One doesn't necessarily think of a law firm as a retail operation, but as a repository of privileged client data with the need to share its information, certain regulations, usually ascribed to brick-and-mortar stores and online commerce, can apply here as well.
Such was the challenge facing debt collection law firm Rausch, Sturm, Israel, Enerson & Hornik, LLC (RSIEH), headquartered in Brookfield, Wis. (in the greater Milwaukee area), with offices in 15 states.Founded in 1977, the creditor's rights law firm found itself required under the Payment Card Industry Data Security Standard (PCI DSS) to encrypt the cardholder data it collected, stored and used during the course of its business operations.
RSIEH collects sensitive information in several locations within its IT infrastructure, which is about 80 percent virtualized through a VMware ESX environment, says Rick Olejnik (left), chief information security officer at the firm. About a year ago, RSIEH's client banks and financial institutions insisted that firm encrypt data in compliance with PCI DSS. While it had systems in place to protect sensitive data from unauthorized access, under PCI DSS requirement 3, Olejnik realized he and his staff would need to encrypt cardholder data wherever it was accessed and stored.
In the legal collection industry, PCI DSS is a requirement that is increasingly being applied to law firms – where it hadn't been before. “We are no different," says Olejnik. The largest repository of PCI data is the Commercial Legal Software (CLS) Collection-Master application, a commercial, off-the-shelf tool that lacks integrated data security functionality, he says.
With an IT staff of 12 supporting a user base that exceeds 300 users, RSIEH's IT systems support business-critical, online claims processing, document management and trust accounting. The CLS Collection-Master application allows authorized users to instantly access case files, to retrieve information on payments, activities and notes without having to retrieve physical paper case files.“This enables us to service multiple states, expanding our scope of businesses served, and gives the firm distinct advantage in a competitive debt-collection market,” Olejnik says. “Our firm can be instantly responsive to inquiries from clients and debtors because our business operations are automated and streamlined.”
His IT team initially tried to use open source TrueCrypt volume-encryption software, but found that it broke the firm's IT operations processes, including backup and vaulting. “We required an encryption solution that enabled us to protect PCI data without breaking our systems or slowing down operations for our many users,” Olejnik says.The team researched the market and commissioned an outside resource, Halock Security Labs, to help assess requirements and locate an appropriate vendor.
The firm needed to encrypt not only structured database information, including credit card numbers, but also unstructured data, flat files and volumes of images containing cardholder data. It also needed to protect more than 30 Windows Servers running in a VMware virtual environment with data residing in a storage area network (SAN) and SQL Server databases. While the CLS Collection-Master information was unstructured flat-file information, other servers requiring security included SQL Server and SQL Report Server.
Finding an encryption vendor able to encrypt all of these data types and formats – wherever they are accessed, used and stored without breaking or slowing down the systems – was the search team's primary focus.
“We initially tried to use open source TrueCrypt volume encryption software,” Olejnik says. Aside from it being cumbersome, the team found that TrueCrypt broke IT operations processes, including backup and vaulting. It turned out that there was only a short list of vendors capable of meeting the requirements the RSIEH team was looking for.
Halock Security Labs, a Schaumburg, Ill.-based hybrid services firm that offers technical solutions, among other services, suggested they bring in Vormetric.
“We brought in Vormetric, tested it, and essentially threw everything at it to not only see if it worked, but also whether it would break anything or slow down our systems,” says Olejnik. “We threw SQL, flat files and a variety of other workloads at it, but we could not find a problem or notice any system slowdown. Vormetric has an approach that allows us to encrypt data in a transparent manner that doesn't require changes to our applications, databases or underlying hardware infrastructure. This encryption approach also allows us to meet strict data governance requirements with separation of duties and secure key management, something other encryption products simply could not provide.How it works
Vormetric's encryption system is capable of processing millions of files without introducing response-time latency, and it integrates with heterogeneous and custom applications without requiring infrastructure modifications, says Todd Thiemann (right), senior director, product marketing at San Jose, Calif.-based Vormetric. “The solution scales via clustering to support large, distributed and global environments. Vormetric features a centralized, secure key management architecture which establishes a separation of duties and can enforce role-based access control policies.”
Vormetric provides for strong access control that enables a rigorous separation of duties that can be role-, user- and process-based, he explains. “This prevents highly privileged users (like database administrators) and applications from accessing data that they are not authorized to see.”
Enterprises can now meet regulatory compliance and data governance requirements with a single offering that applies persistent security policies to data whether it is in their datacenter or the Amazon cloud, Thiemann says.To overcome the limitations of volume-level cloud encryption solutions that only provide control over a storage volume, Vormetric operates at a granular file level to enforce encryption, enable access control policies and audit use at the server, process and user layers, he adds. “This approach extends the security value of encryption beyond simple media theft protection and allows enterprises to address insider threat, separation of duties and gain insight into access activity for data in the cloud.”
Certifications
The deployment of the Vormetric solution went smoothly, says RSIEH's Olejnik. “We appreciate the ease of use. Vormetric slid into place, provides the necessary security with zero impact to users, and it keeps working with very little monitoring from our IT staff."And, it has been easy to manage as the centralized management and user interface required no specialized training for staff, he adds. “The solution encrypts PCI data in all of the formats we maintain and is completely transparent to users. It is definitely meeting our expectations.”
Further, Vormetric encryption enables RSIEH to comply with PCI DSS requirement three to “protect stored cardholder data.”“We had been expecting a 20 percent hit on performance, as the CLI vendor had not before seen an encryption implementation that worked and didn't impact performance,” says Olejnik. “In fact, they wanted us to go back to the PCI folks to say it's just not possible. However, Vormetric has proven otherwise. It's impressive.”
The Vormetric deployment provides encryption of cardholder data across RSIEH's entire network, as the CLI system is the main application supporting business operations, says Olejnik. Attorneys and staff authorized to access files through CLI can do so seamlessly since the encryption provided by Vormetric is transparent to them. Vormetric provides data encryption and encryption key management.RSIEH is now working on ISO 27001 certification with the goal of becoming ISO certified early next year, and Olejnik says his team can transparently expand the Vormetric deployment to encompass other sensitive data to help with ISO 27001.
The threat landscape is always changing, Olejnik says. “With encryption, if someone either on the outside hacking in or on the inside inappropriately or maliciously gains access to protected data, the data itself is secure and unreadable. With Vormetric's separation of duties, I can rest assured that the encryption keys are safe as well.”In general, law firms collect a lot of sensitive client data, financial information, credit cards, bank accounts, trade secrets, etc., says Olejnik. “If this data is stolen, it would place the firm at risk, so our security measures are stringent. The amount of data we maintain is large, constantly growing, and much of it is unstructured. Having been through this experience, I recognize first-hand the importance of selecting an encryption approach that can protect any data type without the need for system modifications."
He admits his team was surprised that Vormetric did not slow down applications and business processes. "An open source solution, like TrueCrypt, might work in simpler environments, but with an array of data types, virtualized environment and legacy applications, it really did pay off for to select an enterprise-class vendor."
For reprints of this case study, contact Elton Wong at [email protected] or 646-638-6101.
