Archive for the ‘Technology’ Category

BDS in FIPS 140-2 in CMVP certification process

October 4, 2011

Biscom Delivery Server is now “in process” for FIPS 140-2 certification. FIPS 140-2 (Federal Information Processing Standard) certification is a US Government security standard for accrediting cryptographic modules. The National Institute of Standards and Technology (NIST) defines the cryptography requirements in its FIPS 140-2 publication, and software like BDS must pass the Cryptographic Module Validation Program (CMVP) in order to receive certification. Level 1 is geared towards software solutions, whereas level 2 is required for hardware solutions that have physical security mechanisms.

NetworkWorld's take on Secure File Transfer

May 20, 2011

Linda Musthaler, a frequent contributor to NetworkWorld, wrote a nice article (and a nice mention of Biscom Delivery Server) in the IT Best Practices Alert newsletter entitled File transfer solutions take pressure off email. She brings up great points about the issues with sending large files and the inadequacies of email, FTP, and thumb drives, especially for enterprises. This mirrors our view of email concerns, but she did seem to forget that Biscom has been offering an Outlook add-in for secure file transfer since Outlook 2003!

Dropbox backpedaling

May 16, 2011

On the heels of my last blog post about dumpster diving online storage and file sharing services, Wired posted a story on the validity of Dropbox’s claims about their data security.

I guess the bottom line is you have to really understand how applications and services handle your information, and how it may affect your own security policies and requirements, especially SaaS services.

Dumpster diving file sharing services

May 10, 2011

File sharing services are under scrutiny and most of them fail miserably. Researchers were able to harvest 310,735 files in just one month using a crawler, and the haul included photos, zip files, PDFs, and office files. InfoWorld reported the results of the study, and “what they found will raise — no, curl your eyebrows.” The study also shows that there are people all over the world who are actively dumpster diving for files on these file sharing sites.

These file sharing and collaboration sites committed several sins, including the use of sequential IDs in their URLs. This is a good lesson for those of you looking for ways to send or share your files – make sure your vendor has extensive security experience, implements a secure architecture, and actively defends against common penetration attacks. Almost anyone can offer a secure file transfer solution, but not all SFT vendors are created equal. Do your homework, weed out the wannabes, and choose wisely. Or, you can just pick Biscom Delivery Server and be done with it.

From the Mouth of AmLaw CIOs: Challenges and Trends

May 9, 2011

On April 28, Biscom had the opportunity to support the 9th Annual CIO Forum. The forum, which was created by the Hildebrandt Institute and West, a Thomson Reuters business, hosted more than 30 IT leaders – a majority of which were from AmLaw 200 law firms. The event featured presentations from legal leadership at Viacom, Cisco and Microsoft – as well as Clifford Chance LLP and Bryan Cave LLP – and focused on topics such as cloud computing, outsourcing, data privacy, email management and security.

When you have this much IT leadership in one room, trends and common challenges are bound to come to the forefront. Based upon the presentations and conversations, here are some of the most prominent trends and ideas that dominated discussions:

  • In spite of the recent recession, there is growth: While many law firm practice areas have experienced contraction due to the economic downturn, litigation practices (including intellectual property litigation) have experienced growth.
  • Competition necessitates cost control and efficiency: With the forecast for legal industry growth trending towards flat, law firms are prompting growth by wooing clients from competitors. As a result, law firms are forced to turn a keen eye towards reducing cost and increasing efficiency to remain competitive and offer improved client-facing technologies.
  • IT downsizing: While 2011 IT budgets are experiencing a modest increase, most law firms’ IT headcounts will remain stable or experience a decrease.  That means doing more with fewer resources.
  • In-house vs. outsourcing: CIOs are trending towards keeping core applications in-house while outsourcing content and commodity applications.
  • Fixed fees: Clients are demanding alternative fee arrangements and fixed fees with incentives for exceeding performance milestones.  In order to leverage profit from these arrangements, law firms again are turning towards increasing staff efficiencies and decreasing costs related to delivering services.
  • Confidentiality is king: While clients these days are demanding that law firms “up the ante” when it comes to protecting their confidential data, there remains a significant lag in adopting new technology and policies to respond to this demand.  Law firms, on a whole, continue to evaluate options – as opposed to executing them – to adopt policies and deploy technologies to comply with data privacy regulations.  As other industries tighten their security, law firms are seen as vulnerable targets for malicious data breaches.

Do you see these trends applying to your law firm’s IT efforts? What other trends and challenges do you think law firms are facing when it comes to IT?

BankLiberty Turns to Hosted File Transfer Solution – Biscom Delivery Server

January 14, 2011

This is a great story about BDS in a software as a service (SaaS) environment. BankLiberty was looking for a faster, more secure, and more efficient way to send their confidential information out. KDSA Consulting, our partner in North Andover, MA, hosts our secure file transfer solution in their datacenter, handling the back end so our customers don’t have to worry about hardware, software, and network connectivity.

My favorite quote in the article, by network administrator Dan Hagstrom, was when he said that “the results in 2010 have been transformative. It’s changed the way that we can communicate with the outside world.”

How to protect against SQL injection

December 20, 2010

SQL injection is still out there as an attack. It worked against Twin America LLC, and it was only discovered this past October, after hundreds of thousands of records were stolen. It’s a well-known ploy – you take advantage of web sites that have a form for inputting information. If a site doesn’t employ techniques to nullify SQL injection, an attacker can easily see your entire database, which often includes usernames, passwords, and account information, or worse, download the information and then destroy the database.

Two common areas that are potentially open to attack are unfiltered escape characters and poor type handling. In an unfiltered web form, a form variable is plugged directly into a SQL statement. If I crafted just the right input, I could append my own SQL clause to the one being executed. The classic example is:

"SELECT * FROM user_table WHERE username = '" + username + "';"

If instead of a valid username I entered ' OR '1'='1 (including the leading single quote), I’d now be running this statement:

SELECT * FROM user_table WHERE username = '' OR '1'='1';

The OR '1'='1' clause always evaluates to true, so the query returns every row in the user table, with all of its columns.

A second potential hole exists if the programmer does not check type constraints. If a SQL statement is expecting a number, the input supplying that variable should be checked to make sure it truly is a number. Otherwise, much like the trick above, I could append an entirely new statement such as DROP TABLE user_table after the number I enter into the form, and the back end would execute whatever statement I presented to it.

There are several techniques to protect a Web application from these types of attacks, including the use of parameterized statements, or even escaping characters that have a special meaning in SQL. But programmers have to be diligent about adding this protection, because hackers will find even the smallest hole and take advantage of it.
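Both holes from the post and the parameterized fix, as an added example that is not code from the post or from BDS. It uses an in-memory SQLite table; the table name comes from the post, while the sample rows and function names are constructed for illustration:

```python
import re
import sqlite3

# Constructed sample rows for the demonstration; not data from any real system.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """Build an in-memory user_table like the one in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_table (username, password) VALUES (?, ?)",
                     SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """The post's pattern: the form value is spliced straight into the SQL text.
    Input ' OR '1'='1 turns the WHERE clause into username = '' OR '1'='1',
    which is true for every row."""
    sql = "SELECT username FROM user_table WHERE username = '" + username + "';"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Parameterized statement: the driver binds the value separately from the
    SQL text, so quotes in the input cannot change the query's structure and
    the same ' OR '1'='1 input simply matches no user."""
    rows = conn.execute("SELECT username FROM user_table WHERE username = ?",
                        (username,))
    return [row[0] for row in rows]


def lookup_by_id(conn, raw_id):
    """The post's second hole: an input that must be a number is validated as
    one before use, so anything carrying a trailing SQL clause is rejected."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        raise ValueError("id must be a positive integer")
    rows = conn.execute("SELECT username FROM user_table WHERE id = ?",
                        (int(raw_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "' OR '1'='1"))     # all three usernames
    print(lookup_parameterized(db, "' OR '1'='1"))  # []
```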

Biscom spends its time worried about these types of hacks, so you don’t have to. Countless penetration tests have proven our security model. We think our customers want a secure file transfer solution that is actually secure.

BDS Secure File Transfer gets 5 stars in SC Magazine review

October 4, 2010

This was a nice review of BDS by SC Magazine. The reviewer looked at our VM appliance which, as he noted, takes just minutes to deploy. Obviously, with limited space, he couldn’t possibly enumerate all the features and benefits of our product, nor could he possibly find them all. Biscom Delivery Server (BDS) packs a huge number of features into a nice, easy-to-use package. It’s like Microsoft Word – most people will use 10% of the functionality, but it’s nice to know that there’s another 90% that can handle so much more.

But I think this gets the point across – BDS is easy to deploy, easy to use, and gets the job done. For tinkerers, you can fully customize the look and feel, set policies and rules, integrate with LDAP and AD, plug into Outlook, and truly configure BDS to fit so many different environments.

Some of the distinctions of BDS compared to other SFT products: multi-platform (Windows and Linux supported, and VM), Outlook plug-in, checkpoint restart, no file size limits (5GB? 10GB? 20GB? c’mon, that’s child’s play – try 150GB), strongest back end encryption (AES 256-bit), extremely granular tracking and reporting, Web services SDK, and our customers tell us we’re the easiest to use for end users. And we have the most advanced and secure back end architecture out there bar none. When you put us head to head with anyone, there’s no contest.

Post-ILTA 2010: Recap & Key Takeaways

September 7, 2010

I’ve recently returned from the ILTA Conference in Las Vegas and if you haven’t heard, there’s been a lot of exciting buzz about the event. Biscom had the opportunity to exhibit at ILTA this year, and we had a great turnout. Looking back, I’m pleased to say I left with many new connections, friends and valuable information (can’t say I left Vegas any richer though, the casinos won this time).

While e-discovery, litigation support, and case management were among the usual hot topics at ILTA, discussions I’ve had with legal professionals suggest security and data protection are the new black. We experienced record crowds at the booth from law firms looking to solve the growing challenges of preventing unintended employee data breaches and meeting compliance with data privacy regulations. Furthermore, we were featured as one of the top 20 booths to visit at ILTA, and according to Law Technology News we were the only secure file transfer provider at the conference, reinforcing our leadership in the legal market and our commitment to meeting the specific needs of law firms and corporate legal departments.

It was an exciting and successful event and one where we gained valuable insights regarding the needs and challenges of law firms, such as:

• Legal IT is growing increasingly frustrated with the cost and inefficiency of transferring large files through the traditional methods of e-mail, FTP and overnight courier. This was validated by the 2010 ILTA Member Purchasing Survey released at the conference. For the second year in a row, e-mail management was identified as the biggest challenge facing legal IT overall.

• File transfer security is an increasing concern. Security moved from the 7th position last year to the 4th position in the ILTA purchasing survey’s “biggest challenge facing IT”.

• Attendees were particularly excited about the capability to transfer files securely from iManage WorkSite and the recently announced BDS 4.0 release. (See the video interview with Bill Ho below)

Somewhere in the middle of manning the Biscom fort in the exhibit hall, I had the chance to attend two very informative sessions. The first, “Taming the E-mail Filing Monster with iManage WorkSite 8.5,” included an open panel discussion with three law firms on how they deployed iManage to move e-mails out of Exchange into iManage, tracking e-mail content by matter and reducing Exchange storage – a growing need for law firms. The other, “The Changing Regulatory Landscape and its Effect on Law Firms,” featured Beth Chiaiese, Director of Loss Prevention, and Jodi Malek, CIO, of Foley & Lardner. Key topics discussed involved HIPAA, HITECH and the Massachusetts Data Breach regulations and the specific compliance requirements for each, including the important role technology plays in meeting compliance, such as the encryption and secure transfer of sensitive data.

We also had an opportunity to meet with several members of the press. Sean Doherty, Sr. Technical Editor, Law.com, was excited to hear about the new BDS 4.0 features, integration with iManage and plans to integrate with SharePoint (last December Sean published an in-depth BDS product review in Law.com). We certainly appreciate his time.

Overall, the ILTA Conference was a rousing success and we look forward to next year’s conference.

As an added benefit, you may also enjoy these post-ILTA reviews:

ILTA 2010: What Happens There, Ends Up Everywhere, Online
http://abovethelaw.com/2010/09/ilta-2010-what-happens-there-ends-up-everywhere-online/

Light Bulbs in Las Vegas
http://aboveandbeyondkm.com/2010/08/light-bulbs-in-las-vegas-ilta10.html

ILTA 2010 – E-discovery after the flood
http://blogs.the451group.com/information_management/2010/09/02/ilta-2010-%E2%80%93-e-discovery-after-the-flood/

ILTA 2010 Recap – Change is in the Air
http://www.corcoranlawbizblog.com/2010/08/ilta-2010-recap-change-is-in-the-air/

In Focus: Post-ILTA 2010
http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202471231934

RSA Conference 2010

March 8, 2010

Just got back from the RSA conference in San Francisco last week. It was quite a show — some heavy hitters were in attendance, including Secretary of the Department of Homeland Security Janet Napolitano, FBI director Robert Mueller, and a very cryptic NSA spokesperson. For you geeks out there, Whitfield Diffie, Martin Hellman, Ron Rivest, Adi Shamir, and David Chaum played big parts in the keynotes and panels. It was interesting to see both the public and private sectors well represented here compared to previous RSA conferences, and there was definitely more openness between the two. The paranoia level was high, with many keynotes commenting on organized cybercrime, cyberwarfare, and cloud security. Janet Napolitano actually tried to recruit hackers and other security talent for DHS in Hollywood-esque fashion!

The sessions were actually quite good, with tracks in application development, law, hackers and threats, data security, policy and government, and governance, risk and compliance. One session I attended on data breaches was interesting; the speaker asked the audience to raise their hands if they had experienced a data breach, and three quarters of the room raised their hands. Data breaches are occurring, and to their credit, companies seem to be aggressively pursuing a strategy of prevention over cure.
