In an SaaS world, terminating access to confidential data is hard to do well

We've always had attorneys and employees moving from law firm to law firm. And when that happened protecting the firm's confidential information used to be (almost) as simple as disabling their access cards and deleting their Active Directory account. In five minutes it was all over and the ex-attorney or ex-employee no longer had access to email, time and billing system, back office databases, or even the office bathroom. The hardest park was wrestling them out of their leased parking garage card.

Alas, in today's world of hosted applications (SaaS) revoking access privileges is not so simple anymore. Let's say an employee leaves your firm tomorrow. While you can trust that her access to internal systems will be ended quickly, confidential data hosted in external applications can remain accessible for many months after her departure. Consider the following hosted applications and the data they hold:

• Case data in litigation support systems like CT Summation
• Financial data in matter management systems like Datacert or Serengeti
• Client data in CRM or marketing systems like Salesforce.com
• Documents and discussions in various collaboration portals
• And tens of other client-owned extranet systems

But if you ask any of these vendors they will tell you their systems are very secure. And, for the most part, they are right. So how could an ex-employee have access to those systems months after their departure? Simple: no one at your firm bothered to terminate the ex-employee access to those systems. In fact, I would bet no one at your firm was keeping track of accounts opened on external systems.

Law firms could do more to reduce this risk, perhaps through more centralized control of who has access to what external applications. But vendors could also do more, perhaps through wider usage of single sign-on or claims-based techniques that enforce access termination as soon as an employee is removed from the firm’s internal systems.