Single Sign-On And Identity Providers For Law Firms—The Time Is Now
An identity provider—an online website or underlying service that authenticates internet users by means of security tokens—can be an important piece of the security puzzle and provide value to your enterprise.
August 20, 2018 at 08:00 AM
We've all read the articles about law firms being targets for hackers. This is often perceived to be the case because they can be entities holding exceptionally valuable data (think M&A or valuable IP secrets) with infrastructures which might not be quite as secure as they could be. After all, let's be honest, most law firms are not hiring security experts from the CIA or Department of Defense, and many law firms are not yet obsessing over the difference between security, the perimeter, zero trust models or conducting quarterly vulnerability tests (although, arguably, perhaps they should be).
In some ways, the pieces comprising a suitable security plan might be considered more complex to assemble than a 5,000 piece jigsaw puzzle. But one thing is clear: New technologies are more the rage and increasingly becoming a larger part of the solution. One of these technologies is clearly single sign on (SSO), powered by a technology known as SAML 2.0 (Security Assertion Markup Language) and generally put forward by a company providing Identity as a Service (IDaaS).
An IDaaS, sometimes also known as an identity service provider or identity assertion provider (identity provider, or IdP), is an online website or underlying service that authenticates internet users by means of security tokens, one of which is SAML 2.0.
So, what are some of the basic benefits to SAML 2.0? Well, one is clearly user convenience. There are fewer passwords for users to remember. Furthermore, companies benefit from vastly improved security because a SAML provider is passing in authorized tokens rather than users typing in user names and passwords to other systems. And a final benefit is that desktop single sign on (SSO), which makes the sign on experience easier for the end-user, is something often powered by an Integrated Windows Authentication (IWA) server.
Collectively, from a business perspective, these improvements will help users reset passwords more easily and result in a reduced number of password-related tickets in an organization's help desk. And, these advanced methods of authentication reduce an organization's exposure to social engineering attempts to hijack someone's credentials.
One can preach all one wants about the fact that users should not have the same or similar password for multiple systems, but we all know that is not the case. If we stipulate that fact, in a world where users at law firms have more and more passwords to remember and systems to access (email, CRM, document management, file transfer, legal news sites like ALM, client databases, extranets, etc.), the use cases for IdPs are numerous.
How exactly does this work? There is some “under the covers” work we'll omit from this article, but the general idea is that an entity like a law firm licenses an identity product (at Tanenbaum Keale, for the record, we use Okta). Appropriate services are placed on a domain server for domain-to-IdP communication and firm end users are provided access to the IDaaS. Then, one-by-one, applications are added to the identity service. Once that is done, end users have access to an area where they log in once (at TK, using Okta to directly authenticate against a domain controller), and then they are presented with a list of tiles they can use to access applications with a single click.
You may wonder what type of applications can be accessed in this manner. Most IdPs have a list of available common applications and there is also an API available to develop customized connections to other systems in use within a law firm. The “big kahuna,” of course, is Office 365. Depending on a law firm's environment (Office version, cloud/hybrid/on prem) the implementation steps vary, but the end goal is federation so tokens and direct authentication tactics replace the local typed credentials which are passed into your Office 365 tenant.
However, in addition to Office 365, there are tons of other connections one can create. Connections to common law firm products like Citrix ShareFile, iManage in the cloud, WestLaw, attorney CLE sites, and legal news sites are available. Other general connections like links to employee 401K vendors, health insurance providers and payroll companies are also in play.
All of these connections, viewed in totality, help a law firm in two significant ways. One is employee convenience and the second is security (the more passwords replaced by SAML tokens, the better).
Shifting our gaze from the table in front of us to the horizon, a number of other benefits are also offered by IDaaS providers like Okta. One can shift Office 365 provisioning from an on-prem domain server to the cloud, which eliminates a common point of failure for this function assuming one deploys multiple provisioning agents as compared to a single domain controller. There are a plethora of options available on the multi-factor authentication (MFA) front for law firms to implement to further lock down access to vital, private data. And, most recently, the Zero Trust Architecture model (which, simply put, means that instead of assuming a resource can access an area of a network or data, the access must be verified) is starting to be integrated into the IdP space.
Another type of benefit, one perhaps more valuable to larger law firms or organizations, is the use of user account lifecycle management. This is a strategic viewpoint which defines enterprise administration of one user, one identity, and one infrastructure. Changing data in one place and seeing it propagate forward via a federation strategy reduces administrative burdens and the challenges posed by synchronization strategies.
It is important to note that implementing SSO and SAML might not be considered the easiest network engineering project in the world. It's an emerging technology new to many folks in the IT space in the legal environment with a certain level of complexity to it. But, as described above, the benefits are numerous, and the investment is more than worth it.
Factoring passwords out of the equation, streamlining provisioning so that changes like employee departures or changes in roles can be handled in one place and then cascade through your application portfolio, and working to improve not only perimeter security around a law firm but also creating security zones within a law firm's network are all game changers in a world where technologists are trying to integrate all necessary security controls with somewhat manageable administrative requirements.
So, to sum it up, consider taking some time to look at identity providers. They are an important piece of the security puzzle and surely will provide as much value to your enterprise as they have within Tanenbaum Keale.
Kenneth Jones is Chief Technologist of Tanenbaum Keale LLP, a boutique litigation law firm, and Chief Operating Officer of the Xerdict Group, a SaaS legal collaboration software company. Xerdict is a wholly owned subsidiary of Tanenbaum Keale. Emmett Carey is the Director Of Technology for Tanenbaum Keale. Emmett is an expert in a wide variety of law firm engineering, networking and cloud-based technologies which he cultivated via his assignments in the legal industry for close to two decades.
© 2025 ALM Global, LLC, All Rights Reserved.