Law firms are increasingly interested in adopting software-as-a-service legal case management solutions to modernize their existing practices. We have been asked repeatedly to provide security insights into adopting SaaS products including CasePeer, LEAP, PracticePanther, Clio, TrialWorks, SmartAdvocate, GrowPath, Cloudlex, and Filevine. Our role is to help firms make the right choice and prepare their practice for adopting software-as-a-service. While the firms evaluate the capabilities and functionality, we supply a third-party perspective, migration assistance, and smart implementation.
Despite many firms already running some form of “cloud” infrastructure, most recognize that moving to a SaaS solution changes the risk landscape. While every company out there wants to promise secure and highly-available experiences, most rely on a shared responsibility approach to security. In this article we take a closer look at Filevine and our internal process for vendor security review. This step is a precursor to a vendor security audit questionnaire that would be submitted to the company in question that clarify any misconceptions or correct any assumptions we make.
Background
During a background review we are interested in learning more about who the company is, where they are, and whether they appear to be solvent. From there we jump to the back-bone of their SaaS infrastructure and attempt to gather preliminary information that is later used to create pointed questions.
Founded in 2014, Filevine is a private American company based out of Salt Lake City, Utah. We have an affection for Salt Lake City based companies as many vendors through the years that were based there have demonstrated proficiency in their fields, so that’s a great start. According to our data they have 101-250 employees, use venture funding, and there was at least one round of venture funding raised at approximately $40,000,000.
Looking at the leadership team we generally prefer to see both CIO and CTO positions filled, Filevine appears to only have a CTO. This means that while they focus on development of external technology they do not have a dedicated position responsible for the internal technology of the company. That is not unusual, but it would be extremely beneficial to see individuals named in the protection of customer data.
Filevine is built on Amazon Web Services, but data on whether their products have ben subject to an AWS Well Architected third-party audit remains unclear; the current information suggest it has not. This is not a problem, as most companies we survey have yet to take this leap. The technologies in use appear to be .NET, JavaScript, Node, AngularJS, Redis, and SQL.
After getting the basics down we have developed an approach we like to call “Perception vs. Reality.” We review the materials offered by the vendor in terms of websites, disclosures, FAQ, support documentation, and publications to develop an impression of the vendor. We then square that information with terms of service. Collectively, this becomes our initial review which frames a conversation and helps our clients understand the realities behind adoption a SaaS product into their workflow.
Perception…
The key components of our cultural assessment are designed to answer whether or not the company has a security mindset. One of the key ways we can frame our initial impression is by comparing a company against others we feel demonstrate this mindset and also attempt to establish a level of transparency the subject company may offer. In Filevine’s case, we feel they have a guarded posture with a general lack of disclosure.
First, let’s look at examples of companies that show openness and transparency. One of our favorite vendors, PaperCut, has clear security statements, white-paper, and addresses security questions. PipeDrive, a CRM company, offers end-user tools including security dashboards. Perhaps, most importantly, companies like Microsoft and Google offer detailed service agreements which address data security, privacy, and responsibility.
Looking at Filevine we then move to a search through support documentation for items linked to “security.” The results here are lack-luster but that seems to be a result of the documentation portal. We hope to find published vendor security assessment questionnaires, information about certifications, and development processes. The good news is that there is some information available, including pages that deal with common threats and we ultimately locate the “How Filevine Approaches Security” whitepaper which is exactly the kind of product we hope to see. In fact, we would argue the whitepaper is a combination of a vendor security assessment questionnaire and a disclosure of security practices in one. This is a welcome find and one that brings much comfort.
The whitepaper starts with a scenario, which is indicative of risk management, and a good find. Unfortunately it immediately begins to transfer responsibility to Amazon and proceeds to describe redundancy within the same environment. The problem is that it is possible to build insecure apps on AWS and redundancy arguably takes more than a single cloud provider. From the information supplied in this whitepaper we do not see signals that their architecture is resilient enough to protect against lateral movement which would be the common method of spreading ransomware. This is difficult to justify from our position, especially when language directly addressing this concern is present. Our experience has shown that when modal auxiliaries are used to describe services they support our position to remain conservative in the risk assessment.
We also tend to cringe when companies dedicate space to “physical data security” and largely focus on Amazon data centers and canned language – to us this is fluff. What we want to know is what the company does to protect their staff and offices from malicious actors, the data center protections are obvious and serve as filler. In other words, the first half of this whitepaper is unfortunately below our expectations for secure data handling but the blame may simply be on the authors and not their practices. Further followup is required.
To understand this portion better, we should explain that we are not looking for a company to do a good job on all fronts. We are looking for the vendor to highlight the areas they focus on and acknowledge there is work to be made. We recoil when we see filler material and canned language which we see a substantial amount of in this edition.
The latter half of the whitepaper is mostly disclosures. Filevine has restricted access, secure data, disaster plans, polices and procedures, etc. This is excellent because it has been acknowledged, but it does not state whether they implement all of it well. To verify, the Filevine would have to disclose a SOC 2 report. SOC 2 is an auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients. For security-conscious businesses, SOC 2 compliance is a minimal requirement when considering a SaaS provider. Filevine’s statement on SOC 2 is as follows: “Our team of data security, compliance, and legal professionals are working diligently to obtain SOC2 certification, an effort that is on target for completion in Q4 2020.” We value this response. SOC 2 certification takes about six months, with a typical three-month pre-audit period that helps square things away and then time to correct issues. This is a reasonable and welcome disclosure. Additionally, Filevine lists certifications of their staff which is a noteworthy step and one we appreciate:
- Certified Information Systems Security Professional (CISSP)
- GIAC Security Leadership Certification (GSLC)
- GIAC Certified Project Manager (GCPM)
- GIAC Legal Issues in Information Technology & Security (GLEG)
- GIAC Web Application Penetration Tester (GWAPT)
- GIAC Assessing and Auditing Wireless Networks (GAWN)
- Certified Information Privacy Professional (CIPP/US)
- GIAC Certified Penetration Tester (GPEN)
- GIAC Securing Oracle Certified (GSOC)
- ITIL v3 Foundations Certification
- Certified Information Systems Auditor (CISA)
- GIAC Certified ISO-27000 Specialist (G2700)
- GIAC Information Security Professional (GISP)
- Security+
- Testout Security Pro
While the list above is impressive, the Filevine product is built on Amazon Web Services (AWS). What is missing from this list are certifications such as AWS Solutions Architect, AWS DevOps Engineer, AWS Advanced Networking, AWS Security, or even a simple AWS Cloud Practitioner for a start.
Finally, we look at the information presented to the end-users that fosters shared responsibility – mainly dashboards. We do not see much related to that but we do find a strong emphasis on two-factor authentication (which today should truly be multi-factor authentication) and availability of audit reporting. Audits should pull from immutable transaction records, so both of these show the company likely has implemented some OWASP-10 capabilities but has more work to do in the future. This is an acceptable finding.
While not directly tied to culture or thinking, the presence of all of these things and their volume is a good indicator of how important security is in an organization. Volume and quality of these materials is typically proportional to the investment made in confidentiality, integrity, and availability of data.
Reality…
The next stage of review is to look at the promises made by the company in their service agreement. Our ideal terms of service are written in the spirit of TOSDR. Clear, concise, easy to follow, and address the main concerns over data privacy, security, and responsibility. We prefer to see acknowledgement of shared responsibility and grow concern when it is missing.
Filevine’s terms and conditions were last updated March 23, 2020 and it is important to point out that you, the customer, are responsible for reviewing them on a regular basis. During the review we specifically care to locate information related to backups, responsibility, privacy, and security. For backups, we care to learn about what backup options exist and whether the customer’s data is portable and easily exportable for added security. For “responsibility” we look for statements acknowledging that security is a relationship between the vendor and the customer. For privacy, we look for a dedicated privacy program and statements that reflect strict standards such as GDPR or CPRA. Lastly, for security, we look for statements that require customers to do their part and secure their systems.
The review leaves several doors open for improvement. The backup portions only addresses data after termination, which is insufficient for our standards. While shared responsibility is not named, specific areas where integrity of data is of concern are addressed. Privacy information was not discovered during this review. Security was covered by the whitepaper discussed in the section above, with one additional blurb worth discussing:
Filevine shall use reasonable efforts consistent with prevailing industry standards to maintain the Products and Services in a manner which minimizes errors and interruptions in the Products and Services and shall perform the Services in a professional and workmanlike manner. Services may be temporarily unavailable for scheduled maintenance windows or for unscheduled emergency maintenance by Filevine, or because of other causes beyond Filevine’s reasonable control, but Filevine will use reasonable efforts to provide advance notice of any scheduled service disruption. However, Filevine does not warrant that the Products or Services will be uninterrupted or error free; nor does it make any warranty as to the results that may be obtained from the use of the Products or Services.
Outages happen. Data breaches happen. Security incidents happen. We can all understand and related to that. What is critical for anyone choosing SaaS is that they understand that the systems are not infallible. Countless times we have talked to organizations that took the sales pitch but failed to understand the reality. In this case, Filevine puts the reality on paper and this is the responsible and reasonable thing to do for any SaaS vendor. It is up to the customer, then, to evaluate possible disruptions and plan for them accordingly. It is up to the vendor to create an environment and application where continuity during disruptive events is possible.
Lastly, we leave on the one clause we see all the time… the one that addresses responsibility regardless of what was said in the TOS. While Filevine takes the expected and standard approach of “not responsible for anything” in their Terms of Service, it fails to guide the customer on where the responsibility lies.
IN NO EVENT SHALL FILEVINE, ITS EMPLOYEES, AGENTS, SUCCESSORS, ASSIGNS, AFFILIATES, CONSULTANTS OR SUPPLIERS BE LIABLE TO SUBSCRIBER OR ANY OTHER THIRD PARTY FOR ANY INDIRECT, SPECIAL, INCIDENTAL, EXEMPLARY, CONSEQUENTIAL, OR STATUTORY DAMAGES ARISING OUT OF OR IN CONNECTION WITH THE DELIVERY, PERFORMANCE OR USE OF THE SERVICE, WHETHER ALLEGED AS A BREACH OF CONTRACT OR TORTIOUS CONDUCT, INCLUDING NEGLIGENCE AND STRICT LIABILITY, INCLUDING WITHOUT LIMITATION LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, LOSS OF USE OR DATA, DAMAGE TO SYSTEMS OR EQUIPMENT, COST OF COVER, OR OTHER PECUNIARY LOSS, EVEN IF FILEVINE OR SUBSCRIBER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. FILEVINE’S CUMULATIVE LIABILITY TO SUBSCRIBER SHALL NOT EXCEED THE AMOUNT OF FEES PAID UNDER THIS AGREEMENT IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM.
Verdict…
Filevine is a product that effectively runs majority of the processes within a law firm. This means that a breach or destruction of data is catastrophic. For this reason, the bar must be set high. We are somewhat conflicted because the company appears to make all the right choices and the right moves but their published documentation, specifically “How Filevine Approaches Security” does not feel sufficiently sincere to establish the level of trust we would expect from this caliber of a vendor. Even so, we cannot blame the posture of a company on an author of a whitepaper. The components of a successful SaaS deployment are all there and it is evident the company is improving its posture as time goes on. Our wishlist for Filevine is as follows:
- Provide a published progress report on SOC2 compliance including the name of the company performing the audits.
- Publish a “Filevine Development Process” whitepaper that details sprint formation, quality assurance, bug tracking, source control, an change configuration procedure.
- Publish a “Filevine Platform” whitepaper that details the technology stack, diagram, limitations on access to customer environments, data flow workflow, third-party access and integrations, data sanitization, encryption at rest, encryption of data in motion, business continuity and disaster recovery overview (not just the disclosure) along with an SLA commitment.
- Announce the final SOC 2 Type 2 Certification and offer the report for review to all those interested.