Who goes there?

April 30, 2005

The legal profession faces pressing and unique challenges in today’s information society. A recent poll (conducted by Dimension Data, Microsoft and RSA Security) of law firms during seminars in Edinburgh and Glasgow revealed that many firms are struggling to marry increasing demands from clients for a more responsive service with the need to retain strong security on their information. As a consequence of this, many law firms’ IT departments are wasting money and missing out on many benefits offered by modern business technology.

To enable law firms to fully recognise their investment in technology, systems need to provide information at point-of-need to allow lawyers to respond with the speed and accuracy demanded by clients. However, these same systems must also protect the confidentiality of the information they hold by ensuring access is only possible by authorised individuals.

As demand for faster and more accurate responses increases, new systems are developed for various areas of a practice. To ensure the confidentiality of information, these systems all require user names and passwords and often incorporate unique business logic to control access to data within the systems. Users of the systems are required to remember a variety of user names, a similar number of increasingly complex passwords, and they need to change these passwords at increasingly frequent (but varying) intervals. The consequence of this is no better highlighted than by the example of an IT worker who participated in the above survey and admitted to spending 16 hours every week resetting lost and forgotten passwords.

In many business environments, establishing the cost of resetting passwords is often a primary factor in the decision to implement an identity management solution. But in businesses where services are billed by the hour, and an employee is prevented from working until an account is unlocked, the cost of these resets is considerably higher. This cost is further compounded when client dissatisfaction through missed deadlines or perceived slow responses is taken into account.

In law firms, the case for simplifying the process of creating and administering identities is compelling, and the need to protect the confidentiality and integrity of information within the systems unquestionable. Why is it, then, that so few firms adopt structured identity and access management systems?

When questioned, participants in the survey suggested that the main barriers to adoption were the perception that such a solution was so complex that it would never be completed and, perhaps more revealing, that nobody was sure where the ownership of such a solution lay: the infrastructure/server team, the applications team, the security team or perhaps not in IT at all. What was clear was that the solution touched every element of technology within a practice, from system logon and authentication, through to door access control, physical library access management and access to devices such as photocopiers and telephone systems.

Too often, the various elements of a practice operate in isolation: a document is produced and stored within the Document Management System (DMS) and then published through a secure portal to a client. The lawyer manually records his or her time through the Practice Management System (PMS) and the invoice is raised and sent to the client – even though the invoice details are stored in the PMS and not the DMS. Phone calls are recorded separately and disbursements such as postage and copying are captured at point-of-use but the information is then fed back into the PMS for an overall picture.

Users are required to move between systems, often logging on separately to each with a separate password (and, in many cases, a different user name). These processes have developed as applications have evolved to match existing manual processes.

When questioned about why there is so little integration of core processes, IT departments will often cite security as the key. If a single user name and password allows a user access to part of the system, automating the movement of data within the system becomes dangerous. Which leads back to the question of identity management: if a practice is sure of the identity of the user, then automation of processes can take place without risk.

So what exactly is identity management?

In a well-managed system, a user is established as a single object with attributes that identify the role of that user within an organisation. A structured identity management system also has a set of strong business rules that are applied to the user-object to control what they may and may not access. The default setting for any user-object will be no access so that access has to be consciously created. The final component is the mechanism for authentication of the user-object.

Passwords are increasingly regarded as the least secure form of authentication: two-factor authentication, using some form of physical token or smartcard and a PIN, is rapidly becoming the de facto standard in many organisations.

The technology for these solutions exists now and has a return on investment of months rather than years, something which is quite unusual in the world of IT. Take the following example and compare it to the process in your practice today:

A new lawyer joins a practice. The HR department will be the first people to be aware of the new starter: they will set the start date in their systems. The identity management system will scan the HR system regularly for new starters and capture the information. Using business rules based on job description, department, office location and any other relevant information, a user-object with basic attributes will be created within the identity management system. (It is possible to insert manual cut-offs within most systems to ensure that the process has created a proper object.) Once verified, the object is used to create user accounts in the authentication system, the e-mail system, the telephone switch, the door entry system, the DMS, the PMS, the telephone directory, etc. The system can also automatically order business cards. A PC or laptop image is created according to the user-object attributes which are used to determine which applications are required.

The new starter arrives and is handed a blank computer and an authentication key/card/token which also acts as their door entry system. They plug their computer into the network and it automatically installs all the software they need. From the point of the HR department clicking the “new starter” button on their system, there has been no human intervention in this process and the new user has a fully-functional system with token-based access to all his or her systems, meaning that there are no passwords anywhere in the environment.

With this level of security and identity management, law firms should feel more confident about linking information between systems because they can prove who is using their systems and reject unauthorised attempts to access the systems and data. When a user leaves, the process can be reversed and the user de-provisioned as effectively as they were provisioned in the first place. Additional rules to prevent data theft, e-mail deletion or post-departure systems access can be created easily and efficiently.

The Business Case

While a robust identity management infrastructure will require investment, the business case is clear. The status quo, where IT departments and already busy legal professionals are required to juggle multiple passwords is both inefficient and insecure. On the basis of a solid identity platform, firms can gain the stability and security needed to save money in the long term, while offering a more responsive service to clients and simultaneously avoiding the possibility of unintentional confidentiality breach.

Whilst identity management solutions have traditionally been implemented only in enterprise size clients (with enterprise size price tags to match), there are many offerings for the small and medium size firm that offer truly affordable solutions. The identity management solutions can be implemented for an initial cost of £200 per user with a further £100 for a secure token or card based authentication solution. Compared to the often quoted cost of simply re-setting a password at £25 per re-set, this alone provides a compelling business case. Add in the cost of locking out a lawyer for an hour, or the cost of inadvertently sharing information with the wrong people, and the argument is indisputable.

Simon Ratcliffe is Business Development Director for Dimension Data’s Operating Environments & Messaging Business Unit.