Thursday, July 09, 2015

Legal Extranet Security Considerations

Security settings and controls are critically important when deploying client extranets. Here are some of the basics.

Firstly, extranets are exposed on both the internet and the intranet. It is therefore necessary to serve them over HTTPS with a valid TLS certificate (TLS is the successor of SSL, and "SSL certificate" remains the common name) so that any data flowing over the internet is encrypted in transit. Keep in mind that TLS protects data only while it is in transit between browser and server; it says nothing about which logged-in user may see which data, which is what the application-level controls below must handle.

Within your application itself, there are several dimensions to consider. Some of the more important areas are:

- The operations you will grant on each type of data (view, submit, modify, delete). Ideally, these access levels can vary by entity type (cases, documents, calendar events, etc.), so that, for example, a user may upload documents without being able to delete them.

- The creation of a set of system privileges (each granting access to a particular piece of functionality) and a set of corresponding roles, each granting a different set of privileges. Users are assigned roles rather than individual privileges. The system roles should correspond to functional roles within the law firm and among its clients. To cite a primitive example, one might create roles for Administrators, Staff Members, Staff Attorneys, Partners and Clients, each with a different set of system privileges depending on the nature of the work they need to do in the extranet.

- Visibility to collections of data must also be protected. To cite another primitive example, some workers in a law firm need access to data from Client A, others to data from Client B, and others still require access to both Client A's and Client B's data. Clients A and B obviously may not be granted access to each other's data. This check must be enforced on the server for every request (including direct links to a record's URL), not merely by hiding records from a listing page; a privilege to view documents is never sufficient on its own without the accompanying check that the document belongs to a client the user may see.
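As an added illustration (this is example code written for this page, not code from the original post or from any extranet product), the following minimal Python model ties the three points above together: privileges keyed by (entity type, operation), roles that bundle privileges and correspond to the firm and client roles named above, and per-client visibility enforced in the same authorization check. The role names come from the post; the specific privilege assignments, the client scopes, the `FIRM_WIDE` sentinel and the sample records are assumptions chosen for illustration.

```python
"""Added example: deny-by-default authorization for a legal extranet.
Role names follow the post; privilege sets, client scopes and sample
records are assumed for illustration."""
from dataclasses import dataclass
from enum import Enum


class Entity(str, Enum):
    CASE = "case"
    DOCUMENT = "document"
    CALENDAR_EVENT = "calendar_event"


class Op(str, Enum):
    VIEW = "view"
    SUBMIT = "submit"
    MODIFY = "modify"
    DELETE = "delete"


def _all_ops(*entities):
    """Every (entity, operation) pair for the given entity types."""
    return {(e, op) for e in entities for op in Op}


# Role -> set of privileges. An assumed mapping; a real firm would tune it.
ROLES = {
    "Administrator": frozenset(_all_ops(*Entity)),
    "Partner": frozenset(_all_ops(*Entity)),
    "StaffAttorney": frozenset(
        _all_ops(Entity.DOCUMENT, Entity.CALENDAR_EVENT)
        | {(Entity.CASE, Op.VIEW), (Entity.CASE, Op.MODIFY)}
    ),
    "StaffMember": frozenset({
        (Entity.CASE, Op.VIEW),
        (Entity.DOCUMENT, Op.VIEW), (Entity.DOCUMENT, Op.SUBMIT),
        (Entity.CALENDAR_EVENT, Op.VIEW), (Entity.CALENDAR_EVENT, Op.SUBMIT),
    }),
    # Clients may view their matters and upload documents, never delete.
    "Client": frozenset({
        (Entity.CASE, Op.VIEW), (Entity.DOCUMENT, Op.VIEW),
        (Entity.DOCUMENT, Op.SUBMIT), (Entity.CALENDAR_EVENT, Op.VIEW),
    }),
}

FIRM_WIDE = "*"  # assumed sentinel: visibility to every client's data


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset          # role names from ROLES
    client_scope: frozenset   # client ids this user may see, or {FIRM_WIDE}


@dataclass(frozen=True)
class Record:
    entity: Entity
    client_id: str            # the client whose matter this record belongs to
    ref: str


def privileges(user):
    """Union of the privileges of every role the user holds.
    An unknown role name grants nothing rather than raising."""
    out = set()
    for role in user.roles:
        out |= ROLES.get(role, frozenset())
    return frozenset(out)


def can_see(user, client_id):
    """Data-visibility check: firm-wide scope or an explicit client grant."""
    return FIRM_WIDE in user.client_scope or client_id in user.client_scope


def authorize(user, op, record):
    """Single chokepoint, deny by default: the user must hold the
    (entity, op) privilege AND be scoped to the record's client."""
    if (record.entity, op) not in privileges(user):
        return False
    return can_see(user, record.client_id)


def visible(user, records, entity):
    """Listing filter for the UI: the same per-record check, so hiding a
    link is never the only control standing between clients."""
    return [r for r in records if r.entity == entity and authorize(user, Op.VIEW, r)]


# Constructed sample data for the demonstration.
RECORDS = [
    Record(Entity.CASE, "clientA", "A-2015-001"),
    Record(Entity.DOCUMENT, "clientA", "A-brief.pdf"),
    Record(Entity.DOCUMENT, "clientB", "B-contract.pdf"),
    Record(Entity.CALENDAR_EVENT, "clientB", "B-hearing"),
]

alice_partner = User("alice", frozenset({"Partner"}), frozenset({FIRM_WIDE}))
bob_staff = User("bob", frozenset({"StaffMember"}), frozenset({"clientA", "clientB"}))
carol_client = User("carol", frozenset({"Client"}), frozenset({"clientA"}))

if __name__ == "__main__":
    for u in (alice_partner, bob_staff, carol_client):
        print(u.name, [r.ref for r in visible(u, RECORDS, Entity.DOCUMENT)])
```

The design choice worth noting is that `authorize` is the only place a decision is made, and it always evaluates both dimensions: the role-derived privilege and the client scope. The listing helper reuses it rather than implementing its own filter, so a client who guesses another client's document reference hits the same denial as one who simply does not see the link.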