Has Your Law Firm Tried the Zero-Trust Approach to Data Security?

18 October 2022 by Ross. Tags: eDiscovery, zero-trust, data-security

Takeaway: A zero-trust approach assumes that trust has to be continually earned. Nobody gets blanket access to your firm’s data, not even with a valid password: every request is checked for who is making it and what that person is cleared to do, and identity has to be re-proven periodically. The payoff? A single compromised account or device (malware on a laptop, an employee who fell for a phishing email) can reach only the narrow slice of client data that account was cleared for, not the run of the firm’s files.

Traditionally, cybersecurity meant walling off your data from the outside world.

The earliest cybersecurity models focused on creating a secured boundary between your data and the world. The logic was that if you build a strong enough wall, only authorized people would ever make it in. So, security specialists designed gatekeeping controls like filtering by IP address, closing unused ports, defining access protocols, building firewalls, and setting up virtual private networks (VPNs).

We assumed that the stronger the wall, the more secure its inner ‘safe zone.’

Think of it like airport security, where most effort goes into screening inbound traffic (passengers, crew, ground staff, etc.). The idea is that an elaborate screening process keeps out troublemakers. So, the stronger the wall, the safer everyone inside is. This perimeter-and-safe-zone approach meant that once you’re in, you’ve been ‘okayed’ and can do whatever you want: a single stolen password or an infected laptop inside the wall has the run of the network.

A zero-trust approach shakes things up. It ignores the idea of a safe zone, seeing everyone as potentially hostile.

With the growth of the Cloud, there’s no centralized safe zone to protect anymore. Data lives on many services and is reached from many devices and locations, so there’s no single boundary to guard, meaning we need a new paradigm. And here’s where the concept of zero trust comes in. It’s a cybersecurity approach that assumes trust has to be continually earned. There’s no single entry point beyond which everyone is safe. Rather, all traffic is potentially hostile until proven otherwise, wherever it comes from. (These terms sound militaristic for a reason. They’re rooted in the Department of Defense’s ‘black core’ network design, in which the transport network itself is treated as untrusted, so protection comes from securing each individual transaction end to end rather than from guarding one perimeter.)

This means you’re repeatedly security-checked – whoever you are and whatever your clearance level.

In a zero-trust system, every request is assessed for two things: who is making it, and what that identity is cleared to do. So, a one-time login doesn’t give you blanket access to everything. For example, you might only be allowed to read (not write or delete) data. Or reach some (but not all) cases or devices. And the check repeats: a session that was fine an hour ago is re-verified, and one that has been revoked or has gone too long without re-authentication is turned away even if the password was right. If the old cybersecurity model was like entering an airport, the zero-trust model is like entering the Pentagon. I.e., visitors get the lowest authorization level that lets them finish a specific task.

For most law firms, zero-trust means using software with clearly defined user permissions.

Zero-trust cybersecurity is well suited to eDiscovery, where data often includes sensitive personal information (social security numbers, credit card details, etc.), intellectual property, financial records, and more. Cloud eDiscovery applications like GoldFynch tackle this using strict user access permissions. So, some users are authorized only to review data, while others get to add/modify it, and only top-level users can change access permissions, add/delete cases, etc. This granular approach, clearing users only for a specific task, limits the damage from both direct attacks (e.g., malware on a reviewer’s machine) and indirect ones (e.g., an employee falling for a phishing email and giving up their password): whatever an attacker gains, they get only that user’s narrow permissions, not the whole firm’s data.
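The two questions above (who are you, and what are you cleared to do) are easiest to see as a per-request check. The following is an added example written for this article, not GoldFynch’s code; the role names, the session lifetime and re-authentication interval, and the sample sessions are illustrative assumptions. It shows that a login is never the end of the story: each request re-validates the session and then applies least privilege, scoped to the cases the user is actually assigned to.

```python
"""Per-request, least-privilege authorization (added example, not GoldFynch code).

Two questions are answered on every request, never just at login:
  1. Who are you?  The session must be unrevoked, within its lifetime, and
     recently re-verified (a one-time login does not stay trusted for ever).
  2. What are you cleared to do?  A role grants only the actions a job needs,
     and only on the cases the user is assigned to.  Deny by default.
Role names, intervals and the sample sessions below are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical roles for an eDiscovery platform, narrowest first.
ROLE_PERMISSIONS = {
    "reviewer": {"case:read"},
    "editor":   {"case:read", "case:write"},
    "admin":    {"case:read", "case:write", "case:delete", "permissions:change"},
}
SESSION_LIFETIME = timedelta(hours=8)     # absolute cap on a login session (assumption)
REAUTH_INTERVAL = timedelta(minutes=30)   # identity must be re-proven this often (assumption)


@dataclass
class Session:
    user: str
    role: str
    cases: frozenset            # case IDs this user is assigned to
    issued_at: datetime
    last_verified_at: datetime  # last successful identity/MFA check
    revoked: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(s, action, case_id, now):
    """Evaluate one request. Every check must pass; the first failure wins."""
    # 1. Identity checks: is this still a session we believe?
    if s.revoked:
        return Decision(False, "session revoked")
    if now - s.issued_at > SESSION_LIFETIME:
        return Decision(False, "session expired, log in again")
    if now - s.last_verified_at > REAUTH_INTERVAL:
        return Decision(False, "re-authentication required")
    # 2. Authorization checks: scope (which cases) then privilege (which actions).
    if case_id not in s.cases:
        return Decision(False, f"{s.user} is not assigned to {case_id}")
    if action not in ROLE_PERMISSIONS.get(s.role, set()):   # unknown role gets nothing
        return Decision(False, f"role {s.role!r} is not cleared for {action!r}")
    return Decision(True, f"{s.user} may {action} on {case_id}")


# Constructed sample data: a fixed clock and a handful of sessions.
NOW = datetime(2022, 10, 18, 9, 0, tzinfo=timezone.utc)


def _session(user, role, cases, verified_ago=timedelta(0), issued_ago=timedelta(0), revoked=False):
    return Session(user, role, frozenset(cases), NOW - issued_ago, NOW - verified_ago, revoked)


SESSIONS = {
    "reviewer": _session("pat", "reviewer", {"case-101"}),
    "editor":   _session("sam", "editor", {"case-101", "case-102"}),
    "admin":    _session("lee", "admin", {"case-101", "case-102"}),
    "stale":    _session("pat", "reviewer", {"case-101"}, verified_ago=timedelta(minutes=45)),
    "revoked":  _session("lee", "admin", {"case-101"}, revoked=True),
}


def demo():
    """Run a handful of requests against the policy; returns one Decision per request."""
    requests = [
        ("reviewer", "case:read",          "case-101"),  # allowed
        ("reviewer", "case:write",         "case-101"),  # denied: read-only role
        ("editor",   "case:write",         "case-102"),  # allowed
        ("editor",   "permissions:change", "case-102"),  # denied: needs admin
        ("admin",    "case:delete",        "case-101"),  # allowed
        ("admin",    "case:read",          "case-999"),  # denied: not assigned, even for admin
        ("stale",    "case:read",          "case-101"),  # denied: re-authentication due
        ("revoked",  "case:delete",        "case-101"),  # denied: session revoked
    ]
    return [authorize(SESSIONS[k], a, c, NOW) for k, a, c in requests]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allowed else "DENY ", d.reason)
```

Note the ordering: identity is re-checked before any permission is consulted, so a revoked or stale session is rejected even when the role would have allowed the action, and an admin is still confined to the cases they are assigned to.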

Of course, zero trust doesn’t replace the basics: multi-factor authentication and the Cloud provider’s own security still matter.

Zero trust builds on the other layers rather than replacing them. Multi-factor authentication (MFA) is in fact one of its foundations: ‘who are you?’ can’t be answered by a password alone, because a phished password is exactly what an attacker shows up with. GoldFynch offers MFA, where you’ll need more than one piece of information to log in. (Entering your primary password will trigger GoldFynch to send you a secondary authentication code.) Learn how eDiscovery applications set up MFA. Similarly, the Cloud providers storing your data still apply their own security measures. For example, they’ll encrypt it in transit as it leaves your device, back it up on multiple servers (to protect against fires, floods, power outages, etc.), and allow server access only to rigorously screened employees.
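A secondary code sent after the password is only as good as how it is issued and checked. The following is an added example for this article, not GoldFynch’s implementation; the code length, lifetime, attempt cap, sample user and delivery channel are illustrative assumptions. It shows the properties a practitioner looks for behind “we send you a code”: the server keeps only a keyed hash of the code, the code expires, it works exactly once, guesses are capped, and comparisons are constant-time.

```python
"""Two-step login with a short-lived one-time code.

Added example, not GoldFynch's implementation. It fills in what "we send you a
secondary code" has to mean to be safe: the server stores only a keyed hash of
the code, the code expires, it works once, guesses are capped, and the
comparison is constant-time. Code length, lifetime, attempt cap, the sample
user and the delivery channel are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CODE_DIGITS = 6
CODE_LIFETIME = timedelta(minutes=5)
MAX_ATTEMPTS = 5
PBKDF2_ROUNDS = 600_000
# Assumption: in production this key comes from a KMS or secret store, not process memory.
SERVER_KEY = secrets.token_bytes(32)


def _password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user record: a salted password hash, never the password itself.
_SALT = secrets.token_bytes(16)
USERS = {"pat": {"salt": _SALT, "pw_hash": _password_hash("correct horse battery", _SALT)}}


@dataclass
class PendingCode:
    user: str
    code_mac: bytes        # HMAC over user || nonce || code; the code itself is not stored
    nonce: bytes
    expires_at: datetime
    attempts: int = 0
    used: bool = False


def _code_mac(user, nonce, code):
    return hmac.new(SERVER_KEY, user.encode() + nonce + code.encode(), hashlib.sha256).digest()


def begin_login(user, password, now):
    """Step 1: check the password. On success return (pending record, plaintext code).

    The plaintext code goes to the delivery channel (e-mail, SMS, app push),
    never back to the client that sent the password. Returns None on failure.
    """
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(_password_hash(password, rec["salt"]), rec["pw_hash"]):
        return None
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    nonce = secrets.token_bytes(16)
    return PendingCode(user, _code_mac(user, nonce, code), nonce, now + CODE_LIFETIME), code


def complete_login(pending, submitted, now):
    """Step 2: verify the code. Returns (ok, reason). All guards run before the comparison."""
    if pending.used:
        return False, "code already used"
    if now > pending.expires_at:
        return False, "code expired"
    if pending.attempts >= MAX_ATTEMPTS:
        return False, "too many attempts, request a new code"
    pending.attempts += 1
    if not hmac.compare_digest(_code_mac(pending.user, pending.nonce, submitted), pending.code_mac):
        return False, "wrong code"
    pending.used = True            # a code that logged someone in can't be replayed
    return True, "logged in"


# Constructed clock so the walk-through is deterministic.
NOW = datetime(2022, 10, 18, 9, 0, tzinfo=timezone.utc)


def _wrong(code):
    """A six-digit string guaranteed to differ from the real code."""
    return "000000" if code != "000000" else "111111"


def demo():
    """Walk the flow through its failure modes; returns outcome name -> result."""
    out = {"bad password": begin_login("pat", "wrong", NOW) is None}
    pending, code = begin_login("pat", "correct horse battery", NOW)
    out["wrong code"] = complete_login(pending, _wrong(code), NOW)
    out["right code"] = complete_login(pending, code, NOW)
    out["replayed code"] = complete_login(pending, code, NOW)
    pending, code = begin_login("pat", "correct horse battery", NOW)
    out["expired code"] = complete_login(pending, code, NOW + CODE_LIFETIME + timedelta(seconds=1))
    pending, code = begin_login("pat", "correct horse battery", NOW)
    for _ in range(MAX_ATTEMPTS):
        complete_login(pending, _wrong(code), NOW)
    out["after lockout"] = complete_login(pending, code, NOW)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {result}")
```

The attempt cap is the control that actually protects a six-digit code; hashing it under a server key only stops someone who steals the pending records from reading the codes off them, it does nothing against online guessing.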

Also, you can pair zero-trust systems with other security tools like VPNs.

Zero-trust systems can be combined with other tools such as virtual private networks (VPNs). A VPN creates an encrypted ‘tunnel’ between your device and the VPN endpoint, so anyone on the path in between (a hotel Wi-Fi operator, someone sniffing the local network, your internet service provider) sees only encrypted traffic and the VPN’s address, not yours or what you’re sending. That also helps with privacy. For example, your medical web searches for clients could reveal something about their health matters to a prying internet service provider (ISP); a VPN hides your IP address and the sites you visit from it. One caveat: a VPN only protects the path to its endpoint, and connecting to a firm VPN typically grants network reachability to everything behind it, which is exactly the blanket trust zero trust is meant to remove. Treat the VPN as transport protection and keep the per-request identity and permission checks in place behind it. Learn more about VPNs.

To learn more about zero-trust security, try experimenting with GoldFynch.

Cloud eDiscovery services like GoldFynch use zero-trust principles to keep your data safe. So, explore the software using GoldFynch’s free 512 MB starter case. Also, GoldFynch is a complete eDiscovery solution with other features you might like. For instance:

  • It costs just $27 a month for a 3 GB case: That’s significantly less than most comparable software. With GoldFynch, you know exactly what you’re paying for: its pricing is simple and readily available on the website.
  • It’s easy to budget for. GoldFynch charges only for storage (processing files is free). So, choose from a range of plans (3 GB to 150+ GB) and know up-front how much you’ll be paying. You can upload and cull as much data as you want, as long as you stay below your storage limit. And even if you do cross the limit, you can upgrade your plan with just a few clicks. Also, billing is prorated – so you’ll pay only for the time you spend on any given plan. With legacy software, pricing is much less predictable.
  • It takes just minutes to get going. GoldFynch runs in the Cloud, so you use it through your web browser (Google Chrome recommended). No installation. No sales calls or emails. Plus, you get a free trial case (0.5 GB of data and a processing cap of 1 GB) without adding a credit card.
  • It’s simple to use. Many eDiscovery applications take hours to master. GoldFynch takes minutes. It handles a lot of complex processing in the background, but what you see is minimal and intuitive. Just drag-and-drop your files into GoldFynch, and you’re good to go. Plus, you get prompt and reliable tech support (our average response time is 30 minutes).
  • Access it from anywhere, and 24/7. All your files are backed up and secure in the Cloud.

Want to find out more about GoldFynch?