A Primer on Data Security: Online, On Your Server and in Your Office
March 31, 2016
Law firms will continue to adopt technologies that support efficient practice management and provide the capability to store extensive amounts of data. Be sure to secure that data online, on your server, or on office hardware.
As an attorney, you know the importance of maintaining the privacy of your clients’ privileged information. You probably believe your data to be fairly secure. But there are many ways in which data security may be breached, and you may discover that at least one aspect of your computer security is lacking. Fortunately, it can be easily strengthened with the proper measures.
Most passwords that are easy to remember are also weak. Moreover, it is a bad idea to use a single password to access multiple sources of sensitive data. Therefore, any password, or even system of passwords, that you are able to hold in your head is probably not very secure.
Some people striving for password security devise a system that varies passwords from site to site using some additional variable. For instance, they might decide on a string of random characters (say, “3&Hqn!”) to which they add the first three letters of the website's domain name. Thus, someone's password for Gmail might be “3&Hqn!gma”, and for Facebook, “3&Hqn!fac”. Each individual password is strong, but the pattern would be immediately obvious to a hacker.
Instead, you need strong, random passwords that are never used for more than one source of sensitive data. A password is virtually uncrackable by modern computers if it: 1) is random; 2) is at least 12 characters long; 3) contains no dictionary words; and 4) contains at least one each of uppercase letters, lowercase letters, special characters (shift-number keys), and digits.
However, this solution also presents a new problem: how do you store and retrieve multiple complex passwords securely and conveniently? Paper is too easily lost or stolen, but a simple, encrypted, password-protected text document is a fair option. See the section on file encryption later in this article.
Software solutions offer added convenience and security to your firm. LastPass is a password management application that is compatible with all major web browsers, operating systems, and smartphones. When the user is logged in to the application, it can automatically fill in usernames and passwords for websites. Passwords are stored in encrypted form on your computer and on LastPass’s servers.
This may sound dangerous, but modern encryption ensures that the data is secure as long as the LastPass master password is complex. You therefore need to create, memorize, and back up one strong password, but that is “the last password you’ll have to remember,” as the company says. LastPass is widely praised and regarded as very secure. It is free for use with desktop browsers. Premium features, including smartphone apps, can be added for a fee of $1.00 per month.
LastPass contains a random password generator that should be employed for individual websites. It may also be used to create the master password, as long as the user ensures that the program does not retain this password.
Another, similar support option is Keychain, which replicates some of the functionality of LastPass and is built into Mac OS. KeePass is another popular option that does not maintain a database of passwords on third-party servers, rendering them marginally more secure against third-party attack, but far more vulnerable to loss.
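The password guidelines above (the four criteria, no reuse, no site-derived pattern) can be checked mechanically. The following Python sketch is an added example, not part of the original article or of any product it names; the word list and the function names are assumptions made for illustration, and the two sample passwords are the ones quoted earlier.

```python
import os.path
import re
import secrets
import string
from collections import Counter

# Constructed stand-in for a real word list (assumption); lowercase entries.
WORDS = {"password", "dragon", "letmein", "summer", "lawyer"}
CLASSES = {"uppercase letter": r"[A-Z]", "lowercase letter": r"[a-z]",
           "digit": r"[0-9]", "special character": r"[^A-Za-z0-9]"}

def check_password(pw, words=WORDS):
    """Return the guideline failures for one password (empty list = passes)."""
    # Randomness cannot be measured from one password; audit() looks for patterns.
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    problems += ["no " + name for name, rx in CLASSES.items()
                 if not re.search(rx, pw)]
    problems += ["contains dictionary word: " + w for w in sorted(words)
                 if w in pw.lower()]
    return problems

def audit(vault):
    """vault maps site domain -> password; returns site -> list of findings."""
    findings = {site: check_password(pw) for site, pw in vault.items()}
    counts = Counter(vault.values())
    # A long prefix shared by every password reveals a fixed "stem" scheme.
    stem = os.path.commonprefix(list(vault.values())) if len(vault) > 1 else ""
    for site, pw in vault.items():
        if counts[pw] > 1:
            findings[site].append("reused on another site")
        rest = pw[len(stem):].lower()
        if len(stem) >= 4 and rest and rest in site.lower():
            findings[site].append("fixed stem plus site-derived suffix")
    return findings

def generate(length=16):
    """Draw from the OS CSPRNG until every guideline is satisfied."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw

# The two pattern-based passwords quoted in the article.
PATTERNED = {"gmail.com": "3&Hqn!gma", "facebook.com": "3&Hqn!fac"}

if __name__ == "__main__":
    print(audit(PATTERNED), generate())
```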
Two-step verification (two-factor authentication) is a website login system that offers greatly increased security. All websites incorporate a “knowledge factor,” something only the user knows—a password. Two-step verification adds a “possession factor,” something only the user has—a code that is either sent to the user’s cell phone via text message or generated by a smartphone app. Access requires a user to know the correct password and to possess the cell phone whose number is associated with the account.
Sites offering two-step verification include Google, Dropbox, Amazon, and Facebook. Authy is a WordPress plugin that allows administrators to add two-factor authentication to WordPress sites and blogs.
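How an app-generated code acts as a possession factor is shown in the Python sketch below, which is an added example and not code from the article or from any site it lists. It assumes the time-based one-time password scheme of RFC 6238 (the article does not name an algorithm); the account record, password and salt are constructed, and the shared secret is the RFC's published test key.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 code for Unix time `at`, derived from the secret held on the phone."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", max(0, int(at)) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def login(account, password, code, at, step=30, window=1):
    """Grant access only if BOTH the password and the current code are correct."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  account["salt"], 200_000)
    knows = hmac.compare_digest(pw_hash, account["pw_hash"])
    # Accept the adjacent time steps too, to tolerate phone clock drift.
    has = any(
        hmac.compare_digest(
            totp(account["secret"], at + d * step, step).encode(), code.encode())
        for d in range(-window, window + 1))
    return knows and has

# Constructed account record: the server stores a salted password hash and
# the secret it shared with the phone app at enrollment.
SECRET = base64.b32encode(b"12345678901234567890").decode()  # RFC 6238 test key
SALT = b"constructed-salt"
ACCOUNT = {"salt": SALT, "secret": SECRET,
           "pw_hash": hashlib.pbkdf2_hmac("sha256", b"Tr7#vQ2!mZ9@kL",
                                          SALT, 200_000)}

if __name__ == "__main__":
    now = 59                                     # RFC 6238 test time
    code = totp(SECRET, now)
    print(code, login(ACCOUNT, "Tr7#vQ2!mZ9@kL", code, now))
    print(login(ACCOUNT, "Tr7#vQ2!mZ9@kL", "000000", now))  # password alone fails
```

A stolen password fails the second check without the phone's secret, and a code observed once stops working after the time window passes.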
Email Encryption: Securing Your Email Communications
“Email encryption” refers both to the encryption of text and to the authentication process used to verify the identity of the sender and the content of the message. Email in transit may be encrypted in a number of ways. Here is an overview of methods, from the least complex to the most.
The Simplest Solution: Password-Protected Archives
Sensitive computer files of any type—text documents, PDFs, images, etc.—may be “zipped” into a password-protected archive and then attached to an email. The contents are invisible until they are “unzipped” into their constituent files.
You will need to share the archive's password with the recipient by phone, by another email address, or by some other means – not by including it in your email. 7-Zip for Windows and The Unarchiver for Mac OS are free and easy-to-use utilities that create password-protected archives.
Email Management Software
Because email encryption can be challenging to implement, software service companies have created unified email management services. In addition to encryption, they tend to offer email archiving, file archiving, and backup access to email in the event of a server outage. Industry leaders include ZixCorp, Mimecast, and DataMotion. These commercial software services should offer good support, and basic packages are very affordable.
Public Key Encryption
PGP is a public key encryption standard used for email. A user has a public key (which anyone may use to encrypt data intended for that user) and a private decryption key (which is known only to that user). PortablePGP, a free application for Windows and Linux, is PGP encryption stripped to its essence.
Simply import a third party's public key from a plain-text file, type or paste your plain-text message into the application, encrypt it, and copy and paste the content into an email. PortablePGP also allows you to sign and verify messages. It does not integrate with any email application, but it is a good option for beginners and for those who only occasionally wish to send an encrypted email.
Webmail applications such as Gmail, Yahoo! Mail, and Outlook.com do not offer built-in encryption. Browser extensions, which add certain functionality to web browsers, can give you this capability.
One clear leader in extensions is Mailvelope, which uses a version of PGP called OpenPGP. Currently, it is only compatible with Google's Chrome browser, but a Firefox version is in the works.
Extension catalogs are available for all major web browsers. Search there or on Google for webmail encryption extensions compatible with your chosen browser and webmail provider.
Desktop Email Applications
Symantec Encryption Desktop is a commercial PGP encryption product. While not inexpensive, it offers encrypted email and files with telephone support available 24 hours a day, seven days a week.
Desktop email applications (e.g. Microsoft Outlook on Windows and Apple Mail on Mac OS) usually have built-in support for a public key encryption standard known as S/MIME (Secure/Multipurpose Internet Mail Extensions). To use this type of encryption, start by obtaining a certificate (digital ID) from a certificate authority. This certificate contains your public key and your email address. Examples of certificate authorities include VeriSign (owned by Symantec) and Comodo. Some authorities offer free certificates, while others charge a fee. After you sign up, the authority will send instructions for downloading and installing your certificate to your registered email address. After that, you can send encrypted and/or digitally signed email.
Third-party add-ons are available to integrate OpenPGP encryption into desktop email applications. Gpg4win is a package of tools to implement OpenPGP in Windows. GPGTools is a similar package for Mac OS. Both use an implementation of OpenPGP called “GNU Privacy Guard” (“GnuPG” or “GPG”). Both are free and open-source, include a plugin for the primary desktop email application (Microsoft Outlook and Apple Mail, respectively), and offer further file-encryption tools.
System and File Encryption: Securing your Computer
If you have to enter a password to log in to your computer, you may believe that the data on it is secure. In fact, that measure alone offers very limited security. If your computer were stolen, the thief could access the contents of the hard drive by removing it and placing it as a secondary drive on another computer, or even by booting your computer from a bootable USB flash drive. The data would be just as accessible as the data on an external hard drive that you might plug in yourself. That data even includes your email: a thief with access to your hard drive can run Outlook on a third-party computer to read your unencrypted, locally-stored email just as easily as your own Outlook client can.
You should still create a strong password to protect your user account, but you should encrypt your data as well. There are two different approaches to encrypting data. You can either encrypt sensitive files, folders, and volumes, or you can encrypt your hard drive as a whole.
Individual files and folders may be encrypted within your hard drive. Encrypting File System, a built-in feature of certain versions of Windows, offers this capability. So do Symantec Encryption Desktop, Gpg4win, and GPGTools, which are addressed above. Encrypting File System, TrueCrypt, and Disk Utility (built into Mac OS) can also create encrypted volumes (file containers).
Full-disk encryption offers higher levels of security and transparency than file encryption, and is therefore generally preferable to these options.
Full Disk Encryption
When an entire hard drive is encrypted, the data is decrypted when it is accessed by a logged-in user and encrypted when it is written to the drive. This can be accomplished in several different ways.
Hardware-based full disk encryption is a system built into a computer’s physical hard drive. These drives are also called “self-encrypting drives” (SEDs). The password to access an SED is entered at the beginning of the boot process—the drive will not even begin to load Windows without a correct password. This is called “pre-boot authentication”.
Many SEDs feature a “self-destruct” capability. After a certain number of failed attempts to access the drive, the decryption key is erased, immediately rendering all data unrecoverable. A self-destructed drive remains entirely usable and may be regarded as securely erased, with no “data remanence” that would allow forensic data recovery later. Some drives offer a time-limited lockout as an alternative to self-destruct.
An SED may be installed as the main hard drive in your desktop or laptop computer. It may also be employed as an external hard drive or USB flash drive (thumb drive). In addition to a password, some of these incorporate physical authentication, such as a keypad for entering a PIN or even a fingerprint reader.
For both data protection and transparency to the user, self-encrypting drives are the gold standard.
Full-disk encryption is also available as a software solution. TrueCrypt is a popular program for Windows, Mac OS, and Linux. It encrypts an entire hard drive or USB drive. Encrypting the system drive (boot drive) implements pre-boot authentication, similar to that seen in hardware solutions. TrueCrypt offers free, robust, transparent protection for all major operating systems.
Some operating systems offer built-in full-disk encryption. BitLocker and FileVault are available on certain versions of Windows and Mac OS, respectively.
Authentication: Securing Your Smartphone
An astonishing number of people employ absolutely no security features on their smartphones. That means their emails, text messages, social media apps, and more are accessible to anyone who gets his or her hands on the device—a device carried everywhere and sometimes left behind. Everyone should secure his or her smartphone with a password, PIN, swipe pattern, or voice/facial recognition.
Recent versions of Android offer system-wide encryption under their “Security” settings, but these features come with a major drawback. Each time the phone is powered on and the encryption password is entered, the entire file system must be decrypted—a process that can take up to an hour. Apple iPhones automatically employ encryption whenever password protection is in use. The iPhone encrypts only certain sensitive data sources, but this method does not suffer from the time delays of Android encryption.
The following steps will bring your firm to an exceptionally high level of security.
1) Protect your smartphone with any of the provided authentication options.
2) Audit your passwords for sensitive sites. Make sure they follow the complexity guidelines above, and back them up safely. Consider LastPass. Feel free to give it a trial run, using only passwords for less-sensitive websites.
3) Implement two-factor authentication for your most sensitive online passwords, including Gmail.
4) Implement one of the simple encrypted email solutions. If you wish to learn about PGP, start by using PortablePGP to trade encrypted messages with a friend.
5) Consider using self-encrypting drives for external hard drives and USB flash drives. Look into full-disk encryption using TrueCrypt.