business continuity needs, as well as the need for fail-over infrastructure, which ensures the vendor’s uptime SLAs can be met.

In addition, having data stored in multiple locations allows vendors to increase efficiency and performance of their applications. The risk is that different geographies and governments have different regulations and requirements, which introduces the possibility of a third party–including a governmental party–having access or granting themselves access through a jurisdiction claim. This risk becomes more complicated when considering that jurisdiction over data might be claimed for data in transit as well as data at rest, meaning that if your data is traveling over point B on its way from point A to point C, a government in point B might be able to see it.

Safeguard Your Data in the Cloud

Balanced against these threats, cloud vendors like us put security at the top of our priority list. This is a moral good–data privacy is equal to personal privacy, in my mind–but it is also good business. Cloud vendors know that a single security event that exposes customer data could put their business at risk.

Cloud vendors cannot control malicious activity–phishing attempts are on the rise, threats from within are real, and hackers are always trying to attack–but we can put safeguards in place both to mitigate risks and to control exposure. Primary safeguards include federated user management features like SSO, multi-factor authentication, and session control, as well as IP restrictions, session management, advanced encryption, and threat alerting. We can also ensure our multi-tenant architecture is set up so that, in the event of a breach, the risk is contained and controlled.
